Bangladesh Bank — SWIFT heist
Lazarus Group operators issued 35 fraudulent SWIFT transfer instructions totalling $951M against Bangladesh Bank's account at the Federal Reserve Bank of New York; $101M was sent, and the $81M that cleared via Manila was laundered through casinos before the heist was detected.
- Target
- Bangladesh Bank — SWIFT heist
- Date public
- 4 February 2016
- Sector
- Financial Services
- Attack type
- Nation State
- Threat actor
- Lazarus Group (DPRK)
- Severity
- Critical
- Region
- Bangladesh / Federal Reserve Bank of New York
In February 2016 North Korean hackers attempted to steal $951 million from Bangladesh's central bank by sending fake transfer instructions through SWIFT, the international interbank messaging network. They had been on the bank's network for months learning its systems, and they suppressed the printer that would have alerted staff to the fraudulent transactions. Five of the 35 transfers cleared, sending $101 million towards accounts in the Philippines and Sri Lanka; the $20 million bound for Sri Lanka was recovered, but the $81 million that reached the Philippines was laundered through Manila casinos and never recovered. Had every transfer gone through, it would have been the largest bank robbery in history. The case is the canonical demonstration that the SWIFT network is only as secure as its weakest member bank.
In February 2016 attackers issued 35 fraudulent SWIFT messages from Bangladesh Bank's account at the Federal Reserve Bank of New York, requesting the transfer of nearly $1 billion to accounts in the Philippines and Sri Lanka. Five of the messages cleared, sending $101 million on its way before the operation began to unravel. Eighty-one million reached Rizal Commercial Banking Corporation in Manila, was converted to pesos, fed through Philippine casinos, and disappeared. The remaining $20 million, routed through Deutsche Bank to a beneficiary in Sri Lanka, was held when the instruction misspelled the beneficiary's name ("Fandation" for "Foundation") and the routing bank queried it; that money was returned. The other 30 instructions were stopped at the Fed by a separate accident: the word "Jupiter", the name of the Manila street where the receiving RCBC branch sat, matched the name of a sanctioned Iranian vessel and tripped a sanctions screen. The robbery would have been the largest bank heist in history if every transfer had cleared.
The intrusion was traced to malware that had been resident on the bank's systems for months. Lazarus operators had compromised the SWIFT Alliance Access software the bank used to connect to the international payment network and planted malware that patched the application's validity checks, deleted the fraudulent transfers from the local transaction database, altered the bank's confirmation messages, and disabled the printer that produced the paper audit trail of overnight transactions. When staff arrived on the Friday morning, the printer had been silent overnight and the alerts that should have flagged the activity had been suppressed at the source. By the time anyone checked manually, the Bangladeshi weekend (Friday and Saturday) had begun and the funds were already in motion across multiple jurisdictions and time zones.
The U.S. Department of Justice attributed the heist to North Korean state-sponsored actor Park Jin Hyok in a 2018 criminal complaint, naming him as an operator behind the Bangladesh Bank intrusion, the 2014 Sony Pictures attack, and the WannaCry ransomware outbreak. The same complaint associates Park with "Lab 110", a unit of the DPRK's Reconnaissance General Bureau. Lazarus has since been linked to dozens of subsequent SWIFT-targeted operations against banks in South-East Asia, Latin America, and Africa, and to large cryptocurrency thefts (the Ronin bridge, Atomic Wallet, Bybit) that became the group's preferred funding model as SWIFT members hardened their controls.
Defender takeaway: the SWIFT credentials were not the weakness. The weakness was that the bank's interbank-settlement environment, the network it was attached to, and the enterprise IT estate were one network. Investigators later reported that the SWIFT room was linked to the rest of the bank through cheap second-hand switches with no firewall in between, so the external-facing email server, the internal directory services and the host running SWIFT Alliance Access were all reachable from one another. Once the attackers had any foothold on the corporate network, lateral movement to the SWIFT host was unimpeded. The SWIFT Customer Security Programme launched later in 2016 in response; its Customer Security Controls Framework mandates segregation of the SWIFT-connected environment from the rest of the bank's IT estate, codifying as a control what defenders had been advising for two decades. Beyond segmentation, the heist shows that detection which depends on a single output channel, here a printer driven by the compromised host, fails the moment that channel is compromised. Independent verification of high-value transactions through a path the attacker cannot reach, such as reconciling the correspondent's own account statement against the local record of instructions, is the second control that would have stopped this operation.
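As an added example (not code from the page, from Bangladesh Bank or from SWIFT), here is the independent-verification control from the takeaway above applied to the tampering described in the intrusion paragraph: reconcile the local record of outbound instructions against the correspondent's statement for the nostro account, received over a path the SWIFT host does not control. The statement layout is a simplified MT950, the references, amounts and account labels are constructed, and a real deployment would pull the statement from a separate terminal or the correspondent's portal rather than from the same Alliance Access host.

```python
"""Nostro reconciliation against the correspondent's own statement.

Added example; not code from the page, from Bangladesh Bank or from SWIFT.
The malware made the local SWIFT interface lie: it deleted the fraudulent
transfers from the local database and silenced the printed confirmations.
The correspondent's statement for the nostro account is a record the
attacker on the SWIFT host cannot edit, provided it arrives over a separate
path.  Layout is simplified MT950; all data below is constructed.
"""
import re
from decimal import Decimal

# Simplified MT940/MT950 ':61:' statement line: value date YYMMDD, optional
# entry date MMDD, debit/credit mark (R-prefixed = reversal), optional funds
# code, amount with comma decimal separator, transaction type (e.g. NTRF),
# customer reference, optional //bank reference.
STMT_LINE = re.compile(
    r"^:61:(?P<vdate>\d{6})(?P<edate>\d{4})?(?P<dc>R?[DC])(?P<fc>[A-Z])?"
    r"(?P<amount>\d+,\d{0,2})(?P<ttype>[A-Z]\w{3})(?P<ref>[^/]+?)"
    r"(?://(?P<bankref>\S+))?$"
)

# Outbound instructions as the local Alliance Access database shows them
# after the attacker has cleaned up: reference -> amount (USD). Constructed.
LOCAL_LEDGER = {
    "FT16035BB001": Decimal("2500000.00"),
    "FT16035BB002": Decimal("750000.00"),
    "FT16035BB003": Decimal("1200000.00"),
    "FT16035BB006": Decimal("300000.00"),  # sent, not yet booked by the Fed
}

# Statement received over an independent channel. Constructed; the two
# large debits have no counterpart in the local ledger at all.
NOSTRO_STATEMENT = """\
:20:STMT-160205-01
:25:NOSTRO-USD-EXAMPLE
:28C:35/1
:60F:C160204USD1030000000,00
:61:160204D2500000,00NTRFFT16035BB001//CORR0001
:86:/BENM/EXAMPLE TRADING CO
:61:160204D7500000,00NTRFFT16035BB002//CORR0002
:61:160204D1200000,00NTRFFT16035BB003//CORR0003
:61:160204C5000000,00NTRFINCOMING0001//CORR0004
:61:160204D81000000,00NTRFFT16035BB004//CORR0005
:86:/BENM/UNKNOWN BENEFICIARY ACCOUNT 1
:61:160204D20000000,00NTRFFT16035BB005//CORR0006
:86:/BENM/UNKNOWN BENEFICIARY ACCOUNT 2
:62F:C160205USD922800000,00
-
"""


def parse_statement(text):
    """Return the ':61:' entries as dicts; a following ':86:' detail line,
    if present, is attached under 'info'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = STMT_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["amount"] = Decimal(entry["amount"].replace(",", "."))
            entry["info"] = ""
            entries.append(entry)
        elif line.startswith(":86:") and entries:
            entries[-1]["info"] = line[4:]
    return entries


def reconcile(local_ledger, statement_text):
    """Match every debit the correspondent booked against the local record of
    outbound instructions. Returns (finding, reference, booked, local)."""
    findings, seen = [], set()
    for entry in parse_statement(statement_text):
        if entry["dc"] != "D":  # credits and reversals are out of scope here
            continue
        ref, booked = entry["ref"], entry["amount"]
        seen.add(ref)
        local = local_ledger.get(ref)
        if local is None:
            # Money moved with no local instruction: the signature of records
            # deleted from the local SWIFT database.
            findings.append(("UNRECORDED_DEBIT", ref, booked, None))
        elif local != booked:
            # Instruction altered in transit, or the local copy was edited.
            findings.append(("AMOUNT_MISMATCH", ref, booked, local))
        else:
            findings.append(("MATCHED", ref, booked, local))
    for ref in sorted(set(local_ledger) - seen):
        # Normal for same-day items; follow up if it outlives the next statement.
        findings.append(("NOT_YET_BOOKED", ref, None, local_ledger[ref]))
    return findings


def unexplained_exposure(findings):
    """Total the local ledger cannot account for: unrecorded debits plus
    the excess on mismatched ones."""
    total = Decimal("0")
    for kind, _, booked, local in findings:
        if kind == "UNRECORDED_DEBIT":
            total += booked
        elif kind == "AMOUNT_MISMATCH" and booked > local:
            total += booked - local
    return total


if __name__ == "__main__":
    results = reconcile(LOCAL_LEDGER, NOSTRO_STATEMENT)
    for kind, ref, booked, local in results:
        print(f"{kind:17} {ref:14} booked={booked} local={local}")
    print("unexplained exposure USD", unexplained_exposure(results))
```

The check only has value if the statement cannot be reached from the compromised host: a statement pulled through the same Alliance Access instance could be edited by the same malware that edited the confirmations. It also catches only what the correspondent has already booked, which is why the alerting condition is an unrecorded or mismatched debit rather than a missing local record, and why the reconciliation belongs on a fixed schedule that does not pause for a local weekend.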
Controls that would have helped
Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
- Workload-based segmentation so a single intrusion can't spread laterally: A flat workload network is one bad day from a NotPetya. Workload-level policy enforcement, identity-aware and application-aware, is the single biggest blast-radius limit in the catalogue.
- Set DMARC to p=reject, with DKIM and SPF aligned: A reject-policy DMARC record stops attackers spoofing your domain to your suppliers, customers and staff. The configuration is free and the regulators are unanimous.
Sources
- Bangladesh Bank robbery — Wikipedia // reporting
- FBI Wanted: Park Jin Hyok // primary
- U.S. v. Park Jin Hyok — DOJ press release // primary