What are the Biggest Cyber Threats to Banks on the Dark Web?

No business or industry is immune to cyber threats. Year after year, the rate of financial services cyber threats and threats to other sensitive industries like healthcare only continues to increase.

The financial industry, and the banking sector, in particular, is among the most popular targets for cyberattacks because of the potential profit that is on the line. In July 2024 in the US alone, Patelco Credit Union had to shut down customer-facing systems to contain the fallout from a ransomware attack, while a breach at Evolve Bank & Trust released sensitive financial information of nearly 8 million customers.

Why are banking firms one of the most targeted sectors by cybercrime?

1. Banks store a lot of sensitive information relating to their customers in their internal databases – from account balances, credit card numbers and transactional information to detailed PII. In comparison to companies in other industries, cybercriminals may generate the largest amount of revenue from stealing that information, which makes attacking banks and financial services firms more worthwhile.
2. Finance data or wire transfers have become more accessible with the growth of financial technologies and platforms such as mobile payments and online banking. There are now more platforms than ever before, as well as many other infrastructure systems and portals operated by banking firms, which provide more room for cybercriminals to exploit.  
3. Since banking firms hold a lot of sensitive client information, they are more likely to pay ransom in case they are hit by a cyberattack in an attempt to protect their clients, prevent data loss, and maintain their reputation. According to a recent survey, 62% of financial services organizations paid ransoms to get data back following ransomware attacks in 2023, compared with 56% who paid in other industries.

Threats against banking institutions on the dark web

By using Lunar, our dark web monitoring platform we were able to identify a clear upward trend which indicates that there is an increase in the number of potential cyber threats banks face in 2024 and most likely will continue to face in 2025. The following chart shows the volume of mentions of banks on deep and dark websites related to financial crime and threat intelligence. In October 2023, there were very few mentions of banks and as of October 2024 there are 18.7 M.

Let’s take a deeper dive into the top threats banks are facing on the dark web.

What are the top cyber threats for banks on the dark web?

Financial Trojans

Financial trojans are a type of malware designed to steal sensitive financial information, such as banking credentials, credit card details, and account data, from users or organizations. They often operate by embedding themselves into legitimate applications or websites, where they can capture login details, initiate unauthorized transactions, or manipulate account balances without detection. 

Financial services organizations face increasing threats from these trojans as cybercriminals become more sophisticated, leveraging techniques like phishing, social engineering, and software vulnerabilities to distribute the malware. The rise of digital banking, mobile payments, and online financial services has expanded the attack surface, providing more opportunities for trojans to infiltrate systems. These attacks can lead to significant financial losses, reputational damage, and regulatory penalties for organizations. As the methods used by attackers evolve, the need for robust cybersecurity in the financial sector grows more urgent.

In 2023 and 2024 the Brazilian banking malware Grandoreiro spread to over 40 countries, targeting more than 900 banks globally. These trojans are designed to steal financial data and execute fraudulent transactions by gaining remote access to victims’ devices. 

Ransomware

One of the most popular and destructive types of cyberattacks in recent years is ransomware attacks.

Ransomware, which is a type of malware, is designed to penetrate into the system of an organization, steal its internal information and encrypt the files so they won’t be accessible anymore. In return for decrypting the files and for not leaking out the compromised data, the cybercriminals are likely to demand a ransom from the victim, which makes this business usually very profitable and popular.

Due to the sensitive nature of data banks usually save on their customers, ransomware gangs consider banks to be attractive targets. This is likely why, according to the American Banking Association (ABA), ransomware attacks against the financial services industry grew by a staggering 64% in 2023.

The recent Evolve bank attack (mentioned above), carried out by the LockBit gang, compromised the sensitive data of over 7.6 million individuals. The attack began in May 2024, when Evolve initially misidentified the breach as hardware failure. Upon investigation, they discovered the attack had started months earlier, likely in February. LockBit exfiltrated personal details such as names, Social Security numbers, and bank account information. After Evolve refused to pay the ransom, LockBit leaked the stolen data online. Although customer funds remained secure, the breach impacted personal data and exposed millions to potential identity theft.

Phishing

Phishing attacks are a significant threat to banks and financial institutions, targeting both customers and internal staff to gain unauthorized access to sensitive data. Cybercriminals craft realistic emails or messages that appear to be from legitimate financial entities, prompting recipients to click on malicious links or disclose confidential information. This not only jeopardizes customer trust but also exposes institutions to substantial financial losses. After a successful phishing attempt, banks may face costly remediation efforts, regulatory penalties, and reputational damage. Financial institutions need to implement robust security training programs for their employees in order to mitigate these risks and implement advanced email filtering solutions to detect and block potential phishing threats before they reach end users.  

According to Trustwave’s 2024 Risk Radar Report, 49% of attacks on the financial service sector originated from phishing. This comes as little surprise since we can find many phishing tools readily available on the deep and dark web. Among the tools we can find are phishing kits and phishing tutorials which are frequently sold at affordable prices, and which enable cybercriminals to plan and execute phishing attacks with little effort. We can find those kits and tools being sold in hacking forums, dark web marketplaces, and chat platforms. Without dark web monitoring, companies may continue operating for some time before they will detect the phishing scam that compromised their systems.

Take for example the following post, which recently appeared in a hacking forum. You can see a threat actor offering to build custom phishing kits for a fee. His pricing list includes special prices for phishing kits for specific banks including Citibank, the Bank of America, and Wells Fargo.

Distributed Denial of Service (DDoS) Attacks

DDoS attack is an attempt by a threat actor to overwhelm a web server or network infrastructure with many requests in order to slow down or crash the service temporarily, preventing legitimate user requests from being processed.

Just like ransomware attacks, DDoS attacks are also motivated by financial gain as many of them are driven by ransom demands. But another interesting motive for DDoS attacks, which have become very popular in recent years, is hacktivism. 

According to the FS-ISAC and Akamai, in 2023 over one-third (35%) of all DDoS attacks targeted the financial services sector, which has now overtaken gaming as the most frequently attacked industry. This shift was largely fueled by a significant expansion in the strength of botnets and a surge in hacktivism, driven in part by geopolitical tensions from the Russia-Ukraine conflict. The financial sector saw a staggering 154% rise in DDoS incidents from 2022 to 2023, reflecting how much cybercriminals are increasingly focused on disrupting this critical industry.

The following post, which Webz.io crawled from a dark web hacking forum serves as the perfect example of targeted DDoS attacks against banks on the basis of hacktivism:

In this specific case, the bank website services of KSA (Kingdom of Saudi Arabia), Dubai, and Kuwait were the subject of the attacks.

Financial identity theft

Financial identity theft is the most common cyber threat to banking and financial institutions on the deep and dark web, with the aim of exploiting an individual’s personal information for financial gain. There are a variety of ways this type of attack occurs, with attackers using different malware or phishing methods, gaining access to leaked databases with stored credit card information, or even manually skimming credit card numbers with illegal card readers. 

How does an incident of financial identity theft occur? A threat actor aiming to steal someone’s financial identity typically begins by obtaining personal data through methods like credential stuffing, where breached username-password pairs are reused across multiple accounts, or keylogging malware that captures a user’s keystrokes. Once access is gained, they can execute fraudulent transactions, apply for loans or credit under the victim’s name, and create new accounts that bypass detection by traditional security checks. This leads not only to financial losses for the individual but also can cause significant reputational and operational damage for financial institutions, who may face regulatory penalties and erosion of customer trust.

What are the most common types of financial identity theft on the deep and dark web?

Credit card dump

This is a type of crime in which credit card information is stolen from customers and put up for sale. Using the stolen information, the cybercriminal can also make fraudulent purchases online. Some 215,000 incidents of credit card fraud were reported to the FTC in H1 2024 – a 6% rise from the previous six months. In 2023, 425,977 such cases were reported. 

Here’s one example:

Bank drops

This is the act of using stolen bank account details, such as full name, date of birth, driver’s license details, contact information, SSN, financial account number, and credit score in order to open fake bank accounts. The whole package of this stolen information is called “Fullz” and is being sold on dark web marketplaces and hacking forums at affordable prices. They may be used by cybercriminals to store stolen money that will cover their tracks or to steal money by ordering credit cards fraudulently. This is hard for victims to detect sometimes, as in some cases, they will not receive a bill or statement if a new account is created with their stolen bank account details.

Backdoors Attacks

A backdoor is a security vulnerability that is able to remotely bypass an organization’s existing security systems and gain access to corporate systems without the need for authentication. The backdoor attack is designed not to be detected so easily, which also allows the threat actor to keep a low profile, leaving no traces behind. Using a backdoor, the cybercriminals are able to take many malicious actions on the system such as deploying spyware and stealing sensitive information.

On the deep and dark web, there are many cybercriminals that were successful in gaining access to the internal systems of organizations by using various types of backdoors. But many of them would rather sell it to a third party instead of using them to attack.

The following post is an example of one of those cases in which a threat actor offers a backdoor to Tajikistan Commercial Bank for sale on a widely known hacking forum:

In the post, the threat actor specifies the type of access he managed to obtain into the bank’s system. If an organization monitors such existing backdoors in real-time, which are difficult to detect, it would be better positioned to minimize the damage and even prevent the cyberattack altogether.

Counterfeit

One of the popular products on dark web marketplaces that poses a threat to the financial sector is counterfeit enablers. Among the products that fall under this category are fake templates for bank and credit card statements, cheque copies, bank drafts, and even bank notes. Many of the documents are sold as PSD templates (usually pretty cheap) which the client can edit, and some of them are customized by the vendor for a higher price. These documents can be used by cybercriminals to commit a series of illegal activities such as bypassing online verifications.

Malicious insider threats

Malicious insiders are people with lawful access to internal tools, information, or systems within an organization who intentionally abuse this access (using legitimate credentials) for financial or personal gain. Malicious insiders are often current or former employees, contractors, or business associates. Insiders, whose main goal is usually making a profit, are either using their legitimate access to offer fraud services or sell the raw sensitive information they are able to access to a third party. In the financial sector, that sensitive information might be confidential customer information (such as bank account details) or other classified data related to the company.

Supply chain attacks

Supply chain attacks are carried out to breach a bank’s third-party vendor in its chain that is compromised. Usually, vendors take cybersecurity less seriously than their clients, and since they store sensitive data that belongs to clients, cybercriminals can exploit their vulnerability to attack the banks. 

Since vendors are known to take fewer cybersecurity measures than their clients, they are an easier target to compromise. But the impact is far-reaching. Because third-party vendors store sensitive data of different clients, a single compromise could impact hundreds and sometimes thousands of companies.

Many banks use different vendors and third parties, making them susceptible to various attacks. From backdoor attacks to malware attacks and vulnerability exploitation, cybercriminals can use a weaker spot in their vendor’s system to access their own system.

ATM jackpotting is one of the classic examples of supply chain attacks for banks, in which physical or software vulnerabilities in automated banking machines (which are manufactured by banks’ vendors) are exploited to disburse cash. This also requires physical access to an ATM machine. ATM jackpotting essentially allows criminals to access the machine’s cash reserves, which are not linked to the balance of any one bank account. 

We can see many discussions about ATM Jackpotting on the deep and dark web, including the trade of guides. In the following post, a threat actor says he is planning to carry out an attack on an ATM manufactured by Wincor Nixdorf using Ploutus (ATM Malware). The actor also asks for advice from the dark web forum Dread members regarding some problems he encountered:

The deep and dark web platforms that consist of many different marketplaces, hacking discussions, and closed chat rooms are fertile grounds for the trade of malicious information. This includes the trade of hacking tools and exploits, malicious guides, phishing kits, special malware, compromised databases, and even zero days. Cybercriminals also use these platforms to share with fellow threat actors their intentions to carry out a certain cyber attack, some in an effort to get feedback, and others seek partners to carry out their attack. All this is taking place in the planning stage before and the beginning of the attack, but also during and after the attack. Monitoring these platforms to identify potential cyber threats, and an attack in the making is critical for any organization.

Actionable insights and recommendations

In response to escalating cyber threats, banks must adopt a multi-layered defense strategy that includes dark web monitoring. Dark web monitoring is crucial for early detection of threat chatter and potential breaches. Tools like Lunar provide continuous surveillance of dark web activity, helping banks identify and act on risks quickly. 

Employee education and insider threat prevention are an essential part of the mitigation mix. Robust training programs and insider threat programs should be prioritized, especially for employees in sensitive roles. These programs should combine training with continuous monitoring to detect anomalous access or data handling activities. Vendor security must not be overlooked, either – third-party vulnerabilities are a growing attack vector. Banks should implement stringent security protocols and invest in dedicated third-party risk management systems to assess and monitor vendor security continuously. 

To counter DDoS and ransomware attacks, banks should develop rapid-response plans that include data backups, encryption, and collaboration with DDoS mitigation services to handle high-traffic disruptions. Finally, banks should strengthen their counterfeit detection capabilities by using AI-based monitoring for document verification, ensuring that fraudulent documents do not slip through. By adopting these strategies, banks can build a resilient defense posture that not only mitigates current threats but is also agile enough to adapt to future threats in the evolving cyber landscape.