The financial sector consistently ranks among the most targeted industries year after year, and for good reason. Cybercriminals follow the money, and banks, insurers and payment providers hold exactly what they want: funds, financial data and the personal information of millions of customers.
A recent survey from Contrast Security revealed that two-thirds of financial organisations suffered a cyber incident in 2024. The majority of these attacks aimed to steal funds or sensitive data, but an increasing number were purely destructive, designed to disrupt operations rather than turn a profit.
Zero-day attacks, in particular, have surged, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighting that most of the top exploited vulnerabilities in 2024 were first exploited as zero-days, before a patch was available.
Beyond direct attacks on financial institutions, cybercriminals also target customer accounts, deploying banking malware against online portals and mobile banking apps to siphon off funds. The responsibility to prevent these breaches ultimately falls on financial organisations, making proactive threat intelligence critical.
This blog will explore how financial institutions can anticipate threats, detect vulnerabilities and respond faster to emerging risks by leveraging open-source intelligence (OSINT) and dark web data.
Banking malware – anticipating threats
Malware remains one of the most persistent and evolving threats to financial institutions. Cybercriminals continuously develop new strains of banking malware while updating older variants to bypass security measures and target a wider range of banking applications. Despite the variety, many of these malware families rely on the same core techniques – keylogging, phishing overlays and screen captures – to steal banking credentials from both customers and employees.
Two recent examples highlight how banking malware spreads and evolves. PixPirate, first discovered in 2023, targets Brazil’s instant payment system, Pix, by automating fraudulent money transfers. Recently, it has been observed spreading through WhatsApp, expanding its reach. Another long-running threat is Grandoreiro, which has been active since 2016. Initially targeting Latin America, it expanded to Europe in 2020 and has since broadened its footprint across Central and South America, leveraging large-scale phishing campaigns to infiltrate banking systems.
The expansion of malware often follows predictable patterns, whether through language similarities, shared financial infrastructures or geopolitical motives. For instance, Russian state-sponsored cyber threats against Ukraine and its allies have increased since the start of the conflict. Similarly, malware that initially targets financial institutions in one country often migrates to others with similar banking environments. So, if banks in the UK are being hit by a particular strain of malware, U.S. institutions should prepare for a similar threat.
For financial organisations, monitoring OSINT and dark web intelligence is critical in anticipating these shifts. Threats like Grandoreiro, first observed nearly ten years ago, demonstrate that malware expansion can take years. Proactive intelligence gathering allows security teams to detect patterns, track malware evolution and take defensive measures before attacks reach their doorstep.
Using OSINT to map and mitigate malware threats
Banking malware campaigns may vary in sophistication, but their initial access techniques are strikingly similar. Malicious shortcuts, fake apps, browser extensions and, of course, phishing serve as the entry points for most financial sector attacks. Identifying these patterns early is critical, and OSINT plays a key role in mapping threats before they escalate.
Take BlotchyQuasar, a banking Trojan linked to the advanced persistent threat (APT) group Blind Eagle. By analysing open-source intelligence and aligning it with frameworks like MITRE ATT&CK, threat intelligence teams can trace its attack chain, from spear phishing emails carrying malicious PDFs through to data exfiltration. This structured approach allows organisations to anticipate the tactics used in similar campaigns.
Another example, AppLite, an Android banking Trojan, has spread through fake job offers and phishing sites, leading to full device compromise. By comparing its techniques with past threats, defenders can identify recurring weaknesses, prioritise patching and hardening, and refine incident response plans.
Mapping known campaigns to intelligence frameworks doesn’t just help track ongoing threats – it enables proactive defence. If 90% of recent malware campaigns rely on the same initial access vectors, then security teams can tailor their next tabletop exercises (which test response preparedness), detection rules and mitigation strategies accordingly.
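As an added illustration of the ATT&CK mapping described above (example code written for this page, not Silobreaker's tooling or anything from the original post): the script tallies which techniques recur across a set of campaigns, ranks the techniques of one tactic by prevalence, and measures how many campaigns a given set of initial-access detections would actually cover. The campaign names and their technique sets are a constructed sample and are not the published mappings for any real malware family; only the technique IDs are real Enterprise ATT&CK IDs.

```python
"""Tally MITRE ATT&CK techniques across banking-malware campaigns.

Added example for this page. Campaign names and their technique sets are a
constructed sample, not the published mappings for any real malware family;
the technique IDs themselves are real Enterprise ATT&CK IDs.
"""
from collections import Counter
from typing import Dict, List, Optional, Set

# Tactic for each technique in the sample (real ATT&CK IDs and names).
TACTIC: Dict[str, str] = {
    "T1566.001": "initial-access",  # Phishing: Spearphishing Attachment
    "T1566.002": "initial-access",  # Phishing: Spearphishing Link
    "T1204.002": "execution",       # User Execution: Malicious File
    "T1176": "persistence",         # Browser Extensions
    "T1056.001": "collection",      # Input Capture: Keylogging
    "T1113": "collection",          # Screen Capture
    "T1041": "exfiltration",        # Exfiltration Over C2 Channel
}

# Constructed sample: campaign -> techniques reported in open sources.
CAMPAIGNS: Dict[str, Set[str]] = {
    "campaign_A": {"T1566.001", "T1204.002", "T1056.001", "T1041"},
    "campaign_B": {"T1566.002", "T1204.002", "T1113", "T1041"},
    "campaign_C": {"T1566.001", "T1204.002", "T1176", "T1056.001"},
    "campaign_D": {"T1566.002", "T1204.002", "T1056.001", "T1041"},
}


def technique_prevalence(campaigns: Dict[str, Set[str]],
                         tactic: Optional[str] = None) -> Dict[str, float]:
    """Fraction of campaigns using each technique, optionally for one tactic."""
    counts: Counter = Counter()
    for techs in campaigns.values():
        for t in techs:
            if tactic is None or TACTIC.get(t) == tactic:
                counts[t] += 1
    return {t: c / len(campaigns) for t, c in counts.items()}


def prioritise(campaigns: Dict[str, Set[str]], tactic: str,
               top: int = 3) -> List[str]:
    """Techniques of one tactic, most prevalent first (ties broken by ID)."""
    prev = technique_prevalence(campaigns, tactic)
    return sorted(prev, key=lambda t: (-prev[t], t))[:top]


def initial_access_coverage(campaigns: Dict[str, Set[str]],
                            detected: Set[str]) -> float:
    """Fraction of campaigns whose initial-access techniques are *all* covered
    by the detections in `detected`; one uncovered entry vector is still a gap."""
    covered = 0
    for techs in campaigns.values():
        entry = {t for t in techs if TACTIC.get(t) == "initial-access"}
        if entry and entry <= detected:
            covered += 1
    return covered / len(campaigns)


def shared_techniques(campaigns: Dict[str, Set[str]], a: str, b: str) -> Set[str]:
    """Techniques two campaigns have in common (one detection serves both)."""
    return campaigns[a] & campaigns[b]


if __name__ == "__main__":
    for tactic in ("initial-access", "collection"):
        print(tactic, prioritise(CAMPAIGNS, tactic))
    print("coverage with attachment detection only:",
          initial_access_coverage(CAMPAIGNS, {"T1566.001"}))
```

In the sample, every campaign relies on user execution of a malicious file and half use each of the two phishing sub-techniques, so a detection for spearphishing attachments alone covers only half the campaigns; the coverage figure is what tells a team which tabletop scenario or detection rule to build next, rather than the raw technique count.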
Beyond malware tracking, OSINT provides valuable insight into exploited vulnerabilities, emerging attack trends and shared indicators of compromise (IOCs) across industries. When leveraged effectively, it offers financial institutions a critical advantage – staying ahead of threats before they reach the digital front door.
Beyond OSINT – Leveraging deep and dark web data
While OSINT provides valuable insights, deep and dark web data offer a different kind of intelligence that is often underutilised. Many organisations focus on tracking ransomware blogs, threat actor forums and breach sites, but stopping there means missing crucial intelligence that could bolster security efforts.
The challenge isn’t a lack of data; it’s the overwhelming volume. Effectively filtering dark web chatter requires precise keyword tracking, entity recognition and automation. With the right tools, organisations can operationalise this data in ways that significantly enhance threat detection and mitigation.
Tracking financial fraud
One of the most common deep web use cases is monitoring carding, which is the sale and exploitation of stolen payment card data. A recent example is Ghost Tap, an attack method identified by ThreatFabric researchers.
Ghost Tap enables criminals to cash out stolen payment card details tied to mobile payment systems like Apple Pay and Google Pay. Attackers intercept the one-time passwords (OTPs) needed to enrol a stolen card in a wallet and then funnel the stolen funds through a network of money mules, making transactions difficult to detect. Similar methods are constantly being discussed on the dark web, with criminals seeking new ways to apply these techniques to other payment systems. Mobile wallet providers (such as Apple Pay or Google Pay), card issuers, banks and others operating mobile payment systems need to be aware of these threats and continuously monitor the dark web for any new methods that might target them next.
Loyalty programme scams
Beyond payment card fraud, loyalty programme abuse is another growing issue. Airlines, hotels and retailers frequently see dark web advertisements offering stolen or fraudulently obtained reward points.
Sometimes, fraudsters sell points outright. Other times, they share exploitation methods, teaching others how to manipulate loyalty programmes for extra rewards. These schemes have real financial consequences – airline miles, hotel stays, and high-value retail goods can all be cashed out.
Proactive organisations are now tracking these discussions, closing security gaps in their loyalty programmes and monitoring accounts for suspicious activity before fraudulent redemptions occur.
Dark web markets for insiders
Dark web forums also serve as marketplaces for illicit access, whether sold by initial access brokers or by malicious insiders. Threat actors openly advertise access to corporate networks, offering credentials, VPN access or administrative privileges.
Some sellers claim to have insiders within specific organisations – critical intelligence for security teams. Even more alarming, chatter about buying access to a company can indicate an emerging threat, requiring immediate investigation. Monitoring access broker forums is essential for early warning and risk mitigation.
Executive threat monitoring
Beyond network security, dark web chatter increasingly includes direct threats against executives. Some forums feature vague hostility, while others escalate to specific threats – including home addresses and calls to action.
Recent high-profile attacks on business leaders have pushed executive protection into the spotlight. Many organisations now require continuous monitoring for mentions of executives, their contact details and personal data leaks.
Threat actors don’t need to dox an executive explicitly. Simply posting a phone number with instructions to spam it can cause significant disruption. Similar tactics apply to email addresses, physical locations and even social media accounts.
Monitoring executive-related assets isn’t just about cyber threats. It’s a critical part of physical and operational security.
Tracking exploits and vulnerabilities
Beyond direct threats, the dark web is a hub for exploit discussions. Attackers share vulnerabilities, sell zero-days and refine attack chains. Organisations that develop software, or rely on third-party vendors, must track these conversations to identify risks before they escalate.
For security teams, knowing when attackers are discussing exploits related to their organisation’s technology stack is invaluable intelligence. It allows for pre-emptive patching, enhanced monitoring and a faster response to emerging threats.
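Several of the use cases above (filtering dark web chatter with keyword tracking and entity recognition, watching access broker forums for mentions of the company, flagging posts that name an executive, and spotting exploit chatter about the organisation's own technology stack) come down to the same operation: running a watchlist over a feed of posts and deciding which ones deserve an analyst's time. The following script is an added example written for this page, not Silobreaker's platform or any code from the original post. The organisation, its domain, the executive name, the card BIN, the product list and every post in the feed are fictitious and constructed for the example; the category patterns are a minimal starting point that a real deployment would tune.

```python
"""Watchlist-driven triage of dark web posts (added example for this page).

The watchlist entries, the organisation 'Acme Bank', the executive, the
BIN prefix and all posts below are fictitious and constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical watchlist for a fictitious bank: what we want to be told about.
WATCHLIST: Dict[str, List[str]] = {
    "org": ["acme bank", "acmebank.example"],
    "exec": ["jane doe"],                          # fictitious executive
    "bin": ["453201"],                             # fictitious card BIN prefix
    "tech": ["citrix netscaler", "fortigate"],     # assumed products in the stack
}

# Phrases that place a post in a category; matched case-insensitively.
CATEGORY_PATTERNS: Dict[str, str] = {
    "access-sale": r"\b(rdp|vpn|citrix|domain admin|initial access|insider)\b",
    "carding": r"\b(dumps?|cvv|fullz|bin)\b",
    "exec-threat": r"\b(home address|spam|dox|swat)\b",
    "exploit": r"\b(cve-\d{4}-\d{4,7}|0day|zero[- ]day|poc|exploit)\b",
}
SEVERITY = {"exec-threat": 3, "access-sale": 3, "exploit": 2, "carding": 2}

CARD_RE = re.compile(r"\b(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})\b")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random 16-digit strings are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Alert:
    post_id: str
    categories: List[str]
    matched: Dict[str, List[str]]   # watchlist group -> entries found
    card_hits: List[str]            # redacted PANs with a watched BIN
    cves: List[str]
    severity: int


def triage(post_id: str, text: str,
           watchlist: Dict[str, List[str]] = WATCHLIST) -> Optional[Alert]:
    """Return an Alert if the post touches a watched asset, else None."""
    low = text.lower()
    matched = {grp: [v for v in vals if v in low] for grp, vals in watchlist.items()}
    matched = {grp: hits for grp, hits in matched.items() if hits}
    # Only Luhn-valid card numbers with a watched BIN count, and the alert
    # carries a redacted form (BIN + last four) rather than the full PAN.
    card_hits = []
    for m in CARD_RE.finditer(text):
        pan = "".join(m.groups())
        if luhn_ok(pan) and any(pan.startswith(b) for b in watchlist["bin"]):
            card_hits.append(pan[:6] + "******" + pan[-4:])
    if not matched and not card_hits:
        return None                 # chatter about someone else: drop it
    cves = sorted({c.upper() for c in CVE_RE.findall(text)})
    categories = [c for c, pat in CATEGORY_PATTERNS.items() if re.search(pat, low)]
    sev = max((SEVERITY[c] for c in categories), default=1)
    if "exec" in matched and "exec-threat" in categories:
        sev = 4                     # named executive plus a call to action
    return Alert(post_id, categories, matched, card_hits, cves, sev)


def triage_feed(posts: Dict[str, str]) -> List[Alert]:
    """Triage a {post_id: text} feed, highest severity first."""
    alerts = [a for a in (triage(pid, txt) for pid, txt in posts.items()) if a]
    return sorted(alerts, key=lambda a: (-a.severity, a.post_id))


# Constructed feed for the example; none of these are real posts.
SAMPLE_POSTS: Dict[str, str] = {
    "p1": "Selling fresh dumps BIN 453201, sample 4532 0100 0000 0008 "
          "and 4532 0100 0000 0001, cvv included",
    "p2": "Selling domain admin + VPN access to Acme Bank, 2k employees",
    "p3": "Jane Doe (Acme Bank) personal number below, spam it",
    "p4": "new 0day for FortiGate, PoC available, DM me",
    "p5": "selling streaming accounts cheap",
}

if __name__ == "__main__":
    for alert in triage_feed(SAMPLE_POSTS):
        print(alert.severity, alert.post_id, alert.categories, alert.matched, alert.card_hits)
```

Two details matter in practice. First, the filter drops anything that does not touch a watched asset before scoring it, which is what keeps the volume manageable; a post about someone else's executive or someone else's cards never reaches an analyst. Second, card numbers are checked with Luhn and reported only in redacted form, so the alert pipeline itself does not become another store of full card data.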
Bringing OSINT and dark web intelligence together
The financial services sector faces a relentless wave of cyber threats, fraud schemes and insider risks – many of which first surface in OSINT sources or dark web forums. While OSINT provides crucial visibility into emerging trends, vulnerabilities and attack campaigns, dark web intelligence uncovers the hidden risks that could directly impact an organisation’s security and operations.
Relying on just one data source creates blind spots. True situational awareness comes from bringing OSINT and dark web intelligence together, allowing organisations to track evolving threats, detect risks earlier and respond with confidence.
Silobreaker simplifies this process by cutting through the noise and making sense of vast amounts of structured and unstructured data. Its AI-powered threat intelligence platform automates intelligence gathering, connects relationships between entities and reduces false positives. It consolidates unstructured, dark web and premium data sources into actionable intelligence that can be delivered in real time through bespoke dashboards, reports and alerts.
Silobreaker helps security teams stay ahead of threats – whether they originate from a mainstream news report, a leaked credential dump or a covert dark web marketplace. The ability to operationalise intelligence, not just collect it, is what separates proactive security from reactive crisis management.
The full webinar “Using OSINT and dark web data to safeguard organisations from cyberattacks” is available to watch here.