Cyberattacks Surge 245% Amid Iran War, Threatening Banking and Fintech Infrastructure
Since the beginning of the Iran war, there has been a significant escalation in cyber activity linked to the conflict. Akamai has reported a staggering 245% increase in malicious traffic, which includes various forms of cyber threats such as credential harvesting, automated reconnaissance, and preparations for denial-of-service attacks. This surge has particularly affected sectors crucial to the financial infrastructure of modern economies.
Banking and Fintech Under Siege
The banking and fintech sectors have been the primary targets of this cyber onslaught, with e-commerce, gaming, technology, and media platforms also facing substantial threats. This trend indicates that cyber operations tied to geopolitical tensions are increasingly focusing on the digital frameworks that support payment systems, consumer engagement, and daily commercial activities, rather than just symbolic government entities.
Cybersecurity analysts have warned that armed conflicts are rapidly extending into private infrastructure. As organizations migrate more of their operations to cloud environments and public-facing platforms, periods of geopolitical escalation place considerable strain on civilian networks that are distanced from traditional battlefields. Unit 42 has noted that Iranian-linked and pro-Iran hacktivist groups are active in this context, with campaigns potentially targeting not only military participants but also regional and Western-linked entities.
Much of the cyber activity observed appears to be preparatory rather than overtly destructive. Akamai’s analysis indicates significant increases in botnet-driven discovery traffic, automated reconnaissance, infrastructure scanning, credential harvesting, and initial probing ahead of distributed denial-of-service attacks. This suggests that the internet is increasingly populated by actors searching for exposed services, weak credentials, and systems that could become serious targets in the future.
The early stages of cyber conflict typically manifest as mapping rather than dramatic breaches. Attackers identify reachable targets, exposed vulnerabilities, and weak defenses. By the time an organization experiences a more visible disruption, much of the groundwork may have already been laid.
This pattern has become familiar to security teams during international crises. Unit 42 has documented how pro-Iran and aligned hacktivist ecosystems employ disruptive tactics, influence operations, and destructive campaigns that can quickly broaden the attack surface. Additionally, opportunistic cybercriminal groups may exploit public unrest through phishing and other social engineering tactics, using the crisis itself as bait.
The Role of Proxy Infrastructure
A notable finding in Akamai’s report is that only a small percentage of the source IP addresses were traced back to Iran. A larger share appeared to originate from infrastructure in Russia and China, which is being used as a proxy for many of the malicious connection attempts.
This does not necessarily imply that the operators are Russian or Chinese. In the realm of cyber conflict, the origin points and actual authorship rarely align. Proxy networks, permissive hosting environments, and abuse-friendly services can obscure the true geography of cyber activities. What is operationally significant is that attackers have access to infrastructure that enables them to scale quickly and mask their origins.
Security researchers have long cautioned that geopolitically motivated groups often route their activities through jurisdictions where cybercriminal ecosystems operate with relative impunity. Unit 42 has also highlighted the risks of false-flag and proxy-style operations during periods of tension, including the potential for actors outside Iran to exploit Iranian-linked infrastructure or branding to achieve their own objectives.
From Digital Threats to Corporate Disruption
The implications of this surge in scanning and probing extend beyond the digital realm. A recent incident involving Stryker, a global medical technology company, exemplifies this risk. An Iran-linked group named Handala claimed responsibility for a destructive cyber operation that disrupted internal systems, affected employee devices, and interfered with ordering, manufacturing, and shipping processes. Although Stryker reported that patient-related services and connected medical products remained unaffected, the incident caused significant business disruption across a company operating in 61 countries.
This case underscores a growing concern among security officials: the boundary between geopolitical signaling and commercial disruption is increasingly blurred. A campaign may begin with scanning and credential theft, but the immediate consequences are often felt by hospitals, banks, utilities, and multinational firms whose systems are integral to daily life.
For businesses, the lesson is clear: cyber risk escalates during wartime, but the increase is uneven and often unpredictable. The organizations under the greatest strain are not always those closest to the conflict. More often they are the ones whose networks are highly visible, whose services are essential, and whose disruption would send the strongest signal.
According to publicly available reporting, the current landscape necessitates heightened vigilance and preparedness among organizations, particularly those in critical sectors.
As reported by cyberwarriorsmiddleeast.com.
Published on 2026-03-17 19:15:00 • By Editorial Desk