March 2025 Security Issues in Korean & Global Financial Sector
This report comprehensively covers actual cyber threats and security issues that have occurred in the financial industry in South Korea and abroad.
This includes an analysis of malware and phishing cases targeting the financial industry, a list of the top 10 malware strains that target the industry, and statistics on the industries of the Korean accounts leaked on Telegram. A case of phishing email distribution targeting the financial industry is also covered in detail.
The report also analyzes major financial threats and cases that occurred in the dark web. It looks into threats and cases of credit card data breach, database breach, ransomware, and other cyber attacks that targeted the financial sector.
Summary of Key Deep Web and Dark Web Issues Related to the Financial Sector
– Cases of Credit Card Information Leaks
Affected Company: 40 GB of credit card details offered for sale on BreachForums
A threat actor identified as “420” claims to be selling over 40 GB of card data from the largest stolen-card marketplace, BidenCash, on BreachForums and has released sample data to back up the claim. The data is believed to have been leaked from an unknown seller’s database and includes masked card numbers, expiration dates, CVVs, cardholder names, countries, banks, classes, and brands.
While the immediate risk of misuse is lower due to the masked card numbers, the inclusion of expiration dates and CVVs poses a significant threat for account takeovers and phishing attacks. Financial institutions and e-commerce companies should enhance monitoring efforts, considering the possibility of the leaked card data being resold on the dark web. Implementing machine learning-based anomaly detection technologies to identify unusual transactions in card payment systems is crucial. This incident underscores the need for companies to review internal data leak pathways and strengthen data management policies with partners and third parties.
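The anomaly-detection recommendation above can be made concrete. The following is an added example, not code from the report or from any vendor it mentions: a streaming per-card detector in Python that scores each transaction against that card's own accepted history (amount z-score) and a velocity rule (distinct countries used within a short window). The transaction records, masked card numbers and thresholds are constructed for illustration.

```python
"""Added example (not from the report): a streaming per-card anomaly
detector for card transactions. Two signals are combined: an amount
z-score against the card's own accepted history, and a velocity rule
on how many countries the card is used from within a short window.
All records, masked PANs and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Txn:
    card: str          # masked PAN used as a token id, never the full number
    ts: datetime
    amount: float
    merchant: str
    country: str


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: card ...1111 has a steady domestic pattern, then a
# night-time burst of high-value, multi-country purchases; card ...2222
# has too little history for a statistical verdict.
SAMPLE_TXNS = [
    Txn("411111******1111", _t("2025-03-01T09:00"), 25.0, "cafe-seoul", "KR"),
    Txn("411111******1111", _t("2025-03-02T12:30"), 30.0, "grocery-seoul", "KR"),
    Txn("411111******1111", _t("2025-03-03T18:10"), 22.0, "cafe-seoul", "KR"),
    Txn("411111******1111", _t("2025-03-04T08:45"), 28.0, "transit-seoul", "KR"),
    Txn("411111******1111", _t("2025-03-05T13:00"), 35.0, "grocery-seoul", "KR"),
    Txn("411111******1111", _t("2025-03-06T19:20"), 27.0, "restaurant-seoul", "KR"),
    Txn("411111******1111", _t("2025-03-08T03:02"), 950.0, "electronics-online", "US"),
    Txn("411111******1111", _t("2025-03-08T03:05"), 900.0, "giftcards-online", "BR"),
    Txn("411111******1111", _t("2025-03-08T03:07"), 26.0, "donation-online", "NL"),
    Txn("522222******2222", _t("2025-03-02T10:00"), 100.0, "fuel-busan", "KR"),
    Txn("522222******2222", _t("2025-03-03T10:00"), 500.0, "furniture-busan", "KR"),
]


def score_transactions(txns, z_threshold=3.0, window=timedelta(minutes=10),
                       max_countries=2, min_history=5):
    """Return [(txn, [reasons])] for transactions judged anomalous.

    Records are processed in timestamp order. A card's baseline is built
    only from its own earlier transactions that were *not* flagged, so
    there is no look-ahead and a fraud burst does not poison the baseline.
    """
    baseline = defaultdict(list)   # card -> amounts of accepted transactions
    recent = defaultdict(list)     # card -> every transaction inside `window`
    flagged = []
    for txn in sorted(txns, key=lambda t: t.ts):
        reasons = []
        hist = baseline[txn.card]
        if len(hist) >= min_history:
            mu, sigma = mean(hist), pstdev(hist)
            if sigma == 0:                       # perfectly flat history
                sigma = max(0.1 * mu, 0.01)
            z = (txn.amount - mu) / sigma
            if abs(z) > z_threshold:
                reasons.append(f"amount z-score {z:.1f} against card baseline")
        # Velocity: keep only transactions inside the sliding window, then
        # count distinct countries (flagged ones still count as activity).
        recent[txn.card] = [t for t in recent[txn.card] if txn.ts - t.ts <= window]
        recent[txn.card].append(txn)
        countries = sorted({t.country for t in recent[txn.card]})
        if len(countries) > max_countries:
            reasons.append(f"{len(countries)} countries within {window}: {countries}")
        if reasons:
            flagged.append((txn, reasons))
        else:
            hist.append(txn.amount)
    return flagged


if __name__ == "__main__":
    for txn, reasons in score_transactions(SAMPLE_TXNS):
        print(f"{txn.ts:%Y-%m-%d %H:%M} {txn.card} {txn.amount:>8.2f} "
              f"{txn.country}  <- {'; '.join(reasons)}")
```

Two design choices matter in practice: the baseline excludes flagged transactions so a cash-out burst cannot raise the card's "normal" spend, and a card with fewer than `min_history` accepted transactions gets no statistical verdict at all, which is why the second card's jump from 100 to 500 is left to rule-based or issuer-level controls rather than reported as an anomaly.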

Figure 3. Stolen credit card details up for sale on BreachForums
– Case of Database Leak
Affected Company: http://*****ch.com/
Data from a Swiss insurance company *****ch Insurance Group is being offered for sale on BreachForums.
A threat actor known as “Rey” claims to have stolen over 1,400 sensitive data items from *****ch Insurance Group, which was founded in 1872 and provides a range of property and casualty and life insurance products and services to customers in more than 215 countries.
Rey asserts that the leaked data includes financial reports (XLSX, XLS), contracts and agreements (PDF, DOC), internal emails, confidential documents, and personal reports of customers and employees. The data was allegedly obtained during a data breach incident at *****ch Insurance Group in February 2025. Sample data released by Rey includes cash flow statements, identification documents, and corporate customer verification forms.
Given *****ch Insurance Group’s 150-year history and global financial reputation, this data breach could impact not only the company but also the overall security trustworthiness of the Swiss financial sector. The release of sample data such as cash flow statements, identification documents, and corporate customer verification forms increases the likelihood of further financial crimes. Companies should thoroughly review potential data leak pathways for internal financial documents and customer data, and strengthen multi-factor authentication and access control policies to prevent unauthorized access. Additionally, the industry should be vigilant against secondary attacks such as spear phishing and financial fraud based on the leaked data, and enhance their security awareness and threat response posture.

Figure 4. Stolen corporate data up for sale on BreachForums
– Cases of Ransomware Infection
Affected company: https://www.***bank.com/
The ransomware group Hunters International claims to have stolen 1.9 TB of data (1,137,008 files) from *** Bank in Sri Lanka and has threatened to release the data around March 27.
*** Bank PLC is a commercial bank established in 2014, providing commercial banking and related financial services to individuals and corporate clients.
This incident, involving the theft of over 1.9TB and more than a million files, highlights the urgent need to review data access and storage systems comprehensively. *** Bank, being a trusted financial institution in Sri Lanka, faces a significant threat to its reputation, which could extend to the broader industry reliant on customer trust. Given the nature of the financial sector, data breaches directly translate to reputational risks, necessitating continuous review of threat detection and response processes across similar industries. The undetected large-scale file exfiltration underscores the need for sophisticated monitoring systems to detect abnormal traffic flows. Banks and related financial institutions should immediately implement measures such as minimizing internal access permissions, controlling external transmission channels, and cleaning up long-unused accounts.

Figure 5. Hunters International ransomware gang published victim’s data on its DLS (dedicated leak site)
– Cases of Damage Due to the Sale of Access Permissions
Affected company: http://www.******.ca/
SSH access to the ****** Bankers Association is being sold on the cybercrime forum BreachForums.
The ****** Bankers Association, established in 1891, is a financial services industry organization in ****** that represents and supports the ****** banking industry.
A threat actor known as “miya” claims to have stolen SSH access credentials for the ****** Bankers Association and is selling them for $400.
Considering the ongoing sale of SSH access credentials by the threat actor, this incident likely represents a systematic effort to collect and distribute access rights rather than a one-time breach. The fact that an institution representing the entire financial sector has been targeted suggests that related organizations or associations with relatively weaker security may be exploited as conduits for supply chain attacks.
Financial institutions must review not only their internal systems but also the security levels of their partner and affiliated organizations. Regular monitoring of access privileges and granting only the privileges each account requires are essential. Additionally, robust authentication for remote access methods like SSH and RDP, along with anomaly detection on their logins, must be implemented.
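The two controls recommended above for SSH, strong authentication and anomaly detection on logins, can both be checked mechanically. The following added example, written for this page and not taken from the report or from OpenSSH itself, audits a global `sshd_config` section against a key-plus-second-factor policy (filling in OpenSSH's documented defaults for missing directives) and scans `auth.log`-style lines for a successful login that follows a burst of failures from the same source, or any password-based success at all. The two configuration texts and the log lines are constructed; the policy thresholds (`MaxAuthTries` of at most 4, five failures) are choices for illustration, not values from the report.

```python
"""Added example (not from the report): an sshd_config policy audit plus
a small SSH login anomaly detector over auth.log-style lines. The
configs and log lines below are constructed; thresholds are illustrative."""
import re
from collections import defaultdict

# OpenSSH server defaults (sshd_config(5)) for the directives audited here;
# a missing directive is evaluated against these rather than ignored.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
    "authenticationmethods": "any",
}

# Constructed: a default-ish server that still allows passwords and root.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# MaxAuthTries left at the default of 6
"""

# Constructed: key plus a second interactive factor (e.g. a PAM OTP module).
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AuthenticationMethods publickey,keyboard-interactive
"""

# Constructed auth.log excerpt: five failures then a password success from
# one source, and an ordinary key-based login from an internal address.
AUTH_LOG = """\
Mar 25 02:11:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 25 02:11:09 bastion sshd[2233]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar 25 02:11:17 bastion sshd[2235]: Failed password for deploy from 203.0.113.5 port 51251 ssh2
Mar 25 02:11:25 bastion sshd[2237]: Failed password for deploy from 203.0.113.5 port 51263 ssh2
Mar 25 02:11:33 bastion sshd[2239]: Failed password for deploy from 203.0.113.5 port 51288 ssh2
Mar 25 02:11:40 bastion sshd[2240]: Accepted password for deploy from 203.0.113.5 port 51300 ssh2
Mar 25 08:00:12 bastion sshd[3100]: Accepted publickey for alice from 10.0.0.7 port 40022 ssh2
"""


def parse_sshd_config(text):
    """Read the global section: first occurrence of a directive wins, as in
    sshd itself. Match blocks are not modelled, so parsing stops at 'Match'."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def audit_sshd_config(text):
    """Return policy findings (empty list means the global section passes)."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if conf["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'; online password guessing stays possible")
    if conf["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin is '{conf['permitrootlogin']}'; set 'no' and use named accounts")
    if conf["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if int(conf["maxauthtries"]) > 4:
        findings.append(f"MaxAuthTries {conf['maxauthtries']} is permissive; 3-4 limits guessing per connection")
    # Space-separated lists are alternatives; every alternative must chain two methods.
    if not all("," in alt for alt in conf["authenticationmethods"].split()):
        findings.append("AuthenticationMethods does not require two factors (e.g. 'publickey,keyboard-interactive')")
    return findings


LOG_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+)")


def detect_ssh_anomalies(lines, fail_threshold=5):
    """Flag a success preceded by >= fail_threshold failures from the same
    source, and any password-method success (policy expects key or MFA)."""
    failures = defaultdict(int)          # source IP -> failures since last success
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        outcome, method, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
            continue
        if failures[src] >= fail_threshold:
            findings.append(f"{src}: login for {user} accepted after {failures[src]} failures")
        if method == "password":
            findings.append(f"{src}: password login accepted for {user}; key or MFA should be required")
        failures[src] = 0
    return findings


if __name__ == "__main__":
    print("weak config:", *audit_sshd_config(WEAK_CONFIG), sep="\n  ")
    print("hardened config findings:", audit_sshd_config(HARDENED_CONFIG))
    print("log anomalies:", *detect_ssh_anomalies(AUTH_LOG.splitlines()), sep="\n  ")
```

The audit deliberately treats an absent directive as its OpenSSH default, because `PasswordAuthentication` and `MaxAuthTries` are most often weak by omission rather than by an explicit setting; `Match` blocks, which can re-enable passwords for specific users or addresses, would need a second pass before a server is declared compliant.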

Figure 6. Miya published victim’s data on BreachForums