A major shift is underway in the global financial cyber threat landscape, with attackers increasingly abandoning traditional banking malware in favor of credential theft, data reuse, and scalable fraud operations fueled by dark web marketplaces.
According to a new report from Kaspersky Digital Footprint Intelligence (DFI), more than one million online banking accounts linked to the world’s 100 largest banks were compromised by infostealer malware in 2025.
The stolen credentials are now circulating freely on dark web platforms, enabling widespread account takeovers. India, Spain, and Brazil recorded the highest median number of compromised accounts per bank, underscoring the global scope of the threat.
The persistence of stolen data is particularly concerning. Kaspersky found that 74% of payment cards exposed by infostealers in 2025 were still valid as of March 2026, meaning cybercriminals can exploit financial information months or even years after the initial breach.
This evolving ecosystem is being driven by infostealers – malware designed to harvest login credentials, banking details, cookies, and even cryptocurrency wallet data.
Once collected, this information is aggregated and sold on underground marketplaces, lowering the barrier to entry for cybercriminals and enabling less sophisticated actors to carry out attacks.
At the same time, the attack surface is shifting. Financial malware targeting personal computers continues to decline as users migrate to mobile banking. In contrast, mobile banking malware attacks surged by 1.5 times in 2025 compared to the previous year, reflecting criminals’ adaptation to changing user behavior.
Read More: Kaspersky Finds 1 Mln Daily Attempts to Collect User Data
Phishing remains a dominant tactic, though its focus is evolving. Fake e-commerce websites accounted for 48.5% of financial phishing attacks in 2025, marking a sharp increase from the previous year.
Bank-related phishing dropped to 26.1%, while payment system scams rose to 25.5%. Regional differences are also pronounced: e-commerce scams dominate in the Middle East, while bank-focused phishing leads in Africa, suggesting varying levels of digital maturity and user awareness.
Kaspersky’s data also highlights a surge in infostealer activity, with detections rising 59% globally between 2024 and 2025. This growth is directly fueling credential-based attacks, reinforcing a self-sustaining cycle of data theft and financial fraud.
“The dark web has become a central hub for financial cybercrime,” said Polina Tretyak, noting that stolen data and ready-made phishing kits are now widely accessible. “This creates a scalable ecosystem where fraud can be carried out with minimal expertise.”
Security experts urge both individuals and organizations to respond proactively. Users are advised to avoid suspicious links, enable multi-factor authentication, and use password managers.
Businesses, meanwhile, are encouraged to strengthen infrastructure defenses, monitor dark web activity, and deploy advanced threat detection systems to counter increasingly sophisticated attacks.
As cybercriminals refine their methods, the report signals a clear trend: the future of financial fraud lies not in breaking systems, but in exploiting the vast troves of stolen data already in circulation.
