December 2025 Security Issues in Korean & Global Financial Sector
This report comprehensively covers real-world cyber threats and security issues that have occurred in the financial industry in Korea and worldwide. It includes an analysis of malware and phishing cases targeting the financial industry, a list of the top 10 malware strains targeting the industry, and statistics on the sectors of Korean accounts leaked on Telegram. A detailed analysis of a phishing email campaign targeting financial institutions is also included.
The report also covers the major finance-related threats and cases observed on the dark web. It examines credit card data breaches and database leaks from financial institutions, as well as ransomware attacks and other cyber attacks targeting financial institutions, together with the damage these attacks caused.
[Key Issues on the Deep and Dark Web Related to the Financial Sector]
- Database Leakage Case
Affected Company: bank***.id
Customer financial data from Bank ***, Indonesia’s largest commercial bank, is being sold on the cybercrime forum DarkForums.
Bank *** is Indonesia’s largest bank by assets and deposits, with annual revenue of approximately $25 billion.
The threat actor (BreachLaboratory) claims to have stolen approximately 3 million records of sensitive financial data, totaling 480MB. They assert that this data includes customer names, account types, SWIFT codes, deposit and balance threshold information, phone numbers, emails, and other bank customer identification and account details. Sample data has been partially disclosed via the channel.
Bank *** is a major institution at the core of Indonesia’s financial ecosystem, responsible for the entire deposit, loan, and payment infrastructure. The information exposed in this incident consists not of simple personal details, but of high-risk data directly used for financial transactions, fund transfers, and KYC verification, including account types, balance thresholds, and SWIFT codes. Furthermore, with the scale of the leak reaching 3 million records, there is a risk that the damage could expand to encompass the entire national financial system. Indonesian financial institutions, fintech companies, and electronic payment operators are advised to take proactive measures against potential chain attacks.

- Ransomware Incident Case
Ransomware: INC Ransom
Affected Company: ***-finance.com
The ransomware group INC Ransom claimed responsibility for an attack on *** Finance Group and published the victim company’s data on the group’s leak site.
*** Finance Group is a leading financial services company operating in Africa, providing specialized financial solutions including credit, loans, and leasing to individuals and businesses. It operates in over 9 countries including Burkina Faso, Cameroon, Kenya, Mali, and Senegal, with recent annual revenue reported at approximately 79.6M USD.
The group claims to have stolen 100GB of fresh data accumulated over the past three years, stating the breach occurred on December 10, 2025. While specific details were not disclosed, given the nature of a financial institution, the data likely includes customer loan and credit information, internal documents, contracts, and employee information.
The entire dataset was published after December 10, 2025.
While financial services firms typically handle sensitive data like customers’ unique identifiers, credit information, and loan details, the publicly available materials from this incident so far appear limited to internal employee-related materials and operational documents. The disclosed directory and file structure primarily consists of internal reports, system operation data, and documents for internal communication and management purposes.
