By Hannah Baumgaertner, Head of Research, Silobreaker
When customers lose access to their bank accounts, even a momentary lockout can undo years of trust. In 2025, financial institutions across Europe and beyond were reminded that the threats to that trust loom large, extending beyond system failures and fraud into the realm of geopolitically motivated attacks on banks and other financial institutions.
Cybersecurity in financial services has long focused on stopping financially motivated crime. But over the past year, a different threat has accelerated. Hacktivist groups – threat actors aligned with political causes – alongside state-linked actors, have increasingly targeted banks and payment providers to disrupt services and exert pressure during moments of international tension.
These attacks are not opportunistic. They are often carefully timed and designed to cause disruption rather than direct financial gain. For financial institutions, this marks an important shift in the threat landscape. As geopolitical tensions continue to rise, the financial sector has become a prominent target in international power struggles.
Looking ahead to the rest of 2026, financial services organisations must prepare for an escalation in geopolitically motivated cyber activity, and rethink how they assess and respond to cyber risk in an increasingly politicised digital environment.
Destructive hacktivism and financial disruption
One of the most notable shifts observed over the past year has been the rise of destructive hacktivism targeting financial infrastructure. Unlike traditional cybercrime, these campaigns prioritise disruption, visibility and symbolism. Financial services organisations are targeted as a pressure point rather than a source of profit.
In 2025, several banks, payment providers and crypto exchanges were impacted by attacks designed to interrupt operations rather than extract funds. In addition to distributed denial-of-service (DDoS) attacks – which flood systems with traffic to take them offline – website defacements with slogans or threats were frequently used to overwhelm online services for financial providers. These tactics led to delays in transactions and an ultimate erosion of customer confidence. In some cases, attacks were accompanied by public statements or social media campaigns designed to maximise reputational damage.
Financial services are particularly attractive targets for this type of activity. For hacktivist groups, disrupting access to payments (or digital assets) creates immediate real-world consequences, amplifying the political message behind any attack. As a result, hacktivist groups increasingly view financial institutions as high-impact levers in wider geopolitical disputes.
Politically timed campaigns against banks and tax authorities
Last year also saw further instances of deliberate timing of cyber campaigns against financial organisations to coincide with political or diplomatic events. Across Europe in particular, banks and tax agencies were targeted during elections and periods of heightened political tension.
These attacks reflected careful alignment between cyber activity and offline events, suggesting a maturing understanding of how digital disruption can be used to influence narratives or apply political pressure. Even when attacks caused limited technical damage, their timing ensured maximum attention from media, regulators and the public.
For financial institutions, this creates a more complex risk environment. Threat levels can now spike rapidly in response to geopolitical developments far beyond the organisation’s direct control. As a result, cybersecurity planning can no longer operate in isolation from geopolitical awareness. Understanding when an institution is most likely to be targeted is becoming just as important as understanding how.
State-linked actors and the rise of financial theft
Alongside hacktivism, 2025 also saw sustained activity from state-aligned threat actors, particularly in relation to digital assets. Sanctions pressure and economic isolation have driven some state-linked groups to exploit cryptocurrency platforms and decentralised finance ecosystems as alternative sources of revenue.
While financially motivated on the surface, these campaigns often serve broader geopolitical objectives, including sanctions evasion or funding strategic programmes. Crypto exchanges and blockchain infrastructure have therefore become key battlegrounds, with attacks ranging from direct theft to sophisticated laundering operations.
The lesson for financial institutions here is that exposure to state-linked cyber activity is no longer confined to government networks or defence sectors. As financial ecosystems become more interconnected, the sector increasingly sits at the intersection of geopolitics, technology and national security.
Preparing for a geopolitically driven threat landscape
Global political fragmentation shows little sign of easing, while ongoing conflicts and economic pressures continue to incentivise both hacktivist and state-aligned activity. At the same time, financial systems remain highly visible and deeply embedded in everyday life.
To best prepare, financial institutions need to expand their cybersecurity lens beyond technical controls alone. This means integrating geopolitical intelligence into cyber risk assessments, improving monitoring of hacktivist ecosystems, and stress-testing incident response plans against politically motivated scenarios rather than purely criminal ones. Those institutions that adapt to this reality in 2026 will be far better positioned to withstand the next wave of disruption.
