Pro-Iran Cyberattacks on Financial Services: 144 Incidents
Financial services is the #2 most targeted sector in the entire campaign, and for reasons that are deliberate, documented, and rooted in more than a decade of Iranian cyber doctrine.
Between February 28 and April 6, 2026, SOCRadar tracked 1,583 verified incidents across Operation Epic Fury. Of those, 144 targeted financial institutions, banks, insurers, exchanges, central banks, and financial regulators across 14 countries. Attacks began within hours of the first kinetic strikes. They started as DDoS. In April, they became destructive.
Why Financial Services Is the #2 Target in Iran’s Cyber Campaign
Government institutions absorbed the most attacks overall, 486 incidents, because they are symbolic, public-facing, and relatively easy to disrupt. Financial Services ranked second with 144 incidents, ahead of Defense and Aerospace (122), Transportation (106), Energy (79), and Education (79).
That ranking is not random. It reflects a targeting doctrine Iran has been refining since 2012.
Iran’s Strategy: Using Cyberattacks to Impose Economic Costs
Iran has a well-established pattern of responding to military pressure through economic disruption rather than direct confrontation. This approach — oil supply threats, Strait of Hormuz brinkmanship, proxy networks — translated naturally into cyber operations because financial infrastructure is uniquely vulnerable to digital disruption at scale.
The clearest prior expression of this doctrine was Operation Ababil (2012–2013), launched in direct response to US sanctions and the Stuxnet attacks on Iranian nuclear infrastructure. Iranian-linked groups under the Izz ad-Din al-Qassam Cyber Fighters banner ran sustained DDoS campaigns against more than 50 US financial institutions — knocking Bank of America, JPMorgan Chase, Citigroup, and Wells Fargo offline repeatedly. US officials attributed the campaign to Iran. At the time, it was described as the largest sustained DDoS campaign against financial infrastructure in history.
The strategic logic was explicit: if the United States weaponizes the global financial system through sanctions, the financial system becomes a legitimate counter-target. That framing has never been retired. It has only been scaled.
Operation Epic Fury in 2026 reactivated this doctrine with a different set of resources. What changed since 2012 is not the doctrine. It is the execution. The 2026 coalition is not a handful of IRGC-linked actors. It includes 70+ hacktivist groups, Russian-affiliated actors with independent capability and their own geopolitical grievances, MOIS-linked operators using criminal ransomware infrastructure for deniability, and state APT groups that pre-positioned access in target networks before the first strike was launched.
Why Hacktivists Target Banks Specifically
Beyond Iran’s state-level strategy, there is a separate logic driving hacktivist groups to prioritize financial institutions. It operates independently of top-down direction — it is built into how these groups frame their own mission.
Banks are symbols of the economic order being opposed. Pro-Iran and pro-Palestinian hacktivist groups do not treat Western and Gulf financial institutions as neutral infrastructure. They treat them as instruments of the geopolitical order they are fighting. Kuwait Credit Bank received four separate attacks in this campaign, not because of anything it did, but because Kuwait hosts US military installations and groups explicitly framed Gulf governments as “the backbone of America in the region.” The bank is a proxy for the state.
Financial cyberattacks generate maximum visible impact. A government portal going offline for an hour rarely makes news. A bank’s online services going down — even briefly — triggers press coverage, customer anxiety, and regulatory scrutiny. For hacktivist groups whose output is Telegram-amplifiable proof of disruption, financial institutions offer far higher returns than most target types. Check-Host verification links showing a central bank offline travel orders of magnitude further in hacktivist channels than a screenshot of an obscure government subdomain.
Financial infrastructure is deeply interconnected. Hitting the Central Bank of Cyprus affects EU institutions that interact with the Cypriot financial infrastructure. Hitting eToro is one incident in one dataset, but it touches users across dozens of countries. The connectivity of financial infrastructure means a small number of targeted attacks can produce disproportionate reach.
Disrupting finance directly delivers the economic cost the doctrine calls for. Every hour a bank’s services are degraded, every transaction that fails, and every institution forced to redirect security resources are quantifiable costs on the adversary’s economy. Across weeks and dozens of institutions simultaneously, this is precisely what the doctrine is designed to achieve.
The Data: 144 Verified Financial Sector Incidents
Of the 1,583 verified incidents in SOCRadar’s dataset, 144 targeted financial services (9.1% of the total campaign). Each incident required at least one form of supporting evidence — a Check-Host result, screenshot with access proof, leaked file sample, or equivalent. Unverified declarations and propaganda posts were excluded.
Why these geographies: Israel is the primary target. Gulf states are targeted through the perceived-alignment logic — any country hosting US military assets is considered a valid target regardless of institutional neutrality. Romania and Cyprus reflect NoName057(16)’s simultaneous NATO campaign running through the same operational window, although the group initially justified those attacks as support for Iran as well. The US received fewer incidents in raw count but higher-sophistication events. Africa, appearing in April — Rwanda, Kenya, Cameroon, Morocco, Niger, South Africa — is entirely new and represents the campaign’s latest geographic expansion; the stated reason is “not supporting Iran.”
The Threat Actors Behind Financial Sector Attacks
Conquerors Electronic Army — 32 incidents. The most active financial sector attacker in the campaign focused almost entirely on Israeli banks and insurance companies through sustained DDoS.
NoName057(16) — 25 incidents. The Russian-affiliated group that runs simultaneous campaigns against Ukraine and NATO targets. Its presence as the second most active financial sector attacker in an Iran-linked conflict is a structural signal: this coalition serves multiple geopolitical agendas, and Russian-affiliated actors will not stand down when Iran-Israel kinetic operations pause.
313 Team — 10 incidents. Iraq-based, the highest overall volume actor across the full campaign (236 total incidents). Hit Chime (US) and eToro (global), confirming that financial sector targeting in this conflict is not geographically bounded.
Anonymous For Justice — 8 incidents. Appeared in the dataset for the first time on April 1 and immediately delivered all 8 destructive attacks against financial sector targets — Clal Insurance, Shem Shaham, Yaakov Burshtein & Co., and others. A new group debuting with 31 consecutive destructive attacks against a single sector in one week is not a marginal actor.
Hider_Nex — 10 incidents. Extended the campaign into Africa in April, hitting Cameroon’s Ministry of Finance, Tax Authority, and Treasury Directorate as part of a broader sweep across sub-Saharan and North African financial ministries.
Anon For Justice — 8 incidents. An emerging operation claiming destructive attacks, deletion of terabytes of data, and a possible use of wiper malware.
April 2026: Financial Sector Cyberattacks Turn Destructive
The most significant development is not the DDoS count. It is what appeared in April.
Across all sectors in March, destructive attacks represented 0.4% of all incidents. In April, that number jumped to 16.7%. The financial sector absorbed 8 of those destructive events, all in the first week of the month.
DDoS and destructive attacks are not on the same severity spectrum. DDoS takes services offline temporarily; recovery is measured in hours. A destructive attack corrupts data, destroys configurations, or renders systems unrecoverable without a full rebuild. Downtime is measured in days or weeks. For financial institutions, where transaction continuity and data integrity are both operational requirements and regulatory obligations, this is not a theoretical distinction.
The proof of concept was already delivered in this conflict. On March 12, Handala wiped data from over 200,000 devices across Stryker Corporation’s offices in 79 countries by abusing Microsoft Intune to issue mass remote wipe commands. Stryker filed an 8-K with the SEC confirming the incident. More than 5,000 workers were sent home from its Ireland hub. The financial sector has not yet absorbed a Stryker-scale event. The April data suggest that this may change.
State-Level Access: What the Incident Count Doesn’t Show
Every figure in this post represents the observable surface. The more consequential activity operates below it.
MuddyWater, an Iranian state-sponsored threat group documented by CISA, was confirmed in March 2026 to have deployed two Python-based backdoors, Dindoor and Fakeset, inside a US bank, an airport, a defense-adjacent software company, and multiple NGOs. These implants were placed before February 28, before Operation Epic Fury, before the first DDoS campaign appeared in any dataset. The access was pre-positioned and waiting.
Both implants use GitHub, Google Drive, and Telegram as command and control channels, blending into normal enterprise traffic. They remained active as of late March.
MuddyWater was also confirmed using Qilin ransomware infrastructure against Israeli hospitals during the same period. This is the state-criminal convergence pattern: state actors operating through criminal ransomware infrastructure to achieve destructive objectives while maintaining deniability. The direct implication for financial institutions: a ransomware incident during this conflict cannot be assumed to be financially motivated. Paying may not restore operations if destruction, not revenue, is the goal.
Recommendations for Finance Security Teams
- Audit Microsoft Intune and cloud MDM access immediately. The Stryker attack vector — abusing cloud device management credentials to issue mass remote wipe commands — remains open for any organization that has not reviewed its environment since March. Enforce MFA on all admin accounts without exception. Audit enrolled device lists. Review bulk action logs for any wipe or factory reset not initiated by authorized personnel.
- Hunt for MuddyWater implants: Dindoor and Fakeset. Look for outbound connections to GitHub and Google Drive from non-developer endpoints — confirmed C2 channels. Check for unauthorized Atera or ScreenConnect installations. Review OAuth grants in Microsoft 365 and Google Workspace for anything not explicitly authorized.
- Validate DDoS mitigation capacity now. With 88.2% of financial sector incidents being DDoS attacks, and 78.9% of the full campaign’s 1,583 incidents being DDoS, this is the primary threat vector. Coordinate with upstream ISPs on traffic scrubbing for sustained multi-day scenarios. Test your incident response plan against simultaneous multi-group DDoS across multiple properties — that is the documented pattern.
- Reclassify ransomware risk during this period. Incoming ransomware at a financial institution during an active Iran-Israel conflict cannot be treated as standard criminal activity. Assume the objective may be destruction. Do not assume payment restores operations.
- Build a Telegram breach claim protocol before you need one. Iran’s information operations are designed to force public responses on the attacker’s timeline. Without a defined internal process, organizations make statements that serve the attacker’s narrative. Define who reviews a claim, what evidence triggers a formal response, and who speaks externally — before a claim appears.
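The first two recommendations (MDM bulk-action review and the Dindoor/Fakeset egress hunt) expressed as triage logic over log records. This is an added example, not SOCRadar tooling; the record fields (actor, action, device_count; host, user_group, dest), the action names, and all sample records are constructed assumptions, so a real Intune audit export or proxy log will need a field mapping first.

```python
"""Triage helpers for two of the hunts in the recommendations above.

Added example. The log schemas are simplified assumptions: an MDM audit
event carries actor, action, device_count; a proxy record carries host,
user_group, dest. All sample records below are constructed, not telemetry.
"""
from dataclasses import dataclass

# Actions that destroy data at scale when issued in bulk (assumed names).
DESTRUCTIVE_ACTIONS = {"wipe", "factoryReset", "retire"}

# SaaS destinations the post names as C2 channels for Dindoor / Fakeset.
C2_CAPABLE_SAAS = {
    "api.github.com": "GitHub",
    "github.com": "GitHub",
    "drive.google.com": "Google Drive",
    "www.googleapis.com": "Google Drive",
    "api.telegram.org": "Telegram",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    subject: str
    detail: str


def audit_mdm_events(events, authorized_admins, bulk_threshold=5):
    """Flag wipe/reset actions from anyone outside the authorized admin set,
    and bulk destructive actions even from authorized admins: a compromised
    admin account issuing mass wipes is exactly the Stryker scenario."""
    findings = []
    for ev in events:
        action = ev.get("action", "")
        if action not in DESTRUCTIVE_ACTIONS:
            continue
        actor = ev.get("actor", "<unknown>")
        count = int(ev.get("device_count", 1))
        if actor not in authorized_admins:
            findings.append(Finding("unauthorized_mdm_action", actor,
                                    f"{action} on {count} device(s)"))
        elif count >= bulk_threshold:
            findings.append(Finding("bulk_mdm_action", actor,
                                    f"{action} on {count} device(s) by authorized admin"))
    return findings


def hunt_saas_egress(proxy_records, developer_groups=("developers",)):
    """Flag non-developer endpoints reaching C2-capable SaaS hosts. Expect
    noise (browser sync, shared docs): hits are leads to triage, not verdicts."""
    findings = []
    seen = set()
    for rec in proxy_records:
        dest = rec.get("dest", "").lower()
        service = C2_CAPABLE_SAAS.get(dest)
        if service is None or rec.get("user_group") in developer_groups:
            continue
        key = (rec.get("host"), service)
        if key in seen:
            continue  # one finding per host/service pair keeps the queue short
        seen.add(key)
        findings.append(Finding("nondev_saas_egress", rec.get("host", "?"),
                                f"{service} via {dest}"))
    return findings


# Constructed sample data (not real telemetry).
SAMPLE_MDM_EVENTS = [
    {"actor": "alice@bank.example", "action": "wipe", "device_count": 1},
    {"actor": "svc-helpdesk@bank.example", "action": "wipe", "device_count": 340},
    {"actor": "alice@bank.example", "action": "retire", "device_count": 12},
    {"actor": "alice@bank.example", "action": "sync", "device_count": 500},
]
SAMPLE_PROXY = [
    {"host": "WS-TELLER-07", "user_group": "branch-staff", "dest": "api.github.com"},
    {"host": "WS-TELLER-07", "user_group": "branch-staff", "dest": "github.com"},
    {"host": "WS-DEV-02", "user_group": "developers", "dest": "api.github.com"},
    {"host": "WS-FIN-11", "user_group": "finance", "dest": "api.telegram.org"},
    {"host": "WS-FIN-11", "user_group": "finance", "dest": "www.bank.example"},
]

if __name__ == "__main__":
    for f in audit_mdm_events(SAMPLE_MDM_EVENTS, {"alice@bank.example"}):
        print(f)
    for f in hunt_saas_egress(SAMPLE_PROXY):
        print(f)
```

The bulk threshold is deliberately low; tune it to what your service desk legitimately issues in one action so the "authorized but bulk" path stays rare and worth a look.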
Track This Conflict in Real Time
The Iran-linked cyber campaign against financial services is accelerating, with attacks shifting from disruption toward potential destruction. Financial institutions are the second most targeted sector, but the impact of these attacks is outsized due to their economic and systemic reach.
SOCRadar delivers clear advantages in this landscape: verified intelligence, real-time visibility, and structured tracking across threat actors, sectors, and geographies.
Data source: SOCRadar incident dataset, February 28 – April 6, 2026. Total: 1,583 verified incidents. All figures represent verified claims supported by at least one form of evidence. Claims are alleged unless independently confirmed by a third party or government authority.