"TurboMirai is one of the main factors that drove these new peak heights," Akamai's Advisory CISO Steve Winterfeld told ISMG.
Akamai's data: scale, duration, and who was hit hardest
Akamai reported that network- and transport-layer denial-of-service attacks against financial services reached staggering volumes in 2025, with the number of such attacks hitting 2.41 billion and attack durations within the sector stretching 738% longer than before. The company says its findings come from traffic observed through its own web application firewall and cloud-based DDoS protection service.
Within financial services, banking was disproportionately affected: banks accounted for 60% of total web attacks and for more than 80% of API-related incidents, Akamai found. The provider also flagged that virtually every financial services firm surveyed experienced an API incident in the past year. Those API and DNS strikes, the report notes, can directly disrupt account payments, third-party access to financial data and payment initiation.
TurboMirai, Aisuru and the new class of AI-enabled botnets
Akamai attributed the new peak activity to a new class of botnets, naming TurboMirai and pointing to families such as Aisuru as examples capable of multi-terabit-per-second DDoS attacks. The report references related activity and prior disruptions (see: Aisuru, KimWolf Botnets Disrupted in International Operation).
Advanced bot activities surged by almost 150% in late 2025, the company said. Akamai observed attackers using AI to mimic legitimate browser behaviors and to disguise malicious traffic. "Now we're seeing a lot of those things done through AI - the reconnaissance, the agility in how you attack, the actions after you get in - it's increased the speed and complexity of the attacks," Winterfeld said. He added, "It's not that I didn't expect it. It's just the speed it's moving is surprising."
Targets and tactics: APIs, DNS and browser mimicry
Beyond raw volumetric DDoS, Akamai's data shows attackers shifting focus to the parts of financial infrastructure that support digital accounts and automated services. APIs and the domain name system were frequent targets, and the firm tied API incidents to interruptions in account payments and to blocking third-party access for payment initiation and data exchange. The combination of high-volume DDoS and more subtle application-layer mimicry reflects both capacity and sophistication.
Geopolitical patterns: Iran, Russia, Taiwan Strait, South China Sea and spikes tied to conflict
Akamai connected portions of the malicious traffic it observed to geographic and geopolitical patterns. Malicious traffic detected in Europe and the Middle East "tended to originate from Iran and Russia," the report says. Several large-scale attacks in Asia coincided with military drills in the Taiwan Strait and with naval standoffs in the South China Sea.
The company also linked a broader surge in activity to the onset of "U.S. and Israeli-instigated war in Iran," reporting a 245% spike in attacks on businesses in North America, Europe and parts of Asia-Pacific since that onset. The Financial Industry Regulatory Authority has warned that Iranian threat actors might be targeting U.S. banks. Winterfeld offered a geopolitical reading of state tolerance for cybercriminal activity: "The United States can impose sanctions against somebody like Russia for the Ukraine war. [Russia] can't do economic sanctions against us, but they can go tell some cyber criminals, 'Hey, since you live in our country and we don't arrest you for attacking America, we would love it if you would attack European banks. If it makes the news that people lose confidence in the banks and access to money, then that would have a political impact,'" he explained.
What this means for technologists, the Financial Industry Regulatory Authority, and banks
- Technologists and security teams: Akamai's telemetry shows attackers combining multi-terabit capacity with AI-driven mimicry and reconnaissance. Teams will need to account for attacks that both overwhelm bandwidth and emulate legitimate browser behavior to bypass protections.
- The Financial Industry Regulatory Authority: FINRA has already warned of potential targeting of U.S. banks by Iranian actors; the survey-backed finding that "virtually every financial service firm experienced an API incident" gives regulators concrete incident patterns to track across institution types and third-party integrations.
- Banks and procurement leaders: banking accounted for the majority of attacks and for more than 80% of API incidents, highlighting where investment and contractual resilience — especially around APIs, payment initiation paths, and DNS redundancy — are most likely to be tested.
Akamai's report ties three clear trends together: unprecedented volumes and durations of DDoS activity, a technical leap driven by AI-enabled botnets such as those described as TurboMirai and Aisuru, and a geopolitical tempo that correlates spikes in hostile traffic with regional and international conflicts. The company's telemetry-based conclusions — and Steve Winterfeld's repeated emphasis on the rapid acceleration of attack speed and complexity — leave a pointed question for defenders and policymakers alike: can detection and mitigation systems, and the international efforts that have disrupted botnets in the past, scale quickly enough to keep pace with multi-terabit, AI-augmented attack campaigns?
https://www.govinfosecurity.com/ai-botnets-drive-surge-in-financial-sector-ddos-attacks-a-31730




