Financial Sector Breaches Surge: 90% Financially Motivated, Average Cost $5.56M, Bybit Loses $1.5B in Supply Chain Attack
Analysis of financial sector cyber threats: 90% financially motivated breaches, average $5.56M cost, Bybit $1.5B supply‑chain attack, mitigations.

TL;DR
About 90% of cyber incidents at banks, insurers and payment processors are driven by financial gain, averaging $5.56 million per breach, and a $1.5 billion theft at Bybit shows how third‑party wallet flaws can be exploited.
Context
Financially motivated attacks dominated the financial sector in 2025, with data breaches making up roughly two‑thirds of incidents and ransomware the rest. Personal data, internal files and credentials were the most commonly stolen assets, enabling fraud, credential resale and prolonged network presence. Initial access came from hacking (45%), malware (37%) and social engineering (25%). AI‑enhanced reconnaissance and deepfake impersonation accelerated attacker timelines, while shadow AI and unmanaged models added internal risk. Supply‑chain compromises rose to about 30% of breaches, often via file‑transfer tools, managed‑service platforms or APIs that gave attackers indirect access to sensitive systems.
Key Facts
- 90% of breaches at financial institutions were financially motivated; 64% were data breaches, 36% ransomware.
- The average cost of a data breach in finance reached $5.56 million per incident, ranking the industry second highest across all sectors.
- Bybit lost approximately $1.5 billion after attackers exploited weaknesses in third‑party wallet infrastructure used for transaction signing, a classic supply‑chain compromise.
What It Means
The high proportion of profit‑driven attacks means defenders must prioritize controls that stop fraud and data exfiltration rather than focusing solely on disruption. The $5.56 million average breach cost underscores the financial incentive for attackers and the need for robust incident‑response budgeting. The Bybit case shows that even organizations with strong internal defenses can be undermined by trusted third parties, making vendor risk management a critical control.
Mitigations
- Enforce multi‑factor authentication and least‑privilege access for all privileged accounts, especially those interacting with wallet signing APIs (MITRE ATT&CK T1078).
- Apply the principle of zero trust to third‑party connections: segment networks, enforce strict API gateways, and log all signing requests for anomalies (T1195).
- Regularly scan and patch third‑party libraries and dependencies; subscribe to vendor security advisories and apply updates within 48 hours of release (CVE‑managed).
- Deploy behavioral analytics to detect unusual transaction patterns or abnormal wallet‑signing requests, triggering automated alerts and possible transaction holds.
- Conduct regular red‑team exercises that simulate supply‑chain compromises and deepfake‑based social engineering to validate detection and response capabilities.
- Maintain an inventory of AI models and enforce governance; block shadow AI deployments without approved security reviews.
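The signing-request logging and behavioral analytics mitigations above can be combined into a per-wallet baseline check that alerts on one anomaly and holds on two or more. This is an added example, not code from the article or any vendor; the log format, field names, wallet and caller names, and thresholds are constructed assumptions.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed sample signing-request log (one JSON object per line).
SAMPLE_LOG = """
{"ts":"2025-01-10T09:00Z","wallet":"cold-1","dest":"addr-A","amount":120,"caller":"svc-treasury"}
{"ts":"2025-01-11T09:00Z","wallet":"cold-1","dest":"addr-B","amount":95,"caller":"svc-treasury"}
{"ts":"2025-01-12T09:00Z","wallet":"cold-1","dest":"addr-A","amount":110,"caller":"svc-treasury"}
{"ts":"2025-01-13T09:00Z","wallet":"cold-1","dest":"addr-B","amount":130,"caller":"svc-treasury"}
{"ts":"2025-01-14T09:00Z","wallet":"cold-1","dest":"addr-A","amount":105,"caller":"svc-treasury"}
{"ts":"2025-01-15T09:00Z","wallet":"cold-1","dest":"addr-C","amount":125,"caller":"svc-treasury"}
{"ts":"2025-01-16T03:12Z","wallet":"cold-1","dest":"addr-Z","amount":40000,"caller":"svc-ui-signer"}
"""

MIN_HISTORY = 4   # allowed requests needed before a wallet's baseline is used
MAD_FACTOR = 6.0  # amount is an outlier above median + MAD_FACTOR * MAD

def amount_outlier(history, amount):
    """Robust outlier test against the wallet's previously allowed amounts."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 0.01 * med
    return amount > med + MAD_FACTOR * mad

def review(log_text):
    """Return (ts, decision, reasons) per request: allow, alert or hold."""
    amounts, dests, callers = defaultdict(list), defaultdict(set), defaultdict(set)
    results = []
    for line in filter(str.strip, log_text.splitlines()):
        r = json.loads(line)
        w, reasons = r["wallet"], []
        if len(amounts[w]) >= MIN_HISTORY:  # baseline is warm, so compare
            if r["dest"] not in dests[w]:
                reasons.append("new_destination")
            if r["caller"] not in callers[w]:
                reasons.append("new_caller")
            if amount_outlier(amounts[w], r["amount"]):
                reasons.append("amount_outlier")
        # Two or more independent signals: hold the transaction for review.
        decision = "hold" if len(reasons) >= 2 else "alert" if reasons else "allow"
        results.append((r["ts"], decision, reasons))
        if decision == "allow":  # flagged requests never train the baseline
            amounts[w].append(r["amount"])
            dests[w].add(r["dest"])
            callers[w].add(r["caller"])
    return results

if __name__ == "__main__":
    for ts, decision, reasons in review(SAMPLE_LOG):
        print(ts, decision, ",".join(reasons) or "-")
```

Because the first MIN_HISTORY requests per wallet are allowed unconditionally, seed the baseline from reviewed history rather than live traffic.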
Looking ahead, regulators are expected to tighten guidance on third‑party risk and AI governance, while attackers will likely refine AI‑generated phishing and deepfake tactics. Monitoring for anomalous API usage and strengthening vendor contracts will be key defenses in the coming months.