The financial cyberthreat landscape in 2025 underwent a fundamental shift, with infostealers and credential theft eclipsing traditional PC banking malware as the dominant attack vector. According to data from Kaspersky Security Network, the decline of PC banking Trojans was offset by a surge in stolen credentials being traded on the dark web, enabling large-scale fraud operations.
"The era of complex banking Trojans is waning, but attackers are now weaponizing stolen data more efficiently than ever," said Ivan Kwiatkowski, a security researcher at Kaspersky. "2025 showed that cybercriminals prefer aggregation and reuse over developing new malware." This trend sets the stage for an even more dangerous 2026, where credential theft could become the backbone of financial crime.
Background
Kaspersky researchers analyzed anonymized data from KSN, dark web sources, and public reports to map evolving threats. The 2025 findings reveal a maturation of phishing operations, with attackers targeting digital platforms where users are more impulsive. Unlike prior years, e-commerce (14.17%) and web services (16.15%) overtook traditional banking lures.
The shift is not limited to desktops: mobile banking malware continues to grow, though PC malware still poses a persistent risk. Infostealers have become the central driver, allowing criminals to harvest credentials, payment data, and full identity profiles at scale.
Key Findings
Financial Phishing Goes Contextual
Phishing campaigns in 2025 showed greater targeting and regional adaptation. Attackers mimicked online stores and web services, leveraging social engineering tailored to user behavior. "They no longer spray-and-pray; every lure is designed to exploit a specific moment of trust," explained Maria Garnaeva, Kaspersky malware analyst.
Banking Malware Decline, Mobile Growth
PC banking malware dropped in relative prevalence, but established families remain active. In contrast, mobile banking malware surged—detailed in Kaspersky's separate mobile malware report. Attackers prioritize credential access over deploying complex Trojans.
Infostealers Fuel Dark Web Economy
The dark web now hosts a thriving marketplace for stolen credentials, with full identity profiles traded in bulk. This infrastructure enables widespread fraud, from account takeover to synthetic identity theft. "Infostealers are the new workhorses of financial crime," said Vladimir Dashchenko, head of Kaspersky's threat research.
What This Means
The 2025 data signals a clear warning for 2026: defenses must shift from malware detection to credential hygiene. Organizations should prioritize multi-factor authentication and dark web monitoring. Users need to recognize that phishing now targets everyday digital behavior—shopping, gaming, and messaging—not just banking.
"If credential theft continues to grow at this pace, 2026 will see unprecedented levels of financial fraud," warned Kwiatkowski. The financial sector, from banks to fintech, must adapt quickly or risk being overwhelmed by attacks that exploit human behavior rather than software vulnerabilities.
For a deeper dive into mobile threats, see our mobile malware analysis. For regional phishing patterns, refer to the top phishing categories section.