AI as a Weapon Against the Financial System: What Two May 2026 Reports Revealed


May 2026 brought two significant warnings for everyone working in finance, crypto, and fintech. The IMF and CrowdStrike independently documented the same shift: artificial intelligence has fundamentally changed the nature of cyber threats, and the financial sector is at the center of it.

When Attacking Is Cheaper Than Defending

On May 7, 2026, the International Monetary Fund published “Financial Stability Risks Mount as Artificial Intelligence Fuels Cyberattacks”. The central message is stark: AI is making cyberattacks faster, cheaper, and more scalable, and the pace at which offensive capabilities are growing is outstripping the pace of defensive improvement.

The IMF points to a structural vulnerability: the global financial system is built on shared digital infrastructure, meaning the same cloud providers, payment networks, and software platforms are used across institutions. Advanced AI models can dramatically reduce the time and cost required to discover vulnerabilities in these common systems, raising the likelihood that weaknesses across many institutions are targeted at once.

The practical consequences go beyond IT security. According to the Fund, extreme cyber incidents could trigger liquidity strains, raise solvency concerns, and disrupt broader markets. In other words, the IMF is reclassifying cybersecurity from a technical risk category to a financial stability category — alongside banking supervision and market structure.

Emerging markets receive particular attention: they face the highest exposure due to weaker existing defenses.

Numbers That Speak for Themselves

A week later, on May 14, 2026, CrowdStrike released the 2026 Financial Services Threat Landscape Report — an industry study based on tracking more than 280 named adversary groups. The data confirmed and quantified the IMF’s warnings.

Key figures:

  • $2.02 billion in digital assets stolen by North Korea-linked (DPRK) groups in 2025 — a 51% year-over-year increase.
  • $1.46 billion taken in a single operation by Pressure Chollima through a software supply chain compromise, the largest single financial theft ever recorded.
  • A 43% surge in hands-on-keyboard intrusions against financial institutions globally over two years. In North America, the figure reaches 48%.
  • 423 financial sector organizations appeared on data leak sites in 2025 — a 27% year-over-year increase.

The mechanics of attacks have changed fundamentally. North Korean groups Famous Chollima and Stardust Chollima deploy AI-generated identities, fake recruiters, and synthetic video conferencing environments to infiltrate crypto exchanges, fintech platforms, and traditional banks. Famous Chollima doubled its operational volume specifically through AI-generated identities.

Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, put it plainly: “The cost to create convincing identities, automate reconnaissance, and accelerate credential theft is near zero. Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defenses can respond.”

What Is Being Targeted and Why

Both reports converge on the same diagnosis: the financial sector attracts attacks from multiple directions simultaneously.

First, it concentrates both money and sensitive data. Second, financial institutions are deeply interconnected, so compromising one node opens pathways to others. Third, the regulatory and reputational consequences of an attack create additional pressure on the victim, raising the probability of ransom payment.

Crypto infrastructure remains a special-category target. The irreversibility of transactions, the cross-border nature of settlements, and the uneven compliance standards across jurisdictions create opportunities that don’t exist in traditional banking. According to CrowdStrike, stolen proceeds almost certainly fund the DPRK regime’s military programs, meaning cyberattacks have become an instrument of state financing.

The Infrastructure Response

Both reports point in the same direction: resilience matters more than perimeter.

The traditional security model (build a barrier and keep the attacker out) breaks down against AI-accelerated attacks. The speed at which vulnerabilities are discovered and exploited now outpaces the speed at which patches are released. What’s needed is infrastructure that keeps functioning under pressure, not infrastructure designed only for normal operating conditions.

The IMF emphasizes three components: resilience, supervision, and international coordination. For payment and settlement systems operating across multiple jurisdictions, the last point is particularly critical: an attack launched in one country crosses borders instantly, while regulatory responses remain slow and local.

CrowdStrike frames it differently, but the logic is the same: to close the gap, defenders must meet AI with AI by pairing threat intelligence with continuous hunting to outpace the adversary.

What This Means for Cross-Border Operations

For companies operating in cross-border settlements, crypto infrastructure, and fintech, the implications are operational.

The compliance layer has become an attack vector. Adversaries are no longer forcing their way through technical vulnerabilities. They are creating fictitious counterparties that pass KYC. AI-generated identities with synthetic documentation and fabricated transaction histories are already standard tools for North Korean groups.

The software supply chain is a critical risk. The $1.46 billion Pressure Chollima operation wasn’t a direct exchange hack. It was a compromise of software the exchange trusted. For any platform integrating third-party solutions, this means rethinking the trust model applied to vendors.

Response speed matters more than complete prevention. In an environment where AI compresses the window from access to impact from hours to minutes, architecture must assume compromise and deliver isolation and recovery, not just blocking.

Conclusion

Two independent reports, published within the same month, paint a single picture: AI has fundamentally shifted the balance of power between attack and defense. The financial sector, both traditional and crypto, is at the center of this shift.

The answer cannot simply be more tools or a larger security budget. What’s needed is a different architecture, one designed on the assumption that an attack will eventually succeed, and that ensures continuity of settlements, transaction visibility, and regulatory compliance even under stress.

That is what separates infrastructure that is ready for 2026 from infrastructure that was sufficient in 2023.

RUTA builds IT infrastructure for companies where treasury, compliance, and settlement operations must function under pressure, across cross-border environments in the UAE, GCC, and Eastern Europe.
Our focus is the operational layer: resilient payment rails, improved transaction visibility, and compliance systems that are built into the architecture from the start, not bolted on after the fact. We don’t sell a defensive perimeter. We build infrastructure that keeps working when the perimeter has been breached.
If you are building or scaling a fintech product in the region and want to discuss how to make it resilient against the threats of 2026, get in touch.
