Updated on 10 Feb 2019

In 2016, it was determined that North Korea was linked to the $81 million Bangladesh cyber heist. We first reported on this incident in May of that year and surmised that it was a preventable attack. Our determination later proved correct: it turns out the institution knew it was unprepared but didn’t get a chance to boost its cybersecurity before the hack.

Amazingly, the attack could have been far worse – around a billion dollars would have been taken if instructions hadn’t been misspelled.

The link to North Korea was made by security researchers at the firm Symantec. In looking into the attack on the bank in Bangladesh, the researchers found a rare piece of code that has only ever been found in two other hacker attacks: Sony Pictures in December 2014, and media companies in South Korea in 2013. The FBI has said North Korea was responsible for the Sony Pictures attack.

Now the bank wants to get its $81 million back. The New York Federal Reserve is assisting Bangladesh’s central bank in a lawsuit filed Thursday to claw back $81 million in funds stolen during a 2016 North Korean hacking campaign. But they’re not going after Pyongyang directly.

Instead, Bangladesh Bank is suing a bank in the Philippines where the funds briefly landed before a complex series of transfers that diverted them to Filipino casinos after which they became untraceable. The New York Fed, which was holding the money when it was illegally transferred, is helping, including by urging people and organizations in the Philippines to help recover the funds, according to an agreement between the banks.

The case — which represents one of the biggest bank heists in modern history — demonstrates a supreme challenge facing cybercrime victims.

Old Analysis

In February 2016, instructions to steal US$951 million from Bangladesh Bank, the central bank of Bangladesh, were issued via the SWIFT network.

  • CID fails for the 10th time to submit a charge-sheet in court over the Bangladesh Bank reserves heist (17 Jan 2017)


  • The case was initiated under the Money Laundering Prevention Act and the ICT Act. Bangladesh Bank has already sought mutual legal assistance (MLA) from the Department of Justice (DOJ) and the Anti-Money Laundering Council (AMLC) of the Philippines, through the Attorney General’s office, to recover the stolen money from the Southeast Asian country.


  • The cyber fraud took place on the night of February 4, 2016, when a total of 35 transfer orders worth US$951 million were sent to the Fed; 30 of them, amounting to $850 million, were blocked. Hackers stole $101 million from Bangladesh Bank’s account at the Federal Reserve Bank of New York by sending fake orders through the SWIFT (Society for Worldwide Interbank Financial Telecommunication) transaction system. Of that money, $81 million was wire-transferred to bank accounts in the Philippines (Rizal Commercial Banking Corporation) and $20 million to Sri Lanka.
  • SWIFT is a Belgium-based cooperative of 3,000 organizations that maintains the messaging platform banks use to move money internationally. Since the incident, the central bank has used three tiers of authentication: e-mail, SWIFT message and phone.
  • Attempted fund diversion to Sri Lanka

– The $20 million transfer to Sri Lanka was intended by the hackers to go to the Shalika Foundation, a Sri Lanka-based private limited company. The hackers misspelled “Foundation” in their transfer request, spelling the word as “Fundation”. This spelling error raised suspicion at Deutsche Bank, a routing bank, which halted the transaction in question after seeking clarification from Bangladesh Bank.

  • Of the stolen money, Bangladesh Bank has so far brought back $35.25 million: $20 million from Sri Lanka shortly after the trans-national cyber heist and $15.25 million in November of last year from Manila. The remaining purloined money remains untraced.
  • Bangladesh Bank’s SWIFT network was made insecure by some bank employees in connivance with foreign parties. Contributing factors were the insider threat, reliance on cheap routers and computer systems lacking adequate firewall protection, and vulnerabilities in the SWIFT global messaging and payments system. While the first two authentication instruments (e-mail and SWIFT message) could be hacked or stolen, a fingerprint instrument would be impossible to hack.


  • Mandiant (a FireEye company), which is investigating the cyber heist, has reportedly identified the digital trail of hacker groups from North Korea and Pakistan. However, it is still unclear whether the third, unknown entity is part of a criminal network or a state-sponsored group. The investigation found that malware was installed on the bank’s systems sometime in January 2016 and gathered information on the bank’s operational procedures for international payments and fund transfers.
  • The BAE Systems report said the malware used against Bangladesh Bank exhibits “the same unique characteristics” as software used in “Operation Blockbuster,” a campaign documented by a coalition of security firms that dates back to at least 2009 and that includes the 2014 Sony breach. The hackers used custom-made malware to hide evidence and go undetected by erasing records of the illicit transfers. Technical similarities include encryption keys and the names of mutual exclusion objects (mutexes).


  • Anti-Forensic Concept

– In order to delete its configuration and log files, the bot calls an internal function that wipes these files so that their contents cannot be forensically recovered.

– The implementation of this function is unusual: the file is first completely filled with random data, so that every disk sector associated with it is overwritten, before it is deleted. The delete step is also unusual: the file is first renamed to a temporary file with a random name, and that temporary file is then deleted.


  • According to Mohammad Shah Alam (Consultant Forensic Head, CID), his investigation discovered that some bank officials had knowingly created vulnerabilities in the bank’s connection to the SWIFT system, amounting to negligent insider theft.
  • The Bangladesh Bank Governor says the new SWIFT system will be installed in March. Two years ago, Martin Ullman, a Prague-based SWIFT consultant, was browsing a LinkedIn forum for SWIFT users when he saw a posting from a recently appointed technician at the Central Bank of Solomon Islands (CBSI). The technician needed to install an upgrade to the bank’s SWIFT messaging system but didn’t know how. He wanted advice.
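The wipe, rename and delete sequence described under “Anti-Forensic Concept” above leaves a recognisable footprint in host file-activity telemetry: the same process overwrites a file, renames it to a random name and deletes the renamed file within moments. The detector below is an added example, not code from the article or from any of the investigating firms; the event layout and the sample events are constructed for illustration, and a real deployment would feed it from an EDR or Sysmon file-event source.

```python
"""Flag the overwrite -> rename -> delete pattern used to destroy logs.
Added example; FileEvent layout and SAMPLE_EVENTS are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float            # seconds since epoch
    pid: int             # process that performed the operation
    op: str              # "write", "rename" or "delete"
    path: str            # file acted on
    size: int = 0        # bytes written (write only)
    new_path: str = ""   # destination name (rename only)


def find_wipe_sequences(events, window=2.0):
    """Return (pid, original_path) for every file that one process wrote to,
    renamed, and then deleted under its new name within `window` seconds."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pid[e.pid].append(e)
    hits = []
    for pid, evs in by_pid.items():
        for i, w in enumerate(evs):
            if w.op != "write":
                continue
            renamed = None  # new name once the written file is renamed
            for r in evs[i + 1:]:
                if r.ts - w.ts > window:
                    break   # too slow to be the wiper's tight loop
                if renamed is None and r.op == "rename" and r.path == w.path:
                    renamed = r.new_path
                elif renamed is not None and r.op == "delete" and r.path == renamed:
                    hits.append((pid, w.path))
                    break
    return hits


# Constructed sample: pid 4242 wipes a config file; pid 7 is an ordinary
# user editing and, much later, deleting a note.
SAMPLE_EVENTS = [
    FileEvent(100.0, 4242, "write", r"C:\ProgramData\svc\bot.cfg", size=4096),
    FileEvent(100.1, 4242, "rename", r"C:\ProgramData\svc\bot.cfg",
              new_path=r"C:\ProgramData\svc\a8f3e1.tmp"),
    FileEvent(100.2, 4242, "delete", r"C:\ProgramData\svc\a8f3e1.tmp"),
    FileEvent(200.0, 7, "write", r"C:\Users\ops\notes.txt", size=120),
    FileEvent(260.0, 7, "delete", r"C:\Users\ops\notes.txt"),
]

if __name__ == "__main__":
    for pid, path in find_wipe_sequences(SAMPLE_EVENTS):
        print(f"pid {pid}: wipe/rename/delete of {path}")
```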


  • Anti-Money Laundering Council (AMLC) Executive Director Julia C. Bacay-Abad resigned on 31 Jan 2017.

The following teams have been hired by Bangladesh’s central bank to investigate the theft:

  • Criminal Investigation Department (CID) of Bangladesh Police, along with Mohammad Shah Alam, head of its forensics training institute
  • Rapid Action Battalion (RAB)
  • US-based cyber-security firms World Informatix and FireEye Inc.
  • BAE Systems

In Summary 

A look into SWIFT: SWIFT is a messaging system used by banks and financial companies. SWIFT messages include, but are not limited to, payment orders. The SWIFT network itself was not hacked. Instead, the hackers, operating from Egypt, penetrated the bank’s systems and installed malware. The malware modified the bank’s Alliance Access software, which reads and writes SWIFT messages and records transactions. The malware altered payment orders, increasing transaction amounts and changing payment destinations. It also changed the SWIFT payment confirmation messages back to the original amounts or deleted them entirely, so the bank’s own records no longer reflected what had actually been sent. A police investigation showed that Bangladesh Bank had no firewalls and was using second-hand, ten-dollar switches on its network. The Philippine bank was using a $25 router and default passwords. It is little wonder that the crooks were able to get into the networks. Anyone who takes security seriously knows that security demands investment. You can’t expect good results by picking cheap components off the shelf, plugging them in, and hoping they’ll work. The components need to be part of a coherent plan.
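Because the malware tampered with the bank’s local record of payment orders and confirmations, the local ledger alone could not reveal the fraud; the control that would have caught it is reconciling that ledger against an independently obtained statement from the correspondent (here, the Fed account). The function below is an added example, not the article’s or SWIFT’s code: it takes simplified reference-to-(amount, beneficiary) mappings, a stand-in for parsed MT or ISO 20022 messages, and the sample records are constructed.

```python
"""Out-of-band reconciliation of local payment orders against the
correspondent's statement. Added example; record layout and samples are
constructed and stand in for parsed SWIFT messages."""


def reconcile(local_orders, correspondent_statement, local_confirmations):
    """Return (reference, finding) pairs for every discrepancy between what
    the local system believes it sent and what the correspondent executed.

    local_orders / correspondent_statement: {ref: (amount, beneficiary)}
    local_confirmations: set of refs for which a confirmation is on file."""
    findings = []
    for ref, (amt, bene) in correspondent_statement.items():
        local = local_orders.get(ref)
        if local is None:
            findings.append((ref, "debited by correspondent but absent from local ledger"))
            continue
        l_amt, l_bene = local
        if l_amt != amt:   # order amount inflated in transit or in the local record
            findings.append((ref, f"amount mismatch: local {l_amt} vs correspondent {amt}"))
        if l_bene != bene:  # destination changed
            findings.append((ref, f"beneficiary mismatch: local {l_bene} vs correspondent {bene}"))
        if ref not in local_confirmations:  # confirmation suppressed or deleted
            findings.append((ref, "executed by correspondent but no confirmation recorded locally"))
    for ref in local_orders.keys() - correspondent_statement.keys():
        findings.append((ref, "in local ledger but not executed by correspondent"))
    return findings


# Constructed sample: TX001 is legitimate; TX002 was altered in amount and
# destination and its confirmation removed; TX003 never appears locally.
LOCAL_ORDERS = {
    "TX001": (1_000_000, "Example Supplies Ltd"),
    "TX002": (250_000, "Example Corp"),
}
CORRESPONDENT_STATEMENT = {
    "TX001": (1_000_000, "Example Supplies Ltd"),
    "TX002": (20_000_000, "Unrelated Beneficiary"),
    "TX003": (5_000_000, "Another Beneficiary"),
}
LOCAL_CONFIRMATIONS = {"TX001"}

if __name__ == "__main__":
    for ref, finding in reconcile(LOCAL_ORDERS, CORRESPONDENT_STATEMENT, LOCAL_CONFIRMATIONS):
        print(ref, "-", finding)
```

Run daily against a statement pulled over a channel the payment host cannot write to, so that a compromise of the Alliance server alone cannot hide the differences.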

Some banking malware: Dridex, Android/Spy.Agent.SI, Goznym, ZeuS, SpyEye.


2 Comments

  1. Pradeep Mishra says:

    Nice article Deepak representing detailed technical facts together on the issue 👍
