Mar 17, 2026 · 5 min read
Cybercrime Just Spiked 245% in Two Weeks—And Your Bank Is the Biggest Target
Akamai data shows banking and fintech account for 40% of all malicious traffic since the Iran conflict escalated, with Russia and China providing cover.
Two Weeks That Changed the Threat Landscape
On February 28, 2026, the Iran conflict crossed a threshold that threat intelligence analysts had been watching for months. Within days, the internet's background noise of probes, scans, and credential stuffing attempts transformed into something far more deliberate. According to data published by Akamai, global cybercrime activity has surged 245% since the conflict escalated—a figure that security teams describe as unlike anything seen outside of major wartime events.
This is not a gradual trend. It is a spike. And it is hitting financial institutions hardest.
Why Banks Are the Primary Target
Akamai's sector breakdown leaves little ambiguity about who is being targeted. Banking and fintech absorb 40% of all malicious traffic in the current wave. Ecommerce follows at 25%, with video games at 15%, technology companies at 10%, and media and streaming platforms at 7%. The remaining 3% is spread across other sectors.
The concentration on financial services is not accidental. Banks are the most direct route to economic disruption: destabilizing a major institution cascades into supply chains, payroll systems, and consumer confidence. For state-sponsored actors and the hacktivist networks operating under their indirect cover, that disruption has both strategic and psychological value.
One unnamed US financial services company disclosed that it blocked 13 million packets originating from Iranian infrastructure over a 90-day period. The peak came on February 9, when the company absorbed more than 2 million blocked packets in a single day, weeks before the wider escalation that triggered the 245% spike. A blocked-packet count measures volume at the network edge, not the number of distinct sources or campaigns, so it says more about scanning and flooding intensity than about how many intrusion attempts reached the application layer.
The Attack Types That Are Surging
The 245% headline figure encompasses a broad range of attack categories, but Akamai's data identifies the specific techniques driving the increase:
- Botnet discovery traffic is up 70%
- Automated reconnaissance has increased 65%
- Infrastructure scanning is up 52%
- Credential harvesting attempts have risen 45%
- DDoS reconnaissance activity is up 38%
The pattern these numbers reveal is methodical preparation rather than opportunistic chaos. Reconnaissance precedes exploitation. Infrastructure scanning maps attack surfaces before intrusion attempts begin. Botnet traffic establishes the distributed platforms needed to launch sustained campaigns. The credential harvesting surge is particularly significant for financial services, where stolen login data translates directly into account takeovers and fraudulent transfers.
What security teams are observing is not simply more attacks but more organized attacks, with a degree of coordination that suggests centralized direction rather than independent actors sharing an ideological motive.
The Russia, China, and Iran Axis
Source IP attribution in the current wave shows a distinct geographic pattern. Russia accounts for 35% of malicious source traffic, China for 28%, and Iran for 14%. The remaining 23% is distributed across other origins.
The Russia and China figures require careful interpretation. Researchers at Palo Alto Networks' Unit 42 have described the current situation as effectively expanding the Middle East's attack surface into global infrastructure. Hacktivists and state-aligned groups are routing attack traffic through proxy services hosted in Russia and China, generating what Unit 42 calls "billions of designed-for-abuse connection attempts." The infrastructure in those countries launders attribution: attacks that originate with Iranian or Iran-aligned actors arrive at their targets wearing Russian or Chinese source addresses.
This proxy layering is not new, but the scale at which it is being deployed in the current conflict is unprecedented, and it complicates both attribution and response. Blocking by source country is a blunt instrument: a geo-block on Iran misses traffic that has already been relayed through Russian or Chinese proxies, and extending the block to those countries also cuts off legitimate users in allied or neutral countries whose traffic exits through commercial cloud or VPN infrastructure there. On its own, source country is a weak signal; the hosting ASN, whether the address belongs to a cloud or VPN provider, and the behaviour of the traffic carry more weight in a blocking decision.
What Organizations and Individuals Should Do Now
The threat environment created by geopolitical conflict does not respect the distinction between enterprise and individual targets. Credential harvesting campaigns sweep up personal accounts alongside corporate ones. DDoS attacks on financial infrastructure affect retail banking customers as much as institutional clients. Here is what both organizations and individuals can do to reduce exposure:
For organizations:
- Treat the current period as an elevated threat window: increase monitoring cadence on authentication systems and network ingress, and lower anomaly detection thresholds for its duration so that alerts fire earlier
- Review and tighten rate limiting on login endpoints, and do not rely on per-IP request rates alone; credential stuffing tools are calibrated to stay below default detection thresholds, so also track distinct accounts attempted per source and distinct sources per account
- Audit your external attack surface now, before automated reconnaissance tools do it for you; the 52% increase in infrastructure scanning means exposed services are being catalogued in real time
- Validate that DDoS mitigation contracts and runbooks are current; the 38% increase in DDoS reconnaissance typically precedes volumetric attacks by days to weeks
- Brief incident response teams on the proxy attribution problem so that blocking decisions account for the Russia and China routing layer
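The rate-limiting point above is easiest to see with a worked example. The Python below is written for this article as an illustration; it is not Akamai's, Unit 42's, or any vendor's detection logic. The log format, the thresholds, the window sizes, and the IP addresses (taken from the documentation ranges) are all assumptions, and the log itself is constructed. It runs three detectors over the same authentication log: a plain per-IP rate limit, a per-source check for many distinct usernames with a high failure ratio, and a per-account check for failures arriving from many distinct sources. The first stays silent against an attacker pacing one attempt every 40 seconds; the other two catch the single-source spray and the distributed one.

```python
"""Low-and-slow credential stuffing detection over a constructed auth log.
Format, thresholds and addresses are assumptions for illustration, not Akamai data."""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta, timezone

# Constructed log, "<ISO timestamp> <source IP> <username> <OK|FAIL>":
# 203.0.113.5 sprays 10 accounts at one try per 40 s (never more than 2 per minute),
# 192.0.2.11-15 each try "carol" once, 198.51.100.7 is a legitimate user who mistypes.
SAMPLE_LOG = """\
2026-03-02T10:00:00Z 203.0.113.5 u01 FAIL
2026-03-02T10:00:40Z 203.0.113.5 u02 FAIL
2026-03-02T10:01:20Z 203.0.113.5 u03 FAIL
2026-03-02T10:02:00Z 203.0.113.5 u04 FAIL
2026-03-02T10:02:40Z 203.0.113.5 u05 FAIL
2026-03-02T10:03:20Z 203.0.113.5 u06 FAIL
2026-03-02T10:04:00Z 203.0.113.5 u07 OK
2026-03-02T10:04:40Z 203.0.113.5 u08 FAIL
2026-03-02T10:05:20Z 203.0.113.5 u09 FAIL
2026-03-02T10:06:00Z 203.0.113.5 u10 FAIL
2026-03-02T10:01:05Z 198.51.100.7 alice OK
2026-03-02T10:02:10Z 198.51.100.7 bob FAIL
2026-03-02T10:02:50Z 198.51.100.7 bob OK
2026-03-02T10:03:00Z 192.0.2.11 carol FAIL
2026-03-02T10:03:20Z 192.0.2.12 carol FAIL
2026-03-02T10:03:40Z 192.0.2.13 carol FAIL
2026-03-02T10:04:00Z 192.0.2.14 carol FAIL
2026-03-02T10:04:20Z 192.0.2.15 carol FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")
Attempt = namedtuple("Attempt", "ts ip user ok")

def parse_log(text):
    """Parse and time-sort; reject malformed lines rather than silently dropping them."""
    attempts = []
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attempts.append(Attempt(ts, m["ip"], m["user"], m["result"] == "OK"))
    return sorted(attempts, key=lambda a: a.ts)

def rate_limit_alerts(attempts, max_per_minute=5):
    """The naive control: flag a source only if it exceeds N attempts in any 60 s window."""
    flagged, recent = set(), defaultdict(deque)
    for a in attempts:
        q = recent[a.ip]
        q.append(a.ts)
        while a.ts - q[0] > timedelta(seconds=60):
            q.popleft()
        if len(q) > max_per_minute:
            flagged.add(a.ip)
    return flagged

def _windows(attempts, key, window):
    """Yield (key, attempts within the trailing window) for every attempt, grouped by key."""
    groups = defaultdict(list)
    for a in attempts:
        groups[key(a)].append(a)
    for k, lst in groups.items():
        start = 0
        for end, a in enumerate(lst):
            while a.ts - lst[start].ts > window:
                start += 1
            yield k, lst[start:end + 1]

def source_spray_alerts(attempts, window=timedelta(minutes=10), min_users=8, min_fail_ratio=0.8):
    """One source, many distinct usernames, mostly failures: stuffing, however slowly it is paced."""
    alerts = {}
    for ip, span in _windows(attempts, lambda a: a.ip, window):
        users = {a.user for a in span}
        fails = sum(1 for a in span if not a.ok)
        if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
            alerts[ip] = max(alerts.get(ip, 0), len(users))
    return alerts

def account_spray_alerts(attempts, window=timedelta(minutes=10), min_ips=5):
    """One account, failures from many distinct sources: stuffing spread over a proxy or bot pool."""
    alerts = {}
    for user, span in _windows(attempts, lambda a: a.user, window):
        ips = {a.ip for a in span if not a.ok}
        if len(ips) >= min_ips:
            alerts[user] = max(alerts.get(user, 0), len(ips))
    return alerts

def analyze(text):
    """Run all three detectors; the naive one stays empty while the other two fire."""
    attempts = parse_log(text)
    return {"rate_limit": rate_limit_alerts(attempts),
            "source_spray": source_spray_alerts(attempts),
            "account_spray": account_spray_alerts(attempts)}

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(f"{name}: {hits or 'nothing flagged'}")
```

Lowering the per-minute limit until it catches the attacker also catches the legitimate user who retried a mistyped password, which is why the distinct-account and distinct-source counts are the better signals: they key on the shape of the traffic rather than its speed. In production the windows would be kept in a store shared across login servers, and the per-account detector would feed a step-up challenge rather than a lockout, since locking accounts on failures from attacker-controlled sources hands the attacker a denial-of-service lever.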
For individuals:
- Enable multifactor authentication on every financial account you hold; credential harvesting pays off only when a stolen password is enough to get in. Where the bank offers it, prefer a passkey or hardware security key over SMS or app-generated codes, because one-time codes can be relayed by real-time phishing kits while FIDO2 ties the login to the genuine site
- Check whether your email address and password appear in recent breach databases using a service like Have I Been Pwned
- Be alert to phishing attempts that exploit conflict anxiety; attackers use news events to craft convincing pretexts for urgent account verification requests
- Avoid reusing passwords across financial and email accounts; if one credential set is harvested, unique passwords contain the damage
The 245% spike documented by Akamai is a data point, not a ceiling. Conflict-driven cyber campaigns typically intensify before they subside. The organizations and individuals who treat the current moment as a reason to audit and harden their defenses are the ones least likely to appear in the next wave of incident reports.