The $81 Million Typo: Bangladesh Bank
It was 4:27 AM on the morning of February 5, 2016, a Friday and the first day of the Bangladeshi weekend, when Bangladesh Bank's offices in Dhaka were quiet and its staff at home, and a printer in the bank's foreign exchange department tried to print.
The printer failed. A paper jam.
A technician would have to look at it in the morning.
What that printer had been trying to print were the bank’s SWIFT transaction logs — records of the financial messages flowing through the Society for Worldwide Interbank Financial Telecommunication system, the secure messaging backbone of global finance. Over the preceding hours, the bank’s systems had been sending those messages — thirty-five of them, totaling nearly a billion dollars in transfer orders — to the Federal Reserve Bank of New York.
Nobody at Bangladesh Bank had authorized them.
By the time a technician cleared the paper jam on Friday morning, five of the thirty-five fraudulent transfer orders had already cleared.
The money was gone.
Threat Actor Profile: Lazarus Group (Bureau 121)
Designation: Lazarus Group (industry name, popularized by Novetta's Operation Blockbuster report); Hidden Cobra (US government); Zinc (Microsoft); APT38 (Mandiant's name for the financially motivated subgroup)
Attribution: Democratic People’s Republic of Korea; Reconnaissance General Bureau, Bureau 121
Origin: Pyongyang, North Korea; operating since at least 2009
Primary Mission: A uniquely dual-purpose threat actor — state-directed geopolitical operations and financially motivated cybercrime to fund North Korea’s sanctioned nuclear and weapons programs
Known Tradecraft: Long-dwell network espionage, SWIFT financial infrastructure compromise, custom malware implants, spear-phishing, cryptocurrency theft, supply chain attacks
Notorious Operations:
- Bangladesh Bank SWIFT Heist (2016): $951 million attempted; $81 million stolen, one of the largest bank thefts on record. Compromised a national central bank's SWIFT messaging infrastructure.
- Sony Pictures (2014): Destructive wiper attack against a US entertainment studio; mass exfiltration of confidential communications and business data; triggered by North Korea’s objection to the film The Interview.
- WannaCry (2017): Global cryptoworm using NSA-developed exploits; infected over 200,000 systems across 150 countries; crippled the UK National Health Service.
- Cryptocurrency Exchange Attacks (2017–present): Over $3 billion stolen from exchanges, DeFi protocols, and developer social engineering — functioning as a direct hard-currency revenue stream for North Korea’s state programs.
- Ronin Network Hack (March 2022): $625 million stolen from the Ethereum sidechain powering the Axie Infinity blockchain game — the largest single cryptocurrency theft in history at the time.
The Setup: A Central Bank’s Account
Bangladesh Bank is the central bank of Bangladesh — the institution managing the country’s monetary policy, foreign exchange reserves, and currency issuance. Like central banks globally, it maintained a correspondent account at the Federal Reserve Bank of New York, holding approximately $1 billion in foreign reserves.
International wire transfers from that account were executed via the SWIFT network: a secure, decades-old messaging infrastructure connecting over 11,000 financial institutions in more than 200 countries. Authenticated SWIFT messages — formatted to exacting specifications and transmitted over encrypted channels — instructed the Fed to move money between accounts.
The authentication of those messages rested entirely on the legitimacy of the credentials used to operate SWIFT terminals. If an attacker could obtain those credentials and operate the terminals, they could instruct the Federal Reserve Bank of New York to transfer money anywhere in the world, in the name of the Bangladeshi central bank, with no physical presence required.
This was the vulnerability Lazarus Group set out to exploit.
The Intrusion: Ten Weeks of Patience
The intrusion timeline, reconstructed by BAE Systems researchers and the Bangladesh government’s own subsequent investigation, begins in late 2015.
The initial access vector appears to have been a fraudulent job application. Lazarus Group sent spear-phishing emails to Bangladesh Bank employees presenting what looked like a plausible recruitment message from a job seeker, with a resume document attached. The attachment delivered a custom RAT (Remote Access Trojan) implant onto at least one employee machine.
From that foothold, the attackers spent approximately ten weeks inside Bangladesh Bank’s network before moving against the SWIFT systems. During that period they:
- Mapped the network architecture and identified the specific machines connected to SWIFT terminals
- Studied the bank’s transaction patterns to understand normal timing, beneficiary names, and transfer sizes
- Harvested the SWIFT operator credentials used by bank staff to authenticate and transmit messages
- Patched the SWIFT Alliance Access client on the bank's machines so that it stopped printing the confirmation records of outgoing messages and let them delete the database records of the fraudulent transfers, the evidence trail that would otherwise reveal them
That final step explains the "paper jam". There was no hardware fault: the malware was suppressing the log output. When the technician got the printer working again on Friday morning and printing resumed, the records of the fraudulent transfers began flowing, and the heist was discovered.
The patience was methodical. This was not an opportunistic criminal raid. It was the logistics of a bank robbery rehearsed over two months inside the target’s own systems.
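The control the attackers had to defeat in that step is worth stating concretely: the confirmation printout and the local message store both lived on the bank's own machines, and the malware owned both. What follows is an added example (not code from the page, from SWIFT or from BAE Systems) of a reconciliation a back office could run against a third, externally sourced record, the correspondent's statement of what it actually executed. The record layout, the log-line format and all sample messages are constructed for illustration.

```python
"""Three-way reconciliation of an outbound payment-message trail.

Added example. It models the control the Bangladesh Bank malware defeated:
the local message store and the confirmation printout were both under the
attacker's control, so neither can be trusted alone. The field names, log
format and sample data are constructed, not taken from any real system.
"""
import re
from dataclasses import dataclass

# Constructed: what the local Alliance-style message store reports as sent
# and acknowledged. In the real attack this store was attacker-controlled.
LOCAL_DB = [
    {"ref": "BB160204001", "amount_usd": 2_000_000, "status": "ACK"},
    {"ref": "BB160204002", "amount_usd": 6_000_000, "status": "ACK"},
    {"ref": "BB160204003", "amount_usd": 30_000_000, "status": "ACK"},
]

# Constructed confirmation printout, one line per acknowledged message.
# Message 003 never printed (suppressed); 004 is absent from both local sources.
PRINTER_LOG = """\
2016-02-04 20:36:12 ACK ref=BB160204001 amt=USD2000000.00
2016-02-04 20:41:55 ACK ref=BB160204002 amt=USD6000000.00
"""

# Constructed correspondent-side statement: the references the receiving
# bank says it executed. This is the one source an intruder inside the
# sending bank cannot edit, so it anchors the reconciliation.
CORRESPONDENT_STATEMENT = ["BB160204001", "BB160204002", "BB160204003", "BB160204004"]

LOG_RE = re.compile(r"ACK ref=(?P<ref>\S+) amt=USD(?P<amt>[\d.]+)")


def parse_printer_log(text):
    """Return {ref: amount} for every acknowledged message on the printout."""
    out = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out[m.group("ref")] = float(m.group("amt"))
    return out


@dataclass(frozen=True)
class Discrepancy:
    ref: str
    kind: str  # print_suppressed | record_deleted | printed_not_executed | amount_mismatch


def reconcile(local_db, printer_text, statement_refs):
    """Compare the three trails and classify every disagreement."""
    local_amt = {r["ref"]: r["amount_usd"] for r in local_db if r["status"] == "ACK"}
    acked = set(local_amt)
    printed_amt = parse_printer_log(printer_text)
    printed = set(printed_amt)
    executed = set(statement_refs)
    findings = []
    # Acknowledged locally but absent from the paper trail: printing was suppressed.
    for ref in sorted(acked - printed):
        findings.append(Discrepancy(ref, "print_suppressed"))
    # Executed by the correspondent but unknown locally: the record was deleted
    # (or never written), which is exactly what the Bangladesh Bank malware did.
    for ref in sorted(executed - acked):
        findings.append(Discrepancy(ref, "record_deleted"))
    # On paper but never executed: a ghost entry worth a manual look.
    for ref in sorted(printed - executed):
        findings.append(Discrepancy(ref, "printed_not_executed"))
    # Present in both local sources but with different amounts: tampering in one of them.
    for ref in sorted(acked & printed):
        if abs(local_amt[ref] - printed_amt[ref]) > 0.005:
            findings.append(Discrepancy(ref, "amount_mismatch"))
    return findings


if __name__ == "__main__":
    for f in reconcile(LOCAL_DB, PRINTER_LOG, CORRESPONDENT_STATEMENT):
        print(f.ref, f.kind)
```

The design point is that the reconciliation only has teeth because one of its inputs is produced outside the compromised environment; a daily statement pulled from the correspondent over a separate channel would have surfaced the deleted and unprinted messages regardless of what the patched client reported.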
The Heist: Thirty-Five Transfer Orders
On the evening of February 4, 2016, the Lazarus operators used Bangladesh Bank’s own SWIFT credentials to initiate their operation.
They sent 35 fraudulent SWIFT messages to the Federal Reserve Bank of New York, instructing the Fed to transfer funds from Bangladesh Bank’s reserve account to beneficiary accounts they controlled:
- Transfers to the Philippines were directed to four accounts at RCBC (Rizal Commercial Banking Corporation), Jupiter Street branch, Makati City. These accounts had been opened months in advance using false identities.
- Transfers to Sri Lanka were directed to an entity called the Shalika Foundation.
The total value of the 35 orders: $951 million — nearly the entirety of Bangladesh Bank’s New York Fed reserves.
The Federal Reserve began processing. Five of the thirty-five orders cleared: four to the RCBC accounts in the Philippines, totaling $81 million, and one for $20 million to the Shalika Foundation in Sri Lanka.
The Sri Lanka order was caught downstream. Deutsche Bank, the routing bank on that leg, noticed that the beneficiary name read "Shalika Fandation", a misspelling of "Foundation", and queried the instruction with Bangladesh Bank. Bangladesh Bank could not confirm it. The transfer was reversed and the $20 million returned.
The remaining thirty orders never left New York. The Fed's own screening held them for review: the volume was far outside the account's normal pattern, most beneficiaries were private individuals rather than institutions, and the word "Jupiter" in the RCBC branch address happened to match the name of a sanctioned Iranian shipping entity. The Fed sent verification queries to Bangladesh Bank, which had not authorized them, and the orders were halted.
But four, totaling $81 million, had already landed at RCBC's Jupiter Street branch.
The Laundering: Manila’s Casinos
The Philippines was not chosen by accident.
Philippine casinos in 2016 were, under Philippine law, exempt from the Anti-Money Laundering Act (AMLA) — a regulatory gap that made cash transactions at casinos effectively invisible to financial monitoring authorities. The four RCBC accounts were drained within days of the transfers arriving. The cash was moved into Manila’s casino ecosystem — converted to gambling chips, briefly played, and cashed out as gambling winnings.
Of the $81 million, approximately $15 million was eventually recovered — primarily because one intermediary involved in the casino laundering phase cooperated with investigators.
The remaining $66 million evaporated.
The RCBC branch manager who processed the withdrawals, overriding clear red flags and the bank's own AML procedures, was convicted of money laundering in 2019. RCBC itself was fined one billion pesos (about $21 million) by the Bangko Sentral ng Pilipinas, the Philippine central bank.
Attribution: The Printer Told the Story
Attribution to Lazarus Group came through a convergence of technical and forensic evidence.
BAE Systems researchers were the first to publicly document the custom malware found at Bangladesh Bank: not a modified build of SWIFT Alliance Access, but a tool that patched the running Alliance Access client to bypass its validation checks, delete the database records of the fraudulent transfers, and suppress the printed confirmations. A secure-delete routine in that code matched one documented in the Sony Pictures attack and earlier Lazarus operations.
Additional analysis by Symantec and Kaspersky confirmed code overlaps with Lazarus Group tooling across multiple campaigns. Infrastructure indicators tied the command-and-control servers to previously documented North Korean operations.
The US Department of Justice charged North Korean programmer Park Jin Hyok in a criminal complaint unsealed in September 2018 for alleged roles in the Bangladesh Bank heist, WannaCry, and the Sony Pictures attack, the first US criminal charges against a named North Korean individual for state-directed hacking; a 2021 indictment added two further operators.
The Legacy: SWIFT’s Reckoning
The Bangladesh Bank heist exposed a fragility at the heart of global financial infrastructure that the industry had never been forced to confront directly.
SWIFT’s security model had been built on the assumption that if a bank’s SWIFT terminals were physically and logically secure, the messages they generated were authentic. It made no provision for a nation-state actor capable of penetrating a central bank’s network, operating from inside over months, and using the bank’s own authorized credentials to transmit fabricated transfer orders.
SWIFT's response was the Customer Security Programme (CSP): a controls framework applying to all 11,000+ SWIFT-connected institutions, with requirements including segregation of the SWIFT environment from the general IT network, restricted internet access from that environment, endpoint hardening and patching, multi-factor authentication for operators, and monitoring of transaction patterns. Annual attestation of compliance became mandatory. The programme acknowledged what the Bangladesh Bank attack had made undeniable: SWIFT messaging credentials are only as secure as the network they run on.
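The checks that actually caught the batch (a routing bank spotting the "Fandation" typo, and the volume and beneficiary profile that held the remaining orders in New York) are the same kind of transaction-pattern monitoring the CSP asks members to run. The following is an added example, not SWIFT tooling or any bank's real monitor, of a screening rule set over a day's outgoing batch that encodes them. The history, the batch, the thresholds, the field names and the list of common entity words are all constructed; the Levenshtein helper is there to flag near-misses of common words in beneficiary names.

```python
"""Rule-based screening of an outbound transfer batch against a baseline.

Added example. Every record, threshold and name below is constructed to
stand in for the 4 February 2016 batch; nothing here is real bank data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed: words that recur in legitimate beneficiary names. A token that
# is one or two edits away from one of these, but not equal, is a likely typo.
COMMON_ENTITY_WORDS = {"foundation", "bank", "limited", "corporation", "trust", "fund", "ministry"}
BUSINESS_HOURS = range(9, 17)   # constructed: local submission hours treated as normal
VOLUME_MULTIPLIER = 3           # constructed: a batch above 3x the historical peak day is abnormal

# Constructed history: a quiet few months of routine institutional transfers.
HISTORY = [
    {"ts": "2015-11-03T11:10:00", "amount_usd": 4_000_000, "beneficiary": "Asian Development Bank", "beneficiary_type": "ORG"},
    {"ts": "2015-11-17T14:05:00", "amount_usd": 12_500_000, "beneficiary": "Bank for International Settlements", "beneficiary_type": "ORG"},
    {"ts": "2015-12-09T10:40:00", "amount_usd": 7_000_000, "beneficiary": "Asian Development Bank", "beneficiary_type": "ORG"},
    {"ts": "2016-01-21T15:30:00", "amount_usd": 9_000_000, "beneficiary": "Islamic Development Bank", "beneficiary_type": "ORG"},
]

# Constructed stand-in for the evening batch: individuals as beneficiaries,
# unfamiliar names, one misspelt entity, all submitted outside office hours.
BATCH = [
    {"ref": "T01", "ts": "2016-02-04T20:36:00", "amount_usd": 6_000_000, "beneficiary": "Individual account A", "beneficiary_type": "IND"},
    {"ref": "T02", "ts": "2016-02-04T20:41:00", "amount_usd": 30_000_000, "beneficiary": "Individual account B", "beneficiary_type": "IND"},
    {"ref": "T03", "ts": "2016-02-04T20:47:00", "amount_usd": 20_000_000, "beneficiary": "Shalika Fandation", "beneficiary_type": "ORG"},
    {"ref": "T04", "ts": "2016-02-05T03:59:00", "amount_usd": 25_000_000, "beneficiary": "Individual account C", "beneficiary_type": "IND"},
]


def edit_distance(a, b):
    """Levenshtein distance, inlined so the example has no dependencies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def peak_daily_total(history):
    """Largest single-day outflow in the baseline period."""
    by_day = defaultdict(int)
    for r in history:
        by_day[r["ts"][:10]] += r["amount_usd"]
    return max(by_day.values())


def typo_suspects(name):
    """(token, word) pairs where a name token nearly matches a common entity word."""
    hits = []
    for tok in name.lower().replace(".", "").split():
        for word in sorted(COMMON_ENTITY_WORDS):
            d = edit_distance(tok, word)
            if 0 < d <= 2:
                hits.append((tok, word))
    return hits


def screen_batch(history, batch):
    """Return (ref, rule) alerts for a batch; an empty list means nothing fired."""
    alerts = []
    known = {r["beneficiary"] for r in history}
    if batch and sum(r["amount_usd"] for r in batch) > VOLUME_MULTIPLIER * peak_daily_total(history):
        alerts.append(("BATCH", "volume_exceeds_baseline"))
    for r in batch:
        ts = datetime.fromisoformat(r["ts"])
        if r["beneficiary"] not in known:
            alerts.append((r["ref"], "new_beneficiary"))
        if r["beneficiary_type"] == "IND":          # a central bank rarely pays private individuals
            alerts.append((r["ref"], "individual_beneficiary"))
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            alerts.append((r["ref"], "off_hours"))
        if typo_suspects(r["beneficiary"]):
            alerts.append((r["ref"], "possible_name_typo"))
    return alerts


if __name__ == "__main__":
    for ref, rule in screen_batch(HISTORY, BATCH):
        print(ref, rule)
```

Each rule on its own is noisy; the point of running them together is that the February batch trips every one of them at once, which is the profile a release-approval step should refuse to pass without a second authorizer reached over an out-of-band channel.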
For central banks in developing nations — which often operate SWIFT connections from networks with significantly less security investment than major commercial institutions — the lesson was direct and sobering: the most sophisticated financial crime infrastructure in the world connects to whatever endpoint you give it.
North Korea’s Lazarus Group did not stop. The $81 million from Bangladesh Bank was a proof of concept, not a terminus. The subsequent shift toward cryptocurrency — an environment with even richer laundering opportunities and no central authority to block transfers — accelerated after 2017. By the early 2020s, UN monitors estimated North Korea had stolen the equivalent of over $1 billion per year in cryptocurrency to fund its weapons programs.
The printer had tried to warn them.
Attack Chain: Bangladesh Bank — SWIFT Heist
graph TD
A["🇰🇵 Lazarus Group\n(DPRK Bureau 121)"] --> B["Target Selection\nBangladesh Bank\n~$1B USD at NY Federal Reserve"]
B --> C["Initial Access\nSpear-Phishing Email\nFake Job Application + CV\n(RAT Payload Embedded)"]
C --> D["Custom RAT Implant\nInstalled on Bank\nEmployee Machine\n~Late 2015"]
D --> E["~10 Weeks of Reconnaissance\nLate 2015 to Jan 2016"]
E --> E1["Map Network Architecture\nIdentify SWIFT Terminals"]
E --> E2["Study Transaction Patterns\nNormal Beneficiaries / Amounts / Timing"]
E --> E3["Harvest SWIFT\nOperator Credentials"]
E3 --> F["Modify SWIFT Alliance Access Software\nSuppresses Printing\nof Transaction Logs\n(Evidence Destruction)"]
F --> G["February 4, 2016 Evening\n35 Fraudulent SWIFT Messages Sent\nUsing Bangladesh Bank's Own Credentials"]
G --> H["Federal Reserve Bank NY\nBegins Processing Orders"]
H --> I1["4 Philippines Orders\n→ RCBC Bank Makati\n$81 Million CLEARED ✓"]
H --> I2["Sri Lanka Order ($20M)\n'FANDATION' Typo Flagged\n→ Deutsche Bank Queries Bangladesh Bank\n→ REVERSED"]
H --> I3["Remaining 30 Orders\n→ Fed Screening Flags Volume and Individual Beneficiaries\n→ Fed Requests Verification\n→ Bangladesh Bank Cannot Confirm\n→ BLOCKED"]
I1 --> J["RCBC Jupiter Street\nFour False-Identity Accounts\nFunds Withdrawn in Cash"]
J --> K["Manila Casino Laundering\n(AMLA Exemption for Casinos)\nChips → Play → Cash Winnings"]
F --> L["Friday Morning:\nTechnician Clears Printer Jam\nLog Printing Resumes"]
L --> M["Bangladesh Bank Discovers\nFraudulent Transfer Records\nFebruary 5, 2016"]
M --> N["Emergency Contact:\nFederal Reserve + SWIFT\nHalt Remaining Transfers"]
N --> O["$870M Kept From Attackers\n($850M Halted at Fed + $20M Sri Lanka Reversed)\n$81M Already Transferred"]
K --> P["~$15M Eventually Recovered\n~$66M Permanently Lost"]
P --> Q["BAE Systems Analysis\nCustom SWIFT Malware Identified\nCode Matches Sony / Lazarus Tools"]
Q --> R["Attribution: Lazarus Group\n(DPRK Bureau 121)"]
R --> S["DOJ Indicts Park Jin Hyok\nSeptember 2018"]
O --> T["SWIFT Customer Security\nProgramme (CSP) Launched\nMandatory Baseline Controls\nAll 11,000+ Member Institutions"]
O --> U["RCBC Fined $21M\nPhilippine Central Bank\nBranch Manager Convicted"]