The Hidden Economy of Cybercrime: What fintech needs to know about emerging threats in 2025

Cybercrime is no longer the domain of isolated hackers operating from dimly lit basements. According to a recent study by cybersecurity firm Radware, today’s threat actors are running complex, service-based businesses that rival the sophistication of legitimate tech enterprises—posing significant risks to financial services and fintech providers.

As we have just witnessed with the run of attacks on superannuation companies in Australia, planned, coordinated and targeted attacks are capable of breaching cyber defences and exposing customers (and companies) to the risk of financial theft.

Radware’s research team analysed more than 26,000 threads across 46 deep-web hacker forums, uncovering a thriving underground economy that now operates on subscription models, bundles of attack tools, and automated social engineering tactics. Here’s what fintech leaders and cybersecurity teams need to know.

1. InfoStealer-as-a-Service: Malware Built for Scale and Specialisation

A key finding from Radware’s report is the rapid expansion of the infostealer economy, which is now organised into a service-based model. These malicious tools, designed to extract sensitive information such as login credentials and browser data, are now marketed with modular plug-ins, compatibility features, and customer support.

Developers are targeting distinct customer segments:

  • Individual hackers get access to low-cost, user-friendly tools.
  • Advanced Persistent Threat (APT) groups are offered enterprise-targeted features. One malware variant, Mystic Stealer, for example, is optimised to extract credentials from Microsoft Outlook—making it a tailored threat for financial institutions and corporates.

Notably, 56% of infostealer mentions across deep-web forums now relate to these service offerings, underscoring a growing productisation of cybercrime.

2. Credential-as-a-Service: Breach-as-a-Subscription

The concept of breached credentials being traded on hacker forums isn’t new—but now, they’re available on subscription-based “credential clouds” that offer daily or weekly updates sorted by geography and industry.

Platforms like Combo Cloud have seen a 46% increase in mentions since 2022, reflecting their rising popularity. The delivery methods have evolved too, moving away from static text files to more dynamic and user-friendly interfaces.

For fintech firms, this means credential leaks are no longer a one-off risk—they’re part of a recurring threat model, updated in near-real time.

3. OTP Bots: Social Engineering Gets Automated

Among the most alarming trends is the automation of two-factor authentication (2FA) bypasses via OTP bots. Operated over Telegram, these bots impersonate banks and digital service providers, tricking customers into revealing their one-time passwords.

Here’s how the scam unfolds:

  1. A threat actor launches a credential stuffing attack using breached username-password pairs.
  2. When login attempts fail due to 2FA, the accounts are flagged for follow-up.
  3. The attacker uses a Telegram-based OTP bot to contact the victim via voice or SMS, impersonating the bank and requesting the OTP “for verification purposes.”
  4. Once the code is provided, the attacker gains full control of the account—changing passwords and locking out the original user.
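The defender-side signal in this flow is the hand-off between steps 2 and 4: a source that sprayed many accounts, was stopped at the OTP step, and later passes OTP for that same account. The detection logic below is an added example, not part of the article or Radware’s report; the event format, thresholds and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not from the article): (timestamp, source IP,
# account, factor, result). One IP sprays five accounts, is stopped by the OTP
# step on "carol", then completes OTP for "carol" 40 minutes later.
EVENTS = [
    ("2025-04-01T10:00:01", "203.0.113.9", "alice", "password", "fail"),
    ("2025-04-01T10:00:02", "203.0.113.9", "bob", "password", "fail"),
    ("2025-04-01T10:00:03", "203.0.113.9", "carol", "password", "ok"),
    ("2025-04-01T10:00:04", "203.0.113.9", "carol", "otp", "fail"),
    ("2025-04-01T10:00:05", "203.0.113.9", "dave", "password", "fail"),
    ("2025-04-01T10:00:06", "203.0.113.9", "erin", "password", "fail"),
    ("2025-04-01T10:41:00", "203.0.113.9", "carol", "password", "ok"),
    ("2025-04-01T10:41:20", "203.0.113.9", "carol", "otp", "ok"),
    ("2025-04-01T10:50:00", "198.51.100.7", "bob", "password", "ok"),  # genuine login
    ("2025-04-01T10:50:05", "198.51.100.7", "bob", "otp", "ok"),
]

def stuffing_sources(events, min_users=5, window=timedelta(minutes=5)):
    """IPs that tried passwords for at least min_users distinct accounts within window."""
    by_ip = defaultdict(list)
    for ts, ip, user, factor, _ in events:
        if factor == "password":
            by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.add(ip)
                break
    return flagged

def otp_takeover_candidates(events, sources, max_gap=timedelta(hours=2)):
    """Accounts whose OTP step first blocked a stuffing source and later accepted a code from the same IP."""
    first_ok, otp_failed, hits = {}, set(), []
    for ts, ip, user, factor, result in sorted(events):
        if ip not in sources:
            continue
        key, t = (ip, user), datetime.fromisoformat(ts)
        if factor == "password" and result == "ok":
            first_ok.setdefault(key, t)  # earliest time the first factor was accepted
        elif factor == "otp" and result == "fail" and key in first_ok:
            otp_failed.add(key)  # step 2 of the flow: login stalled at 2FA
        elif (factor == "otp" and result == "ok" and key in otp_failed
              and t - first_ok[key] <= max_gap):
            hits.append((user, ip, ts))  # step 4: the phished code is used
    return hits
```

Flagged accounts are candidates for a step-up check or a session review rather than an automatic lockout, since a shared NAT address can also trip the spray threshold.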

Radware found 1,354 mentions of OTP bots in 2024 alone, a 31% year-over-year rise. These bots cost as little as $10 to $50 per attack, making them accessible to a wide swath of cybercriminals.

4. DDoS-as-a-Service: AI-Enhanced and Accessible to All

Distributed denial-of-service (DDoS) attacks are evolving rapidly. The DDoS-as-a-service market now includes 34 distinct tools, some with over 196,000 followers. What’s more, attacks can be launched from a smartphone for under $50.

AI is beginning to play a significant role. One tool, Stressed Cat, launched in May 2024, uses AI to solve captchas—allowing attackers to overwhelm websites that previously relied on these tools for basic bot mitigation.

Fintech platforms—especially those with client-facing portals and APIs—need to brace for this next generation of smarter, faster, and harder-to-block DDoS threats.

Key Takeaways for Fintech Firms

Radware’s report makes one thing clear: cybercrime has matured into a decentralised service economy, mirroring the SaaS boom of legitimate tech.

The implications for fintech are urgent:

  • Static security postures are no longer sufficient.
  • Threat intelligence must be continuous, external, and deeply embedded in security operations.
  • Customer education and 2FA hardening must evolve alongside attacker tactics.

Cybersecurity isn’t just about firewalls and fraud detection anymore—it’s about understanding your adversary’s business model. And in 2025, that business is booming.