What happened
Cyber-threat groups linked to China and North Korea continue to heavily target financial services and cryptocurrency ecosystems across the Asia-Pacific region, according to CrowdStrike’s 2026 Financial Services Threat Landscape Report. Six of the nine most active threat groups targeting financial organizations in Q1 2026 were attributed to these regions. At least 78 organizations across Asia-Pacific and Oceania were impacted by data-leak and ransomware-driven operations. North Korean actors remain especially active, having stolen an estimated $2.02 billion in cryptocurrency in 2025, underscoring how cybercrime has become a significant funding channel for state-linked activity.
Tactics are also evolving. Chainalysis researcher Eric Jardine noted that threat actors are increasingly impersonating recruiters from Web3 and AI firms, running fake hiring processes to harvest credentials, VPN access, and single sign-on data. Groups are also posing as investors or acquirers to identify entry points into high-value infrastructure. Despite fewer visible attacks, large-scale thefts, such as the $1.5 billion Bybit crypto heist, highlight continued operational maturity.
Who is affected
Financial institutions, cryptocurrency exchanges, fintech platforms, and digital asset service providers in the Asia-Pacific region remain primary targets. However, the impact extends beyond the region due to global crypto flows and cross-border laundering networks. Scam ecosystems in Cambodia, Myanmar, and Laos further amplify the threat, generating billions in illicit revenue and affecting victims worldwide.
Why CISOs should care
These campaigns combine advanced social engineering with industrialized fraud operations. “Pig butchering” scams, recruitment impersonation, and business-email-style infiltration attempts are increasingly common entry points. North Korean groups also rely on Chinese-language laundering networks, mixers, and DeFi protocols, often delaying fund movement for weeks to evade detection.
Government and private-sector coordination is improving, with actions such as the US Scam Center Strike Force targeting the Shunda cybercrime compound in Myanmar, freezing hundreds of millions in assets alongside OFAC sanctions. However, the speed and adaptability of threat actors continue to challenge traditional security controls. For CISOs, the convergence of financial fraud, identity deception, and crypto-enabled laundering demands a more proactive defense posture.
3 practical actions
- Strengthen identity verification controls for hiring pipelines, vendor onboarding, and investment-related communications
- Implement continuous monitoring of credential misuse, SSO anomalies, and VPN access patterns tied to social engineering
- Enhance blockchain and financial transaction intelligence integration to detect and disrupt suspicious fund movements early

