2 min read

Hong Kong's Cyber Threat Landscape: Inside the 2025 Data

ThreatBook Research Team : March 15, 2026

Threat Research

Inside the Cyber Threats Targeting Asia's Financial Hub

As a crossroads of Eastern and Western commerce, Hong Kong has become one of the most complex and high-stakes cybersecurity battlegrounds in the Asia-Pacific. Our 2025 Threat Landscape Report documents who is attacking, how, and why.

Download the Full Report ⤓

Ransomware Payment Rate — Far Above the 28% Global Average

4.2

Average Dwell Time for Data Theft Attacks (Global Avg: 2.8mo)

39.8

Phishing Success Rate vs. 24% Global Average

The Threat Landscape

A City Built on Commerce — and Cross-Border Risk

Hong Kong's cyberattack landscape reflects the city's unique position. Unlike other financial centers, data held by Hong Kong enterprises carries inherent cross-border value — a single customer list may span high-net-worth clients across Asia, Europe, and North America.

In 2025, the dominant attack types were data theft, phishing, APT infiltration, and ransomware. Each exploits a specific structural vulnerability of Hong Kong's business environment: its multilingual culture, its web of international regulatory obligations, its role as Asia-Pacific headquarters for global multinationals, and its time-zone position bridging East and West.

"Successful APT attacks on Hong Kong multinational headquarters typically grant access to branches across 8–12 Asia-Pacific countries."

30%

Data Theft

Attackers maintain 4.2-month average dwell times — collecting, analyzing, and maximizing the value of stolen intelligence before monetizing.

20%

Phishing

Hong Kong's multilingual environment and complex regulatory landscape produce a 39.8% phishing success rate — 65% above the global average.

19%

Data Breaches

Large-scale exfiltration of financial records, trade data, and investment strategies with direct monetization potential.

17%

APT Inflitration

60% of APT attacks target commercial entities — particularly Asia-Pacific HQs — rather than government agencies, reversing the global norm.

Why Hong Kong Ransomware Payments Are So High

At 43%, Hong Kong's ransomware payment rate dramatically exceeds the global 28% average. This is not accidental. Attackers have mapped Hong Kong's vulnerabilities with surgical precision: 60% of ransomware attacks are deliberately timed to fall one week before quarterly financial report deadlines, when any system disruption risks regulatory inquiry, stock price volatility, and investor confidence collapse.

Hong Kong's highly interconnected business ecosystem amplifies each attack. A single targeted company triggers a chain reaction — on average affecting 3–5 associated businesses. The city's multi-jurisdictional compliance burden (Hong Kong Monetary Authority, U.S. SEC, UK FCA) means that a credible data leak threat carries costs that far exceed the ransom itself.

APT Groups

The Three Primary Threat Sources

In 2025, APT attacks in Hong Kong maintained an average dwell time of 8.7 months — twice the global average — underscoring how deeply threat actors recognize the city's strategic value.

Lazarus	Stole $1.5B from a crypto exchange via a supply chain attack on Safe Wallet's AWS S3 bucket — the largest single cryptocurrency theft ever. Leverages social engineering across LinkedIn and WhatsApp to recruit insiders at target firms.	Finance . Crypto
Earth Bluecrow	Deploys the BPFDoor backdoor — operating at the Linux kernel level, triggered by "magic packet" sequences invisible to firewalls and port scans. Maintains dwell times of months or years. Intensified telecoms targeting in 2024–2025.	Telecoms . Infrastructure
LotusBlossom	Active since 2012 and continuously evolving its toolchain. Targets Hong Kong's commercial intelligence layer — trade flows, investment strategies, and regulatory communications — typically residing in networks for 8–12 months.	Government . Commerce

Ransomware Groups

Most Influential Groups Targeting Hong Kong

Three ransomware groups dominated Hong Kong's threat landscape in 2025, each demonstrating strong localized adaptation — with 94% of ransom notes written in Traditional Chinese and 67% accepting Hong Kong dollar payments.

Nightspire

Emerging · Double Extortion

Active since February 2025, NightSpire seized 250GB from a Hong Kong-based property development group in March. Operates in small teams, applying extreme time pressure — demanding payment within 48 hours.

RansomHub

RAAS · Exfiltration-First

Among the fastest-growing RaaS ecosystems globally. Exfiltrates data before deciding whether to encrypt — targeting financial services, insurance, and accounting outsourcing. Supply chain propagation is a hallmark.

Akira

RAAS · Multi-Mode Encryption

Linked to former Conti group members. Over 250 global victims and $40M+ in demanded ransoms in two years. Widely leverages LOLBins and legitimate remote tools to extend average detection times to 37 days.

Read the Full 2025 Hong Kong Threat Landscape Report

Silver Fox: Not an Organization, But a Tool - Uncovering the Underground Ecosystem

ThreatBook Research Team : 1 July 2023, 03:07 PM

Executive Summary For months, the cybersecurity community tracked what appeared to be a sophisticated cybercrime organization dubbed "Silver Fox"....

Threat Research

Understanding the Difference: Threat Intelligence, DRPS, and EASM — A Practical Guide

Nicholas Tan : 19 February 2026, 08:02 AM

As a cyber threat intelligence vendor, we've noticed a persistent confusion between Threat Intelligence, Digital Risk Protection Services (DRPS), and...

Security Operations

Why Enterprises Need Commercial Threat Intelligence

Nicholas Tan : 9 February 2026, 08:02 AM

In today's threat landscape, enterprises face sophisticated adversaries who operate with the resources and coordination of nation-states or organized...

Security Operations

Threat Intelligence

Threat Detection & Response

Digital Risk & Surface Protection

Use Cases

Industry

Resources

For Users

About ThreatBook