
Cyber Incident Victim: Prime Bank

Date: May 2019

Location: Bangladesh

Summary

A financially motivated cyberattack targeted multiple Bangladeshi banks, including Prime Bank, resulting in unauthorized ATM withdrawals totaling millions of dollars. The Silence group, a Russian-speaking threat actor, is suspected of orchestrating the heist using malware such as Silence.Downloader and Silence.ProxyBot to compromise bank systems, manipulate transaction limits, and remotely control ATMs. Ukrainian money mules were arrested after withdrawing cash from compromised machines, with evidence linking the attacks to Silence's infrastructure, including a command-and-control server. While one bank suffered financial losses, others successfully prevented theft, though all were impacted by the intrusion campaign involving prolonged network access and exploitation of payment systems.


Description

In May 2019, three Bangladeshi banks—Dutch Bangla Bank Limited (DBBL), NCC Bank, and Prime Bank—were targeted in a coordinated cyberattack resulting in at least $3 million in losses from fraudulent ATM transactions. The theft was discovered when Visa requested settlement for suspicious client transactions processed in Cyprus. While DBBL confirmed financial losses, NCC Bank and Prime Bank reported successfully blocking the attackers’ transactions. Investigations revealed that Ukrainian money mules withdrew cash from ATMs by inserting payment cards while receiving remote instructions, as evidenced by a May 31 video showing one individual communicating by phone during withdrawals. Six Ukrainian nationals were arrested for stealing approximately $19,000 across nine ATMs using this method.


Security firm Group-IB attributed the DBBL breach to the Silence hacking group, citing infrastructure overlaps and tactical consistencies with prior operations. The attackers maintained access since at least February 2019, deploying tools including Silence.Downloader (TrueBot) for remote command execution, Silence.MainModule (MD5: fd133e977471a76de8a22ccb0d9815b2) for file downloads, and Silence.ProxyBot (MD5: 2fe01a04d6beef14555b2cf9a717615c) for traffic redirection. They likely manipulated ATM networks via the Atmosphere toolkit or altered transaction limits through compromised card processing systems. Group-IB identified communications between DBBL hosts and a Silence command-and-control server (103.11.138.198), confirming prolonged reconnaissance typical of high-level bank heists. This incident marked Silence’s first known international attack after previously targeting Russian financial institutions, signaling expanded operational scope.
