May 2025 Security Issues in Korean & Global Financial Sector

This report comprehensively covers actual cyber threats and security issues that have taken place targeting financial companies in Korea and abroad.

This report includes an analysis of malware and phishing cases distributed to the financial industry, the top 10 malware strains targeting the financial sector, and statistics on the industries of the Korean accounts that were leaked. It also covers a case of phishing emails being distributed to the financial industry.

The report also analyzes major financial threats and cases that occurred in the dark web. It looks into threats and actual cases of credit card data breach, database breach, ransomware, and other cyber attacks that targeted the financial sector.


Statistical Summary

  • Statistics on Malware Distributed to the Financial Sector


  • Statistics on Accounts of Korean Industries Exfiltrated via Telegram

[Summary of key issues on the deep and dark web related to the financial sector]

  • Cases of Ransomware Infection

The Arkana, LockBit, Play, SafePay, and Stormous ransomware groups have claimed breaches of multiple financial companies and posted the victims' data on the dedicated leak sites (DLS) that the groups operate. The cases are as follows.

Ransomware: Arkana

Affected Company: https://www.in***.com/

The ransomware group Arkana has claimed responsibility for an attack on the global online brokerage In***.

In*** is a foreign exchange and contract for difference (CFD) broker founded in the UK in 2009. It offers more than 900 trading products, including FX, indices, commodities, stocks, and cryptocurrencies, and supports trading platforms such as MT4, MT5, and IX Social.

The group claims to have stolen about 50 GB of customer data, including more than 202,000 KYC (Know Your Customer) submissions and the records of more than 163,000 customers. The sample it released contained names, dates of birth, email addresses, ID card images, and server logs with IP addresses and user-agent strings. The group also warned that if the ransom was not paid by June 10, it would leak or sell the entire data set. In*** was previously fined by the Financial Conduct Authority (FCA) in January 2025 for breaching its reporting obligations.
Because the breach centred on customer identity data, it shows that the identity verification and account protection systems of trading platforms, and the KYC document stores behind them, are a major attack surface. That it happened at a company recently fined by the FCA also illustrates the gap between regulatory compliance and actual security. Companies in the same industry should review the full storage, retrieval, and transmission path for sensitive data such as user authentication data, ID card images, and access logs. Strengthening firewalls and enforcing multi-factor authentication (MFA) are necessary but not sufficient; the controls also need to be concrete, such as encrypting KYC documents at rest, restricting and auditing which principals can read them, and monitoring internal access logs closely enough that bulk retrieval of customer records is detected long before it reaches hundreds of thousands of files.
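As an added illustration of what "actionable" access-log monitoring for a KYC store looks like (this is example code written for this page, not code from the report or from any vendor), the script below scans a constructed JSON-lines access log for a document bucket and raises two kinds of alert: reads by a principal that is not on the KYC reader allowlist, and any allowed principal that touches more than a threshold of distinct customers' documents inside a sliding window. The log format, field names, the `kyc/<customer_id>/...` key layout, the allowlist, and the thresholds are all assumptions chosen for the example; the sample log is constructed and the events are assumed to be in time order. An exfiltration of 202,000 KYC submissions would trip the bulk rule within seconds.

```python
"""Flag suspicious reads of a KYC document store from its access log.

Added example, not code from the report. The JSON-lines log format, field
names, object-key layout (kyc/<customer_id>/...), allowlist and thresholds
are assumptions chosen for illustration. Events are assumed time-ordered.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Principals expected to read KYC objects (assumed allowlist).
KYC_READERS = {"svc-onboarding", "analyst-j"}

# Constructed sample log: two routine reads, one read by a principal that is
# not on the allowlist, one analyst pulling many customers' documents in a
# burst (what bulk exfiltration looks like), and one read an hour later.
SAMPLE_LOG = """\
{"ts": "2025-05-20T09:00:01Z", "principal": "svc-onboarding", "action": "GetObject", "key": "kyc/1001/id_front.jpg", "src_ip": "10.0.4.12"}
{"ts": "2025-05-20T09:00:05Z", "principal": "svc-onboarding", "action": "GetObject", "key": "kyc/1002/id_front.jpg", "src_ip": "10.0.4.12"}
{"ts": "2025-05-20T09:01:00Z", "principal": "svc-reporting", "action": "GetObject", "key": "kyc/1003/selfie.jpg", "src_ip": "10.0.9.3"}
{"ts": "2025-05-20T09:02:00Z", "principal": "analyst-j", "action": "GetObject", "key": "kyc/2001/id_front.jpg", "src_ip": "10.0.7.20"}
{"ts": "2025-05-20T09:02:10Z", "principal": "analyst-j", "action": "GetObject", "key": "kyc/2001/id_back.jpg", "src_ip": "10.0.7.20"}
{"ts": "2025-05-20T09:02:20Z", "principal": "analyst-j", "action": "GetObject", "key": "kyc/2002/id_front.jpg", "src_ip": "10.0.7.20"}
{"ts": "2025-05-20T09:02:30Z", "principal": "analyst-j", "action": "GetObject", "key": "kyc/2003/id_front.jpg", "src_ip": "10.0.7.20"}
{"ts": "2025-05-20T09:02:40Z", "principal": "analyst-j", "action": "GetObject", "key": "kyc/2004/id_front.jpg", "src_ip": "10.0.7.20"}
{"ts": "2025-05-20T09:02:50Z", "principal": "analyst-j", "action": "GetObject", "key": "kyc/2005/id_front.jpg", "src_ip": "10.0.7.20"}
{"ts": "2025-05-20T09:03:00Z", "principal": "analyst-j", "action": "GetObject", "key": "kyc/2006/id_front.jpg", "src_ip": "10.0.7.20"}
{"ts": "2025-05-20T09:03:10Z", "principal": "analyst-j", "action": "GetObject", "key": "kyc/2007/id_front.jpg", "src_ip": "10.0.7.20"}
{"ts": "2025-05-20T10:30:00Z", "principal": "analyst-j", "action": "GetObject", "key": "kyc/2008/id_front.jpg", "src_ip": "10.0.7.20"}
"""


def parse_event(line):
    """Parse one log line. Returns None for malformed lines and for anything
    that is not a read (GetObject) of an object under the kyc/ prefix."""
    try:
        ev = json.loads(line)
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        principal, key, action = ev["principal"], ev["key"], ev["action"]
    except (ValueError, KeyError, TypeError):
        return None
    parts = key.split("/")
    if action != "GetObject" or len(parts) < 3 or parts[0] != "kyc":
        return None
    return {"ts": ts, "principal": principal, "customer_id": parts[1],
            "key": key, "src_ip": ev.get("src_ip")}


def detect_kyc_abuse(log_text, max_customers=5, window=timedelta(minutes=10)):
    """Return alerts for reads by principals outside KYC_READERS and for any
    allowed principal that reads documents of more than `max_customers`
    distinct customers within `window` (one bulk alert per principal)."""
    alerts = []
    recent = defaultdict(deque)  # principal -> deque of (ts, customer_id)
    bulk_flagged = set()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["principal"] not in KYC_READERS:
            alerts.append({"rule": "unauthorized_principal", "ts": ev["ts"].isoformat(),
                           "principal": ev["principal"], "key": ev["key"],
                           "src_ip": ev["src_ip"]})
            continue
        q = recent[ev["principal"]]
        q.append((ev["ts"], ev["customer_id"]))
        # Drop entries that have aged out of the sliding window.
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {cid for _, cid in q}
        if len(distinct) > max_customers and ev["principal"] not in bulk_flagged:
            bulk_flagged.add(ev["principal"])
            alerts.append({"rule": "bulk_retrieval", "ts": ev["ts"].isoformat(),
                           "principal": ev["principal"], "src_ip": ev["src_ip"],
                           "distinct_customers": len(distinct),
                           "window_minutes": int(window.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in detect_kyc_abuse(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields two alerts: the read by `svc-reporting`, which is not an allowed KYC reader, and a bulk-retrieval alert for `analyst-j` at 09:03:00, when the sixth distinct customer's documents are read inside the ten-minute window. The read at 10:30 does not alert because the earlier entries have aged out. The same two rules map directly onto native access-log sources such as object-store access logs or database audit logs; the threshold should be tuned to the legitimate per-role workload, and the allowlist should be derived from the access-control policy rather than maintained by hand.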

Figure 3. Cases of ransomware infection


※ Please refer to the attachment for more details.

MD5

1a0e3b24a57f31c796adfd22860e0bcf
29412d5502f06cafba5402d1822d8949
391fba9ebab24ca88123109925b2d3ee
568be875e2614d29a9e09851de83b098
93ff25071481908a17c7ec84f799a654