July 2025 Security Issues in Korean & Global Financial Sector

This report comprehensively covers actual cyber threats and security issues that have taken place targeting financial companies in Korea and abroad.

It includes an analysis of malware and phishing campaigns distributed to the financial industry, the top 10 malware strains targeting the sector, and statistics on the industries to which leaked Korean accounts belong. It also covers a case of phishing emails being distributed to financial companies.

The report also analyzes the major financial threats and cases observed on the dark web, including credit card data breaches and breaches of financial institutions' databases. It further examines ransomware threats targeting the financial sector, the breaches and damage caused by ransomware infections, and other cyber threat cases and the actual damage they caused at financial institutions.

[Summary of key issues on the deep and dark web related to the financial sector]

  • Cases of Database Leaks

Affected Company: ***adeslas.es

A post has appeared on the cybercrime forum DarkForums advertising the sale of data belonging to *** Adeslas, the largest insurance company in Spain.

Founded in 1942, *** Adeslas is a non-life insurance specialist providing a wide range of services, including health, dental, automobile, home, accident, and life insurance. The company serves approximately 10.7 million customers, with a network of 53,000 medical professionals, 1,425 medical centers, and 219 hospitals. Its annual revenue is about 15.8 billion euros, which is approximately KRW 19.7 trillion.

The threat actor Xsskiller claims to have exfiltrated over 600,000 customer records, including names, phone numbers, and email addresses, and has released sample data. The records are said to be split into personal and business leads, with the business leads containing additional details such as DNI/CIF numbers (the Spanish personal identity number and corporate tax identifier) and insurance policy numbers.

This case is particularly concerning because it exposes sensitive data of both individual and corporate customers, signaling a significant threat to the insurance sector as a whole. The inclusion of high-risk corporate identifiers increases the likelihood of identity theft and insurance fraud. Insurers are advised to encrypt data according to its sensitivity, enforce role-based access control, and regularly audit the systems most exposed to the outside, such as lead management, partner channels, and call center systems, bearing in mind that these hold a mix of contractual, medical, and financial data.

  • Threats on Ransomware Breach

Ransomware: DAIXIN

Affected Company: ***usa.com

On July 2, the ransomware group DAIXIN carried out an attack targeting Insurance Office of America (IOA), an independent insurance brokerage firm in the United States.

Headquartered in Florida and founded in 1988, IOA is an American insurance brokerage that provides a wide range of services including property and casualty insurance, employee benefits insurance, personal insurance, risk management solutions, and insurtech innovation. Its annual revenue exceeds USD 300 million.

DAIXIN announced that it plans to release the leaked data at a later date.

This attack is a typical example of ransomware groups targeting insurance brokerages, and it raises the risk of exposing not only customer information but also sensitive business data such as insurance contracts and risk assessment reports. Because brokerages sit between a wide range of clients and insurance companies, a single breach can lead to downstream breaches at clients and partner insurers. Other companies in the industry are advised to enforce stricter segregation between customer information and internal documents, and to maintain offline backups that cannot be reached from the production network.

  • Cases of Cyber Attacks

Affected Company: ***.com.eg

Hacktivist group Black Ember claimed responsibility for a DDoS attack against the website of the *** Bank of Egypt.

Founded in 1898, the *** Bank of Egypt (البنك الأهلي المصري) is a full-service financial institution in Egypt. It provides corporate and retail banking, loans, deposits, credit cards, investment and asset management, international trade finance, internet and mobile banking, wealth management for individual and corporate clients, public deposits, and financing for state-supported projects. The bank is headquartered at NBE Tower in the Boulak district of Cairo and is the country's largest and oldest commercial bank, employing more than 10,000 staff.

A link to Check-Host results was attached as proof of the outage, but the NBE website is currently reported to be functioning normally. This hacktivist group has repeatedly launched DDoS attacks against websites in Israel and Egypt.

This case represents a different threat type from conventional cybercrime: a politically motivated, hacktivist-driven DDoS attack on a financial institution. Choosing a *** bank as the target creates serious risks for public trust and for the continuity of financial services. In the short term, nationwide service disruptions may occur; in the long term, confidence in the country's digital financial infrastructure could erode. Financial institutions are therefore advised to implement traffic-based anomaly detection, deploy CDN and WAF protection, and arrange upstream (network-level) traffic absorption and filtering to mitigate DDoS threats.
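The traffic-based anomaly detection recommended above, shown as an added example that is not part of the original report: a small Python detector that parses web server access logs in the Apache/Nginx combined format, keeps a sliding window of request timestamps per client IP, and flags any source whose request count inside the window exceeds a threshold. The log lines, IP addresses, window size and threshold are all constructed for the example; real deployments would tune them per endpoint and feed the result into rate-limiting or WAF rules.

```python
"""Rate-based anomaly detection over web access logs.

Added example, not code from the original report. Parses constructed
Apache/Nginx "combined" log lines, keeps a sliding window of request
timestamps per client IP, and flags sources whose request count inside the
window exceeds a threshold. Thresholds and sample traffic are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def detect_flooders(lines, window_seconds=10, max_requests=20):
    """Flag client IPs that exceed max_requests within any window_seconds span.

    Lines are assumed to arrive in chronological order, as a live log does.
    Returns {ip: peak request count observed inside the window}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash the detector
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire timestamps older than the window
            q.popleft()
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def format_line(ip, ts, request, status):
    """Render one combined-format log line (used only to build sample data)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" {status} 512'


def build_sample_log():
    """Constructed sample: one source floods the homepage, another browses normally."""
    base = datetime(2025, 7, 15, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(40):  # 40 requests in 8 seconds from one address
        events.append(("203.0.113.5", base + timedelta(milliseconds=200 * i),
                       "GET / HTTP/1.1", 200))
    for i in range(5):  # 5 requests in 10 seconds from a normal client
        events.append(("198.51.100.7", base + timedelta(seconds=2 * i),
                       "GET /login HTTP/1.1", 200))
    events.sort(key=lambda e: e[1])
    return [format_line(*e) for e in events]


if __name__ == "__main__":
    for ip, peak in detect_flooders(build_sample_log()).items():
        print(f"flagged {ip}: {peak} requests inside the window")
```

Per-source counting like this catches a single noisy client or a small botnet, which is enough to drive automatic rate limits at a WAF or reverse proxy. A large distributed attack spreads requests over thousands of addresses that individually stay under any per-IP threshold, so the same window logic should also be run over aggregate request volume per endpoint, and the filtering itself belongs upstream at the CDN or scrubbing provider rather than on the origin server.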

※ For more information, please refer to the attachment.

MD5

2d1d181e9de7cced74db9dd816f8d003
47fd8d820c2e183c1d6fc0348d650579
5b5d4fd115e415a23937df5ba616de7b
844e3b0d066e7da30e704be770c26e5e
9336eff32a27ea9476fe2c6b480cfa59