Cyberattacks targeting financial institutions worldwide more than doubled in 2025, rising from 864 incidents in 2024 to 1,858 in 2025, driven by coordinated hacktivist campaigns and sophisticated ransomware operations, according to Check Point Software Technologies’ 2025 Financial Threat Landscape Report released this week.
The 115 percent increase reflects a dramatic shift in threat actor behavior, with attacks ranging from ideologically motivated disruptions to commercialized cybercrime as a service models that exploit financial sector vulnerabilities across multiple attack vectors, the cybersecurity firm stated in its comprehensive analysis of global financial sector threats.
Distributed Denial of Service (DDoS) attacks emerged as the most dominant threat category, surging 105 percent from 329 incidents in 2024 to 674 in 2025. Unlike previous years where such attacks primarily targeted financial gain, the 2025 wave consisted largely of coordinated hacktivist campaigns aligned with geopolitical triggers aimed at denying citizen access to banking portals and payment interfaces rather than extracting money.
Israel bore the highest concentration of DDoS attacks with 112 incidents representing 16.6 percent of the global total, followed by the United States with 40 cases at 5.9 percent, and the United Arab Emirates with 38 incidents at 5.6 percent. Ukraine and Germany rounded out the top five most targeted countries with 35 and 34 attacks respectively, reflecting strategic focus on financial entities symbolizing national resilience and global influence.
Two hacktivist groups dominated the DDoS landscape, with Keymous+ claiming responsibility for 121 attacks and NoName057(16) executing 98 separate campaigns. These groups operated high volume, rapid fire campaigns across multiple countries and sectors using readily accessible botnets and shared infrastructure, allowing moderately skilled actors to scale their impact significantly.
Data breaches and leaks increased sharply from 256 incidents in 2024 to 443 in 2025, highlighting systemic weaknesses across identity governance, cloud environments, and third party integrations. The United States remained the most heavily targeted geography with 177 breach cases representing 40 percent of all global incidents. India recorded 31 cases while Indonesia experienced 24 breaches, largely due to rapidly expanding financial ecosystems and growing exposure to cloud based operations.
Notably, 33 percent of breach incidents were attributed to unknown actors, reflecting increased operational security, short lived infrastructure, and a shift toward decentralized identities that complicate attribution efforts. Threat actors such as Breach Laboratory, responsible for 43 incidents, built reputations for exploiting misconfigurations, purchasing initial access credentials, and leveraging leak sites for extortion campaigns.
Ransomware attacks surged from 269 incidents in 2024 to 451 in 2025, driven by mature Ransomware as a Service (RaaS) ecosystems and increasingly sophisticated multi extortion strategies. Attackers no longer rely solely on data encryption but combine encryption, exfiltration, public shaming, and direct pressure on executives and customers to maximize leverage.
The United States topped ransomware victim counts with 196 cases representing 43.5 percent of the total, followed by South Korea with 31 incidents at 6.9 percent, the United Kingdom with 22 cases at 4.9 percent, and Canada with 16 attacks at 3.5 percent. The geographic distribution maps closely to economies with large digital banking footprints, making them prime candidates for maximum extortion leverage.
Qilin led ransomware operations with 83 incidents representing 18.4 percent of the total, followed by Akira with 37 cases at 8.2 percent and Clop with 19 incidents at 4.2 percent. These groups operate sophisticated affiliate programs with shared tooling, highly modular malware, and well organized networks that scale operations quickly by exploiting VPN vulnerabilities, abusing stolen credentials, and targeting third party service providers.
Hendrik de Bruin, Head of Security Consulting for Africa at Check Point Software Technologies, warned that African financial institutions cannot afford complacency despite the report focusing primarily on attacks in the United States, India, Indonesia, South Korea, the United Kingdom, Brazil, and Latin American markets. He noted that Africa’s financial sector often leads in deploying digital services to customers while maintaining relatively mature cybersecurity postures, yet the report demonstrates that maturity alone provides insufficient protection against evolving threats.
The report emphasizes that offensive security capabilities are advancing faster than organizations can deploy appropriate defenses, with more adversaries leveraging Artificial Intelligence to enhance campaign effectiveness while geopolitical tensions continue escalating. Financial institutions face growing pressure to transition from traditional prevention focused strategies toward intelligence led, identity first, and always on security models.
Check Point recommends financial sector organizations implement Continuous Threat Exposure Management (CTEM) approaches that enable proactive identification, verification, and prioritization of security risks including stolen credentials, vulnerabilities, and misconfigurations before attackers can exploit them. The rise of multi extortion ransomware has made traditional backup and recovery strategies necessary but insufficient on their own.
The financial sector enters 2026 facing unprecedented cyber risk characterized by campaign driven DDoS operations, stealthy data compromise tactics, and high impact ransomware ecosystems requiring rapid adaptation to intelligence driven security frameworks that address the growing sophistication, automation, and global coordination of threat actors operating across criminal and ideological motives.
