By Keaton Fisher, Senior Solutions Consultant, Customer Success US, Silobreaker
Financial institutions have long been in the crosshairs of cybercriminals. It’s simple to see why, with financial services organisations managing massive volumes of sensitive data and handling high-value transactions across national infrastructure.
As attackers become more sophisticated and exploit previously unseen vulnerabilities, traditional security measures are no longer enough. To stay ahead, financial institutions are turning to open-source intelligence (OSINT) and dark web data to gain deeper visibility into threats and sharpen their defences.
The evolving threat landscape in finance
The financial sector remains one of the most targeted industries in the cyber threat landscape. In 2024, over two-thirds of financial organisations reported experiencing cyber incidents. Many of these involved advanced persistent threats (APTs), increasingly aggressive ransomware campaigns and a surge in zero-day attacks that exploited vulnerabilities before patches were available.
Malware continues to pose a major threat to financial institutions. Cybercriminals are developing new types of banking malware and updating old ones to target an even wider range of banking applications. Many of these malware families rely on the same principal techniques, such as keylogging, phishing and screen captures of the victim’s device, to steal banking credentials from both customers and employees.
Some recent examples include PixPirate, which targets Brazil’s Pix payment system by automating fraudulent money transfers and has been spreading through WhatsApp, and Grandoreiro, which has been active since 2016 and has expanded to Europe and Central and South America, leveraging large-scale phishing campaigns to infiltrate banking systems.
Malware often spreads predictably, influenced by similarities in language, financial systems or geopolitical motives. Banking malware that successfully targets institutions in one country frequently spreads to others with comparable financial infrastructures. If UK banks face a specific malware, US banks should prepare for it too. Likewise, when attacks are geopolitically motivated, such as Russian state-sponsored attacks against Ukraine, its vocal allies should implement defensive measures in anticipation of similar threats.
For financial organisations, monitoring open-source intelligence (OSINT) and dark web intelligence is critical in anticipating these shifts. Threats like Grandoreiro demonstrate that malware expansion can take years. Proactive intelligence gathering allows security teams to detect patterns, track malware evolution and take defensive measures before attacks reach their doorstep.
Using OSINT to mitigate threats
Open-source intelligence provides financial organisations with the context and visibility needed to track these threats more effectively. Publicly available information – including news reports, technical blogs, vulnerability disclosures, social media and public code repositories – offers valuable insights into threat actor behaviours and emerging attack vectors. Understanding who is targeting the financial sector, how they operate and what tools they use enables institutions to prioritise risks and make informed decisions faster.
Mapping known threat campaigns to established intelligence frameworks helps security teams do more than just monitor active risks; it enables a more proactive defence. For example, if most recent malware attacks use the same methods to gain initial access, that insight can inform how teams adjust their attack simulations, refine detection methods and enhance defence plans.
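The mapping described above can be made concrete with a small script. The following is an added example, not code from the article or from Silobreaker: it takes OSINT campaign reports already summarised as MITRE ATT&CK technique IDs (the campaign names, sources and technique assignments here are constructed), counts how often each initial-access technique appears across distinct reports, and compares that against the detections a team already has, so the most prevalent uncovered technique comes out on top. The technique IDs and names in the small catalogue are real ATT&CK entries; the catalogue itself is deliberately tiny and IDs it does not know are surfaced for analyst review rather than silently dropped.

```python
from collections import Counter
from dataclasses import dataclass

# Minimal local catalogue of MITRE ATT&CK technique ID -> (tactic, name).
# These IDs and names are real ATT&CK entries; the catalogue is intentionally small.
TECHNIQUE_CATALOG = {
    "T1566": ("initial-access", "Phishing"),
    "T1190": ("initial-access", "Exploit Public-Facing Application"),
    "T1078": ("initial-access", "Valid Accounts"),
    "T1056": ("collection", "Input Capture"),
    "T1113": ("collection", "Screen Capture"),
}


@dataclass(frozen=True)
class CampaignReport:
    """One OSINT report summarised as the technique IDs it mentions (constructed data)."""
    name: str
    source: str
    techniques: tuple


# Constructed sample reports: campaign names, sources and technique sets are placeholders,
# not claims about any real campaign. "T9999" is a deliberately unknown ID.
SAMPLE_REPORTS = (
    CampaignReport("campaign-A", "vendor-blog", ("T1566", "T1056", "T1113")),
    CampaignReport("campaign-B", "cert-advisory", ("T1566", "T1190", "T1056")),
    CampaignReport("campaign-C", "news", ("T1566", "T1113")),
    CampaignReport("campaign-D", "vendor-blog", ("T1190", "T1078", "T9999")),
)


def technique_counts(reports, tactic):
    """Count how many distinct reports mention each technique belonging to `tactic`."""
    counts = Counter()
    for report in reports:
        for tid in set(report.techniques):  # count a technique once per report
            entry = TECHNIQUE_CATALOG.get(tid)
            if entry and entry[0] == tactic:
                counts[tid] += 1
    return counts


def unmapped_techniques(reports):
    """IDs present in reports but absent from the catalogue; these need analyst review."""
    return sorted({tid for r in reports for tid in r.techniques if tid not in TECHNIQUE_CATALOG})


def prioritise(reports, detections_in_place, tactic="initial-access"):
    """Rank one tactic's techniques by prevalence and flag whether each has a detection.

    Returns a list of dicts ordered by report count (descending), then technique ID.
    """
    counts = technique_counts(reports, tactic)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        {
            "technique": tid,
            "name": TECHNIQUE_CATALOG[tid][1],
            "reports": n,
            "covered": tid in detections_in_place,
        }
        for tid, n in ranked
    ]


def detection_gaps(reports, detections_in_place, tactic="initial-access"):
    """Techniques observed for this tactic with no detection in place, most common first."""
    return [row["technique"] for row in prioritise(reports, detections_in_place, tactic)
            if not row["covered"]]


if __name__ == "__main__":
    existing_detections = {"T1566"}  # constructed: the team already detects phishing
    for row in prioritise(SAMPLE_REPORTS, existing_detections):
        print(row)
    print("gaps:", detection_gaps(SAMPLE_REPORTS, existing_detections))
    print("unmapped:", unmapped_techniques(SAMPLE_REPORTS))
```

The output of `detection_gaps` is the list a team would feed into its next round of attack simulations and detection engineering; counting per distinct report rather than per mention keeps one verbose write-up from dominating the ranking.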
In addition to tracking malware, OSINT offers visibility into system vulnerabilities, new attack patterns and common indicators of compromise that are affecting organisations across the financial sector and beyond.
By monitoring these sources, financial institutions can gain a significant defensive advantage.
Leveraging dark web intelligence
Cybercriminals frequently operate in hidden corners of the internet – on marketplaces, forums and chat platforms – where they sell stolen credentials and share malware variants.
For financial services firms, monitoring these spaces is essential. It allows for early detection of customer data being traded, leaked internal documents and even insider threat activity. Intelligence from these sources can alert organisations to compromised login credentials or planned attacks targeting their digital infrastructure.
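As an added example of the credential-monitoring step above (not code from the article or from Silobreaker), the script below matches records from a leak feed against a watchlist of an institution's own accounts and domains. The feed format, addresses, secrets and the HMAC key are all constructed; the `.test` and `.example` domains are reserved for documentation. The design choice worth noting is defensive: the matcher holds only keyed hashes of the watched addresses rather than the address list itself, and the alerts it emits carry a masked address and the fact that a secret was exposed, never the secret.

```python
import hashlib
import hmac
import re

# Constructed sample of a leak-monitoring feed: one "email:secret" record per line.
# Every address and secret here is fabricated.
SAMPLE_FEED = """alice@Example-Bank.test:Passw0rd!
bob@other.example:hunter2
carol@example-bank.test:$2b$12$fakehashvalue
this line is not a record
dave@unrelated.example:secret123
"""

# A record is an address, a colon, then whatever the feed recorded as the secret.
RECORD_RE = re.compile(r"^\s*([^\s:@]+@[^\s:@]+)\s*:(.*)$")


def normalise_email(addr):
    """Canonical form so 'Alice@Example-Bank.test' and 'alice@example-bank.test' match."""
    return addr.strip().lower()


def mask_email(addr):
    """Keep one character of the local part and the domain; enough to triage, not to reuse."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}"


def watch_token(addr, key):
    """Keyed hash of an address; the matcher stores these tokens, not the address list."""
    return hmac.new(key, normalise_email(addr).encode(), hashlib.sha256).hexdigest()


def build_watchlist(addresses, key):
    return {watch_token(a, key) for a in addresses}


def scan_feed(feed_text, watch_tokens, watched_domains, key):
    """Return alerts for records that hit a watched account or a watched domain.

    The exposed secret is never copied into an alert; only its presence is recorded.
    Lines that do not parse as records are counted and skipped.
    """
    alerts, skipped = [], 0
    for lineno, line in enumerate(feed_text.splitlines(), start=1):
        m = RECORD_RE.match(line)
        if not m:
            skipped += 1
            continue
        addr = normalise_email(m.group(1))
        domain = addr.rsplit("@", 1)[1]
        if watch_token(addr, key) in watch_tokens:
            reason = "watched-account"   # a specific customer or employee account
        elif domain in watched_domains:
            reason = "watched-domain"    # an account at our domain we were not tracking
        else:
            continue
        alerts.append({
            "line": lineno,
            "account": mask_email(addr),
            "domain": domain,
            "reason": reason,
            "secret_present": bool(m.group(2).strip()),
        })
    return {"alerts": alerts, "skipped": skipped}


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed; a real deployment uses a managed secret
    tokens = build_watchlist(["alice@example-bank.test", "dave@unrelated.example"], KEY)
    result = scan_feed(SAMPLE_FEED, tokens, {"example-bank.test"}, KEY)
    for alert in result["alerts"]:
        print(alert)
    print("skipped lines:", result["skipped"])
```

The "watched-domain" reason is what catches accounts the institution did not know to list, such as a newly created mailbox, while the keyed-hash watchlist means a compromise of the matching service does not hand over a tidy directory of customer and staff addresses.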
Combining OSINT and dark web intelligence
The true value of OSINT and dark web data lies in how it’s applied. Relying on just one data source creates blind spots when it comes to monitoring for threats – effective situational awareness comes from bringing OSINT and dark web intelligence together.
Ultimately, intelligence isn’t just about responding to threats – it’s about anticipating them. In an environment where a few hours’ head start can mean the difference between a blocked attack and a costly breach, intelligence-led security is not a luxury – it’s a necessity for the finance industry.