Cyberthreats to the financial sector: forecast for 2025–2026

In this part of our ongoing study of the cyberthreat landscape in the financial sector, we explore which cyberattack methods will be most relevant in the coming years and what threats will arise from implementing new technologies.
Roman Reznikov
Analyst, Research Group of PT Cyber Analytics

Summary

Key findings and conclusions of the study:

  • Phishing emails, ransomware, and DDoS attacks were the most common methods of cyberattacks on financial organizations in 2024 and early 2025.
  • Most often, cyberattacks on financial organizations resulted in confidential data breaches and operational disruptions.
  • The greatest impact on the cybersecurity of the financial sector in 2025–2026 is expected to come from the exploitation of API vulnerabilities and supply chain attacks.
  • Underestimating the risks associated with the implementation of artificial intelligence and the lack of oversight of AI operation could lead to a decline in security posture of financial organizations in the coming years.
  • Despite the difficulty of attacking blockchain projects, cybercriminals are already actively launching cyberattacks on the blockchain infrastructure and code. They steal decentralized currency and hack smart contracts.

About this report

This report presents an overview of the current global cybersecurity threats to the financial sector. It is based on the results of incident investigations, the expertise accumulated by Positive Technologies, and data from reputable sources.

Organizations covered by the study include banks and other credit institutions, insurance companies, payment systems, securities firms, microfinance organizations, and investment funds, among others.

We estimate that most cyberattacks are not made public due to reputational risks. As a consequence, even companies specializing in incident investigation and analysis of hacker activity are unable to quantify the precise number of threats. Our report seeks to draw the attention of companies and individuals to the key motives and methods of cyberattacks, as well as to highlight the main trends in the changing cyberthreat landscape.

This report considers each mass attack (for example, phishing emails sent to multiple addresses) as one attack, not several. For explanations of terms used in this report, please refer to the Positive Technologies glossary.

Introduction

In our study of cyberthreats to the financial sector in 2023–2024, we examined the latest threats, analyzed the dark web market, and identified the major types of non-tolerable events that could occur in financial companies because of cyberattacks. In this part of our ongoing study of the cyberthreat landscape in the financial sector, we explore which cyberattack methods will be most relevant in the coming years and what threats will arise from implementing new technologies.

The financial sector is among the top 5 industries most targeted by cybercriminals. According to our data, it accounted for 5% of successful cyberattacks globally from 2024 to the first quarter of 2025, and 7% in Russia.

Figure 1. Cyberattacks by industry (2024–Q1 2025)

In some regions and countries, financial organizations attract even more attention from cybercriminals. In 2024, for instance, the financial sector was the second most targeted sector in the UAE and Malaysia (after government institutions), and the most targeted sector in Mexico.

The landscape of cyberthreats for financial organizations is influenced by several features specific to the industry:

  • Key role in the economy. Financial organizations ensure the stable operation of the national economy, covering a wide range of tasks: from providing financial services to maintaining the stability of the national currency. The importance of financial organizations to the state makes them a priority target for APT groups and hacktivists.
  • Processing of large volumes of confidential data. Financial organizations process significant volumes of sensitive client data, such as financial, personal, biometric, and medical information. The abundance of data combined with the financial solvency of clients makes financial organizations an attractive target for extortionists and other financially motivated cybercriminals.
  • High interconnectedness. The stable operation of financial organizations depends on their numerous connections with each other, as well as with contractors and suppliers of information solutions and services. Attackers can target even the most secure companies through their suppliers and contractors due to the uneven level of security across different organizations in the industry.
  • The necessity of continuous operation. Any disruption in the provision of financial services negatively impacts the reputation and profits of financial organizations, and attacks on large organizations can lead to problems at the national level. This potential impact attracts two groups of threat actors: hacktivists, who often launch DDoS attacks, and ransomware operators.

By attacking financial organizations, cybercriminals aim to achieve various goals, including data theft (67% of successful cyberattacks), operational disruptions (26%), money theft (5%), or reputational damage. Ransomware groups persuade victims to pay by threatening to destroy or disclose stolen sensitive data.

Figure 2. Consequences of cyberattacks on financial organizations, by attack type (2024–Q1 2025)

It is important to note that a single cyberattack can lead to multiple consequences and non-tolerable events. For example, in June 2024, the ransomware group RansomHub attacked Patelco, a credit organization, which refused to pay the ransom. The attack resulted in a theft of confidential customer data, two weeks of service disruptions due to the shutdown of banking systems, and financial losses estimated at $39 million.

Figure 3. Dark web post offering data stolen from a Russian bank

Types of cyberattacks against financial organizations expected in 2025–2026

Contractors, suppliers, and partners as security threats

The increase in supply chain attacks was a notable trend in cybercriminal activities in 2024. This issue is of particular concern to the financial sector, given the large number of connections and the frequent exchange of information between various organizations. By targeting contractors and suppliers, cybercriminals aim to inject malicious code into IT solution supply chains, gain access to a company's infrastructure through resources available to a trusted partner, or damage the primary target by causing disruptions to its service provider. According to the report by the Bank of Russia on cyberattacks in the financial sector for 2024, supply chain compromise has become the most common method of gaining initial access to the country's financial institutions.

Supply chain attacks are shooting up as the infrastructure-as-a-service (IaaS) market keeps growing. This problem is exacerbated by the fact that IT service providers can work with many financial organizations simultaneously, which allows cybercriminals to damage multiple companies with a single cyberattack. For example, an attack by the RansomEXX ransomware group on C-Edge Technologies, a provider of banking systems, led to disruptions in financial services for approximately 300 small banks in India in the summer of 2024. This attack clearly demonstrates the importance of building defenses against supply chain attacks, as C-Edge Technologies itself was attacked through one of its partners.

In the near future, the number of attacks on financial organizations through contractors and suppliers will continue to grow. Cybercriminals will bypass the established cybersecurity systems of large companies by exploiting trusted relationships with less protected partners. In order to defend against supply chain attacks, it is crucial to carefully assess the security measures of your contractors and partners, incorporate the supply chain compromise into your threat model, grant minimal and strictly segregated access to your systems, and use up-to-date security tools to monitor anomalous user and application activity.

The increasing trend of attacks through trusted relationships will not only impact the security of large financial organizations but also put small and medium-sized businesses that collaborate with large companies at risk. In their search for opportunities to further their attacks, threat actors will increasingly target partners and suppliers. However, they will also harm intermediate targets, especially if they cannot advance further.

One initial access leads to multiple attacks

Selling initial access is one of the primary services offered on the dark web. According to our study, nearly one in ten (9%) access sale ads pertain to the financial sector. The access-as-a-service market poses a serious threat to financial organizations by enabling cybercriminals not only to efficiently divide labor (for example, ransomware operators can quickly purchase initial access rather than obtain it themselves) but also to carry out repeated attacks. Repeated attacks through a single vector obtained by cybercriminals can occur, for example, if the attackers, having already achieved their goal or being unable to further the attack, sell the access to another group. FinCERT reported another scheme of repeated attacks on a financial organization using the same initial access: cybercriminals left a backdoor that allowed them to conduct another attack even after the initial vulnerability was patched.

Figure 4. Selling access to a financial organization in Indonesia on the dark web
Figure 5. Selling access to a bank in Latin America on the dark web

The sale of initial access will remain a serious issue in 2025, and its significance will only grow amid the overall increase in digitalization and the lowering of skill requirements for attackers due to the emergence of automated vulnerability scanning and exploitation tools, as well as AI-powered generation of phishing messages. Inexperienced attackers, unable to advance an attack on their own, are likely to sell the access to more skilled cybercriminals.

APIs are open not only to clients

Application programming interfaces (APIs) are integrated into a variety of information systems, including those of financial organizations. For example, the global market for open banking API, one of the key elements of business digitalization, is growing at approximately 24% per year. The growth of API implementation will continue in the coming years. For instance, the Central Bank of Russia intends to mandate the use of open APIs by 2026, and the number of companies subject to this requirement will gradually increase.

The active implementation of APIs carries significant cybersecurity risks because each insufficiently protected interface can serve as an entry point for cybercriminals. For example, cybersecurity researchers at Tenable discovered around 2,000 vulnerable APIs in leading financial and insurance companies in Southeast Asia. Attackers are currently exploring the possibilities and prospects of API hacking, and the number of attacks on them is already starting to grow. It is also necessary to consider the potential exacerbation of the problem due to shadow APIs, as each unaccounted-for and therefore unprotected interface adds a vulnerable point to the corporate perimeter. By exploiting API vulnerabilities, cybercriminals can steal confidential data and account credentials, infiltrate the victim's infrastructure, and launch supply chain attacks. DDoS attacks on APIs result in service unavailability, leading to disruptions in service delivery to customers. We expect the number of API attacks on financial organizations to increase in the coming years, along with the continued exponential growth in the scale of API adoption in open banking and other processes. To protect APIs, it is critical to approach development responsibly, apply DevSecOps practices, and ensure the security of data transmission for both the application and its clients. Special emphasis should be placed on the secure implementation of authentication. In addition, API keys must never be placed in publicly available sources. For example, in July 2024, Cybernews researchers discovered sensitive data from Brazil's Braza Bank available online, including API keys. Regular inventory checks will prevent the emergence of shadow APIs. To protect against attacks, we recommend using web application firewalls, such as PT Application Firewall.
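One way to run the regular inventory check recommended above is to diff the routes documented in an OpenAPI specification against the paths that the API gateway actually served. The following is an added example, not code from this report or from PT Application Firewall; the documented paths and the access log lines are constructed samples.

```python
import re
from typing import Iterable

# Constructed sample: the documented attack surface, as path templates from an OpenAPI spec.
DOCUMENTED_PATHS = [
    "/v1/accounts/{accountId}",
    "/v1/accounts/{accountId}/transactions",
    "/v1/payments",
]

# Constructed sample gateway access log (Common Log Format style); not real traffic.
ACCESS_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:01:02 +0000] "GET /v1/accounts/8839/transactions HTTP/1.1" 200 1834
203.0.113.11 - - [12/Mar/2025:10:01:03 +0000] "POST /v1/payments HTTP/1.1" 201 212
198.51.100.7 - - [12/Mar/2025:10:01:05 +0000] "GET /v1/accounts/8839 HTTP/1.1" 200 512
198.51.100.9 - - [12/Mar/2025:10:01:09 +0000] "GET /internal/debug/config HTTP/1.1" 200 9031
198.51.100.9 - - [12/Mar/2025:10:01:10 +0000] "GET /v0/accounts/8839/export HTTP/1.1" 200 77120
203.0.113.10 - - [12/Mar/2025:10:01:12 +0000] "GET /v1/accounts/8840/transactions?limit=5 HTTP/1.1" 200 640
"""

# Pulls method and path out of the quoted request line; the query string is dropped.
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?[^ "]*)? HTTP/')


def openapi_path_to_regex(template: str) -> re.Pattern:
    """Turn '/v1/accounts/{accountId}' into a regex that matches one concrete segment per {param}."""
    parts = []
    for segment in template.strip("/").split("/"):
        if segment.startswith("{") and segment.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(segment))
    return re.compile("^/" + "/".join(parts) + "/?$")


def observed_paths(log_text: str) -> set[str]:
    """Distinct request paths that the gateway actually served."""
    found = set()
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if m:
            found.add(m.group("path"))
    return found


def find_shadow_paths(documented: Iterable[str], log_text: str) -> list[str]:
    """Served paths that match no documented template: candidates for shadow APIs."""
    patterns = [openapi_path_to_regex(t) for t in documented]
    shadow = [p for p in observed_paths(log_text) if not any(r.match(p) for r in patterns)]
    return sorted(shadow)


if __name__ == "__main__":
    for path in find_shadow_paths(DOCUMENTED_PATHS, ACCESS_LOG):
        print("undocumented endpoint served traffic:", path)
```

Each reported path is either a forgotten or legacy endpoint to retire, or a gap in the specification to close so that the web application firewall can enforce a schema for it.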

The widespread adoption of artificial intelligence for customer service and information processing also contributes to the increase in the number of vulnerable APIs. According to a report by Wallarm, the number of vulnerable AI-enabled APIs increased tenfold in 2024, and we anticipate that the problem will only worsen in the future as AI solutions become more prominent in the financial sector.

Social engineering forever

According to our data, social engineering remains one of the primary methods used by cybercriminals: in 57% of successful cyberattacks on financial organizations in 2024, various social engineering techniques were employed, mainly via email (87%), to infect victims with malware or steal credentials. Phishing messages can be disguised as communications from government agencies or job offers. They can also pick up on current events, such as disruptions caused by CrowdStrike.

Figure 6. Dark web post searching for a phishing service provider

Social engineering remains effective for two main reasons. First, it targets human emotions, which are an integral part of life. Second, this method is flexible and adaptable. Topics change to align with current events, and payload obfuscation techniques evolve. In late 2024, for example, cybercriminals used specially crafted QR codes and intentionally damaged MS Word files to bypass email security systems. New malicious tools and technologies are also introduced, some of which use AI. To protect against social engineering, it is necessary to regularly inform and train staff, including through simulated phishing attacks. Attention should be given not only to the most common phishing channel—email—but also to messaging apps, fake websites, and phone calls. Penetration tests and automated email security assessment services, such as PT Knockin, can help evaluate a company's defenses against phishing. We expect that social engineering attacks will continue. In the coming years, we will likely see AI solutions on both sides of the barricade: cybercriminals will use generative AI capabilities to create convincing messages, while the defenders will leverage AI to recognize generated content.

Ransom or ruin: the choice is yours

Ransomware was used in almost every second malware-related attack (42%) on financial organizations in 2024–Q1 2025.

Figure 7. Types of malware used in attacks on financial organizations, percentage of attacks (2024–Q1 2025)

Ransomware attacks can have two common types of consequences that financial organizations are not willing to tolerate: operational disruptions and data breaches. Service disruptions affect customer service delivery, and data breaches result in fines and the need to pay compensations to affected customers. Besides, the victim company suffers reputational damage. In addition to the classic methods of infecting companies with ransomware through vulnerability exploitation or phishing campaigns, cybercriminals are targeting financial organizations via attacks on the software supply chain. In one of the cases, cybercriminals attacked a payment processing company from the UAE using a compromised software update from a trusted supplier. The attack disrupted the operations of the financial organization and the retailers that used its services.

If the ransom is not paid, financially motivated cybercriminals attempt to sell the stolen data on the dark web. In 2024, for example, 3.7 TB of data from the Peruvian bank Interbank was put up for sale by extortionists. If a buyer cannot be found or if the attack had a non-financial motive from the start, the perpetrators may release the data publicly to build their reputation and intimidate future victims.

Figure 8. 1.2 TB of data from an Indonesian bank offered by a ransomware gang

In addition to encrypting data and threatening to disclose confidential information, ransomware gangs may threaten financial companies with the complete destruction of their data and disruption of their infrastructure operations.

Figure 9. Ransom demand threatening to delete an Indonesian bank's website 

One way extortionists can pressure an organization is by threatening to disclose a data breach, which would result in reputational damage, as well as the need to pay fines and compensate the personal data subjects. Some cybercriminals motivate their victims to pay by demanding a ransom that is less than the potential fine for a data breach. In countries with turnover-based fines, such as Russia, Brazil (the fine was increased in 2024) and China, this tactic will become more common.

Throughout 2025 and 2026, ransomware will remain a primary type of malware used by cybercriminals. In addition to sophisticated ransomware attacks on large financial organizations, we expect an increase in the number of attacks involving data encryption and destruction targeting small and medium-sized companies with connections to the financial sector. Two important cybersecurity trends may converge in the near future: an increase in attacks on less-protected partners and suppliers, as mentioned earlier, and the growing availability of ransomware to novice cybercriminals who cannot afford to develop or purchase malware. The availability and affordability of ransomware are increasing due to a number of factors. First, there is a plethora of simple and inexpensive ransomware, which we discussed in our study of the cybercrime market. Second, ransomware source code is frequently disclosed, enabling the creation of new versions, as was the case with Babuk. Third, novice cybercriminals can increasingly compensate for their lack of knowledge and skills in ransomware development by using AI, as demonstrated by the FunSec group (see our report on cyberthreats based on data from late 2024 and early 2025). Thus, even novice cybercriminals can acquire or create simple and inexpensive ransomware, which will be sufficient for attacks on small and medium-sized businesses. The disruptions caused by such attacks will harm connected organizations and the entire financial sector.

Malicious QR codes

QR codes as a method of contactless payment are gaining an increasing share of transactions worldwide, with forecasts for further growth. One of the leading regions in terms of QR-code payment adoption is Southeast Asia, where QR codes are widely used even for cross-border payments. In 2023, for example, Bank Indonesia and Bank Negara Malaysia announced the commercial launch of cross-border QR payment connectivity between the two countries.

The increased use of QR codes for payments and information sharing has attracted the attention of cybercriminals. QR code attacks, known as quishing, involve placing phishing links in QR code format and using QR codes to bypass phishing defenses. Many security systems fail to recognize QR codes. And it's impossible for people to detect quishing with the naked eye, unlike common phishing links, where you can spot incorrect characters or other irregularities.

Physical replacement of QR codes by placing a sticker with a malicious QR code over the real one is increasingly common in the transportation sector today: on parking machines or electric scooters, for example. We expect that fraudsters will continue to spread quishing stickers in other public places as well. Therefore, to ensure cybersecurity, it makes sense for financial organizations to immediately implement a process of verifying all QR codes posted on their premises, especially in areas accessible to outsiders.

Although QR codes are relatively rare in emails (according to a study by Cisco Talos, roughly one out of every 500 emails contains QR codes), they can pose a serious security threat as they can evade many anti-spam filters. The challenge of detecting a phishing QR code in an email lies in the fact that the security system must first identify the QR code within the email, scan it, and then analyze the link. Issues can arise as early as during the first step because cybercriminals embed QR codes not only as images but also using ASCII and Unicode characters, which complicates detection. When considering the threat of email quishing, it's important to note that a single attack may affect multiple devices: the victim may open the email with the phishing QR code on one device and scan the code with another device.
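The first detection step described above, finding a QR code that is drawn with block characters rather than attached as an image, can be approached with a simple grid heuristic on the message text. This is an added example, not code from the report or from any vendor product; the e-mail body and the module pattern in it are constructed and encode nothing.

```python
# Characters attackers use to draw QR modules as text instead of an image:
# full block, upper/lower half blocks, shade blocks, filled/empty squares, and plain '#'.
BLOCK_CHARS = frozenset("\u2588\u2580\u2584\u2591\u2592\u2593\u25a0\u25a1\u2b1b\u2b1c#")
MIN_WIDTH = 21   # a version-1 QR symbol is 21 modules wide
MIN_LINES = 11   # 21 module rows drawn with half-block characters collapse to 11 text lines


def is_grid_line(line: str) -> bool:
    """True if the line looks like one row of QR modules: almost only block characters
    and spaces, with a meaningful share of dark modules (so blank lines do not count)."""
    s = line.rstrip("\r\n")
    if len(s) < MIN_WIDTH:
        return False
    dark = sum(ch in BLOCK_CHARS for ch in s)
    light = s.count(" ")
    return (dark + light) / len(s) >= 0.9 and dark / len(s) >= 0.2


def find_text_qr_blocks(body: str) -> list[tuple[int, int]]:
    """Return 0-based (first_line, last_line) ranges of runs of at least MIN_LINES
    consecutive grid-like lines. Such a block should be rasterized and decoded like an image."""
    ranges, start = [], None
    lines = body.splitlines()
    for i, line in enumerate(lines + [""]):      # sentinel closes a run at end of body
        if is_grid_line(line):
            if start is None:
                start = i
            continue
        if start is not None and i - start >= MIN_LINES:
            ranges.append((start, i - 1))
        start = None
    return ranges


def constructed_grid(size: int = 21) -> str:
    """Deterministic module pattern standing in for a real symbol (constructed; it encodes nothing)."""
    return "\n".join(
        "".join("\u2588" if (r * 7 + c * 3) % 5 < 2 else " " for c in range(size))
        for r in range(size)
    )


# Constructed sample message body, not a real phishing e-mail.
SAMPLE_EMAIL = (
    "Dear customer,\n"
    "Your online banking access has been restricted. Scan the code to restore it:\n"
    "\n" + constructed_grid() + "\n\n"
    "Sincerely, Customer Care\n"
)

if __name__ == "__main__":
    for first, last in find_text_qr_blocks(SAMPLE_EMAIL):
        print(f"possible text-drawn QR code at lines {first}-{last}; send to QR decoder")
```

The heuristic only locates candidate blocks; the flagged region still has to be rendered to an image and run through a QR decoder so that the embedded link can be analyzed like any other URL.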

As QR codes for payments become more widespread, cybercriminals will also increase their efforts to attack various stages of the payment process. In the near future, for example, we expect to see the emergence of malware that would replace QR codes on the victim's screen just before payment. A thorough and comprehensive approach to ensuring security of QR code payments is required. Relevant recommendations and security standards are already beginning to emerge. For example, the Bank of Russia approved a recommended standard in February 2025.

Denial of service: a persistent risk for financial systems

DDoS attacks on financial organizations continued throughout 2024. Although such attacks are relatively easy to carry out, they can have a significant impact on financial organizations by triggering non-tolerable events, interrupting service to customers, and sparking public outcry. These factors make DDoS attacks an ideal weapon for hacktivists targeting the financial sector amid the current complex geopolitical climate. An indirect confirmation of the scale of the threat is that DDoS attacks on the financial sector are the most popular topic on dark web platforms.

Figure 10. Message about a successful DDoS attack on an Indonesian bank in a hacktivist group's channel

DDoS attacks on financial organizations can last for several hours, as in the attack on Russia's national payment card system that caused disruptions in the country's fast payment system. They can also extend for several days, as in the six-day attack by hacktivists on a bank in the UAE. In addition to causing service disruptions, which is the most common goal of DDoS attacks, highly skilled cybercriminals may use such attacks to distract security teams from other malicious activities. There are no indications that the number of DDoS attacks could fall in 2025. We expect the trend of using IoT devices to create large-scale botnets for attacks to continue, as well as the implementation of AI technologies to run DDoS campaigns that adapt to the victim's actions.

Cybersecurity of new financial technologies

Artificial intelligence: internal and external threats

AI as source of new vulnerabilities

Generative artificial intelligence is being widely implemented to accelerate software product development, both as programmer assistants (copilots) and as fully autonomous agents. The flipside of accelerating development is the increase in the number of code vulnerabilities, API security flaws, and the exposure of sensitive data in repositories. AI-enabled software development, combined with the widespread use of low-code and no-code solutions (as early as 2022, they were used by 97% of the financial sector), may lead to reduced security for small and medium-sized businesses, for which accelerated development is a vital necessity in a highly competitive environment. For its part, the security of small and medium-sized companies also affects the security posture of the entire industry, as we discussed earlier in the section on supply chain attacks. We urge companies to approach the software development process responsibly, review the generated code, and participate in bug bounty programs, which allow you to identify and fix vulnerabilities before cybercriminals can exploit them.

In addition to being integrated into software development, AI technologies are used for some other tasks in the financial sector, including data and documentation processing, and initial customer service. It is important to remember that any AI solution remains a piece of software, which can become a target of a cyberattack. Cybercriminals have already started looking for ways to attack AI solutions, and they are having some success. In March 2025, attackers managed to steal ETH 55 (worth approximately USD 106,000) by gaining unauthorized access to the control panel of the rxbt bot. The attack not only resulted in the direct loss of cryptocurrency but also led to a drop in the value of the AIXBT token. In addition to the impact of AI on the potential expansion of the attack surface, it is necessary to consider the threat posed by cybercriminals who retrain AI models for malicious activities—for example, embedding backdoors in the generated code.

AI security is a rapidly evolving field that has yet to catch up with the pace at which AI is advancing and being adopted. In the meantime, companies using AI tools must incorporate AI risks into their threat models because, despite all the challenges, cybercriminals will not ignore a new potential attack vector and will learn to breach AI-enabled systems.

AI as a source of disinformation

It is essential to mention the threat of disinformation posed by generative artificial intelligence. In addition to the widespread use of generated content in various fraudulent schemes targeting clients of financial organizations, cybercriminals could potentially conduct a disinformation operation against a targeted organization. In their study, experts at Say No to Disinfo and Fenimore Harper Communications demonstrated the possibility of using generated fake news and advertisements to prompt clients to withdraw their deposits from banks en masse. The potential speed of a bank run can be gauged by the case of Silicon Valley Bank, which collapsed in 2023 when depositors withdrew $42 billion within 24 hours after a panic erupted on social media. Skilled cybercriminals may attempt to provoke a similar public reaction, especially by taking advantage of another negative news event. Financial organizations need to monitor the emergence of such information trends in real-time to issue rebuttals and reassure clients as quickly as possible.

However, AI remains a powerful tool for disinformation even in the hands of low-skilled malicious actors: instead of attempting to cause panic among investors, they can generate other content to discredit the organization and its representatives. Generated disinformation poses a particular danger to cryptocurrency organizations and private investors. In our study on the use of AI in cyberattacks, we noted the popularity of deepfake fraud in the context of cryptocurrencies. Digital financial assets are prone to higher volatility, and the market is highly sensitive to any news triggers. For example, a deepfake involving the creator of a cryptocurrency or a fake news story can significantly impact the cryptocurrency's value.

Biometrics

Biometric payment is a promising sector of contactless payments. It is being implemented today in many countries along with other technologies that use biometric data for identifying people in security systems, authentication on multiple devices, and two-factor authentication. Despite the numerous advantages of biometrics, such as customer convenience and enhanced security due to the difficulty of forgery, it is essential to consider the cyberthreats inherently associated with biometric data.

The greatest risks lie in storing biometric data, the leakage of which may lead to irreparable consequences: affected company employees and clients obviously cannot change their biometric data, unlike their login credentials. It is critical to strongly protect stored biometric data, as cybercriminals are already eyeing it for theft, extortion, and subsequent attacks. In recent years, there have been several high-profile attacks that involved stealing biometric data of large numbers of people. For example, a data breach occurred at FacePass, a Brazilian identification app, in March 2025. The stolen data included national identity card information and verification selfies, among other things. The theft of verification selfies, along with other personal data, is particularly dangerous given the evolving technology of deepfakes. This threatens not only individuals whose data has fallen into the hands of cybercriminals, but also organizations that implement biometric services. Malicious actors who possess a set of an individual's biometric data, ID scans, and other personal information can not only exploit existing accounts but also create new ones for further fraud.

Blockchain, smart contracts, and central bank digital currencies (CBDCs)

The financial sector worldwide is beginning to implement blockchain technologies such as asset tokenization and smart contracts. According to Chainalysis, Central and South Asia and Oceania lead in cryptocurrency adoption, with Indonesia having the highest index of decentralized finance (DeFi) usage. Blockchain technologies are finding potential applications both in domestic financial services markets, such as for real estate tokenization in Dubai, and in international trade. For example, one of the topics of Brazil's BRICS presidency will be the use of blockchain for international transactions. By early 2025, the total value locked (TVL) in DeFi projects has increased, fluctuating between $90 million and $110 million. Digital asset markets are showing high growth rates. For example, the digital financial asset market in Russia grew more than fourfold in 2024, which can largely be attributed to the low base effect. The rapid adoption of the technology is causing significant concerns in terms of cybersecurity of blockchain systems: cybercriminals stole nearly $1.5 billion from the Web3 infrastructure in 2024, and 2025 began with several high-profile crypto thefts, such as the ByBit and Abracadabra Finance heists.

Security of blockchain projects

According to a study of Web3 breaches conducted by the blockchain security team at Positive Technologies, the most popular methods of attacking blockchain projects in 2024 were exploitation of access control vulnerabilities and compromise of private keys. These methods target the infrastructure of blockchain projects rather than the technology itself. However, infrastructure compromise can result in significant damage. For example, the DMM Bitcoin heist was the largest theft of 2024, resulting in a loss of $308 million. Similarly, the ByBit heist in 2025 caused a loss of $1.4 billion, the largest so far this year.

Companies using blockchain need to carefully ensure the security of their infrastructure and employees, as despite the use of new technology, attackers can still employ old social engineering techniques to gain initial access to the system.

Figure 11. Message on the dark web about sold access to a Malaysian blockchain project

In addition to infrastructure attacks, there are several types of attacks directly targeting blockchain technology itself. These are less common but can be used by highly skilled cybercriminals, especially against smaller public blockchain projects:

  1. Sybil attack

In a Sybil attack, cybercriminals create numerous centrally controlled nodes to manipulate legitimate nodes or achieve a 51% attack.

Sybil attacks can be direct (when fraudulent nodes directly interact with legitimate nodes) or indirect (when fraudulent nodes are not integrated into the network of legitimate nodes but act through specific intermediary participants).

Figure 12. Direct and indirect Sybil attack schemes

  2. 51% attack (majority attack)

A 51% attack occurs when cybercriminals control the majority of a blockchain network. By controlling more than half of the network's total hashrate (computing power), attackers can bypass the consensus mechanism¹ and impose arbitrary changes to the blockchain on the rest of the network: alter and exclude transactions, create alternative chains, carry out double-spending, and engage in selfish mining.

The larger the targeted network, the more resources attackers will need to spend to execute a 51% attack. For example, such an attack on Bitcoin would cost nearly $1.5 million per hour. Therefore, these attacks pose a greater threat to smaller blockchain projects, where the costs would not be as high.


1. The consensus mechanism (algorithm) coordinates the decentralized network, maintaining agreement among network nodes on the current state of data and ensuring that all users have identical databases.


  3. Routing attack

Cybercriminals could potentially attack internet service providers and the network infrastructure to manipulate blockchain data flows. In routing attacks, they intercept and redirect data to split the network, isolate individual node chains, and manipulate their operation.

  4. Selfish mining

Selfish mining is a fraudulent blockchain mining tactic where an attacker deliberately withholds a discovered block to continue mining subsequent blocks faster than honest miners.

For example, a selfish miner finds block number N+1 but does not disclose this information. While other miners are searching for N+1, the selfish miner is already looking for N+2 and subsequent blocks. In a proof of work system, the chain with the most blocks is considered valid. Therefore, the selfish miner can publish a chain with one more block than the honest miners and claim the rewards for the blocks found.

Selfish mining can potentially lead to honest miners joining the selfish ones until one of the pools reaches 51%, but such security issues can crash the value of the cryptocurrency, thus affecting the profitability of mining.

Figure 13. Selfish mining
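To put a number on the withholding tactic described above, here is an added Monte Carlo model, written for this page rather than taken from the report, of the state machine used in the Eyal and Sirer selfish-mining analysis. It returns the share of main-chain blocks the withholding pool ends up with, so the operator of a small proof-of-work network can see at which hashrate share the tactic starts to pay more than honest mining. Assumed parameters: alpha is the pool's hashrate fraction and gamma the fraction of honest miners that build on the pool's block when two blocks of equal height compete.

```python
import random

def selfish_mining_share(alpha, gamma=0.0, blocks=200_000, seed=7):
    """Monte Carlo of the block-withholding strategy described above.
    alpha: hashrate fraction of the withholding pool; gamma: fraction of
    honest miners that build on the pool's block when two blocks of equal
    height compete. Returns the pool's share of blocks in the final chain."""
    rng = random.Random(seed)   # fixed seed: reproducible result
    lead = 0                    # hidden pool blocks beyond the public chain
    tie = False                 # two equal-height branches are being raced
    pool = honest = 0           # blocks each side keeps in the main chain
    for _ in range(blocks):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:
                pool += 2                  # pool extends its branch, wins both
            elif rng.random() < gamma:
                pool += 1                  # honest miner built on pool's block
                honest += 1
            else:
                honest += 2                # honest branch wins the race
            tie = False
        elif pool_found:
            lead += 1                      # withhold the new block
        elif lead == 0:
            honest += 1                    # nothing hidden: honest block stands
        elif lead == 1:
            lead, tie = 0, True            # publish hidden block: race begins
        elif lead == 2:
            pool += 2                      # publish both; honest block orphaned
            lead = 0
        else:
            pool += 1                      # publish one block, keep the lead
            lead -= 1
    return pool / (pool + honest)

def closed_form_share(alpha, gamma=0.0):
    """Expected pool revenue share from the Eyal-Sirer analysis, used here
    to check the simulation (valid for alpha < 0.5)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den

if __name__ == "__main__":
    for a in (0.2, 0.3, 0.4):
        print(f"alpha={a}: simulated {selfish_mining_share(a):.3f}, "
              f"closed form {closed_form_share(a):.3f}, honest share {a}")
```

With gamma = 0 the simulated share falls below alpha for small pools and rises above it once the pool holds roughly a third of the hashrate, which is why the threat concentrates in small networks.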

  5. Double spending: race attack and Finney attack

Some fraudulent methods allow for double-spending of cryptocurrency, meaning the repeated use of a single unit of digital asset. Double spending is possible because it takes some time to confirm a transaction on the blockchain, during which a scammer may manage to conduct a new transaction with the same digital asset. To execute double-spending, attackers employ a range of different attacks:

A race attack involves simultaneously sending two transactions with the same digital asset. The first transaction is sent to the victim (for example, the seller of a product) and contains information about the transfer of the digital asset, while the second is broadcast to the blockchain, signaling that the digital asset remains with the fraudster. The victim, who initially sees the first transaction, thinks they have received payment, but the blockchain confirms the second transaction instead. As a result, the victim does not receive the funds.

A Finney attack involves a specific sequence of actions: the cybercriminal pre-mines a block and adds a transaction between their two accounts, A and B, to this block. The cybercriminal then makes a payment with the same digital assets from their account A to the victim's account C. If the victim accepts the transaction without confirmation, the scammer can publish the pre-mined block, and when it is confirmed, the payment to the victim will become invalid.
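For the double-spending attacks above, the merchant-side control is to wait for confirmations before treating a payment as final. The added example below, which is not code from the report, implements the catch-up probability from the Bitcoin whitepaper to turn an assumed attacker hashrate share q and an acceptable risk level into a required confirmation depth; z = 0 corresponds to accepting an unconfirmed payment, the setting of the race and Finney attacks, and q at or above 0.5 is the 51% attack case.

```python
from math import exp, factorial
from typing import Optional

def double_spend_success(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hashrate
    eventually replaces a chain in which the victim's payment already has
    z confirmations (Poisson approximation from the Bitcoin whitepaper).
    With q >= 0.5 the attacker is certain to catch up: the 51% attack."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p          # expected attacker blocks while honest miners find z
    caught_up = 0.0          # probability the attacker does NOT overtake
    for k in range(z + 1):
        poisson = lam ** k * exp(-lam) / factorial(k)
        caught_up += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up

def confirmations_needed(q: float, max_risk: float,
                         limit: int = 1000) -> Optional[int]:
    """Smallest confirmation depth a merchant should wait for so that the
    double-spend success probability drops below max_risk, or None if no
    depth up to `limit` achieves it (always the case for q >= 0.5)."""
    for z in range(limit + 1):
        if double_spend_success(q, z) < max_risk:
            return z
    return None

if __name__ == "__main__":
    # Constructed scenarios: a 10% and a 30% attacker, 0.1% acceptable risk.
    for q in (0.1, 0.3):
        print(f"q={q}: wait {confirmations_needed(q, 0.001)} confirmations; "
              f"unconfirmed (z=0) risk = {double_spend_success(q, 0):.1f}")
```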


We anticipate that the total number of attacks on blockchain projects, as well as the damage from them, will increase in the coming years, following the overall expansion of the blockchain industry. In the future, most attacks on blockchain projects will target their infrastructure rather than the technology itself, as attacks on the blockchain technology require cybercriminals to have profound knowledge and specific skills, as well as an in-depth understanding of blockchain's logic, consensus mechanisms, and cryptography.

Security of smart contracts

The smart contract market is expected to grow steadily in the coming years, with the financial sector being a key driver of adopting the technology for various purposes. For example, major Russian banks have already started using smart contracts for trade deals and insurance.

Although smart contracts operate on blockchain platforms, they remain programs susceptible to a range of attacks and vulnerabilities that cybercriminals exploit to disrupt contract operations and steal funds. The compromise of private keys poses a serious threat to smart contracts as well: a cybercriminal who obtains a private key gains the ability to manipulate the smart contract and steal funds. For example, the Zoth protocol was hacked twice in March 2025. The first time it was a sophisticated attack exploiting logical flaws, and the second hack used a compromised private key. As a result, the attacker stole the equivalent of $8.4 million.

Top 5 threats to smart contracts according to OWASP (2025 version):

  1. Access control vulnerabilities

By exploiting access control vulnerabilities in smart contract functions, attackers can perform unauthorized actions. Access control for smart contracts, as in regular programs, must strictly segregate and limit user capabilities, promptly granting and revoking permissions as necessary. In February 2025, the payment company Infini lost $50 million due to a former employee who misused his unrevoked administrator privileges.

  2. Price oracle manipulation

By interfering with the channels through which a digital oracle receives external data, a cybercriminal can affect the contract's logic, potentially leading to financial losses and system instability. For example, the Vow project tested a smart contract on the mainnet with a rate change in August 2024. An automated scam bot exploited the time interval between the rate change transactions and the cancellation of the change to mint and sell 2 billion VOW tokens. As a result of the attack, Vow lost almost $1.2 million.

  3. Logic errors

Logical errors in smart contracts can lead to incorrect transaction processing, improper token distribution, and consequently, financial losses. For example, an attacker exploited a vulnerability in an outdated version of the Fusion1 contracts and stole $5 million in March 2025. The attack highlights the importance of timely software updates. Interestingly, the affected platform, 1inch, managed to recover most of the funds by negotiating a reward payment with the cybercriminal for discovering the vulnerability.

  4. Lack of input validation

If input values are insufficiently validated, a cybercriminal can intentionally input malicious data to disrupt the contract's logic and manipulate its operation. In August 2024, a malicious actor exploited the lack of input validation for a parameter in the Convergence Finance smart contract. The cybercriminal issued and then sold tokens intended for issuance, amounting to approximately $210,000. Additionally, following the attack, the value of the CVG token dropped by more than 99%. 

  5. Reentrancy attacks

Cybercriminals can exploit vulnerabilities in smart contracts to conduct a reentrancy attack. Attackers repeatedly call a contract function before the previous call has completed. Such an attack results in unauthorized invocation of smart contract functions, corruption of the contract's state, and interference with its normal operation. For example, in September 2024, a reentrancy attack resulted in a theft of $27 million from the DeFi platform Penpie.
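As an added illustration, not code from the report or from any of the projects named, the following Python model shows the reentrancy pattern against a withdraw() function and the checks-effects-interactions fix; the chain state, the vault and the caller are constructed toy objects standing in for Solidity contracts, and the receive hook plays the role of a contract's receive()/fallback() function.

```python
BALANCES = {}   # constructed toy chain state: account -> native balance

def transfer(src, dst, amount):
    """Move native funds; paying a contract-like object runs its receive hook,
    which is the external call a reentrancy attack abuses."""
    if BALANCES.get(src, 0) < amount:
        raise RuntimeError("insufficient funds")
    BALANCES[src] -= amount
    BALANCES[dst] = BALANCES.get(dst, 0) + amount
    if hasattr(dst, "on_receive"):   # like Solidity's receive()/fallback()
        dst.on_receive()

class VulnerableVault:
    """withdraw() makes the external call before zeroing the balance."""
    def __init__(self):
        self.deposits = {}
    def deposit(self, who, amount):
        transfer(who, self, amount)
        self.deposits[who] = self.deposits.get(who, 0) + amount
    def withdraw(self, who):
        amount = self.deposits.get(who, 0)
        if amount:
            transfer(self, who, amount)   # interaction first: the bug
            self.deposits[who] = 0        # effect applied too late

class HardenedVault(VulnerableVault):
    """Checks-effects-interactions: update state before the external call
    (a mutex-style reentrancy guard is a common second layer on top)."""
    def withdraw(self, who):
        amount = self.deposits.get(who, 0)
        if amount:
            self.deposits[who] = 0        # effect first
            transfer(self, who, amount)   # then interaction

class ReentrantCaller:
    """Account whose receive hook calls withdraw() again mid-payout."""
    def __init__(self, vault):
        self.vault = vault
    def on_receive(self):
        if BALANCES.get(self.vault, 0) > 0:   # re-enter while funds remain
            self.vault.withdraw(self)

def run_attack(vault_cls):
    """Vault already holds 100 of other users' funds; the caller deposits 10
    and calls withdraw() once. Returns (caller balance, vault balance)."""
    vault = vault_cls()
    attacker = ReentrantCaller(vault)
    BALANCES.clear()
    BALANCES.update({vault: 100, attacker: 10})
    vault.deposit(attacker, 10)
    vault.withdraw(attacker)
    return BALANCES[attacker], BALANCES.get(vault, 0)
```

Against the vulnerable vault the single withdraw() call drains all 110 units; against the hardened vault the re-entered call finds a zero balance and the caller simply gets its own 10 back.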

Since many vulnerabilities and attack methods on smart contracts are similar to those on "classic" systems, we expect cybercriminals to target smart contracts more frequently in the near future, driving up the number of attacks on them. Companies using smart contracts need to implement secure development processes from the start, systematically assess the security and reliability of the contracts, and identify potential vulnerabilities. Special checklists can help with this. For example, experts at Positive Technologies developed a checklist for auditing the TON platform.

Cybersecurity of CBDCs

At the time of the study's publication, more than 100 countries around the world are at various stages of researching, developing, pilot-testing, and implementing central bank digital currencies (CBDCs), which could potentially create a reliable, secure, and easily traceable alternative to fiat currencies. Implementing and maintaining a CBDC is complex and costly, and not all projects will reach full-scale operation. For example, Ecuador abandoned its CBDC shortly after its launch due to a number of issues, particularly the lack of engagement from citizens and businesses.

Although central bank digital currencies utilize technologies similar to those of common cryptocurrencies, they differ significantly in terms of potential non-tolerable events. One of the most dangerous consequences for classic, decentralized cryptocurrencies is the theft of funds. Stolen funds are very difficult to recover, especially considering that cyberthieves always cover their tracks quickly by laundering the funds and converting them into other asset formats. For a de facto centralized and controlled CBDC, the threat of asset theft is less severe because cybercriminals are much easier to track and fraudulent transactions can be reversed. However, attacks aimed at disrupting the operation of a CBDC pose a much greater threat. A CBDC ecosystem contains numerous connections both within the banking infrastructure and outside of it, potentially exposing a wide attack surface to cybercriminals.

Figure 14. Connections within a CBDC ecosystem, with potential attack points marked by red crosses and ovals
Source: https://www.imf.org/en/Publications/fintech-notes/Issues/2024/08/27/Cyber-Resilience-of-the-Central-Bank-Digital-Currency-Ecosystem-554090

As CBDCs are increasingly adopted and their use expands globally, we anticipate attacks on these digital currencies primarily from politically motivated cybercriminals. The financial sector is already a prime target for hacktivists, and the direct connection of a CBDC with the issuing state will make it a priority target.

Citizens beware

Authentication data must be kept secret

Clients of financial organizations need to be aware that unreliable authentication data and careless handling of it can lead to theft of funds, exposure of sensitive data, and misuse of the account by malicious actors. Scammers may use the victim's accounts to make fraudulent transfers in an attempt to cover their tracks. The person whose accounts are used risks being listed as an accomplice in criminal activities.

Biometric data: from cradle to grave

The widespread adoption of biometric authentication and biometric acquiring will prompt cybercriminals to steal individuals' biometric data. We urge you to handle the distribution of your biometric data responsibly. Minimize the number of services to which you provide it because, if exposed, biometric data cannot be changed. In the future, biometric extortion may emerge. In this scenario, cybercriminals would demand ransom from individuals, threatening to disclose or exploit their biometric data.

Digital future, fraud-ridden present

Despite the fact that many digital currencies are still in the planning, development, or limited use stages, cybercriminals have already begun to take advantage of this new, unfamiliar payment method. We warn that as the full launch of digital currency approaches in each individual country, the popularity of this topic in fraud schemes will also increase. But even after the launch, people must stay vigilant because the efforts to popularize a new currency (for example, coupons were distributed in China for payments using the digital yuan) provide fertile ground for fraudulent schemes.

In addition to phishing campaigns, cybercriminals may conduct campaigns to deliver trojans targeting CBDC applications in every country that brings its CBDCs to the stage of large-scale testing and operation. These campaigns would be similar to the widely used banking trojans that target conventional financial applications.

Good information is verified information

Cybercriminals can use any topics and pretexts for social engineering attacks aimed at collecting customer credentials or infecting devices with banking trojans². We strongly recommend staying vigilant and remembering that attackers use all channels: phone calls, phishing emails and messaging apps, social media news, fraudulent advertisements, and even fake banking apps in official stores. No matter how enticing or alarming a message may be, no matter how authoritative or urgent it seems, we urge you not to rush into providing codes, clicking on links, downloading files and applications, or scanning QR codes. At the slightest suspicion, it's better to double-check the information first and directly contact the bank for clarification. In the worst case, it will take an extra five minutes, but it will reliably protect you against much greater losses from an attack.


2. Banking trojans are malicious software designed to steal financial information, such as bank card numbers, online banking passwords, and cryptocurrency wallet addresses.

Conclusions

The financial sector possesses qualities that create a distinctive cyber landscape. First, the sector is critical to the state, businesses, and individuals. Second, it must operate continuously without interruption. Third, there are extensive horizontal connections within the industry and with external parties, including clients and suppliers. Finally, the sector implements many cutting-edge technologies, the security of which still needs to be addressed.

Given the significant diversity of attacks, which will continue in the coming years, fueled by both ideological and financial motives, financial organizations must focus on consistently applying the result-driven cybersecurity approach to prevent non-tolerable events. Information security must be ensured at all levels: at the level of employees, infrastructure, and relationships with contractors, suppliers, and partners. This can only be achieved by being alert, using up-to-date cybersecurity tools and methods, and implementing new technologies in a responsible manner.

Figure 15. Methods of cyberattacks on financial organizations: percentage of successful attacks (2024–Q1 2025)

Figure 16. Objects of cyberattacks on financial organizations: percentage of successful attacks (2024–Q1 2025)

Figure 17. Malware delivery techniques used in cyberattacks on financial organizations: percentage of successful attacks (2024–Q1 2025)
