Timeline of Cyber Incidents Involving Financial Institutions

Newsletter
About the Timeline

About the Timeline

The timeline tracks cyber incidents involving financial institutions dating back to 2007. The timeline is based on Carnegie research and data BAE Systems’s threat intelligence team shares with Carnegie on a monthly basis and are subsequently added to the timeline. The incidents are coded using several indicators and can be filtered accordingly:

incident type;
target country and target region, which include information about the physical location of the victim(s);
actor type, which includes information about the attacker to the extent known;
attribution, which includes an assessment of the level of confidence in the information about the attacker; and
other details about the incident summarized in a short narrative text.

With respect to associating a specific date with a cyber incident, which may be part of a longer cyber operation, the dates for each event are chosen intuitively either using the starting date/month of the incident, if known, or when the incident was first reported. For further questions about the methodology, please contact the team here.

When citing this resource, please use the following format:

Carnegie Endowment for International Peace and BAE Systems. Timeline of Cyber Incidents Involving Financial Institutions. FinCyber Initiative, Carnegie Endowment for International Peace. https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline (access date).”

About the FinCyber Timeline

This timeline chronicles ~200 cyber incidents targeting financial institutions since 2007, and can be filtered by country, region, year, attribution, incident type, and actor type. Cybersecurity risks to the financial system have grown in recent years, in part because the cyber threat landscape is worsening; in particular, state-sponsored cyberattacks targeting financial institutions are becoming more frequent, sophisticated, and destructive. In 2017, the G20 warned that cyberattacks could “undermine the security and confidence and endanger financial stability.”

To keep track of the evolution of the threat landscape, Carnegie’s Technology and International Affairs Program updates this timeline with data from provided by the Cyber Threat Intelligence unit of BAE Systems. The timeline has not been designed to cover every single incident but rather to provide insight into key trends and how the threat landscape is evolving over time.

The FinCyber Project

The FinCyber Strategy Project

Type: Unknown
Attribution: Unknown

Description

On February 25, 2022, global insurance and reinsurance broker, Aon was hit by a ransomware attack, causing limited disruption to a number of their services. The attack reportedly left no significant impact on the company, and Aon has not disclosed further details about the incident.

Ukrainian government and banking sector DDoS

February 15

Learn More

Target

Location: Ukraine Date Breach First Reported: 2/16/2022

Incident

Method: DDoS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On February 15, 2022, the web portal of Ukraine’s defence ministry and the banking and terminal services at several large state-owned lenders were downed in the largest DDoS attacks to hit the country to date. The Ukrainian government publicly attributed the incident to Moscow. The Kremlin has denied involvement for the operation, which hit Ukraine at a time when the country is bracing itself for a possible invasion from Russian forces.

IRA Financial Trust cryptocurrency theft

February 8

Type: Unknown
Attribution: Unknown

Description

Qubit Finance cryptocurrency theft

January 27

On January 27, 2022, decentralized finance platform Qubit Finance suffered a breach, in which threat actors were able to steal $80 million worth of cryptocurrency.

Type: Unknown
Attribution: Unknown

Description

On January 17, 2022, Multichain, a platform that allows users to swap tokens between blockchains, lost approximately $1.4 million when hackers exploited a vulnerability in the blockchain service. One of the attackers is now negotiating with the victims to return 80% of the stolen funds and keep the remaining 20% as a ‘tip’.

Crypto.com 2FA bypass hack

January 17

Learn More

Target

Location: Multiple Date Breach First Reported: 1/17/2022

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On January 17, 2022, major cryptocurrency exchange Crypto.com suffered a cyber attack that led to unauthorized withdrawals of bitcoin and Ether worth $35 million and affected at least 483 user accounts. The exchange has subsequently instituted strict 2FA measures a fund restoration program for qualifying users.

OP Financial Group cyberattack

January 9

On January 9, 2022, the biggest bank in Finland, OP Financial Group suffered a cyberattack which disrupted its services.

Learn More

Target

Location: Finland Date Breach First Reported: 1/11/2022

Incident

Method: Unknown
Type: Disruption

Actor

Type: Unknown
Attribution: Speculated

Description

National Bank of Pakistan attack

October 29

Target

Location: United States Date Breach First Reported: 10/25/2021

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On October 28, 2021, researchers from Positive Technologies discovered vulnerabilities in the Wincor Cineo ATMs, owned by Diebold Nixdorf, an American multinational financial and retail technology company. With access to the dispenser controller's USB port, outdated or modified firmware could be installed to bypass the encryption and make cash ATM withdrawals.

Method: Malware
Type: Theft

Actor

Type: N/A
Attribution: N/A

UK Insurer Recovers from Ransomware Attack

May 25

On May 25, 2021, UK-based insurance firm One Call stated that it had successfully restored its systems onto a new environment separate from the one that was impacted by a ransomware attack on May 13, adding that a ransomware note purportedly from DarkSide could not be verified as authentic.

Learn More

Target

Location: United Kingdom
Date Breach First Reported: 5/25/2021

Incident

Method: Ransomware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Small Banks Face Ransomware Attacks

May 24

On May 24, 2021, two ransomware groups, DarkSide and Ragnar Locker, demanded ransom from three small banks after posting evidence of stolen customer data belonging to the banks.

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On May 12, 2021, Sophos, a cybersecurity firm, identified 167 fake Android and iOS financial trading, banking, and cryptocurrency apps being used by hackers to steal money. The attackers used social engineering techniques, counterfeit websites including a fake iOS App Store download page, and an iOS app-testing website to distribute the fake apps to unsuspecting users.

Learn More

Target

Location: North Korea
Date Breach First Reported: 2/17/21

Incident

Method: N/A
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On February 17, 2021, a federal indictment charged three North Korean computer programmers with participating in a wide-ranging criminal conspiracy including conducting a series of destructive cyberattacks, stealing and extorting more than $1.3 billion of money and cryptocurrency from financial institutions and companies, creating and deploying multiple malicious cryptocurrency applications, and developing and fraudulently marketing a blockchain platform. The suspects were believed to have been working for the North Korean military and were linked to the prolific North Korean threat group Lazarus. The trio are thought to be behind cyberattacks beginning as early as November 2014 targeting the media industry.

January 1

At the beginning of January 2021, a cybersecurity firm discovered a new Android banking trojan dubbed as TeaBot.

Learn More

Target

Location: N/A
Date Breach First Reported: 05/10/21

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Description

On Monday, November 16, Australia's stock exchange halted trading 20 minutes after opening due to a software issue that caused inaccurate market data. The problem was remedied overnight and the exchange reopened on Tuesday.

September 23

Type: Non-state actor
Attribution: High confidence

Payments Processor Juspay Data Leak

August 18

On August 18, 2020, payments processor Juspay's was hacked through a compromised server, resulting in the leak of over 100 million debit and credit card users.

July 15

On July 15, several notable Twitter accounts including Joe Biden and Elon Musk were hacked to post a Bitcoin address purporting to double any contributions to the address.

Learn More

Target

Location: United States
Date Breach First Reported: 7/15/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 15, several notable Twitter accounts including Joe Biden and Elon Musk were hacked to post a Bitcoin address purporting to double any contributions to the address. The spear phishing operation targeted Twitter employees and was able to gain access to admin-level tools; in all, the hackers made more than $113,500.

On July 31, a 17-year-old suspect related to the recent Twitter Bitcoin scam was arrested in Florida.

Argenta ATM Attack

July 13

On July 13, Argenta, a Belgian savings bank shut down 143 cash machines after suffering a cyber-attack from unknown criminals.

Learn More

Target

Location: Belgium
Date Breach First Reported: 7/13/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 13, Argenta, a Belgian savings bank shut down 143 cash machines after suffering a cyber-attack from unknown criminals. The attack was self-reported by Argenta, who refused to say how much money was affected. The criminals tried to leverage the technique known as 'jackpotting' to take control of the cash machines.

Spanish Crypto App Malware

July 12

In July 2020, Avast found Cerberus malware hidden in a cryptocurrency converter app used to infect victims of Android devices.

Learn More

Target

Location: N/A
Date Breach First Reported: 7/12/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In July 2020, Avast found Cerberus malware hidden in a cryptocurrency converter app used to infect victims of Android devices.

Primarily used by Spanish speaking users, the dropper embedded in the app later became active to download another malicious APK. Shortly after the malicious C&C communication was seized and the malware became dormant/harmless once again. The app had amassed thousands of downloads before being taken down.

SEC Warning of Ransomware Attacks on US Banks

July 10

On July 10, the SEC issued a warning about a rise in ransomware attacks on U.S. financial firms.

Method: Multiple
Type: Multiple

Actor

Type: Speculated
Attribution: Speculated

Description

On June 25, 2020, researchers identified a new backdoor trojan, dubbed 'GoldenSpy,' in Chinese tax software. Shortly after the discovery, the actors behind it delivered a silent uninstaller to remove all traces of the said malware. While the attribution remains unknown, researchers speculated that it has the characteristics similar to a coordinated APT campaign that focuses on foreign companies operating in China.

Researchers further uncovered an earlier campaign tied to GoldenSpy malware that came installed with Chinese tax software. New evidence suggests that GoldenSpy was preceded by another piece of malware that employed similar capabilities to infect taxpayers within China. This earlier version of GoldenSpy is called GoldenHelper."

IcedID Banking Trojan Using COVID-19 lures

June 22

On June 22, 2020, researchers identified a new variant of the IcedID banking trojan that uses COVID-19 related phishing lures.

Type: Unknown
Attribution: Unknown

Description

Banco BCR Data Breach

May 21

On May 21, 2020, the operators of the Maze Ransomware released 2GB of data, including credit card credentials, from Banco BCR, the state-owned Bank of Costa Rica.

Learn More

Target

Location: Costa Rica
Date Breach First Reported: 5/23/20

Incident

Method: Ransomware
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

On May 21, 2020, the operators of the Maze Ransomware released 2GB of data, including credit card credentials, from Banco BCR, the state-owned Bank of Costa Rica. Notably, the attackers claimed they decided not to encrypt Banco BCR data with ransomware because “the possible damage was too high.”

Three weeks previously on May 1, 2020, the operators announced that they had breached Banco BCR, first in August 2019, and then in February 2020 at which point they stole 11 million credit card credentials and other data.

Nigerian Hacking Group Targets US Unemployment Systems

May 14

On May 14, the U.S. Secret Service Bulletin alerted citizens to multiple fraudulent claims targeting state unemployment benefit programs.

Learn More

Target

Location: United States
Date Breach First Reported: 5/14/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Non-state actor
Attribution: Speculated

Method: Malware
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

On April 13, 2020, IBM researchers reported that Spanish banks had been the target of by a Brazilian banking Trojan, Grandoreiro, in a campaign lasting months. The campaign exploits the Coronavirus outbreak by using videos themed on the pandemic that convince users to run a hidden executable.

Grandoreiro is a remote-overlay banking trojan that, upon a user accessing their online banking, can display images to impersonate said bank. This allows attacks to then then move money from the victims accounts. The malware executes upon access to a hardcoded list of entities, mostly local banks.

South Korean and US Payment Card Leak

April 9

On April 9, 2020, a cache of 400,000 payment card records from banks in South Korea and the U.S. were uploaded to a well-known underground marketplace.

Learn More

Target

Location: South Korea, United States
Date Breach First Reported: 4/24/20

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On April 9, 2020, a cache of 400,000 payment card records from banks in South Korea and the U.S. were uploaded to a well-known underground marketplace.

According to Group-IB, a security firm, the data dump was identified as the biggest sale of South Korea related bank records in 2020. The database contained mostly Track 2 information, meaning the data stored on the magnetic stripe of a card such as the bank identification number (BIN), the account number, expiration date and CVV.

Turkey Dog Continues To Claim Victims

April 1

Operating since April 2020, Turkey Dog activity has been luring unaware Turkish speakers into downloading malicious Android trojans through fake click-baits.

Learn More

Target

Location: Turkey
Date Breach First Reported: 2/24/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Operating since April 2020, Turkey Dog activity has been luring unaware Turkish speakers into downloading malicious Android trojans through fake click-baits. The banking trojans, Cerberus and Anubis, have been used to steal user credentials to gain access to bank accounts.

US, Canadian, Australian Banks Hit By Banking Trojan

March 30

On March 30, researchers reported that U.S., Canadian, and Australian banks were being increasingly targeted by Zeus Sphinx, a banking trojan that had been dormant for three years.

Learn More

Target

Location: United States, Canada, Australia
Date Breach First Reported: 5/11/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On March 30, researchers reported that U.S., Canadian, and Australian banks were being increasingly targeted by Zeus Sphinx, a banking trojan that had been dormant for three years. The attackers target those waiting on government relief payments from Covid-19.

The campaign used COVID-19 as a lure, such as sending booby-trapped document files named “COVID 19 relief.” Zeus Sphinx gained notoriety in 2015 for being used to target major financial institutions in the UK, and eventually in Brazil, Australia and North America. This version of the malware underwent core changes in its persistence mechanism, injections tactics, and bot configuration.

Monte de Paschi Bank Attack

March 30

On March 30, 2020, attackers breached email accounts of employees at Monte dei Paschi bank, an Italian state-owned bank, and sent messages to clients with voice mail attachments.

Method: Ransomware
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

Description

On April 7, 2021, VISA warned that threat actors are increasingly deploying web shells on compromised servers to exfiltrate credit card information stolen from online store customers. At least 45 eSkimming attacks occured in 2020 using web shells.

2019

Travelex Hit with Sodinokibi

December 31

Target

Location: United States
Date Breach First Reported: 12/19/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On December 10, 2019, Wawa Inc., a U.S.-based convenience store chain, discovered that its payment card processing systems had been breached for a 9-month long period in which customers in any of its worldwide locations could have had their card data stolen. On January 27, 30 million card details believed to be part of the breach posted for sale online, including card numbers and expiration dates. Pins and CVV records were not exposed.

Iranian Debit Card Breach

December 10

Learn More

Target

Location: Iran
Date Breach First Reported: 12/10/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Method: Unknown
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On November 1, 2019, authorities apprehended twelve individuals over a cyber-fraud attempt on Equity Bank Rwanda. The individuals include eight Kenyans, three Rwandans, and one Ugandan who were attempting to hack the local bank. Officials noted that the hack was thwarted and that the fraudsters did not steal any funds.

460,000 Turkish Card Details for Sale

October 28

Learn More

Target

Location: Turkey
Date Breach First Reported: 12/11/19

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On December 11, 2019, it was reported that 463,378 Turkish payment cards from Turkish banks had been posted for sale online between late October and late November, for an estimated total value of USD $500,000. Full card details were available as well as personal data including emails and phone numbers. Security researchers from Group-IB speculated the payment card information was stolen from online card payments using a JavaScript-based skimmer, such as Magecart.

Johannesburg City Breach

October 24

On October 24, 2019, the City of Johannesburg reported a breach of its network and shut down its website and all e-services.

Learn More

Target

Location: South Africa
Date Breach First Reported: 10/25/19

Incident

Method: Unknown
Type: Data breach

Actor

Type: Non-state actor
Attribution: Speculated

Description

On October 24, 2019, the City of Johannesburg reported a breach of its network and shut down its website and all e-services. Earlier that day, the city had received a bitcoin ransom note from a group called the Shadow Kill Hackers, who demanded payment of 4.0 bitcoins by October 28. The hack appeared to occur at the same time as several South African banks reported internet problems believed to also be related to cyber attacks.

SABRIC DDoS Attacks

October 23

Learn More

Target

October 4

Target

Location: Germany
Date Breach First Reported: 9/16/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack compromising the information of the site’s newsletter subscribers. The ECB reported that no market-sensitive data was compromised in the attack, and it planned to contact the 481 individuals whose names, email addresses, and titles may have been accessed by hackers.

Hong Kong Exchanges and Clearing Limited DDoS Attack

September 6

Type: Non-state actor
Attribution: High confidence

Description

On August 23, 2019, it was reported that financial institutions in Bulgaria, Chile, Costa Rica, and Ghana were compromised by the Silence Group. Since 2016, the Silence Group had stolen a cumulative $4.2 million USD from banks in Eastern and Western Europe and Asia.

Since 2018, Silence has sent over 170,000 phishing attacks to financial institutions. The group has refined its techniques since it was first spotted in 2016. Silence now uses fileless techniques, repurposed open-source projects, and old vulnerabilities.

Binance Ransomware

August 6

Learn More

Target

Location: Malta
Date Breach First Reported: 8/6/2019

Incident

Method: Ransomware
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

On August 6, Malta-based cryptocurrency exchange Binance became the victim of ransomware when attackers demanded 300 bitcoin (around $3.5 million at the time) in exchange for a Know Your Customer (KYC) database containing the personal information of around 10,000 users. The KYC database allegedly contained personal identification information and photographs of users with documents like passports. The company contested the authenticity of the documents, claiming that they lacked digital watermarks, refused to pay the ransom, and contacted law enforcement for assistance in pursuing the attacker(s).

Type: Non-state actor
Attribution: High confidence

Description

On May 31, 2019, the Silence Group stole $3 million from Bangladesh’s Dutch Bangla Bank via ATM cash outs. Three other undisclosed financial institutions in India, Sri Lanka, and Kyrgyzstan were also attacked in the same timeframe. Until recently, Silence had focused on Russia and the Commonwealth of Independent States.

Local media found a video of two Ukrainian men visiting Dutch Bangla Bank ATMs, making a phone call, and then withdrawing large sums of money.

Upbit Attempted Crypto Heist

May 25

On May 25, 2019, attackers attempted to steal from Upbit, a South Korean cryptocurrency exchange, but were thwarted by East Security, a security firm.

Learn More

Target

Location: South Korea
Date Breach First Reported: 08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On May 25, 2019, attackers attempted to steal from Upbit, a South Korean cryptocurrency exchange, but were thwarted by East Security, a security firm. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Attackers sent phishing emails to Upbit users in an attempt to steal their funds. It appears as though no losses have resulted from the emails.

First American Financial Corp.

May 24

On May 24, First American Financial Corp. suffered a data breach compromising around 885 million files related to mortgage deeds.

Method: Malware
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan in Germany and Switzerland. Retefe is a malware that installs the Tor internet browser to redirect infected devices to spoofed banking sites. The Trojan is typically delivered through email attachments and often attempts to trick users into downloading spoofed mobile Android applications to bypass two-factor authentication.

In the past, Retefe campaigns have targeted several European countries. In November 2016, Retefe targeted Tesco Bank and other UK financial institutions. In September 2017, an updated version of Retefe leveraged the EternalBlue exploit in a campaign against Swiss targets. Since April, the Trojan has reemerged in German and Swiss banks.

Silence Targets Banks in UK, India, and South Korea

April 23

On April 23, 2019, it was reported the Silence Group had targeted financial institutions in the UK, India, and South Korea since the end of 2018, and had stolen from at least one institution.

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 27, 2019, attackers stole $49 million from a bank in Kuwait. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

While the UN Security Council Panel of Experts did not reveal the name of the bank in Kuwait, the Gulf Bank of Kuwait announced a technical failure in its system of international remittances on Twitter on March 27.

DragonEx Crypto Heist

March 24

On March 24, 2019, $7 million in virtual currency was stolen from DragonEx, a Singapore based cryptocurrency exchange.

Learn More

Target

Location: Singapore
Date Breach First Reported: 03/24/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

Description

On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down operations after an attempted theft of €13 million. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Attackers made multiple transfer requests from the Maltese bank to accounts in the UK, United States, Czech Republic, and Hong Kong. The bank’s employees discovered the fraudulent activity during their daily reconciliation of international orders. Within the hour, BOV notified other banks in an attempt to freeze the transactions. It also closed all its branches, shut down its ATMs and point-of-sale system, and stopped all other electronic services, which were restored the following day. In a statement, BOV said it was working with local and international police authorities to track down the attackers. On January 30, 2020, the UK's National Crime Agency issued arrests in London and Belfast, suspected to be in connection to the BOV heist.

U.S. Credit Union Spear-Phishing

February 8

Multiple credit unions in the United States were hit by spear-phishing emails impersonating compliance officers from other credit unions.

Target

Location: United Kingdom
Date Breach First Reported: 2/2/2019

Incident

Method: Other
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an attempt to avoid detection by U.S. law enforcement. A Fuze card is a data storage device that looks like a bank card, but can hold account data for up to thirty cards. Using smartcard technology can help criminals avoid raising suspicions at payment points or if stopped by authorities, as it reduces the need for them to carry large numbers of counterfeit cards on their person.

Janeleiro Malware Targets Brazilian Organizations

January 1

On April 6, 2021, a security firm reported a new banking trojan called Janeleiro that has been targeting corporate users in Brazil since 2019.

Learn More

Target

Location: Brazil
Date Breach First Reported: 4/6/2021

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On April 6, 2021, a security firm reported a new banking trojan called Janeleiro that has been targeting corporate users in Brazil since 2019. The affected sectors include engineering, healthcare, retail, manufacturing, finance, transportation, and government. The malware steals the personal information and banking credentials of users through fake pop-ups that imitate Brazilian banks websites.

2018

Evercore Breach

December 23

In November, hackers breached Evercore gaining access to thousands of sensitive documents from the global investment bank.

Type: Nonstate actor
Attribution: Speculated

Description

In mid-December, a report revealed that over 2,000 mobile banking users in Brazil downloaded an Android-based Trojan through Google Play applications. Victims unknowingly downloaded the malware, allowing attackers to gain access to user devices and data. The “Android.BankBot.495” malware was designed to read the victim’s information when they logged into their mobile banking app. Reports suggest that the malware also targeted apps such as Uber, Netflix, and Twitter using phishing tactics.

ThreadKit Exploit

December 11

Type: Nonstate actor
Attribution: High Confidence

Description

On November 14, two Venezuelan men were found guilty of jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand. From February to March, the duo stole $125,000 from four ATMs in Indiana, Kentucky, Wisconsin, and most recently Michigan, where they were apprehended.

Postbank Internal Data Breach and Fraud

December 1

Learn More

Target

Location: South Africa
Date Breach First Reported: 06/18/2020

Incident

Method: Multiple
Type: Theft

Actor

Type: Insider
Attribution: Speculated

Description

Description

On September 14, 2018, approximately $60 million in virtual currency was stolen from Zaif, a Japanese cryptocurrency exchange.

The attackers accessed the exchange’s hot wallets to steal roughly $60 million in bitcoin, bitcoin cash, and MonaCoin. The identity of the attackers remains unknown.

Russian Bank Heists by Silence Group

September 5

First reported in 2018, Russian-speaking hackers, dubbed Silence by researchers at Group IB, targeted Russian banks, stealing $550,000 within a year.

Target

Location: India
Date Breach First Reported:8/11/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In August 2018, it was reported that Cosmos Bank, the second-biggest cooperative bank in India, lost $13.5 million through ATMs in twenty-eight countries as well as through unauthorized interbank transactions. The attackers seem to have stolen card information and also set up their own proxy server so transactions with stolen details would not trigger alarms. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Over the course of just a few hours on August 11, the group coordinated almost 15,000 transactions to cash out funds through ATMs worldwide using compromised Visa and Rupay cards. Two days later, the attackers made further fraudulent transactions through the bank’s interface to the SWIFT messaging system—a technique used in numerous bank attacks, including against fellow Indian lender City Union Bank (CUB) in February.

The parallels with the CUB heist continued after police arrested several suspects accused of taking the funds from ATMs. Four of the people involved also admitted playing a role in the earlier theft, according to investigators in September.

The attack left Cosmos’s online banking service offline for more than a week, and the funds have not been recovered. There were signs that an attack on a bank was coming. Two days before the incident, the FBI issued a warning to banks about an imminent ATM cash-out scheme, without providing further public details.

May 12

Learn More

Target

Location: Mexico
Date Breach First Reported:5/12/2018

Incident

Method: Software vulnerability
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Banco de Mexico warned a dozen banks to upgrade their security following $15 million in fraudulent cash withdrawals from five institutions linked to the central bank’s electronic payments system, SPEI. A vulnerability in third-party software connected to SPEI was used by unknown attackers to get into the system and make a series of fraudulent transactions before cashing out.

The investigators have not made clear whether each victim bank was compromised, or whether the attackers moved between them following the initial breach. It is also unclear whether the gang had insider help to clear large transactions through the banks’ security checks. The incidents delayed legitimate transfers but the central bank said client money and the SPEI infrastructure were unaffected.

Following the thefts, Banco de Mexico set up a new cybersecurity unit and asked its members to move to an in-house, encrypted software with SPEI. The incident came five months after Bancomext, the state-owned trade bank, blocked attempts to siphon off $110 million via a compromise in the network that granted attackers access to the global SWIFT interbank system.

DDoS-for-Hire

April 1

Learn More

Target

Location: Western Europe
Date Breach First Reported:4/1/2018

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In April 2018, it was revealed that authorities in five countries worked together to take down Webstresser, a DDoS-for-hire site they said was behind up to 6 million attacks around the world over three years. The site was used to launch a coordinated attack on seven UK banks in November 2017, according to the UK’s National Crime Agency. Several people have been arrested, and the U.S. Department of Defense seized the website.

Malaysian Central Bank Attempted SWIFT Heist

March 29

On March 29, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $390 million from the Malaysian Central Bank.

Learn More

Target

Location: Malaysia
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 29, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $390 million from the Malaysian Central Bank.

According to the Malaysian Central Bank no funds were stolen during the incident and the bank's payment systems remained unaffected and operational. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Rapid Raids Jackpotting

March 19

In March 2018, two Venezuelan men were arrested for jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand.

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On February 9, 2018, BitGrail, a small Italian cryptocurrency exchange, announced that attackers had stolen $170 million in Nano, a cryptocurrency. The identity of the attackers remains unknown.

Infraud Gang

February 7

Type: State-sponsored actor
Attribution: High confidence

Description

On January 26, 2018, $534 million worth of NEM, a cryptocurrency was stolen from Coincheck, a Japanese cryptocurrency exchange, forcing Coincheck to freeze all transactions.

In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. NEM Foundation president Lon Wong called the incident, “the biggest theft in the history of the world.” Group-IB, a Singapore-based security firm, also attributed the theft to Lazarus, a group of North Korean hackers, in October 2018.

National Bank of Kenya Fraud

January 17

On January 17, fraudsters stole Sh29 million from the National Bank of Kenya.

Type: State-sponsored actor
Attribution: High confidence

Description

In January 2018, attackers attempted to steal $19 million from a private Costa Rican financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

In a submission to the United Nations Security Council Panel of Experts, the Costa Rican government confirmed that an investigation was launched by the Office of the Public Prosecutor’s Division on Fraud.

2017

NiceHash Crypto Heist

Type: State-sponsored actor
Attribution: Speculated

Description

In October 2017, the Korean Internet Security Agency thwarted an attack on 10 cryptocurrency exchanges in South Korea. The attack used sophisticated Business Email Compromise. South Korean media reported the attack was carried out by DPRK-affiliated hackers.

Far Eastern International Bank

October 1

Type: State-sponsored actor
Attribution: High confidence

Description

On September 23, 2017, virtual currency was stolen from Coinis, a South Korean cryptocurrency exchange, worth an estimate $2.19 million according to reports. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. In December 2017, South Korean newspaper Chosun Ilbo reported that the South Korean government has attributed the attack to DPRK-affiliated actors.

SEC Edgar Hack

Type: State-sponsored actor
Attribution: High confidence

Description

On June 29, approximately $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange for the second time in four months. The South Korean National Intelligence Services attributed the theft to the DPRK, and in August 2019, the UN Security Council Panel of Experts also indicated DPRK-affiliated actors were behind the theft.

The attackers gained access to an employee’s personal computer. From there they managed to exfiltrate the details of 3% of the platforms total users including names, emails and phone numbers. The company stated they would compensate customers affected.

YouBit Crypto Heist

April 22

On April 22, 2017, approximately $5.6 million in cryptocurrency was stolen from YouBit, a South Korean cryptocurrency exchange then named Yapizon.

Learn More

Target

Location: South Korea
Date Breach First Reported: 12/05/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On April 22, 2017, approximately $5.6 million in cryptocurrency was stolen from YouBit, a South Korean cryptocurrency exchange then named Yapizon. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. Group-IB, a Singapore-based security firm, also attributed the theft to Lazarus, a group of North Korean hackers, in October 2018.

BitHumb Crypto Heist #1

February 1

In February 2017, at least $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange.

Learn More

Target

Location: South Korea
Date Breach First Reported: 12/05/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In February 2017, at least $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange. The hackers also stole PII from 30,000 customers.

In December 2017, the South Korean government attributed the attack to North Korea. In January 16, 2018, Recorded Future, a security firm known for analyzing state-sponsored attacks, attributed the attack to the Lazarus Group in the North Korean government. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.

2016

Visa and Mastercard had both previously warned of an increase in the type of fraud seen in this case, which used the magnetic strip to verify the transaction. On November 5, 2016, as the weekend began, the gang started making fraudulent transactions with the card details it had calculated. Almost 9,000 accounts were affected, or 6.6 percent of the bank’s entire customer base. One customer had twenty-two fraudulent transactions totaling £65,000 on his account.

Tesco Bank halted all online and contactless transactions after a day of struggling to block all the fake purchases reported in the United States, Spain, and Brazil. In October 2018, Tesco was fined £16.4 million by the UK’s Financial Conduct Authority for deficiencies in its bank card policies and its response to the incident.

Liberia Mirai Botnet Attack

October 31

On October 31, a distributed denial-of-service attack was launched against Lonestar MTN, a Liberian network provider.

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In July 2016, attackers attempted to use fraudulent SWIFT transactions to steal $100 million from a Nigerian bank, but the money was ultimately recovered.

The attackers initiated fraudulent SWIFT transactions of $100 million from the unnamed Nigerian Bank to bank accounts in Asia, similar to the techniques seen in the 2016 Bangladesh heist. The funds were later returned at the request of the Nigerian bank. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attack on the Nigerian bank, referencing the “African Bank” named in the U.S. Department of Justice 2018 indictment of Park Jin Hyok.

Standard Bank Theft

May 5

On May 15, 2016, attackers stole $19 million from South Africa’s Standard Bank by making 14,000 withdrawals over 3 hours from 1,700 ATMs across Japan.

Learn More

Target

Location: South Africa, Japan
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On May 15, 2016, attackers stole $19 million from South Africa’s Standard Bank by making 14,000 withdrawals over 3 hours from 1,700 ATMs across Japan.

UN Security Council Panel of Experts indicated in August 2019 that DPRK-affiliated actors were behind the attack. According to the Japanese government, the attackers used forged cards with data of roughly 3,000 pieces of customer information stolen from Standard Bank to withdraw cash from ATMs located in Tokyo and 16 prefectures across Japan. 260 suspects, including organized crime group members, have been arrested as of July 2019.

Central Banks DDoS Attack

May 4

In May 2016, hacktivists briefly took down the Bank of Greece’s website, and later did the same to the central banks of Mexico, Panama, Kenya, and Bosnia and Herzegovina.

Type: Nonstate actor
Attribution: High confidence

Description

On February 22, 2016, a hacking group called DownSec Belgium shut down the website for Belgium’s National Bank for most of the morning using DDoS attacks. Little information has been reported about the attack, but it followed similar DDoS attacks by the same group against the websites for the Belgian Federal Agency for Nuclear Control, the country’s Crisis Center, and its federal cyber emergency team. DownSec Belgium claims to fight against corrupt government abuses.

Bangladesh Bank SWIFT Hack

February 1

Learn More

Target

Location: Bangladesh
Date Breach First Reported: 2/1/2016

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In February 2016, media outlets reported that hackers had breached the network of the Bangladesh central bank and sent thirty-five fraudulent transfer requests to the Federal Reserve Bank of New York, totaling nearly $1 billion. Four of these fraudulent requests succeeded, and the hackers were able to transfer $81 million to accounts in the Philippines, representing one of the largest bank thefts in history. A fifth request for $20 million to be sent to an account in Sri Lanka was stopped due to the recipient’s name, Shalika Foundation, being misspelled “fandation.” The remaining transfers, which totaled somewhere between $850 and $870 million, were also stopped before they could be completed due to a stroke of good fortune: the name of the destination bank branch included the word “Jupiter,” which was the name of an unrelated company on a sanctions blacklist. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

The hackers had introduced malware onto the Bangladesh central bank’s server and deployed keylogger software that allowed them to steal the bank’s credentials for the SWIFT system. The hackers also custom-designed a malware toolkit that compromised SWIFT’s Alliance Access system and was designed to cover their tracks. This toolkit allowed them to delete records of transfer requests, bypass validity checks, delete records of logins, manipulate reporting of balances, and stop attached printers from printing transaction logs. Although the malware was custom-designed to steal from the Bangladesh central bank, the toolkit could potentially be used against other banks in the SWIFT system running Alliance Access software.

The intruders had monitored the bank’s routine activity in order to create money transfer requests that appeared genuine. Furthermore, they timed the thefts so that it would be the weekend in Bangladesh when the Federal Reserve reached out to confirm the transactions, and then it would be the weekend in New York when the Bangladesh central bank employees instructed the Federal Reserve to cancel the transactions. "

2015

Guatemalan Financial Institution Theft

December 01

In December 2015, attackers stole $16 million from a Guatemalan financial institution.

Method: Unknown
Type: Data breach, disruption

Actor

Type: Unknown
Attribution: Unknown

Description

Beginning on June 12, 2015, the Shanghai Composite Index began to plummet, and by June 19 it had fallen by 13 percent. Chinese stock markets continued to fall throughout July and August, and again in January and February 2016. Although there is no public evidence, some have speculated that the initial sudden crash may have been caused by a cyber attack.

Tien Phong Commercial Joint Stock Bank

May 15

Learn More

Target

Location: Vietnam
Date Breach First Reported: 5/15/2015

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In May 2015, the Vietnamese bank Tien Phong announced it had blocked a fraudulent SWIFT transaction worth €1m several months before attackers successfully stole from the Bank of Bangladesh using the same method. Tien Phong did not name the bank that had been the source of the fraudulent transfer request.

Dyre Wolf Campaign

April 2

In April 2015, a threat group twinned malware with a sophisticated social engineering tactic to steal more than $1 million from businesses.

Learn More

Target

Location: Multiple
Date Breach First Reported: 4/2/2015

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In April 2015, a threat group twinned malware with a sophisticated social engineering tactic to steal more than $1 million from businesses. A variant of Dyre malware named Upatre, which spread through victims’ email contacts, was used to block hundreds of bank websites on the victim’s device. The victim was then prompted to call a helpline number—actually staffed by a member of the gang who would then harvest the victim’s banking credentials and subsequently make fraudulent wire transfers.

Health Insurer Hacks

February 4

Learn More

Target

Actor

Type: Unknown
Attribution: Unknown

Description

The Metel banking Trojan, which was discovered in 2011, was repurposed by a criminal gang in 2015 to steal directly from bank ATMs and even manipulate the Russian exchange rate. The group used spearphishing emails or browser vulnerabilities to deliver Metel, also known as Corcow, and access the bank’s systems before pivoting into areas that allowed them to roll back ATM transactions. This meant they could withdraw unlimited amounts of money, automatically resetting the account balance after each transaction. Researchers at Kaspersky, who first reported on the operation, said the gang comprised fewer than ten members and had made no infections outside Russia. In February 2015, Energobank fell victim to a Metel infection that allowed attackers to place some $500 million in currency orders, sending the ruble swinging with extreme volatility between 55 and 66 rubles per dollar for a period of fourteen minutes. However, there is no evidence the attackers profited from the movement. Metel had infected 250,000 devices and more than 100 financial institutions in 2015, according to researchers at Group IB.

2014

Gautrain Management Agency Insider Threat Thwarted

November 1

Target

Location: Poland
Date Breach First Reported: 10/1/2014

Incident

Method: Unknown
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In October 2014, a group claiming to be affiliated with the so-called Islamic State hacked the internal networks of the Warsaw Stock Exchange and posted dozens of login credentials for brokers online. The means by which the group gained access to the exchange’s networks are unknown, but they were reportedly able to infiltrate an investment simulator and a web portal for managing the stock exchange’s upgrade to a new trading system, as well as render the exchange’s website unavailable for two hours. The exchange’s employees say that the trading system itself was not breached. NATO officials later indicated privately that they believed that the hacking group’s claim of being affiliated with Islamic militants was a false flag operation, and that in fact the breach was conducted by APT 28, a group widely believed by security researchers to be affiliated with the Russian government.

JPMorgan Chase Data Breach

August 1

In August 2014, the first reports emerged that account information and home addresses for 83 million customers were exposed after attackers stole login credentials from a JPMorgan Chase employee.

Learn More

Target

Location: United States
Date Breach First Reported: 8/1/2014

Incident

Method: Stolen password
Type: Data breach

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In August 2014, the first reports emerged that account information and home addresses for 83 million customers were exposed after attackers stole login credentials from a JPMorgan Chase employee. The group entered the network through a single-factor authentication server that had not been upgraded with the rest of the firm’s estate, before gaining access to more than ninety bank servers for several months. However, the bank said the attackers had not accessed more sensitive information, such as social security numbers.

JPMorgan discovered the breach after reportedly finding the same group on a website for a charity race that it sponsors. The size of the incident prompted the National Security Agency and the FBI to join the investigation. Other companies targeted in the attacks included Dow Jones, Fidelity, E*Trade, and Scottrade. The U.S. authorities believe the harvested information was used in securities fraud, money laundering, credit-card fraud, and fake pharmaceuticals.

Nine people so far have been charged in the ongoing probe. A Russian national was extradited from Georgia to the United States in September 2018, although he denied that he was the central hacker in the attacks. The federal authorities in New York said the man worked with an international syndicate from 2012 to 2015 to steal customer information, which was used in numerous crimes including a spam email campaign to falsely tout stocks and shares to ramp up the price. In September 2019, he pleaded guilty to six felony charges in connection with the data breach and other cybercrimes, and he faces up to a lifetime in prison.

In January 2017, a Florida man pleaded guilty to charges linked to funds processed through Coin.mx, an unlicensed bitcoin exchange owned by an Israeli who the United States has alleged masterminded the information stealing campaign. The supposed ringleader was extradited to the United States in 2016 and, according to media reports, entered a plea deal with prosecutors."

Description

In 2013, the source code for the Carbanak banking Trojan was leaked online. Since then, the malware has been used by several gangs to steal from dozens of financial institutions. The attack strategies have changed many times in order to avoid detection.

The malware is often pushed into financial companies by luring employees to click malicious documents, which provide the attackers a foothold to move across the network to remotely manipulate ATMs, known as “jackpotting,” or to compromise point-of-sale data. The gangs planned each theft carefully, taking between two and four months to complete each intrusion, ultimately using mules to withdraw the funds from ATMs and transfer them to the criminals’ accounts.

Fin7, the most prolific group using Carbanak, has stolen more than €1 billion from banks in more than thirty countries over the past three years, according to Europol. As well as using Carbanak, the gang is understood to use widely available tools such as the Cobalt Strike framework. The group recruited developers to work for an Israeli-Russian front company named Combi Security, and it is not clear whether the employees knew the nature of the work.

The authorities arrested a man thought to be the gang’s ringleader in Spain in March 2018, while in August the U.S. Department of Justice arrested three Ukrainian suspects. The United States claims the group stole the details of 15 million payment cards by attacking more than 120 U.S. companies, including the Chipotle and Arby’s restaurant chains.

Another Trojan, which is named Odinaff and bears a resemblance to Carbanak, was spotted attacking banking, trading, and payroll companies in 2016. It is unclear whether this is the work of Fin7 or another gang. While Fin7 appears to have gone quiet, it is unclear whether this is because activity stopped following the arrests or its techniques have changed again.

South Korea Attacked III

March 20

Learn More

Target

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In September 2012, a group called the Cyber Fighters of Izz ad-Din al-Qassam launched several waves of DDoS attacks against U.S. financial institutions. Naming the campaign Operation Ababil, the group justified their attacks as retribution for an anti-Islam video released by the U.S. pastor Terry Jones. The attacks were powerful, sending 100 gigabits per second of data to the victim sites, prompting claims that this was beyond the capabilities of a hacktivist group. Some reports said the group had ties to Anonymous, while others made links to the Iranian government—however, the group claimed it acted independently. The campaign launched two additional waves of attacks on December 10, 2012, and March 5, 2013.

PayGate Breach

August 1

In August 2012, online payment service provider PayGate suffered a system breach where credit card and banking details were leaked.

Type: Unknown
Attribution: Unknown

Description

In June 2012, the Shanghai Composite Index saw a severe drop on the anniversary of the Tiananmen Square massacre of 1989. While there is no confirmation of any wrongdoing in this case, the Shanghai Composite Index opened at 2,346.98 and fell exactly 64.89 points, matching the date of the incident (June 4, 1989). This led to widespread but unproven speculation about a protest hack that had manipulated trading that day. The Chinese censors blocked online references to the Shanghai Composite Index and several other terms on the anniversary.

Iranian Banking Data Breaches

April 16

Type: Nonstate actor
Attribution: High confidence

Description

In January 2012, the hacktivist collective Anonymous used DDoS attacks to bring down numerous Brazilian banking websites to protest corruption and inequality in the country. Banco do Brasil, Itaú Unibanco, Citibank, and Bradesco were among those affected by the #OpWeeksPayment campaign. The attackers reprised their campaign around the World Cup in 2014, which Brazil hosted.

Brazilian Payments System Attack

January 1

Learn More

Target

Location: Brazil
Date Breach First Reported: 1/1/2012

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

From 2012 to 2014, Boleto Bancario, a payments system used for almost half of non-cash transactions in Brazil, was targeted by malware that manipulated the victim’s browser to reroute payments to attacker-controlled accounts. The technique compromised $3.75 billion in payments within a two-year period, using several different versions of malware including Eupuds, Boleteiro, and Domingo, according to researchers at RSA. The unidentified gang responsible later changed its “bolware” strategy to introduce DNS poisoning as a means to install the malware, lessening the need for spam emails to spread the malware.

Postbank Heist

A Turkish man named as the gang’s leader, Ercan Findikoglu, was jailed for eight years in the United States in 2017 after extradition from Germany. He has also been convicted in Turkey for conspiring to produce fake cards—with a nineteen-and-a-half-year sentence he is expected to serve upon release in the United States. Three other men were jailed in 2014.

Iranian DDoS Attacks on U.S. Banks

January 1

Learn More

Target

Location: United States
Date Breach First Reported: 1/1/2011

Incident

Method: DDOS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 24, 2016, the United States unsealed an indictment of seven Iranians allegedly responsible for the DDoS attacks targeting U.S. financial institutions across a two-year period on behalf of the Iranian government and Islamic Revolutionary Guard Corps. The indictment followed the landmark international deal to limit Iran’s nuclear capabilities in July 2015. Over forty-six financial organizations were targeted over the course of 176 days between December 2011 and mid-2013, the indictment said. The victims, which included Bank of America, the New York Stock Exchange, and Capital One, spent tens of millions of dollars to counteract the attacks, which at their height were occurring on a near-weekly basis.

The seven men were accused of managing several “botnets” consisting of thousands of compromised computers to send malicious traffic to victim website, blocking access for legitimate users. They built the botnet by exploiting a known vulnerability in a popular content management software to install malware. The men worked for two private computer security companies in Iran that allegedly performed tasks for the government. Several were also accused of belonging to hacking groups that have claimed responsibility for attacks on NASA in February 2012.

The political fallout from the attack was far-reaching. The U.S. Treasury Department imposed sanctions against eleven individuals and organizations in September 2017 over their links to Iran, some of whom were accused of participating in the DDoS attack. Meanwhile, U.S. President Donald Trump announced the United States’ withdrawal from the Iran nuclear deal in May 2018.

Lebanese Banks Espionage Operation

January 1

In early 2011, a virus named Gauss was used to steal inside information from multiple Lebanese banks.

Learn More

Target

Location: Lebanon
Date Breach First Reported: 1/1/2011

Incident

Method: Malware
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In early 2011, a virus named Gauss was used to steal inside information from multiple Lebanese banks. Gauss, which bore resemblances to the Flame and Stuxnet malware, stole passwords, banking credentials, and browser cookies from infected devices. Most of the 2,500 infections detected by researchers at Kaspersky were on personal computers in Lebanon. News outlets have speculated that this cyber surveillance tool was designed by the U.S. and Israeli governments to circumvent Lebanon’s strict banking secrecy laws, which have made it difficult for global authorities to access information of suspected wrongdoing. These speculations were fueled by a statement made by the United States in March 2011, accusing a Lebanese bank of laundering money for a Mexican drug ring with links to Hezbollah.

2010

Absa Land Bank Fraud

December 24

On December 24, 2010, South African financial services firm Absa noticed a series of transfers from the Land Bank and froze the accounts.

Target

Location: Latvia
Date Breach First Reported: 2/24/2010

Incident

Method: Unknown
Type: Data breach

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In early 2010, a hacker leaked financial details of banks, tax records, and state-owned firms to a TV station, to raise public awareness of lucrative public sector salaries during a period of austerity in Latvia. Ilmars Poikans, an IT researcher who used the alias Neo, was arrested shortly afterward and sentenced in 2015 to community service for accessing 7.5 million tax records. He was pardoned in December 2017.

2009

South Korea and United States Attacked

July 4

In July 2009, financial institutions in the United States and South Korea were among several targets of a widespread DDoS attack.

Type: Nonstate actor
Attribution: High confidence

Description

Between 2007 and 2011, a Trojan malware known as Zeus was used in numerous criminal operations to steal data on Windows devices. Zeus was widely traded on criminal forums as a way to harvest online credentials. Its source code was made public in 2011 after its purported creator announced his retirement, which allowed multiple versions to spread. The Trojan included a keylogger that recorded bank login credentials and a botnet that executed attacks using infected devices.

In March 2009, a security firm discovered an online data trove of stolen information from 160,000 computers infected by Zeus malware, including devices at Metro City Bank. A criminal gang also used Zeus in a global scheme to wire millions of dollars from five banks to overseas accounts, according to U.S. and UK officials who made more than 100 arrests in October 2010. The gang recruited mules to launder the stolen funds and withdraw money from ATMs around the world.

The variant Gameover Zeus was controlled by a group of hackers in Russia and Ukraine from October 2011 onward, according to the FBI. Among its many uses was as a platform to infect systems with Cryptolocker ransomware. Operation Tovar, an international law enforcement effort in June 2014, resulted in the seizure of key Gameover Zeus infrastructure and the release of up to 1 million victim machines from the botnet. The authorities believe the gang stole more than $100 million. The Russian man accused of authoring both Zeus and Gameover Zeus remains at large.

Skimer ATM Malware Attack

March 1

In 2009, security researchers discovered Skimer, an advanced multifunctional malware employed in several ATM heists across the world.

Learn More

Target

Location: Multiple
Date Breach First Reported: 3/1/2009

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In 2009, security researchers discovered Skimer, an advanced multifunctional malware employed in several ATM heists across the world. Skimer is capable of executing over twenty malicious commands, including withdrawing ATM funds and collecting customer information such as bank account numbers and payment card PINs. To install Skimer, attackers had to access ATMs and install backdoors in the device’s Windows operating system. Then, the attackers could silently siphon card numbers and customer information for later use in fraudulent transactions. Once correct details were entered into the ATM pin pad, Skimer gave attackers a control panel to execute multiple commands from cashing out an ATM to deleting traces of the infection from the system. The malware has continued to evolve with later variants still in use around the world.

2008

RBS WorldPay Hack

November 1

Toward the end of 2008, Atlanta-based credit card processing company RBS WorldPay was breached by an international crime ring.

Type: State-sponsored actor
Attribution: High confidence

Description

Between July and August, Georgia became the victim of a coordinated defacement and DDoS campaign that disrupted government and bank websites during the lead up to a war with Russia. The first incident occurred on July 20, when the website of then Georgian president Mikheil Saakashvili was disrupted by a DDoS attack, just weeks before Russia invaded the country. The DDoS attack was directed using a strain of Pinch malware frequently used in Russia, which flooded websites with traffic that included the phrase “win love in Russia.”

As part of the conflict and war that took place from August 7 to 12, 2008, numerous Georgian government and media sites were defaced and disrupted, including depictions of Saakashvili next to Hitler on the president’s website. The only impact on the financial sector throughout this campaign was the defacement of the National Bank of Georgia’s website. A group by the name of South Ossetia Hack Crew claimed responsibility for the attacks. However, Georgia would later attribute the attack to the Russia government, which denied the allegations.

HSBC Insider Fraud

July 7

On April 18, a clerk at HSBC’s headquarters in London fraudulently wired €90 million to accounts in Manchester and Morocco.

Type: Nonstate actor
Attribution: High confidence

Description

In January 2008, a junior trader at the French bank Société Générale executed fraudulent transactions to cover up $7.2 billion in losses from risky futures trades. The rogue trader hid his losses by booking fake offsetting trades on colleagues’ accounts and using knowledge from his previous role in the back office to alter internal risk controls so he would not trigger internal alerts. At one point, the portfolio of unauthorized trades was worth over €50 billion, approximately the same value as the entire firm. The employee was arrested and sentenced to three years in prison in 2010. The bank suffered one of the biggest trading losses on record due to the incident, and the French banking regulator imposed a $6 million penalty for its lax controls.

2007

DA Davidson Data Breach

December 25

On December 25–26, 2017, confidential information from 192,000 customers was stolen from financial services holding company DA Davidson.

Target

Location: Estonia
Date Breach First Reported: 4/26/2007

Incident

Method: DDoS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

Following the contentious relocation of a Soviet-era statue in Tallinn, Estonia fell victim to a series of coordinated DDoS attacks against government, bank, university, and newspaper websites that lasted three weeks. The attacks began on April 26, when government and political party email servers and websites were disrupted. The following week, a second wave began that disrupted access to Estonian news websites. The final wave, which began on May 9, was the heaviest and targeted the Estonian banking sector. The attack forced two major Estonian banks to suspend online banking, disabling bank card transactions and ATM withdrawals. The disruption did not end until the attackers’ botnet contracts expired on May 19. The attacks were carried out by Russian hacktivists communicating openly on Russian-language chatrooms, where users shared precise instructions on how to conduct the attacks. Estonia accused the Russian government of ordering the attacks but was unable to produce definitive proof.

Developed in association with

BAE Systems logo

Blogs

Podcasts

Shortcuts

Centers