August 2025 Security Issues in Korean & Global Financial Sector
This report comprehensively covers actual cyber threats and security issues related to financial companies in South Korea and abroad.
This article includes an analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and the industry statistics of leaked Korean accounts on Telegram. A detailed look into the phishing email distribution case targeting the financial sector is also covered.
This report also analyzes the major financial threats and cases observed on the dark web, including credit card data breaches and breaches of financial institutions' databases. It further covers ransomware threats targeting the financial sector, the breaches and damage caused by ransomware infections, and other cyber threat cases and the actual damage they caused at financial institutions.
Summary of Deep Web and Dark Web Issues Related to the Financial Sector
- Database Leak Cases
Affected Company: ****ra.com
A post was made on the cybercrime forum DarkForums claiming that a large amount of customer data from the Hong Kong business division of ****ra Group, an international corporate and fund services firm, had been leaked. ****ra Group is a global service provider specializing in managing complex regulatory environments and offshore corporations, including corporate establishment, trusts, and fund management. The company is headquartered in Hong Kong.
The threat actor (chase461) claims that the stolen data is about 90 GB in size and comprises 450,000 files relating to about 2,000 offshore entities (British Virgin Islands, Cayman Islands, Seychelles, etc.). According to the post, the leaked data falls into three groups: corporate registry records (articles of incorporation, bylaws, registers of directors, shareholders, beneficial owners and officers, share certificates, corporate approval documents, and board and shareholder resolutions); identification documents (passports, national IDs, and proof of address); and sensitive financial information (financial statements, bank account numbers, sources of funds, and invoices). The actor values the data at about 10,000 XMR (Monero) and claims it is current through 2025.
In this case, a large volume of offshore corporate documents together with sensitive financial and identification information was leaked from a global corporate and fund service provider. The breach is considered especially serious because the company holds data subject to the legal systems of multiple countries and regions, so a single breach can cause damage in several jurisdictions at once. Companies in the same and related industries are advised to thoroughly re-examine which accounts hold access privileges and the paths through which documents can be reached. It is also recommended to apply strong encryption and access controls when storing and transmitting data, and to conduct regular penetration tests and log monitoring on offshore corporate management platforms and document management systems so that potential threats are detected early.

Figure 1. Database breach
- Case of Ransomware Infection
Affected Company: ***group.com
The ransomware group D4RK 4RMY has claimed responsibility for the attack on *** Financial Group, a financial holding company in Japan. *** Financial Group was established in 2002 through the merger of *** Bank, *** Bank, and Industrial Bank of ***. It is a large financial institution that provides comprehensive financial services including banking, securities, trust, asset management, and research and consulting services. The headquarters is located in Otemachi Tower in Chiyoda, Tokyo, and the company has an annual revenue of approximately 578 billion yen.
The group claims to have stolen approximately 845 GB of data and set August 21, 2025 as the ransom payment deadline for the affected company. As of now, the specific contents of the stolen data have not been disclosed. However, given the nature of financial institutions, it may include a large amount of sensitive customer information and internal management data, so further investigation is required.
As of September 8, the date this article was written, the affected company's entry has been removed from the group's dedicated leak site (DLS). Such removals have several possible causes; most commonly a listing is taken down after a ransom is paid through negotiation. Since no specific information is available at the moment, however, it is unclear whether the removal resulted from a negotiation, a technical error, or some other reason.
This incident demonstrates that global financial institutions holding large volumes of financial data are direct targets of ransomware attacks. The financial sector handles high-value data such as customer identification information, account information, and investment history, which makes it a prime target for threat actors seeking to maximize their negotiating leverage. Similar organizations are therefore advised to immediately review the multi-layered security measures protecting their core systems, namely data encryption, stronger access control, and network segmentation. They should also establish real-time monitoring that detects large data transfers and abnormal traffic, and prepare ransomware recovery procedures and external crisis communication plans.
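The recommendation above to monitor for large data transfers can be implemented as a simple per-host egress baseline. The following is an added example, not code from the report or from any affected institution: it sums outbound bytes per host per day from constructed flow summaries, builds each host's baseline as the median of its previous days, and flags a host whose current-day egress is both many times its own baseline and above an absolute floor. The hosts, addresses, byte counts and thresholds are all constructed assumptions for the illustration.

```python
"""Flag hosts whose daily outbound byte volume is far above their own baseline.

Added illustration: the flow records below are constructed for this example and
the thresholds are assumptions, not values from the report.
"""
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (day, src_host, dst_ip, direction, bytes).
# Only "out" flows leaving the network count toward egress volume.
FLOWS = [
    ("2025-08-10", "fileserver01", "203.0.113.10", "out", 2_000_000_000),
    ("2025-08-11", "fileserver01", "203.0.113.10", "out", 1_800_000_000),
    ("2025-08-12", "fileserver01", "203.0.113.10", "out", 2_200_000_000),
    ("2025-08-13", "fileserver01", "203.0.113.10", "out", 1_900_000_000),
    ("2025-08-14", "fileserver01", "203.0.113.10", "out", 2_100_000_000),
    ("2025-08-10", "workstation22", "198.51.100.5", "out", 300_000_000),
    ("2025-08-11", "workstation22", "198.51.100.5", "out", 250_000_000),
    ("2025-08-12", "workstation22", "198.51.100.5", "out", 350_000_000),
    ("2025-08-13", "workstation22", "198.51.100.5", "out", 280_000_000),
    ("2025-08-14", "workstation22", "198.51.100.5", "out", 320_000_000),
    # Inbound traffic (a backup restore, say) must not be counted as egress.
    ("2025-08-14", "fileserver01", "203.0.113.10", "in", 50_000_000_000),
    # Current day: fileserver01 pushes ~400 GB to an address it never used before.
    ("2025-08-15", "fileserver01", "192.0.2.77", "out", 400_000_000_000),
    ("2025-08-15", "workstation22", "198.51.100.5", "out", 310_000_000),
]

GB = 1_000_000_000
RATIO_THRESHOLD = 10.0       # assumed: alert when egress is >= 10x the host's median
ABSOLUTE_FLOOR = 20 * GB     # assumed: ignore spikes below 20 GB regardless of ratio


def daily_egress(flows):
    """Sum outbound bytes per (host, day), ignoring inbound flows."""
    totals = defaultdict(int)
    for day, host, _dst, direction, nbytes in flows:
        if direction == "out":
            totals[(host, day)] += nbytes
    return totals


def egress_anomalies(flows, current_day, ratio=RATIO_THRESHOLD, floor=ABSOLUTE_FLOOR):
    """Return {host: (today_bytes, baseline_bytes)} for hosts exceeding both thresholds.

    The baseline is the median of the host's per-day egress on all days other than
    current_day, so a single historical spike does not inflate it.
    """
    totals = daily_egress(flows)
    history = defaultdict(list)
    today = {}
    for (host, day), nbytes in totals.items():
        if day == current_day:
            today[host] = nbytes
        else:
            history[host].append(nbytes)

    findings = {}
    for host, nbytes in today.items():
        baseline = median(history[host]) if history[host] else 0
        # A host with no history is judged against the absolute floor only.
        exceeds_ratio = baseline == 0 or nbytes >= ratio * baseline
        if nbytes >= floor and exceeds_ratio:
            findings[host] = (nbytes, baseline)
    return findings


if __name__ == "__main__":
    for host, (today_bytes, base) in egress_anomalies(FLOWS, "2025-08-15").items():
        print(f"ALERT {host}: {today_bytes / GB:.1f} GB out today "
              f"vs {base / GB:.1f} GB daily median")
```

Using a median rather than a mean for the baseline keeps one earlier legitimate bulk transfer from masking a later one, and the absolute floor stops low-volume workstations from alerting on a few hundred megabytes. In production the same logic would run over flow exporter or firewall summaries and, as the report suggests, feed a real-time alerting pipeline rather than a daily batch.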

Figure 2. Case of ransomware infection
- Cases of Cyber Attacks
Affected Company: ***bank.iq, ***.iq, ***.iq
The hacktivist group Keymous claimed responsibility for DDoS attacks against three major banks in Iraq. The targeted banks were *** International Bank for Investment, National Bank of ***, and *** Bank for Investment, all large banks in the Iraqi financial industry that provide comprehensive financial services to individuals and businesses. Through its hashtags the group expressed an ideological motivation of 'Hacking for Humanity', so its actions were seen as more than just cyberattacks, conveying political and social messages.
Since its establishment in 2005, *** International Bank has provided a variety of services including deposits, loans, cards, foreign exchange, and investments, and it also operates digital channels such as online banking. National Bank of *** is a comprehensive financial institution established in 1995; it provides cross-border services such as trade finance and international remittances, so the impact of an attack could spread globally. Trans *** Bank was established in 2006 and operates branches nationwide from its headquarters in Baghdad, providing various digital services including electronic and mobile banking and investment finance.
This attack may cause a chain of damage, such as delayed financial transactions, loss of customer trust, and reputational harm. Because it also affects services tied to international transactions, it is considered a potential risk to financial flows both domestically and internationally.
In response, the financial industry is advised to strengthen availability monitoring of external service channels such as Internet and mobile banking and payment and remittance APIs, and to build a multi-layered response structure combining DDoS mitigation appliances, cloud-based defense services, and CDNs. It is also important to improve real-time abnormal traffic analysis in order to respond to low-and-slow attacks whose patterns resemble normal traffic. In addition, business continuity plans (BCPs) that give customers service status information and alternative channels during a crisis should be validated in advance.
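Low-and-slow attacks are hard to spot by request rate alone, because each connection looks like a slow but ordinary client. One detection approach, shown here as an added example that is not code from the report or from any bank named above, is to profile the currently open connections per client: a client holding many connections that have each been open for minutes, trickling a few bytes, and never completing a request stands out, while a single slow legitimate upload does not. The snapshot, IP addresses and thresholds are constructed assumptions for the illustration.

```python
"""Flag clients holding many long-lived, nearly idle connections (low-and-slow pattern).

Added illustration: the connection snapshot and thresholds below are constructed
assumptions for this example, not data from the report.
"""
from collections import defaultdict
from statistics import median

NOW = 1_755_000_000  # constructed snapshot time (unix seconds)

# Constructed snapshot of currently open HTTP connections on a banking front end:
# (client_ip, opened_at, bytes_received_so_far, request_complete).
OPEN_CONNECTIONS = [
    # Normal browser: a handful of short-lived connections with finished requests.
    ("198.51.100.20", NOW - 3, 1_850, True),
    ("198.51.100.20", NOW - 2, 2_400, True),
    ("198.51.100.20", NOW - 1, 900, True),
    # Slow but legitimate upload: one long connection that is moving real data.
    ("198.51.100.44", NOW - 240, 48_000_000, True),
]
# Low-and-slow client: 40 connections held open for about five minutes,
# each having sent only a partial header and never finished a request.
OPEN_CONNECTIONS += [
    ("203.0.113.9", NOW - 300 - i, 150 + i, False) for i in range(40)
]

MIN_CONNECTIONS = 20     # assumed: fewer open connections than this is never flagged
MIN_MEDIAN_AGE_S = 120   # assumed: connections must typically have been open this long
MAX_BYTES_PER_S = 5.0    # assumed: below this throughput a connection counts as idle
MIN_INCOMPLETE_RATIO = 0.5  # assumed: at least half the requests never completed


def client_profiles(conns, now=NOW):
    """Group open connections per client; return count, median age, median rate, incomplete ratio."""
    by_client = defaultdict(list)
    for ip, opened_at, nbytes, complete in conns:
        age = max(now - opened_at, 1)  # avoid division by zero for brand-new connections
        by_client[ip].append((age, nbytes / age, complete))
    profiles = {}
    for ip, rows in by_client.items():
        profiles[ip] = {
            "connections": len(rows),
            "median_age_s": median(age for age, _, _ in rows),
            "median_rate_bps": median(rate for _, rate, _ in rows),
            "incomplete_ratio": sum(1 for _, _, c in rows if not c) / len(rows),
        }
    return profiles


def low_and_slow_clients(conns, now=NOW):
    """Return {client_ip: profile} for clients whose open connections fit the low-and-slow pattern."""
    flagged = {}
    for ip, p in client_profiles(conns, now).items():
        if (p["connections"] >= MIN_CONNECTIONS
                and p["median_age_s"] >= MIN_MEDIAN_AGE_S
                and p["median_rate_bps"] <= MAX_BYTES_PER_S
                and p["incomplete_ratio"] >= MIN_INCOMPLETE_RATIO):
            flagged[ip] = p
    return flagged


if __name__ == "__main__":
    for ip, p in low_and_slow_clients(OPEN_CONNECTIONS).items():
        print(f"ALERT {ip}: {p['connections']} open connections, "
              f"median age {p['median_age_s']:.0f}s, "
              f"median rate {p['median_rate_bps']:.2f} B/s, "
              f"{p['incomplete_ratio']:.0%} incomplete")
```

All four conditions must hold before a client is flagged: the connection count excludes ordinary browsers, the byte rate and incomplete-request ratio exclude the slow legitimate upload, and the age requirement avoids firing on a brief burst. Because a distributed attack spreads connections across many source addresses, the same profile should also be computed server-wide (total open connections with a low median rate) rather than only per client.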

Figure 3. Cases of cyber attacks