What CrowdStrike’s Latest Report Means for Australian FSIs
The CrowdStrike 2026 Financial Services Threat Landscape Report presents analysis from the CrowdStrike Intelligence team covering activity observed from April 1, 2025, through March 31, 2026. This report details the current trends and events shaping the financial services threat landscape.
The Australian Signals Directorate Cyber Threat Report found that the financial services sector rose to become the most frequently reported non-government sector for cyber incidents in the 2024-25 period.
Why the Australian Financial Services Sector is uniquely exposed:
- High digital adoption and cloud maturity
- Concentrated banking sector (Big Four = systemic risk)
- Attractive identity and financial datasets
- Strong regulatory pressure → mandatory reporting → more visibility
- Proximity to active APAC threat actors
In this blog, I’m highlighting some of the key observations from this 28-page report, and my take on the landscape for Australian financial services institutions.
Big Game Hunting On The Rise
BGH adversaries gain initial access to victims via various techniques, including leveraging exploits, brute-forcing account credentials, and procuring network access from IABs. After gaining access, these adversaries often deploy ransomware, steal data, and threaten to publicly expose the stolen data on their DLSs, capitalizing on victims’ desire to avoid the financial and reputational consequences of data leaks.
CrowdStrike intelligence predicts that BGH operations will remain a significant threat to financial services entities over the next 12 months. Incidents impacting financial services entities increased 27% compared to the previous reporting period.
The report also covers investment-fraud operations. These actors use fraudulent online investment platforms that promise victims unrealistic returns on investments in cryptocurrencies, currencies, and technology products, enabling large-scale victimisation across multiple jurisdictions. Their operations use ostensibly legitimate investment platforms to facilitate fraud and convert stolen funds into cryptocurrency.
Identity is the #1 attack surface for Australian FSIs
CrowdStrike’s global finding - that 80%+ of intrusions involve compromised credentials - is amplified in Australia. Initial Access Brokers (IABs) enable eCrime operations by selling pre-compromised access, reducing the time and effort required by downstream threat actors to identify and compromise targets. Identity is now the primary attack surface for financial institutions.
Australian FSIs are seeing:
- MFA fatigue attacks
- Token theft
- Session hijacking
- Abuse of dormant or orphaned accounts
- Compromise of privileged cloud roles
CrowdStrike assesses that threat actors offering compromised financial services (FSS) accounts have formed private partnerships with BGH operators, resulting in a 40% decrease in public advertisements of access to financial services entities. Throughout the reporting period, advertised asking prices for access to financial services entities ranged from 100 USD to 1,000,000 USD. The average price was 23,252.41 USD, and the median price was 920.25 USD. Not that expensive!! It’s profitable if you target the right individual at the right organisation.
Identity is now the primary control gap in Australian financial services.
Aggressive eCrime & Ransomware
CrowdStrike’s report outlines the top adversaries that pose a persistent threat to FSS. Extortion pressure on high-availability banking infrastructure is intensifying, with a 27% year-over-year increase in financial organisations exposed on dedicated leak sites.
Mutant Spider has been the most active recent threat to financial sector organisations, with the highest volume of intrusions. It poses a significant threat to financial services organisations via vishing (voice phishing) campaigns, often impersonating internal IT support to manipulate users into resetting credentials and MFA. They’re now using AI to scale operations and reduce dwell time.
CrowdStrike observed Scattered Spider resume aggressive ransomware operations against insurance entities in Q2 2025, following a significant operational pause from December 2024 through March 2025.
Solar Spider targets the financial sector with RATs, custom Java-based tooling, and an updated Meduza Stealer. Plump Spider, a Brazil-based eCrime adversary, also uses vishing, posing as IT support and prompting users to download and execute various tools that harvest web browser credentials. It has now shifted to email-based phishing.
State-Sponsored Industrial Deception
China-nexus (Panda) adversaries continue to exploit edge devices, conduct DLL search-order hijacking, use compromised infrastructure for command and control (C2) communications, and target cloud environments.
These adversaries’ sustained focus on South and Southeast Asian financial services entities likely demonstrates their strategic interest in gaining access to regional financial systems and economic intelligence across multiple developing markets. The report outlines their local activity.
In Australia, CrowdStrike saw DPRK-nexus (North Korea) adversaries dominate. These adversaries stole a record-breaking $2.02 billion in digital assets (globally) in 2025, a 51% year-over-year increase. Pressure Chollima executed the largest single financial theft reported to date, $1.46B, by compromising Safe{Wallet} using trojanised software delivered via a compromised supply chain.
In contrast, Stardust Chollima tripled their operations in the observed period, relying on social engineering tactics and impersonating recruiters on LinkedIn. Golden Chollima and Famous Chollima use a similar method, encouraging potential victims to apply for roles.
These operations will likely continue to intensify in 2026, as international sanctions against the DPRK continue and military activities require ongoing funding.
What Australian FSIs Should Prioritise in 2026
The line between cyber intrusion and financial fraud is disappearing. The financial services sector will be combating sustained attacks through 2026, driven by profit-motivated eCrime threat actors, state-sponsored adversaries pursuing strategic intelligence objectives, and hacktivists seeking to advance an ideological cause.
My recommendations, tuned for the Australian context:
1. Identity protection as the #1 control
Organisations should focus on:
- Continuous identity threat detection
- Protection of tokens, sessions, and service accounts
- Privileged access hardening
- Real-time behavioural analytics
Hardening identity security (MFA, behavioural analysis) is critical.
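To make "continuous identity threat detection" concrete, here is an added example (my own illustration, not code from the CrowdStrike report or any Falcon product) that runs two of the detections above over constructed sign-in events: an MFA fatigue burst that ends in an approval, and a successful sign-in from a dormant account. Field names, thresholds and sample data are all assumptions.

```python
"""Added example: simple identity threat detections over constructed
sign-in events (MFA fatigue / push bombing and dormant-account use)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, event, result). Not real data.
EVENTS = [
    ("2026-03-02T09:00:05", "j.smith", "mfa_push", "denied"),
    ("2026-03-02T09:00:40", "j.smith", "mfa_push", "timeout"),
    ("2026-03-02T09:01:10", "j.smith", "mfa_push", "denied"),
    ("2026-03-02T09:01:55", "j.smith", "mfa_push", "denied"),
    ("2026-03-02T09:02:30", "j.smith", "mfa_push", "approved"),   # user gave in
    ("2026-03-02T09:15:00", "svc-legacy-batch", "signin", "success"),
    ("2026-03-02T10:00:00", "a.wong", "mfa_push", "approved"),
]

# Constructed directory data: last activity per account, for the dormancy check.
LAST_ACTIVE = {
    "j.smith": "2026-03-01T17:30:00",
    "a.wong": "2026-03-02T08:55:00",
    "svc-legacy-batch": "2025-10-15T02:00:00",   # untouched for months
}

def _ts(s):
    return datetime.fromisoformat(s)

def detect_mfa_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Flag users receiving >= threshold MFA pushes inside `window`.
    Returns {user: ended_in_approval}; a burst of denials/timeouts that
    ends in an approval is the case to escalate first."""
    pushes = defaultdict(list)
    for ts, user, event, result in events:
        if event == "mfa_push":
            pushes[user].append((_ts(ts), result))
    hits = {}
    for user, seq in pushes.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            burst = [r for t, r in seq[i:] if t - start <= window]
            if len(burst) >= threshold:
                hits[user] = burst[-1] == "approved"
                break
    return hits

def detect_dormant_signins(events, last_active, dormant_days=90):
    """Return accounts that signed in after >= dormant_days of inactivity."""
    idle = timedelta(days=dormant_days)
    return sorted({u for ts, u, ev, res in events
                   if ev == "signin" and res == "success"
                   and _ts(ts) - _ts(last_active.get(u, ts)) >= idle})
```

Real deployments would read these events from the identity provider's sign-in logs and tune the window and threshold per environment.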
2. Unified detection and response across endpoint, cloud, identity, and data
Tool sprawl is a major issue in Australian FSIs. Consolidation = visibility + speed.
3. Prioritise edge device and perimeter patching and monitoring
Reduce your blind spots by prioritising patching of perimeter technologies and externally exposed surfaces. Use extended logging and detection coverage across the environment to uncover stealthy activity early.
4. Third‑party risk visibility
Pay attention to supply chain risk, as aligned to CPS 230 and CPS 234 expectations. Continuous attack surface management and strict vendor risk assessments are essential to mitigate cross-domain blind spots.
5. Cloud security posture and identity governance
Australian FSIs must demonstrate:
- Identity governance
- Third‑party assurance
- Cloud security maturity
- Incident response readiness
- Real-time visibility across hybrid environments
Compliance is no longer enough — regulators expect proactive threat management.