
DDoS Attacks Surge 245% in APAC Financial Sector: From Background Noise to Boardroom Crisis


Akamai and FS-ISAC reveal how Asia-Pacific’s financial institutions are under siege from persistent, sophisticated DDoS campaigns — and why the next wave of cyber resilience begins with APIs, cloud hygiene, and zero-trust ecosystems.

A new report jointly published by FS-ISAC and Akamai Technologies has sounded the alarm across the Asia-Pacific financial sector, revealing a staggering 245% year-on-year surge in distributed denial-of-service (DDoS) attacks. The 2025 edition of “From Nuisance to Strategic Threat: DDoS Attacks Against the Financial Sector” paints a stark picture: financial institutions in APAC accounted for 38% of all Layer 3 and 4 volumetric DDoS attacks globally in 2024, up from just 11% the year prior.

Once dismissed as low-level cyber noise, DDoS attacks have become multi-dimensional threats targeting APIs, DNS, and cloud-based applications with precision and persistence. In Q4 2024 alone, over 20 financial institutions across six APAC nations were impacted by sustained, coordinated campaigns, many of which bore the signature of the same threat actor.

Financial Institutions in the Crosshairs

“DDoS attacks are becoming increasingly sophisticated, evolving from simple network flooding to targeted, multi-vector assaults that exploit intricate vulnerabilities across the entire supply chain,” said Teresa Walsh, Chief Intelligence Officer, FS-ISAC. “It is critical that we harden our infrastructure and foster a culture of continuous vigilance and collaboration to protect continuity and customer trust.”

The report highlights a dangerous trend: application-level (Layer 7) DDoS attacks are rapidly rising, driven by the proliferation of APIs in the banking and fintech space. These APIs, often deployed at scale in cloud-native environments, are creating new and often unseen vulnerabilities.

“DDoS attacks in APAC are no longer blunt-force attempts, but sophisticated multi-vector campaigns that exploit vulnerable systems and exposed APIs,” said Reuben Koh, Director of Security Technology & Strategy, APJ at Akamai. “As highly coveted target sectors like financial services accelerate digital growth, these continuous attacks pose growing operational and reputational risks.”

A Supply Chain Blind Spot

For Anshuman Pund, CISO at Suryoday Small Finance Bank, the biggest concern isn’t just the sophistication of the attackers — it’s the complacency of digital partners.

“With growing business requirements and ongoing digitization, banks are increasingly connecting with FinTechs and third-party digital service providers for use cases like digital lending, salary advances, insurance, sweep accounts, and more,” Pund said. “Most of these partners are cloud-native, and while they may offer basic security at launch, maturity across People, Process, and Technology takes time — and investment.”

He added that in many cases, these partners rely on free-tier DDoS protections provided by cloud providers — a risky shortcut that’s proving costly in today’s threat landscape.

“DDoS is the first line of defense where incoming traffic gets filtered. But basic DDoS services offer only rudimentary protection and are not designed to withstand targeted, volumetric, or application-layer attacks,” Pund warned.

He strongly recommends that all cloud service providers supporting BFSI workloads invest in standard or advanced DDoS mitigation solutions from day one.

“Nothing comes free in cybersecurity. Basic DDoS protection only addresses common network-layer threats like SYN floods. But for modern, layered attacks, standard or premium protection with advanced inspection and mitigation capabilities is not optional — it’s foundational.”

The API Explosion: Asset or Attack Vector?

Debojit Maitra, a leading cybersecurity analyst, reinforced the growing concern around APIs as an overlooked attack surface.

“Financial institutions, managing vast sensitive data and high-value transactions, have become prime targets,” Maitra said. “The dramatic jump in APAC’s share of global DDoS attacks reflects a shift toward multi-vector campaigns that go beyond bandwidth exhaustion. These attacks are increasingly exploiting exposed and undocumented shadow APIs.”

He added that while digital transformation is necessary, rapid deployment without strong governance often introduces blind spots, allowing attackers to mimic legitimate user behavior and slip through traditional defenses.

“The move from blunt-force attacks to precision-targeted ones — that simulate real traffic — is especially dangerous. They evade signature-based protections and overwhelm systems quietly,” Maitra noted. “These are not just attacks on networks. They’re disruptions that ripple through supply chains, business operations, and even regulatory oversight.”

Global Patterns, Local Risks

The report aligns regional data with global findings, noting that 37% of all volumetric DDoS attacks globally in 2024 targeted financial services, followed by gaming (20%) and manufacturing (17%). The financial sector has now topped the list for two consecutive years.

Importantly, geopolitical tensions — including the ongoing Russia-Ukraine and Israel-Hamas conflicts — have contributed to a rise in ideologically driven hacktivism. Many attacks, while unclaimed, are suspected to be part of broader campaigns to destabilize institutions viewed as symbols of economic power.

“For banks and fintechs in the region, DDoS is no longer just a nuisance — it’s a reputational and operational risk,” said Rushikant Shastri, VP – Technology at State Bank of India. “Downtime can trigger regulatory scrutiny, erode customer trust, and open the door to broader intrusions.”

Defending the New Digital Perimeter

To help institutions bolster their defenses, FS-ISAC and Akamai have co-developed a DDoS Maturity Model, a benchmarking framework that guides financial institutions in assessing their readiness and implementing structured defense strategies.

Core recommendations include:

  • Real-time behavioral analytics for anomaly detection
  • Threat intelligence-led automation to speed mitigation
  • Continuous testing and hardening of DNS, API gateways, and edge infrastructure
  • Geo-IP filtering to limit traffic from known hostile regions
  • Cross-sector collaboration through information-sharing platforms like FS-ISAC

Maitra praised the model as a pragmatic step but raised critical points: “While the report offers deep technical and strategic insight, there’s a strong narrative around Akamai’s mitigation capabilities. That raises concerns about vendor dependence. Institutions must ensure they’re not creating new single points of failure by outsourcing too much.”

He also warned about data interpretation bias, suggesting that the 245% surge could be partly due to better detection capabilities or underreporting in previous years.

Future Outlook: Proactive Resilience

As cybercriminals grow bolder and more organized, APAC’s financial institutions must build resilience — not just with tools and vendors, but through organizational culture and policy enforcement.

“Adaptive, intelligence-led defenses must be treated as core to business continuity, not as an IT function,” said Teresa Walsh. “Boards must ensure cyber risks are understood, funded, and regularly tested — especially as supply chain complexity increases.”

Pund echoed this: “We can’t just protect ourselves. We have to demand and enforce stronger controls across our digital ecosystem — partners, vendors, platforms — everyone. Otherwise, we’re only as strong as our weakest link.”

Conclusion: A Call to Rethink Cyber Readiness

The FS-ISAC–Akamai report is a powerful wake-up call. It exposes a rapidly shifting cyber threat landscape in which DDoS is no longer just digital noise, but a targeted, persistent, strategic weapon. In APAC’s financial sector — where APIs drive innovation, third-party integrations accelerate service delivery, and geopolitical instability fuels hacktivism — the stakes have never been higher.

To defend against this next generation of DDoS threats, institutions must move beyond reactive controls. As Maitra emphasized, “This threat is far from a mere nuisance. It’s an orchestrated assault on trust, uptime, and economic stability.”
