# Bangladesh Bank SWIFT Heist (2016)
## Overview
On the night of February 4-5, 2016, attackers sent 35 payment instructions through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system, directing the Federal Reserve Bank of New York to transfer $951 million from Bangladesh Bank's account. It was the most audacious bank robbery in history, conducted entirely through a keyboard.
What stopped it from being a billion-dollar theft was not a security control. It was a spelling error. A $20 million transfer to a Sri Lankan organization named "Shalika Foundation" was routed through Deutsche Bank, where a compliance officer noticed the name on the transfer was spelled "Shalika Fandation." The misspelling flagged the transaction for review, and the transfer was blocked. By then, $81 million had already been transferred to accounts at Rizal Commercial Banking Corporation (RCBC) in the Philippines, where it was rapidly moved through a network of personal accounts and into Manila's casino industry, a sector that was at the time not subject to the Philippines' anti-money laundering laws.
Almost none of the $81 million was recovered. The individuals who collected the funds in Manila are among the principal suspects, but no one has been held accountable in a court with jurisdiction over the theft itself.
Multiple governments and private threat intelligence organizations have attributed this attack with high confidence to the Lazarus Group, a North Korean state-sponsored threat actor operating under the direction of the Reconnaissance General Bureau (RGB), North Korea's primary signals intelligence and cyber operations organization. North Korea has denied involvement. The U.S. Department of Justice indicted three North Korean nationals in connection with the attack as part of a broader 2021 indictment covering multiple Lazarus Group operations.
## Attack Chain
### Phase 1: Initial Compromise via Spear Phishing
The attack began in late 2015 when Lazarus Group sent spear phishing emails to Bangladesh Bank employees. These emails contained malicious attachments or links that, when opened, installed malware on the recipient's workstation. The specific initial malware samples included components that established persistent access and allowed the attackers to surveil the infected systems.
Bangladesh Bank's network environment at the time was reported to have significant security weaknesses. According to subsequent forensic analysis, these included second-hand, uncertified network switches and the absence of a firewall separating the SWIFT terminals from the broader bank network.
### Phase 2: Network Reconnaissance and Learning
After establishing initial access, the attackers did not immediately attempt to submit fraudulent transactions. Instead, they spent weeks, possibly months, conducting careful reconnaissance. The goal was to understand the internal network topology, identify the systems connected to Bangladesh Bank's SWIFT interface, observe how legitimate SWIFT transactions were submitted and authorized, and map the schedules and workflows of the people and systems involved in the payment process.
This patient, methodical reconnaissance is a hallmark of Lazarus Group operations and of sophisticated nation-state financial threat actors generally. The attackers needed to understand not just how to submit a SWIFT message but how to submit one that would look indistinguishable from Bangladesh Bank's normal transaction patterns.
### Phase 3: Preparation of Fraudulent Instructions
Before submitting the fraudulent transactions, the attackers established the destination accounts. The Philippine accounts at RCBC were opened months in advance by individuals using false identification. The accounts sat largely dormant until the period of the attack. The Sri Lanka transfer, the one eventually blocked by the spelling error, was directed to the Shalika Foundation, a real registered organization that appears to have been selected as a plausible-sounding destination.
### Phase 4: Execution of the SWIFT Transfers
The attackers timed the execution carefully. Bangladesh Bank observes a Thursday-Friday weekend. February 4, 2016 was a Thursday, meaning Bangladesh Bank would be closed until Saturday. The Federal Reserve Bank of New York, where Bangladesh Bank maintained its USD correspondent account, operated on the U.S. calendar and would begin processing the transactions during normal business hours on Friday, February 5, with Bangladesh Bank offices closed and unlikely to respond to any queries.
On the night of February 4-5 (Dhaka time), the attackers submitted 35 SWIFT payment instructions from Bangladesh Bank's SWIFT terminals totaling $951 million. The instructions were formatted correctly according to SWIFT message standards and carried authentic-looking sender credentials because they were submitted through Bangladesh Bank's own SWIFT interface.
The Federal Reserve Bank of New York processed five of the transfers before automated risk screening systems began flagging anomalies. The five transfers totaled $101 million, directed to accounts in the Philippines ($81 million) and Sri Lanka ($20 million).
### Phase 5: Detection and Partial Blocking
The $20 million Sri Lanka transfer was flagged by Deutsche Bank, which was acting as a routing intermediary, when a compliance officer identified the "Shalika Fandation" misspelling. Deutsche Bank queried Bangladesh Bank for clarification. Bangladesh Bank, whose offices had reopened, became aware of the fraudulent transfers and contacted the Federal Reserve Bank of New York to request that the transfers be blocked or reversed. The Federal Reserve blocked the remaining 30 transfers that had not yet been processed.
Bangladesh Bank also attempted to contact RCBC to freeze the $81 million in the Philippine accounts. The timing was unfortunate: the funds had arrived at RCBC on February 5, a Friday. February 8, the following Monday, was a public holiday in the Philippines (Chinese New Year). By the time RCBC could act, the funds had already been moved through a series of accounts and into casino junket operators, where cash transactions occurred without AML documentation.
### Phase 6: Covering Tracks
Before departing Bangladesh Bank's systems, the attackers deployed malware designed to delete transaction logs and manipulate Bangladesh Bank's SWIFT printer, which printed confirmations of all transactions. The printer manipulation was intended to delay Bangladesh Bank's awareness of the fraudulent transfers. The log deletion complicated forensic analysis of exactly how the attack was executed.
## Why It Happened: Root Causes
Root Cause 1: Inadequate network segmentation at Bangladesh Bank. The SWIFT terminals at Bangladesh Bank were connected to the broader bank network without adequate segmentation. A properly architected SWIFT environment isolates the SWIFT interface on its own network segment with strict controls over what systems can communicate with it. This isolation limits who can reach the SWIFT terminals and makes the kind of lateral movement the attackers performed significantly more difficult.
Root Cause 2: No authentication controls beyond the SWIFT interface itself. SWIFT's security model has always required that member institutions protect the integrity of their own SWIFT infrastructure. The system authenticates that a message was submitted through a particular institution's registered SWIFT interface, not that the person or process submitting it was authorized to do so by the institution's internal controls. Bangladesh Bank lacked the internal access controls that would have detected or prevented unauthorized use of its SWIFT terminals.
Root Cause 3: Extended dwell time without detection. The attackers had persistent access to Bangladesh Bank's network for weeks to months before the attack. This dwell time was undetected. Behavioral monitoring capable of identifying the reconnaissance activity, the testing of SWIFT-adjacent systems, and the unusual patterns of internal access would have surfaced indicators of the intrusion before the fraudulent transfers were submitted.
Root Cause 4: No anomaly detection on outbound SWIFT transfers. Bangladesh Bank had no automated controls to flag a set of 35 outbound SWIFT payment instructions totaling $951 million as anomalous. The Federal Reserve's risk filters caught some of the transfers based on transaction volume and destination patterns, but those controls are designed for correspondent banking fraud generally, not specifically tuned to a particular institution's normal transaction patterns. The originating institution bears primary responsibility for detecting anomalous activity in its own outbound messaging.
Root Cause 5: The SWIFT ecosystem's security posture was only as strong as its weakest member. This is the systemic vulnerability the Bangladesh Bank heist exposed. SWIFT itself was not compromised. The cryptographic integrity of the SWIFT network remained intact. What the attackers exploited was the fact that SWIFT's trust model presumes that each institution has adequately protected its own SWIFT interface. When Bangladesh Bank's interface was controlled by the attackers, every message submitted through it appeared legitimate to the Fed and to the broader SWIFT network. This vulnerability is not unique to Bangladesh Bank; the subsequent SWIFT Intelligence Center disclosures identified multiple banks worldwide where similar attack patterns had been attempted or succeeded.
## Impact and Consequences
Bangladesh Bank recovered approximately $15 million through negotiations over the Sri Lanka-side transfers. The $81 million in the Philippines was largely unrecovered. The Bangladesh Bank Governor resigned. Multiple RCBC employees were eventually sanctioned and prosecuted in the Philippines for failing to freeze the accounts properly. RCBC itself was fined $21 million by the Bangko Sentral ng Pilipinas for anti-money laundering failures.
The attack triggered a comprehensive review of security practices across the SWIFT network. SWIFT launched its Customer Security Programme (CSP) in 2016, establishing mandatory security controls for all SWIFT member institutions covering architecture, access controls, and monitoring. The CSP requirements have been updated annually since then.
At least eight other central banks and financial institutions were targeted by similar Lazarus Group SWIFT attacks between 2015 and 2016, with varying degrees of success. Banco del Austro in Ecuador lost $12 million in a similar attack in January 2015. Vietnam's Tien Phong Bank reportedly repelled a similar attempt in late 2015.
The Philippines subsequently amended its Anti-Money Laundering Act to cover casinos, closing the legal gap that had allowed the funds to disappear through Manila's casino industry without AML documentation requirements.
The U.S. Department of Justice indictment in 2021 against three North Korean nationals (Park Jin Hyok, Jon Chang Hyok, and Kim Il) covered the Bangladesh Bank attack as part of a broader pattern of North Korean state-sponsored financial crime estimated to have generated over $1.3 billion for the North Korean regime.
## CDA Perspective
The Bangladesh Bank SWIFT heist is a masterclass in how a sophisticated threat actor with adequate time and patience can leverage institutional access control gaps into outsized financial damage.
TID (Threat Intelligence and Defense): Lazarus Group's months-long dwell time inside Bangladesh Bank's network is the most instructive element of this attack from a detection standpoint. The attackers did not rush. They learned the environment. They watched transaction patterns. They prepared destination accounts months in advance. This is not a smash-and-grab: it is a patient, deliberate operation. Predictive Defense Intelligence (PDI) has to operate on the assumption that sophisticated attackers will have patience. Detection programs must look for subtle indicators: unusual internal access patterns, reconnaissance of SWIFT-adjacent systems, and low-and-slow data collection behaviors, not just high-volume, high-velocity indicators. The question is always: what would this attacker's behavior look like thirty days before the damage event, and do we have sensors positioned to see it?
DPS (Data Protection and Sovereignty): The integrity of financial messaging is a form of data sovereignty. When a message is submitted through Bangladesh Bank's SWIFT interface, it carries the implicit assertion that Bangladesh Bank authorized it. The Sovereign Data Protocol (SDP) extends beyond confidentiality to cover integrity: data must not only be protected from unauthorized disclosure but from unauthorized modification or creation. SWIFT messages are a form of high-value data whose integrity underpins the entire correspondent banking system. Bangladesh Bank's failure to protect the integrity of its SWIFT interface meant that the "data" (the payment instructions) the Fed acted on was fraudulent. Integrity controls at the data layer, including transaction signing, anomaly detection on outbound message volumes, and dual-control authorization for large transfers, are direct SDP applications.
IAT (Identity Access and Trust): Zero Possession Architecture (ZPA) is not just about passwords. It is about every trust assertion in a system. The SWIFT system trusted that Bangladesh Bank's interface was controlled by Bangladesh Bank. Bangladesh Bank trusted that access to its internal systems came from authorized users. Both trust assertions were violated. ZPA demands that trust be verified continuously, not established once at authentication and then assumed. Privileged access to SWIFT terminals should require step-up authentication, session recording, and approval workflows for transactions above defined thresholds. These controls would not have prevented the initial compromise, but they would have significantly complicated the attackers' ability to submit fraudulent SWIFT instructions even from a compromised internal system.
RGA (Risk Governance and Assurance): SWIFT's Customer Security Programme exists because the Bangladesh Bank heist proved that individual institution security posture is a systemic risk for the entire correspondent banking network. Perpetual Compliance Assurance (PCA) in a networked financial system context means that governance obligations extend to your counterparties. If your institution sends and receives SWIFT messages, your security posture is a risk factor for every institution that trusts your messages. The PCA framework supports this with continuous monitoring, mandatory control attestations, and third-party assessments, not just annual self-certification. The broader lesson for any interconnected system (financial messaging, operational technology networks, healthcare data exchange) is that security governance cannot stop at your own perimeter.
## Key Takeaways
SWIFT security is only as strong as each connected institution's security posture. The cryptographic integrity of the SWIFT network was not compromised. The attack succeeded because Bangladesh Bank's local SWIFT infrastructure was compromised. Every financial institution using SWIFT is a trust anchor in the system, and inadequate security at any anchor creates risk for all.
Attackers with patience are the most dangerous attackers. The months-long dwell time before the February 2016 attack is not unusual for nation-state financial threat actors. Detection programs built to catch high-speed, high-volume attacks will miss slow, methodical operations. Behavioral baselines and anomaly detection must be calibrated to surface patient reconnaissance, not just active exploitation.
Dual-control and transaction anomaly detection are non-negotiable for high-value financial systems. No single process should be able to submit large-volume, large-value payment instructions without a second authorization step and automated anomaly review. The Bangladesh Bank attack involved 35 transfers totaling $951 million. That volume and value, relative to Bangladesh Bank's normal transaction patterns, should have been flagged automatically at the originating institution before the messages ever left the SWIFT interface.
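The kind of baseline-relative screen at the originating institution that Root Cause 4 and this takeaway call for, as an added example that is not Bangladesh Bank's or SWIFT's code: the baseline figures, beneficiary identifiers, staffed hours and timestamps are constructed, and the batch only echoes the public 35-instruction, $951 million shape.

```python
"""Added example, not Bangladesh Bank's or SWIFT's code: a baseline-relative screen an
originating institution could run on its own outbound instructions; all values are constructed."""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Instruction:
    ref: str             # sender's transaction reference
    amount_usd: int
    beneficiary: str     # beneficiary account identifier as the sender records it
    sent_at: datetime    # local time at which the instruction was submitted

@dataclass(frozen=True)
class Baseline:          # the institution's own norms, learned from its own history
    daily_count_mean: float
    daily_value_mean_usd: float
    known_beneficiaries: frozenset
    closed_weekdays: frozenset   # Python weekday(): Mon=0 .. Sun=6
    staffed_hours: tuple         # (open_hour, close_hour), local time
    dual_control_threshold_usd: int

def screen_batch(batch, base, count_factor=2.0, value_factor=5.0):
    """Return (batch_findings, per_instruction_findings); anything non-empty holds
    the batch for a second authoriser instead of releasing it to the network."""
    total = sum(i.amount_usd for i in batch)
    batch_findings = []
    if len(batch) > count_factor * base.daily_count_mean:
        batch_findings.append(f"{len(batch)} instructions vs daily mean {base.daily_count_mean:.0f}")
    if total > value_factor * base.daily_value_mean_usd:
        batch_findings.append(f"USD {total:,} vs daily mean {base.daily_value_mean_usd:,.0f}")
    per_instruction = {}
    open_h, close_h = base.staffed_hours
    for i in batch:
        reasons = []
        if i.beneficiary not in base.known_beneficiaries:
            reasons.append("first-seen beneficiary")
        if i.sent_at.weekday() in base.closed_weekdays or not open_h <= i.sent_at.hour < close_h:
            reasons.append("submitted outside staffed hours")
        if i.amount_usd >= base.dual_control_threshold_usd:
            reasons.append("above dual-control threshold")
        if reasons:
            per_instruction[i.ref] = reasons
    return batch_findings, per_instruction

def heist_like_batch():
    """Constructed 35-instruction batch echoing the public figures (USD 951M in total)."""
    when = datetime(2016, 2, 4, 23, 30)   # Thursday night, local time
    amounts = [20_000_000, 6_000_000, 30_000_000, 25_000_000, 20_000_000] + [28_000_000] * 28 + [33_000_000] * 2
    return [Instruction(f"TXN{n:03d}", a, f"NEW-ACCT-{n:02d}", when)
            for n, a in enumerate(amounts, 1)]

BASELINE = Baseline(daily_count_mean=12, daily_value_mean_usd=40_000_000,
                    known_beneficiaries=frozenset({"CORR-ACCT-A", "CORR-ACCT-B"}),
                    closed_weekdays=frozenset({3, 4}),  # Thu/Fri closure as the article describes
                    staffed_hours=(9, 17), dual_control_threshold_usd=10_000_000)
```

Running `screen_batch(heist_like_batch(), BASELINE)` returns two batch-level findings (count and value far above the constructed daily means) and holds all 35 instructions, each to a never-seen beneficiary and submitted outside staffed hours; a small business-hours payment to a known counterparty produces no finding.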
Jurisdiction and AML coverage gaps are part of the attack surface. The $81 million disappeared into Manila casinos because Philippine AML law at the time did not cover casinos. This is not a cybersecurity control gap; it is a legal and regulatory gap that the attackers exploited deliberately. Risk governance frameworks must account for the legal and regulatory environment of every jurisdiction where funds could land, not just the technical controls at the point of origination.
The security of networked financial infrastructure requires collective governance. SWIFT's Customer Security Programme is a direct response to Bangladesh Bank. The lesson is that interconnected systems require collective security standards, and those standards must be mandatory and verifiable, not voluntary and self-attested.
## Related Articles
- SWIFT Customer Security Programme
- Nation-State Cyber Threats and Financial Sector Targeting
- Lazarus Group (DPRK APT)
- Correspondent Banking and Wire Fraud
- Zero Possession Architecture (ZPA)
- Anomaly Detection and Behavioral Analytics
- Anti-Money Laundering Controls and Financial Crime
- Incident Response for Financial Institutions