The $1,000,000,000 North Korean Bank Heist

Kento Bento
6 Aug 2018 · 14:44

Summary

TL;DR: In February 2016, Bangladesh Bank fell victim to one of the largest cyber heists in history, losing nearly $1 billion. Hackers, later linked to North Korea's Lazarus Group, used malware to access the bank's SWIFT system, timing their attack around weekends and holidays to maximize delays. While most transfers were blocked by lucky coincidences and vigilant banks, $81 million was successfully laundered through Philippine accounts and Macau, likely funding North Korea’s programs. This audacious operation highlighted vulnerabilities in global banking security, the sophistication of nation-state cybercrime, and the high stakes of international finance in the digital age.

Takeaways

  • 💰 In February 2016, Bangladesh Bank suffered a cyber heist in which attackers attempted to steal nearly $1 billion via fraudulent SWIFT transfers.
  • 🖨️ The theft was partly facilitated by a printer malfunction, which delayed the bank staff from noticing the suspicious transactions in time.
  • 📧 The hackers gained access to the bank's systems by sending a malicious email to an employee, which installed malware on the network.
  • 🕵️‍♂️ The malware allowed the attackers to spy on operations and gather legitimate SWIFT credentials to manipulate international transfers.
  • 🌍 The fraudulent transfers targeted Bangladesh Bank's account at the Federal Reserve Bank of New York, sending funds to accounts across Asia.
  • 🇵🇭 Four of the remaining transfers ended up in dormant accounts in the Philippines, which were later used to launder money through casinos.
  • 🇱🇰 One $20 million transfer was intercepted in Sri Lanka due to employee suspicion, helping recover some of the stolen funds.
  • ⏱️ Timing and delays across weekends and holidays in Bangladesh, the US, and the Philippines were exploited to aid the heist.
  • 👥 The group behind the attack, Lazarus, had ties to North Korea, as evidenced by IP addresses and Korean language in the malware code.
  • 💻 Lazarus has a history of cybercrime, including attacks on financial institutions, South Korean infrastructure, and Sony Pictures.
  • 🏦 The attack demonstrates the importance of robust cybersecurity measures at the institutional level, not just relying on secure networks like SWIFT.
  • 🔄 The stolen funds were likely funneled through Macau to North Korea, potentially supporting the country’s nuclear program and elite expenditures.

Q & A

  • What event triggered the Bangladesh Bank heist in February 2016?

    -The heist was triggered by a bank employee inadvertently clicking on a malicious email in January 2016, which installed malware on the central bank's computer systems and gave hackers access to SWIFT credentials.

  • How did the hackers manipulate the Bangladesh Bank's SWIFT system?

    -Using malware to steal the bank's legitimate SWIFT credentials, the hackers were able to send fraudulent transfer requests as if they were authorized bank employees.

  • Why did the bank’s printer malfunction play a key role in the heist?

    -The printer malfunction delayed the printing of real-time transfer confirmations, preventing bank employees from noticing the suspicious transactions immediately and buying the hackers crucial time.

  • How much money did the hackers attempt to steal, and how much was actually lost?

    -The hackers attempted to steal $951 million through 35 transactions. Most of it was blocked, but $101 million was successfully stolen.

  • Why did some of the fraudulent transactions get flagged in New York?

    -Thirty transactions were flagged for manual review due to coincidences such as blacklisted shipping companies and unusually large amounts, which alerted the Federal Reserve Bank to potential fraud.

  • Where did the successfully stolen funds end up?

    -Twenty million went to a fake NGO in Sri Lanka but was recovered. The remaining $81 million was sent to four fake accounts at the RCBC Bank in the Philippines and laundered through casinos, eventually reaching Macau.

  • Who were the intermediaries involved in laundering the stolen funds?

    -Two Chinese men, Ding and Gao, set up fake accounts in the Philippines as middlemen to facilitate the transfer of funds to Macau, likely for North Korea.

  • Which group was responsible for the Bangladesh Bank heist and other cyberattacks?

    -The Lazarus Group, a cybercrime and cyberterrorism organization, was identified as responsible, with ties to North Korea.

  • What evidence linked Lazarus to North Korea?

    -Server logs revealed at least one access from a North Korean IP address, and Korean-language text was embedded in the malware code. While it's possible this could have been a false flag, most cybersecurity experts believe North Korea was behind the attacks.

  • What is SWIFT and why is it normally secure?

    -SWIFT is a global payment network for sending trusted international payment orders securely. It is considered secure because it transmits instructions rather than actual funds, relying on banks’ internal security measures.

  • How did international holidays impact the heist's success?

    -The timing of the Bangladesh weekend, the U.S. weekend, and Chinese New Year in the Philippines created delays in stopping the fraudulent transfers, benefiting the hackers at every step.

  • What broader implications could a state-sponsored cyber heist like this have?

    -If a nation-state like North Korea is indeed behind the heist, it demonstrates the potential for governments to fund themselves through cybercrime, target political or financial systems, and possibly interfere in global infrastructure and security.
