Throughout our daily monitoring of the global cyberthreat landscape, the Silobreaker Analyst Team observed a pattern of cyberattacks frequently coinciding with ongoing geopolitical events. This overlap was previously discussed in our recently published report, Global Conflicts in the Digital Era, which looks specifically at hacktivism, disinformation, and nation-state threat actor activity. Taking the same theme, we wanted to see what this means for financial services and how organizations in this industry can best deal with this kind of evolving threat landscape.
Hacktivist Attacks on Banks During Geopolitical Conflicts
Financial services are often a popular target of hacktivist groups amidst geopolitical tensions. Their distributed denial-of-service (DDoS) attacks aim to cause disruption and chaos, with any downtime of services having substantial effects on customers and trade. The groups often cite support for one side or another in a conflict for their motivation for the attacks, with notable activity observed alongside the Russia-Ukraine war and the conflicts in the Middle East.
NoName057(16) and the Rise of Pro-Russian Hacktivism
Perhaps one of the most notorious hacktivist groups active throughout the Russia-Ukraine war is NoName057(16), a hacktivist group with suspected links to the Russian government. The group has continuously targeted various industries, typically citing retaliation against Ukraine, or against countries supporting Ukraine, when claiming its DDoS attacks. For example, in February 2024, the group targeted various tax-related institutions in Ukraine, referencing the anniversary of the ‘special military operation’, while multiple DDoS attacks were carried out against Romanian banks. In another example, in March 2024, NoName057(16) cited the allocation of €2.5 billion for the construction of a new NATO military base as its motivation. In general, NoName057(16)’s attacks have coincided with policy decisions or meetings being held, indicating that the group pays close attention to any geopolitical moves.
The group developed its own DDoS botnet, DDoSia, which has been used to conduct these large-scale DDoS attacks. The DDoSia project relies on volunteer hackers, who are paid by the group. The funds for these payments are suspected to come from the Russian government, indicating a possible government-sponsored operation.
Despite regular disruptions to its infrastructure, NoName057(16) continues to engage in daily attacks. This has also been the case after a major international law enforcement operation in mid-July 2025, dubbed Eastwood, disrupted over 100 servers globally and led to the arrests of at least two individuals. Recently claimed attacks include ones against Ukrainian government bodies and Belgium-based organizations in late August 2025, again coinciding with a major geopolitical event – Ukraine’s President Zelensky meeting with United States President Trump. Other attacks specifically reference the law enforcement operation, indicating that they are in retaliation for the disruption of the group’s servers. This campaign has also been joined by other hacktivist groups, such as Mr.Hamza and Z-Pentest Alliance, reflecting the increasingly common collaboration between different hacktivist groups.
Predatory Sparrow and State-Linked Attacks on Iranian Banks
Not only has the Israel-Hamas war sparked an increase in hacktivist activity, but so has the 12-day war between Israel and Iran that occurred in June 2025 as part of Israel’s Operation Rising Lion. Financial services were heavily targeted throughout the conflict, with a notable actor being Predatory Sparrow, believed to be linked to the Israeli government. On June 17th, 2025, the group claimed to have breached Iran’s Bank Sepah and to have destroyed all of its data. The incident reportedly disrupted customer services, causing problems with account access, withdrawals, and card payments, with several branches forced to close temporarily. A day later, the group claimed an attack on the Iranian cryptocurrency exchange Nobitex, in which it stole and burned $90 million in funds. The attacks were reportedly motivated by Bank Sepah’s alleged role in financing Iran’s military and nuclear programs and by Nobitex being ‘at the heart of the regime’s efforts to finance terror worldwide’.
Nation-State Cyberattacks on Financial Institutions
Nation-state advanced persistent threat (APT) groups continue to exploit the financial services sector, with North Korea standing out for its aggressive pursuit of cryptocurrency. Through attacks on exchanges, abuse of software supply chains such as npm, and schemes involving IT workers, North Korea-linked actors have stolen a significant amount of funds. These activities have not only prompted international sanctions and arrests but also underscore the growing convergence of cyber operations and financial crime.
Cryptocurrency exchanges remain prime targets for North Korea’s state-sponsored hacking groups, with recent incidents highlighting both the immense scale of theft and the sophistication of their methods. On February 21st, 2025, the Bybit exchange disclosed a breach that saw $1.4 billion stolen from one of its Ethereum cold wallets, ranking among the largest cryptocurrency heists ever recorded. The threat actor, believed to be the Lazarus Group, manipulated a transaction from a cold wallet to a hot wallet by masking the signing interface, presenting a legitimate address while secretly altering the underlying smart contract logic. Although Bybit emphasized that its other cold wallets were unaffected and worked with partners to freeze stolen assets, blockchain investigators tied the theft to earlier compromises at Phemex and BingX.
The Bybit breach is part of a broader set of Lazarus Group operations against the cryptocurrency industry. In early 2025, Sekoia researchers uncovered the ClickFake Interview campaign, believed to be a continuation of the Contagious Interview campaign, which similarly used fake job offers and interview platforms to lure job seekers in the cryptocurrency industry. Targets were tricked into downloading fraudulent drivers that deployed malware across both Windows and macOS systems, including the GolangGhost backdoor and FrostyFerret. At least 184 fake interview invitations have been linked to the campaign, highlighting Lazarus’ continued reliance on social engineering alongside direct exchange compromises.
Other North Korean groups have pursued parallel efforts. Since late 2024, the Willo Campaign, attributed to TraderTraitor, has targeted cryptocurrency employees through LinkedIn job lures, GitHub issue pages, and phishing sites impersonating interview platforms. At the center of the campaign is the GopherGrabber malware, which is distributed via npm packages and fake installers and has backdoor, stealer, and C2 functionality. A further North Korea-linked campaign, documented by Palo Alto Networks, delivered the RustDoor macOS backdoor and a new variant of Koi Stealer through malicious Visual Studio projects aimed at job-seeking cryptocurrency developers.
How Nation-States Exploit Cryptocurrency for Sanctions Evasion
Sanctions and law enforcement actions have become central tools in countering the misuse of cryptocurrency exchanges for money laundering and sanctions evasion. Recent measures, notably against Garantex and its affiliates, illustrate how governments are tackling platforms that enable cybercriminals to move and launder illicit funds. The US first sanctioned the platform in April 2022, followed by the EU in January 2025, accusing it of helping Russian banks bypass restrictions. The US Secret Service later announced in March 2025 that Garantex had been shut down, with the suspected co-founders Aleksej Besciokov and Aleksandr Mira Serda also arrested. On August 14th, 2025, the US Treasury further escalated action by redesignating Garantex Europe OÜ, citing its direct facilitation of ransomware operations, including those linked to Conti, and its role in processing more than $100 million in illicit transactions since 2019, including thefts linked to the Lazarus Group.
TRM Labs researchers have also warned that Russian actors are increasingly abusing Kyrgyzstan-based exchanges to procure dual-use goods for the war in Ukraine and evade sanctions. The exchanges were found to have facilitated transactions tied to Russian sanctions evasion on numerous occasions, with many Kyrgyz virtual asset service providers assessed to be shell companies. These cases show that while sanctions and takedowns can temporarily disrupt illicit infrastructure, determined actors often adapt quickly, underscoring the need for sustained enforcement.
Key Takeaways: Geopolitical Intelligence in Financial Cybersecurity
The cases explored in this post show that cyberattacks on financial services rarely occur in isolation. Instead, they often coincide with, or directly respond to, geopolitical developments, whether through hacktivist campaigns tied to wars and conflicts or state-sponsored operations seeking financial gain and strategic advantage. This convergence makes clear that financial organizations cannot afford to view cyber risks as separate from global politics.
For security teams, this means embedding geopolitical awareness directly into day-to-day monitoring and analysis. Tracking incident reports and intelligence not only from traditional cyber sources but also from geopolitical events, sanctions announcements, and international conflicts can provide crucial context for identifying threats and anticipating attacks. By incorporating geopolitical intelligence requirements into workflows, organizations will be better positioned to connect cyber incidents to real-world triggers, prioritize defensive actions, and strengthen resilience against adversaries whose motivations are as political as they are financial.
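As an added example of what "connecting cyber incidents to real-world triggers" can look like in practice, the Python script below correlates a feed of claimed attacks with a calendar of geopolitical events and builds a forward-looking watchlist. It is illustrative code written for this post, not Silobreaker's tooling or any product feature; every incident record and calendar entry is constructed sample data, and the three-day correlation window, country-based matching and per-actor counting are assumptions chosen for the demonstration.

```python
"""
Correlate threat-intel incident reports with a geopolitical event calendar.

Added illustrative example, not Silobreaker's code or tooling. All incident
records and calendar entries below are constructed sample data; the matching
window and the country-based join are assumptions made for the demonstration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    day: date
    actor: str
    target_country: str   # country label of the victim organisation
    sector: str
    summary: str


@dataclass(frozen=True)
class GeoEvent:
    day: date
    countries: frozenset  # countries the event concerns
    summary: str


# Constructed sample feed of claimed attacks (not real reports).
INCIDENTS = [
    Incident(date(2025, 3, 12), "NoName057(16)", "RO", "finance", "DDoS on three Romanian bank portals"),
    Incident(date(2025, 3, 13), "NoName057(16)", "RO", "government", "DDoS on ministry sites"),
    Incident(date(2025, 4, 2), "UnknownActor", "DE", "finance", "Credential phishing wave"),
]

# Constructed sample calendar of geopolitical triggers (not real events).
CALENDAR = [
    GeoEvent(date(2025, 3, 11), frozenset({"RO"}), "Parliament approves NATO base funding"),
    GeoEvent(date(2025, 5, 1), frozenset({"DE"}), "Sanctions package announced"),
]


def correlate(incidents, calendar, window_days=3):
    """Return (incident, event, lag_days) for every incident that occurs within
    `window_days` on or after an event concerning the incident's country.

    Only forward lags count: the hypothesis being tested is that the event
    triggered the attack, so incidents preceding an event are not matched.
    """
    matches = []
    for inc in incidents:
        for ev in calendar:
            lag = (inc.day - ev.day).days
            if 0 <= lag <= window_days and inc.target_country in ev.countries:
                matches.append((inc, ev, lag))
    return matches


def cluster_by_actor(matches):
    """Count how often each actor's claims land inside an event window.

    Actors with repeated hits are the ones whose future activity can be
    anticipated from the calendar rather than only reacted to."""
    counts = {}
    for inc, _ev, _lag in matches:
        counts[inc.actor] = counts.get(inc.actor, 0) + 1
    return counts


def upcoming_watchlist(calendar, today, horizon_days=7):
    """Events in the next `horizon_days`: the countries and dates for which a
    defender should raise readiness (e.g. DDoS capacity, on-call) in advance."""
    return [ev for ev in calendar if 0 <= (ev.day - today).days <= horizon_days]


if __name__ == "__main__":
    hits = correlate(INCIDENTS, CALENDAR)
    for inc, ev, lag in hits:
        print(f"{inc.day} {inc.actor}: {inc.summary} -- {lag}d after '{ev.summary}'")
    print("per-actor hits:", cluster_by_actor(hits))
    for ev in upcoming_watchlist(CALENDAR, date(2025, 4, 28)):
        print("watch:", ev.day, sorted(ev.countries), ev.summary)
```

In a real deployment the two inputs would come from an intelligence feed and an events calendar rather than inline lists, and the join key would usually be richer than a single country label (sector, alliance membership, or the specific institutions an event names). The structure stays the same: a bounded look-back from each incident to candidate triggers, a per-actor tally to learn which groups react to which kinds of events, and a look-ahead so that readiness is raised before the next anticipated wave rather than after it.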
Stay one step ahead of geopolitical cyber threats — see how Silobreaker can protect your financial services organization. Request a demo.