September 2025 Security Issues in Korean & Global Financial Sector
This report comprehensively covers real cyber threats and security issues that have occurred in financial corporations both in Korea and abroad.
The post includes analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and statistics on Korean account credentials leaked via Telegram, broken down by industry. A case of phishing emails distributed to the financial sector is also covered in detail.
This report also analyzes the major financial threats and cases observed on the dark web. It examines threats and actual cases of credit card data breaches and database breaches at financial institutions. The report also analyzes ransomware breaches targeting the financial sector, the damage they caused, and various other cyber attack threats against financial institutions.
Summary of Statistics
- Statistics of Malware Distributed to the Financial Sector

Figure 1. Statistics of malware distribution targeting the financial sector
- Statistics of leaked accounts by industry in South Korea via Telegram

Figure 2. Statistics of leaked accounts by industry in South Korea
[Summary of key issues on the deep and dark web related to the finance sector]
- Cases of Database Leaks
Affected Company: b***.co
Data of Bank ***, the largest private bank in Indonesia, is being sold on the cybercrime forum DarkForums. Bank *** (B***) is a private commercial bank in Indonesia established in 1957. The bank is headquartered in Jakarta and provides a wide range of services, including transaction banking, corporate banking, SME banking, retail banking, and international banking and financial services.
The threat actor (COMMUNISM) claimed to have stolen a database containing the information of 20 million users, including their full names, ID numbers, dates of birth, addresses, phone numbers, emails, tax numbers (NPWP), and detailed bank information such as account numbers and bank codes. However, the data is believed to have been recycled from a different post, and the threat actor’s account has been permanently suspended due to their attempt to sell the data. Upon inspecting the samples, it was confirmed that at least one row in the sample from the left post matches a row in the sample posted on the right about a month earlier.
Figure 3. Database breach case
This case highlights the threat environment faced by the financial industry, as attempts to sell large-scale bank customer data continue even though the breach status is unclear. If forged or recycled data is exposed, it can lead to customer anxiety and reputational damage, which may in turn decrease the trust in financial services. Therefore, banks and financial institutions are advised to strengthen their customer data integrity verification systems and establish communication strategies that allow them to respond immediately to threat actors’ false claims.
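The recycled-data finding above rests on comparing rows from the new post against an older sample. The following added example (not code from the report) shows one way an analyst can do that comparison repeatably: rows are normalized, fingerprinted on stable identifying fields only (ID number and account number), and the overlap ratio is reported. Both samples, the column names and every value in them are constructed and fictitious.

```python
"""Check whether a newly advertised leak sample overlaps an older one.

Added example, not code from the original report. The two samples below are
constructed stand-ins for the two forum posts described in the text; the
column names are assumptions.
"""
import csv
import hashlib
import io
import re

# Constructed sample from the newer post (all values fictitious).
NEW_POST = """full_name,id_number,dob,phone,email,account_number
Budi Santoso,3171010101800001,1980-01-01,+62-812-000-0001,budi@example.invalid,1234567890
Siti Rahayu,3171020202850002,1985-02-02,+62-812-000-0002,siti@example.invalid,2345678901
Agus Wijaya,3171030303900003,1990-03-03,+62-812-000-0003,agus@example.invalid,3456789012
"""

# Constructed sample from the older post; one row is the same person with
# cosmetic differences (case, spacing, date separators, phone formatting).
OLD_POST = """full_name,id_number,dob,phone,email,account_number
siti rahayu ,3171020202850002,1985/02/02,0812 000 0002,SITI@example.invalid,2345678901
Dewi Lestari,3171040404950004,1995-04-04,+62-812-000-0004,dewi@example.invalid,4567890123
"""


def normalise(value: str) -> str:
    """Collapse case, whitespace and punctuation so cosmetic edits don't hide a match."""
    return re.sub(r"[^a-z0-9@]", "", value.strip().lower())


def fingerprint(row: dict, keys=("id_number", "account_number")) -> str:
    """Hash only stable identifying fields.

    Phone and date formatting vary between dumps, so they are deliberately left
    out of the key. Storing hashes rather than raw rows also avoids keeping
    personal data around longer than the comparison needs.
    """
    material = "|".join(normalise(row[k]) for k in keys)
    return hashlib.sha256(material.encode()).hexdigest()


def parse(sample: str) -> list[dict]:
    """Parse a CSV sample into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(sample)))


def overlap(new_sample: str, old_sample: str) -> dict:
    """Return the names of overlapping rows and the overlap ratio of the newer sample."""
    new_rows = parse(new_sample)
    old_prints = {fingerprint(r) for r in parse(old_sample)}
    matches = [r["full_name"].strip() for r in new_rows if fingerprint(r) in old_prints]
    ratio = len(matches) / len(new_rows) if new_rows else 0.0
    return {"matched_rows": matches, "ratio": ratio}


if __name__ == "__main__":
    print(overlap(NEW_POST, OLD_POST))
```

A single matching row, as in the case above, is a signal that the "new" dump may be recycled rather than proof; the ratio across a larger sample, and whether the matching rows appear in the same order, are what an analyst would weigh before reporting the post as a re-sale.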
- Case of Ransomware Damage
The Daixin, INC Ransom, and Qilin ransomware groups breached multiple financial companies and posted their data on their dedicated leak sites (DLS). The following are the breach cases.
Ransomware: Qilin
Affected Company: 29 Asset Management Companies in Korea Breached
In September 2025, the Qilin ransomware group breached 28 asset management firms in Korea simultaneously and posted the victims on its dedicated leak site (DLS) under the name “Korean Leak.” This was not a series of isolated attacks but a large-scale, organized attack targeting the financial industry in Korea. All affected companies were identified as asset management and investment firms.
The threat actor followed a consistent pattern when creating posts about each affected company. The first line specified the company name and business type, followed by a detailed description of the type and scale of data leaked from the company. In particular, all posts ended with a common phrase that announced the threat actor’s plan to release more information in the future, along with a message stating that they had accessed data from various financial companies in Korea. Some posts even mentioned the need for investigations by law enforcement agencies, showing their intention to deliberately spread social unrest.
What is particularly notable is that some affected companies were operating their file servers through the cloud service of an IT management company. When the server of this IT management company was infected with ransomware, the other asset management companies using the same service were affected at the same time. This suggests that the Qilin group did not attack each company individually, but breached multiple asset management companies simultaneously through a common IT service provider. The incident is assessed as a supply chain attack that compromised multiple financial institutions at once.

Figure 4. Case of ransomware attack
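The post layout described above (company name and business type on the first line, a data description, then a shared closing phrase) and the pivot on a common service provider are the two analyst steps that turned 28 separate DLS entries into one campaign. The following added example, not the report's own tooling, parses posts in that layout and groups the victims that carry the shared closing line by the provider they used. The posts, the closing phrase, the company names and the provider inventory are all constructed assumptions.

```python
"""Parse DLS victim posts and cluster them by shared service provider.

Added example, not code from the original report. Posts, the closing phrase,
company names and the provider inventory are constructed and fictitious.
"""
from collections import defaultdict

# Assumed stand-in for the common closing line the text describes.
CLOSING_PHRASE = "more information will follow"

# Constructed posts following the described layout:
#   line 1: "<company> - <business type>"
#   line 2: description of the data taken
#   last line: shared closing phrase (campaign marker) or something else
POSTS = [
    "Alpha Asset Management - asset management\n120 GB of client contracts and KYC files\nMore information will follow",
    "Beta Investments - investment firm\n40 GB of fund accounting records\nmore information will follow",
    "Gamma Capital - asset management\n75 GB of internal documents\nmore information will follow",
    "Delta Logistics - freight forwarding\n10 GB of shipping manifests\nplease contact us",
]

# Constructed inventory of which hosted file-server provider each victim used.
# In practice this would come from OSINT or the institutions' own records.
PROVIDER_OF = {
    "Alpha Asset Management": "SharedCloud IT Co.",
    "Beta Investments": "SharedCloud IT Co.",
    "Gamma Capital": "SharedCloud IT Co.",
    "Delta Logistics": "OtherHost",
}


def parse_post(text: str) -> dict:
    """Split one post into company, business type, data description and campaign marker."""
    lines = [line.strip() for line in text.strip().splitlines() if line.strip()]
    company, _, business = lines[0].partition(" - ")
    return {
        "company": company.strip(),
        "business": business.strip(),
        "data": lines[1] if len(lines) > 1 else "",
        # Case-insensitive match so the marker is not missed on a retyped post.
        "campaign_marker": lines[-1].lower() == CLOSING_PHRASE,
    }


def cluster_by_provider(posts, provider_of, min_size: int = 2) -> dict:
    """Group marker-bearing victims by provider; return clusters of at least min_size.

    A cluster of several victims behind one provider is the signal that points
    to a supply chain compromise rather than independent intrusions.
    """
    groups = defaultdict(list)
    for post in map(parse_post, posts):
        if post["campaign_marker"]:
            provider = provider_of.get(post["company"], "unknown")
            groups[provider].append(post["company"])
    return {prov: sorted(names) for prov, names in groups.items() if len(names) >= min_size}


if __name__ == "__main__":
    for provider, victims in cluster_by_provider(POSTS, PROVIDER_OF).items():
        print(f"{provider}: {len(victims)} victims -> {victims}")
```

Victims that share the closing phrase but sit behind different providers stay out of the cluster, which is the right default: the marker alone shows one actor, while the shared provider is what supports the supply chain reading. The threshold (`min_size`) is deliberately low here because even two victims behind one provider is worth a closer look.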

