Introduction
In 2025, the financial cyberthreat landscape underwent significant evolution. While traditional PC banking malware saw a relative decline, this shift was counterbalanced by a surge in credential theft through infostealers. Attackers increasingly focused on aggregating and reusing stolen data rather than developing entirely new malware capabilities. This analysis draws on anonymized data from Kaspersky Security Network (KSN), supplemented by publicly available sources and dark web intelligence, to paint a comprehensive picture of the threats facing financial institutions and users.
Key Findings
The year 2025 was marked by three major trends: a pivot in phishing toward e-commerce and digital services, a persistent but evolving threat from banking malware, and the rise of infostealers as a central driver of financial cybercrime. Each of these areas reflects a maturation of attack methodologies, with social engineering becoming more targeted and credential theft fueling a thriving dark web economy.
Financial Phishing
Online fraudsters continued to lure users to phishing and scam pages that mimic trusted brands and financial organizations. In 2025, these campaigns featured increasingly convincing social engineering and brand impersonation, exploiting user trust through contextual adaptation rather than sheer volume. The distribution of top phishing categories reveals a clear shift toward digital platforms that aggregate multiple user activities: web services (16.15%), online games (14.58%), and online stores (14.17%) led globally. Compared to 2024, the rise of online games and the decline of social networks and banks indicate that attackers are targeting environments where users are more likely to act impulsively. Categories like instant messaging apps and global internet portals remain significant, serving as communication hubs ripe for credential harvesting.
Regional patterns further underscore the adaptive nature of phishing campaigns. Attackers tailor their lures to local trends and user behaviors, making each region a unique battleground. For deeper insights, see our analysis of regional variations.
Regional Patterns
The data shows that phishing campaigns in 2025 were highly localized. For instance, e-commerce phishing dominated in regions with strong online shopping cultures, while online games were more prevalent in areas with high gaming populations. This targeted approach increases the effectiveness of social engineering, as users are more likely to engage with familiar interfaces and offers.
Banking Malware
Although financial PC malware declined in overall prevalence, it remains a persistent threat. Established families of banking Trojans continue to operate, but attackers are increasingly prioritizing credential access and indirect fraud over deploying complex malware. In contrast, mobile banking malware is on the rise, as detailed in our separate mobile malware report. This shift reflects attackers' adaptation to user behavior: as more financial transactions occur on mobile devices, so too do the threats.
Infostealers and the Dark Web
Infostealers have become a central driver of financial cybercrime in 2025. These stealthy programs capture credentials, payment data, and full identity profiles, which are then traded at scale on the dark web. This has fueled a thriving underground economy where stolen data enables widespread and destructive fraud operations. The aggregation and reuse of data from infostealers allow attackers to launch targeted attacks without developing new malware, making them a key component of the modern threat landscape.
Outlook for 2026
Looking ahead, we expect the trends of 2025 to intensify. Credential theft via infostealers will likely continue to grow, with attackers refining their data aggregation techniques. Phishing will become even more contextually aware, leveraging AI and regional data. Mobile malware will expand as financial services go increasingly mobile. The dark web economy will become more organized, with stolen data sold in bundles and used for sophisticated fraud chains. Financial institutions and users must remain vigilant, adopting multi-factor authentication, regular monitoring, and employee training to mitigate these evolving threats.