January 2026 Security Issues in Korean & Global Financial Sector
This report comprehensively addresses actual cyber threats and related security issues that have occurred in domestic and international financial sector companies.
It includes an analysis of malware and phishing cases disseminated targeting the financial sector, presents the top 10 major malware aimed at the financial sector, and provides statistics on industries of domestic accounts leaked via Telegram.. It also details cases of phishing emails targeting the financial sector.
Additionally, it analyzes major threats and cases related to finance that have occurred on the dark web., threats of credit card data leakage and actual cases,, threats of database leaks in financial institutions and occurrences., ransomware intrusion threats targeting the financial sector and damage cases caused by infections,, and various cyber attack threats against financial institutions along with actual damage cases.
[Summary of statistical data]
-
Statistics on malware disseminated targeting the financial sector
-
Statistics on industries of domestic accounts leaked via Telegram
[Summary of major issues related to the deep web&dark web in the financial sector]
- Cases of damage from the sale of access rights
The affected company : h***.mx
Access credentials (FTP, SSH, RDP) to the internal network of the Mexican insurance company H*** have been leaked on the cybercrime forum Leakbase.
H*** is a property and casualty insurance company headquartered in Mexico and is the Mexican subsidiary of the H*** brand, which belongs to the German insurance group ***.
The threat actor (PanchoVilla) claims to have compromised backdoor access to the H*** insurance network through an already authorized user account, mentioning that the deployment of a C2 server is possible and that this access is suitable for ransomware deployment. They presented some samples of the dumped database via an external file sharing link.
The circumstances indicating that access credentials are being traded on the dark web suggest a possibility of further breaches and ransomware attacks following the initial infiltration.
- Database leak cases
This report summarizes the top three financial damage companies based on brand awareness and revenue scale among numerous database leakage cases that occurred this month, as follows.
The affected company : v***.com
Data from the American asset management and investment advisory firm The V***, Inc. is being sold on the cybercrime forum DarkForums.
The V***, Inc. is a global asset management company based in the United States that provides ETF and asset management products, and operates investment· asset management services for individual and institutional investors.
The threat actor (Solonik) claims to have accessed a dataset containing approximately 22.5 million records related to V***’s ETF and asset management customers, and is offering to sell this data for $9,500. According to the threat actor’s claims, the data includes customer names, dates of birth, addresses, email addresses, and phone numbers. Upon reviewing the sample data posted, identifiable information includes detailed residential addresses, email addresses, and phone numbers in a format excluding the U.S. country code, with the threat actor providing an additional sample dataset of about 34,000 records.
If the claims regarding the leak are true, there is a possibility that personal information of large-scale investors is included, which could lead to impersonation,, phishing,, and financial fraud attempts through personal information exposure.
- Ransomware infection victim cases
CL0P, Eraleig (APT73), and Everest ransomware groups have compromised numerous financial-related companies and publicly disclosed the victims on their Dedicated Leak Sites (DLS). This report summarizes the top three financial victim companies based on awareness and revenue scale among the various ransomware incidents that occurred this month as follows.
Ransomware: CLOP
Victim company: t***.com
The ransomware group Clop has listed T***(t***.com) as a new victim, claiming to possess internal data.
T*** is a global payment and card processing service company headquartered in London, UK,. Due to the nature of its business, which provides online payment gateways and financial software solutions, there is a risk of exposure of customer payment information and financial transaction data in the event of a breach.
The posted page includes T***’s headquarters location,, contact information,, website,, revenue scale,, industry information, along with phrases criticizing security responses,, but no actual leaked data samples or file lists have been disclosed to date.
At this point, no actual data breaches have been confirmed, and it is necessary to continuously monitor the potential for substantial damage depending on whether Clop releases additional evidence in the future.
