CrowdStrike flags AI-driven cyberattacks on global financial firms

May 15, 2026
7:02PM PHT

Insider Spotlight

  • CrowdStrike said DPRK-linked hackers stole a reported $2.02 billion in digital assets in 2025
  • Hands-on-keyboard intrusions against financial institutions rose 43 percent globally over two years
  • China-linked espionage groups expanded attacks across Southeast Asia, including the Philippines
  • Cybercriminals increasingly used AI-generated identities and recruiter scams to infiltrate firms


CrowdStrike warned that North Korean cyber adversaries stole billions in digital assets in 2025 while rapidly scaling attacks against global financial institutions using artificial intelligence tools, according to its latest financial services threat landscape report released Wednesday.

The cybersecurity company said DPRK-linked actors drove a 51 percent year-over-year increase in digital asset theft, with total reported losses reaching $2.02 billion in 2025. 

One group, PRESSURE CHOLLIMA, allegedly carried out the largest financial theft ever reported by stealing $1.46 billion in cryptocurrency through trojanized software distributed via a supply chain compromise.

The report also noted that hands-on-keyboard intrusions against financial institutions climbed 43 percent globally and 48 percent in North America over the past two years as attackers increasingly exploited trusted identities and SaaS applications to bypass legacy security defenses.


Why it matters

Financial institutions are facing mounting cyber risks as state-backed espionage groups and ransomware operators adopt AI-powered deception tools to accelerate attacks, lower operational costs, and evade detection.

CrowdStrike said DPRK-linked groups expanded operations using AI-generated identities, synthetic video conferencing environments, and recruitment-themed lures to infiltrate cryptocurrency exchanges, fintech platforms, and consumer banks.

FAMOUS CHOLLIMA reportedly doubled its operations using fake AI-generated personas, while STARDUST CHOLLIMA tripled its operational tempo targeting fintech firms across North America, Europe, and Asia.

China-linked cyber espionage groups also intensified operations globally. CrowdStrike identified HOLLOW PANDA intrusions at financial institutions in the Philippines, Indonesia, and Brazil, while MURKY PANDA deployed an operational relay box network spanning more than 150 endpoints across 36 countries.

Between the lines

The report said ransomware pressure on the financial sector continued to increase, with 423 financial services organizations appearing on dedicated leak sites in 2025, up 27 percent year over year.

MUTANT SPIDER drove the highest intrusion volumes through vishing campaigns before selling access to ransomware groups, enabling faster and more scalable attacks. Meanwhile, SCATTERED SPIDER resumed aggressive ransomware campaigns targeting insurance firms during the first half of 2025 after a four-month pause.

“Financial services organizations face threats from every direction and AI is making each of them harder to stop. The cost to create convincing identities, automate reconnaissance, and accelerate credential theft is near zero,” Adam Meyers, head of counter adversary operations at CrowdStrike, said in a press statement on May 15, 2026.

“Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defenses can respond. To close that gap, defenders have to meet AI with AI–pairing intelligence with hunting to outpace the adversary,” he added.

CrowdStrike said the report was based on intelligence from its Counter Adversary Operations team, which tracks more than 280 named threat actors globally.

—Vanessa Hidalgo | Ed: Corrie S. Narisma
