Kaspersky report shows shift to credential theft as over one million bank accounts exposed

Infostealers and dark web distribution are reshaping financial cybercrime, reducing reliance on traditional banking malware

A new report from Kaspersky indicates a change in how financial cyberattacks are carried out, with a growing focus on credential theft and reuse rather than direct compromise through traditional banking malware. According to the findings, more than one million online banking accounts linked to the world’s largest financial institutions were exposed in 2025 after credentials were harvested and circulated on dark web marketplaces.

The report outlines how attackers are shifting their methods toward tools that collect login data, cookies, payment information, and other sensitive details from both computers and mobile devices. These tools, known as infostealers, enable account takeovers and financial fraud without requiring direct access to banking systems. The stolen data is later aggregated and redistributed, creating a secondary layer of risk that can persist long after the initial compromise.

This change in approach comes alongside a broader transition in user behavior. As more financial activity moves to mobile devices, attacks targeting mobile banking environments have increased, while incidents involving traditional PC-based banking malware continue to decline. At the same time, phishing campaigns remain active but have adapted their focus. Pages imitating e-commerce platforms accounted for the largest share of financial phishing activity in 2025, followed by banking services and payment systems, suggesting that attackers are prioritizing entry points that are easier to replicate and scale.

The report also highlights regional variations in attack patterns. In some markets, phishing campaigns are heavily concentrated on online retail platforms, while in others they continue to target banking services more directly. This variation reflects differences in user behavior, digital adoption, and the perceived effectiveness of impersonation tactics.

Data from Kaspersky Digital Footprint Intelligence shows that credentials obtained through infostealers are widely traded, often remaining usable for extended periods. In 2025, a significant portion of compromised payment cards identified on dark web platforms was still valid months later, allowing attackers to reuse previously stolen data.

“The dark web has become a central hub for financial cybercrime. Stolen credentials and bank cards that have been harvested by infostealers are aggregated, repackaged, and sold there, while phishing kits targeted at users of financial products are offered as ready-to-use services. This creates a self-sustaining ecosystem where data theft and fraud operations reinforce each other, making attacks scalable and easy to carry out by fraudsters with minimal experience. Breaking this cycle requires proactive threat intelligence on the part of organisations, and increased awareness and scrutiny from individual users,” said Polina Tretyak.

The findings point to a model in which financial cybercrime depends less on exploiting banking systems directly and more on collecting and reusing access data at scale. In this context, monitoring exposed credentials, strengthening authentication mechanisms, and identifying compromised data in circulation become central elements of defense for both individuals and organizations.