
Cyber Incident Victim: Crelan

Date: Jan 2016

Location: Belgium

Summary

A Belgian bank suffered a €70 million loss due to a business email compromise scam, where external attackers impersonated high-level executives to deceive its financial department into authorizing fraudulent transfers. The theft was detected during an internal audit, prompting immediate notification of authorities and internal risk committees, alongside the implementation of enhanced security measures. The institution absorbed the financial impact through existing reserves, ensuring no operational consequences for clients or partners while maintaining its profitability.


Description

In January 2016, Belgian bank Crelan publicly disclosed a significant financial fraud resulting in losses exceeding €70 million (approximately $75.8 million). The theft was discovered during routine internal audit procedures, prompting immediate notification to Belgian regulatory authorities and the bank's risk and audit committees. Crelan's leadership attributed the incident to external actors, noting the potential involvement of foreign perpetrators without specifying their origin. CEO Luc Versele emphasized the bank's ability to absorb the financial impact through accumulated reserves, assuring clients and partners that the loss would not affect service continuity or institutional stability. The bank implemented enhanced security measures following the discovery, though specific technical controls were not detailed in public statements. No operational disruptions or client data breaches were reported in connection with the incident.

Forensic analysis cited by Belgian newspaper Het Nieuwsblad identified the attack methodology as a Business Email Compromise (BEC) scam, commonly termed CEO fraud. Perpetrators either compromised or spoofed executive email accounts to send fraudulent payment instructions to Crelan's financial department, leveraging authority impersonation to bypass verification protocols. The fraudulent transfer request contained characteristics typical of BEC operations, including urgency mandates and instructions to avoid standard oversight procedures. This incident coincided with a similar $50 million BEC fraud against Austrian aerospace manufacturer FACC, highlighting concurrent targeting of European financial systems. Crelan's public disclosure aligned with global law enforcement warnings about escalating BEC threats, though the bank did not specify whether funds were recovered or suspects identified. The confirmed financial impact remained isolated to the €70 million transfer without subsequent reports of secondary compromises or systemic vulnerabilities.
