Hacker Attacks on NBU and àbank: Why Cybersecurity Standards Are Becoming Critically Necessary

Are Ukrainian financial institutions ready for modern cyberattacks? Are clients’ personal data sufficiently protected in the digital age?

Events in mid-February provided a clear answer: even large and systemically important organizations remain targets for cybercriminals. In just one week, cyberattacks on the National Bank of Ukraine and àbank became public, once again bringing to the forefront issues of cybersecurity standards, contractor responsibility, and users’ digital hygiene.

According to cybersecurity center statistics, the number of attacks on the financial sector is increasing quarterly, and today’s market situation demands radically new security approaches. In this article, we will examine the mechanics of recent breaches, explain the dangers of phishing, and determine which protection standards can stop hackers.

SUPPLY CHAIN

Why the NBU contractor was affected

On 19 February, the National Bank of Ukraine officially reported an incident involving an online shop selling numismatic products. It is worth noting that the attackers did not target the regulator’s internal network, but rather a contractor responsible for the development and technical support of the portal. This is a classic example of a supply chain attack.

Supply chain attacks are cyber threats in which attackers infiltrate a target organisation not directly, but via its contractors, software suppliers or service partners. Hackers exploit the trust placed in third-party components: software updates, libraries, cloud services or external development teams. As a result, malicious code or unauthorised access enters the system alongside legitimate processes. The more a business relies on its partner ecosystem, the broader the potential attack surface becomes.

For the financial sector, supply chain attacks have significant consequences:

  • Data breaches and fraud: a breach at a contractor could lead to the leakage of customers’ personal data and create opportunities for unauthorised transactions and phishing.
  • Reputational damage: even an indirect incident undermines the trust of customers and partners, which directly affects the stability of the financial institution.
  • Financial and regulatory risks: the large-scale nature of such attacks means direct losses, response costs and potential sanctions from regulators.

As a result of the incident, the personal data of users of the NBU store was compromised: first names, surnames, contact telephone numbers and delivery addresses. Although, thanks to the NBU’s isolated architecture, financial details and card data remained secure, the very fact that contact details were leaked is critical. These databases now serve as fuel for new waves of social engineering.

The Cloudflare platform reduces supply chain attack risks thanks to its Cloudflare Zero Trust architecture, which operates on the principle of “trust no one by default.” It limits access to corporate resources, continuously verifying users, devices, and session contexts. Combined with traffic filtering and protection from modern threats, this allows financial organizations to effectively control risks associated with the supply chain.

A MASSIVE CHALLENGE FOR FINTECH

àbank’s Case

The financial sector remains the most attractive target for cybercriminals on a global scale. Indeed, in 2024, 65% of financial organisations worldwide suffered ransomware attacks, the highest rate across all sectors. Furthermore, 97% of major banks in the US simultaneously faced incidents involving third parties, confirming a systemic problem of reliance on contractors. Meanwhile, the average cost of a single data breach in the financial sector reached $5.56–6.08 million by 2025, transforming investment in cybersecurity from an IT expense into a matter of business survival.

A further risk factor has been the sharp increase in the speed of attacks. Over the past four years, the time from initial access to data exfiltration has fallen by a factor of 100 and now averages around 25 minutes. This is largely due to the use of artificial intelligence in attacks: from automated phishing to rapid privilege escalation. At the same time, financial regulators worldwide are moving towards standardising requirements: the NIST Cybersecurity Framework 2.0 is becoming the baseline, the EU’s DORA (Digital Operational Resilience Act) is already in force, and outdated risk assessment models are gradually being phased out.

One of the most high-profile cases was the breach of Evolve Bank & Trust in May 2024, when the LockBit group stole around 33 TB of data via phishing. 7.6 million bank customers and millions of users of the fintech platforms Wise, Affirm, Stripe, Shopify, Bilt and Plaid were affected. The leak included SSNs, account numbers and dates of birth, and in 2025 the bank paid out $11.9 million in compensation. Such incidents confirmed the systemic nature of the problem: a ransomware attack on LoanDepot in 2024 affected 16.9 million customers, and in 2025–2026, prolonged compromises were even detected at PayPal and the regulator, the Office of the Comptroller of the Currency.

In the EU, third-party services have become a key risk factor. In 2024, Banco Santander suffered a data breach via the cloud provider Snowflake, resulting in the compromise of information belonging to tens of millions of customers and employees. The fallout from attacks on MOVEit affected Deutsche Bank and ING, whilst in 2025 Barclays and HSBC faced a wave of DDoS attacks and phishing. Collectively, these incidents have intensified regulatory pressure and the risk of multi-million-pound fines under the GDPR, making cyber resilience a critical requirement for banks.

Unfortunately, Ukrainian àbank also suffered one of the largest cyberattacks in its history. This occurred during the night of 15–16 February 2026, when some customers experienced unauthorised debits, which immediately caused a public outcry. The team managed to swiftly contain the threat, refund all funds to the affected customers and prevent a similar scenario from recurring.

Although each incident had a relatively positive outcome, together they clearly demonstrated that even banks with millions of customers are not immune to sophisticated cyberattacks. For the financial sector, this is further proof that traditional approaches to security no longer work without constant updates and proactive threat monitoring.

FROM LEAK TO THEFT

How mass phishing works

The greatest danger of data leaks such as the one at the NBU contractor lies in their further monetization through phishing. In this type of fraud, the user is lured to a fake page via SMS or email. In recent days, Ukrainians have been receiving messages allegedly from ‘Ukrposhta’ about ‘unsuccessful delivery’ due to a missing signature.

Fraudsters use stolen phone numbers to make the message appear personalized. The text contains a link to a fake site that mimics the design of the official postal service. The standard goal is to trick potential victims into entering their bank card information for ‘customs fee’ payment.
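The lure described above can be triaged on the defender's side by comparing every link in a message against the sender's official domain. The following Python sketch is an added example, not part of the original article; the allowlist, the lure phrases, the distance threshold and the sample messages with their `.example` hosts are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: allowlist, brand token and lure phrases.
OFFICIAL_DOMAINS = {"ukrposhta.ua"}
BRAND_TOKENS = {"ukrposhta"}
LURE_TERMS = ("unsuccessful delivery", "signature", "customs fee")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_official(host):
    """True for an allowlisted domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def host_findings(host):
    """Reasons a hostname looks like an imitation of an official domain."""
    host = host.lower().rstrip(".")
    if is_official(host):
        return []
    findings = set()
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.add("punycode-label")
    for label in re.split(r"[.-]", host):
        for brand in BRAND_TOKENS:
            if label == brand:
                findings.add("brand-in-unofficial-host")
            elif edit_distance(label, brand) <= 2:
                findings.add("brand-lookalike")
    return sorted(findings)

def triage_sms(text):
    """Classify one message as clean, review or suspicious."""
    hosts = [(urlsplit(u).hostname or "").rstrip(".") for u in URL_RE.findall(text)]
    findings = sorted({f for h in hosts for f in host_findings(h)})
    lures = [t for t in LURE_TERMS if t in text.lower()]
    if findings:
        verdict = "suspicious"   # a link imitates the brand
    elif lures and any(h and not is_official(h) for h in hosts):
        verdict = "review"       # lure wording plus an unrelated link
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "lures": lures}
```

A verdict of `review` covers messages that reuse the delivery or customs-fee wording but point to a host with no visible brand imitation; those still need a human or a reputation lookup.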

CONCLUSIONS

Why software development standards are critical for the state

The breach of the NBU contractor raises the question of whether a strict SDLC (software development life cycle) should be required for all state orders. When an external supplier works with citizens’ data, they must adhere to the same security standards as the state institution itself.

Firstly, an independent code and architecture audit should become mandatory. In the blockchain world, no serious project launches without security checks by top companies. Secondly, regular penetration tests are needed, in which ‘white hat hackers’ simulate attacks to identify vulnerabilities before criminals find them.

HOW TO PROTECT YOURSELF AND YOUR BUSINESS

Comprehensive solutions from iIT Distribution

The incidents at the NBU and àbank clearly demonstrated that in modern conditions, cybersecurity is not a separate product but a continuous risk management process. iIT Distribution works precisely in this direction, as a de-risking partner for all Ukrainian businesses, including financial institutions. We help reduce cyber risks at all levels: from architecture and access to supply chain and human factors.

Our key cooperation principle, “Ready for the unknown”, emphasizes that you may not know where the next attack will come from, but we at iIT Distribution prepare your organization for it in advance. We assist in building comprehensive protection ecosystems, capable of detecting previously unknown threats, preventing attacks through contractors, minimizing phishing impact, and acting in situations where time is of the essence. This proactive approach allows our partners and end customers to maintain customer trust, meet regulatory requirements, and remain resilient.

As the official distributor of the world’s market leaders, we provide access to technologies from leading cybersecurity solution manufacturers such as CrowdStrike, Cloudflare, Commvault, Vectra AI, Labyrinth, Ping Identity, GTB Technologies, Censys, and others. By choosing proven solutions, you invest in the stability of your business and the trust of millions of customers.

Contact our experts for a consultation and build a reliable cybersecurity strategy today!