APAC banks hit by 92% of network attacks as fintech risk grows

Real-time payments and mobile services have expanded the number of exposed endpoints.

Financial institutions across Asia-Pacific (APAC) are facing a growing share of global cyberattacks as the region accounted for 52% of all global Layer 7 distributed denial-of-service (DDoS) attacks in 2025.

Akamai's latest State of the Internet Security report found that this marks the fourth consecutive year that the region has been the most targeted for application-layer attacks.

Layer 7 DDoS attacks are designed to overwhelm online banking portals, payment APIs and customer-facing applications with traffic that appears legitimate, making them more difficult to detect and block than traditional network-based attacks.

Within APAC, banking and fintech firms were the main targets, accounting for 44% and 38% of Layer 7 DDoS attacks, respectively. 

Banking institutions also represented 92% of lower-level network attacks recorded in the region.

The report said the growing complexity of financial services ecosystems is increasing exposure to cyber threats. 

Real-time payment systems, mobile banking platforms, fintech partnerships and customer-facing digital services have expanded the number of endpoints that organisations must secure. 

At the same time, competitive pressures and AI-assisted software development are accelerating the launch of new digital services.

Akamai warned that many organisations lack full visibility over their application programming interfaces (APIs), creating potential security gaps. 

Although 77% of financial services IT and security leaders in APAC believe they have a complete view of their API environments, only 27% know which APIs return sensitive data.

Globally, 96% of financial services organisations reported at least one API security incident in the past 12 months, the highest rate amongst all industries surveyed.

The report also highlighted the growing sophistication of cyber threats. 

Akamai recorded a 147% increase in advanced bot activity in late 2025, driven by AI-powered botnets that can mimic legitimate browser behaviour and evade conventional security controls.

Reuben Koh, Director of Security Technology and Strategy for APAC and Japan at Akamai, said many banks are building new digital services on top of legacy systems that can be difficult to patch or integrate securely. 

He warned that organisations that lack visibility over their APIs and sensitive data exposures are operating with elevated levels of risk.

The report said financial institutions should strengthen protections against application-layer DDoS attacks, network-based attacks and API exploitation, whilst investing in tools that can identify sensitive data exposure and abnormal API activity.

It also found that organisations using microsegmentation, which isolates critical applications to limit attacker movement within networks, responded to cyber incidents 33% faster than those without the technology. 

According to Akamai, faster response times can help reduce operational disruption and limit potential financial, regulatory and reputational impacts.