Cyber Incident Victim: Dutch Bangla Bank
Date: May 2019
Location: Bangladesh
Summary
A cyberattack targeting a Bangladeshi financial institution resulted in approximately $3 million in losses through unauthorized ATM transactions domestically and internationally. The Silence group, a financially motivated threat actor, is suspected of orchestrating the heist using malware including Silence.Downloader, Silence.MainModule, and Silence.ProxyBot to establish persistent access, execute remote commands, and manipulate transaction systems. Evidence indicates prolonged network compromise facilitating reconnaissance prior to executing fraudulent cash withdrawals. Ukrainian nationals acting as money mules were apprehended after video evidence captured coordinated ATM cashouts, with transactions potentially controlled remotely. Forensic analysis linked the attack infrastructure to known Silence command-and-control servers and operational tactics consistent with the group's previous bank targeting methodologies.
Description
In May 2019, hackers targeted three Bangladeshi banks: Dutch Bangla Bank Limited (DBBL), NCC Bank, and Prime Bank. The attacks resulted in the theft of at least $3 million through unauthorized ATM transactions. The incident came to light when Visa, the payment solution provider, asked DBBL to settle payments for suspicious client transactions processed in Cyprus. Investigations revealed that DBBL was the only institution among the three to suffer confirmed financial losses, while the other two banks reported thwarting the attacks. On May 31, 2019, Ukrainian money mules were captured on video withdrawing cash from ATMs by inserting payment cards and receiving dispensed money without manually initiating transactions. The individuals communicated via phone before each withdrawal, indicating remote control of the ATMs by operators. Six Ukrainian nationals were arrested in connection with the thefts after executing similar withdrawals across nine ATMs, stealing approximately $19,000.

Cybersecurity firm Group-IB attributed the attack to the Silence hacking group based on infrastructure analysis, malware signatures, and operational patterns matching previous campaigns. The threat actors had maintained access to DBBL’s systems since at least February 2019, communicating with a command-and-control server at IP 103.11.138.198. They deployed tools including Silence.Downloader (TrueBot) for remote execution, Silence.MainModule (MD5: fd133e977471a76de8a22ccb0d9815b2) for file downloads, and Silence.ProxyBot (MD5: 2fe01a04d6beef14555b2cf9a717615c) for traffic redirection. Attack methods involved either compromising the bank’s ATM network to install jackpotting malware (Atmosphere toolkit) or manipulating the card processing system to alter transaction limits; both techniques were previously linked to Silence. The group, known for Russian-language operations since 2016, expanded internationally after refining tactics in domestic attacks. Financial losses were confined to DBBL, with no confirmed data breaches or secondary compromises reported beyond the ATM fraud.
