
Trusted, Credentialed, Dangerous: The New Insider Threat Facing Banks

When something becomes the new normal, it stops registering. Cyber threats target banks. Geopolitical actors attack their adversaries. Daily security intrusions barely make the headlines.  

Yawn. It’s Tuesday.  

Here’s what’s not normal — attackers are already inside your network, and their motive isn’t money like we’re conditioned to believe.  

The U.S. Treasury confirmed in March 2026 that North Korean IT workers generated nearly $800 million by sitting inside U.S. company networks on legitimate payrolls. That money was funneled into military and political activities, not into personal gain.

At the same time, Iran publicly named U.S. banks as military targets and deployed wiper malware through stolen administrator credentials. This wasn’t to steal money but to delete servers and shut operations down entirely.  

These are inside jobs, running on access that was granted, not stolen.  

Credentialed access has become the attack path, and it exposes a gap that traditional security controls were never designed to handle.  

To address it, banks must focus on limiting lateral movement and containing threats already inside their environment, not just preventing initial access.  

Legitimate access is a major attack vector

These state-sponsored threats targeting banks right now have one thing in common. The attack doesn’t break through your defenses. It becomes them.  

At the recent RSA Conference in San Francisco, Capital One Chief Technology Risk Officer Andy Ozment warned that North Korean operatives are securing remote employment at U.S. financial institutions using stolen American identities.

They’re clearing background checks, receiving corporate laptops, and sitting on bank networks with valid credentials issued by the institutions themselves. The FBI has warned since January 2025 that these workers also steal proprietary data and position themselves for long-term sabotage.  

In addition, following U.S. and Israeli military strikes in late February 2026, Iran’s military command issued a public statement explicitly naming U.S.-linked banks as military targets. Within days, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency alert to financial institutions confirming the threat vector was already in use.

The Iranian-linked group Handala Hack had already demonstrated the method: steal an administrator’s credentials through phishing, log into Microsoft Intune with that legitimate access, and wipe tens of thousands of systems across dozens of countries.

In both cases, the attackers are credentialed, trusted, and freely moving across your network.  

The blind spot banks haven’t fixed

The Ponemon Institute’s 2026 Cost of Insider Risks Global Report documents multiple cases of bank employees using legitimate access to assist criminal networks. This includes a fraud detection specialist sharing customer financial data with a crime ring, and a bank employee jailed for laundering on behalf of criminals.

These weren’t stolen credentials. They were verified employees with cleared backgrounds and valid access. The assumption that a known identity equals trusted behavior is wrong — and has been wrong for years.  

What makes the current moment structurally different is where that exploit enters. At RSAC 2026, Ozment explained that recruiters tend to see themselves as the friendly face of the institution rather than corporate risk managers.

The result is that the hiring process — the moment a foreign operative receives valid credentials from your own IT team — sits in an organizational no-man’s-land where nobody owns the security mandate.  

Banks have built layered defenses around their networks. They haven’t built equivalent defenses around the process that determines who gets access to those networks in the first place.  

That is the blind spot. And it isn’t a technology gap. It’s a governance gap.  

Fraud monitoring was built to detect financial anomalies, such as unusual transactions, suspicious transfers, or behavioral deviations from spending patterns. It was never designed to detect a politically motivated operative who shows up on time, does their job, and moves laterally through your systems with perfect plausibility.  

Transaction monitoring can’t surface a North Korean operative who isn’t stealing money. Perimeter controls can’t stop an Iranian actor who already has the administrator password.  

The controls that most banks have invested in most heavily are precisely the wrong tools for the threat they are facing right now.  

Your regulator is asking the same question

On March 3, 2026 — nine days before Iran publicly named U.S. banks as military targets — the New York State Department of Financial Services (NYDFS) sent an industry letter to the CISOs of every institution it regulates.  

The NYDFS called out three specific controls. Read them against everything above and the alignment isn’t coincidental:

  • Least-privilege access. This limits how far a credentialed attacker, whether a North Korean operative or an Iranian actor with stolen admin rights, can move once inside.
  • Monitoring for unauthorized activity. This is how you detect lateral movement from someone who cleared your hiring process.
  • Operational resilience testing. This is how you verify — not assume — that your containment architecture actually works under pressure.

The NYDFS isn’t describing future requirements. Every NYDFS-regulated institution must certify compliance with Part 500 by April 15, 2026.  

The regulatory conversation and the threat conversation are now the same conversation. Most banks are still having them in separate rooms.  

The question that actually matters

Banks have spent years building walls to keep threats out. But those walls are useless against legitimate access. Whether an operative is hired directly, steals credentials, or uses a physical stand-in for a drug test, they are already past the gate.  

Here’s the question every CISO needs to be able to answer for themselves:  

If a credentialed user on your network started moving laterally right now, how far would they get, how quickly would you know, and what would stop them?  
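Both halves of that question, and the least-privilege and monitoring controls the NYDFS letter names, can be checked concretely rather than assumed. The script below is an added illustration written for this post; it is not Illumio’s code or any bank’s tooling, and the host names, allow-rules, user names and authentication events are constructed. It does two things: it computes the blast radius of a single compromised host under a flat allow-policy and under a least-privilege policy, and it runs a simple fan-out detector over authentication events, alerting the first time one account reaches an unusual number of distinct hosts inside a short window.

```python
"""Added example: blast radius under two policies, and time-to-detect for
lateral movement in authentication logs. All data below is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed allow-rules: source host -> set of destinations it may reach.
# A flat network lets a workstation hop to the jump host and the core systems.
FLAT_POLICY = {
    "wks-42": {"hr-app", "file-srv", "jump-01", "core-banking-db", "swift-gw"},
    "jump-01": {"core-banking-db", "swift-gw", "file-srv"},
    "file-srv": {"core-banking-db"},
    "hr-app": set(), "core-banking-db": set(), "swift-gw": set(),
}
# Least-privilege version of the same estate: the workstation only reaches
# the two applications its owner actually uses.
LEAST_PRIVILEGE_POLICY = {
    "wks-42": {"hr-app", "file-srv"},
    "jump-01": {"core-banking-db"},
    "file-srv": set(), "hr-app": set(), "core-banking-db": set(), "swift-gw": set(),
}


def blast_radius(policy, start):
    """Hosts a credentialed user on `start` could reach over allowed flows (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for nxt in policy.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


# Constructed authentication events: (timestamp, user, source, destination, outcome).
AUTH_EVENTS = [
    ("2026-03-12T09:00:05", "j.doe", "wks-42", "hr-app", "success"),
    ("2026-03-12T09:01:10", "j.doe", "wks-42", "file-srv", "success"),
    ("2026-03-12T09:01:40", "j.doe", "wks-42", "jump-01", "success"),
    ("2026-03-12T09:01:55", "j.doe", "wks-42", "swift-gw", "failure"),
    ("2026-03-12T09:02:15", "j.doe", "wks-42", "core-banking-db", "success"),
    ("2026-03-12T09:30:00", "a.smith", "wks-17", "hr-app", "success"),
    ("2026-03-12T10:15:00", "a.smith", "wks-17", "file-srv", "success"),
]


def detect_fanout(events, window=timedelta(minutes=5), threshold=3):
    """Per-user sliding window over successful logons.

    Returns {user: (first_alert_time, sorted distinct destinations)} for each
    user that reaches `threshold` distinct hosts within `window`.
    """
    alerts = {}
    history = defaultdict(list)  # user -> [(timestamp, destination), ...]
    for ts_str, user, _src, dst, outcome in sorted(events):
        if outcome != "success":
            continue  # failed logons are a separate signal, not counted here
        ts = datetime.fromisoformat(ts_str)
        history[user].append((ts, dst))
        # Keep only events still inside the window ending at `ts`.
        history[user] = [(t, d) for t, d in history[user] if ts - t <= window]
        distinct = {d for _, d in history[user]}
        if len(distinct) >= threshold and user not in alerts:
            alerts[user] = (ts, sorted(distinct))
    return alerts


def time_to_detect_seconds(events, alerts, user):
    """Seconds between a user's first successful logon and their first alert."""
    firsts = [datetime.fromisoformat(e[0]) for e in events if e[1] == user and e[4] == "success"]
    return int((alerts[user][0] - min(firsts)).total_seconds())


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"{name}: wks-42 can reach {sorted(blast_radius(policy, 'wks-42'))}")
    found = detect_fanout(AUTH_EVENTS)
    for user, (when, hosts) in found.items():
        print(f"ALERT {user} reached {hosts} by {when.isoformat()}; "
              f"detected after {time_to_detect_seconds(AUTH_EVENTS, found, user)}s")
```

Under the flat policy the workstation reaches every host in the constructed estate, including the core banking database and payment gateway; under least privilege it reaches two applications and nothing beyond them. The detector flags `j.doe` on the third distinct host, 95 seconds after the first logon, while `a.smith`, who touches two hosts 45 minutes apart, produces no alert. Both checks are the kind of evidence a board or regulator can actually be shown, as opposed to a statement that containment exists.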

The issue is no longer whether banks need to act on lateral movement containment. It’s whether banks can show that they have acted — to their board, to their regulator, and to themselves.  

See how Illumio helps financial institutions reduce risk and maintain operational resilience.
