How North Korea’s phantom hackers nearly broke the global banking system
Prologue
4:00 AM, 5 February 2016.
Dhaka is sleeping. The streets around Bangladesh Bank’s headquarters on Motijheel Avenue are quiet. The overnight staff are keeping watch, but there’s nothing to watch. The SWIFT terminal hums. The servers breathe. Everything is ordinary.
Somewhere on the other side of the planet, in a country under permanent sanctions and perpetual darkness, a team of hackers is issuing instructions. Thirty-five of them. Each one a carefully worded wire transfer request, sent in the name of Bangladesh’s central bank, addressed to the Federal Reserve Bank of New York.
The requests are polite. Professional. Authenticated. They look exactly like the real thing.
They are asking for $951 million.
And they had been building toward this moment for over a year.

Part 1: The Invisible Invasion
A ghost named Rasel sends an email
It started with a job application.
In January 2015, several Bangladesh Bank employees received a seemingly harmless email from a job seeker calling himself Rasel Ahlam, who included an invitation to download his CV and cover letter from a website. Rasel, however, did not exist.
He was a ghost. A fiction crafted to do one thing: get someone inside the bank to click a link.
Someone did.
According to FBI investigators, at least one person inside the bank downloaded the documents, and their computer got infected with the viruses hidden inside. From that single click, everything that followed became possible.
But there was no alarm. No flashing light. No indication that anything had gone wrong. The malware settled silently into the bank’s systems like a tenant moving in at night. It would wait, watch, and learn. For months.
The attackers may have begun planning the February 2016 heist as early as October 2014, when, according to FireEye, the North Korean hackers first began conducting online research on banks in Bangladesh. This was never a smash-and-grab. It was a slow, methodical reconnaissance mission.
Once inside, the attackers moved carefully through the bank’s internal network. The Bangladesh Bank had four computers and four servers connected to SWIFT — the Society for Worldwide Interbank Financial Telecommunication — a network that allows banking entities worldwide to perform large transfers. Those computers and servers were also connected to the real-time gross settlement system. They were unmonitored, and the network lacked a firewall. The systems were connected to the open internet.
Read that again. The computers that controlled Bangladesh’s central bank reserves, connected to the global financial transfer network, had no firewall. And were open to the internet.
A password token protecting the SWIFT international transactions network at Bangladesh Bank was left inserted in the SWIFT server for months leading up to the heist. It is supposed to be removed and locked in a secure vault after business hours each day. It wasn’t.
The attackers had everything they needed. The credentials. The knowledge of how transfers were authorised. An understanding of the bank’s communication routines. And — crucially — a plan for when to strike.
Part 2: The Reckoning
The printer that went quiet
One early morning in February 2016, a printer suddenly stopped printing records of activity.
That was the first sign. Not a blaring intrusion alarm. Not a system-wide shutdown. A printer, going quiet.
The SWIFT terminal’s printer was supposed to produce a paper record of every outgoing transaction. It was the bank’s audit trail, the physical proof that transfers were legitimate. When the paper stopped coming, nobody immediately understood what it meant. It would take hours before the full horror became clear.
Late on Thursday, 5 February 2016, hackers attempted to siphon $950 million from Bangladesh Bank’s account held at the Federal Reserve Bank of New York, through a series of 35 fraudulent messages sent through the SWIFT interbank messaging system. The messages directed that the money be transferred to private bank accounts in Sri Lanka and the Philippines. The SWIFT messages contained the credentials necessary to authenticate the transfer requests and appeared to come from a server in Dhaka used by the Bank of Bangladesh. The New York Fed approved five of the transfers, totalling over $100 million.
Thirty transfers were blocked, not through any heroic detection, but by luck. The payments were for individual accounts at the Jupiter branch of Rizal Commercial Banking Corporation near Manila. They didn’t clear because the automated screening system flagged the word “Jupiter,” which matched the name of a totally different business that was blacklisted for circumventing sanctions against Iran.
A sanctions blacklist, designed to catch Iranian oil traders, saved hundreds of millions of dollars belonging to one of the world’s poorest nations.
But five requests had already gone through.
$20 million went to Sri Lanka. $81 million went to RCBC Bank in the Philippines.
For the Sri Lanka transfer, there was a second stroke of luck, a rare one that came down to spelling. The fraudulent Sri Lanka transaction was foiled after correspondent bank Deutsche Bank returned the payment order to Bangladesh Bank to correct the erroneous spelling of “Fandation” in the NGO’s name. The hackers had intended to route $20 million to a fictional charity called the Shalika Foundation, and misspelled the word “Foundation.” Deutsche Bank flagged it. The transfer was frozen. The $20 million was eventually recovered.
That left $81 million. And by the time anyone understood what was happening, it was already gone.
When staff returned to the office on February 6, they found a series of messages from the New York Fed, yet it was two more days before Bangladesh Bank’s team started to piece together what had happened.
Stop-payment orders were issued on 8 February 2016. Nevertheless, on the following day, the branch manager of Rizal Bank allegedly approved the withdrawal of $81 million.
February 8 was a public holiday in the Philippines. Chinese New Year. The banks were closed, the regulators were off, and the anti-money laundering watchdog had no authority over casinos. By the time Bangladesh Bank’s desperate messages reached Manila, the money was already moving.

Part 3: Behind the Curtain
The ghost army of Pyongyang
For weeks, no one officially said who had done this. The scale of the attack suggested a nation-state. The sophistication pointed east. The motive — cold, hard currency for a sanctions-strangled regime — pointed north.
Investigations by Western intelligence agencies, SWIFT, and private sector firms singled out the Lazarus Group, a North Korean cyber-espionage group previously linked to the Sony Pictures hack. The malware, infrastructure, and tactics used during the attack matched those seen in other Lazarus-linked intrusions.
The attack was attributed to members of North Korea’s Bureau 121, also known as Lazarus Group, Bluenoroff, and APT38. Bureau 121 is North Korea’s elite hacking division — a unit believed to operate partly from foreign soil to access reliable internet connections unavailable inside the country.
Kaspersky researcher Vitaly Kamluk told Reuters that the finding marked “the first time we have seen a direct connection” between North Korea and Lazarus, a hacking group whose activities dating back to 2009 have been documented by the world’s biggest cyber-security firms.
The motive was stark and simple. North Korea operates under severe international sanctions. Its access to foreign currency is limited. Cyber theft — untraceable, deniable, scalable — had become a reliable revenue stream for the Kim Jong-un regime. In the years since, tech security firms have attributed many more cryptocurrency attacks to North Korea, accumulating an estimated theft of more than $2 billion.
In September 2018, US prosecutors charged North Korean Park Jin Hyok with masterminding the raid on Bangladesh Bank, the Sony Pictures hack, and the WannaCry malware attack, and the North Korean front company Chosun Expo Joint Venture was sanctioned for the same attacks. Park remains unapprehended and on the FBI’s most wanted list.
Pyongyang has denied everything. They always do.
Part 4: How It Worked — The Technical Picture
This section explains the mechanics of the attack in plain language. If you’re here for the story, feel free to skip ahead — but this is where it gets remarkable.
The Attack Vector: Spear-Phishing
Spear-phishing: A targeted email attack — unlike a generic spam blast, it’s crafted to look credible to one specific person or organisation. Rasel Ahlam’s fake job application email was spear-phishing. The goal wasn’t to trick millions of people. It was to trick one person at Bangladesh Bank.
Persistence: Living in the Walls
Once the malware was installed, the attackers didn’t immediately act. The Lazarus Group had been lurking inside Bangladesh Bank’s computer systems for a year — giving them plenty of time to plan the attack. They watched the bank’s routines. They learned the authentication procedures. They understood exactly how SWIFT transfers were initiated and logged.
Keystroke logger: The hackers reportedly placed malware in the system in the form of a keystroke logger. A keystroke logger records every key pressed on a computer — including passwords. This is how they obtained the SWIFT credentials.
The Payload: SWIFT Manipulation
SWIFT (Society for Worldwide Interbank Financial Telecommunication): The global messaging system that banks use to instruct each other to transfer money. Think of it as the email system of international finance — but instead of words, the messages move billions of dollars.
The fraudsters gained access to the Bangladesh Bank’s computer terminals that interfaced with the SWIFT system. The messages were designed to look like authentic SWIFT communications. The attackers used malware that interfered with the bank processes that normally produce transaction confirmations (the printed records) and with the Oracle databases that retained records of messages sent via SWIFT, then used further malware to delete the evidence of that tampering.
In short: they sent fake transfer orders using real credentials, then erased the evidence before anyone could notice.
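The control that catches this is an out-of-band reconciliation: compare what the bank's own SWIFT environment says it sent (where a deleted record is simply absent) against the correspondent's statement of what actually left the account, obtained over a channel the compromised terminal cannot touch, and treat a quiet printer as a finding rather than a fault. The script below is an added illustration, not the bank's or the page's code; the CSV layouts, references and records are constructed, and the amounts merely echo the page's narrative.

```python
import csv
from io import StringIO

# Constructed sample records (not real SWIFT MT layouts). INTERNAL_LOG is the
# bank's own view of outgoing instructions; a record the attackers erased is
# simply not present here.
INTERNAL_LOG = """\
ref,amount_usd,beneficiary,confirmation_printed
BB-1001,250000,Dhaka Textile Import Co.,Y
BB-1002,1200000,Energy Fund Settlement,Y
BB-1003,475000,Chittagong Port Authority,N
"""

# The correspondent's statement of debits, fetched independently of the
# SWIFT terminal (constructed sample).
CORRESPONDENT_DEBITS = """\
ref,amount_usd,beneficiary
BB-1001,250000,Dhaka Textile Import Co.
BB-1002,1250000,Energy Fund Settlement
BB-1003,475000,Chittagong Port Authority
BB-9001,20000000,Shalika Fandation
BB-9002,81000000,RCBC Jupiter branch accounts
"""

def parse(text: str) -> dict:
    """Index CSV rows by transaction reference."""
    return {row["ref"]: row for row in csv.DictReader(StringIO(text))}

def reconcile(internal_text: str, correspondent_text: str) -> list:
    """Compare the two views and return sorted (severity, ref, finding) tuples."""
    internal = parse(internal_text)
    debits = parse(correspondent_text)
    findings = []
    for ref, debit in debits.items():
        local = internal.get(ref)
        if local is None:
            # Money left the account with no instruction on file: either a
            # message the bank never knowingly sent, or a record that was erased.
            findings.append(("CRITICAL", ref, "debit with no local instruction"))
        elif int(local["amount_usd"]) != int(debit["amount_usd"]):
            findings.append(("CRITICAL", ref, "amount mismatch: local "
                             f"{local['amount_usd']}, debited {debit['amount_usd']}"))
    for ref, local in internal.items():
        if ref not in debits:
            findings.append(("INFO", ref, "instruction not yet debited"))
        if local["confirmation_printed"] != "Y":
            # A sent message without its paper record must be explained, not ignored.
            findings.append(("HIGH", ref, "no printed confirmation for sent message"))
    return sorted(findings)

def unrecorded_total(internal_text: str, correspondent_text: str) -> int:
    """USD that left the account without any matching local instruction."""
    internal = parse(internal_text)
    return sum(int(d["amount_usd"]) for ref, d in parse(correspondent_text).items()
               if ref not in internal)

if __name__ == "__main__":
    for severity, ref, finding in reconcile(INTERNAL_LOG, CORRESPONDENT_DEBITS):
        print(f"[{severity}] {ref}: {finding}")
    print(f"unrecorded outflow: ${unrecorded_total(INTERNAL_LOG, CORRESPONDENT_DEBITS):,}")
```

Run daily against the correspondent's statement, the two CRITICAL findings with no local record would have surfaced the fraudulent messages on the first business day regardless of what the malware had deleted locally.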
The Escape Route: Casinos
The Philippines was chosen deliberately. The group that carried out the theft wanted to withdraw the cash in a jurisdiction where it was feasible to launder large amounts of it. The money withdrawn from Rizal Bank entered casinos in the Philippines that are not subject to comprehensive anti-money laundering controls.
A significant portion of the money was laundered through high-stakes baccarat tables, where large sums of cash can be anonymously wagered and quickly converted into chips. Chips in. Chips out. Clean cash.
The Timing: Weaponised Weekends
The thieves exploited the difference in the timing of weekends in Bangladesh and New York, so that queries from one country went unanswered in the other. The attack was launched when Bangladesh was starting its weekend — Friday and Saturday — while New York was still open. By the time New York’s queries came back, Bangladesh was closed. By the time Bangladesh was open again, the Philippines had begun its Chinese New Year holiday. Three time zones. Three different weekend schedules. The gap was precision-engineered.
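The gap can be mapped rather than guessed at. The added example below (not code from the page) models each party's fixed UTC offset for February 2016, its weekend days and its holidays, and scans a date range to find the query that would wait longest for an answer from each counterparty. Business hours of 09:00 to 17:00 local, the offsets and the Manila holiday date are assumptions drawn from the text.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# All datetimes below are naive and mean UTC. Offsets are fixed for Feb 2016 (no
# DST change falls inside the window) and 09:00-17:00 is an assumed business day.
# Weekday numbers follow Python: Monday = 0 ... Sunday = 6.

@dataclass(frozen=True)
class Party:
    name: str
    utc_offset_hours: int
    weekend: frozenset                                        # closed weekdays
    holidays: frozenset = field(default_factory=frozenset)   # closed local dates
    open_hour: int = 9
    close_hour: int = 17

    def local(self, utc_dt: datetime) -> datetime:
        return utc_dt + timedelta(hours=self.utc_offset_hours)

    def is_working_day(self, day: date) -> bool:
        return day.weekday() not in self.weekend and day not in self.holidays

    def is_open(self, utc_dt: datetime) -> bool:
        loc = self.local(utc_dt)
        return self.is_working_day(loc.date()) and self.open_hour <= loc.hour < self.close_hour

    def next_open(self, utc_dt: datetime) -> datetime:
        """Earliest UTC instant >= utc_dt at which the party is staffed."""
        if self.is_open(utc_dt):
            return utc_dt
        loc = self.local(utc_dt)
        for _ in range(31):
            day = loc.date()
            opening = datetime(day.year, day.month, day.day, self.open_hour)
            if opening >= loc and self.is_working_day(day):
                return opening - timedelta(hours=self.utc_offset_hours)
            loc = datetime(day.year, day.month, day.day) + timedelta(days=1)
        raise ValueError(f"{self.name}: no opening within 31 days")

def unanswered_hours(receiver: Party, sent_utc: datetime) -> float:
    """How long a query sent at sent_utc waits before the receiver can act on it."""
    return (receiver.next_open(sent_utc) - sent_utc).total_seconds() / 3600

def worst_case_lag(sender: Party, receiver: Party, start_utc: datetime, end_utc: datetime):
    """Scan the sender's staffed hours in [start, end) and return (hours, sent_at)
    for the query that would wait longest on the receiver."""
    worst_hours, worst_at = 0.0, None
    t = start_utc
    while t < end_utc:
        if sender.is_open(t):
            lag = unanswered_hours(receiver, t)
            if lag > worst_hours:
                worst_hours, worst_at = lag, t
        t += timedelta(hours=1)
    return worst_hours, worst_at

# The three parties in the heist, with schedules as the page describes them.
DHAKA = Party("Bangladesh Bank, Dhaka", +6, frozenset({4, 5}))            # Fri/Sat weekend
NEW_YORK = Party("Federal Reserve Bank of New York", -5, frozenset({5, 6}))
MANILA = Party("RCBC, Manila", +8, frozenset({5, 6}), frozenset({date(2016, 2, 8)}))  # Chinese New Year

if __name__ == "__main__":
    window = (datetime(2016, 2, 4), datetime(2016, 2, 10))
    for sender, receiver in [(NEW_YORK, DHAKA), (DHAKA, NEW_YORK), (DHAKA, MANILA)]:
        hours, at = worst_case_lag(sender, receiver, *window)
        print(f"{sender.name} -> {receiver.name}: worst wait {hours:.0f}h for a query sent {at:%a %d %b %H:%M} UTC")
```

Over 4 to 9 February the model shows a New York query raised on Thursday afternoon waiting about 61 hours for a Dhaka answer, and a Dhaka stop-payment sent on Sunday waiting about 46 hours for Manila to reopen; those are the windows a contingency escalation procedure has to cover.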
Part 5: The Aftermath
What $81 million costs
No patients lost their lives. No hospitals went dark. This was not a humanitarian disaster in the same register as some attacks. But the consequences were profound — and they stretched far beyond Dhaka.
Bangladesh is not a wealthy country. The central bank had approximately $32 billion in reserves as of 2022. The loss of $81 million was not catastrophic in absolute terms — but it was humiliating. It exposed the central bank of a nation as defenceless against a laptop and a fake CV.
The Bangladesh Bank governor, Atiur Rahman, resigned. He later told Reuters he had only learned of the heist after it hit the news headlines — a month after it happened.
In the Philippines, the fallout was severe. A trial court found former RCBC bank manager Maia Santos Deguito guilty of eight counts of money laundering and fined her $109 million. She faces a prison sentence of up to 56 years.
Recovery of the funds was agonisingly slow. More than four years after the attack, only $15 million had been recovered and only one person had been convicted.
Then, in a development that stunned observers, on September 21, 2025, a Dhaka court delivered a landmark verdict, formally ordering the confiscation of the $81 million that had been traced to RCBC in the Philippines. Nearly a decade after the theft, the legal wheels had finally turned. Whether the money can actually be repatriated remains uncertain.
The wider cost to the global financial system was harder to quantify but unmistakable. SWIFT — trusted by thousands of institutions worldwide — had been used as a weapon. SWIFT issued a written warning asking banks to review internal security, and staff began calling banks to highlight the importance of reviewing security measures. The message underneath was uncomfortable: the system itself was not the problem. The banks connecting to it were.
Part 6: Lessons Learned
For Organisations
1. The weakest link is almost always human. The entire $81 million heist started with one person opening a suspicious email. Phishing awareness is not a nice-to-have training exercise — it is a core security control.
2. Absence of a firewall is not a cost-saving measure. It is an invitation. Bangladesh Bank’s SWIFT terminals were connected to the open internet with no firewall between them and the world. This is an elementary failure. Critical infrastructure must be segmented from general network traffic as a baseline requirement.
3. Security tokens exist for a reason. The password token for SWIFT was supposed to be locked in a vault each night. It wasn’t. Physical security procedures around digital access are not bureaucratic theatre — they are the last line of defence.
4. Log everything. Monitor everything. The attackers were able to delete transaction logs and disable the SWIFT printer feed without triggering any alarm. Immutable audit logging — logs that cannot be modified or deleted by any user — would have surfaced the intrusion far sooner.
5. Know your weekend exposure. The attackers timed the attack to exploit three overlapping holiday schedules. Organisations with international financial exposure should map their communication blackout windows and build contingency escalation procedures for exactly these gaps.
6. Assume your credentials can be stolen. Even legitimate authentication can be compromised if the device holding the credentials is infected. Multi-factor authentication and behavioural anomaly detection on privileged accounts can catch misuse even when the credentials themselves are valid.
7. Your suppliers and network partners are part of your attack surface. RCBC allowed $81 million to be withdrawn despite a stop-payment order. Evaluate the security and compliance culture of every institution in your financial chain.
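Lesson 4 in practice: a hash-chained log makes every entry commit to the one before it, so editing or removing a record breaks the chain, and anchoring the latest hash somewhere the log's own host cannot write (a nightly printout, a separate system) also catches an attacker who simply drops the newest entries. This is an added illustration with constructed transfer records, not the page's or any product's code.

```python
import hashlib
import json

GENESIS = "0" * 64  # the chain starts from a fixed, public value

def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))  # canonical form
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class HashChainedLog:
    """Append-only log: every entry commits to its predecessor, so editing or
    removing an entry invalidates everything after it."""

    def __init__(self):
        self.entries = []

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, record: dict) -> str:
        prev = self.head()
        h = entry_hash(prev, record)
        self.entries.append({"seq": len(self.entries), "record": record, "prev": prev, "hash": h})
        return h

def verify(entries: list, anchored_head: str = None) -> tuple:
    """Return (ok, reason). anchored_head is the latest hash as held outside the
    log's host; without it, lopping entries off the tail goes unnoticed."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"chain broken at position {i}"
        if entry_hash(prev, e["record"]) != e["hash"]:
            return False, f"entry {i} altered"
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head does not match anchored value (tail truncated?)"
    return True, "ok"

def tamper_demo() -> dict:
    """Build a small log of constructed transfer records, then show how each
    kind of tampering looks to verify()."""
    log = HashChainedLog()
    for ref, amount in [("BB-1001", 250_000), ("BB-1002", 1_200_000), ("BB-1003", 475_000)]:
        log.append({"type": "MT103", "ref": ref, "amount_usd": amount, "operator": "ops-desk-1"})
    anchor = log.head()  # imagine this printed and locked in the vault each evening

    def clone() -> list:  # independent copy to tamper with
        return json.loads(json.dumps(log.entries))

    deleted = clone()
    del deleted[1]                                    # erase the middle entry
    edited = clone()
    edited[0]["record"]["amount_usd"] = 81_000_000    # rewrite an amount in place
    truncated = clone()[:-1]                          # silently drop the newest entry
    return {
        "intact": verify(log.entries, anchor),
        "deleted_middle": verify(deleted, anchor),
        "edited_amount": verify(edited, anchor),
        "truncated_unanchored": verify(truncated),
        "truncated_anchored": verify(truncated, anchor),
    }

if __name__ == "__main__":
    for case, result in tamper_demo().items():
        print(f"{case:22s} -> {result}")
```

The truncated_unanchored case is the caveat: a hash chain on its own proves only that what remains is consistent, so the external anchor (or a write-once store) is what turns it into an immutable record.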
For Individuals
Think before you download. The entire attack began with someone downloading a CV from an email. If an attachment or link arrives unexpectedly — even from someone who appears credible — verify through a separate channel before you open it.
Know how your bank would actually contact you. Legitimate banks and financial institutions will not ask you to click links to verify credentials. Knowing what a real request looks like makes the fake ones easier to spot.
Use multi-factor authentication everywhere. On your banking apps, your email, your cloud storage. If your password is stolen, a second factor buys you critical time.
Part 7: The Bigger Picture
When a nation-state goes to the bank
The Bangladesh Bank heist was not a one-off. It was a proof of concept.
In the ensuing investigation, it came to light that at least two, and possibly more, other cases had recently occurred where fraudsters used similar methods. SWIFT attacks proliferated across Asia, Europe, and beyond in the years that followed. The playbook had been written and shared — or, more precisely, the same group was running it at scale.
What the Bangladesh heist demonstrated — for the first time at this level of ambition — was that a nation-state could use cyber operations as a substitute for conventional foreign exchange. North Korea, locked out of the international financial system by sanctions, had found a workaround. Not through diplomacy. Not through trade. Through malware and a fake job application.
An analysis of a new attack in 2017 predicted that it could foreshadow North Korea embracing cryptocurrency to bypass traditional banking systems. That prediction proved accurate. Since 2016, North Korean hackers have stolen billions in cryptocurrency — a domain even harder to regulate and trace than wire transfers.
There is also a systemic question that this attack raised, and that the global financial community has not fully resolved: the SWIFT network assumes its member institutions are secure. It authenticates the message, not the environment that sent it. When that environment is compromised, the authentication becomes meaningless. The trust model of international banking — built for a world of locked vaults and physical signatures — was not designed for a world in which a keystroke logger could capture your master credentials and nobody would notice for a year.
A worse version of this attack is possible. It is more than possible — it is imaginable in clear detail. A simultaneous attack on multiple central banks. Transfers routed through jurisdictions with weaker AML regimes. Laundering operations that move faster than legal mechanisms can respond. The Bangladesh heist was stopped at $81 million in part by luck, a typo, and an Iranian sanctions list. Luck is not a security strategy.
Conclusion
In the end, what stopped the theft of nearly a billion dollars from one of the world’s poorest countries was the misspelling of a single word.
Fandation.
Not a firewall. Not a security operations centre. Not an intrusion detection system. A typo.
That is the story of the Bangladesh Bank heist in a single syllable. Not a story about sophisticated defences meeting sophisticated attackers. A story about how completely unprepared a major financial institution can be, and how catastrophically the consequences can cascade before anyone is even awake enough to notice.
The money has been chased across three continents, through casinos and shell accounts and court systems, for nearly a decade. Most of it remains unrecovered. The man believed to have masterminded it is a ghost on an FBI most-wanted list in a country that refuses to acknowledge he exists.
What remains is the lesson. Not a new one — but one that keeps having to be relearned, at greater and greater cost: the most dangerous vulnerabilities in any system are not the ones in the code. They are the ones in the habits. The password token left in the server overnight. The email attachment opened without a second thought. The printer that stopped printing, and the hours it took for anyone to ask why.
Security is not a product you purchase. It is a discipline you practice — or, eventually, an $81 million price you pay for having neglected it.
Sources & Further Reading
- US Department of Justice Criminal Complaint (2018): Charges against Park Jin Hyok — https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and
- National Security Archive — Tainted Trove (detailed timeline): https://nsarchive.gwu.edu/news/cyber-vault/2019-02-20/tainted-trove
- Bangladesh Bank v. Rizal Commercial Banking Corp — Complaint (2019): US District Court, Southern District of New York
- Reuters — “How a typo helped stop a $1 billion bank heist” (March 2016): https://fortune.com/2016/03/10/typo-bangladesh-bank-heist
- CSO Online — “10 years later, Bangladesh Bank cyberheist still offers lessons” (February 2026): https://www.csoonline.com/article/4131864/10-years-later-bangladesh-bank-cyberheist-still-offers-cyber-resiliency-lessons.html
- Dhaka Tribune — “The Lazarus Heist: How North Korea almost stole $1 billion” (June 2021): https://www.dhakatribune.com/world/250266/the-lazarus-heist-how-north-korea-almost-stole-1
- PCIJ — “What went before: The Bangladesh Bank heist” (2020): https://pcij.org/2020/09/21/what-went-before-the-bangladesh-bank-heist/
- KPMG — “Bangladesh Bank hack: Weakest links” (2016): https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2016/08/swift-it.pdf
- ISACA Journal — “Lessons Learned From the Bangladesh Bank Heist” (2023, Vol. 6): https://www.isaca.org/resources/isaca-journal/issues/2023/volume-6/lessons-learned-from-the-bangladesh-bank-heist
- BAE Systems Applied Intelligence — SWIFT malware analysis (April 2016): https://www.bankinfosecurity.com/report-swift-hacked-by-bangladesh-bank-attackers-a-9061
- Kaspersky — Lazarus Group Report (2017): 58-page technical report on the group’s tools, infrastructure, and attribution
- FireEye / Mandiant — Bangladesh Bank investigation findings (2016)
- Fortune — “New Evidence Links North Korea to Huge Bank Heist” (April 2017): https://fortune.com/2017/04/03/bangladesh-bank-hacking-north-korea
Chronicles of Compromise — making the cost of complacency impossible to ignore. http://www.chroniclesofcompromise.com