Ten years on, the Bangladesh Bank cyberheist — a landmark cybersecurity incident that rewrote the rules of nation state–sponsored hacking — continues to offer lessons for the cybersecurity community.

Cyberspies hacked into Bangladesh Bank's internal network and its SWIFT (Society for Worldwide Interbank Financial Telecommunication) messaging environment before sending 35 fraudulent SWIFT payment instructions that attempted to steal $951 million of Bangladesh's foreign currency reserves, all held in an account at the Federal Reserve Bank of New York.

Misspelt beneficiary names and US sanctions screening meant only five of the 35 transactions went through, but those were enough to send $81 million to accounts in the Philippines, where the money was quickly withdrawn and subsequently laundered through casinos in Macao, China.

A further $20 million sent to a Sri Lankan charitable foundation was quickly recovered.

Investigations by Western intelligence agencies, SWIFT and private sector firms singled out the Lazarus Group, a North Korean cyberespionage group previously linked to the Sony Pictures hack. The malware, infrastructure and tactics used during the attack matched those of other Lazarus-linked hacks.

In September 2018, US prosecutors charged North Korean national Park Jin Hyok with masterminding the raid on Bangladesh Bank, the Sony Pictures hack and the WannaCry malware, and sanctioned the North Korean front company Chosun Expo Joint Venture in connection with the same campaigns.

Park, allegedly a hacker working for North Korea's Reconnaissance General Bureau intelligence agency, remains at large and on the FBI's most wanted list.

Anatomy of an attack

Early investigations found that spear-phishing emails loaded with malware were sent to Bangladesh Bank employees in December 2015 or earlier, months before the main attack. These incursions succeeded in planting malware, creating both a backdoor and the means to map the network and identify SWIFT-connected systems.

The attackers obtained valid SWIFT operator credentials, compromised access to databases and sabotaged a printer that printed SWIFT transaction logs so that it printed blank pages. The attack was carefully timed to trigger on Thursday, Feb. 4, 2016, at the start of the weekend in Bangladesh, and just before the Chinese New Year holiday in the Philippines.

The Governor of the Central Bank of Bangladesh called Rakesh Asthana, chief executive of World Informatix Cyber Security, about the breach on Feb. 18, around two weeks after the hack.

“The call was cryptic, indicating that he should travel immediately to Dhaka on urgent business which could not be discussed on the phone,” a World Informatix Cyber Security spokesman tells CSO.

Asthana, a former director of IT at the World Bank, had previously signed an IT consulting agreement with the Central Bank, hence the call. Nothing could have prepared him for the scale of the problem he discovered when he landed in Bangladesh.

“Upon arrival, the situation was explained: 35 payment transactions worth $951 million were processed on Feb. 4 via the SWIFT network, and $101 million was missing from the Central Bank’s FRBNY accounts,” the spokesman adds. “The Bank did not have an understanding of what happened, or more importantly how this could have happened — a cyberattack of this scale and method was unknown at the time.”

World Informatix brought in Mandiant to handle the subsequent investigation and incident response, as a SWIFT blog post containing a timeline of the hack explains.

“What we saw in Bangladesh, as a result of our investigation, alongside the investigations done by industry partners, the FBI, and third-party entities, identified a new wave of modus operandi involving deep reconnaissance, manipulation of the cross-border SWIFT messaging global systems, clever operational deception and strategic structured attack plans,” the World Informatix spokesman said.

Security shortcomings

Adrian Cheek, senior cybercrime researcher at threat exposure management firm Flare, said the Bangladesh Bank heist was possible because of a number of security shortcomings, including a failure to air gap critical infrastructure.

“The Bank of Bangladesh had four servers and the same number of desktops connected to SWIFT,” Cheek says. “This infrastructure, however, was also connected to the wider banking network and thus exposed to the internet.”

“Critical infrastructure should be air gapped or, at the very least, segregated from any central network by multiple firewalls and a robust SWIFT [identity and access management] policy, including SWIFT [multi-factor authentication],” Cheek adds. “The bank had none of this.”

Other elements of basic cybersecurity at the central bank were also lax.

“The attackers were able to install a keylogger [a form of malware that records users’ credentials and activity] on the bank network and disable a printer that recorded activity connected to the bank network,” according to Cheek. “The bank had no capability to identify or detect this malware.”

Cheek adds: “The logger was able to collect credentials, including passwords to the bank’s international money transfer system.”

Strains of malware linked to the attack include the Lazarus/BeagleBoyz toolset (a mix of custom loaders, backdoors, and wipers) and the Dridex banking trojan.

Security information and event management (SIEM) platforms appeared on the scene in the late 2000s, and the first versions of endpoint detection and response (EDR) tools were available in the early 2010s.

“Both of these solutions may have detected the initial intrusion, the printer error, or access to restricted areas,” Cheek says. “The bank relied on a physical printer that printed access activity for the money transfer system. With the printer offline, the bank was blind.”
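As an added illustration of the kind of correlation Cheek describes (not code from the article or from any of the firms quoted), the following SIEM-style rules run over constructed sample events and flag the three signals the text names: the SWIFT confirmation printer going offline or producing blank pages, payment instructions submitted outside local business hours or days, and a burst of instructions from one operator. The log format, operator names, thresholds and business-hour window are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample events in a simple key=value format (illustrative only;
# not the incident's real logs). Feb. 4, 2016 was a Thursday, a working day
# in Bangladesh, so the late-evening instructions fall outside office hours.
SAMPLE_LOGS = [
    "2016-02-04 11:05:02 src=swift_app user=op_alice event=mt103_sent amount=20000000 ref=TX-1",
    "2016-02-04 20:40:00 src=printer name=SWIFT-CONFIRM-01 event=offline",
    "2016-02-04 20:41:10 src=printer name=SWIFT-CONFIRM-01 event=job_done pages=0",
    "2016-02-04 21:02:33 src=swift_app user=op_alice event=mt103_sent amount=81000000 ref=TX-2",
    "2016-02-04 21:03:04 src=swift_app user=op_alice event=mt103_sent amount=30000000 ref=TX-3",
    "2016-02-04 21:03:40 src=swift_app user=op_alice event=mt103_sent amount=25000000 ref=TX-4",
    "2016-02-05 09:15:00 src=printer name=SWIFT-CONFIRM-01 event=job_done pages=0",
]

BUSINESS_DAYS = {6, 0, 1, 2, 3}  # Sun-Thu (Python weekday(): Mon=0 ... Sun=6); Fri/Sat weekend
BUSINESS_HOURS = range(9, 17)     # assumed 09:00-16:59 local office hours
BURST_LIMIT = 2                   # more than this many instructions ...
BURST_WINDOW_S = 300              # ... within five minutes is flagged

def parse(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
    return fields

def detect(lines):
    """Return a list of (rule_name, reference) alerts in the order they fire."""
    alerts, sent_times = [], []
    for ev in map(parse, lines):
        # Rule 1: the confirmation printer goes offline or prints blank pages.
        if ev.get("src") == "printer" and (ev.get("event") == "offline" or ev.get("pages") == "0"):
            alerts.append(("printer_blank_or_offline", ev["name"]))
        if ev.get("event") == "mt103_sent":
            ts = ev["ts"]
            # Rule 2: payment instruction outside local business days/hours.
            if ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_payment", ev["ref"]))
            # Rule 3: burst of instructions within a short sliding window.
            sent_times.append(ts)
            recent = [t for t in sent_times if (ts - t).total_seconds() <= BURST_WINDOW_S]
            if len(recent) > BURST_LIMIT:
                alerts.append(("payment_burst", ev["ref"]))
    return alerts

if __name__ == "__main__":
    for rule, ref in detect(SAMPLE_LOGS):
        print(f"ALERT {rule}: {ref}")
```

Real deployments would also correlate the printer alert with the payment burst, since either alone is noisy but both together within minutes are what a SIEM should have escalated.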

Collin Spears, senior director of product management at application security firm Black Duck Software, says that the Bangladesh Bank attackers demonstrated a level of nation-state operational discipline that exceeded that of most legitimate software teams.

“They tested their malware against Oracle database libraries, built custom implants to maintain persistence, and timed execution to exploit a 72-hour window across the banking holidays of three countries,” says Spears. “That’s not opportunistic crime. That’s a funded engineering organization with better release management than half the fintechs I’ve assessed.”

Prior to 2016, the SWIFT network was considered impenetrable, to the point that anything arriving via the SWIFT system was taken at face value and often left to operate unmonitored.

In the wake of the Bangladesh Bank heist, SWIFT warned customers that the hack was part of a broader series of attacks on customer environments rather than an attack on its messaging network. Banco del Austro in Ecuador and TPBank in Vietnam fell victim to similar but smaller assaults in 2015.

Tightened security controls fail to eliminate evolving threat

SWIFT introduced its Customer Security Program (CSP) as a mandatory framework in May 2016. The program requires member banks to implement a set of mandatory security controls, known as the Customer Security Controls Framework (CSCF), and to attest to compliance annually.

Nik Kale, principal engineer at Cisco Systems, told CSO that although security controls have been tightened since the Bangladesh Bank cyberheist, wider problems remain unaddressed.

“Many institutions have improved controls around SWIFT and similar rails — better monitoring, tighter audits, more realistic assumptions about endpoint compromise risk,” according to Kale.

However, on the debit side, the workflow trust issue exploited during the Bangladesh Bank cyberheist continues to cause problems.

“The techniques evolve, but the underlying vulnerability is stable,” says Kale. “And notably, the same pattern — trusting workflow rails while endpoints are compromised — is now re-emerging in AI and automation contexts, where autonomous agents inherit credentials and act on trusted channels without adequate verification boundaries.”

Attackers pivoting to target crypto assets

Jason Baker, senior threat intelligence consultant at GuidePoint Security, tells CSO that North Korean state-backed attackers have continued to target financial and cryptocurrency organizations in the years since the Bangladesh Bank cyberheist.

“DPRK [Democratic People’s Republic of Korea] actors have pivoted heavily to cryptocurrency versus ‘traditional’ banking assets, with Chainalysis reporting $2 billion in cryptocurrency theft by DPRK actors in 2025 and an all-time total of $6.75 billion despite fewer attacks,” according to Baker.

Michael Bell, founder and CEO at offensive security services firm suzu labs, says that what attackers learned was that cryptocurrency exchanges have weaker security, faster liquidity and less regulatory oversight than traditional banks.

“The industry patched the vulnerability that was exploited in 2016 and the adversary moved to where the defenses were weaker,” Bell says.

CISOs need better threat intel programs

Ensar Seker, CISO at extended threat intelligence platform provider SOCRadar, argues that the Bangladesh Bank heist shows that financially motivated attacks can be patient, stealthy and well-resourced. Defenders need to raise their game, because such stealthy attacks remain an ongoing threat.

“The attackers anticipated manual checks, fallback procedures, and human delays,” Seker says. “Modern threat intel programs must model attacker understanding of defender workflows, not just attacker tools.”
