
Cyber Incident Victim: Banco del Austro

Date: Jan 2015

Location: Ecuador

Summary

Hackers stole Banco del Austro (BDA) employee credentials to initiate fraudulent SWIFT transfer requests, altering previously canceled transactions to redirect funds. The attackers transferred $12 million via Wells Fargo and $1.8 million through Citibank to global accounts; Citibank fully reimbursed the Ecuadorian bank, while Wells Fargo refunded only a partial amount. BDA sued Wells Fargo for failing to detect the suspicious transactions, while Wells Fargo attributed the breach to the victim's own security failures. Neither bank initially reported the incident to SWIFT, reflecting broader industry reluctance to disclose such attacks despite the systemic risk they pose to interbank trust. The dispute exposed the weakness of relying solely on SWIFT's message authentication without additional verification controls.


Description

On January 12, 2015, attackers initiated fraudulent transfers from Banco del Austro (BDA) in Ecuador using compromised SWIFT credentials. Beginning at 7 p.m. that day and continuing over the following ten days, twelve authenticated SWIFT messages directed Wells Fargo in San Francisco to transfer $12 million from BDA accounts to global destinations, including Hong Kong. The hackers had obtained a BDA employee’s SWIFT login credentials and manipulated the bank’s system by retrieving canceled or rejected payment requests from BDA’s SWIFT outbox, altering their amounts and recipient details before resubmitting them. BDA discovered the theft more than a week after the first transfer. Citibank New York also processed $1.8 million in fraudulent transfers from BDA’s SWIFT terminal during this period but later reimbursed the full amount. Wells Fargo refunded $958,700 of the $1,486,230 it sent to an account under the name Jose Mariano Castillo, though Castillo’s existence could not be verified. Neither BDA nor Wells Fargo initially reported the breach to SWIFT, which learned of the incident through Reuters’ inquiry.


BDA sued Wells Fargo in New York, alleging the bank failed to flag transactions executed outside BDA’s normal business hours and involving atypical sums. Wells Fargo denied liability, asserting in court filings that BDA’s security failures enabled the theft and that SWIFT’s authentication protocols absolved it of verification responsibilities. SWIFT, not a party to the lawsuit, issued a statement urging all users to report cyberattacks affecting its services following Reuters’ disclosure of the incident. The case highlighted systemic risks in SWIFT’s oversight framework, including inconsistent breach reporting by member banks and overreliance on SWIFT’s message authentication without supplementary verification. SWIFT’s board, dominated by large Western banks, faced criticism for lacking mandatory breach disclosure rules, as banks often withhold incident details to avoid reputational damage or regulatory scrutiny. The theft exposed vulnerabilities in correspondent banking relationships, with experts noting that SWIFT’s security guarantees do not replace banks’ obligations to validate transaction legitimacy. The legal dispute remained unresolved, with Wells Fargo seeking dismissal of BDA’s claims.
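The controls BDA argued for (flagging instructions sent outside normal business hours or for atypical sums) and the pattern the description reports (a canceled request pulled from the outbox and resubmitted with a new amount and beneficiary) can be expressed as simple supplementary checks on the sending side. The following is an added illustration and not code from the page, from BDA, Wells Fargo or SWIFT; the record layout, the `reuses_ref` field, the business-hours window, the 5x-median threshold and all sample records are constructed assumptions, not real message data.

```python
"""Supplementary screening rules for outbound payment instructions.

Added example, not code from the original page. Field names, thresholds
and every record below are constructed for illustration.
"""
from datetime import datetime, time
from statistics import median

# Assumed local business hours: Monday-Friday, 08:00 to 18:00.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
# An amount is treated as atypical when it exceeds this multiple of the
# median of previously completed payments (assumed threshold).
ATYPICAL_MULTIPLIER = 5.0

# Constructed history of earlier outbound instructions (amounts in USD).
HISTORY = [
    {"ref": "TX-0001", "sent_at": "2015-01-05T10:15:00", "amount": 45_000,
     "beneficiary": "ACME SUPPLY SA", "status": "completed"},
    {"ref": "TX-0002", "sent_at": "2015-01-06T14:40:00", "amount": 62_500,
     "beneficiary": "GLOBAL PARTS LTD", "status": "completed"},
    {"ref": "TX-0003", "sent_at": "2015-01-07T09:05:00", "amount": 38_000,
     "beneficiary": "ACME SUPPLY SA", "status": "completed"},
    {"ref": "TX-0004", "sent_at": "2015-01-08T11:30:00", "amount": 51_000,
     "beneficiary": "ANDES LOGISTICA", "status": "cancelled"},
]

# Constructed new instructions to screen. TX-0006 models the reported
# pattern: a cancelled request resubmitted after hours with a changed
# amount and beneficiary. The `reuses_ref` field is an assumed link
# back to the original request that the sending system would record.
NEW_MESSAGES = [
    {"ref": "TX-0005", "sent_at": "2015-01-12T11:00:00", "amount": 47_000,
     "beneficiary": "GLOBAL PARTS LTD", "status": "sent", "reuses_ref": None},
    {"ref": "TX-0006", "sent_at": "2015-01-12T19:10:00", "amount": 1_200_000,
     "beneficiary": "UNKNOWN BENEFICIARY 1", "status": "sent",
     "reuses_ref": "TX-0004"},
]


def is_out_of_hours(sent_at: str) -> bool:
    """True when the timestamp falls on a weekend or outside business hours."""
    dt = datetime.fromisoformat(sent_at)
    if dt.weekday() >= 5:  # Saturday or Sunday
        return True
    return not (BUSINESS_START <= dt.time() < BUSINESS_END)


def is_atypical_amount(amount: float, history: list) -> bool:
    """True when the amount far exceeds the baseline of completed payments."""
    completed = [m["amount"] for m in history if m["status"] == "completed"]
    if not completed:
        return False  # no baseline yet; a real system would route to review
    return amount > ATYPICAL_MULTIPLIER * median(completed)


def is_altered_resubmission(msg: dict, history: list) -> bool:
    """True when the message reuses a cancelled request with changed details."""
    ref = msg.get("reuses_ref")
    if not ref:
        return False
    original = next((m for m in history if m["ref"] == ref), None)
    if original is None or original["status"] != "cancelled":
        return False
    return (original["amount"] != msg["amount"]
            or original["beneficiary"] != msg["beneficiary"])


def screen(messages: list, history: list) -> dict:
    """Return {ref: [reasons]} for every instruction that should be held."""
    flagged = {}
    for msg in messages:
        reasons = []
        if is_out_of_hours(msg["sent_at"]):
            reasons.append("out_of_hours")
        if is_atypical_amount(msg["amount"], history):
            reasons.append("atypical_amount")
        if is_altered_resubmission(msg, history):
            reasons.append("altered_resubmission")
        if reasons:
            flagged[msg["ref"]] = reasons
    return flagged


if __name__ == "__main__":
    for ref, reasons in screen(NEW_MESSAGES, HISTORY).items():
        print(f"{ref}: hold for out-of-band confirmation ({', '.join(reasons)})")
```

Each rule is weak on its own (legitimate payments do go out after hours), so the point is that a held instruction triggers an out-of-band confirmation with the business owner before release; authentication of the SWIFT session proves who logged in, not that the instruction is legitimate. In the sample, only TX-0006 is held, on all three grounds.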
