In February 2016, instructions to steal US$951 million from Bangladesh Bank, the central bank of Bangladesh, were issued via the SWIFT network.

  • The CID has again failed, for the 10th time, to submit a charge sheet in court over the Bangladesh Bank reserves heist (17 Jan 2017).


  • The case was initiated under the Money Laundering Prevention Act and the ICT Act. Bangladesh Bank has already sought mutual legal assistance (MLA) from the Department of Justice (DOJ) and the Anti-Money Laundering Council (AMLC) of the Philippines, through the attorney general's office, to recover the stolen money from the Southeast Asian country.


  • The cyber fraud took place on the night of February 4, 2016, when a total of 35 transfer orders worth US$951 million were sent to the Fed; 30 of them, amounting to $850 million, were blocked. Hackers stole $101 million from Bangladesh Bank’s account at the Federal Reserve Bank of New York by sending fake orders through the SWIFT (Society for Worldwide Interbank Financial Telecommunication) transaction system. Of that money, $81 million was wire-transferred to bank accounts in the Philippines (Rizal Commercial Banking Corporation) and $20 million to Sri Lanka.
  • SWIFT is a Belgium-based cooperative of 3,000 organizations that maintains a messaging platform that banks use to move money internationally. Following the incident, the central bank was following three tiers of authentication: e-mail, SWIFT message and phone.
  • Attempted fund diversion to Sri Lanka

– The hackers intended the $20 million transfer to Sri Lanka to go to the Shalika Foundation, a Sri Lanka-based private limited company. In their transfer request they misspelled “Foundation” as “Fundation”. This spelling error raised suspicion at Deutsche Bank, a routing bank, which halted the transaction in question after seeking clarification from Bangladesh Bank.

  • Of the stolen money, Bangladesh Bank has so far brought back $35.25 million: $20 million from Sri Lanka shortly after the transnational cyber-heist and $15.25 million from Manila last November. The rest of the stolen money remains untraced.
  • Bangladesh Bank’s SWIFT network was made insecure by some bank employees in connivance with some foreign people. Contributing factors were the insider threat, reliance on cheap routers and computer systems lacking adequate firewall protection, and vulnerabilities in the SWIFT global messaging and payments system. While the first two authentication instruments could be hacked or stolen, a fingerprint instrument would be impossible to hack.


  • FireEye’s Mandiant, which is investigating the cyber-heist, has reportedly identified the digital trail of hacker groups from North Korea and Pakistan. However, it is still unclear whether the third, unknown entity is part of a criminal network or a state-sponsored hacker. The investigation found that malware was installed on the bank’s system sometime in January 2016 and gathered information on the bank’s operational procedures for international payments and fund transfers.
  • The BAE Systems report said the malware used against Bangladesh Bank exhibits “the same unique characteristics” as software used in “Operation Blockbuster,” a campaign documented by a coalition of security firms that dates back to at least 2009 and that includes the 2014 Sony breach. The hackers used custom-made malware to hide evidence and go undetected by erasing records of illicit transfers. Technical similarities include encryption keys and names of programming elements known as mutual exclusion objects.


  • Anti-Forensic Concept

– To delete its configuration and log files, the bot calls an internal function that wipes these files so that their contents cannot be forensically restored.

– The implementation of this function is distinctive: it fills the file completely with random data in order to occupy all associated disk sectors before the file is deleted. The file-delete function itself is also unusual: the file is first renamed to a temporary file with a random name, and that temporary file is then deleted.
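
A defender-side illustration of the sequence described above, as an added example that is not from the original post or from any vendor report: it scans file-audit events for a process that overwrites a whole file, renames it, and then deletes the renamed file within a short window. The event layout, paths, PIDs and the 5-second window are assumptions, and the sample events are constructed.

```python
# Constructed audit events, not data from the incident.
# Assumed layout: (seconds, pid, op, path, detail)
#   write  -> detail = (bytes_written, file_size_before_write)
#   rename -> detail = new path
#   delete -> detail = None
EVENTS = [
    (100.0, 412, "write",  "/app/config.dat", (4096, 4096)),
    (100.2, 412, "rename", "/app/config.dat", "/app/k3v9qz.tmp"),
    (100.3, 412, "delete", "/app/k3v9qz.tmp", None),
    (200.0, 977, "write",  "/docs/report.doc", (20480, 20480)),  # plain save
    (300.0, 977, "rename", "/docs/old.txt", "/docs/old.bak"),    # no overwrite
    (300.5, 977, "delete", "/docs/old.bak", None),
    (400.0, 530, "write",  "/app/run.log", (8192, 8192)),
    (400.1, 530, "rename", "/app/run.log", "/app/run.log.1"),
    (4000.0, 530, "delete", "/app/run.log.1", None),             # much later
    (500.0, 611, "write",  "/app/trace.log", (100, 9000)),       # partial write
    (500.1, 611, "rename", "/app/trace.log", "/app/q8w1.tmp"),
    (500.2, 611, "delete", "/app/q8w1.tmp", None),
]


def find_wipe_sequences(events, window=5.0):
    """Return (pid, original_path, deleted_path) for every file that a single
    process fully overwrote, renamed and deleted within `window` seconds."""
    tracked = {}  # (pid, current path) -> (original path, overwrite time, renamed)
    hits = []
    for ts, pid, op, path, detail in sorted(events, key=lambda e: e[0]):
        key = (pid, path)
        if op == "write":
            written, size = detail
            if size > 0 and written >= size:      # whole file overwritten
                tracked[key] = (path, ts, False)
        elif op == "rename" and key in tracked:
            original, t0, _ = tracked.pop(key)
            if ts - t0 <= window:                 # follow the file to its new name
                tracked[(pid, detail)] = (original, t0, True)
        elif op == "delete" and key in tracked:
            original, t0, renamed = tracked.pop(key)
            if renamed and ts - t0 <= window:
                hits.append((pid, original, path))
    return hits


if __name__ == "__main__":
    for pid, original, deleted in find_wipe_sequences(EVENTS):
        print(f"pid {pid}: {original} overwritten, renamed to {deleted}, deleted")
```

Because the overwrite leaves no file content to recover, the audit trail of the overwrite, rename and delete operations is the evidence that survives, which is why the correlation is keyed on the process and follows the file across its rename.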


  • According to Mohammad Shah Alam (Consultant Forensic Head, CID), his investigations discovered that some bank officials had knowingly created vulnerabilities in the bank’s connection to the SWIFT system, which is akin to negligent insider theft.
  • The Bangladesh Bank Governor says the new SWIFT system will be installed in March. Two years ago, Martin Ullman, a Prague-based SWIFT consultant, was browsing a LinkedIn forum for SWIFT users when he saw a posting from a recently appointed technician at the Central Bank of Solomon Islands (CBSI). The technician needed to install an upgrade to the bank’s SWIFT messaging system but didn’t know how. He wanted advice.


  • Anti-Money Laundering Council (AMLC) Executive Director Julia C. Bacay-Abad resigned on 31 Jan 2017.

The team has been hired by Bangladesh’s central bank to investigate the theft.

  • Criminal Investigation Department (CID) of Bangladesh Police along with the head of forensics training institute Mohammad Shah Alam.
  • Rapid Action Battalion (RAB)
  • US-based cyber-security firms World Informatix and FireEye Inc.
  • BAE Systems

In Summary 

SWIFT is a messaging system used by banks and financial companies. SWIFT messages include, but are not limited to, payment orders. The SWIFT network itself was not hacked. But the hackers, operating from Egypt, penetrated the banks’ systems and installed malware. The malware modified the bank’s Alliance Access software, which reads and writes the SWIFT messages and records transactions. The malware altered payment orders, increasing transaction amounts and changing payment destinations. It also changed the SWIFT payment confirmation messages back to the original amounts or deleted them entirely.

A police investigation showed that Bangladesh Bank had no firewalls and was using second-hand, ten-dollar switches on its network. The Philippine bank was using a $25 router and default passwords. It’s little wonder that the crooks were able to get into the networks. Anyone who takes security seriously knows that security demands investment. You can’t expect good results by picking cheap components off the shelf, plugging them in, and hoping they’ll work. The components need to be part of a coherent plan.

Some banking malware: Dridex, Android/Spy.Agent.SI, Goznym, ZeuS, SpyEye.


2 Comments

  1. Pradeep Mishra says:

    Nice article Deepak representing detailed technical facts together on the issue 👍
