Bangladesh Bank: $81 Million Stolen via Forged SWIFT Messages

Attackers with months of access to Bangladesh Bank's SWIFT terminals sent fraudulent transfer instructions to the Federal Reserve Bank of New York, successfully stealing $81 million before a typo in a fifth transfer triggered suspicion.

Bangladesh Bank / SWIFT · 2016

Background

The SWIFT interbank messaging network connects over 11,000 financial institutions worldwide. Bangladesh Bank held accounts at the Federal Reserve Bank of New York and used SWIFT terminals to transfer money internationally. The bank's SWIFT infrastructure was connected to the internet and lacked basic security controls.

The Attack

Attackers, attributed to North Korea's Lazarus Group, gained access to Bangladesh Bank's SWIFT operator terminals months before the attack. They studied the bank's transfer patterns and prepared five fraudulent transfer requests totalling nearly $1 billion, to be sent to accounts in the Philippines and Sri Lanka. On February 5, 2016, they sent the instructions while Bangladesh was closed for a weekend; the requests were submitted on a Thursday so that New York would process them on a Friday, before Bangladesh could respond. Four transfers totalling $81 million succeeded. The fifth was flagged because the attackers misspelled "foundation" as "fandation" in the beneficiary name.

Response

Bangladesh Bank contacted the Federal Reserve, which had already processed four of five transfers. The Philippines transfers had already been converted to cash and moved through casinos, making recovery extremely difficult. SWIFT issued mandatory security updates requiring two-factor authentication and better network isolation for all member banks.

Outcome

$81 million was stolen — $63 million was never recovered. The attack exposed catastrophic security gaps in the global banking messaging infrastructure. SWIFT launched a mandatory Customer Security Programme requiring member banks to meet minimum security standards.

Key Takeaways

  1. Critical financial infrastructure must never be internet-connected without extreme controls
  2. Geographic and time-zone gaps in operations can be weaponised — monitor continuously
  3. A single typo saved $920 million — human review of large transfers is essential
  4. Nation-state actors target financial infrastructure for direct monetary gain, not just intelligence