Cyber Incident Victim: Bangladesh Bank

Date: Feb 2016

Location: Bangladesh

Summary

Hackers breached Bangladesh Bank's systems, stealing credentials to initiate fraudulent transfers from its account at the New York Federal Reserve. They attempted to move nearly $1 billion via dozens of requests, successfully transferring $81 million to Philippine entities before a typo in a $20 million transfer instruction to a Sri Lankan entity (misspelling "foundation" as "fandation") prompted Deutsche Bank to seek clarification, halting that transaction. The Fed also flagged the unusual volume of requests and the private recipients, aiding detection. While the $81 million remained unrecovered, collaboration with Philippine anti-money laundering authorities and casinos was underway to trace the funds. Forensic investigators determined that the compromise originated externally and noted the attackers' detailed knowledge of internal systems, likely gained through espionage.

Description

In early February 2016, hackers breached the Bangladesh Central Bank’s systems and stole credentials used for international payment transfers. The attack occurred over the weekend of February 4-5, when the bank’s offices were closed. Using the compromised credentials, the attackers submitted approximately 35 fraudulent transfer requests from the Bangladesh Bank’s account at the Federal Reserve Bank of New York, targeting entities in the Philippines and Sri Lanka. Four transfers totaling roughly $81 million to private recipients in the Philippines were processed successfully, constituting one of the largest known bank thefts in history. A fifth transfer request for $20 million to a Sri Lankan entity listed as the "Shalika Foundation" was blocked due to a typographical error—the hackers misspelled "foundation" as "fandation." This error prompted Deutsche Bank, the routing bank, to seek clarification from Bangladesh Bank, which then halted the transaction. Investigations later revealed no registered Sri Lankan NGO under that name. The New York Fed also raised alerts because of the unusually high volume of transfer requests and because they were destined for private entities rather than financial institutions, prompting further scrutiny and intervention.

The incident triggered immediate operational and diplomatic repercussions. Bangladesh Bank officials, upon discovering the breach, enlisted cybersecurity firms World Informatix and FireEye’s Mandiant division to investigate the attack. Forensic analysis confirmed the hackers had infiltrated the bank’s systems from outside Bangladesh and possessed detailed knowledge of its internal operations, suggesting prolonged surveillance. Approximately $850–$870 million in additional fraudulent transfers were prevented due to the typo and heightened vigilance. Bangladesh authorities recovered the $20 million intended for Sri Lanka but struggled to trace the $81 million sent to the Philippines, suspecting funds were funneled to local casinos. The Philippine Amusement and Gaming Corp and anti-money laundering agencies launched parallel investigations. Bangladesh’s Finance Minister publicly criticized the New York Fed for not intercepting the fraudulent transactions earlier and threatened legal action, though the Fed maintained its systems were uncompromised and emphasized collaboration in the aftermath. The heist exposed systemic vulnerabilities in global financial networks and intensified scrutiny of cybersecurity practices among central banks.
