
Anatomy of a Breach: The Bangladesh Bank Heist — $81 Million Stolen Through the Global Banking System

> series: anatomy_of_a_breach —— part: 085 —— target: bangladesh_bank —— attempted: $951,000,000 —— stolen: $81,000,000

Hedgehog Security 31 January 2016 14 min read

They tried to steal $951 million. A typo saved $870 million. $81 million vanished.

On 4 February 2016, hackers submitted 35 fraudulent transfer requests through Bangladesh Bank's connection to the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network — the messaging system used by over 11,000 financial institutions worldwide to authorise interbank transfers. The requests, totalling approximately $951 million, instructed the Federal Reserve Bank of New York to transfer funds from Bangladesh Bank's account to accounts in the Philippines and Sri Lanka.

Most of the transfers were blocked — some by the Fed's automated compliance systems, and one because a transfer to a Sri Lankan entity named 'Shalika Fandation' was flagged due to the misspelling of 'Foundation'. But five transfers totalling $101 million were processed before the fraud was detected. Of that, $20 million to Sri Lanka was recovered, but $81 million routed to accounts in the Philippines — funnelled through casinos and money changers — was never fully recovered. The attack was later attributed to North Korea's Lazarus Group, the same state-sponsored unit behind the Sony Pictures attack.



Compromising the connection to the world's banking backbone.

Bangladesh Bank Heist — Attack Chain
── Initial Compromise ──────────────────────────────────────
Bangladesh Bank's SWIFT terminal computers compromised
Custom malware installed to manipulate SWIFT software
Malware suppressed printer output of transfer confirmations

── Fraudulent Transfers ────────────────────────────────────
35 transfer requests submitted totalling $951 million
Requests sent during Bangladesh weekend (Friday-Saturday)
Timed for when New York was open but Dhaka was closed

── Partial Success ────────────────────────────────────────
30 transfers blocked by Fed compliance systems
1 transfer flagged due to 'Fandation' misspelling
5 transfers totalling $101M processed successfully
$20M to Sri Lanka recovered; $81M to Philippines laundered

The global banking system is only as secure as its weakest member.

SWIFT Is a Trust Network

SWIFT operates on trust — when a bank sends a transfer request through SWIFT, the receiving bank trusts that it is legitimate. The Bangladesh Bank attackers exploited this trust by compromising the bank's own SWIFT terminal, making fraudulent requests appear authentic. For UK <a href="/blog/sector-under-the-microscope-financial-services">financial services firms</a>, the security of SWIFT connections and payment messaging systems is existentially critical.

North Korea Funds Its Regime Through Cybercrime

The Lazarus Group — behind both <a href="/blog/anatomy-of-a-breach-sony-pictures">Sony Pictures</a> and the Bangladesh Bank heist — demonstrated that North Korea uses cybercrime as a revenue-generating programme for the regime. This blurs the line between nation-state warfare and financial crime, creating a threat actor that is both sophisticated (state-sponsored) and financially motivated.

The Printer Hack

The malware specifically suppressed the SWIFT system's printer output — preventing the automatic printing of transfer confirmations that would have alerted bank staff to the fraudulent transactions. This level of operational planning (disabling specific monitoring mechanisms) demonstrates the sophistication of the attack. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for the disabling of logging and monitoring functions that attackers use to cover their tracks.

Timezone Exploitation

The attackers timed the transfers for Thursday evening New York time — the beginning of Bangladesh's weekend — ensuring that Dhaka staff would not be available to respond to queries from New York while the transfers were processed. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides 24/7/365 monitoring that covers weekends, holidays, and timezone gaps.

Payment systems require the highest security bar.

The Bangladesh Bank heist demonstrated that payment messaging systems — SWIFT, BACS, Faster Payments, CHAPS — require the highest level of security controls: dedicated, hardened terminals for payment messaging, multi-person authorisation for high-value transfers, real-time monitoring of payment activity, and continuous security testing of the infrastructure that supports payment operations.
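The three detective controls that the Printer Hack and Timezone Exploitation sections and the paragraph above point at (out-of-hours timing judged in the originating bank's own timezone, reconciliation of every outbound instruction against a confirmation record, and dual authorisation above a value threshold) can be expressed as a small review routine over a payment log. The code below is an added illustration written for this article, not Hedgehog Security's or SOC in a Box's code, and not anything Bangladesh Bank or SWIFT runs. The message ids, amounts, approver names, the UTC+6 offset used to stand in for Dhaka, and the $1,000,000 dual-authorisation threshold are all constructed assumptions.

```python
"""Added example: three detective controls run over a constructed payment log.

 1. Out-of-hours: convert the submission time to the originating bank's local
    zone and flag local weekend days or times outside business hours.
 2. Confirmation reconciliation: every outbound instruction must have a
    matching confirmation record; a missing one is the gap that suppressing
    printer output creates.
 3. Dual authorisation: transfers at or above a threshold need two distinct
    approvers.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Assumption: Bangladesh is UTC+6 with no DST, so a fixed offset stands in for
# Asia/Dhaka here; production code would use zoneinfo.
ORIGIN_TZ = timezone(timedelta(hours=6), name="Dhaka")
LOCAL_WEEKEND = {4, 5}                       # Monday=0 ... Friday=4, Saturday=5
BUSINESS_HOURS = (time(9, 0), time(17, 0))   # constructed policy
DUAL_AUTH_THRESHOLD = 1_000_000              # constructed policy threshold (USD)


@dataclass
class Transfer:
    msg_id: str
    amount_usd: int
    submitted_utc: datetime     # timezone-aware UTC timestamp
    approvers: tuple            # user ids that authorised the instruction


def is_out_of_hours(t: Transfer) -> bool:
    """True if submitted on the originating bank's weekend or outside its
    business hours, judged in the bank's own timezone."""
    local = t.submitted_utc.astimezone(ORIGIN_TZ)
    if local.weekday() in LOCAL_WEEKEND:
        return True
    start, end = BUSINESS_HOURS
    return not (start <= local.time() < end)


def missing_confirmation(t: Transfer, confirmed_ids: set) -> bool:
    """True if no confirmation record exists for this outbound instruction."""
    return t.msg_id not in confirmed_ids


def lacks_dual_auth(t: Transfer) -> bool:
    """True if a transfer at/above the threshold has fewer than two approvers."""
    return t.amount_usd >= DUAL_AUTH_THRESHOLD and len(set(t.approvers)) < 2


def review(transfers, confirmed_ids):
    """Return {msg_id: [reasons]} for every transfer that trips a control."""
    findings = {}
    for t in transfers:
        reasons = []
        if is_out_of_hours(t):
            reasons.append("out-of-hours")
        if missing_confirmation(t, confirmed_ids):
            reasons.append("no-confirmation")
        if lacks_dual_auth(t):
            reasons.append("single-approver")
        if reasons:
            findings[t.msg_id] = reasons
    return findings


# Constructed sample log. 2016-02-04 22:00 UTC is Thursday 17:00 in New York
# but Friday 04:00 in Dhaka, i.e. the start of the local weekend.
SAMPLE_TRANSFERS = [
    Transfer("MSG-001", 250_000, datetime(2016, 2, 3, 5, 30, tzinfo=timezone.utc),
             ("ops1", "ops2")),          # Wed 11:30 Dhaka, confirmed: clean
    Transfer("MSG-002", 20_000_000, datetime(2016, 2, 4, 22, 0, tzinfo=timezone.utc),
             ("ops1",)),                 # Fri 04:00 Dhaka, one approver, unconfirmed
    Transfer("MSG-003", 5_000_000, datetime(2016, 2, 4, 22, 15, tzinfo=timezone.utc),
             ("ops1", "ops2")),          # Fri 04:15 Dhaka, unconfirmed
]
SAMPLE_CONFIRMATIONS = {"MSG-001"}       # only the first instruction was confirmed


if __name__ == "__main__":
    for msg_id, reasons in review(SAMPLE_TRANSFERS, SAMPLE_CONFIRMATIONS).items():
        print(msg_id, ", ".join(reasons))
```

The point of judging the time in the originating bank's zone rather than the processing bank's is the whole timezone trick: the instructions looked like ordinary end-of-day traffic from New York's side and only look anomalous when the clock in Dhaka is consulted. The confirmation check is deliberately independent of the terminal that produced the instruction, since a compromised terminal can suppress its own evidence.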

For UK financial services firms, our penetration testing assesses payment system security including SWIFT terminal hardening. Cyber Essentials establishes baseline controls. SOC in a Box for Financial Services monitors payment system activity 24/7. And UK Cyber Defence provides incident response when payment system compromise is suspected.


A typo saved $870 million. Is your payment infrastructure tested?

Our <a href="/penetration-testing/infrastructure">penetration testing</a> assesses payment system security. <a href="https://www.socinabox.co.uk/sectors/ifas-wealth-managers">SOC in a Box</a> monitors payment activity. Because the next heist might not have a misspelling to save you.
