November 2025 Security Issues in Korean and Global Financial Sector
This report comprehensively covers real-world cyber threats and security issues that have occurred in the financial industry in Korea and worldwide. It includes an analysis of malware and phishing cases targeting the financial industry, a list of the top 10 malware strains targeting the industry, and statistics on Korean accounts leaked on Telegram, broken down by industry sector. A detailed analysis of a phishing email campaign targeting financial institutions is also included.
The report also covers major finance-related threats and cases observed on the dark web: credit card data breaches, database leaks from financial institutions, ransomware attacks, and other cyber attacks targeting financial institutions, along with the damage these attacks caused.
Summary of Statistics
- Statistics on the Distribution of Malware Strains Targeting the Financial Industry

Figure 1. Statistics on the distribution of malware to the financial sector
- Statistics of the industry sector accounts leaked on Telegram

Figure 2. Statistics of the leaked Korean accounts by industry group on Telegram
[Summary of key issues on the deep and dark web related to the financial sector]
- Cases of Database Leaks
Affected Company: ***nder.com
Data from the global financial institution Banco ***nder (***nder.com) in Spain is being sold on the cybercrime forum DarkForums.
Banco ***nder is a large bank in Europe that provides a wide range of services globally, including retail banking, corporate banking, investment banking, and asset management. It is known to generate an annual revenue of approximately 4.85 billion dollars and have a workforce of about 197,000 employees.
The threat actor (BreachParty) claimed to possess a total of 10,000 customer records. They stated that the data includes names, dates of birth, phone numbers, IDs, and International Bank Account Numbers (IBANs). This breach is consistent with the ING Bank Spain data leak that occurred in early November 2025, which was posted by the same threat actor. This shows a pattern of continuous attacks targeting financial institutions in Spain.
Because the leaked data includes bank customers' IBANs and personally identifiable information (PII), it is highly likely to be exploited for financial fraud, phishing, and loan scams. This incident also highlights the need to review customer information breach response protocols and to strengthen multi-factor authentication (MFA) in the financial sector across Europe.

Figure 3. Data breach cases
- Cases of Ransomware Damage
Ransomware: CLOP
Affected Company: ***v.com
The Clop ransomware group claimed responsibility for the attack on the large UK insurance company *** Company Limited.
*** Insurance is a leading UK mutual insurance company established in 1843, providing a wide range of personal and commercial insurance products including car, home, travel, and life insurance. The company has about 4,000 to 5,000 employees and is highly recognized in the UK insurance market under the ***V brand.
While the Clop group claimed to have posted the company’s data on their leak site, the data has not been made public, and there has been no mention of the specific amount or nature of the stolen files. In reality, part of the customer data is known to have been leaked from the UK-based Oracle E-Business Suite system of ***V’s parent company.
Clop recently exploited the Oracle EBS zero-day vulnerability (CVE-2025-61882) to perform large-scale data exfiltration from the ERP systems of global corporations and organizations. It appears that the threat actor behind this attack also exfiltrated data without encrypting files.
Past attacks that exploited the MOVEit file transfer vulnerability hit the financial and insurance sectors extensively, so this recent attack may also pose a risk of data exfiltration or a breach of cloud storage infrastructure. Insurance companies store large amounts of data, including customer credentials, medical records, and financial data, so the impact of a data breach can be significant. For this reason, financial and insurance institutions need to apply security patches to their file transfer and backup systems, regularly check data access logs, and strengthen the security requirements of their cyber insurance policies to prepare for similar threats.

Figure 4. Case of ransomware attack