Darktrace: The State of Cybersecurity in the Finance Sector 2025

This report documents escalating, targeted threats to the finance sector—highlighting state-linked campaigns (notably DPRK-associated Lazarus Group), prolific extortion actors (Cl0p, RansomHub), and emergent malware and exploitation techniques such as BeaverTail, EtherRAT, AiTM phishing, and React2Shell. It stresses supply-chain and edge-infrastructure risk (MOVEit, GoAnywhere, Fortra, Ivanti, Palo Alto), rising AI-driven social engineering, and the urgent need for AI-enabled defenses, governance, and cross-sector collaboration. #BeaverTail #LazarusGroup

Keypoints

  • Typical report structure: Acknowledgements and authorship; Executive summary (high-level findings and strategic recommendations); Objectives & Methodology (data sources, sectors covered, analytical frameworks); Threat Landscape Overview organized by the CIA triad (Confidentiality, Integrity, Availability); Protocol & Infrastructure Targeting (commonly exploited protocols and third-party risks); Threat Actor Spotlights (profiles and notable campaigns); Case studies / Current campaigns (detailed technical incidents and IoCs); Conclusion (strategic takeaways); Appendices (IoCs, bibliography, supporting data).
  • Executive summary content: synthesis of telemetry and expert interviews, summary of dominant adversaries and attack vectors, and recommended defensive priorities (identity controls, patching, AI-driven detection, governance, training, and cross-industry collaboration).
  • Data sources and methods: combines Darktrace telemetry (anonymized alerts from financial customers, primarily UK/US), OSINT, and structured analysis using the Diamond Model, hypothesis-driven threat hunting, and behavioral-based detection.
  • Key statistics: Darktrace observed over 214,000 emails sent to suspected personal addresses and 351,000 emails to freemail addresses in October (financial-sector customers); nearly 2,400,000 phishing emails observed in H1 2025 across financial deployments; over 1,000,000 QR-code phishing emails detected in February 2025; 32% of phishing in 2024 used novel AI-enabled social engineering techniques.
  • Major financial-impact figures: Global BEC losses from 2013–2023 exceed $55 billion; the FBI reported $2.7 billion in BEC losses in 2024; average BEC wire-fraud demands rose ~46% between December 2024 and early 2025.
  • Top recurring threats: credential harvesting and phishing (including AiTM and quishing), supply-chain compromises (MOVEit, GoAnywhere and other file-transfer platforms), ransomware/extortion groups (Cl0p, RansomHub, LockBit successors), and state-sponsored espionage/financial theft (notably DPRK-linked activity and Lazarus Group campaigns).
  • Evolving attack techniques: adversary-in-the-middle (AiTM) and QR-code phishing to bypass MFA and email filters; Ethereum/blockchain-based C2 (EtherRAT); weaponized open-source package repositories (malicious npm/PyPI packages); living-off-the-land (LOTL) and novel pre-auth RCE exploits (React2Shell CVE-2025-55182).
  • Malware and tooling of note: the BeaverTail info-stealer and loader linked to DPRK campaigns; EtherRAT, which uses smart-contract-based C2; Tsunami modules and injectors used for session hijacking; and Zloader and WarmCookie, observed for persistence and data manipulation.
  • Protocol and infrastructure targeting: SMB, RDP, DNS tunneling, Kerberos abuse (Kerberoasting) and exploitation of edge devices (VPNs, remote access gateways, firewalls). Observed exploitation of file transfer platforms and deployment of webshells for persistent access.
  • Third-party and supply-chain risk: enterprise file transfer solutions (MOVEit, GoAnywhere, Cleo) and widely used management platforms (Ivanti, Palo Alto devices) repeatedly targeted—demonstrating that vendor vulnerabilities enable large-scale downstream impact.
  • Availability and resilience concerns: ransomware accounted for a dominant share of incidents (nearly 64% of US financial-sector incidents in 2023, with UK reporting also showing ransomware as a significant portion); DDoS used as a distraction while other intrusions proceed; and single-point-of-failure and cloud-outage scenarios that stress the need for robust COOP and disaster recovery.
  • Insider risk and governance gaps: workforce awareness gaps, recruiting/job-seeker lures, and insufficient AI governance create data-exposure risks (particularly around LLM use and data stewardship). Microsoft Conditional Access and similar controls may not cover CLI/scripted logins, leaving gaps.
  • Operational challenges for defenders: cloud complexity, identity-management gaps, DLP limitations at scale, budget and boardroom friction impeding proactive investments, and the need for behavioral/AI-driven detection to find novel or living-off-the-land activity.
  • Notable incident patterns and case studies: routine scanning and DoS attempts against Fortra GoAnywhere MFT; MOVEit exploitation by extortion groups; DPRK-linked coordinated campaign using malicious npm packages and React2Shell exploitation across multiple countries, with artifacts and IoCs provided in appendices.
  • Actionable defensive priorities highlighted: strengthen identity and MFA posture with detection for AiTM behaviors; accelerate patching and reduce exposure of internet-facing file transfer services; implement behavioral/AI-based anomaly detection; harden edge services and conditional access for non-interactive logins; invest in DLP, incident response playbooks, and COOP planning.
  • Strategic recommendations: govern AI adoption and data sharing, prioritize third-party risk management and vendor patch cycles, foster cross-sector information sharing on IoCs and TTPs, and allocate budget to adaptive, self-learning defenses that reduce mean-time-to-detect and respond.
  • Recurring themes and takeaways: attackers follow financial value and trust—combining sophisticated social engineering, supply-chain compromise, and exploitation of legacy/edge systems; AI is a dual-use accelerant (used by attackers for phishing and by defenders for detection); collaboration, governance, and investment in resilient architecture remain critical to mitigate rapidly evolving threats.
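Two of the identity points above lend themselves to a concrete hunt: the AiTM pattern (a phishing proxy captures a session cookie after the victim completes MFA, and the attacker then presents that same session from their own infrastructure) and the Conditional Access gap for CLI, scripted and legacy-protocol logins. The script below is an added example, not code from the report or from Darktrace: it runs both checks over a handful of constructed sign-in records. The field names (`sessionId`, `ipAddress`, `isInteractive`, `clientAppUsed`, `conditionalAccessStatus`, `appDisplayName`) follow the Microsoft Graph `signIn` resource as I know it; the values, thresholds and the `NON_BROWSER_CLIENTS` list are assumptions to be tuned against a real tenant.

```python
"""Added example (not from the report): two hunts over Entra-style sign-in records.

1. AiTM session reuse: the same session identifier presented from a second
   source IP shortly after an earlier use.
2. Conditional Access gaps: sign-ins from scripted, CLI or legacy clients
   where Conditional Access reported "notApplied".

Records follow the shape of Microsoft Graph `signIn` objects; all values are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (field names from Graph signIn; values invented).
SAMPLE_SIGNINS = [
    # Alice: legitimate interactive browser logon, MFA satisfied, CA applied.
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-03-03T09:00:00Z",
     "ipAddress": "203.0.113.10", "isInteractive": True, "clientAppUsed": "Browser",
     "appDisplayName": "OfficeHome", "conditionalAccessStatus": "success",
     "sessionId": "sess-a1"},
    # Same session, seven minutes later, from an unrelated IP: AiTM cookie-replay pattern.
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-03-03T09:07:00Z",
     "ipAddress": "198.51.100.77", "isInteractive": True, "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 Exchange Online", "conditionalAccessStatus": "success",
     "sessionId": "sess-a1"},
    # Bob: browser logon followed by a token refresh from the same IP: normal.
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-03-03T10:00:00Z",
     "ipAddress": "203.0.113.22", "isInteractive": True, "clientAppUsed": "Browser",
     "appDisplayName": "OfficeHome", "conditionalAccessStatus": "success",
     "sessionId": "sess-b1"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-03-03T10:30:00Z",
     "ipAddress": "203.0.113.22", "isInteractive": False, "clientAppUsed": "Browser",
     "appDisplayName": "Microsoft Teams", "conditionalAccessStatus": "success",
     "sessionId": "sess-b1"},
    # Carol: scripted PowerShell login at 02:15 with CA not applied: the CLI gap.
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-03-03T02:15:00Z",
     "ipAddress": "192.0.2.5", "isInteractive": False,
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "appDisplayName": "Microsoft Azure PowerShell", "conditionalAccessStatus": "notApplied",
     "sessionId": "sess-c1"},
    # Dave: legacy IMAP client, CA not applied.
    {"userPrincipalName": "dave@example.com", "createdDateTime": "2025-03-03T03:40:00Z",
     "ipAddress": "192.0.2.9", "isInteractive": False, "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "conditionalAccessStatus": "notApplied",
     "sessionId": "sess-d1"},
]

# Assumed list of clientAppUsed values that do not go through an interactive browser flow.
NON_BROWSER_CLIENTS = {
    "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync",
    "Other clients", "Mobile Apps and Desktop clients",
}


def _ts(record):
    """Parse the ISO-8601 timestamp Graph emits (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def find_session_reuse(signins, window=timedelta(hours=1)):
    """Return (user, sessionId, earlier_ip, later_ip, gap_minutes) for every
    consecutive pair of sign-ins on one session where the source IP changed
    within `window`. Consecutive-pair comparison keeps legitimate long-lived
    sessions that roam slowly from flooding the results."""
    by_session = defaultdict(list)
    for r in signins:
        if r.get("sessionId"):
            by_session[(r["userPrincipalName"], r["sessionId"])].append(r)
    hits = []
    for (user, sid), recs in by_session.items():
        recs.sort(key=_ts)
        for prev, cur in zip(recs, recs[1:]):
            gap = _ts(cur) - _ts(prev)
            if cur["ipAddress"] != prev["ipAddress"] and gap <= window:
                hits.append((user, sid, prev["ipAddress"], cur["ipAddress"],
                             int(gap.total_seconds() // 60)))
    return hits


def find_ca_gaps(signins):
    """Count sign-ins from non-browser clients where Conditional Access was not
    applied, keyed by (user, app, clientAppUsed). Each key is a place where a
    CA-enforced MFA policy is not actually being evaluated."""
    gaps = defaultdict(int)
    for r in signins:
        if (r.get("conditionalAccessStatus") == "notApplied"
                and r.get("clientAppUsed") in NON_BROWSER_CLIENTS):
            gaps[(r["userPrincipalName"], r["appDisplayName"], r["clientAppUsed"])] += 1
    return dict(gaps)


if __name__ == "__main__":
    for hit in find_session_reuse(SAMPLE_SIGNINS):
        print("possible AiTM session replay:", hit)
    for key, n in find_ca_gaps(SAMPLE_SIGNINS).items():
        print("Conditional Access not applied:", key, "x", n)
```

Against real data, feed `find_session_reuse` the interactive and non-interactive sign-in logs together, since the replayed cookie often surfaces first as a non-interactive token request, and treat the `find_ca_gaps` output as a list of apps and protocols to bring under a policy (or block at the protocol level) rather than as individual alerts.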
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)
