Check Point Report States Financial Cyberattacks Doubled in 2025. The Real Story Is Why
There is a comforting story the financial industry tells itself. It goes like this: banks are conservative institutions, tightly regulated, built to absorb shocks, and protected by layers of controls that most companies don’t have. Even when something breaks, the assumption is that the system holds because it has been designed to hold.
The internet has never respected that story. In 2025, it tore through it.
Check Point Exposure Management Research’s 2025 Finance Sector Landscape Report (February 2026) counts 1,858 cyber incidents targeting the global financial sector in 2025, up from 864 in 2024. That is a 115% year-over-year jump. When a number moves that quickly, it is rarely explained by one clever new technique. It usually means something more basic has changed: the cost of attacking has fallen, the tools have become easier to use, and the rewards have become more reliable.
That shift is visible in the mix of incidents, because the report does not describe a single wave. It describes pressure from multiple directions at once. DDoS incidents rose from 329 in 2024 to 674 in 2025. Ransomware incidents climbed from 269 to 451. Breach and leak events jumped from 256 to 443. Defacement attacks reached 278. Each one targets a different weakness, but together they create a pattern that financial leaders should recognise as a business problem, not only a security problem.
The pattern is that attackers are increasingly building leverage in layers. If they can knock a service offline, they can create customer frustration and operational panic. If they can steal data, they can create regulatory exposure and reputational damage even if systems keep running.
If they can deploy ransomware, they can turn the situation into a timed negotiation and amplify it through threats to publish data, contact customers, or pressure partners. The categories that appear separately in a dashboard can now form a single storyline for a victim: disruption becomes distraction, theft becomes leverage, extortion becomes payout.
The return of DDoS as a geopolitical instrument
DDoS is often misunderstood because it is loud. It does not always look sophisticated, and it does not always involve deep access. That is precisely why it works. It is a blunt instrument that reliably creates visible failure.
Banks have spent the last decade turning themselves into software companies. Customers interact with them through apps, websites, payment rails, and embedded finance integrations that sit inside other products. In that environment, downtime is not a technical inconvenience. It is a public event. The moment a login page stalls or a transfer fails, it becomes a reputational problem and a customer support crisis, and it can quickly become a regulatory problem as well.
The report’s DDoS numbers, more than doubling year-on-year, sit comfortably inside what the broader world has been living through since the Russia-Ukraine war, the Gaza conflict, and rising regional tensions in Asia and the Middle East.
Hacktivism has evolved from small groups chasing attention into semi-organised digital militias that coordinate narratives, pick targets based on symbolism, and often time attacks to moments of maximum visibility. Even when the operational damage is temporary, the intent is lasting: shake confidence, embarrass institutions, and demonstrate reach.
The defensive implication is awkward for many organisations because it is expensive and boring. You cannot treat DDoS as a contingency you will address “when it happens” if you are being hit repeatedly and unpredictably. You have to build resilience into your architecture in the same way you build redundancy into payments. That means the right network posture, sensible multi-provider design, constant filtering capability, and the operational muscle memory to sustain a defensive posture while other parts of the organisation are under pressure.
Breaches and leaks are rising because identity still breaks first
If DDoS is about public disruption, breaches and leaks are about quiet leverage.
The report counts 443 breach and leak incidents in 2025, a sharp increase from the year before. In the background, the same themes keep repeating across the sector: access controls that are too permissive, cloud configurations that are wrong in ways nobody notices until it is too late, and third-party integrations that expand the attack surface faster than governance expands to match it.
What is changing is not that banks do not know these problems exist. It is that the ecosystem around exploiting them has matured. Credentials, access, and stolen data are now traded and packaged in markets that allow attackers to specialise. One group gains access. Another monetises. Another uses the material for extortion. Attribution becomes messy not only because defenders are bad at it, but because the adversary supply chain is designed to blur responsibility.
This is why the consequences of breaches and leaks in finance are so disproportionate. Losing data is not only embarrassing. It is often the beginning of a longer chain: customer identity theft, synthetic identity creation, account takeovers, and fraud that shows up months later, long after the incident response timeline has ended and the institution has tried to move on.
Ransomware is no longer just encryption. It is coercion
The report counts 451 ransomware incidents in 2025, and highlights major ransomware families active in the period, including Qilin, Akira, and Clop. It is easy to treat ransomware as a technical event. It is not. It is an organisational stress test.
Modern ransomware is rarely limited to locking files and asking for payment. It increasingly includes data theft, threats of publication, and tactics that expand the blast radius by involving customers or partners directly.
In finance, this is particularly potent because the industry operates under strict disclosure requirements and faces immediate trust erosion when customer data is involved. Attackers understand that the value of ransomware is not only in the encryption. The value is in the boardroom pressure it creates, especially when leadership feels it is running out of time.
The institutions that suffer most are often not the ones with the weakest technology. They are the ones with weak organisational readiness: poor segmentation, unclear recovery priorities, fragile identity governance, and incident response processes that are designed for compliance rather than for real adversaries.
Fraud is becoming automated, and that is the most dangerous shift
The most unsettling element in the report is the normalisation of AI-enabled fraud. The industry has talked about deepfakes and synthetic identities for years, often as a future risk. The report’s framing suggests it is now a present one.
Deepfakes are not scary because they are cinematic. They are scary because they are cheap, scalable, and good enough to bypass processes that were designed in a slower era.
Synthetic identities and AI-assisted impersonation allow criminals to target KYC workflows, trick support agents, and mimic executives in ways that make old verification rituals feel like theatre.
In an ecosystem where onboarding is a growth metric and “frictionless” is treated as a competitive advantage, fraud becomes the tax you pay for speed.
This is also where the global angle matters. The report points to heavy activity not only in the United States, but also in markets such as India, Indonesia, South Korea, the United Kingdom, Brazil, and Latin America.
These are places where digital finance has expanded quickly, often faster than institutional capacity and enforcement can keep up. Attackers don’t need every market to be weak. They just need enough seams in enough places to scale their operations.
Mobile banking is a frontline now, not a channel
A decade ago, mobile security was treated as a specialised topic. Today it is simply banking security, because the phone is where customers authenticate, approve transfers, and receive messages that determine whether a fraud attempt succeeds.
The report highlights advanced mobile banking malware, including Android trojans that attempt to simulate human behaviour and hijack sessions.
What makes that important is not the name of a specific trojan. It is the direction: malware authors are learning to behave like users so that detection tools trained on “obvious bots” don’t trigger. As defensive systems lean more heavily on behavioural signals, attackers are adapting by trying to look normal.
This again is about the economics of attack. When mobile malware can be reused, sold, and updated like any other software product, you should assume it will continue to improve.
Payments are still vulnerable where infrastructure is old
The report also points to the resurgence of payment fraud tied to weak enforcement and legacy infrastructure, including exploitation of magstripe fallback and point-of-sale misconfigurations in parts of Latin America. That matters because payments are where trust becomes tangible. People will tolerate many inconveniences, but they do not tolerate money disappearing.
In regions where the upgrade path is uneven and compliance is inconsistent, attackers do not need to invent a new system. They simply need to find where the old one still exists and apply pressure there. Legacy becomes a map of opportunity.
What 2026 is likely to bring
The report’s warning about 2026 is not a prophecy so much as an extrapolation from incentives. If 2025 showed anything, it is that criminals and politically motivated actors are benefiting from the same conditions: global instability, expanding digital surfaces, and automation that lowers the barrier to entry.
That means more geopolitically motivated DDoS, more ransomware enabled by supply chain and third-party compromise, more cloud-based data breaches driven by misconfiguration and identity weakness, more AI-powered fraud using synthetic identities, more mobile malware attempting to blend into normal user behaviour, and more payment fraud in places where legacy infrastructure creates loopholes.
As Shir Atzil, Cyber Threat Intelligence Analyst at Check Point Exposure Management Research, put it, “Financial cybercrime has entered a new era where AI, automation, and globalized threat networks have dramatically lowered the cost of attack - and massively increased the speed and scale of damage, and attacking every layer of the financial ecosystem - infrastructure, customers and trust. In 2026, staying safe means staying ahead: banks must shift from reactive controls to proactive, AI- intelligence-driven defenses that can anticipate, detect, and disrupt threats before they break through.”
The uncomfortable conclusion for financial leaders
The easiest mistake a bank can make after reading a report like this is to ask security teams to “tighten controls” and treat the surge as a technical deficiency to patch.
The harder conclusion is that 2025 is showing a shift in the operating environment. Financial institutions have become more digital, more interconnected, and more dependent on identity and uptime than ever before. That has made them more scalable as targets, and it has made disruption and fraud more valuable.
This is not only a question of whether defences are good. It is a question of whether the institution is built to function under sustained pressure. That includes architecture, governance, third-party exposure, incident response muscle memory, fraud operations, customer communication, and the internal incentives that decide whether convenience beats verification.
The financial sector likes to imagine it is special because it is regulated. Attackers do not experience regulation as protection. They experience it as leverage, because the more rules you must follow, the more pressure you feel when something goes wrong.
That is why the jump from 864 incidents to 1,858 is not just a statistic. It is a signal that the cost and speed of attacking finance are moving faster than the industry’s ability to slow them down.
And if that imbalance continues, 2025 will look less like an anomaly and more like the year the new baseline arrived.