More than one million online banking accounts were compromised in 2025, as cybercriminals shifted their strategies from traditional banking malware to credential theft, according to cybersecurity company Kaspersky.
The report shows attackers are now focusing on stealing usernames, passwords, and financial data using so-called “infostealers,” then reselling or reusing them through dark web marketplaces.
“The dark web has become a central hub for financial cybercrime,” said Polina Tretyak, Digital Footprint Intelligence analyst at Kaspersky. “Stolen credentials and bank cards harvested by infostealers are aggregated, repackaged, and sold there, while phishing kits targeted at users of financial products are offered as ready-to-use services.”
Kaspersky data found that credentials linked to accounts from the world’s 100 largest banks were widely circulated online. The countries with the highest median number of compromised accounts per bank included India, Spain, and Brazil.
Financial phishing attacks also remain widespread, but with changing tactics. Fake e-commerce websites accounted for 48.5% of phishing pages in 2025, up 10.3 percentage points from the previous year. Bank-related phishing dropped to 26.1%, while payment system scams rose to 25.5%.
The shift suggests cybercriminals are targeting easier entry points, such as online shopping platforms, instead of trying to directly impersonate banks, which now have stronger protections.
Attack patterns also vary by region. In the Middle East, 85.8% of financial phishing attacks were linked to e-commerce. In Africa, bank-related phishing dominated at 53.75%. Latin America showed a more balanced mix, while Asia-Pacific and Europe saw diversified attack strategies across banks, payments, and online retail.
Financial malware targeting personal computers also continues to decline as more users move to mobile banking. However, mobile banking malware is rising fast, with attacks increasing 1.5 times in 2025 compared to the previous year.
Infostealers are driving much of this activity by collecting login credentials, cookies, bank card numbers, and even cryptocurrency wallet data from infected devices. In Asia-Pacific alone, detections of infostealers on PCs jumped 132% year on year.
Kaspersky also found that 74% of compromised payment cards identified on the dark web in 2025 were still valid as of March 2026, meaning stolen financial data can remain usable long after the initial breach.

