Financial Theft
ID: AT-IM004
Tactic: Impact
Platforms: Linux, macOS, Windows
Impact Type: Availability, Integrity
Version: 1.0
Adversaries may directly siphon funds or assets from financial workflows embedded in an application. This could involve intercepting payment data, exploiting digital wallet mechanics, or injecting fraudulent transactions into legitimate processes. By abusing misconfigurations, stolen credentials, or tampered business logic, attackers can illicitly transfer or redirect monetary assets for personal gain, creating tangible financial losses for the victim organization.
Financial theft techniques often target cryptocurrency exchanges, payment processors, digital banking platforms, and other financial services that handle monetary transactions programmatically. Adversaries may exploit vulnerabilities in wallet management systems, abuse privileged access to transaction processing infrastructure, or manipulate smart contracts and blockchain interactions to redirect funds to adversary-controlled accounts.
Procedure Examples
| ID | Name | Description |
|---|---|---|
| AC-0001 | ByBit $1.5B Crypto Heist | In February 2025, Bybit's multisig signers were shown a benign-looking transfer in a tampered signing interface while actually approving a transaction that, via delegatecall, replaced the cold wallet's implementation contract. With control of the wallet logic, the attackers drained ≈400,000 ETH (~US $1.5 B) to attacker-controlled addresses, the largest single crypto heist to date. |
| AC-0002 | npm Supply Chain Attack (September 2025) | After phishing a maintainer's npm credentials, attackers published malicious versions of 18 widely used packages (including chalk and debug). The injected browser-side JavaScript hooked network and Web3 wallet APIs (for example requests through window.ethereum) and swapped destination addresses in cryptocurrency transactions for attacker-controlled wallets before the user signed them. |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1018 | User Account Management | Implement strict access controls and approval workflows for financial operations |
| M1032 | Multi-factor Authentication | Require strong authentication for all financial system access and transactions |
| M1026 | Privileged Account Management | Limit and monitor privileged access to financial systems and transaction processing. Apply strict least-privilege roles and separation of duties: no single API key or user should both create and approve a payment. Rotate keys frequently and disable dormant ones. |
| M1041 | Encrypt Sensitive Information | Encrypt financial data and private keys both at rest and in transit |
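The following is an added example, not code from the original page or from any product it describes, showing how the M1026 and M1032 controls above can be enforced as a release gate in a payment service: the creator of a payment may not approve it, a fixed number of distinct approvers is required, every approver session must have passed MFA, and keys past their rotation age or dormant for too long are rejected. The key store, payment records, thresholds and field names are all assumptions constructed for illustration.

```python
"""Separation-of-duty and key-hygiene gate for releasing a payment.

Added example; the data model, thresholds and sample records below are
assumptions, not the page's or any vendor's implementation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE = timedelta(days=90)        # assumed rotation interval
KEY_DORMANT_AFTER = timedelta(days=30)  # assumed dormancy cutoff
REQUIRED_APPROVALS = 2                  # distinct approvers, excluding the creator


@dataclass
class ApiKey:
    key_id: str
    owner: str            # principal the key is bound to
    created: datetime
    last_used: datetime   # most recent use before the current action
    mfa_verified: bool    # the session holding this key passed MFA (M1032)


@dataclass
class Payment:
    payment_id: str
    amount: float
    created_by: str                               # key_id that created it
    approved_by: list[str] = field(default_factory=list)  # key_ids that approved


def check_key(key: ApiKey, now: datetime) -> list[str]:
    """Key-hygiene violations: overdue rotation, or dormant before this use."""
    problems = []
    if now - key.created > KEY_MAX_AGE:
        problems.append(f"{key.key_id}: key older than rotation window")
    if now - key.last_used > KEY_DORMANT_AFTER:
        problems.append(f"{key.key_id}: dormant key")
    return problems


def evaluate_release(payment: Payment, keys: dict[str, ApiKey], now: datetime) -> list[str]:
    """Return all violations; an empty list means the payment may be released."""
    violations = []
    creator = keys[payment.created_by]
    violations += check_key(creator, now)
    approvers = [keys[k] for k in payment.approved_by]
    for approver in approvers:
        violations += check_key(approver, now)
        if not approver.mfa_verified:
            violations.append(f"{approver.key_id}: approval without MFA")
        # Separation of duties is enforced on the owning principal, not the
        # key id, so a second key held by the creator does not count.
        if approver.owner == creator.owner:
            violations.append(f"{approver.key_id}: creator {creator.owner} approved own payment")
    distinct = {a.owner for a in approvers if a.owner != creator.owner}
    if len(distinct) < REQUIRED_APPROVALS:
        violations.append(f"need {REQUIRED_APPROVALS} distinct approvers, got {len(distinct)}")
    return violations


# Constructed sample data (assumed, for illustration only).
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)
_d = lambda m, d: datetime(2025, m, d, tzinfo=timezone.utc)
KEYS = {
    "alice-key": ApiKey("alice-key", "alice", _d(8, 1), _d(9, 30), True),
    "alice-key2": ApiKey("alice-key2", "alice", _d(9, 10), _d(9, 30), True),
    "bob-key": ApiKey("bob-key", "bob", _d(9, 1), _d(9, 29), True),
    "carol-key": ApiKey("carol-key", "carol", _d(9, 15), _d(9, 30), True),
    "old-key": ApiKey("old-key", "dave", _d(1, 1), _d(6, 1), False),
}
GOOD_PAYMENT = Payment("P-1", 25_000.0, "alice-key", ["bob-key", "carol-key"])
# Creator approves with a second key of her own, plus a stale non-MFA key.
BAD_PAYMENT = Payment("P-2", 180_000.0, "alice-key", ["alice-key2", "old-key"])

if __name__ == "__main__":
    for p in (GOOD_PAYMENT, BAD_PAYMENT):
        print(p.payment_id, evaluate_release(p, KEYS, NOW) or "release OK")
```

Note that the duty check compares owning principals rather than key identifiers; otherwise an insider with two API keys satisfies "creator is not approver" trivially, which is exactly the gap a business-logic tampering attack looks for.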
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0015 | Application Log | Use rule-based or ML deviation scoring on transfer amount, currency, beneficiary, approval chain, and time-of-day to surface suspicious transactions. |
| DS0129 | Network Traffic Content | Inspect SWIFT, Fedwire and payment-API (REST) messages. Trigger when destination account numbers or payment reference fields diverge from canonical vendor master data. |
| DS0129 | Network Traffic Content | Monitor cryptocurrency transactions for suspicious patterns and known malicious addresses. |
| DS0002 | User Account Authentication | Correlate geo-impossible logins or new device fingerprints with subsequent high-value payment actions. |
| DS0010 | Cloud Storage Access | Alert on bulk export of wallet keystore archives or payroll data from rarely accessed buckets. |
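As an added example (not part of the original page), the detection logic described for Application Log and Network Traffic Content above, run over a handful of constructed payment log lines: each event is scored for beneficiary or currency drift from vendor master data, amount deviation from that vendor's history, off-hours submission, a creator approving their own payment, and an unseen device fingerprint. The JSON field names, vendor records, weights and threshold are assumptions; the log lines are fabricated sample data in which only the last event is malicious.

```python
"""Rule-based deviation scoring over payment application logs.

Added example; the log schema, vendor master data, weights and sample lines
are assumptions constructed for illustration, not the page's own tooling.
"""
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed canonical vendor master data: vendor id -> (account, currency).
VENDOR_MASTER = {
    "V-100": ("DE89370400440532013000", "EUR"),
    "V-200": ("GB29NWBK60161331926819", "GBP"),
}

# Constructed sample log lines (one JSON object per line). P5 is the anomaly:
# new beneficiary, 15x the usual amount, 02:47 UTC, self-approved, new device.
SAMPLE_LOG = """\
{"ts":"2025-09-01T10:12:00Z","id":"P1","vendor":"V-100","beneficiary":"DE89370400440532013000","currency":"EUR","amount":12000,"created_by":"alice","approved_by":"bob","device":"dev-a1"}
{"ts":"2025-09-08T11:03:00Z","id":"P2","vendor":"V-100","beneficiary":"DE89370400440532013000","currency":"EUR","amount":11500,"created_by":"alice","approved_by":"bob","device":"dev-a1"}
{"ts":"2025-09-15T09:40:00Z","id":"P3","vendor":"V-100","beneficiary":"DE89370400440532013000","currency":"EUR","amount":12500,"created_by":"alice","approved_by":"carol","device":"dev-a1"}
{"ts":"2025-09-22T14:20:00Z","id":"P4","vendor":"V-200","beneficiary":"GB29NWBK60161331926819","currency":"GBP","amount":4000,"created_by":"dave","approved_by":"bob","device":"dev-d7"}
{"ts":"2025-09-29T02:47:00Z","id":"P5","vendor":"V-100","beneficiary":"LT121000011101001000","currency":"EUR","amount":180000,"created_by":"alice","approved_by":"alice","device":"dev-zz9"}
"""

BUSINESS_HOURS = range(7, 20)  # assumed 07:00-19:59 UTC
ALERT_THRESHOLD = 5            # assumed; tune against real false-positive rates


def score_event(ev: dict, history: dict, known_devices: dict) -> tuple[int, list[str]]:
    """Score one payment event against prior history; returns (score, reasons)."""
    score, reasons = 0, []

    def hit(points: int, reason: str) -> None:
        nonlocal score
        score += points
        reasons.append(reason)

    account, currency = VENDOR_MASTER.get(ev["vendor"], (None, None))
    if ev["beneficiary"] != account:
        hit(4, "beneficiary differs from vendor master data")
    if ev["currency"] != currency:
        hit(2, "currency differs from vendor master data")

    amounts = history[ev["vendor"]]
    if len(amounts) >= 2:  # need some history before judging the amount
        mu, sigma = mean(amounts), pstdev(amounts) or 1.0
        if (ev["amount"] - mu) / sigma > 3:
            hit(3, "amount far above vendor history")

    hour = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    if hour not in BUSINESS_HOURS:
        hit(1, "outside business hours")
    if ev["created_by"] == ev["approved_by"]:
        hit(3, "creator approved own payment")
    if ev["device"] not in known_devices[ev["created_by"]]:
        hit(1, "new device fingerprint for creator")
    return score, reasons


def scan(log_text: str) -> list[tuple[str, int, list[str]]]:
    """Score events in order and return (id, score, reasons) for those that alert."""
    history = defaultdict(list)        # vendor -> past amounts
    known_devices = defaultdict(set)   # user -> device fingerprints seen
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        score, reasons = score_event(ev, history, known_devices)
        if score >= ALERT_THRESHOLD:
            alerts.append((ev["id"], score, reasons))
        # Update baselines only after scoring so an event cannot vouch for itself.
        history[ev["vendor"]].append(ev["amount"])
        known_devices[ev["created_by"]].add(ev["device"])
    return alerts


if __name__ == "__main__":
    for payment_id, score, reasons in scan(SAMPLE_LOG):
        print(payment_id, score, "; ".join(reasons))
```

The beneficiary check carries the heaviest weight because a destination account that does not match the vendor master record is the direct signature of redirected funds; the amount, timing and device signals are corroborating and are deliberately too weak to alert on their own, which keeps a single late-night but otherwise normal payment below the threshold.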