
2016 SWIFT Bangladesh heist

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Title: 2016 SWIFT Bangladesh heist
Date: February 2016
Location: Dhaka, Bangladesh
Target: Bangladesh Bank accounts at the Federal Reserve Bank of New York
Type: Cyberheist
Methods: Malware, fraudulent SWIFT messages, insider assistance
Amount: US$81 million successfully stolen; US$850 million attempted
Perpetrators: Attributed to groups linked to the Lazarus Group and North Korea
Outcome: Partial recovery, international investigations, reforms

The 2016 SWIFT Bangladesh heist was a large-scale cyberheist in which attackers used compromised credentials to issue fraudulent SWIFT payment orders from accounts that the Bangladesh Bank maintained at the Federal Reserve Bank of New York. The operation resulted in the theft of US$81 million and the attempted diversion of nearly US$1 billion, triggering multinational investigations involving law enforcement, central banks, and cybersecurity firms. The incident influenced SWIFT messaging security, Bank of England dialogues on correspondent banking, and policy discussions among IMF and World Bank officials.

Background

In late 2015 and early 2016, the Bangladesh Bank maintained correspondent accounts at the Federal Reserve Bank of New York and used the SWIFT network to settle international bank transfers. The bank's infrastructure relied on vendors and local operators who worked with equipment shipped by FedEx and software made by international firms. The regional financial environment included relationships with Commercial Bank of Sri Lanka, Sonali Bank, and Standard Chartered Bank, and regulatory oversight involved the Bangladesh Bank governor, policies of the Abdul Hamid era, and interactions with the Ministry of Finance. Prior cyber incidents worldwide, linked to actors such as Carbanak and to groups targeting Banco del Austro and SWIFT corridors, set precedents that shaped institutional awareness at entities such as Deutsche Bank, JPMorgan Chase, and Citigroup.

The Heist

Attackers gained access to the Bangladesh Bank internal network, installed custom malware, and obtained the SWIFT credentials used to submit 35 fraudulent payment messages to the Federal Reserve Bank of New York. The messages sought transfers to accounts at RCBC in the Philippines, routed through correspondent banks including Deutsche Bank and Standard Chartered. Errors in one transfer directed a payment toward a Shalika Foundation-like charity account and a finance firm, while the most notable successful transfers reached casinos and shell entities through accounts at RCBC and Asia United Bank. The attackers also attempted to conceal their activity by deleting transaction logs and disrupting print services, using malware similar in behavior to tools attributed to the Lazarus Group and observed in incidents affecting Sony Pictures Entertainment and Bangladeshi political targets.

Investigation and Attribution

Investigations involved the FBI, Bangladesh Bank, Interpol, Europol, and cybersecurity firms such as Symantec, Kaspersky Lab, and FireEye. Forensic analysis linked code fragments and operational patterns to the Lazarus Group and to malware families associated with North Korean operations, drawing parallels to the Sony Pictures Entertainment hack and to later operations directed at Bangladeshi NGOs. Legal and intelligence authorities in the United States, the Philippines, Japan, and India cooperated with the Dhaka Metropolitan Police and the CID. Financial tracing followed flows through Deutsche Bank and DBS Bank correspondent rails to casinos in Manila and shell corporations in Hong Kong. Attribution to North Korea remained contested in diplomatic venues involving United Nations Security Council members and prompted sanctions discussions at the UN.

Financial and Operational Impact

The immediate financial loss was US$81 million successfully withdrawn; an additional US$850 million in fraudulent requests was blocked or returned. The heist exposed weaknesses in correspondent banking controls and precipitated liquidity and reputational stress for Bangladesh Bank and for affected correspondent banks such as Deutsche Bank and Standard Chartered. Insurance markets, including Lloyd's of London, re-evaluated cyber coverage, while clearing systems overseen by CPMI and BIS participants assessed settlement risk. Stock movements at regional banks such as RCBC, and policy responses from the Ministry of Finance (Bangladesh) and central banks in ASEAN, reflected heightened scrutiny of anti-money laundering frameworks and KYC practices.

Prosecutions and asset recovery involved defendants and suspects in the Philippines and Bangladesh. Arrests included executives and staff linked to intermediary banks and remitters; entities such as RCBC faced regulatory fines and litigation. The Bangladesh Bank filed civil suits and pursued recovery through coordination with law enforcement including the FBI and Philippine National Police. International legal instruments—mutual legal assistance treaties between Bangladesh and partners such as the United States and Philippines—were invoked to seize casino-linked proceeds. Trials and extradition requests intersected with corporate compliance disputes involving global banks such as Deutsche Bank and regional actors like Asia United Bank.

Security Reforms and Industry Response

In the aftermath, SWIFT accelerated mandatory security controls and introduced the Customer Security Programme and enhanced message validation guidelines adopted by member institutions including Bangladesh Bank and Deutsche Bank. Central banks and payment authorities—BIS, CPMI, Bank of England, and Reserve Bank of India—published guidance on cyber resilience and third-party risk. Cybersecurity vendors such as Symantec, Kaspersky Lab, and FireEye released technical reports and indicators of compromise used by banks and national CERTs like Bangladesh CERT and US-CERT. Correspondent banking corridors implemented transaction screening, enhanced KYC measures, out-of-band verification protocols, and employee cybersecurity training inspired by standards from ISO and industry groups including SWIFT User Group and GFMA.
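As an added illustration of the transaction-screening and out-of-band verification controls described above (example code written for this article, not SWIFT's Customer Security Programme or any bank's system), the rules below hold a payment order for manual verification when it goes to a first-seen beneficiary, exceeds a value threshold, or arrives inside a burst of messages. The payment records, the beneficiary whitelist and the thresholds are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PaymentOrder:
    """Hypothetical, simplified outbound payment record (constructed for this example)."""
    ref: str
    sent_at: datetime
    beneficiary_acct: str
    amount_usd: float


# Constructed screening parameters; a real deployment would load these from policy.
KNOWN_BENEFICIARIES = {"ACCT-KNOWN-001", "ACCT-KNOWN-002"}
HIGH_VALUE_USD = 5_000_000
BURST_WINDOW = timedelta(hours=1)
BURST_COUNT = 5  # this many orders inside BURST_WINDOW is treated as a burst


def screen_orders(orders, known=KNOWN_BENEFICIARIES):
    """Return {ref: [reasons]} for every order that should be held for out-of-band verification."""
    held = {}
    ordered = sorted(orders, key=lambda o: o.sent_at)
    for i, order in enumerate(ordered):
        reasons = []
        if order.beneficiary_acct not in known:
            reasons.append("first-seen beneficiary")
        if order.amount_usd >= HIGH_VALUE_USD:
            reasons.append("high value")
        # Burst check: count orders in the trailing window, including this one.
        window_start = order.sent_at - BURST_WINDOW
        in_window = sum(1 for p in ordered[: i + 1] if p.sent_at >= window_start)
        if in_window >= BURST_COUNT:
            reasons.append("message burst")
        if reasons:
            held[order.ref] = reasons
    return held


# Constructed sample: one routine payment followed by a run of large transfers to new accounts.
T0 = datetime(2016, 2, 4, 20, 0)  # constructed timestamp
SAMPLE_ORDERS = [
    PaymentOrder("REF-001", T0, "ACCT-KNOWN-001", 250_000.0),
    PaymentOrder("REF-002", T0 + timedelta(minutes=5), "ACCT-NEW-101", 20_000_000.0),
    PaymentOrder("REF-003", T0 + timedelta(minutes=10), "ACCT-NEW-102", 30_000_000.0),
    PaymentOrder("REF-004", T0 + timedelta(minutes=15), "ACCT-NEW-103", 6_000_000.0),
    PaymentOrder("REF-005", T0 + timedelta(minutes=20), "ACCT-NEW-104", 25_000_000.0),
    PaymentOrder("REF-006", T0 + timedelta(minutes=25), "ACCT-KNOWN-002", 1_000_000.0),
]

if __name__ == "__main__":
    for ref, reasons in screen_orders(SAMPLE_ORDERS).items():
        print(ref, "held:", ", ".join(reasons))
```

The last order goes to a known beneficiary for a modest amount and is still held, because the burst rule looks at the whole window rather than at each message in isolation.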

Legacy and Continuing Concerns

The case remains a reference in discussions about state-linked cybercrime, influencing policy debates at the United Nations, G20, and among financial regulators such as the FATF. It informed assessments of Lazarus Group activities and catalyzed collaborative frameworks between law enforcement agencies including the FBI, Interpol, and regional bodies in Asia. Continuing concerns include resilience of correspondent banking, emerging threats to real-time payment systems like RTGS and retail rails, and the difficulty of cross-border asset recovery involving jurisdictions such as the Philippines and Hong Kong. The episode is frequently cited alongside incidents involving Carbanak and the Sony Pictures Entertainment hack in analyses by cybersecurity firms, academic researchers at institutions like Massachusetts Institute of Technology and Stanford University, and policy analysts at the Center for Strategic and International Studies.

Category:Cybercrime