January 2025 Security Issues in Korean & Global Financial Sector

This report comprehensively covers actual cyber threats and security issues that have occurred in the financial industry in South Korea and abroad.

This includes the analysis of malware and phishing cases distributed to the financial sector, the Top 10 malware families targeting the financial sector, and statistics on the industries affected by leaked South Korean accounts. A case of phishing emails distributed to the financial sector is also covered in detail.

Additionally, the analysis covers major financial threats and cases that occurred on the dark web, including the threat and cases of credit card data breaches and database breaches in financial institutions. It also includes the threat and cases of ransomware attacks targeting the financial sector, and various cyber threats and actual cases of attacks targeting financial institutions.

Financial issues in Deep Web & Dark Web

Database Leak

Affected Company: g***.mx/***

It has been revealed that data from Banco ***, a state-owned financial institution in Mexico, is being sold on the cybercrime forum BreachForums.

The institution primarily manages and distributes funds for Mexico’s social welfare programs. It aims to promote savings among Mexican citizens (both domestic and abroad) and provides primary and secondary financial support, including savings accounts and remittance services. The institution’s mission is to build an ethical and socially inclusive financial system, ensuring access to grants, pensions, and scholarships to realize development rights.

The threat actor, known as Th3F0x_101, claims to have leaked a small amount of legacy data related to user and admin panels. The released sample screenshots include internal user and admin account information and the user management system interface. The threat actor stated that no IP or URL information was included and mentioned that more information could be extracted using the Yopmail nickname used during testing. Yopmail is a website that provides temporary email services. The threat actor has provided a link to download the email and user list and is threatening to release more information in the future.

This data breach, involving a financial institution that manages funds for government-run social welfare programs, could significantly impact national trust. The threat actor’s pressure to release additional data increases the likelihood of further sensitive information being exposed. Given the exposure of admin panel and user account information, there is a high risk of malicious access attempts. The Mexican government must promptly investigate the validity of the leaked data and strengthen security measures to prevent secondary damage. 

Additionally, swift action and transparent information disclosure are necessary to minimize the legal and economic impacts of the data breach.

Figure 1. Data released for sale on BreachForums

Ransomware Breach

Ransomware: BASHE

Affected Company: ***bank.com

The ransomware group BASHE has claimed responsibility for a ransomware attack on *** Bank, a multinational financial institution based in India.

Established in 1955, *** Bank operates in global financial markets, including India, Canada, China, Hong Kong, Germany, Singapore, the UK, and the USA. The bank offers a wide range of financial services to individual and corporate clients, such as accounts, deposits, loans, cards, investments, and insurance. As of December 2021, the bank’s total assets were reported to be INR 16.829 trillion. By May 2024, *** Bank had 6,004 branches and 17,067 ATM/CRM networks across India, along with a global network. It has been named ‘Bank of the Year’ for five consecutive years in the BT KPMG Best Banks survey for 2023-24, earning significant customer trust.

BASHE ransomware group claims to have stolen a large amount of customer data from *** Bank’s internal systems. To prove their credibility, they released a sample of the customer database, including names, national identification numbers, account types, genders, residential addresses, and ages. They have also indicated their willingness to sell this data to third parties and threatened to release the entire dataset if their ransom demands are not met by January 24, 2025. This ransomware attack on *** Bank, a major player in the global financial market, could severely damage the bank’s reputation and customer trust. Given the bank’s extensive customer data, the breach could escalate into an international security incident. 

The release of actual data samples and the threat of further leaks not only validate the data’s authenticity but also increase the risk of secondary attacks, such as account takeovers or financial fraud. The bank must immediately activate its incident response protocols to prevent further damage and conduct a thorough vulnerability assessment of its security systems. Transparent disclosure of the incident and response measures is crucial to maintaining customer trust, along with developing a long-term security improvement plan. 

This incident highlights the ongoing ransomware threat to the global financial sector.


Figure 2. Victim companies listed on BASHE ransomware group DLS

Cyber Attack Incident

Affected Company: https://www.***bank.ch/de/

The pro-Palestinian hacktivist group RootDos launched a large-scale DDoS attack on *** Bank, a major financial institution in Switzerland.

Founded in 1958, *** Bank is a subsidiary of Switzerland’s largest supermarket chain, *** Group. The bank primarily focuses on providing various financial services, including accounts, cards, loans, and investments, within Switzerland. Its main customer base consists of retail customers, affluent individuals, SMEs, and real estate clients. *** Bank is the fourth-largest mortgage lender in Switzerland and ranks seventh in total assets. It employs approximately 1,700 people and operates over 70 branches nationwide.

Forbes ranked *** Bank as the third-best bank in the world in 2024, and credit rating agency Standard & Poor’s awarded it an “A” rating, recognizing its strong capital and profitability. RootDos conducted intensive DDoS attacks on January 6 and 7, 2025, causing a complete shutdown of *** Bank’s core financial services, including its online banking system and ATM network. The official website was also inaccessible, severely disrupting customers’ access to financial services. 

The DDoS attack on *** Bank, ranked as the third-best bank globally and a major financial institution in Switzerland, had significant repercussions. RootDos continues to carry out indiscriminate DDoS attacks across industries and countries to spread political messages, posing a growing threat to global financial system stability. The service disruption affected 1.7 million retail and corporate customers, raising concerns about the overall stability of the Swiss financial market.

To restore customer trust, *** Bank must significantly enhance its DDoS defense infrastructure and reorganize its emergency response system to ensure financial service continuity. This incident underscores the need for increased cyber resilience across the Swiss financial sector. With the rise in politically motivated attacks by hacktivist groups, it is urgent to review and improve the security posture of critical financial infrastructure.

Figure 3. Post uploaded on RootDos Telegram channel after their DDoS Attack

MD5
