The SWIFT Heist
2016

Target: Bangladesh Central Bank
Impact: $81M stolen

Operational Briefing

A heist of cinematic proportions. Hackers infiltrated the bank's network, compromised the SWIFT terminal, and attempted to steal nearly $1 billion.

The Full Story

In February 2016, hackers attempted to steal $951 million from the Bangladesh Central Bank's account at the Federal Reserve Bank of New York. They used the SWIFT network to send fraudulent transfer requests.

The heist was only partially successful (stealing $81 million) because of a spelling mistake in one of the transfer requests ("fandation" instead of "foundation"), which triggered a manual review.

Technical Analysis

SWIFT Compromise

  • Infiltration: Malware (likely Dridex) delivered via phishing to bank employees.
  • Lateral Movement: Attackers moved from the general network to the SWIFT Alliance Access terminal.
  • Custom Malware: An evolution of the 'Evidencer' malware was used to hide the fraudulent SWIFT messages and delete log entries.
  • Money Laundering: Funds were funneled through casinos in the Philippines.
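The tampering described above (hiding outbound messages and deleting journal entries) is what an independent reconciliation is meant to catch. The following is an added example, not code from the original page or from any SWIFT product: it compares a local gateway journal against the correspondent bank's acknowledgments and reports hidden references and sequence gaps. The log format, references and beneficiary names are constructed and hypothetical.

```python
"""Reconcile the local SWIFT gateway log against an independent record of
outbound transfers. Two tampering signatures: messages absent from the local
log (hidden) and gaps in its sequence numbers (deleted). Data is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    seq: int            # local journal sequence number
    ref: str            # transaction reference
    beneficiary: str

def parse_local_log(lines):
    """Parse constructed 'seq|ref|beneficiary' lines; skip blanks and comments."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        seq, ref, beneficiary = line.split("|", 2)
        out.append(Transfer(int(seq), ref, beneficiary))
    return out

def reconcile(local, independent):
    """Refs the correspondent acknowledged but the local log lacks, plus
    sequence numbers missing from the local journal's contiguous range."""
    local_refs = {t.ref for t in local}
    hidden = sorted(t.ref for t in independent if t.ref not in local_refs)
    seqs = sorted(t.seq for t in local)
    expected = set(range(seqs[0], seqs[-1] + 1)) if seqs else set()
    return {"hidden": hidden, "sequence_gaps": sorted(expected - set(seqs))}

# Constructed: the local journal after two entries were removed.
LOCAL_LOG = """# seq|ref|beneficiary
1001|TRX-0001|Acme Shipping Ltd
1002|TRX-0002|Dhaka Textiles
1005|TRX-0005|Harbor Logistics
"""

# Constructed: what the correspondent bank acknowledged (independent copy).
ACKNOWLEDGED = [
    Transfer(1001, "TRX-0001", "Acme Shipping Ltd"),
    Transfer(1002, "TRX-0002", "Dhaka Textiles"),
    Transfer(1003, "TRX-0003", "Shalika Fandation"),
    Transfer(1004, "TRX-0004", "Example Foundation"),
    Transfer(1005, "TRX-0005", "Harbor Logistics"),
]

def run():
    return reconcile(parse_local_log(LOCAL_LOG.splitlines()), ACKNOWLEDGED)
```

The independent copy must come from outside the compromised host (the correspondent's acknowledgments or a network-level capture), otherwise the same malware can alter both records.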


Event Timeline

  • Jan 2016: Initial infiltration of Bangladesh Bank network.
  • Feb 4, 2016: Hackers send 35 fraudulent SWIFT requests.
  • Feb 5, 2016: Spelling error triggers manual review; 30 requests blocked.
  • March 2016: Investigation reveals Lazarus Group involvement.
Tags: SWIFT, Bank Heist, Lazarus Group