Cyber Incident Victim: Banorte

Date: Apr 2018

Location: Mexico

Summary

Hackers conducted a cyberattack on Mexican financial institutions, including Banorte, generating fraudulent transfer orders to siphon hundreds of millions of pesos into bogus accounts, with accomplices rapidly withdrawing cash from branch offices. The theft involved unauthorized interbank transfers through compromised third-party software interfaces, though the central bank's core payment system remained intact. While some fraudulent transactions were blocked, the incident prompted institutions to adopt slower, alternative technologies for payment system connectivity. Authorities confirmed no client deposits were impacted, as the transfers targeted institutional accounts, and investigations indicated potential insider collaboration due to the scale of cash withdrawals. The central bank characterized the attack as unprecedented and implemented corrective measures amid ongoing analysis.

Description

In April 2018, unidentified attackers executed a coordinated cyber heist against multiple Mexican banks, including Banco Mercantil del Norte (Banorte), Mexico’s second-largest bank. The perpetrators generated fraudulent electronic transfer orders through compromised bank systems, directing funds ranging from tens of thousands to hundreds of thousands of pesos to fictitious accounts at other financial institutions. According to two government investigation sources, the thieves siphoned over 300 million pesos ($15.4 million), while Mexican newspaper El Financiero cited an anonymous source claiming approximately 400 million pesos was stolen. The fraudulent transfers targeted accounts held by financial institutions at the central bank, with accomplices rapidly withdrawing the illicitly transferred funds in cash from dozens of bank branches. Investigators noted the unusually large cash withdrawals suggested potential insider collaboration at branch offices. Not all fraudulent transfers succeeded, as some were intercepted and blocked by security measures.

The attack disrupted Mexico’s SPEI interbank electronic payment system in late April 2018, causing transaction delays and raising concerns about systemic vulnerabilities in Latin America’s second-largest economy. Mexico’s central bank governor Alejandro Diaz de Leon described the incident as unprecedented, confirming five financial institutions experienced unauthorized transfers but declining to identify specific banks or validate exact losses. Central bank officials clarified that the SPEI infrastructure itself remained uncompromised, attributing the breach to vulnerabilities in third-party software or bank-developed applications interfacing with the payment system. In response, many institutions temporarily migrated to an alternate, slower connection technology to enhance security. Banorte issued a statement on May 9 confirming an unspecified “incident” but asserting client deposits remained unaffected. Central bank payment system chief Lorenza Martinez emphasized ongoing forensic analysis of branch security protocols while reiterating that no end-user accounts were impacted. The central bank implemented corrective measures to mitigate future incidents but acknowledged uncertainty regarding whether the attack campaign had fully concluded.
