ACCORDING to SOCRadar, between 28 February and 6 April 2026 the Iran-linked campaign tracked 1,583 verified incidents, of which 144 targeted financial institutions across 14 countries. Financial services was the second most targeted sector, accounting for 9.1% of the total campaign, with banks, insurers, exchanges, central banks, and regulators affected.
The month of April saw a shift from disruption to potential destruction, with eight destructive events in the first week and 16.7% of all incidents across sectors becoming destructive, compared with 0.4% in March.
The data also notes that Hacktivist and state-linked actors were involved, with Conquerors Electronic Army, NoName057(16), 313 Team, Anonymous For Justice, and Hider_Nex among those targeting finance, while a March 12 incident involving Handala wiped data from more than 200,000 devices at Stryker across 79 countries. It is also highlighted that MuddyWater had pre-positioned access prior to the main campaign, via two Python-based backdoors in a US bank, an airport, and other targets.