Finance & Digital Assets - Quarkslab

Banks, neobanks, insurers, exchanges

739 incidents in 2025. The most targeted sector — and the most regulated.

Lazarus Group on SWIFT, reverse-engineered mobile banking apps, drained smart contracts. DORA now mandates formal offensive testing (TLPT) every 3 years for systemic financial entities. Quarkslab is qualified to carry them out.

  • 739 finance data incidents in 2025, #1 across all sectors (Verizon DBIR)
  • $2.9 B stolen in crypto in 2025 (smart contracts and private keys)
  • DORA: mandatory TLPT every 3 years, 22,000 EU entities concerned
  • Share of banking breaches via the supply chain: doubled in 4 years

WHY FINANCE REMAINS TARGET NUMBER 1

Lazarus Group & SWIFT: state-scale organized theft
Lazarus (Bureau 121, North Korea) runs massive theft campaigns — 11 weeks inside Bangladesh Bank's systems before detection. TA505 and Akira exploit VPN vulnerabilities (SonicWall, Fortinet) to reach EU core-banking systems.
APK RE & bypass of security controls
Banking applications are reverse-engineered to bypass root/jailbreak detection and certificate pinning, and to extract cryptographic keys from the binary. Third-party SDKs (analytics, advertising) introduce vulnerabilities into your apps that you neither wrote nor manage.
Mandated PSD2/PSD3 APIs: a structural attack vector
PSD2/PSD3 require APIs exposed to third-party providers. These APIs are documented BOLA/IDOR vectors: the caller is authenticated, but the account identifier it supplies is trusted, so a valid token can read other customers' accounts simply by changing the identifier. 52% of bankers anticipate the threat worsening in 2026.
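As an added illustration (not code from the Quarkslab page), the following Python shows the BOLA/IDOR pattern described above in an Open Banking style account endpoint: a handler that authenticates the TPP token but trusts the client-supplied account identifier, beside a hardened handler that checks the identifier against the consent bound to the token. Tokens, account IDs and balances are constructed sample data, and the function names are invented for this example.

```python
"""Added example, not from the Quarkslab page: BOLA/IDOR in an Open Banking style
account endpoint, and the object-level authorization check that closes it.
All tokens, account IDs and balances below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Consent:
    """PSD2-style consent: a PSU (customer) lets a TPP read specific accounts."""
    psu_id: str
    tpp_id: str
    account_ids: frozenset


# Constructed sample data: two customers of the same bank, one TPP (a budgeting app).
ACCOUNTS = {
    "acc-1001": {"owner": "psu-alice", "balance": "1250.00"},
    "acc-1002": {"owner": "psu-bob", "balance": "98.40"},
}
CONSENTS = {  # access token -> the consent it was issued under
    "tok-alice": Consent("psu-alice", "tpp-budgetapp", frozenset({"acc-1001"})),
    "tok-bob": Consent("psu-bob", "tpp-budgetapp", frozenset({"acc-1002"})),
}


def resolve_token(token):
    """Authentication only: which consent does this token belong to?"""
    consent = CONSENTS.get(token)
    if consent is None:
        raise PermissionError("invalid or expired token")
    return consent


def get_account_vulnerable(token, account_id):
    """BOLA/IDOR: authenticates the caller, then trusts the identifier from the URL.
    Any valid token reads any account by changing acc-1001 to acc-1002."""
    resolve_token(token)
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        raise KeyError("account not found")
    return {"account_id": account_id, **acct}


def get_account_hardened(token, account_id):
    """Object-level authorization: the identifier must be inside the consent bound to
    the token, and the record's owner must match the consenting customer (defence in
    depth against a stale consent). Unauthorized and unknown IDs both map to
    'not found' so the endpoint does not confirm which identifiers exist."""
    consent = resolve_token(token)
    if account_id not in consent.account_ids:
        raise KeyError("account not found")
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != consent.psu_id:
        raise KeyError("account not found")
    return {"account_id": account_id, "balance": acct["balance"]}


def idor_probe(handler, token, candidate_ids):
    """Tester's view: with one legitimate token, walk neighbouring identifiers and
    return those the endpoint serves. Anything beyond the consented accounts is BOLA."""
    readable = []
    for cid in candidate_ids:
        try:
            handler(token, cid)
        except (KeyError, PermissionError):
            continue
        readable.append(cid)
    return readable


if __name__ == "__main__":
    probe = ["acc-1000", "acc-1001", "acc-1002", "acc-1003"]
    print("vulnerable:", idor_probe(get_account_vulnerable, "tok-alice", probe))
    print("hardened:  ", idor_probe(get_account_hardened, "tok-alice", probe))
```

The hardened handler checks the consent scope, not merely the customer: a PSD2 account-information consent is granted per account, so an account the same customer owns but did not include in the consent must also be refused. Returning the same "not found" for unauthorized and non-existent identifiers denies the tester an oracle for enumerating valid account IDs.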
Unaudited smart contracts & poorly protected keys
$2.9 billion stolen in crypto in 2025, mainly via vulnerable smart contracts. MiCA now mandates a security audit for CASPs. Exchanges without an audit prior to licensing risk refusal or withdrawal of authorization.

OUR SERVICES

QREDTEAM

ADVERSARY SIMULATION

  • DORA / TIBER-EU TLPT — simulation of real financial APTs (Lazarus, TA505, Scattered Spider)
  • Mobile-banking Red Team — jailbreak bypass, certificate pinning, key exfiltration
  • Open Banking PSD2/PSD3 API testing — BOLA, IDOR, injection
  • SWIFT-infrastructure Red Team — simulation of documented Lazarus vectors
  • ATM and POS terminal pentest — firmware extraction, software skimming.

QLAB

DEEP SECURITY RESEARCH

  • ATM/POS firmware audit — binary extraction, manufacturer proprietary protocols
  • Binary analysis of mobile banking apps (APK/IPA) — full reverse engineering
  • Smart-contract and DeFi-protocol audit — reentrancy, logic bugs, oracle manipulation
  • HSM and cryptographic-component evaluation (side-channel analysis and fault injection, SCA/FIA) — physical resistance
  • Audit of third-party SDKs integrated into banking apps.

QSHIELD

SOFTWARE PROTECTION

  • Protection of mobile banking apps against reverse engineering and cloning
  • Obfuscation of scoring and fraud-detection algorithms
  • Protection of POS/ATM firmware against extraction and fraudulent modification
  • Anti-tamper for mobile-payment applications
  • IP protection of AI fraud-analysis models.

QUARKSLAB DIFFERENTIATOR

Large firms coordinate TLPTs but often subcontract the technical work; other players lack the offensive dimension. Quarkslab brings offensive technical depth (ATM firmware, app binary RE, smart contracts, HSM SCA/FIA) combined with the institutional qualification for DORA TLPTs — and QShield to protect what has been identified as exposed.

WHAT WE WOULD SAY TO EACH OTHER, FACE TO FACE

Is your next DORA TLPT scheduled — and who will actually run it?

DORA mandates TLPTs every 3 years. But a TIBER-EU TLPT is not a classic pentest: it requires genuine threat intelligence on the adversaries targeting your institution, a simulation of their documented TTPs, and a structured report for your regulator. The difference between a compliant TLPT and a re-labeled pentest is what your regulator will see in your file.