DIGITAL LIFE

AI, Blockchain, and NFC fraud mark financial cybercrime in 2025
Financial cybercrime in 2025 reached unprecedented levels of complexity, marked by the increasing use of artificial intelligence, blockchain, and NFC fraud that challenged banks and fintechs globally.
According to the Kaspersky Security Bulletin 2025, dedicated to financial cybersecurity, the year was dominated by more coordinated and technically sophisticated attacks, in which organized crime and cybercrime came closer together in an unprecedented way.
According to Kaspersky, malware spread more frequently through messaging applications, AI-assisted attacks became faster and harder to detect, and contactless payment fraud went from an emerging phenomenon to a consolidated trend.
The result is a systemic risk: institutions, critical infrastructures, and end users began to share the same digital battlefield.
The report summarizes the financial sector's exposure to attacks with a set of indicators that paint a worrying picture.
8.15% of users faced online threats related to the financial sector.
15.81% of users in the sector were targeted by local threats (malware already present on devices).
12.8% of B2B companies in the financial sector suffered ransomware attacks during the analyzed period.
The number of unique users in the financial sector who detected ransomware increased by 35.7% in 2025 compared to 2023.
1,338,357 banking trojan attacks were identified throughout the year.
These numbers confirm that financial cybercrime is not limited to isolated incidents, but functions as a global ecosystem with the capacity to adapt techniques and exploit new attack surfaces at scale.
Evolving tactics: supply chain, organized crime and AI
One of the most striking trends of the year was the intensification of attacks on the financial services supply chain. According to Kaspersky, several incidents exploited vulnerabilities in external vendors to target national payment networks and central systems, demonstrating the domino effect that a single weak link can trigger.
The convergence between organized crime and cybercrime has also become more evident.
Groups traditionally associated with physical activities, such as trafficking or extortion, have begun to integrate digital capabilities, combining social engineering, insider contacts, and technical exploitation to increase the impact and profitability of attacks.
Artificial intelligence has added a layer of automation and speed.
According to Kaspersky, malware with AI components has incorporated automated propagation and evasion mechanisms, reducing the time between the development and execution of attacks, which makes it more difficult for security teams to respond.
Attackers have not abandoned classic malware, but have altered their distribution channels. Instead of relying primarily on email phishing campaigns, banking trojans have shifted to using popular messaging apps as their main vector, leveraging the trust users place in these platforms.
Kaspersky indicates that banking trojans have been rewritten to operate on top of messaging services, allowing for large-scale infection campaigns without the need for traditional spam infrastructure.
This movement shifts the risk to environments where detection is less mature and where the boundaries between personal conversation and professional communication are more blurred.
On the mobile front, the report highlights the role of Android malware with ATS (Automated Transfer System) capabilities, which automates fraudulent transactions and alters values and recipients in real time without the user's knowledge.
According to Kaspersky, this type of malware acts on legitimate banking apps, bypassing visual checks and confusing users who believe they are operating in a secure context.
NFC-based fraud has evolved in two directions. On one hand, in-person schemes in busy locations illegally exploit contactless payments through devices or cards.
On the other hand, remote attacks resort to social engineering and fake apps that mimic genuine banks, leading users to authorize payments without realizing they are being defrauded.
One of the most unsettling trends is the use of blockchain as a command and control infrastructure for financial malware.
According to Kaspersky, some groups have begun to inscribe malware commands in smart contracts, leveraging the Web3 ecosystem to orchestrate attacks.
This approach increases the resilience of malicious campaigns.
Even if traditional servers are deactivated, the control logic persists in the blockchain, making eradication significantly more difficult and raising dilemmas about the governance and oversight of decentralized networks.
Ransomware remains, some families disappear
Ransomware has remained a structural threat in the financial sector.
Globally, 12.8% of B2B financial organizations were affected in the analyzed period, with regional incidences of 12.9% in Africa, 12.6% in Latin America, and 9.4% in Russia and CIS countries.
Kaspersky also indicates that certain malware families have begun to disappear as specific groups cease operations or migrate to more modern tools.
This does not mean less risk, but a reorganization of the criminal ecosystem, which replaces old lineages with new malware platforms, often offered under the MaaS (Malware as a Service) model.
What to Expect in 2026: WhatsApp, deepfakes, and “agentic AI malware”
In the predictions chapter, Kaspersky projects the intensification of trends already under way, as well as the emergence of new threat categories.
Among the points highlighted by the company for 2026 are:
Banking Trojans rewritten for distribution via WhatsApp and other messaging apps, targeting corporate and government environments that still rely on desktop banking systems.
Expansion of deepfake services and AI tools at the service of social engineering, impacting job interviews, KYC processes, and identity fraud.
Emergence of regional infostealers, inspired by families like Lumma and Redline, focused on specific countries or blocs, in the MaaS model.
More attacks on NFC payments, with new tools and malware aimed at contactless transactions in different contexts.
Arrival of “agentic” AI malware, capable of altering behavior during execution, analyzing the environment, and adapting to the defenses and vulnerabilities it encounters.
Persistence of classic frauds, but with new distribution methods on emerging platforms.
Continued sale of counterfeit "pre-infected" smart devices, with trojans like Triada on smartphones, televisions, and other connected equipment.
These predictions describe a scenario in which technical sophistication combines with the industrialization of cybercrime, lowering barriers to entry and expanding the potential impact of less experienced actors.
Recommendations: between best practices and commercial interest
Kaspersky presents a set of recommendations for users and organizations, combining recognized best practices with the explicit promotion of its products and services.
For individual users, the company suggests:
Downloading applications only from official stores, verifying the authenticity of the developer.
Disabling NFC whenever there is no need for its use and opting for digital wallets with mechanisms to block unauthorized communications.
Monitoring accounts and transactions regularly to quickly detect suspicious activity.
Protecting financial transactions with the Kaspersky Premium solution and the Safe Money feature, which, according to the company, validates the authenticity of banking and payment websites.
For financial organizations, Kaspersky recommends a "cybersecurity ecosystem" approach that unites people, processes, and technology.
Among the measures proposed by the company are:
Assessing the entire infrastructure, correcting vulnerabilities, and using external specialists to identify hidden risks.
Implementing integrated platforms for monitoring and controlling all attack vectors, with rapid detection and immediate response; the Kaspersky Next range is presented as an example of a solution with real-time protection and EDR/XDR capabilities.
Monitoring the threat landscape with Kaspersky threat intelligence services and promoting regular awareness training to create a "human firewall".
Although the technical guidelines align with widely accepted industry best practices, it is important to note that the report also serves as a commercial positioning piece for Kaspersky's portfolio, which requires critical reading by decision-makers and security teams.
Information from Kaspersky