Research from Quorum Cyber’s Threat Intelligence (TI) team has found a 400% increase in tracked threat actors worldwide. While these vary widely in nature, from well-funded nation-state aligned actors to organised cybercriminal groups and hacktivist collectives, all are a threat to the financial services sector. However, some are a greater threat than others, and our Global Cyber Risk Outlook Report 2025 details the specific groups and nation-states that organisations need to defend against most urgently.
In an insightful Global Cyber Risk Outlook Report 2025 webinar focused on the findings from the report, James Allman-Talbot, Quorum Cyber’s Head of Incident Response and Threat Intelligence, explained that it’s crucial to understand the capabilities that threat actors have and which organisations they target. “Understanding this will help us protect ourselves as a community.”
While it’s often difficult to distinguish one criminal group from another due to the ever-evolving tactics, techniques, and procedures (TTPs) they use, our Threat Intelligence team understands that adversaries are leveraging new technology in the same way that organisations and cyber defenders do. Some criminal groups are becoming more sophisticated in their use of artificial intelligence (AI), but the evidence so far suggests this is limited.
During the webinar, Jack Alexander, Quorum Cyber’s Senior Threat Intelligence Consultant, spoke about how threat actors are leveraging AI tools, such as large language models (LLMs), for research into their targets and to produce more convincing emails to use in phishing and spear phishing attacks.
The report shares specific insights into the types of groups targeting the financial services sector and where those groups originate.
Hacktivist disruption
During periods of regional tensions, politically motivated hacktivist groups are likely to launch distributed denial-of-service (DDoS) attacks targeting financial services, given the sector’s high-profile significance. Quorum Cyber’s threat hunters have observed Russia-aligned cyber groups disrupting Western financial firms in retaliation for their support for Ukraine. Additionally, pro-Palestinian hacktivism poses a risk to the financial sector in Western countries due to their support of Israel, as well as to Gulf nations like the United Arab Emirates that have normalised relations with Israel.
Financially motivated cybercrime
In 2024, several ransomware strains were used to target the financial services industry, notably BianLian, Play, RansomHub, and Kill Security. These variants are expected to pose an increased risk to the sector throughout 2025, likely driven by the potential to gain ransom payments. To counteract stealware operations within the financial services sector, it is advisable to conduct dark web and credential monitoring to reduce criminal opportunities.
During the webinar, Paul Caiazzo, Quorum Cyber’s Chief Threat Officer, said: “There’s a whole universe of financial services firms being targeted”. And Andy Ellis, a member of Quorum Cyber’s Strategic Advisory Board (SAB), explained that criminals do their research, and they find out when deals are due to be signed so that they can send fake contracts to try to steal any money being transferred.
Nation-state threats
North Korea poses the most severe threat to the financial services sector among the Big Four nation-states, followed closely by Iran as a substantial threat, while Russia and China are considered moderate threats. North Korean actors have become the most dangerous state-sponsored threat to the financial services sector, focusing heavily on exploiting vulnerabilities in financial institutions and cryptocurrency exchanges.
North Korea
The UN has imposed heavy sanctions on North Korea, which is determined to continue with its long-range missile programme regardless. To fund this, the world’s most isolated state has developed its capability to breach financial services firms and successfully target cryptocurrency enterprises.
According to the Global Cyber Risk Outlook Report, “Its cyber actors pose the greatest nation-state risk to the financial services industry.” In 2025, North Korean threat actors such as Citrine Sleet, identified by Microsoft in August 2024, will likely continue to exploit software vulnerabilities.
Iran
Quorum Cyber’s Threat Intelligence team sees no reason why Iranian threat actors will stop targeting the financial sector in the UK, France, and Germany – especially if the UK continues to support Israel. The report explains that, “This will also likely expand to include the US finance sector in retaliation to President Donald Trump”. In President Trump’s first term in office, his administration applied a ‘maximum pressure’ policy on Iran’s regime.
Learn more about the threats facing your company today
Watch our short video, where Paul Caiazzo, Chief Threat Officer at Quorum Cyber, sums up what you need to know from our Global Cyber Risk Outlook Report, including hacktivism, geopolitics, organised cybercrime, and attack vectors.