The Bangladesh Bank Heist
By Tanzeer Hossein
The 2016 massive cyberattack on Bangladesh Bank, the central bank of Bangladesh, remains one of the most striking examples of the sophistication of cybercrime. The goal was to steal nearly $1 billion from the bank’s accounts at the Federal Reserve Bank of New York. Although the target wasn’t met, the attackers still managed to successfully transfer $81 million to accounts in the Philippines. The attack exposed significant vulnerabilities in global financial systems, particularly in the reliance on the SWIFT network and the cybersecurity protocols of individual banks.
The attackers, likely linked to the Lazarus Group (an infamous hacking group, allegedly based in North Korea) gained unauthorized access (via phishing) to Bangladesh Bank’s SWIFT systems, manipulating it to send out fraudulent transfer requests. Through the phishing attack, they gained access to the SWIFT accounts, alongside having the opportunity to start spreading malware.
Once access was gained, the attackers were easily able to bypass the security measures, initiate the 35 transfers that totaled $951 million and finally cover their footprint by deleting all the transactions. While many of the transactions were blocked, $81 million was successfully sent to Filipino accounts, believed to be in the casino sector. They apparently chose Filipino casinos due to the lax anti-money laundering regulations that applied, allowing them to move large sums of money without drawing much attention. The hackers converted the stolen funds into casino chips and then cashed them out, effectively laundering the money.
The heist was uncovered due to incorrect spelling in some transfers, which then triggered a review of all transactions. That then led to the discovery of the fraudulent activities and allowed the bank and contracted cyber security experts to start investigating further. As of now, Bangladesh Bank hasn’t yet recovered the stolen $81 million. While a small portion of funds have been recovered, a significant amount remains missing. This case has engendered many lawsuits, but the full recovery of the money remains elusive, showing the challenge of reclaiming stolen assets in a world-wide, digitally interconnected financial system.
The Bangladesh Bank attack offers several crucial lessons for the financial industry and cybersecurity. It underscores the importance of strong cybersecurity measures, particularly in safeguarding critical financial infrastructure like SWIFT. The attack also highlights the significance of the human element in cybersecurity; falling victim to a phishing attack had catastrophic consequences in this case. Financial institutions must continuously update their security protocols, conduct regular audits to ensure system integrity, and provide comprehensive training for their staff to recognize and prevent such threats.
In response to the attack, significant changes were made within the banking industry. The SWIFT network started introducing stricter security controls, this included mandatory two-factor authentication, and enhanced monitoring systems (such as frequent audits) to detect potentially fraudulent activities. Financial institutions began adopting more protected cybersecurity practices and policies, introducing more advanced threat detection technologies. Additionally, an emphasis on greater cooperation between banks and regulatory organizations was introduced. These changes aim to strengthen the resilience of the financial system against any future cyber threats, on top of attempting to close any regulatory gaps attackers may try to exploit.
In conclusion, the heist of Bangladesh Bank is a stark warning of the growing threat posed by cybercriminals to the interconnected digital word. It underscores the necessity for thorough vigilance, continuously improving cybersecurity measures, and more international collaboration to improve protection. The lessons learned from this incident remain key teaching points for financial institutions when considering how they protect their assets and integrity.