
DDoS, Deepfakes, and State Actors: How Cyber Threats Evolved Against European Banks in 2025

DORA Atlas Editorial

The Threat Landscape DORA Was Built For

DORA did not emerge from regulatory imagination. It emerged from a decade of escalating cyber incidents against European financial infrastructure — incidents that exposed the gap between the financial sector's digital dependency and its operational resilience posture. The regulation's five pillars map directly to the failure modes that real attacks have exploited: inadequate risk management frameworks, delayed incident detection and reporting, insufficient resilience testing, unmanaged third-party dependencies, and fragmented threat intelligence sharing.

The data from ENISA's Threat Landscape report for the finance sector documents this trajectory with empirical precision. Between January 2023 and June 2024, ENISA catalogued 488 publicly reported cyber incidents targeting the European financial sector. Banks bore the heaviest burden: 46% of all documented incidents — approximately 301 events — targeted banking institutions specifically. The remaining incidents were distributed across insurance, payment services, investment firms, and market infrastructure.

But the ENISA dataset, comprehensive as it is, captures only publicly reported incidents. The actual incident volume is substantially higher. Many cyber events — particularly DDoS attacks that are absorbed without visible service disruption, phishing campaigns that are blocked at the perimeter, and data exfiltration attempts that are detected but not disclosed — never enter the public record. The 488 figure is a floor, not a ceiling.

The DDoS Escalation: NoName057(16) and Hacktivist Warfare

The most prolific threat actor against European financial institutions in 2024-2025 was not a sophisticated APT group or a ransomware cartel. It was NoName057(16), a pro-Russian hacktivist collective that conducted over 1,500 DDoS attacks against European financial infrastructure between March 2022 and June 2025.

NoName057(16)'s operational model is significant for what it reveals about the evolving threat landscape:

| Characteristic | NoName057(16) Profile | DORA Implication |
|---|---|---|
| Attack type | Volumetric DDoS (application and network layer) | Art. 9(2): protection must cover DDoS-specific scenarios |
| Target selection | Politically motivated — banks in NATO-aligned countries | Art. 17: incidents may be classified differently when geopolitically driven |
| Attack frequency | Multiple attacks per week against same targets | Art. 11: recovery must account for persistent, repeated disruption |
| Tooling | DDoSia (crowdsourced attack platform) | Art. 45: sharing IOCs helps correlate attacks across institutions |
| Sophistication | Moderate — relies on volume, not zero-days | But effective: 30-60 minute outages per attack are operationally significant |
| Disruption achieved | Limited — operational despite law enforcement pressure; arrests of affiliates in multiple countries | Law enforcement action slows but does not eliminate the threat |

Law enforcement operations have targeted NoName057(16) affiliates with arrests in multiple European countries, but the group's operational capability has proven resilient. Copycat groups and successor organizations continue to emerge. For EU financial institutions, the lesson is clear: politically motivated DDoS campaigns against financial infrastructure are now a permanent feature of the threat landscape.

DORA's relevance is direct. Art. 17 requires financial entities to "establish and implement an ICT-related incident management process." Art. 9 requires protection and prevention measures. For DDoS specifically, this means having absorption capacity (CDN, scrubbing services), detection capability (traffic analysis, anomaly detection), response procedures (traffic rerouting, rate limiting), and communication protocols (customer notification, NCA reporting if thresholds are met).
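The detection and response capabilities listed above can be sketched in code. The following is an added example, not part of the original analysis or any product mentioned in it: it learns a request-rate baseline from a quiet window of constructed web access logs, flags seconds whose volume exceeds that baseline (anomaly detection), and emits a rate-limit decision for each source that dominates a flagged second (response). The log format, thresholds and addresses are assumptions chosen for illustration; a production deployment would feed real edge or scrubbing-service telemetry and tune the parameters.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")  # "epoch_second source_ip path"


def _burst(sec, ip, n, path="/login"):
    # Helper for the constructed sample: n identical requests in one second.
    return "\n".join(f"{sec} {ip} {path}" for _ in range(n))


# Constructed access log: five quiet seconds (the learning window), then a
# two-second flood from two sources while a normal client keeps browsing.
SAMPLE_LOG = "\n".join([
    "1000 198.51.100.10 /login",
    "1000 198.51.100.11 /accounts",
    "1001 198.51.100.12 /login",
    "1002 198.51.100.10 /transfer",
    "1003 198.51.100.13 /accounts",
    "1004 198.51.100.11 /login",
    "1005 198.51.100.10 /accounts",
    _burst(1005, "203.0.113.5", 8),
    _burst(1005, "203.0.113.6", 8),
    _burst(1006, "203.0.113.5", 12),
    "1007 198.51.100.12 /accounts",
])


def parse_log(text):
    """Yield (second, source_ip, path); malformed lines are skipped."""
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def requests_per_second(events):
    """Map each second to a Counter of requests by source address."""
    per_sec = defaultdict(Counter)
    for sec, ip, _path in events:
        per_sec[sec][ip] += 1
    return per_sec


def detect_ddos(text, baseline_seconds=5, sigma=3.0, floor=10, per_source_limit=5):
    """Detection: flag seconds whose total request rate exceeds the learned
    baseline (mean + sigma * stdev, never below `floor`). Response: within
    flagged seconds, any source above `per_source_limit` gets a rate-limit
    decision. All thresholds are illustrative assumptions."""
    per_sec = requests_per_second(parse_log(text))
    seconds = sorted(per_sec)
    baseline = [sum(per_sec[s].values()) for s in seconds[:baseline_seconds]]
    threshold = max(floor, mean(baseline) + sigma * pstdev(baseline))
    anomalous, offenders = [], Counter()
    for s in seconds[baseline_seconds:]:
        total = sum(per_sec[s].values())
        if total <= threshold:
            continue
        anomalous.append(s)
        for ip, n in per_sec[s].items():
            if n > per_source_limit:
                offenders[ip] += n
    return {
        "threshold": threshold,
        "anomalous_seconds": anomalous,
        "attack_duration_s": len(anomalous),  # feeds the outage/impact assessment
        "offenders": dict(offenders),
        "actions": {ip: "rate_limit" for ip in offenders},
    }


if __name__ == "__main__":
    print(detect_ddos(SAMPLE_LOG))
```

The per-source step matters for the NoName057(16) pattern described above: a crowdsourced platform spreads load across many participants, so a global threshold alone tells you that an attack is happening, while the per-source counters tell you where to apply rate limits without throttling legitimate clients that happen to be active during the flood.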

The Deepfake Frontier: CEO Fraud Goes Synthetic

In 2025, deepfake technology crossed a threshold that transforms social engineering from a phishing problem into an identity problem. The Deutsche Bank India incident crystallized this shift: an executive authorized a transfer of INR 1.08 crore (approximately EUR 120,000) after receiving what appeared to be a video call from the CEO — generated entirely by AI.

The attack exploited a fundamental assumption in financial controls: that seeing and hearing a known colleague on a video call constitutes sufficient identity verification. Deepfake technology — now available as commodity software for as little as USD 25 per month — can generate real-time video and audio that is indistinguishable from legitimate communication under normal business conditions.

For European banks, the implications extend beyond individual fraud events:

Transaction authorization. DORA's Art. 9(3)(b) requires "strong authentication mechanisms" for access to ICT systems. But most transaction authorization workflows rely on human verification at the approval stage — a manager confirms a payment instruction by voice or video. Deepfake-capable adversaries can now generate synthetic approval that passes human verification.

Incident classification. A deepfake-enabled fraud that results in unauthorized transaction execution is simultaneously a cybersecurity incident (Art. 17), a potential data breach (if customer data was used to construct the deepfake), and a financial crime. DORA's incident classification framework (Art. 18) does not explicitly address synthetic media attacks — institutions must map these novel attack vectors to existing categories.

Third-party exposure. Financial institutions' customers, counterparties, and suppliers are all potential deepfake targets. A deepfake attack against a treasury management counterparty could result in misdirected payments that flow through the banking system. Art. 28-29's third-party risk requirements must extend to assess counterparty vulnerability to synthetic media attacks.
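The transaction-authorization point above is where a control change is most concrete: an approval must be something a deepfake cannot produce, which means binding it cryptographically to the transaction rather than to a face or voice. The following is an added example, not code from the original analysis or from any institution it names. It assumes each approver holds a registered key (in practice a hardware token or HSM-backed key; here a constructed secret) and models dual control: a transfer is authorized only when two distinct approvers present a MAC computed over the exact transaction fields, while an approval "given on a video call" carries no key and is rejected. The transaction values are constructed.

```python
import hashlib
import hmac
import json

# Constructed: each approver's secret lives in a registered authenticator
# (a hardware token or HSM-held key in a real deployment). Approval by
# voice or video call carries no key and therefore never verifies.
APPROVER_KEYS = {
    "cfo": b"constructed-secret-cfo",
    "treasurer": b"constructed-secret-treasurer",
}
ACCEPTED_CHANNELS = {"signed_token"}
REQUIRED_APPROVALS = 2


def canonical(txn):
    """Deterministic encoding so the MAC binds every transaction field."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def sign_approval(approver, txn):
    """What a registered authenticator emits for one specific transaction."""
    mac = hmac.new(APPROVER_KEYS[approver], canonical(txn), hashlib.sha256).hexdigest()
    return {"approver": approver, "channel": "signed_token", "mac": mac}


def verify_approval(txn, approval):
    """True only for an accepted channel, a registered approver and a MAC
    computed over exactly this transaction (amount, beneficiary, id)."""
    if approval.get("channel") not in ACCEPTED_CHANNELS:
        return False
    key = APPROVER_KEYS.get(approval.get("approver"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(approval.get("mac", "")))


def authorize_transfer(txn, approvals):
    """Dual control: at least REQUIRED_APPROVALS distinct, verified approvers."""
    valid = {a.get("approver") for a in approvals if verify_approval(txn, a)}
    return {"authorized": len(valid) >= REQUIRED_APPROVALS,
            "valid_approvers": sorted(valid)}


# Constructed transaction echoing the article's figure, used by the demo below.
TRANSFER = {"id": "TX-0001", "amount": 120000, "currency": "EUR",
            "beneficiary": "DE00 CONSTRUCTED IBAN"}

if __name__ == "__main__":
    both = [sign_approval("cfo", TRANSFER), sign_approval("treasurer", TRANSFER)]
    print("two signed approvals:", authorize_transfer(TRANSFER, both))
    video = [{"approver": "cfo", "channel": "video_call"}, sign_approval("treasurer", TRANSFER)]
    print("one video-call approval:", authorize_transfer(TRANSFER, video))
```

Because the MAC covers the canonical transaction, an approval captured for one payment cannot be replayed against a modified amount or beneficiary, and an attacker who can impersonate the CFO on video still cannot mint the token. The human conversation becomes context for the approver, not the control itself.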

The Third-Party Breach Epidemic

SecurityScorecard's 2025 report on Europe's top 100 financial institutions delivered perhaps the most sobering data point in the year's threat landscape: 96% were impacted by at least one third-party breach — up from 78% the previous year. Fourth-party exposure (breaches at suppliers' suppliers) reached 97%.

These are not marginal findings. They indicate that third-party breach exposure is effectively universal among Europe's largest banks. The question is not whether your institution will be affected by a third-party breach — it is how often and how severely.

The concentration dynamics are stark. Just 15 companies represent 62% of the global technology market. When those companies experience security incidents, the blast radius spans the financial sector:

| Country | Avg. Third-Party Breaches per Bank | Year-over-Year Change |
|---|---|---|
| Switzerland | 171.5 | +38% |
| Netherlands | 148.4 | +42% |
| United Kingdom | 136.2 | +29% |
| Germany | ~120 (estimated) | +35% |
| France | ~110 (estimated) | +31% |

The geographic distribution correlates with the sophistication and interconnectedness of each country's financial sector. Swiss banks, with extensive global operations and technology partnerships, carry the highest per-institution breach exposure. But the trend is uniform: every major European banking market showed double-digit year-over-year increases in third-party breach exposure.

DORA's Pillar IV (Art. 28-44) was designed for exactly this reality. The Register of Information (Art. 28(3)), concentration risk assessment (Art. 29), and contractual requirements for audit rights and incident notification (Art. 30) create the governance infrastructure needed to manage a third-party risk landscape where breach exposure is universal and growing.

The Ransomware Evolution

While DDoS and deepfakes captured headlines, ransomware remained the most financially damaging threat category for European financial institutions. The attack model evolved in three significant ways in 2024-2025:

Double and triple extortion. Attackers encrypt systems AND exfiltrate data AND threaten to report the victim to regulators. Under DORA, the regulatory reporting threat takes on a specific dimension: attackers can threaten to disclose incident details that would trigger the victim's own Art. 19 reporting obligations, creating a perverse incentive to negotiate.

Supply chain targeting. Rather than attacking banks directly — where perimeter defenses are strongest — attackers target technology suppliers whose products are deployed across multiple financial institutions. The ION Trading attack of January 2023, when LockBit ransomware disabled a derivatives clearing platform used by 42 of the world's largest banks, remains the paradigmatic example. A single third-party compromise cascaded across the sector.

Living-off-the-land techniques. Advanced ransomware groups increasingly use legitimate system administration tools (PowerShell, WMI, RDP) rather than custom malware. This makes detection harder because the tools are identical to those used by legitimate administrators. Art. 9's protection requirements and Art. 25's testing requirements must account for attack techniques that do not trigger signature-based detection.
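Since living-off-the-land activity uses the same binaries as legitimate administration, detection has to score context (parent process, command-line traits, account, source host) rather than the tool name. The following is an added example, not from the original analysis: a small rule engine run over constructed events modelled loosely on Windows process-creation (Event ID 4688 / Sysmon Event 1) and logon (Event ID 4624) telemetry. Field names, hosts, accounts, addresses and the scoring weights are assumptions; the point is that an encoded PowerShell command spawned from Word by a regular user scores high, while the same PowerShell binary run by a sanctioned admin account from its usual path scores zero.

```python
# Constructed events modelled loosely on Windows process-creation (Event ID
# 4688 / Sysmon 1) and logon (Event ID 4624) telemetry. Field names, hosts,
# accounts and addresses are assumptions for this example.
EVENTS = [
    {"type": "process", "host": "WS-042", "user": "jdoe", "parent": "winword.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QUJDREVG"},
    {"type": "process", "host": "SRV-DB1", "user": "svc_backup", "parent": "WmiPrvSE.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "host": "ADM-01", "user": "adm_ops", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\ops\\rotate-logs.ps1"},
    {"type": "logon", "host": "SRV-FIN2", "user": "svc_backup", "logon_type": 10,
     "src_ip": "10.9.77.15"},
    {"type": "logon", "host": "SRV-FIN2", "user": "adm_ops", "logon_type": 10,
     "src_ip": "10.0.5.2"},
]

# Environment baseline the rules lean on (assumed for the example).
ADMIN_ACCOUNTS = {"adm_ops"}
JUMP_HOSTS = {"10.0.5.2"}          # the only sanctioned RDP sources
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def powershell_flags(cmdline):
    """Command-line traits that routine administration rarely needs."""
    tokens = [t.lower() for t in cmdline.split()]
    flags = set()
    if any(t in {"-e", "-ec", "-enc", "-encodedcommand"} for t in tokens):
        flags.add("encoded_command")
    if "hidden" in tokens and any(t in {"-w", "-windowstyle"} for t in tokens):
        flags.add("hidden_window")
    if any(t in {"-nop", "-noprofile"} for t in tokens):
        flags.add("no_profile")
    return flags


def evaluate(event):
    """Return (score, reasons). The tool by itself scores nothing; context does."""
    score, reasons = 0, []
    if event["type"] == "process":
        image, parent = event["image"].lower(), event["parent"].lower()
        if image == "powershell.exe":
            flags = powershell_flags(event["cmdline"])
            if "encoded_command" in flags:
                score += 3
                reasons.append("encoded PowerShell command")
            if flags & {"hidden_window", "no_profile"}:
                score += 1
                reasons.append("hidden-window or no-profile PowerShell")
        if parent == "wmiprvse.exe" and image in SHELLS:
            score += 3
            reasons.append("shell spawned by the WMI provider host")
        if parent in OFFICE_APPS and image in SHELLS:
            score += 3
            reasons.append("shell spawned by an Office application")
        if score and event["user"] not in ADMIN_ACCOUNTS:
            score += 2
            reasons.append("non-admin account using admin tooling")
    elif event["type"] == "logon" and event.get("logon_type") == 10:  # RemoteInteractive (RDP)
        if event["src_ip"] not in JUMP_HOSTS:
            score += 2
            reasons.append("RDP logon from outside the jump-host allowlist")
        if event["user"] not in ADMIN_ACCOUNTS:
            score += 1
            reasons.append("RDP logon by a non-admin account")
    return score, reasons


def triage(events, threshold=3):
    """One alert per event at or above threshold, highest score first."""
    alerts = []
    for e in events:
        score, reasons = evaluate(e)
        if score >= threshold:
            alerts.append({"host": e["host"], "user": e["user"],
                           "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

None of these rules depends on a malware signature, which is the gap the paragraph describes; they depend instead on knowing which accounts, hosts and parent processes are allowed to drive PowerShell, WMI and RDP in your environment. That allowlist is the part that has to be maintained, and Art. 25-style testing should include exercises that deliberately use only built-in tooling to confirm the rules fire.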

10 Groups, 44% of Global Incidents

ENISA and Europol data indicate that 10 cybercriminal groups account for approximately 44% of global cyber incidents targeting the financial sector. This concentration of threat capability has strategic implications:

| Threat Actor Category | Estimated Share | Primary Techniques | DORA-Relevant Impact |
|---|---|---|---|
| Ransomware cartels (LockBit, ALPHV/BlackCat successors) | 20-25% | Encryption, data exfiltration, triple extortion | Art. 17-23: major incident reporting; Art. 11: recovery capability |
| Hacktivist collectives (NoName057, Anonymous Sudan successors) | 10-15% | DDoS, website defacement, data leaks | Art. 9: protection; Art. 17: incident management |
| APT/state-sponsored groups (Lazarus, various Chinese APTs) | 8-12% | Persistent access, intellectual property theft, SWIFT targeting | Art. 8: identification; Art. 24-27: TLPT scenarios |
| Financial fraud groups (Scattered Spider, social engineering specialists) | 10-15% | Deepfakes, SIM swapping, credential theft, wire fraud | Art. 9: authentication; Art. 17: incident classification |
| Data brokers and initial access brokers | 5-8% | Credential harvesting, access monetization | Art. 28-29: third-party risk (compromised vendor credentials) |

The concentration of threat capability means that effective threat intelligence — shared across institutions — can disproportionately improve the sector's collective defense. If 10 groups generate nearly half of all incidents, intelligence on those 10 groups protects against nearly half of all incidents. This is the logic behind DORA's Pillar V (Art. 45): information sharing arrangements. Organizations like FS-ISAC facilitate this intelligence exchange.

DORA's Information Sharing Mandate: Pillar V

Art. 45 encourages — though does not mandate — financial entities to participate in "voluntary information sharing arrangements" on cyber threats and intelligence. The article specifies that such arrangements must:

  • Operate within trusted environments, with participation limited to entities meeting security and confidentiality requirements
  • Use standardized formats for threat intelligence exchange (TTPs, indicators of compromise, threat actor profiles)
  • Respect data protection requirements, particularly regarding personal data embedded in threat intelligence
  • Notify competent authorities of participation in sharing arrangements

Pillar V is DORA's least prescriptive pillar. It imposes no specific sharing obligation, no minimum participation requirement, and no reporting format. But the threat landscape data argues that it should be among the most operationally valued.

The 488 incidents documented by ENISA, the 1,500+ DDoS attacks by NoName057(16), and the 96% third-party breach rate represent collective threats that no single institution can defend against in isolation. The institutions that participate in structured information sharing — through ISACs (Information Sharing and Analysis Centers), FS-ISAC, or bilateral arrangements with peer institutions — gain early warning capability that materially reduces response time and attack surface.
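The operational value of Pillar V, and of the standardized formats the bullet list above calls for, shows up at the moment a peer's indicator is matched against your own telemetry. The following is an added example, not code from the original analysis or from FS-ISAC or any other ISAC: it ingests a constructed feed of STIX 2.1-style indicator objects (the real `indicator` object carries `pattern`, `valid_from`, `valid_until` and `created_by_ref`; only the simple `[type:value = '...']` pattern form is handled here, which is a simplification), drops indicators that are expired or not yet valid, and correlates the rest against constructed firewall and DNS log lines, keeping the sharing organisation on each hit so analysts know whom the observation helps and to whom they should reciprocate. Identifiers, organisations, addresses and the log format are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed STIX 2.1-style indicators as they might arrive through an ISAC
# feed. Only the simple "[type:value = '...']" comparison form is handled;
# identifiers and organisations are placeholders.
SHARED_FEED = [
    {"type": "indicator", "id": "indicator--0001", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.5']",
     "valid_from": "2025-03-01T00:00:00Z", "valid_until": "2025-06-01T00:00:00Z",
     "created_by_ref": "identity--peer-bank-a"},
    {"type": "indicator", "id": "indicator--0002", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'update-check.example']",
     "valid_from": "2025-03-02T00:00:00Z",
     "created_by_ref": "identity--peer-bank-b"},
    {"type": "indicator", "id": "indicator--0003", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.77']",
     "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z",
     "created_by_ref": "identity--peer-bank-a"},
]

# Constructed local firewall and DNS log lines in a key=value style.
LOCAL_LOGS = [
    "2025-03-10T09:14:02Z fw allow src=10.1.2.3 dst=203.0.113.5 dport=443",
    "2025-03-10T09:14:05Z dns query=update-check.example client=10.1.2.3",
    "2025-03-10T09:20:11Z fw allow src=10.1.2.9 dst=198.51.100.77 dport=443",
    "2025-03-10T09:21:00Z dns query=intranet.bank.local client=10.1.2.9",
]
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)  # evaluation time for validity checks

PATTERN_RE = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")
KV_RE = re.compile(r"(\w+)=(\S+)")
FIELD_KIND = {"src": "ipv4-addr", "dst": "ipv4-addr",
              "client": "ipv4-addr", "query": "domain-name"}


def _ts(s):
    """Parse the RFC 3339 timestamps STIX uses into aware datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_indicator(ind, now):
    """Reduce one indicator to (kind, value) if its pattern is supported and
    it is valid at `now`; expired or not-yet-valid indicators are dropped."""
    m = PATTERN_RE.match(ind.get("pattern", ""))
    if not m or _ts(ind["valid_from"]) > now:
        return None
    until = ind.get("valid_until")
    if until and _ts(until) < now:
        return None
    return {"kind": m.group(1), "value": m.group(2),
            "id": ind["id"], "source": ind["created_by_ref"]}


def observables(line):
    """Extract (kind, value) pairs from a key=value style log line."""
    return {(FIELD_KIND[k], v) for k, v in KV_RE.findall(line) if k in FIELD_KIND}


def correlate(feed, logs, now):
    """Match active shared indicators against local telemetry; each hit keeps
    the originating sharer so analysts can prioritise and reciprocate."""
    active = [i for i in (parse_indicator(x, now) for x in feed) if i]
    lookup = {(i["kind"], i["value"]): i for i in active}
    hits = []
    for line in logs:
        for obs in sorted(observables(line)):
            if obs in lookup:
                i = lookup[obs]
                hits.append({"indicator": i["id"], "source": i["source"],
                             "value": i["value"], "log": line})
    return hits


def run_correlation():
    return correlate(SHARED_FEED, LOCAL_LOGS, NOW)


if __name__ == "__main__":
    for hit in run_correlation():
        print(hit)
```

The validity check is not cosmetic: a stale indicator from a year-old campaign produces the false positive on the third log line if it is not expired, and stale indicators are a common reason sharing feeds get muted. Restricting ingestion to network observables also keeps personal data out of the local lookup table, which is one practical reading of the data-protection bullet above; a fuller implementation would handle the other STIX observable types and pattern operators.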

Mapping Threats to DORA Readiness

For institutions assessing their DORA readiness against the current threat landscape, the following mapping identifies where the most critical gaps are likely to exist:

Highest risk gaps:

  • Incident detection and classification capability that can handle the 4-hour initial notification window (Art. 19(4)(a)) for major ICT incidents triggered by cyber attacks
  • Recovery capability validated through testing against realistic attack scenarios (Art. 11, Art. 25) — not just infrastructure failures but adversary-driven destruction
  • Third-party risk assessment that accounts for the 96% breach rate reality (Art. 28-29)

Moderate risk gaps:

  • DDoS resilience validated against NoName057-scale attacks (sustained, repeated, multi-vector)
  • Social engineering and deepfake defenses integrated into authentication and authorization controls
  • Information sharing participation and intelligence integration into risk assessment

Emerging gaps:

  • AI-enabled attack detection (deepfakes, automated phishing, polymorphic malware)
  • Supply chain integrity monitoring beyond direct third-party relationships (fourth-party risk)
  • Geopolitical risk integration into ICT risk management framework (Art. 6)

The Regulation Meets Reality

DORA was drafted between 2020 and 2022, finalized in December 2022, and became applicable in January 2025. The threat landscape it was designed to address has intensified in every dimension during that period: more attacks, more sophisticated techniques, more concentrated threat actors, more interconnected supply chains, more pervasive third-party dependencies.

The regulation's requirements — risk management frameworks, incident reporting, resilience testing, third-party governance, information sharing — are not theoretical exercises. They are operational necessities mapped against empirical threat data. The 488 ENISA incidents, the 1,500 NoName057 attacks, the 96% third-party breach rate, and the EUR 120,000 deepfake fraud are the evidence base that validates DORA's design.

The institutions that treat DORA compliance as a box-ticking exercise will meet the letter of the regulation while remaining vulnerable to the threats it addresses. The institutions that treat DORA as a framework for genuine operational resilience — mapping their defenses to the actual threat landscape, testing against realistic scenarios, and sharing intelligence with peers — will be materially better protected than they were before January 17, 2025.


This analysis draws on ENISA Threat Landscape Finance 2024, Europol operational communications, SecurityScorecard EU Banking Report 2025, and public incident disclosures. Threat intelligence data is current as of March 2025.
