More than one million online banking accounts were compromised by infostealers last year, as financial cyberthreats shifted toward credential theft and data reuse. Attackers are moving away from traditional PC banking malware and increasingly relying on social engineering and dark web marketplaces, while mobile financial malware continues to grow.
Detailed information on current financial cyberthreat trends is available in Kaspersky’s new report.
Financial phishing
Traditional financial phishing has not gone away. Pages that mimicked e-shops dominated the financial phishing landscape (48.5% in 2025, up 10.3% from 2024), followed by banks (26.1% in 2025, down by 16.5% from 2024) and payment systems (25.5% in 2025, up by 6.2% from 2024). The decline in bank phishing may suggest that these services are becoming increasingly difficult to successfully impersonate, and fraudsters are turning to easier ways to access users' finances.
Attackers are adapting campaigns to regional digital habits. In the Middle East, financial phishing is overwhelmingly concentrated on e-commerce (85.8%), indicating a heavy reliance on online retail lures, whereas in Africa bank-related phishing leads (53.75%), which may indicate that user account security there is still insufficient. LATAM shows a more balanced distribution but with a higher share of e-commerce (46.3%) and bank targeting (42.25%), while APAC and Europe display a more even spread across all three categories, pointing to diversified attack strategies.
The
distribution of detections of financial phishing pages by category
(banks/online stores/payment systems), globally and per region, 2025
Financial malware
In 2025, the decline in users affected by financial PC malware continued as users increasingly rely on mobile devices to manage their finances. Contrary to PC banking malware, mobile banker attacks grew by 1.5 times in 2025 compared to the previous year.
The
dynamics of the number of users attacked by traditional PC banking malware,
per month, 2023–2025
Financial threats and the dark web
Complementing traditional financial malware, infostealers played a significant role in enabling financial crime both on PCs and mobile devices by harvesting login credentials, cookies, bank card numbers, crypto wallet seed phrases, and autofill data from browsers and applications, which attackers then used for account takeovers or direct banking fraud. Kaspersky data pointed to a surge in infostealer detections (up by 59% globally on PCs from 2024 to 2025), fueling credential-based attacks.
According to Kaspersky Digital Footprint Intelligence (DFI), in 2025 over one million online banking accounts served by the world’s 100 largest banks fell victim to infostealers: credentials for these accounts were being freely shared on the dark web. The countries with the highest median number of compromised accounts per bank were India, Spain, and Brazil.
The
median number of compromised accounts per bank for the TOP-10 countries
74% of payment cards that were compromised by infostealer malware, published on dark web resources and identified by Kaspersky DFI team in 2025, remained valid as of March 2026. This means that attackers could still use cards that had been stolen months or even years prior.
“The dark web has become a central hub for financial cybercrime. Stolen credentials and bank cards that have been harvested by infostealers are aggregated, repackaged, and sold there, while phishing kits targeted at users of financial products are offered as ready-to-use services. This creates a self-sustaining ecosystem where data theft and fraud operations reinforce each other, making attacks scalable and easy to carry out by fraudsters with minimal experience. Breaking this cycle requires proactive threat intelligence on the part of organizations, and increased awareness and scrutiny from individual users,” comments Polina Tretyak, Kaspersky Digital Footprint Intelligence analyst.
Detailed information is available in the full report on Securelist.
Kaspersky recommends the following to stay protected.
For individual users:
- Use multifactor authentication where possible, create strong unique passwords and safely store them in a password manager.
- Do not follow links from suspicious messages and double-check web pages before entering your credentials or banking card details.
- To protect yourself from fake e-shops and phishing pages use a reliable security solution. Kaspersky Premium protects users from fraudulent online stores and phishing websites through advanced detection technology that analyzes website characteristics and URLs to identify suspicious patterns.
For businesses:
- Assess the entire infrastructure, fix vulnerabilities, and consider external specialists for fresh perspectives that reveal concealed risks.
- Deploy integrated platforms to monitor and control all attack vectors with rapid detection and swift response across the organization. Solutions from the Kaspersky Next product line can help with this, as they provide real-time protection, threat visibility, investigation, and EDR/XDR capabilities scalable to organizations of any size and in any industry.
- Continuous monitoring of dark web resources significantly improves the coverage of various sources of potential threats, and allows customers to track threat actor’s plans and trends in their activities. This type of monitoring is a part of Kaspersky’s Digital Footprint Intelligence service.
