Timeline of Cyber Incidents Involving Financial Institutions

About the Timeline

The timeline tracks cyber incidents involving financial institutions dating back to 2007. The timeline is based on Carnegie research and data BAE Systems’s threat intelligence team shares with Carnegie on a monthly basis and are subsequently added to the timeline. The incidents are coded using several indicators and can be filtered accordingly:

  1. incident type;
  2. target country and target region, which include information about the physical location of the victim(s);
  3. actor type, which includes information about the attacker to the extent known;
  4. attribution, which includes an assessment of the level of confidence in the information about the attacker; and
  5. other details about the incident summarized in a short narrative text.

With respect to associating a specific date with a cyber incident, which may be part of a longer cyber operation, the dates for each event are chosen intuitively either using the starting date/month of the incident, if known, or when the incident was first reported. For further questions about the methodology, please contact the team here.

When citing this resource, please use the following format:

Carnegie Endowment for International Peace and BAE Systems. Timeline of Cyber Incidents Involving Financial Institutions. FinCyber Initiative, Carnegie Endowment for International Peace. https://carnegieendowment.org/features/fincyber-timeline (access date).”

About the Fincyber Timeline

This timeline chronicles ~200 cyber incidents targeting financial institutions since 2007, and can be filtered by country, region, year, attribution, incident type, and actor type. Cybersecurity risks to the financial system have grown in recent years, in part because the cyber threat landscape is worsening; in particular, state-sponsored cyberattacks targeting financial institutions are becoming more frequent, sophisticated, and destructive. In 2017, the G20 warned that cyberattacks could “undermine the security and confidence and endanger financial stability.”

To keep track of the evolution of the threat landscape, Carnegie’s Technology and International Affairs Program updates this timeline with data from provided by the Cyber Threat Intelligence unit of BAE Systems. The timeline has not been designed to cover every single incident but rather to provide insight into key trends and how the threat landscape is evolving over time.

2022

Beanstalk Farms cryptocurrency theft

April 17

On April 17, 2022, the decentralised finance platform Beanstalk Farms lost $180 million in a cryptocurrency heist.

Learn More

Target

Location: United States
Date Breach First Reported: 4/18/2022

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On April 17, 2022, the decentralised finance platform Beanstalk Farms lost $180 million in a cryptocurrency heist. The attackers took out a large enough loan to acquire enough voting rights to make the necessary governance changes to move all of Beanstalk’s reserves. The price of each Bean has since plumeted to near zero before coming back up to around one dollar.

Fakecalls banking trojan

April 11

On April 11, 2022, researchers reported on the banking trojan Fakecalls, which has the ability to ‘talk’ to victims and pretend to be a employee of the bank.

Learn More

Target

Location: South Korea
Date Breach First Reported: 4/11/2022

Incident

Method: Malware
Type: Multiple

Actor

Type: Unknown
Attribution: Unknown

Description

On April 11, 2022, researchers reported on the banking trojan Fakecalls, which has the ability to ‘talk’ to victims and pretend to be a employee of the bank. Fakecalls mimics the mobile apps of popular Korean-based banks. The trojan seeks to gain access to the victims contacts, microphone, camera, location and call handling, and attackers attempt to gain payment data or confidential information from the victim. Fakecalls also has a spyware toolkit.

CashMama data breach

April 6

On April 6, 2022, India-based loans app CashMama reported a data breach, in which customer data that was invasively collected and stored was exposed.

Learn More

Target

Location: India Date Breach First Reported: 4/6/2022

Incident

Method: Other
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On April 6, 2022, India-based loans app CashMama reported a data breach, in which customer data that was invasively collected and stored was exposed. CashMama’s Amazon S3 bucket was left in open form, which exposed customers’ personal data and other sensitive information.

Lazarus ‘Trojanised’ decentralised finance app

April 1

On April 1, 2022, North Korean state-sponsored threat group Lazarus was found to be using ‘Trojanised’ decentralised finance apps to deliver malware in their latest spearphishing campaign.

Learn More

Target

Location: Multiple
Date Breach First Reported: 4/1/2022

Incident

Method: Malware
Type: Multiple

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On April 1, 2022, North Korean state-sponsored threat group Lazarus was found to be using ‘Trojanised’ decentralised finance apps to deliver malware in their latest spearphishing campaign. The malware is a full-featured backdoor containing sufficient capabilities to control the compromised victim.

Ronin cryptocurrency theft

March 23

On March 23 2022, blockchain project Ronin lost $615 million in ether and USD Coin tokens in the second largest cryptocurrency heist to date.

Learn More

Target

Location: Canada
Date Breach First Reported: 3/29/2022

Incident

Method: Other
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 23 2022, blockchain project Ronin lost $615 million in ether and USD Coin tokens in the second largest cryptocurrency heist to date. Hackers exploited a feature allowing users to transfer their digital assets from crypto network to another. Ronin is used to power the popular online blockchain game Axie Infinity. The US subsequently attributed the incident to North Korean state-backed hacking collective Lazarus Group and announced new sanctions against an ethereum wallet belonging to the group.

TransUnion SA data breach

March 17

Credit bureau TransUnion SA suffered a cyber attack which saw around three million customer's data stolen by a criminal third party.

Learn More

Target

Location: South Africa
Date Breach First Reported: 3/17/2022

Incident

Method: Malware
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

Credit bureau TransUnion SA suffered a cyber attack which saw around three million customer's data stolen by a criminal third party. The attackers demanded a ransom but TransUnion refused to pay.

Moscow Stock Exchange and Sberbank cyber attack

February 28

On February 28, 2022, the Moscow Stock Exchange and Sberbank, Russia’s largest lender, were hit by DDoS attacks that took their websites offline.

Learn More

Target

Location: Russia
Date Breach First Reported: 2/28/2022

Incident

Method: Unknown
Type: Disruption

Actor

Type: Non-state actor
Attribution: Speculated

Description

On February 28, 2022, the Moscow Stock Exchange and Sberbank, Russia’s largest lender, were hit by DDoS attacks that took their websites offline. The incidents were claimed by the Ukrainian IT Army, a crowdsourced community of hackers created by the Ukrainian government.

Aon ransomware attack

February 25

On February 25, 2022, global insurance and reinsurance broker, Aon was hit by a ransomware attack, causing limited disruption to a number of their services.

Learn More

Target

Location: United States
Date Breach First Reported: 2/28/2022

Incident

Method: Ransomware
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On February 25, 2022, global insurance and reinsurance broker, Aon was hit by a ransomware attack, causing limited disruption to a number of their services. The attack reportedly left no significant impact on the company, and Aon has not disclosed further details about the incident.

Ukrainian government and banking sector DDoS

February 15

On February 15, 2022, the web portal of Ukraine’s defence ministry and the banking and terminal services at several large state-owned lenders were downed in the largest DDoS attacks to hit the country to date.

Learn More

Target

Location: Ukraine
Date Breach First Reported: 2/16/2022

Incident

Method: DDoS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On February 15, 2022, the web portal of Ukraine’s defence ministry and the banking and terminal services at several large state-owned lenders were downed in the largest DDoS attacks to hit the country to date. The Ukrainian government publicly attributed the incident to Moscow. The Kremlin has denied involvement for the operation, which hit Ukraine at a time when the country is bracing itself for a possible invasion from Russian forces.

IRA Financial Trust cryptocurrency theft

February 8

On February 8, 2022, IRA Financial Trust, which offers self-directed retirement accounts, lost $36 million in cryptocurrency when unknown threat actors drained $21 million in Bitcoin and $15 million in Ethereum from the accounts of IRA customers.

Learn More

Target

Location: United States
Date Breach First Reported: 2/14/2022

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On February 8, 2022, IRA Financial Trust, which offers self-directed retirement accounts, lost $36 million in cryptocurrency when unknown threat actors drained $21 million in Bitcoin and $15 million in Ethereum from the accounts of IRA customers. IRA Financial allows its customers to purchase cryptocurrency through a partnership with the cryptocurrency exchange Gemini Trust Co.

Medusa malware phishing attacks

February 7

On February 4, 2022, researchers reported that the Medusa Android banking Trojan has increased infection rates and the scope of geographic regions targeted.

Learn More

Target

Location: Multiple
Date Breach First Reported: 2/7/2022

Incident

Method: Malware
Type: Multiple

Actor

Type: Unknown
Attribution: Unknown

Description

On February 4, 2022, researchers reported that the Medusa Android banking Trojan has increased infection rates and the scope of geographic regions targeted. The malware aims to steal online credentials to go on and perform financial fraud. Medusa has begun targeting victims in North America and Europe, using the same distribution service as FluBot malware to carry out their smishing campaigns.

Wormhole cryptocurrency theft

February 2

On February 2, 2022, cryptocurrency platform Wormhole lost an estimated $322 million worth of Ether currency when a threat actor exploited a vulnerability in the platform’s smart contracts, making it the second largest hack of a decentralized platform to date.

Learn More

Target

Location: Switzerland
Date Breach First Reported: 2/2/2022

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On February 2, 2022, cryptocurrency platform Wormhole lost an estimated $322 million worth of Ether currency when a threat actor exploited a vulnerability in the platform’s smart contracts, making it the second largest hack of a decentralized platform to date. Wormhole is offering the hacker $10 million in exchange for return of the stolen funds.

Qubit Finance cryptocurrency theft

January 27

On January 27, 2022, decentralized finance platform Qubit Finance suffered a breach, in which threat actors were able to steal $80 million worth of cryptocurrency.

Learn More

Target

Location: United Kingdom
Date Breach First Reported: 1/28/2022

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On January 27, 2022, decentralized finance platform Qubit Finance suffered a breach, in which threat actors were able to steal $80 million worth of cryptocurrency. The attackers exploited a vulnerability in one of its Ethereum blockchain contracts. Qubit has offered to pay the attacker a bounty to return the stolen funds.

TeaBot and FluBot banking trojan resurgence

January 26

On January 26, 2022, the TeaBot and FluBot banking trojans were detected to be targeting Android devices once again.

Learn More

Target

Location: Multiple
Date Breach First Reported: 1/26/2022

Incident

Method: Phishing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On January 26, 2022, the TeaBot and FluBot banking trojans were detected to be targeting Android devices once again. The banking trojans steal banking, contact, and SMS data from infected machines, and are being dispatched in phishing campaigns.

Multichain cryptocurrency theft

January 17

On January 17, 2022, Multichain, a platform that allows users to swap tokens between blockchains, lost approximately $1.4 million when hackers exploited a vulnerability in the blockchain service.

Learn More

Target

Location: Multiple
Date Breach First Reported: 1/19/2022

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On January 17, 2022, Multichain, a platform that allows users to swap tokens between blockchains, lost approximately $1.4 million when hackers exploited a vulnerability in the blockchain service. One of the attackers is now negotiating with the victims to return 80% of the stolen funds and keep the remaining 20% as a ‘tip’.

Crypto.com 2FA bypass hack

January 17

On January 17, 2022, major cryptocurrency exchange Crypto.com suffered a cyber attack that led to unauthorized withdrawals of bitcoin and Ether worth $35 million and affected at least 483 user accounts.

Learn More

Target

Location: Multiple
Date Breach First Reported: 1/17/2022

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On January 17, 2022, major cryptocurrency exchange Crypto.com suffered a cyber attack that led to unauthorized withdrawals of bitcoin and Ether worth $35 million and affected at least 483 user accounts. The exchange has subsequently instituted strict 2FA measures a fund restoration program for qualifying users.

OP Financial Group cyberattack

January 9

On January 9, 2022, the biggest bank in Finland, OP Financial Group suffered a cyberattack which disrupted its services.

Learn More

Target

Location: Finland Date Breach First Reported: 1/11/2022

Incident

Method: Unknown
Type: Disruption

Actor

Type: Unknown
Attribution: Speculated

Description

On January 9, 2022, the biggest bank in Finland, OP Financial Group suffered a cyberattack which disrupted its services. The attack also affected logins to the site but online services were restored shortly after and no customer’s information or funds were compromised.

2021

OCBC phishing scam

December 23

On December 23, 2021, around 790 banking customers of Singporean bank OCBC were targeted in a phishing scam resulting in a loss of at least $13.7 million.

Learn More

Target

Location: Multiple
Date Breach First Reported: 1/11/2022

Incident

Method: Phishing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On December 23, 2021, around 790 banking customers of Singporean bank OCBC were targeted in a phishing scam resulting in a loss of at least $13.7 million. Once victims clicked on the link provided and typed in their credentials, attackers were able to gain access to victim’s bank accounts and drain it of its entire funds.

AscendEX hot wallet breach

December 11

On December 12, 2021, crypto exchange AscendEX lost $77.7 million in a breach of its hot wallet.

Learn More

Target

Location: Multiple
Date Breach First Reported: 12/11/2021

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On December 12, 2021, crypto exchange AscendEX lost $77.7 million in a breach of its hot wallet. Assets were taken across three blockchains—Ethereum, Binance Smart Chain, and Polygon—with stolen tokens including significant amounts of stablecoins. The firm subsequently froze deposits and withdrawals.

Bitmart security breach

December 4

On December 4, 2021, Bitmart, a crypto trading platform, experienced a major security breach, resulting in hackers withdrawing almost $200 million in assets.

Learn More

Target

Location: Multiple
Date Breach First Reported: 12/5/2021

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On December 4, 2021, Bitmart, a crypto trading platform, experienced a major security breach, resulting in hackers withdrawing almost $200 million in assets. The security breach was mainly caused by a stolen private key, which affected two of its ethereum and binance smart chain hot wallets. Bitmart says it will reimburse victims for all losses.

BadgerDAO DeFi protocol hack

December 2

On December 2, 2021, decentralied finance ("DeFi") protocol BadgerDAO was hit by a cyber attack in which hackers stole $120.3 million in crypto.

Learn More

Target

Location: Multiple Date Breach First Reported: 12/2/2021

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On December 2, 2021, decentralied finance ("DeFi") protocol BadgerDAO was hit by a cyber attack in which hackers stole $120.3 million in crypto. The DAO paused all smart contracts in order to prevent further withdrawals. Crypto lender Celsius Network subsequently confirmed the company had lost money from the hack.

Monox cryptocurrency theft

December 1

On December 1, 2021, blockchain startup MonoX Finance lost $31M when a threat actor exploited a vulnerability in the software the company uses to draft smart contracts.

Learn More

Target

Location: Singapore
Date Breach First Reported: 12/07/2021

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On December 1, 2021, blockchain startup MonoX Finance lost $31M when a threat actor exploited a vulnerability in the software the company uses to draft smart contracts. The threat actor was able to inflate the price of the MONO token and use it to cash out all the other deposited tokens.

Taiwanese financial institutions cyber espionage

November 30

From the end of November 2021, Taiwan’s financial sector was hit by a months-long cyber espionage campaign attributed to Chinese state-sponsored group APT 10.

Learn More

Target

Location: Taiwan
Date Breach First Reported: 2/21/2022

Incident

Method: Malware
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

From the end of November 2021, Taiwan’s financial sector was hit by a months-long cyber espionage campaign attributed to Chinese state-sponsored group APT 10. Attackers ran malicious code on local systems and installed a RAT that allowed them to maintain persistent remote access to the infected system.

Incident notification requirements for U.S. banks

November 18

On November 18, 2021, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency issued a joint final rule to establish computer security incident notification requirements for banking organisations and their service providers.

Learn More

Target

Location: United States
Date Breach First Reported: 11/18/2021

Incident

Method: N/A
Type: N/A

Actor

Type: N/A
Attribution: N/A

Description

On November 18, 2021, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency issued a joint final rule to establish computer security incident notification requirements for banking organisations and their service providers. The rule seeks to provide agencies with early warnings of suspected threats.

Robinhood data breach

November 8

On November 8, 2021, Robinhood, the American stock trading platform, disclosed a data breach after their systems were hacked.

Learn More

Target

Location: United States
Date Breach First Reported: 11/8/2021

Incident

Method: Other
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On November 8, 2021, Robinhood, the American stock trading platform, disclosed a data breach after their systems were hacked. A threat actor gained access to the personal information of around 7 million customers.

bZx cryptocurrency theft

November 6

On November 6, 2021, threat actors stole an estimated $55 million from bZx, a decentralised finance platform that allows users to borrow, loan, and speculate on cryptocurrency price varations.

Learn More

Target

Location: Multiple
Date Breach First Reported: 11/6/2021

Incident

Method: Phishing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On November 6, 2021, threat actors stole an estimated $55 million from bZx, a decentralised finance platform that allows users to borrow, loan, and speculate on cryptocurrency price varations. A bZx developer was sent a phishing email with a malicious Word document attached. Threat actors compromised the developer's mnemonic wallet phrase and emptied their personal wallet before stealing two private keys for bZx's Polygon and Binance Smart Chain (BSC) blockchains.

FBI warns of ATM crypto scams

November 4

On November 4, 2021, the FBI warned that scams involving cryptocurrency ATMs and QR codes are on the rise.

Learn More

Target

Location: United States
Date Breach First Reported: 11/4/2021

Incident

Method: Other
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

On November 4, 2021, the FBI warned that scams involving cryptocurrency ATMs and QR codes are on the rise. Cybercriminals have started to abuse QR codes to receive fraudulent cryptocurrency payments from their victims.

Zloader banking malware

November 1

Since November 2021, the banking trojan Zloader has been exploiting Microsoft’s digital signature verification method to inject malicious code into a signed system dynamic link library (DLL).

Learn More

Target

Location: Multiple Date Breach First Reported: 01/07/2022

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Since November 2021, the banking trojan Zloader has been exploiting Microsoft’s digital signature verification method to inject malicious code into a signed system dynamic link library (DLL). The banking trojan leverages Atera, an enterprise remote monitoring and management application, for intial access to targeted machines, and as of January 2022, the malicious DLL had been downloaded to 2000+ unique victim IPs.

UK and Italian banks targeted by SharkBot banking trojan

November 1

In late October 2021, researchers from Cleafy and ThreatFabric discovered a new Android banking Trojan called SharkBot.

Learn More

Target

Location: Italy, United Kingdom Date Breach First Reported: 11/1/2021

Incident

Method: Malware
Type: Multiple

Actor

Type: Unknown
Attribution: Unknown

Description

In late October 2021, researchers from Cleafy and ThreatFabric discovered a new Android banking Trojan called SharkBot. The trojan tricks targets into downloading malicious apps from Google Play Store and grants itself admin rights, collects keystrokes, intercepts/hides F2A SMS messages, and accesses mobile banking and crypocurrency apps to transfer funds. SharkBot has been detected targeting international banks from the United Kingdom and Italy and five different cryptocurrency services.

FBI warns of novel ransomware extortion methods

November 1

On November 1, 2021, the FBI warned that ransomware actors have been using significant financial events and stock information, specifically, publicly available information such as upcoming mergers to inform their targeting and extortion of victims.

Learn More

Target

Location: United States Date Breach First Reported: 11/1/2021

Incident

Method: Ransomware
Type: Multiple

Actor

Type: Unknown
Attribution: Unknown

Description

On November 1, 2021, the FBI warned that ransomware actors have been using significant financial events and stock information, specifically, publicly available information such as upcoming mergers to inform their targeting and extortion of victims.

National Bank of Pakistan attack

October 29

On October 29, 2021, the National Bank of Pakistan suffered a destructive cyber attack, which is said to have impacted some of its services including the bank's ATMs, internal network, and mobile apps.

Learn More

Target

Location: Pakistan Date Breach First Reported: 11/2/2021

Incident

Method: Multiple
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On October 29, 2021, the National Bank of Pakistan suffered a destructive cyber attack, which is said to have impacted some of its services including the bank's ATMs, internal network, and mobile apps. Steps were taken immediately to isolate the incident, and the bank stated that no data was breached and no funds were stolen.

DeFi platform Cream Finance $130 million theft

October 27

On October 27, 2021, in their third attack this year, attackers stole around $130 million from Cream Finance, a decentralized finance ("DeFi") platform.

Learn More

Target

Location: Poland Date Breach First Reported: 10/27/2021

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On October 27, 2021, in their third attack this year, attackers stole around $130 million from Cream Finance, a decentralized finance ("DeFi") platform. The attackers exploited a vulnerability in the platform's lending system (flash loaning) to steal all of their assets and tokens running on the Ethereum blockchain.

Diebold Nixdorf ATM vulnerability

October 25

On October 28, 2021, researchers from Positive Technologies discovered vulnerabilities in the Wincor Cineo ATMs, owned by Diebold Nixdorf, an American multinational financial and retail technology company.

Learn More

Target

Location: United States Date Breach First Reported: 10/25/2021

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On October 28, 2021, researchers from Positive Technologies discovered vulnerabilities in the Wincor Cineo ATMs, owned by Diebold Nixdorf, an American multinational financial and retail technology company. With access to the dispenser controller's USB port, outdated or modified firmware could be installed to bypass the encryption and make cash ATM withdrawals.

Flubot targets Android devices with fake security updates and apps

October 22

On October 26, 2021, the Nigerian Communications Commission announced the discovery of a new malware, dubbed Flubot, targeting Android devices with fake security updates and application installations.

Learn More

Target

Location: Nigeria Date Breach First Reported: 10/1/2021

Incident

Method: Malware
Type: Multiple

Actor

Type: Unknown
Attribution: Unknown

Description

On October 26, 2021, the Nigerian Communications Commission announced the discovery of a new malware, dubbed Flubot, targeting Android devices with fake security updates and application installations. The malware draws fake web views on infected devices, with the goal of stealing personal data, particularly credit card details or online banking credentials.

Russian-linked TA505 targets financial institutions with phishing campaign

October 15

On October 15, 2021, researchers discovered that Russian-linked TA505 was targeting financial institutions globally in a new malware campaign, tracked as MirrorBlast.

Learn More

Target

Location: Russia Date Breach First Reported: 10/15/2021

Incident

Method: Malware
Type: Multiple

Actor

Type: Non-state actor
Attribution: High confidence

Description

On October 15, 2021, researchers discovered that Russian-linked TA505 was targeting financial institutions globally in a new malware campaign, tracked as MirrorBlast. The infection begins with an email attachment document. After clicking the URL, targets will be directed to a fake OneDrive site, a compromised SharePoint, displaying a sign-in requirement to evade sandboxes.

Ecuadorian Pichincha Bank disrupted by cyber attack

October 10

On October 10, 2021, Pichincha Bank in Ecuador was hit by a cyber attack that disrupted customers' access to bank services, including their online and mobile app tools.

Learn More

Target

Location: Ecuador Date Breach First Reported: 10/12/2021

Incident

Method: Other
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On October 10, 2021, Pichincha Bank in Ecuador was hit by a cyber attack that disrupted customers' access to bank services, including their online and mobile app tools. The bank stated that they had identified a cybersecurity incident that had partially disabled their services.

Brazilian insurance giant cyber attack

October 2

On October 2, 2021, Porto Seguro, Brazil's third-largest insurance company, suffered a cyberattack.

Learn More

Target

Location: Brazil Date Breach First Reported: 10/15/2021

Incident

Method: Multiple
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On October 2, 2021, Porto Seguro, Brazil's third-largest insurance company, suffered a cyberattack. The attack resulted in temporary instability to its service channels and some of its systems. No data leakage has been identified in relation to the company or its subsidiaries, customers, or partners, including any personal data.

Online retailers hit by banking trojan

October 1

In late 2021, a long list of brands and online retailers were infected with the banking Trojan, Ramnit.

Learn More

Target

Location: Multiple Date Breach First Reported: 1/31/2022

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In late 2021, a long list of brands and online retailers were infected with the banking Trojan, Ramnit. Ramnit aims to take over targets online accounts to steal their card payment data and has been detected in use since 2010. Ramnit was the top active banking Trojan for 2021.

PixStealer targets Brazilian banking applications

September 29

On September 29, 2021, researchers from Check Point Research discovered a new wave of malicious Android applications targeting Brazilian banking applications, including the Central Bank's Pix payment system.

Learn More

Target

Location: Brazil Date Breach First Reported: 9/29/2021

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Speculated

Description

On September 29, 2021, researchers from Check Point Research discovered a new wave of malicious Android applications targeting Brazilian banking applications, including the Central Bank's Pix payment system. One of the malicious applications contains a never-seen-before functionality which steals victims' money using Pix transactions, dubbed PixStealer.

Banking trojan targets Indian Android-based financial customers

September 22

On September 22, 2021, researchers reported that Android phone banking customers in India were being targeted the Drinik banking trojan malware.

Learn More

Target

Location: India Date Breach First Reported: 9/22/2021

Incident

Method: Malware
Type: Multiple

Actor

Type: Unknown
Attribution: Unknown

Description

On September 22, 2021, researchers reported that Android phone banking customers in India were being targeted the Drinik banking trojan malware. The malware stole users' personal data and funds using phishing techniques.

New Zealand banks hit by outages in suspected cyber attack

September 8

On September 8, 2021, the websites of various New Zealand financial institutions and the national postal service were down due to a suspected cyber attack.

Learn More

Target

Location: New Zealand, Australia Date Breach First Reported: 9/8/2021

Incident

Method: DDOS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On September 8, 2021, the websites of various New Zealand financial institutions and the national postal service were down due to a suspected cyber attack. The financial institutions included Australia and New Zealand Banking Grp Ltd and Kiwibank, with the latter facing challenges into the next week.

Kaspersky detects fraudulent resources targeting cryptocurrency users

September 1

On September 1, 2021, Kapersky reported that it had detected over 1,500 fraudulent global resources targeting potential crypto investors/users interested in mining, and prevented over 70,000 user attempts to visit such sites, since the beginning of 2021.

Learn More

Target

Location: Multiple Date Breach First Reported: 9/1/2021

Incident

Method: Malware
Type: Theft

Actor

Type: N/A
Attribution: N/A

Description

On September 1, 2021, Kapersky reported that it had detected over 1,500 fraudulent global resources targeting potential crypto investors/users interested in mining, and prevented over 70,000 user attempts to visit such sites, since the beginning of 2021.

Taiwanese DeFi Platform hit by cyber attack

August 30

On August 30, 2021, Cream Finance, a Taiwanese decentralised finance platform, lost over $29 million in cryptocurrency assets to hackers.

Learn More

Target

Location: Taiwan Date Breach First Reported: 8/30/2021

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On August 30, 2021, Cream Finance, a Taiwanese decentralised finance platform, lost over $29 million in cryptocurrency assets to hackers. The hackers exploited a bug and used a re-entrancy attack to steal AMP tokens and ETH coins.

FIN8 targets U.S. financial organizations

August 25

On August 25, 2021, FIN8, the financially motivated cybercriminal gang, backdoored and breached the network of two unidentified U.S. financial organizations.

Learn More

Target

Location: United States
Date Breach First Reported:8/25/2021

Incident

Method: Malware
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On August 25, 2021, FIN8, the financially motivated cybercriminal gang, backdoored and breached the network of two unidentified U.S. financial organizations. The attack was conducted using the new Sardonic malware, an updated version of the BadHatch backdoor.

Japanese Crypto Exchange Liquid hit by cyber attack

August 18

On August 18, 2021, Liquid, a Japanese cryptocurrency exchange, was the target in a cyber attack that resulted in a loss of $97 million worth of digital coins.

Learn More

Target

Location: Japan
Date Breach First Reported: 8/18/2021

Incident

Method: N/A
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On August 18, 2021, Liquid, a Japanese cryptocurrency exchange, was the target in a cyber attack that resulted in a loss of $97 million worth of digital coins. According to researchers, $45 million were in ethereum tokens, which were converted to ether, to prevent the assets from being frozen.

Nigerian fraudster reveals bank theft methods

August 16

On August 16, 2021, Nigerian police arrested a suspected fraudster, who revealed that the country's Access Bank and First Bank were the easiest banks to hack.

Learn More

Target

Location: Nigeria
Date Breach First Reported:8/16/2021

Incident

Method: Multiple
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On August 16, 2021, Nigerian police arrested a suspected fraudster, who revealed that the country's Access Bank and First Bank were the easiest banks to hack. The fraudster further disclosed how his gang emptied the bank accounts of Nigerians using missing or stolen SIM cards.

Brazilian National Treasury ransomware

August 13

On August 13, 2021, Brazil's National Treasury was hit by a ransomware attack.

Learn More

Target

Location: Brazil
Date Breach First Reported:8/15/2021

Incident

Method: Ransomware
Type: Multiple

Actor

Type: Unknown
Attribution: Unknown

Description

On August 13, 2021, Brazil's National Treasury was hit by a ransomware attack. Assessments found there was no damage to the structuring systems of the National Treasury or to programs that enable the purchase of Brazilian government bonds.

Poly Network temporary theft

August 10

On August 10, 2021, Poly Network, a Chinese blockchain site, lost $600 million after hackers exploited a vulnerability in their system to steal thousands of digital tokens.

Learn More

Target

Location: China
Date Breach First Reported:8/11/2021

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On August 10, 2021, Poly Network, a Chinese blockchain site, lost $600 million after hackers exploited a vulnerability in their system to steal thousands of digital tokens. While dubbed one of the largest cryptocurrency heists ever, the hackers subsequently returned all of the funds stolen in the hack

Oscorp malware returns as an Android botnet

July 27

On July 27, 2021, Cleafy researchers reported that users of banking applications in Spain, Poland, Germany, Turkey, the United States, Japan, Italy, Australia, France, and India were being targeted by a botnet campaign dubbed UBEL.

Learn More

Target

Location: Spain, Poland, Germany, Turkey, United States, Japan, Italy, Australia, France, India
Date Breach First Reported:7/27/2021

Incident

Method: Malware
Type: Multiple

Actor

Type: Unknown
Attribution: Unknown

Description

On July 27, 2021, Cleafy researchers reported that users of banking applications in Spain, Poland, Germany, Turkey, the United States, Japan, Italy, Australia, France, and India were being targeted by a botnet campaign dubbed UBEL. UBEL can gain access to sensitive information and exfiltrate it back to a remote server, hiding its presence and achieving persistence. The campaign relied on a botnet created from the Android malware Oscorp. The malware was previously observed abusing accessibility services to hijack user credentials from European banking applications.

BackNine data breach

July 16

On July 16, 2021, BackNine, an insurance tech start-up, exposed thousands of sensitive insurance applications in a data breach.

Learn More

Target

Location: United States
Date Breach First Reported:7/16/2021

Incident

Method: Other
Type: Data breach

Actor

Type: N/A
Attribution: N/A

Description

On July 16, 2021, BackNine, an insurance tech start-up, exposed thousands of sensitive insurance applications in a data breach. One of BackNine’s storage servers, hosted on Amazon’s cloud, was misconfigured to allow anyone access to the 711,000 files inside, including completed insurance applications that contain highly sensitive personal and medical information on the applicant and their family.

FBI warns of ongoing attacks on virtual assets

July 9

On July 9, 2021, the FBI warned cryptocurrency owners, exchanges, and third-party payment platforms of threat actors actively targeting virtual assets.

Learn More

Target

Location: United States
Date Breach First Reported:7/9/2021

Incident

Method: Multiple
Type: Theft

Actor

Type: N/A
Attribution: N/A

Description

On July 9, 2021, the FBI warned cryptocurrency owners, exchanges, and third-party payment platforms of threat actors actively targeting virtual assets. According to the FBI, attackers are using several tactics to steal and launder cryptocurrency, including technical support fraud, SIM swapping (aka SIM hijacking), and taking control of their targets' cryptocurrency exchange accounts via identity theft or account takeovers.

Morgan Stanley targeted in Accellion hack

July 8

On July 10, 2021, Morgan Stanley, the American investment banking giant, reported a data breach tied to zero-day attacks on Accellion's legacy File Transfer Appliance.

Learn More

Target

Location: United States
Date Breach First Reported:7/10/2021

Incident

Method: Ransomware
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On July 10, 2021, Morgan Stanley, the American investment banking giant, reported a data breach tied to zero-day attacks on Accellion's legacy File Transfer Appliance. Attackers stole personal information belonging to its customers by hacking into the Accellion FTA server of its third-party vendor, Guidehouse.

Bit2check identified in card skimming ecosystem

June 16

On June 16, 2021, researchers at RiskIQ discovered that a Google IP address briefly hosted a malicious card skimmer domains.

Learn More

Target

Location: N/A
Date Breach First Reported:6/16/2021

Incident

Method: Other
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On June 16, 2021, researchers at RiskIQ discovered that a Google IP address briefly hosted a malicious card skimmer domains. This IP then hosted a domain offering a helpful service for card skimmers (bit2check), allowing them to authenticate stolen payment data for a fee. Researchers found that the individual behind bit2check is a Kurdish actor calling themself Hama.

Intuit discloses TurboTax data breach

June 12

On June 12, 2021, Intuit, an American financial software company, notified TurboTax customers that some of their personal and financial data has been compromised in account takeover attacks.

Learn More

Target

Location: United States
Date Breach First Reported:6/12/2021

Incident

Method: Credential Stuffing
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On June 12, 2021, Intuit, an American financial software company, notified TurboTax customers that some of their personal and financial data has been compromised in account takeover attacks. Criminals gained access to victims' account using credentials stolen from previously breached online services.

German banks hit by DDoS attack on IT provider

June 4

On June 4, 2021, Fiducia & GAD IT, a German company that operates technology on the nation's cooperative banks, was hit by a DDoS attack, disrupting more than 800 financial institutions in the country.

Learn More

Target

Location: Germany
Date Breach First Reported:6/4/2021

Incident

Method: DDoS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On June 4, 2021, Fiducia & GAD IT, a German company that operates technology on the nation's cooperative banks, was hit by a DDoS attack, disrupting more than 800 financial institutions in the country.

UK Insurer Recovers from Ransomware Attack

May 25

On May 25, 2021, UK-based insurance firm One Call stated that it had successfully restored its systems onto a new environment separate from the one that was impacted by a ransomware attack on May 13, adding that a ransomware note purportedly from DarkSide could not be verified as authentic.

Learn More

Target

Location: United Kingdom
Date Breach First Reported:5/25/2021

Incident

Method: Ransomware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On May 25, 2021, UK-based insurance firm One Call stated that it had successfully restored its systems onto a new environment separate from the one that was impacted by a ransomware attack on May 13, adding that a ransomware note purportedly from DarkSide could not be verified as authentic.

Small Banks Face Ransomware Attacks

May 24

On May 24, 2021, two ransomware groups, DarkSide and Ragnar Locker, demanded ransom from three small banks after posting evidence of stolen customer data belonging to the banks.

Learn More

Target

Location: United States
Date Breach First Reported:5/24/2021

Incident

Method: Ransomware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On May 24, 2021, two ransomware groups, DarkSide and Ragnar Locker, demanded ransom from three small banks after posting evidence of stolen customer data belonging to the banks.

Chase Bank phishing attacks

May 15

From May to August 2021, researchers from Cyren reported a 300% increase in phishing attacks targeting Chase Bank.

Learn More

Target

Location: United States
Date Breach First Reported:10/5/2021

Incident

Method: Phishing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

From May to August 2021, researchers from Cyren reported a 300% increase in phishing attacks targeting Chase Bank. The XBALTI phishing kits were designed to mimic the Chase banking portal. Researchers stated that the phishing kits were highly sophisticated and designed to harvest more than just email addresses and passwords, including banking and credit card information, social security numbers, and home addresses.

AXA hit by ransomware

May 15

On May 16, 2021, French insurer Axa said that its branches in Thailand, Malaysia, Hong Kong and the Philippines had been struck by a ransomware attack.

Learn More

Target

Location: N/A
Date Breach First Reported:5/16/2021

Incident

Method: Ransomware
Type: Theft

Actor

Type: Non-state actor
Attribution: Known

Description

On May 16, 2021, French insurer Axa said that its branches in Thailand, Malaysia, Hong Kong and the Philippines had been struck by a ransomware attack. A day before, the Avaddon ransomware group claimed to have stolen 3 TB of sensitive data from AXA's Asian operations and initiated DDoS attacks.

Finance Related Counterfeit Android and iOS Apps Identified

May 12

On May 12, 2021, Sophos, a cybersecurity firm, identified 167 fake Android and iOS financial trading, banking, and cryptocurrency apps being used by hackers to steal money.

Learn More

Target

Location: N/A
Date Breach First Reported:5/12/2021

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On May 12, 2021, Sophos, a cybersecurity firm, identified 167 fake Android and iOS financial trading, banking, and cryptocurrency apps being used by hackers to steal money. The attackers used social engineering techniques, counterfeit websites including a fake iOS App Store download page, and an iOS app-testing website to distribute the fake apps to unsuspecting users.

Lazarus Group Behind CryptoCore Heists

May 1

On May 24, 2021, researchers from ClearSky determined that the North Korean state-sponsored group Lazarus was behind multiple attacks on cryptocurrency exchanges, previously attributed to a threat actor they named CryptoCore.

Learn More

Target

Location: United States, Israel, Japan
Date Breach First Reported:5/24/2021

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On May 24, 2021, researchers from ClearSky determined that the North Korean state-sponsored group Lazarus was behind multiple attacks on cryptocurrency exchanges, previously attributed to a threat actor they named CryptoCore. The group is believed to have stolen hundreds of millions of U.S. dollars by breaching cryptocurrency exchanges in the U.S., Israel, Europe, and Japan over the past three years.

Bizarro Expands To Europe

May 1

On May 17, 2021, a cybersecurity firm uncovered a new banking trojan family dubbed "Bizarro" that rampantly scaled up its operations from Brazil to Europe.

Learn More

Target

Location: N/A
Date Breach First Reported:5/17/2021

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On May 17, 2021, a cybersecurity firm uncovered a new banking trojan family dubbed "Bizarro" that rampantly scaled up its operations from Brazil to Europe. These trojans have been used to try and steal credentials from customers of 70 banks from different European and South American countries.

Upstox Suffers Ransomware Attack

April 11

On April 11, 2021, stockmarket broker Upstox announced a data breach that compromised contact data and KYC details of its users from third-party data-warehouse systems.

Learn More

Target

Location: India
Date Breach First Reported:4/11/2021

Incident

Method: Ransomware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On April 11, 2021, stockmarket broker Upstox announced a data breach that compromised contact data and KYC details of its users from third-party data-warehouse systems. Hackers apparently demanded a ransom of $1.2 million in order to not go public with the data.

South African debt collector ransomware attack

April 1

On September 22, 2021, Debt-IN Consultants, a South African debt collector, was hit by a major ransomware attack, resulting in a significant data breach of consumer and employee personal information.

Learn More

Target

Location: South Africa
Date Breach First Reported:9/22/2021

Incident

Method: Ransomware
Type: Data breach

Actor

Type: Non-state actor
Attribution: Speculated

Description

On September 22, 2021, Debt-IN Consultants, a South African debt collector, was hit by a major ransomware attack, resulting in a significant data breach of consumer and employee personal information. The data of more than 1.4 million South Africans was illegally accessed from the company’s servers, with confidential consumer data and voice recordings of calls between Debt-IN debt recovery agents and financial services customers posted on the dark web.

US Insurance Firm CNA Hit by Cyberattack

March 21

On March 21, 2021, CNA Financial suffered a ransomware attack which disrupted the company’s employee and customer services for three days.

Learn More

Target

Location: United States
Date Breach First Reported:3/23/21

Incident

Method: Ransomware
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On March 21, 2021, CNA Financial suffered a ransomware attack which disrupted the company’s employee and customer services for three days. The insurance company engaged third-party forensic experts and also alerted law enforcement to begin further investigations. CNA later revealed that over 75,000 people's personal data was exposed during the attack. Subsequent reporting revealed the firm paid $40 million in ransom.

Cybercrime Forum Swarmshop Database Leaked

March 17

On March 17, 2021, the database of the card shop Swarmshop was leaked on a rival underground forum.

Learn More

Target

Location: N/A
Date Breach First Reported:4/8/2021

Incident

Method: Unknown
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

On March 17, 2021, the database of the card shop Swarmshop was leaked on a rival underground forum. The compromised data contained 623,036 payment-card records, 498 sets of online banking account credentials, 69,592 sets of American Social Security Numbers and Canadian Social Insurance Numbers, and 12,344 records of user data. The leak was discovered on April 8, 2021 by a computer intelligence firm.

FTC Warns Of New Phishing Email Scam

March 17

On March 17, 2021, the Federal Trade Commission (FTC) issued an alert warning individuals of an e-mail scam about COVID-19 stimulus payments.

Learn More

Target

Location: United States
Date Breach First Reported:3/17/21

Incident

Method: N/A
Type: Theft

Actor

Type: N/A
Attribution: N/A

Description

On March 17, 2021, the Federal Trade Commission (FTC) issued an alert warning individuals of an e-mail scam about COVID-19 stimulus payments. The new scam emails appear to be from acting FTC Chairwoman Rebecca Slaughter.

FBI Attributes Loss of $4 billion to Cybercrime

March 17

On March 17, 2021, the FBI released its Internet Crime Report 2020 which stated that American victims reported $4.2 billion in losses as a result of cybercrime and internet fraud to the FBI last year.

Learn More

Target

Location: United States, Canada, South Africa, Panama, Italy
Date Breach First Reported:3/17/21

Incident

Method: N/A
Type: Theft

Actor

Type: N/A
Attribution: N/A

Description

On March 17, 2021, the FBI released its Internet Crime Report 2020 which stated that American victims reported $4.2 billion in losses as a result of cybercrime and internet fraud to the FBI last year. The FBI’s Internet Crime Complaint Center claimed that it received an average of more than 2,000 complaints per day through 2020. Losses of $1.8 billion, $29.1 million, and $146 million were suffered due to BEC scams, ransomware attacks, and technology support scams respectively in the United States.

New Billing Fraud Apps Found On Google Play Store

March 12

On April 19, 2021, a cybersecurity firm reported a new set of fraudulent Android apps in the Google Play store, primarily targeting users in Southwest Asia and the Arabian Peninsula.

Learn More

Target

Location: N/A
Date Breach First Reported:4/19/2021

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On April 19, 2021, a cybersecurity firm reported a new set of fraudulent Android apps in the Google Play store, primarily targeting users in Southwest Asia and the Arabian Peninsula. The apps, suspected to belong to the "Joker" malware, work by hijacking SMS message notifications to carry out billing fraud. More than 700,000 downloads were recorded before the apps were removed from the platform.

FIN8 Releases New Variant of BADHATCH kit

March 10

On March 10, 2021, Bitdefender reported re-emergence of the threat actor FIN 8 in 2020 and the subsequent updated versions of its point-of-sale malware, BadHatch.

Learn More

Target

Location: United States, Canada, South Africa, Panama, Italy
Date Breach First Reported:3/10/21

Incident

Method: Ransomware
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On March 10, 2021, Bitdefender reported re-emergence of the threat actor FIN 8 in 2020 and the subsequent updated versions of its point-of-sale malware, BadHatch. FIN8 has been using new versions of BadHatch backdoor to compromise companies in chemical insurance, retail, and technology in the United States, Canada, South Africa, Panama, and Italy.

FINRA Sends Scam Alert To Brokerage Industry

March 4

On March 04, 2021, the Financial Industry Regulatory Authority (FINRA) warned member firms of an ongoing phishing campaign involving emails sent by impersonators.

Learn More

Target

Location: United States
Date Breach First Reported:3/4/21

Incident

Method: Phishing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On March 04, 2021, the Financial Industry Regulatory Authority (FINRA) warned member firms of an ongoing phishing campaign involving emails sent by impersonators. The emails urged recipients to respond to a non-compliance issue by opening a corrupt link or document.

Wall Street Targeted In New Capital Call Fraud Scheme

March 3

On March 3, 2021, a cybersecurity firm reported Capital Call Investment scams as the latest threat vector used to swindle exorbitant amount of money from Wall Street firms and their clients.

Learn More

Target

Location: United States
Date Breach First Reported:3/3/21

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On March 3, 2021, a cybersecurity firm reported Capital Call Investment scams as the latest threat vector used to swindle exorbitant amount of money from Wall Street firms and their clients. Scammers have been impersonating investment firms to seek funds for investment commitments.

Ploutus Variant Targets ATMs in Latin America

March 2

On March 02, 2021, a cybersecurity firm disclosed a new variant of the malware Ploutus which has been targeting ageing ATM devices produced by Itautec.

Learn More

Target

Location: N/A
Date Breach First Reported:3/2/21

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On March 02, 2021, a cybersecurity firm disclosed a new variant of the malware Ploutus which has been targeting ageing ATM devices produced by Itautec. Ploutus-I operates by communicating directly with XFS to command the ATMs to disgorge cash.

CNA reports data breach after ransomware attack

March 1

On July 9, 2021, CNA Financial Corporation, a leading US-based insurance company, notified customers of a data breach following a March 2021 ransomware attack.

Learn More

Target

Location: United States
Date Breach First Reported: 7/9/2021

Incident

Method: Ransomware
Type: Data breach

Actor

Type: Non-state actor
Attribution: High confidence

Description

On July 9, 2021, CNA Financial Corporation, a leading US-based insurance company, notified customers of a data breach following a March 2021 ransomware attack. Over 75,000 individuals are estimated to be affected.

Sequoia Capital Discloses Data Breach

February 19

On February 19, 2021, Sequoia Capital informed its investors of a data breach jeopardizing some of their personal and financial information.

Learn More

Target

Location: United States
Date Breach First Reported:2/20/21

Incident

Method: Phishing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On February 19, 2021, Sequoia Capital informed its investors of a data breach jeopardizing some of their personal and financial information. The company claimed to have been a victim of a phishing attack.

US Indicts Three North Korean Cybercriminals

February 17

On February 17, 2021, a federal indictment charged three North Korean computer programmers with participating in a wide-ranging criminal conspiracy including conducting a series of destructive cyberattacks, stealing and extorting more than $1.3 billion of money and cryptocurrency from financial institutions and companies, creating and deploying multiple malicious cryptocurrency applications, and developing and fraudulently marketing a blockchain platform.

Learn More

Target

Location: North Korea
Date Breach First Reported: 2/17/21

Incident

Method: N/A
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On February 17, 2021, a federal indictment charged three North Korean computer programmers with participating in a wide-ranging criminal conspiracy including conducting a series of destructive cyberattacks, stealing and extorting more than $1.3 billion of money and cryptocurrency from financial institutions and companies, creating and deploying multiple malicious cryptocurrency applications, and developing and fraudulently marketing a blockchain platform. The suspects were believed to have been working for the North Korean military and were linked to the prolific North Korean threat group Lazarus. The trio are thought to be behind cyberattacks beginning as early as November 2014 targeting the media industry.

New York State Warns Against COVID-19 Relief Fund Targeting

February 16

On February 16, 2021, the New York State Department of Financial Services (DFS) alerted all its regulated entities of a cybercampaign stealing customer’s personal information from public-facing websites.

Learn More

Target

Location: United States
Date Breach First Reported:2/16/21

Incident

Method: Phishing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On February 16, 2021, the New York State Department of Financial Services (DFS) alerted all its regulated entities of a cybercampaign stealing customer’s personal information from public-facing websites. The criminals are suspected of using the stolen data to illegally access pandemic and unemployment benefits.

IRS Warns of Phishing Attacks

February 10

On February 10, 2021, the Internal Revenue Service (IRS) warned US tax professionals of a phishing scam attempting to steal the tax preparer’s identity.

Learn More

Target

Location: United States
Date Breach First Reported:2/10/21

Incident

Method: Phishing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On February 10, 2021, the Internal Revenue Service (IRS) warned US tax professionals of a phishing scam attempting to steal the tax preparer’s identity. The scammers have been impersonating the IRS to trick tax preparers to disclose sensitive information that would allow them to file fraudulent tax returns.

Cuba Ransomware Attacks Payment Processors

February 3

On February 3, 2021, Automatic Funds Transfer Services, a payment processor, suffered a ransomware attack by a group called Cuba Ransomware.

Learn More

Target

Location: United States
Date Breach First Reported:2/18/21

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On February 3, 2021, Automatic Funds Transfer Services, a payment processor, suffered a ransomware attack by a group called Cuba Ransomware. The group claimed to have stolen sensitive information including financial documents, correspondences with bank employees, account movements, balance sheets, and tax documents. The attack sparked data breach notifications from numerous US state agencies.

Spear-Phishing Campaign Impersonates Financial Insitutions

February 1

On May 12, 2021 the FBI warned of a spear-phishing campaign impersonating Truist Bank, in an attempt to get recipients to download a fake Windows application.

Learn More

Target

Location: United States
Date Breach First Reported:5/12/21

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On May 12, 2021 the FBI warned of a spear-phishing campaign impersonating Truist Bank, in an attempt to get recipients to download a fake Windows application. Other U.S. and UK financial institutions have also been impersonated in the campaign, spoofing these institutions through registered domains, email subjects, and applications.

FIN7 Backdoor Masquerades as Ethical Hacking Tool

February 1

On May 13, 2021, a cybersecurity firm discovered a new backdoor malware called Lizar being employed by the FIN7 cybercrime gang.

Learn More

Target

Location: N/A
Date Breach First Reported: 5/13/21

Incident

Method: Malware
Type: Theft

Actor

Type: Non-state actor
Attribution: Known

Description

On May 13, 2021, a cybersecurity firm discovered a new backdoor malware called Lizar being employed by the FIN7 cybercrime gang. The group has been impersonating a legitimate cybersecurity company to distribute Lizar as a penetration testing tool for Windows networks.

Reserve Bank of New Zealand Data Breach

January 10

The Reserve Bank of New Zealand suffered a data breach after actors illegally accessed its information through one of the bank's third-party file sharing services.

Learn More

Target

Location: New Zealand
Date Breach First Reported:1/10/21

Incident

Method: Unknown
Type: Data Breach

Actor

Type: Unknown
Attribution: Unknown

Description

The Reserve Bank of New Zealand suffered a data breach after actors illegally accessed its information through one of the bank's third-party file sharing services. The Bank is now actively seeking a new platform to replace the previously compromised file sharing service.

Microsoft Exchange Servers Breach

January 6

Claiming over 30,000 victims within the US, the large-scale cyberattack on Microsoft Exchange servers was first discovered by a security testing firm on January 6, 2021.

Learn More

Target

Location: N/A
Date Breach First Reported:1/6/21

Incident

Method: N/A
Type: Data Breach

Actor

Type: Non-state actor
Attribution: Speculated

Description

Claiming over 30,000 victims within the United States, the large-scale cyberattack on Microsoft Exchange servers was first discovered by a security testing firm on January 6, 2021. The hackers dubbed Hafnium exploited four zero-day vulnerabilities in the servers to claim hundreds of thousands of victims globally including the European Banking Authority and Chile's Comisión para el Mercado Financiero. On March 5 2021, Microsoft released security updates to patch the vulnerabilities which prompted the hackers to hasten their operation.

American Express Leak

January 5

A hacker posted data of 10,000 Mexico-based American Express card users on a forum for free.

Learn More

Target

Location: Mexico
Date Breach First Reported:1/5/21

Incident

Method: Unknown
Type: Data Breach

Actor

Type: Unknown
Attribution: Unknown

Description

A hacker posted data of 10,000 Mexico-based American Express card users on a forum for free. Information included full credit card numbers and personal information such as emails and addresses, but did not contain passwords or expiration dates. In the forum post, the hacker also claimed to have more data information from Mexican bank customers of Santander, American Express, and Banamex.

Rocke Group Targets Apache, Oracle, and Redis web servers

January 1

Chinese cybercrime group Rocke released an improved version of its cryptojacking malware Pro-Ocean targeting cloud applications with the goal of mining Monero, a decentralized cryptocurrency.

Learn More

Target

Location: N/A
Date Breach First Reported:1/27/21

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

Chinese cybercrime group Rocke released an improved version of its cryptojacking malware Pro-Ocean targeting cloud applications with the goal of mining Monero, a decentralized cryptocurrency. The latest variant comes with better worm and rootkit capabilities and has been leveraging known vulnerabilities to target Apache ActiveMQ, Oracle WebLogic, and Redis.

PayPal SMS Phishing Scheme

January 1

A new SMS-based phishing scheme has been targeting PayPal in an attempt to gain access to accounts.

Learn More

Target

Location: N/A
Date Breach First Reported:1/4/21

Incident

Method: Phishing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

A new SMS-based phishing scheme has been targeting PayPal in an attempt to gain access to accounts. The messages impersonate the payment processor, warning users that their accounts have been limited and that they need to verify their identities.

New Android Malware TeaBot Targets European Banks

January 1

At the beginning of January 2021, a cybersecurity firm discovered a new Android banking trojan dubbed as TeaBot.

Learn More

Target

Location: N/A
Date Breach First Reported:05/10/21

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

At the beginning of January 2021, a cybersecurity firm discovered a new Android banking trojan dubbed as TeaBot. The malware aims to steal victim’s credentials and SMS messages to carry out fraudulent transactions against a predefined list of banks.

2020

Indian Fintech Chqbook Suffers Breach

December 25

Two million credit score records from Chqbook, an Indian FinTech startup, were found on the dark web.

Learn More

Target

Location: India
Date Breach First Reported:1/27/21

Incident

Method: Unknown
Type: Data Breach

Actor

Type: Unknown
Attribution: Unknown

Description

Two million credit score records from Chqbook, an Indian FinTech startup, were found on the dark web. The leaked data contained users’ names, contact details, and loan detail information. The hacking group ShinyHunters was believed to have been responsible for the leak.

Hackers Leak Data from Scottish Environmental Protection Agency

December 24

On January 22, hackers published over 4,000 documents from the Scottish Environmental Protection Agency (SEPA) after the organization refused to pay a ransom.

Learn More

Target

Location: United Kingdom
Date Breach First Reported:1/22/21

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On January 22, hackers published over 4,000 documents from the Scottish Environmental Protection Agency (SEPA) after the organization refused to pay a ransom. SEPA fell victim to a hack on December 24, where around 1.2GB of data was stolen from its servers. However, the agency has refused to entertain ransom demands.

Accellion Data Breach

December 16

Starting in mid-December 2020, cybercriminal groups linked to FIN11 and the Clop group began exploiting multiple zero-day vulnerabilities in Accellion's legacy File Transfer Appliance.

Learn More

Target

Location: Australia, New Zealand, United States
Date Breach First Reported:12/20/20

Incident

Method: Malware
Type: Theft

Actor

Type: Non-state actor
Attribution: Known

Description

Starting in mid-December 2020, cybercriminal groups linked to FIN11 and the Clop group began exploiting multiple zero-day vulnerabilities in Accellion's legacy File Transfer Appliance. Globally, around 100 Accellion customers using the software were targeted including the Australian Securities and Investment Commission (ASIC), Michigan FlagStar bank, and New Zealand’s central bank.

FBI Warns of Third-Party Service Attacks

December 8

On December 8, FBI Director Christopher Wray warned banks to be wary of "cyber criminals targeting the vulnerabilities in third-party services” as a way in to financial institution data.

Learn More

Target

Location: United States
Date Breach First Reported:12/8/20

Incident

Method: Multiple
Type: Theft

Actor

Type: N/A
Attribution: N/A

Description

On December 8, FBI Director Christopher Wray warned banks to be wary of "cyber criminals targeting the vulnerabilities in third-party services” as a way in to financial institution data. Wray issued this warning at a conference on financial crimes enforcement.

Mobile Spoofing Enables Massive Bank Theft

December 1

Researchers from IBM Trusteer discovered that criminals had been using mobile device emulators to steal millions from European and American banks.

Learn More

Target

Location: N/A
Date Breach First Reported:12/16/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Researchers from IBM Trusteer discovered that criminals had been using mobile device emulators to steal millions from European and American banks. The hackers used around 20 emulators to spoof more than 16,000 phones belong to customers with compromised accounts. By entering usernames and passwords through these emulators, hackers were able to initiate fraudulent money orders and siphon money from mobile accounts.

Shirbit Ransomware Attack

December 1

Shirbit, an Israeli-based insurance company, was hit by a ransomware attack that appears to be the work of the hacker group BlackShadow.

Learn More

Target

Location: Israel
Date Breach First Reported:12/4/20

Incident

Method: Ransomware
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

Shirbit, an Israeli-based insurance company, was hit by a ransomware attack that appears to be the work of the hacker group BlackShadow. The group demanded 50 bitcoin at first, gradually increasing its demands to 200 bitcoin. Although BlackShadow released several rounds of sensitive data, Shirbit refused to pay the ransom.

South African Bank Breach

December 1

On December 3, Absa, a South African bank, confirmed that an employee working as a credit analyst sold the personal information of some 200,000 customers to third parties.

Learn More

Target

Location: South Africa
Date Breach First Reported:12/3/20

Incident

Method: Insider Threat
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On December 3, Absa, a South African bank, confirmed that an employee working as a credit analyst sold the personal information of some 200,000 customers to third parties.

Scam-as-a-Service Operator Classiscam Steals Over $6.5M From Users

December 1

In 2020, a Russian-based cybercrime operation, known as "Classiscam," helped classified ad scammers steal more than $6.5M from users in Europe and the United States.

Learn More

Target

Location: N/A
Date Breach First Reported:1/14/21

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In 2020, a Russian-based cybercrime operation, known as "Classiscam," helped classified ad scammers steal more than $6.5M from users in Europe and the United States. Scammers expanded operations by employing native speakers to lure potential buyers into conversations on WhatsApp and other messaging platforms.

ElectroRAT Campaign Targets Cryptocurrency Users

December 1

A new remote access tool (RAT) has become prevalent in a new campaign against cryptocurrency users.

Learn More

Target

Location: N/A
Date Breach First Reported:12/1/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

A new remote access tool (RAT) has become prevalent in a new campaign against cryptocurrency users. Dubbed "ElectroRAT," the new tool is written in the Go programming language and appears to target a variety of operating systems, including Windows, MacOS, and Linux. Security researchers believe that the RAT has been in use for at least a year.//frst-timeline-block

Denmark’s central bank exposed in SolarWinds hack

December 1

On June 29, 2021, Denmark’s central bank disclosed that it was compromised in the 2020 global SolarWinds hacking operation.

Learn More

Target

Location: Denmark
Date Breach First Reported:6/29/2021

Incident

Method: Multiple
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

On June 29, 2021, Denmark’s central bank disclosed that it was compromised in the 2020 global SolarWinds hacking operation. While a backdoor to its network was open for seven months, the bank said there's been no evidence of compromise beyond the first stage of attack.

SolarWinds Puts U.S. Banks on High Alert

December 1

Earlier in 2020, hackers broke into SolarWinds' "Orion" system, an IT-management instrument used by multiple U.S. government agencies and many major companies.

Learn More

Target

Location: United States
Date Breach First Reported:12/13/20

Incident

Method: Malware
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

Earlier in 2020, hackers broke into SolarWinds' "Orion" system, an IT-management instrument used by multiple U.S. government agencies and many major companies. The hack appears to be the work of state-sponsored actors operating out of Russia. Although no initial reports indicated that major U.S. banks were targets, FS-ISAC has been partnering with Wall Street to offer strategic risk mitigation strategies.

South Korean Supply Chain Attack

November 16

On November 16, security researchers discovered that a widespread security application used by South Korean banks and government agencies had been compromised through a novel supply-chain attack.

Learn More

Target

Location: South Korea
Date Breach First Reported:11/16/20

Incident

Method: Malware
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On November 16, security researchers discovered that a widespread security application used by South Korean banks and government agencies had been compromised through a novel supply-chain attack. The attack compromised the digital security certificates of two firms, corrupting browser software and enabling the spread of trojan malware. The Lazarus Group is thought to be behind the attacks.

Australian Stock Exchange Software Glitch

November 16

On Monday, November 16, Australia's stock exchange halted trading 20 minutes after opening due to a software issue that caused inaccurate market data.

Learn More

Target

Location: Australia
Date Breach First Reported:11/16/21

Incident

Method: N/A
Type: Disruption

Actor

Type: N/A
Attribution: N/A

Description

On Monday, November 16, Australia's stock exchange halted trading 20 minutes after opening due to a software issue that caused inaccurate market data. The problem was remedied overnight and the exchange reopened on Tuesday.

GoDaddy Scam on Cryptocurrency Trading Platforms

November 15

Over the course of the week of November 15, fraudsters scammed employees at GoDaddy, the world's largest domain name registrar, into transferring ownership and/or control of targeted domains to unauthorized users.

Learn More

Target

Location: N/A
Date Breach First Reported:11/20/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Over the course of the week of November 15, fraudsters scammed employees at GoDaddy, the world's largest domain name registrar, into transferring ownership and/or control of targeted domains to unauthorized users. Then, these scammers were able to redirect email and web traffic destined for several crytocurrency trading platforms.

Ghimob Banking Malware Spreads

November 9

Ghimob, a banking malware originating from Brazil, has recently begun spreading globally.

Learn More

Target

Location: Brazil
Date Breach First Reported:11/9/20

Incident

Method: Malware
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

Ghimob, a banking malware originating from Brazil, has recently begun spreading globally. The malware is a fully featured trojan that allows hackers to access the infected device remotely and complete the fraudulent transaction with the victim's smartphone, thereby avoiding anti-fraud behavioral systems run by financail institutions.

German Users Targeted by Gootkit Resurgence

November 1

On November 23, security researchers became aware of a resurgence in Gootkit infections in Germany.

Learn More

Target

Location: Germany
Date Breach First Reported:11/23/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Non-state actor
Attribution: Speculated

Description

On November 23, security researchers became aware of a resurgence in Gootkit infections in Germany. Gootkit is a capable banking trojan designed to steal financially-related information. In this latest campaign, attackers used compromised websites to trick users into downloading malicious files.

Indonesian Fintech Data Breach

October 31

On October 31, Indonesian fintech company Cermati reported 2.9 million users' information was leaked and sold in a hacker forum.

Learn More

Target

Location: Indonesia
Date Breach First Reported:10/31/20

Incident

Method: Unknown
Type: Data Breach

Actor

Type: Unknown
Attribution: Unknown

Description

On October 31, Indonesian fintech company Cermati reported 2.9 million users' information was leaked and sold in a hacker forum. User information included full names, email addresses, physical addresses, phone numbers, bank accounts, and tax and national ID numbers.

European Central Bank Technical Glitch

October 23

On October 23, a software defect led to a disruption to the European Central Bank’s main payment system for almost 11 hours.

Learn More

Target

Location: Germany
Date Breach First Reported:10/28/20

Incident

Method: N/A
Type: Disruption

Actor

Type: N/A
Attribution: N/A

Description

On October 23, a software defect led to a disruption to the European Central Bank’s main payment system for almost 11 hours. The disruption affected ECB's Target2 critical function.

Vizom Banking Malware

October 19

On October 19, 2020, researchers from IBM uncovered a new form of malware using remote overlay attacks to strike Brazilian bank account holders, which has been dubbed Vizom.

Learn More

Target

Location: Brazil
Date Breach First Reported:10/19/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On October 19, 2020, researchers from IBM uncovered a new form of malware using remote overlay attacks to strike Brazilian bank account holders, which has been dubbed Vizom. It is being utilized in an active campaign across Brazil designed to compromise bank accounts via online financial services. Vizom spreads through spam-based phishing campaigns and disguises itself as popular videoconferencing software, tools that have become crucial to business and social life due to the coronavirus pandemic.

FIN11 Ransomware Campaign

October 14

On October 14, FireEye reported that FIN11, a financial cybercrime group active since 2016, has recently switched to ransomware as its primary mode of attack.

Learn More

Target

Location: N/A
Date Breach First Reported:10/14/20

Incident

Method: Ransomware
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On October 14, FireEye reported that FIN11, a financial cybercrime group active since 2016, has recently switched to ransomware as its primary mode of attack. FIN11 has been conducting attacks around the world since 2016. FIN11 campaigns initially focused on entering networks to steal data, with researchers noting that the hacking group commonly deployed BlueSteal, a tool used to steal banking information from Point-of-Sale (POS) terminals.

BetterSure Attempted Phishing Attack

October 11

On October 11, nearly 4000 clients of BetterSure, a South African home insurance company, experienced a phishing attack but no data was comprised.

Learn More

Target

Location: South Africa
Date Breach First Reported:10/12/20

Incident

Method: Phishing
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On October 11, nearly 4000 clients of BetterSure, a South African home insurance company, experienced a phishing attack but no data was comprised. Using a phishing e-mail, the attackers gained access to an internal e-mail account of a BetterSure administration employee. However, the bank says its firewall and e-mail security system immediately picked up on the threat. The bank claims that no personal data was accessed.

Ugandan Mobile Money Hack

October 3

On October 3, 2020, hackers targeted Pegasus Technologies, a firm that processes mobile money transactions for two telecom firms, MTN Uganda and Airtel.

Learn More

Target

Location: Uganda
Date Breach First Reported:10/5/20

Incident

Method: SIM Card Fraud
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On October 3, 2020, hackers targeted Pegasus Technologies, a firm that processes mobile money transactions for two telecom firms, MTN Uganda and Airtel. The service was temporarily suspended, causing a halt to much of the mobile money transfer ecosystem in the country. At least $3.2 million is estimated to have been stolen in the hack.

Japanese Exchanges Technical Glitch

October 1

On October 1, 2020, a technical glitch halted trading on Japan’s stock exchanges, including the Nikkei 225.

Learn More

Target

Location: Japan
Date Breach First Reported:10/1/20

Incident

Method: N/A
Type: Disruption

Actor

Type: N/A
Attribution: N/A

Description

On October 1, 2020, a technical glitch halted trading on Japan’s stock exchanges, including the Nikkei 225. The disruption happened when a backup system failed to kick in after a hardware malfunction, according to the Japan Exchange Group. The halt wasn't connected to a cyber attack. Trading was suspended at the main Tokyo stock exchange along with connected bourses in Nagoya, Fukuoka and Sapporo.

Hungarian Banks DDoS Attack

September 23

On September 23, 2020, several Hungarian banking and telecommunication services were disrupted by a powerful DDoS attack launched from computer servers in Russia, China, and Vietnam, telecoms firm Magyar Telekom reported.

Learn More

Target

Location: Hungary
Date Breach First Reported:9/26/20

Incident

Method: DDoS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On September 23, 2020, several Hungarian banking and telecommunication services were disrupted by a powerful DDoS attack launched from computer servers in Russia, China, and Vietnam, telecoms firm Magyar Telekom reported. The volume of data traffic in the attack was 10 times higher than the amount usually seen in DDoS events, the company said.

Russian Banks Ransomware Campaign

September 23

On September 23, 2020, Group-IB reported that a cybercrime gang dubbed 'OldGremlin' had been targeting banks and other businesses in Russia with ransomware since early March, 2020.

Learn More

Target

Location: Russia
Date Breach First Reported:9/23/20

Incident

Method: Ransomware
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

On September 23, 2020, Group-IB reported that a cybercrime gang dubbed 'OldGremlin' had been targeting banks and other businesses in Russia with ransomware since early March, 2020. OldGremlin uses spear-phishing emails to enter networks and then encrypts data for a ransom of around $50,000. The Russian-speaking group is also notable for its apparent focus on Russian-based companies.

Chilean Banco Estado Ransomware Attack

September 6

On September 6, 2020, Banco Estado, the only public bank in Chile and one of the three largest in the country, had to shut down its nationwide operations on Monday due to a ransomware cyberattack launched by REvil.

Learn More

Target

Location: Chile
Date Breach First Reported: 9/6/20

Incident

Method: Ransomware
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On September 6, 2020, Banco Estado, the only public bank in Chile and one of the three largest in the country, had to shut down its nationwide operations on Monday due to a ransomware cyberattack launched by REvil.

CIH Bank Theft

August 28

On August 28, 2020, Morocco’s CIH Bank experienced a breach customer accounts resulting in unauthorized transactions.

Learn More

Target

Location: Morocco
Date Breach First Reported:8/29/20

Incident

Method: Skimmer
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On August 28, 2020, Morocco’s CIH Bank experienced a breach customer accounts resulting in unauthorized transactions. According to the bank, the customers’ accounts were hacked after their owners used their credit cards to make online purchases from a scam website, indicating a card skimming scheme. CIH bank has assured customers it will reimburse them for any fraudulent transactions and advised its users to turn off international transactions between use to prevent further fraud.

North Korean 'BeagleBoyz' Global Campaign

August 26

On August 26, 2020, the U.S. government issued a joint alert to warn the public about an ongoing cyber campaign by North Korea-backed 'BeagleBoyz' group which is using remote access malware tools to steal millions from financial institutions in at least 38 countries around the world.

Learn More

Target

Location: Argentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Chile, Costa Rica, Ecuador, Ghana, India, Indonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mexico, Mozambique, Nepal, Nicaragua, Nigeria, Pakistan, Panama, Peru, Philippines, Singapore, South Africa, South Korea, Spain, Taiwan, Tanzania, Togo, Turkey, Uganda, Uruguay, Vietnam, Zambia
Date Breach First Reported: 8/26/20

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On August 26, 2020, the U.S. government issued a joint alert to warn the public about an ongoing cyber campaign by North Korea-backed 'BeagleBoyz' group which is using remote access malware tools to steal millions from financial institutions in at least 38 countries around the world.

The U.S. government considers BeagleBoyz to be a subset of HIDDEN COBRA activity. According to U.S. CISA, 'BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima and are responsible for the FASTCash ATM cash outs reported in October 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and lucrative cryptocurrency thefts'.

DeathStalker Campaign

August 26

On August 26, 2020, Kaspersky revealed a new hack-for-hire group, DeathStalker, had been targeting institutions worldwide since 2012, with a focus law firms and financial entities.

Learn More

Target

Location: Argentina, China, Cyprus, India, Israel, Lebanon, Switzerland, Russia, Taiwan, Turkey, the United Kingdom, the United Arab Emirates
Date Breach First Reported:8/26/20

Incident

Method: Multiple
Type: Multiple

Actor

Type: Unknown
Attribution: Unknown

Description

On August 26, 2020, Kaspersky revealed a new hack-for-hire group, DeathStalker, had been targeting institutions worldwide since 2012, with a focus law firms and financial entities. Kaspersky researchers report that DeathStalker is not motivated by financial gain. Victim organizations are small and medium-sized businesses located in Argentina, China, Cyprus, India, Israel, Lebanon, Switzerland, Russia, Taiwan, Turkey, the United Kingdom and the United Arab Emirates.

New Zealand Stock Exchange DDoS Attack

August 26

On August 26, the New Zealand Stock Exchange's network provider experienced an extended DDoS attack that lasted several days and caused the Exchange to shut down operations.

Learn More

Target

Location: New Zealand
Date Breach First Reported:8/26/20

Incident

Method: DDoS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On August 26, the New Zealand Stock Exchange's network provider experienced an extended DDoS attack that lasted several days and caused the Exchange to shut down operations. The NZX website and markets announcement platform were also impacted. The Australian government and other member states of the Five Eyes alliance reportedly helped with response and recovery efforts.

South Africa Experian Data Breach

August 19

On August 19, 2020, Experian South Africa, a major credit bureau, experienced a data breach that exposed personal information of up to 24 million South Africans according to the South Africa Banking Risk Information Centre; however, Experian South Africa disputed the reported numbers.

Learn More

Target

Location: South Africa
Date Breach First Reported: 8/19/20

Incident

Method: Unknown
Type: Data Breach

Actor

Type: Unknown
Attribution: Unknown

Description

On August 19, 2020, Experian South Africa, a major credit bureau, experienced a data breach that exposed personal information of up to 24 million South Africans according to the South Africa Banking Risk Information Centre; however, Experian South Africa disputed the reported numbers. 793,749 business entities are thought to be affected.

Payments Processor Juspay Data Leak

August 18

On August 18, 2020, payments processor Juspay's was hacked through a compromised server, resulting in the leak of over 100 million debit and credit card users.

Learn More

Target

Location: N/A
Date Breach First Reported: 1/4/21

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On August 18, 2020, payments processor Juspay's was hacked through a compromised server, resulting in the leak of over 100 million debit and credit card users. Juspay processes payments from many major companies, including Amazon, Swiggy, and MakeMyTrip. On January 4, 2021, Juspay confirmed the hack.

Finance Sector RDoS Campaign

August 17

On August 17, Akamai, a global content delivery network, reported an ongoing campaign of RDoS (Ransom DDoS) attacks targeting the financial sector and other businesses.

Learn More

Target

Location: N/A
Date Breach First Reported:8/17/20

Incident

Method: DDoS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On August 17, Akamai, a global content delivery network, reported an ongoing campaign of RDoS (Ransom DDoS) attacks targeting the financial sector and other businesses. The extortion demands are similar to those used by DDoS ransom groups in the past. The actors claimed to be Fancy Bear and targeted businesses in multiple countries including the UK, the United States, and the APAC region.

Canadian COVID-19 Relief Fund Theft

August 15

On August 15, 2020, the Government of Canada reported that it’s GCKey, a critical single sign-on (SSO) system, had been subject to credential stuffing attacks aimed at stealing COVID-19 relief funds.

Learn More

Target

Location: Canada
Date Breach First Reported:8/15/20

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On August 15, 2020, the Government of Canada reported that it’s GCKey, a critical single sign-on (SSO) system, had been subject to credential stuffing attacks aimed at stealing COVID-19 relief funds. Attackers were able to get away with 11,200 GCKey accounts. GCKey provides access to crucial services for immigration, taxes, pension, and benefits across Canadian government institutions.

Pepperstone Data Breach

August 6

On August 6, Pepperstone, a Melbourne-based global derivatives broker, was subject to a data breach, compromising the personal data of an unknown number of customers.

Learn More

Target

Location: Australia
Date Breach First Reported:8/6/20

Incident

Method: Unknown
Type: Data Breach

Actor

Type: Unknown
Attribution: Unknown

Description

On August 6, Pepperstone, a Melbourne-based global derivatives broker, was subject to a data breach, compromising the personal data of an unknown number of customers. Pepperstone’s subsequent investigation showed that no trading accounts or funds had been corrupted.

NetWalker Ransomware Attacks

August 4

On August 4, 2020, McAfee reported that ransomware-as-a-service (RaaS) provider NetWalker had made $25 million over the previous five months through ransomware attacks.

Learn More

Target

Location: N/A
Date Breach First Reported:8/4/20

Incident

Method: Ransomware
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

On August 4, 2020, McAfee reported that ransomware-as-a-service (RaaS) provider NetWalker had made $25 million over the previous five months through ransomware attacks.

Taiwanese financial institutions data exfiltration

August 1

From August 2020, Taiwanese financial institutions have been targeted by a state-sponsored, Chinese advanced peristent threat group, Antlion, in an espionage campaign.

Learn More

Target

Location: Taiwan
Date Breach First Reported:2/3/2022

Incident

Method: Other
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

From August 2020, Taiwanese financial institutions have been targeted by a state-sponsored, Chinese advanced peristent threat group, Antlion, in an espionage campaign. Using the customised backdoor xPack, Antlion gained access to target’s machines, from which they were able to exfiltrate vast amounts of data.

Dave Third Party Banking App Breach

July 25

On July 25, 2020, hackers published data and personal information of 7.5 million users of ‘Dave’ banking app.

Learn More

Target

Location: United States
Date Breach First Reported:7/25/20

Incident

Method: Other
Type: Data breach

Actor

Type: Non-state actor
Attribution: Unknown

Description

On July 25, 2020, hackers published data and personal information of 7.5 million users of ‘Dave’ banking app. The attackers accessed and exfiltrated data between June 10 and July 3, 2020 by entering through Waydev, a third party analytics platform used by the Dave engineering team. The company has since patched the security gap, but the data has been leaked onto the hacker forum RAID and was available for free download by forum members. The breach included full names, emails, birth dates, and home addresses, encrypted social security numbers, and hashed passwords.

Rwandan Bank Heist

July 24

On July 30, 2020, Rwanda Investigation Bureau (RIW) revealed that they had arrested a hacker suspected of stealing Rwf 22.5 million from Nesen Industry Company's bank.

Learn More

Target

Location: Rwanda
Date Breach First Reported:7/30/20

Incident

Method: Unknown
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On July 30, 2020, Rwanda Investigation Bureau (RIW) revealed that they had arrested a hacker suspected of stealing Rwf 22.5 million from Nesen Industry Company's bank. The theft had been executed through a local bank's automated payment system to transfer cash to different bank accounts. The bank had initially reported the incident on July 24, 2020.

Attempted SASSA Breach

July 24

On July 26, three suspects were arrested by South African authorities for attempting to hack into the South African Social Security Agency (SASSA).

Learn More

Target

Location: South Africa
Date Breach First Reported:7/26/20

Incident

Method: Unknown
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On July 26, three suspects were arrested by South African authorities for attempting to hack into the South African Social Security Agency (SASSA). In a court hearing held two a few months after the incident, two of the hackers known to be first time offenders were granted bail.

Scotiabank Data Breach

July 21

On July 21, Scotiabank warned “a limited number” of customers of a data breach after Scotiabank bank an employee accessed client accounts without a valid business reason.

Learn More

Target

Location: Canada
Date Breach First Reported:7/21/20

Incident

Method: Other
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On July 21, Scotiabank warned “a limited number” of customers of a data breach after Scotiabank bank an employee accessed client accounts without a valid business reason.

Emotet Spreading QakBot Banking Malware

July 21

On July 21, observed Emotet, a known botnet, spreading the QakBot banking trojan at an unusually high rate.

Learn More

Target

Location: N/A
Date Breach First Reported:7/21/20

Incident

Method: Malware
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

On July 21, observed Emotet, a known botnet, spreading the QakBot banking trojan at an unusually high rate. QakBot recently replaced the longtime TrickBot payload.

Kattana Crypto App Malware

July 16

On July 16, researchers discovered GMERA malware embedded within Kattana, a cryptocurrency app, being used to steal wallet information.

Learn More

Target

Location: N/A
Date Breach First Reported:7/16/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 16, researchers discovered GMERA malware embedded within Kattana, a cryptocurrency app, being used to steal wallet information.

Famous Twitter Accounts Hijacked for Bitcoin

July 15

On July 15, several notable Twitter accounts including Joe Biden and Elon Musk were hacked to post a Bitcoin address purporting to double any contributions to the address.

Learn More

Target

Location: United States
Date Breach First Reported: 7/15/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 15, several notable Twitter accounts including Joe Biden and Elon Musk were hacked to post a Bitcoin address purporting to double any contributions to the address. The spear phishing operation targeted Twitter employees and was able to gain access to admin-level tools; in all, the hackers made more than $113,500.

On July 31, a 17-year-old suspect related to the recent Twitter Bitcoin scam was arrested in Florida.

Argenta ATM Attack

July 13

On July 13, Argenta, a Belgian savings bank shut down 143 cash machines after suffering a cyber-attack from unknown criminals.

Learn More

Target

Location: Belgium
Date Breach First Reported:7/13/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 13, Argenta, a Belgian savings bank shut down 143 cash machines after suffering a cyber-attack from unknown criminals. The attack was self-reported by Argenta, who refused to say how much money was affected. The criminals tried to leverage the technique known as 'jackpotting' to take control of the cash machines.

Spanish Crypto App Malware

July 12

In July 2020, Avast found Cerberus malware hidden in a cryptocurrency converter app used to infect victims of Android devices.

Learn More

Target

Location: N/A
Date Breach First Reported: 7/12/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In July 2020, Avast found Cerberus malware hidden in a cryptocurrency converter app used to infect victims of Android devices.

Primarily used by Spanish speaking users, the dropper embedded in the app later became active to download another malicious APK. Shortly after the malicious C&C communication was seized and the malware became dormant/harmless once again. The app had amassed thousands of downloads before being taken down.

SEC Warning of Ransomware Attacks on US Banks

July 10

On July 10, the SEC issued a warning about a rise in ransomware attacks on U.S. financial firms.

Learn More

Target

Location: United States
Date Breach First Reported:7/10/20

Incident

Method: Ransomware
Type: Theft

Actor

Type: N/A
Attribution: N/A

Description

On July 10, the SEC issued a warning about a rise in ransomware attacks on U.S. financial firms. These attacks focus on gaining access to the company and then enacting ransomware and have targeted firms all across the financial services sector.

Crypto-mining Botnet MrbMiner linked to Iranian Software Developer

July 1

Cybersecurity firm Sophos has found evidence tying the operations of MrbMiner, a crypto-mining botnet, to a boutique software development firm in Shiraz, Iran.

Learn More

Target

Location: Iran
Date Breach First Reported:1/21/21

Incident

Method: Malware
Type: Theft

Actor

Type: Non-state actor
Attribution: Speculated

Description

Cybersecurity firm Sophos has found evidence tying the operations of MrbMiner, a crypto-mining botnet, to a boutique software development firm in Shiraz, Iran. MrbMiner has been operational since the summer of 2020, launching brute-force attacks against Microsoft SQL Servers databases to gain access to poorly secured accounts. Once inside, the botnet would create a backdoor and download a cryptocurrency miner.

Ledger Wallet E-Commerce Data Leak

June 25

On June 25, 2020, cryptocurrency hardware wallet manufacturer Ledger's e-commerce database was breached.

Learn More

Target

Location: N/A
Date Breach First Reported:12/20

Incident

Method: Other
Type: Data Breach

Actor

Type: Unknown
Attribution: Unknown

Description

On June 25, 2020, cryptocurrency hardware wallet manufacturer Ledger's e-commerce database was breached. The company initially discovered the breach in July after it was tipped off by a researcher, and began an internal investigation. Months later, stolen data — including email addresses, phone numbers, and addresses of customers — were put up on the sharing martketplace Raidforums for free.

GoldenSpy Malware in Chinese Tax Software

June 25

On June 25, 2020, researchers identified a new backdoor trojan, dubbed 'GoldenSpy,' in Chinese tax software.

Learn More

Target

Location: China
Date Breach First Reported: 6/25/20

Incident

Method: Multiple
Type: Multiple

Actor

Type: Speculated
Attribution: Speculated

Description

On June 25, 2020, researchers identified a new backdoor trojan, dubbed 'GoldenSpy,' in Chinese tax software. Shortly after the discovery, the actors behind it delivered a silent uninstaller to remove all traces of the said malware. While the attribution remains unknown, researchers speculated that it has the characteristics similar to a coordinated APT campaign that focuses on foreign companies operating in China.

Researchers further uncovered an earlier campaign tied to GoldenSpy malware that came installed with Chinese tax software. New evidence suggests that GoldenSpy was preceded by another piece of malware that employed similar capabilities to infect taxpayers within China. This earlier version of GoldenSpy is called GoldenHelper."

IcedID Banking Trojan Using COVID-19 lures

June 22

On June 22, 2020, researchers identified a new variant of the IcedID banking trojan that uses COVID-19 related phishing lures.

Learn More

Target

Location: N/A
Date Breach First Reported:6/22/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On June 22, 2020, researchers identified a new variant of the IcedID banking trojan that uses COVID-19 related phishing lures. This new variant is using steganography to infect the victims and comes equipped with fresh anti-detection capabilities.

European Bank Targeted by Large DDoS Attack

June 21

On June 21, 2020, a large unidentified European bank was the target of a massive DDoS attack that sent 809 million packets per second through its network.

Learn More

Target

Location: N/A
Date Breach First Reported:6/23/20

Incident

Method: DDoS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On June 21, 2020, a large unidentified European bank was the target of a massive DDoS attack that sent 809 million packets per second through its network. Akami, a global content delivery network and IT services provider, called the attack the “largest ever recorded” on their platforms, but reported it was able to mitigate the attack against the undisclosed customer.

Coincheck Data Breach

June 4

On June 4, 2020 Coincheck, a Japanese digital currency exchange, paused remittances after unknown attackers gained access to Coincheck's domain registry service and fraudulently obtained user email addresses as well as personal data.

Learn More

Target

Location: Japan
Date Breach First Reported:6/4/20

Incident

Method: Other
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On June 4, 2020 Coincheck, a Japanese digital currency exchange, paused remittances after unknown attackers gained access to Coincheck's domain registry service and fraudulently obtained user email addresses as well as personal data.

Banco BCR Data Breach

May 21

On May 21, 2020, the operators of the Maze Ransomware released 2GB of data, including credit card credentials, from Banco BCR, the state-owned Bank of Costa Rica.

Learn More

Target

Location: Costa Rica
Date Breach First Reported: 5/23/20

Incident

Method: Ransomware
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

On May 21, 2020, the operators of the Maze Ransomware released 2GB of data, including credit card credentials, from Banco BCR, the state-owned Bank of Costa Rica. Notably, the attackers claimed they decided not to encrypt Banco BCR data with ransomware because “the possible damage was too high.”

Three weeks previously on May 1, 2020, the operators announced that they had breached Banco BCR, first in August 2019, and then in February 2020 at which point they stole 11 million credit card credentials and other data.

Nigerian Hacking Group Targets US Unemployment Systems

May 14

On May 14, the U.S. Secret Service Bulletin alerted citizens to multiple fraudulent claims targeting state unemployment benefit programs.

Learn More

Target

Location: United States
Date Breach First Reported:5/14/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Non-state actor
Attribution: Speculated

Description

On May 14, the U.S. Secret Service Bulletin alerted citizens to multiple fraudulent claims targeting state unemployment benefit programs. A group of Nigerian cybercriminals known as "Scattered Canary" appear to be behind the attacks, which targeted unemployment systems in Washington State as well as Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, and Wyoming. The group was able to steal millions from Washington State through fraudulent claims, although at least $300 million was recovered.

Indian Mobile Banking Apps Malware

May 14

On May 14, CERT-In, India’s national CERT, released a warning that a mobile banking malware called 'EventBot' that steals personal financial information was affecting Android users in India.

Learn More

Target

Location: India
Date Breach First Reported: 5/14/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On May 14, CERT-In, India’s national CERT, released a warning that a mobile banking malware called 'EventBot' that steals personal financial information was affecting Android users in India.

EventBot is a mobile-banking Trojan Trojan that targets over 200 financial applications, money-transfer services and cryptocurrency wallets across the US, Europe, and now India. It steals user data from financial applications, reads user SMS messages, and intercepts SMS messages to bypass 2FA.

Norfund Business Email Compromise

May 13

On May 13, Norfund, Norway's state investment fund, was subject to a $10 million heist that involved business email compromise.

Learn More

Target

Location: Norway
Date Breach First Reported: 5/14/20

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On May 13, Norfund, Norway's state investment fund, was subject to a $10 million heist that involved business email compromise. Scammers were able to gain access to the email system, which allowed them to actively monitor internal communications.

The attackers spent months doing reconnaissance in Norfund’s email system to design their fraudulent scheme. According to Norfund, they “manipulated and falsified information exchange between Norfund and the borrowing institution,” resulting in the attackers intercepting a $10 million loan that was meant for a microfinance institution in Cambodia.

Diebold Nixdorf Ransomware Attack

May 11

On May 11, 2020, American ATM manfacturer Diebold Nixdorf was hit by a ransomware attack that caused 'a limited IT systems outage'.

Learn More

Target

Location: United States
Date Breach First Reported: 5/11/20

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On May 11, 2020, American ATM manfacturer Diebold Nixdorf was hit by a ransomware attack that caused 'a limited IT systems outage'. ATMs were not affected.

While the company did not give any details, additional reporting suggests that the ransomware in question might have been 'ProLock', the successor of 'PwndLocker'. ProLock was found to be using QakBot and unprotected Remote Desktop Protocol (RDP) servers with weak credentials.

PerSwaysion Group Targets Executives with Spear-Phishing

April 30

Group-IB has reported that PerSwaysion, a cybercrime group operating since mid-2019, has breached the email accounts of high-ranking executives at more than 150 firms.

Learn More

Target

Location: N/A
Date Breach First Reported:4/30/20

Incident

Method: Phishing
Type: Data breach

Actor

Type: Non-state actor
Attribution: Speculated

Description

Group-IB has reported that PerSwaysion, a cybercrime group operating since mid-2019, has breached the email accounts of high-ranking executives at more than 150 firms. The group appears to have primarily targeted the financial sector, although it has expanded into other verticals, and typically uses phishing campaigns to breach corporate email accounts. The group members appear to be based in Nigeria and South Africa.

North Korean Web Skimming Attacks

April 23

On April 23, it was reported that North Korean hackers had been using webskimming malware to steal payment card details from online stores since at least May 2019.

Learn More

Target

Location: Serbia, Montenegro, Croatia, Slovenia, Bosnia and Herzegovina
Date Breach First Reported:4/23/20

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On April 23, it was reported that North Korean hackers had been using webskimming malware to steal payment card details from online stores since at least May 2019. The attacks seem to be focused on the Balkans. The impact is not clear, but the attack was simple enough to execute multiple times on one target.

dForce Cryptocurrency Attack and Return

April 21

On April 21, 2020 an attacker stole $25 million in Ethereum, a popular cryptocurrency, from the dForce platform, a cryptocurrency firm, only to return the funds two days later.

Learn More

Target

Location: China
Date Breach First Reported:4/21/20

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On April 21, 2020 an attacker stole $25 million in Ethereum, a popular cryptocurrency, from the dForce platform, a cryptocurrency firm, only to return the funds two days later. The attacker did not return all funds in the same distribution of currencies that were taken but instead returned some in different tokens. It is not known why the attacker is returning the stolen funds.

Spanish Banks Attacked with Brazilian Trojan

April 13

On April 13, 2020, IBM researchers reported that Spanish banks had been the target of by a Brazilian banking Trojan, Grandoreiro, in a campaign lasting months.

Learn More

Target

Location: Spain
Date Breach First Reported: 4/13/20

Incident

Method: Malware
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

On April 13, 2020, IBM researchers reported that Spanish banks had been the target of by a Brazilian banking Trojan, Grandoreiro, in a campaign lasting months. The campaign exploits the Coronavirus outbreak by using videos themed on the pandemic that convince users to run a hidden executable.

Grandoreiro is a remote-overlay banking trojan that, upon a user accessing their online banking, can display images to impersonate said bank. This allows attacks to then then move money from the victims accounts. The malware executes upon access to a hardcoded list of entities, mostly local banks.

South Korean and US Payment Card Leak

April 9

On April 9, 2020, a cache of 400,000 payment card records from banks in South Korea and the U.S. were uploaded to a well-known underground marketplace.

Learn More

Target

Location: South Korea, United States
Date Breach First Reported: 4/24/20

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On April 9, 2020, a cache of 400,000 payment card records from banks in South Korea and the U.S. were uploaded to a well-known underground marketplace.

According to Group-IB, a security firm, the data dump was identified as the biggest sale of South Korea related bank records in 2020. The database contained mostly Track 2 information, meaning the data stored on the magnetic stripe of a card such as the bank identification number (BIN), the account number, expiration date and CVV.

Turkey Dog Continues To Claim Victims

April 1

Operating since April 2020, Turkey Dog activity has been luring unaware Turkish speakers into downloading malicious Android trojans through fake click-baits.

Learn More

Target

Location: Turkey
Date Breach First Reported:2/24/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Operating since April 2020, Turkey Dog activity has been luring unaware Turkish speakers into downloading malicious Android trojans through fake click-baits. The banking trojans, Cerberus and Anubis, have been used to steal user credentials to gain access to bank accounts.

US, Canadian, Australian Banks Hit By Banking Trojan

March 30

On March 30, researchers reported that U.S., Canadian, and Australian banks were being increasingly targeted by Zeus Sphinx, a banking trojan that had been dormant for three years.

Learn More

Target

Location: United States, Canada, Australia
Date Breach First Reported: 5/11/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On March 30, researchers reported that U.S., Canadian, and Australian banks were being increasingly targeted by Zeus Sphinx, a banking trojan that had been dormant for three years. The attackers target those waiting on government relief payments from Covid-19.

The campaign used COVID-19 as a lure, such as sending booby-trapped document files named “COVID 19 relief.” Zeus Sphinx gained notoriety in 2015 for being used to target major financial institutions in the UK, and eventually in Brazil, Australia and North America. This version of the malware underwent core changes in its persistence mechanism, injections tactics, and bot configuration.

Monte de Paschi Bank Attack

March 30

On March 30, 2020, attackers breached email accounts of employees at Monte dei Paschi bank, an Italian state-owned bank, and sent messages to clients with voice mail attachments.

Learn More

Target

Location: Italy
Date Breach First Reported:4/11/20

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On March 30, 2020, attackers breached email accounts of employees at Monte dei Paschi bank, an Italian state-owned bank, and sent messages to clients with voice mail attachments. The bank notified customers on March 30 but did not disclose if there had been a data breach, the nature of the sent emails or if customers had been impacted.

Chubb Ransomware Attack

March 26

On March 26, 2020, Insurer Chubb was targeted by Maze ransomware and the attackers claimed to have data stolen.

Learn More

Target

Location: United States
Date Breach First Reported:3/26/20

Incident

Method: Ransomware
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On March 26, 2020, Insurer Chubb was targeted by Maze ransomware and the attackers claimed to have data stolen. Chubb claimed its networks were unaffected but admitted investigating an incident relating to the access of third-party data. Chubb itself offers insurance to compensate those who suffer costs from data breaches.

Square Milner data breach

March 25

On March 25, 2020, Square Milner, one of the largest accountancy firms in the US, experienced a possible data breach.

Learn More

Target

Location: United States
Date Breach First Reported:4/22/20

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On March 25, 2020, Square Milner, one of the largest accountancy firms in the US, experienced a possible data breach. According to Squar Milner, the data breach may have included names, addresses, Social Security numbers or Tax ID numbers. It appears client data was accessed via credential stuffing but an actual data breach of their systems is yet to be ruled out.

Finastra Ransomware Attack

March 20

On March 20, 2020, Finastra, a large London-based financial technology company, stated they were the victim of a ransomware attack.

Learn More

Target

Location: United Kingdom
Date Breach First Reported: 3/20/20

Incident

Method: Ransomware
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On March 20, 2020, Finastra, a large London-based financial technology company, stated they were the victim of a ransomware attack. The attack resulted in disruption of Finastra services as they shut down certain servers in response to the attack which had most impact on their North America operations.

Finastra employs more than 10,000 people and provides services to nearly all of the top 50 banks globally. The company claimed there was no evidence of customer or employee data exfiltration.

Southeast Asian Banks Credit Card Breach

March 6

On March 6, 2020, it was reported that over 200,000 credit card details from top banks in Singapore, Malaysia, the Phillippines, Vietnam, Indonesia, and Thailand were stolen and published online.

Learn More

Target

Location: Malaysia; Singapore; Philippines; Vietnam; Indonesia; Thailand
Date Breach First Reported:3/6/2020

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On March 6, 2020, it was reported that over 200,000 credit card details from top banks in Singapore, Malaysia, the Phillippines, Vietnam, Indonesia, and Thailand were stolen and published online. Security researchers determined that the Philippines had 172,828 cards breached, Malaysia and Singapore had 37,145 and 25,290 cards breached respectively. One of the banks, CIMB Group Holdings, responded that they were confident there was no breach and the details would have been obtained elsewhere.

Italian Banks Data Theft

March 3

On March 3, 2021, researchers at Avast reported that at least 100 Italian banks were compromised in attacks using the Ursnif banking Trojan.

Learn More

Target

Location: Italy
Date Breach First Reported:3/3/2020

Incident

Method: Multiple
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On March 3, 2021, researchers at Avast reported that at least 100 Italian banks were compromised in attacks using the Ursnif banking Trojan. Over 1,700 credentials were also stolen from a single payment processor. In June 2021, researchers discovered the trojan had incorporated the Cerberus malware into its tool set to increase its attack surface.

Australian Banks DDoS Extortion

February 25

On February 25, 2020, it was reported that Australian banks and other financial institutions were being extorted by the Silence group with DDoS attacks unless they paid a ransom.

Learn More

Target

Location: Australia
Date Breach First Reported:2/25/2020

Incident

Method: DDoS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On February 25, 2020, it was reported that Australian banks and other financial institutions were being extorted by the Silence group with DDoS attacks unless they paid a ransom. DDoS attacks have taken place but not against all targets, as they do not have the resources to attack all those threatened. The Silence group has also been linked to stealing from banks across Eastern Europe, South and Central Asia, and more recently, Sub-Saharan Africa. The group demanded payment in the cryptocurrency Monero to prevent the attack.

PayPal Accounts Linked to Google Play Abused

February 21

On February 21, 2020, hackers targeted PayPal accounts to carry out unauthorized purchases, estimated to be worth tens of thousands of euros, by exploiting PayPal’s Google Pay integration.

Learn More

Target

Location: United States, Germany
Date Breach First Reported:2/25/2020

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On February 21, 2020, hackers targeted PayPal accounts to carry out unauthorized purchases, estimated to be worth tens of thousands of euros, by exploiting PayPal’s Google Pay integration. The purchases were made at a variety of Target stores in the United States. Most of the victims appear to be German PayPal users.

Loqbox Data Breach

February 20

On February 20, Loqbox, a UK-based credit score builder startup, was the victim of a data breach in which customer details were compromised.

Learn More

Target

Location: United Kingdom
Date Breach First Reported:3/2/2020

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On February 20, Loqbox, a UK-based credit score builder startup, was the victim of a data breach in which customer details were compromised. This included names, dates of birth, addresses, and phone numbers. Partial card and account details were exposed although not enough to make payments or access accounts. Loqbox claims all funds are secure and have not been accessed by attackers.

Indonesian Bank Rakyat hit by cyberattack

February 1

In February 2020, Bank Rakyat Indonesia was reported to have been targeted by the North Korean hacking group, Lazarus.

Learn More

Target

Location: Indonesia
Date Breach First Reported:10/26/21

Incident

Method: Malware
Type: Multiple

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In February 2020, Bank Rakyat Indonesia was reported to have been targeted by the North Korean hacking group, Lazarus. The attackers are believed to have gained access to the bank's computer networks using malware previously used in the Bangladesh bank heist, BEEFEATER. It remains unclear whether or not the attackers stole any funds.

Nedbank Third-Party Breach

February 1

On February 13, 2020, Nedbank, a major bank in southern Africa, notified its customers of a breach of a third-party service provider hired by the bank for its marketing and promotional activites.

Learn More

Target

Location: South Africa, Angola, Kenya, Lesotho, Malawi, Mozambique, Namibia, Swaziland, Zimbabwe
Date Breach First Reported:2/13/20

Incident

Method: Other
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On February 13, 2020, Nedbank, a major bank in southern Africa, notified its customers of a breach of a third-party service provider hired by the bank for its marketing and promotional activites. The personal information of 1.7 million customers of the bank was leaked through the breach.

“Deep voice” enabled bank theft

January 15

On January 15, 2020, hackers transferred $35 million from a Hong Kong-based bank, using "deep voice" technology to clone a bank director’s speech.

Learn More

Target

Location: United Arab Emirates
Date Breach First Reported:10/13/2021

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On January 15, 2020, hackers transferred $35 million from a Hong Kong-based bank, using "deep voice" technology to clone a bank director’s speech. The U.A.E. has sought American investigators’ help in tracing $400,000 of stolen funds that went into U.S.-based accounts held by Centennial Bank.

Sub-Saharan African Banks Targeted

January 2

In the first week of January 2020, it was reported that major banks in sub-Saharan Africa were targeted by the Silence hacking group.

Learn More

Target

Location: Africa
Date Breach First Reported:1/17/2020

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In the first week of January 2020, it was reported that major banks in sub-Saharan Africa were targeted by the Silence hacking group. According to Kaspersky, who attributed the attacks to the Silence group based on malware used, the general outline of such an attack involved phishing emails being sent with the malware, data gathering, and then withdrawing large amounts of cash in one go via ATMs. As of mid-January 2020, the attacks are ongoing and persist in targeting large banks.

Web Shell Use Increases in Web Skimming Attacks

January 1

On April 7, 2021, VISA warned that threat actors are increasingly deploying web shells on compromised servers to exfiltrate credit card information stolen from online store customers.

Learn More

Target

Location: N/A
Date Breach First Reported:4/7/2021

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On April 7, 2021, VISA warned that threat actors are increasingly deploying web shells on compromised servers to exfiltrate credit card information stolen from online store customers. At least 45 eSkimming attacks occured in 2020 using web shells.

2019

Travelex Hit with Sodinokibi

December 31

On December 31, 2019, Travelex, a major foreign exchange company, took all its computer systems offline after company systems were infected with Sodinokibi ransomware and the attackers demanded $6 million to remove it.

Learn More

Target

Location: United Kingdom
Date Breach First Reported:12/31/2019

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: Unknown

Description

On December 31, 2019, Travelex, a major foreign exchange company, took all its computer systems offline after company systems were infected with Sodinokibi ransomware and the attackers demanded $6 million to remove it. This also impacted the exchange services of many major banks including Lloyds, Barclays, and RBS, who all use Travelex. The attackers also claimed to have exfiltrated 5GB of personal customer data that they threatened would be released if they did not receive payment. The attackers are believed to have used a VPN exploit that remained unpatched to access the firm’s systems. As of the end of January it has taken over a month for Travelex to restore its site and even then, only partially. It is unclear whether Travelex paid the ransom in this time.

Advantage and Argus Capital Funding Data Breach

December 24

On December 24, 2019, researchers discovered a data breach from Advantage and Argus Capital Funding, a NY-based private equity firm, which included 425GB of 500,000 legal and financial documents, including tax returns and social security information.

Learn More

Target

Location: United States
Date Breach First Reported: 12/24/19

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On December 24, 2019, researchers discovered a data breach from Advantage and Argus Capital Funding, a NY-based private equity firm, which included 425GB of 500,000 legal and financial documents, including tax returns and social security information.

The breach was discovered by vpnMentor who claim data including credit reports, bank statements, tax returns and social security information could be accessed without authentication. The database was linked to MCA Wizard, an application developed by Advantage and Argus Capital Funding. The database was stored in an unencrypted S3 bucket on Amazon Web Service. The vulnerability was patched by AWS on January 9, 2020.

Wawa Inc. Card Data Breach

December 10

On December 10, 2019, Wawa Inc., a U.S.-based convenience store chain, discovered that its payment card processing systems had been breached for a 9-month long period in which customers in any of its worldwide locations could have had their card data stolen.

Learn More

Target

Location: United States
Date Breach First Reported:12/19/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On December 10, 2019, Wawa Inc., a U.S.-based convenience store chain, discovered that its payment card processing systems had been breached for a 9-month long period in which customers in any of its worldwide locations could have had their card data stolen. On January 27, 30 million card details believed to be part of the breach posted for sale online, including card numbers and expiration dates. Pins and CVV records were not exposed.

Iranian Debit Card Breach

December 10

On December 10, 2019, it was reported that Mellat, Tejarat, and Sarmayeh, Iran’s three largest banks, had been breached and that the attacker had published 15 million bank debit cards on social media in the aftermath of anti-government demonstrations.

Learn More

Target

Location: Iran
Date Breach First Reported:12/10/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On December 10, 2019, it was reported that Mellat, Tejarat, and Sarmayeh, Iran’s three largest banks, had been breached and that the attacker had published 15 million bank debit cards on social media in the aftermath of anti-government demonstrations. Iran’s information and telecommunications minister denied this was due to attackers but an inside contractor who had access to the data. Researchers are disputing this and suggest it was likely a nation state actor.

UK and Israeli Private Equity Firms Business Email Compromise

December 3

On December 3, 2019, 3 private equity firms in the UK and Israel had £600k stolen by attackers, known as the “The Florentine Banker,” through a sophisticated business email compromise scheme.

Learn More

Target

Location: United Kingdom, Israel
Date Breach First Reported: 12/3/19

Incident

Method: Phishing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On December 3, 2019, 3 private equity firms in the UK and Israel had £600k stolen by attackers, known as the “The Florentine Banker,” through a sophisticated business email compromise scheme.

The attackers gained control over the victim's email accounts and intercepted specific emails involving the planned transfer of funds. The group used email rules to divert those they deemed interesting into another folder. They then registered similar domains to those on the other side of the conversation, diverted the legitimate communication and instead sent their own modified emails. In this way the attackers could manipulate all the parties involved into transferring funds to their own accounts instead of those intended by impersonating both sides of the conversation. £600k was taken by the group in 3 different transactions. Researchers noted many other spoofed domains that appear to have been registered by the attackers suggesting that the group is targeting other organizations in similar attacks.

Upbit Crypto Heist

November 27

On November 27, 2019, $48.5 million in virtual currency was stolen from Upbit a South Korean cryptocurrency exchange.

Learn More

Target

Location: South Korea
Date Breach First Reported: 11/28/19

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On November 27, 2019, $48.5 million in virtual currency was stolen from Upbit a South Korean cryptocurrency exchange. The identity of the attackers remains unknown.

$48.5 million in Ethereum was taken from exchange Upbit's hot wallet in 17 transactions. Upbit have stated they will cover any loss to customers.

Edenred Malware

November 21

On November 21, 2019, Edenred, a payment solutions provider, reported that it was infected by malware that affected a number of the organization’s computers.

Learn More

Target

Location: Europe
Date Breach First Reported:11/21/2019

Incident

Method: Malware
Type: Unknown

Actor

Type: N/A
Attribution: Unknown

Description

On November 21, 2019, Edenred, a payment solutions provider, reported that it was infected by malware that affected a number of the organization’s computers. Edenred’s payment platform operates across 46 countries and in 2018 they managed 2.5 billion payment transactions. According to a statement released by the organization, as soon as the incident was detected they implemented countermeasures to prevent further infections. The number of computers effected and the extent of the attack is still currently unknown.

Cayman National Bank and Trust Data Theft

November 18

On November 18, 2019, the Cayman National Bank and Trust Company confirmed it had been breached and had confidential data stolen.

Learn More

Target

Location: United Kingdom
Date Breach First Reported:11/18/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Non-state actor
Attribution: Speculated

Description

On November 18, 2019, the Cayman National Bank and Trust Company confirmed it had been breached and had confidential data stolen. The Cayman National Bank did not elaborate on the extent of the breach but confirmed it was working with law enforcement. This announcement corroborated an earlier claim by Phineas Fisher, a vigilante hacker persona, who publicized the hack to encourage similar hacktivism. Phineas Fisher offered $100,000 USD to hacktivists who breach and leak documents from bank, oil companies, surveillance spyware vendors, and others.

Cardplanet Fraud

November 13

On November 13, 2019, the United States charged a Russian man for running ‘Cardplanet,’ a card trading platform worth almost $20 million USD that buys and sells stolen payment card details.

Learn More

Target

Location: Unknown
Date Breach First Reported:11/13/2019

Incident

Method: N/A
Type: N/A

Actor

Type: Non-state actor
Attribution: High confidence

Description

On November 13, 2019, the United States charged a Russian man for running ‘Cardplanet,’ a card trading platform worth almost $20 million USD that buys and sells stolen payment card details. He is facing a number of charges including access device fraud, identity theft, and computer intrusion.

Rwandan Bank Botched Heist

November 1

On November 1, 2019, authorities apprehended twelve individuals over a cyber-fraud attempt on Equity Bank Rwanda.

Learn More

Target

Location: Rwanda
Date Breach First Reported:11/1/19

Incident

Method: Unknown
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On November 1, 2019, authorities apprehended twelve individuals over a cyber-fraud attempt on Equity Bank Rwanda. The individuals include eight Kenyans, three Rwandans, and one Ugandan who were attempting to hack the local bank. Officials noted that the hack was thwarted and that the fraudsters did not steal any funds.

460,000 Turkish Card Details for Sale

October 28

On December 11, 2019, it was reported that 463,378 Turkish payment cards from Turkish banks had been posted for sale online between late October and late November, for an estimated total value of USD $500,000.

Learn More

Target

Location: Turkey
Date Breach First Reported: 12/11/19

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On December 11, 2019, it was reported that 463,378 Turkish payment cards from Turkish banks had been posted for sale online between late October and late November, for an estimated total value of USD $500,000. Full card details were available as well as personal data including emails and phone numbers. Security researchers from Group-IB speculated the payment card information was stolen from online card payments using a JavaScript-based skimmer, such as Magecart.

Johannesburg City Breach

October 24

On October 24, 2019, the City of Johannesburg reported a breach of its network and shut down its website and all e-services.

Learn More

Target

Location: South Africa
Date Breach First Reported:10/25/19

Incident

Method: Unknown
Type: Data breach

Actor

Type: Non-state actor
Attribution: Speculated

Description

On October 24, 2019, the City of Johannesburg reported a breach of its network and shut down its website and all e-services. Earlier that day, the city had received a bitcoin ransom note from a group called the Shadow Kill Hackers, who demanded payment of 4.0 bitcoins by October 28. The hack appeared to occur at the same time as several South African banks reported internet problems believed to also be related to cyber attacks.

SABRIC DDoS Attacks

October 23

On October 23, 2019, the South African Banking Risk Information Centre (SABRIC) reported a series of distributed denial-of-service attacks which targeted several public facing services across multiple banks in the country.

Learn More

Target

Location: South Africa
Date Breach First Reported:10/23/2019

Incident

Method: DDOS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On October 23, 2019, the South African Banking Risk Information Centre (SABRIC) reported a series of distributed denial-of-service attacks which targeted several public facing services across multiple banks in the country. The attacks started with a ransom note delivered via email to several publicly available addresses.

Fake ”Fancy Bear” Group Targets Financial Sector

October 20

In October 2019, a group of cybercriminals masquerading as ”Fancy Bear,” the infamous hacking group associated with the DNC hack of 2016 among other major breaches, launched a series of distributed denial-of-service attacks against companies in the financial sector.

Learn More

Target

Location: Singapore, South Africa, Scandinavian Countries
Date Breach First Reported:10/24/2019

Incident

Method: DDOS
Type: Disruption

Actor

Type: Non-state actor
Attribution: Speculated

Description

In October 2019, a group of cybercriminals masquerading as ”Fancy Bear,” the infamous hacking group associated with the DNC hack of 2016 among other major breaches, launched a series of distributed denial-of-service attacks against companies in the financial sector. The group demanded ransom payments of up to 2 bitcoin.

BriansClub Data Theft

October 16

On October 16, 2019, it was reported that ‘BriansClub’, one of the largest underground markets for stolen credit card and payment details, was hacked by a competitor who stole 26 million card details.

Learn More

Target

Location: Unknown
Date Breach First Reported:10/16/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: Non-state actor
Attribution: Speculated

Description

On October 16, 2019, it was reported that ‘BriansClub’, one of the largest underground markets for stolen credit card and payment details, was hacked by a competitor who stole 26 million card details. The credit card data was added to BriansClub between 2015-2019, representing 30 percent of the total cards that are currently being sold on the underground market.

Sberbank Data Leak

October 4

On October 4, 2019, it was reported that Sberbank, one of Russia’s largest banks, was investigating a suspected data leak that affected at least 200 customers, and potentially data on 60 million credit cards.

Learn More

Target

Location: Russia
Date Breach First Reported:10/4/2019

Incident

Method: N/A
Type: Data breach

Actor

Type: Insider
Attribution: Speculated

Description

On October 4, 2019, it was reported that Sberbank, one of Russia’s largest banks, was investigating a suspected data leak that affected at least 200 customers, and potentially data on 60 million credit cards. Sberbank is investigating an internal employee who may be behind the compromise of the database. Sberbank is working with law enforcement to investigate the incident further.

Indian ATMs Targeted with ATMDtrack Malware

September 23

On September 23, security researchers reported that North Korean hackers had developed and inserted malware to steal payment information from Indian ATMs and banking institutions.

Learn More

Target

Location: India
Date Breach First Reported:9/23/2019

Incident

Method: Malware
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

On September 23, security researchers reported that North Korean hackers had developed and inserted malware to steal payment information from Indian ATMs and banking institutions. The malware, known as ATMDtrack, began appearing on networks during the summer of 2018 and is thought to be attributable to Lazarus Group, a hacking group that has targeted banks, ATMs, and cryptocurrency exchanges in order to fund North Korea's weapons of mass destruction program.

ECB BIRD Site Data Breach

September 16

On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack compromising the information of the site’s newsletter subscribers.

Learn More

Target

Location: Germany
Date Breach First Reported:9/16/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack compromising the information of the site’s newsletter subscribers. The ECB reported that no market-sensitive data was compromised in the attack, and it planned to contact the 481 individuals whose names, email addresses, and titles may have been accessed by hackers.

Hong Kong Exchanges and Clearing Limited DDoS Attack

September 6

On September 6, 2019, Hong Kong Exchanges and Clearing Limited (HKEx), a Hong Kong-based stock exchange, suffered a distributed denial-of-service attack (DDoS) and discovered a technical bug, forcing them to suspend trading.

Learn More

Target

Location: China
Date Breach First Reported:9/6/2019

Incident

Method: DDoS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On September 6, 2019, Hong Kong Exchanges and Clearing Limited (HKEx), a Hong Kong-based stock exchange, suffered a distributed denial-of-service attack (DDoS) and discovered a technical bug, forcing them to suspend trading. Attackers sent high volumes of traffic to the organization’s website, causing it to slow down and display limited information on exchange prices. Although services resumed once the issues were resolved, this is the second time that HKEx has suffered an attack of this kind. In 2011 a DDoS attack forced the organizations to suspend their services, and the individual behind the attack was later sentenced to nine months in prison.

Himalayan ATM Heist

September 2

On September 2, Nepalese police arrested five Chinese nationals in connection with cyberattacks that cost Nepalese banks more than 35 million rupees (over $300,000).

Learn More

Target

Location: Nepal
Date Breach First Reported:9/2/2019

Incident

Method: Other
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

On September 2, Nepalese police arrested five Chinese nationals in connection with cyberattacks that cost Nepalese banks more than 35 million rupees (over $300,000). The attackers targeted the Nepal Electronic Payment System, which was established to coordinate cash withdrawals at 17 Nepalese banks, and inserted malware that directed ATMs to process withdrawal requests without first verifying with member banks. Staff at one Nepali bank discovered the theft when ATMs began running out of cash sooner than expected and informed authorities. Police recovered 12.63 million rupees (more than $110,000) during the arrests.

Silence Group Targets Banks for 4.2 Million

August 23

On August 23, 2019, it was reported that financial institutions in Bulgaria, Chile, Costa Rica, and Ghana were compromised by the Silence Group.

Learn More

Target

Location: Bulgaria, Chile, Costa Rica, Ghana
Date Breach First Reported: 08/23/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On August 23, 2019, it was reported that financial institutions in Bulgaria, Chile, Costa Rica, and Ghana were compromised by the Silence Group. Since 2016, the Silence Group had stolen a cumulative $4.2 million USD from banks in Eastern and Western Europe and Asia.

Since 2018, Silence has sent over 170,000 phishing attacks to financial institutions. The group has refined its techniques since it was first spotted in 2016. Silence now uses fileless techniques, repurposed open-source projects, and old vulnerabilities.

Binance Ransomware

August 6

On August 6, Malta-based cryptocurrency exchange Binance became the victim of ransomware when attackers demanded 300 bitcoin (around $3.5 million at the time) in exchange for a Know Your Customer (KYC) database containing the personal information of around 10,000 users.

Learn More

Target

Location: Malta
Date Breach First Reported:8/6/2019

Incident

Method: Ransomware
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

On August 6, Malta-based cryptocurrency exchange Binance became the victim of ransomware when attackers demanded 300 bitcoin (around $3.5 million at the time) in exchange for a Know Your Customer (KYC) database containing the personal information of around 10,000 users. The KYC database allegedly contained personal identification information and photographs of users with documents like passports. The company contested the authenticity of the documents, claiming that they lacked digital watermarks, refused to pay the ransom, and contacted law enforcement for assistance in pursuing the attacker(s).

Capital One Data Breach

July 29

On July 29, Capital One announced that it had suffered a data breach compromising the credit card applications of around 100 million individuals after a software engineer hacked into a cloud-based server.

Learn More

Target

Location: United States and Canada
Date Breach First Reported: 7/29/2019

Incident

Method: Other
Type: Data breach/theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On July 29, Capital One announced that it had suffered a data breach compromising the credit card applications of around 100 million individuals after a software engineer hacked into a cloud-based server. The applications contained names, dates of birth, credit scores, contact information, and some American and Canadian social security numbers. The hacker exploited a misconfigured firewall to gain access to a database of personal information hosted by Amazon Web Services. Upon gaining access, the hacker posted about it on GitHub, and an unidentified individual notified Capital One about the presence of the database on GitHub. Authorities arrested one individual in connection with the data theft.

Banco Pan Data Breach

July 25

On July 25, security researchers found a file containing 250GB of personal and financial information, mainly tied to Brazilian financial institution Banco Pan, exposed online.

Learn More

Target

Location: Brazil
Date Breach First Reported:7/25/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On July 25, security researchers found a file containing 250GB of personal and financial information, mainly tied to Brazilian financial institution Banco Pan, exposed online. The information, which Banco Pan claims is owned by a commercial partner, contained scans of identification cards and social security cards, proof of address documents, and service request forms.

Jana Bank Data Breach

July 23

On July 23, a security researcher reported that Jana Bank, an Indian small finance bank, left exposed a database containing information on millions of financial transactions.

Learn More

Target

Location: India
Date Breach First Reported: 7/23/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On July 23, a security researcher reported that Jana Bank, an Indian small finance bank, left exposed a database containing information on millions of financial transactions. The Know Your Customer verification database was not password-protected, allowing anyone to access, alter, or download the information. Jana Bank immediately secured the database upon learning of its exposure.

Remixpoint Inc. Crypto Theft

July 12

On July 12, Remixpoint, a Japanese cryptocurrency exchange, halted services after it discovered the theft of $32 million in digital currencies.

Learn More

Target

Location: Japan
Date Breach First Reported:7/12/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 12, Remixpoint, a Japanese cryptocurrency exchange, halted services after it discovered the theft of $32 million in digital currencies. After an error appeared in the exchange’s outgoing funds transfer system, Remixpoint discovered that the funds had been taken from a “hot” wallet (one that is connected to the internet). No funds had been stolen from “cold” wallets (those not connected to the internet). The company promised to investigate the incident and provided no further details.

Bitpoint Crypto Heist

July 12

On July 12, 2019, approximately $32 million in virtual currency was stolen from Bitpoint, a Japanese cryptocurrency exchange.

Learn More

Target

Location:Japan
Date Breach First Reported: 07/12/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 12, 2019, approximately $32 million in virtual currency was stolen from Bitpoint, a Japanese cryptocurrency exchange. The identity of the attackers remains unknown.

Crypto Exchange Theft

June 25

On June 25, Europol, British law enforcement, and Dutch law enforcement officials arrested six individuals for cryptocurrency theft amounting to €24 million (over $26 million).

Learn More

Target

Location: Netherlands, United Kingdom
Date Breach First Reported:6/25/2019

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Speculated

Description

On June 25, Europol, British law enforcement, and Dutch law enforcement officials arrested six individuals for cryptocurrency theft amounting to €24 million (over $26 million). The individuals used a technique known as “typosquatting,” in which they duplicated an online cryptocurrency exchange to steal information and gain access to victims’ bitcoin wallets. The attack affected more than 4,000 individuals in at least 12 countries.

Bangladesh Switch System Cyberattack

June 22

In June 2019, at least three private Bangladeshi banks were compromised by major cyberattacks, with one, Dutch Bangla Bank Limited (DBBL), losing as much as TK 25 crore (around $3 million).

Learn More

Target

Location: Bangladesh
Date Breach First Reported:6/22/2019

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In June 2019, at least three private Bangladeshi banks were compromised by major cyberattacks, with one, Dutch Bangla Bank Limited (DBBL), losing as much as TK 25 crore (around $3 million). Attackers deployed malware to duplicate DBBL's Switch payment management system, allowing fraudulent financial transactions to be executed undetected. NCC Bank and Prime Bank were also targeted, but both banks reported no financial losses associated with the attack.

Dutch Bangla Bank Heist by Silence Group

May 31

On April 23, 2019, it was reported the Silence Group had targeted financial institutions in the UK, India, and South Korea since the end of 2018, and had stolen from at least one institution.

Learn More

Target

Location: Bangladesh, India, Sri Lanka, Kyrgyzstan
Date Breach First Reported: 05/31/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On May 31, 2019, the Silence Group stole $3 million from Bangladesh’s Dutch Bangla Bank via ATM cash outs. Three other undisclosed financial institutions in India, Sri Lanka, and Kyrgyzstan were also attacked in the same timeframe. Until recently, Silence had focused on Russia and the Commonwealth of Independent States.

Local media found a video of two Ukrainian men visiting Dutch Bangla Bank ATMs, making a phone call, and then withdrawing large sums of money.

Upbit Attempted Crypto Heist

May 25

On May 25, 2019, attackers attempted to steal from Upbit, a South Korean cryptocurrency exchange, but were thwarted by East Security, a security firm.

Learn More

Target

Location: South Korea
Date Breach First Reported: 08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On May 25, 2019, attackers attempted to steal from Upbit, a South Korean cryptocurrency exchange, but were thwarted by East Security, a security firm. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Attackers sent phishing emails to Upbit users in an attempt to steal their funds. It appears as though no losses have resulted from the emails.

First American Financial Corp.

May 24

On May 24, First American Financial Corp. suffered a data breach compromising around 885 million files related to mortgage deeds.

Learn More

Target

Location: United States
Date Breach First Reported:5/24/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On May 24, First American Financial Corp. suffered a data breach compromising around 885 million files related to mortgage deeds. The documents, which dated back as far as 2003, contained bank account numbers and statements, mortgage and tax records, social security numbers, wire transaction receipts, and images of drivers' licenses. The documents were accessible to anyone with a web browser because the company used a standard format for document addresses, meaning that anyone with knowledge of at least one document link could access others simply by modifying the digits associated with the record number. Although the company took down the website, many of the pages remained accessible on archive.org. As of August 2019, the U.S. Securities and Exchange Commission had begun an investigation into the data breach.

GozNym Gang Arrested

May 16

On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries, dismantled a group of international cyber criminals that used the GozNym malware to steal over $100 million.

Learn More

Target

Location: Multiple
Date Breach First Reported:5/16/2019

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actors
Attribution: High confidence

Description

On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries, dismantled a group of international cyber criminals that used the GozNym malware to steal over $100 million. The group stole from over 40,000 victims, including the bank accounts of small businesses, law firms, international corporations, and nonprofit organizations. Following a law enforcement investigation across the U.S., Bulgaria, Germany, Georgia, Moldova, and Ukraine, ten members were charged for the crime. The leader of the network was charged in Georgia while another was extradited from Bulgaria to the U.S. to face trial. Although some members of the gang are still on the run, the initial charges have been seen as a success for law enforcement in their efforts to combat international cybercrime.

FirstBank Breach

May 13

In May 2019, a Colorado bank suffered an external security incident resulting in the cancellation and redistribution of customer debit cards.

Learn More

Target

Location: United States
Date Breach First Reported:5/13/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In May 2019, a Colorado bank suffered an external security incident resulting in the cancellation and redistribution of customer debit cards. FirstBank, Colorado’s largest locally-owned bank, issued a security notice on May 13 informing customers of the breach and instructing them to report any suspicious behavior. The bank confirmed that the breach did not occur on its online systems but from other merchants where FirstBank customers made transactions.

Retefe Malware Resurfaces in Germany and Switzerland

May 2

In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan in Germany and Switzerland.

Learn More

Target

Location: Switzerland, Germany
Date Breach First Reported: 5/2/2019

Incident

Method: Malware
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan in Germany and Switzerland. Retefe is a malware that installs the Tor internet browser to redirect infected devices to spoofed banking sites. The Trojan is typically delivered through email attachments and often attempts to trick users into downloading spoofed mobile Android applications to bypass two-factor authentication.

In the past, Retefe campaigns have targeted several European countries. In November 2016, Retefe targeted Tesco Bank and other UK financial institutions. In September 2017, an updated version of Retefe leveraged the EternalBlue exploit in a campaign against Swiss targets. Since April, the Trojan has reemerged in German and Swiss banks.

Silence Targets Banks in UK, India, and South Korea

April 23

On April 23, 2019, it was reported the Silence Group had targeted financial institutions in the UK, India, and South Korea since the end of 2018, and had stolen from at least one institution.

Learn More

Target

Location: United Kingdom, India, South Korea
Date Breach First Reported: 04/23/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: Known

Description

On April 23, 2019, it was reported the Silence Group had targeted financial institutions in the UK, India, and South Korea since the end of 2018, and had stolen from at least one institution.

Romanian ATM Skimmer Gang Arrested in Mexico

April 4

On March 31, Mexican law enforcement arrested two senior members of a Romanian cyber criminal group allegedly behind an ATM skimming operation in Mexico.

Learn More

Target

Location: Mexico
Date Breach First Reported:4/4/2019

Incident

Method: Skimmer
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On March 31, Mexican law enforcement arrested two senior members of a Romanian cyber criminal group allegedly behind an ATM skimming operation in Mexico. One suspect is believed to be the head of Instacash, a fraudulent ATM service provider operating out of Mexico. The head of Instacash allegedly bribed and coerced ATM technicians to install sophisticated Bluetooth-based skimmers inside competitor’s ATMs, enabling the Romanian cyber criminal group to steal PINs and card data remotely from ATMs throughout popular tourist destinations in Mexico.

BitHumb Crypto Heist #4

March 29

On March 29, 2019, approximately $20 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, marking the fourth theft in two years.

Learn More

Target

Location: South Korea
Date Breach First Reported:08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 29, 2019, approximately $20 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, marking the fourth theft in two years. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.

Kuwait Bank Theft

March 27

On March 27, 2019, attackers stole $49 million from a bank in Kuwait.

Learn More

Target

Location: Kuwait
Date Breach First Reported: 08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 27, 2019, attackers stole $49 million from a bank in Kuwait. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

While the UN Security Council Panel of Experts did not reveal the name of the bank in Kuwait, the Gulf Bank of Kuwait announced a technical failure in its system of international remittances on Twitter on March 27.

DragonEx Crypto Heist

March 24

On March 24, 2019, $7 million in virtual currency was stolen from DragonEx, a Singapore based cryptocurrency exchange.

Learn More

Target

Location: Singapore
Date Breach First Reported: 03/24/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 24, 2019, $7 million in virtual currency was stolen from DragonEx, a Singapore based cryptocurrency exchange. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.

Stolen coins were across a range of currencies including bitcoin, ether, xrp, litecoin and EOS. DragonEx released the addresses of 20 wallets where funds were transferred in the hopes of blocking the movement of these funds.

Royal Bank of Scotland Security Flaw

March 22

In early 2019, the Royal Bank of Scotland’s (RBS) customer accounts were exposed to a security flaw after introducing a new customer security service.

Learn More

Target

Location: United Kingdom
Date Breach First Reported:3/22/2019

Incident

Method: Software vulnerability
Type: N/A

Actor

Type: Unknown
Attribution: Unknown

Description

In early 2019, the Royal Bank of Scotland’s (RBS) customer accounts were exposed to a security flaw after introducing a new customer security service. In January, RBS launched a free endpoint security service for customers in partnership with Danish firm Hedimal Security. While the security service was intended to detect threats and protect RBS customers from attacks, researchers discovered a software flaw that enabled access to customer emails, banking details and internet history. Hedimal Security has since released an update to fix the security flaw and insisted that only 50,000 computers were effected. They claim that there were no intrusions as a result of the security flaw.

Ursnif Malware Attack on Japanese Banks

March 12

The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign targeting Japanese banks that began in 2016.

Learn More

Target

Location: Japan
Date Breach First Reported:3/12/2019

Incident

Method: Malware
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign targeting Japanese banks that began in 2016. Ursnif, also known as Gozi ISFB, is a popular malware that steals information on infected Windows devices. Ursnif has been deployed in a new campaign that specifically targets banks in Japan. The malware terminates itself on devices outside of the country. The campaign uses a distribution network of spam botnets and compromised web servers to deliver the Trojan. Between 2016 and 2017, researchers at Palo Alto Networks observed millions of infected emails sent to banks in Japan. Researchers have not been able to identify the operation behind the campaign, but evidence suggests it may be connected to the Cutwill Botnet, a cyber criminal operation active since 2007.

Gambian Financial Institution Attempted Theft

March 1

In March 2019, attackers attempted to steal $9.3 million from a Gambian financial institution.

Learn More

Target

Location: The Gambia
Date Breach First Reported:08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In March 2019, attackers attempted to steal $9.3 million from a Gambian financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Nigerian Financial Institution Attempted Theft

March 1

In March 2019, attackers attempted to steal $12.2 million from a Nigerian financial institution.

Learn More

Target

Location: Nigeria
Date Breach First Reported:08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In March 2019, attackers attempted to steal $12.2 million from a Nigerian financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Bank of Valletta

February 13

On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down operations after an attempted theft of €13 million.

Learn More

Target

Location: Malta
Date Breach First Reported: 2/14/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: Nonstate actor
Attribution: Unknown

Description

On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down operations after an attempted theft of €13 million. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Attackers made multiple transfer requests from the Maltese bank to accounts in the UK, United States, Czech Republic, and Hong Kong. The bank’s employees discovered the fraudulent activity during their daily reconciliation of international orders. Within the hour, BOV notified other banks in an attempt to freeze the transactions. It also closed all its branches, shut down its ATMs and point-of-sale system, and stopped all other electronic services, which were restored the following day. In a statement, BOV said it was working with local and international police authorities to track down the attackers. On January 30, 2020, the UK's National Crime Agency issued arrests in London and Belfast, suspected to be in connection to the BOV heist.

U.S. Credit Union Spear-Phishing

February 8

Multiple credit unions in the United States were hit by spear-phishing emails impersonating compliance officers from other credit unions.

Learn More

Target

Location: United States
Date Breach First Reported:2/8/2019

Incident

Method: Phishing
Type: N/A

Actor

Type: Unknown
Attribution: Unknown

Description

Multiple credit unions in the United States were hit by spear-phishing emails impersonating compliance officers from other credit unions. Under the Bank Secrecy Act (BSA), financial institutions are required to have dedicated compliance personnel responsible for reporting suspicious transactions and potentially fraudulent activity to the U.S. government. Emails sent to these compliance officers contained a PDF with a malicious link. While it is believed that no employee clicked the link, there is speculation as to how the attackers obtained the email addresses of the compliance officers.

SBI Breach

February 4

The State Bank of India, the country’s largest, has denied claims that its servers were compromised during a recent intrusion.

Learn More

Target

Location: India
Date Breach First Reported:2/4/2019

Incident

Method: Unknown
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

The State Bank of India, the country’s largest, has denied claims that its servers were compromised during a recent intrusion. Multiple media outlets reported an SBI server was unprotected, and as a result attackers were able to gain access to the system and steal users’ personal information. Despite the claims, the bank said their investigation revealed that SBI’s servers remained fully protected and that no breach had occurred.

Metro Bank 2FA Breach

February 2

UK-based Metro Bank became the first major bank to suffer from a new type of cyber intrusion that intercepts text messages with two-factor authentication codes used to verify various customer transactions.

Learn More

Target

Location: United Kingdom
Date Breach First Reported:2/2/2019

Incident

Method: Other
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

UK-based Metro Bank became the first major bank to suffer from a new type of cyber intrusion that intercepts text messages with two-factor authentication codes used to verify various customer transactions. The attackers exploited flaws in the Signaling System 7 (SS7) protocol, which is used by telecommunications companies to route text messages around the world. A spokesperson for the bank stated that only a small number of those defrauded were Metro Bank customers.

Spanish Financial Institution Attempted Theft

February 1

In February 2019, attackers attempted to steal $32 million from a a Spanish financial institution.

Learn More

Target

Location: Spain
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In February 2019, attackers attempted to steal $32 million from a a Spanish financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Spain’s National Cryptologic Centre (CCN), under the National Intelligence Centre stated in its 2019 Cyberthreats and Trends report that hackers associated with the DPRK government conducted the largest number of reported cyberattacks against Spain in 2018.

Chile ATM Attack

January 10

In December, hackers infiltrated Chile’s ATM interbank network, Redbanc, after tricking an employee into downloading a malicious program during a fake job interview over Skype.

Learn More

Target

Location: Chile
Date Breach First Reported: 1/15/2019

Incident

Method: Other
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In December, hackers infiltrated Chile’s ATM interbank network, Redbanc, after tricking an employee into downloading a malicious program during a fake job interview over Skype. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

It is believed that the Redbanc employee saw a LinkedIn job advertisement and attended a Skype interview where the attackers asked him to download a software program to submit his application form. The attackers tricked the victim into downloading malware on his system, giving them access to Redbanc’s network. Redbanc claims the event had no impact on its business operations.

Fuze Cards

January 10

The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an attempt to avoid detection by U.S. law enforcement.

Learn More

Target

Location: United States
Date Breach First Reported:1/10/2019

Incident

Method: Cards
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an attempt to avoid detection by U.S. law enforcement. A Fuze card is a data storage device that looks like a bank card, but can hold account data for up to thirty cards. Using smartcard technology can help criminals avoid raising suspicions at payment points or if stopped by authorities, as it reduces the need for them to carry large numbers of counterfeit cards on their person.

Janeleiro Malware Targets Brazilian Organizations

January 1

On April 6, 2021, a security firm reported a new banking trojan called Janeleiro that has been targeting corporate users in Brazil since 2019.

Learn More

Target

Location: Brazil
Date Breach First Reported:4/6/2021

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On April 6, 2021, a security firm reported a new banking trojan called Janeleiro that has been targeting corporate users in Brazil since 2019. The affected sectors include engineering, healthcare, retail, manufacturing, finance, transportation, and government. The malware steals the personal information and banking credentials of users through fake pop-ups that imitate Brazilian banks websites.

2018

Evercore Breach

December 23

In November, hackers breached Evercore gaining access to thousands of sensitive documents from the global investment bank.

Learn More

Target

Location: Western Europe
Date Breach First Reported:12/23/2018

Incident

Method: Phishing
Type: Data breach

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In November, hackers breached Evercore gaining access to thousands of sensitive documents from the global investment bank. The attackers used phishing tactics to gain access to an employee’s inbox, enabling them to steal around 160,000 pieces of data including documents, diary invitations, and emails. A source at the bank believes the motivation for the breach was to access the administrator's address book to send more phishing emails. The source also claims no data had been misused in result of the breach.

Government Payment Portals

December 18

In August 2017, Click2Gov, an online bill-payment portal used to pay for local government services in the United States, was the victim of a data breach.

Learn More

Target

Location: United States
Date Breach First Reported:12/18/2018

Incident

Method: Other
Type: Data breach

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In August 2017, Click2Gov, an online bill-payment portal used to pay for local government services in the United States, was the victim of a data breach. The breach exposed customer data including payment card details and log-in credentials of users in over forty U.S. cities. Threat intelligence firm Gemini Advisory discovered that several users’ card details were sold on the dark web for approximately £10. Gemini identified 294,929 compromised payment records, resulting in at least $1.7 million in earnings for the criminals.

Brazilian Mobile Malware

December 13

In mid-December, a report revealed that over 2,000 mobile banking users in Brazil downloaded an Android-based Trojan through Google Play applications.

Learn More

Target

Location: Brazil
Date Breach First Reported:12/13/2018

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In mid-December, a report revealed that over 2,000 mobile banking users in Brazil downloaded an Android-based Trojan through Google Play applications. Victims unknowingly downloaded the malware, allowing attackers to gain access to user devices and data. The “Android.BankBot.495” malware was designed to read the victim’s information when they logged into their mobile banking app. Reports suggest that the malware also targeted apps such as Uber, Netflix, and Twitter using phishing tactics.

ThreadKit Exploit

December 11

In late 2018, security researchers uncovered that Cobalt, a state-sponsored threat group that specializes in attacks on financial institutions, had begun employing a new variant of the ThreadKit exploit builder kit to execute phishing schemes utilizing Microsoft Office documents.

Learn More

Target

Location: Eastern Europe (Ukraine; Poland; Romania; Czech Republic; Hungary; Belarus; Bulgaria; Slovakia; Moldova)
Date Breach First Reported:12/11/2018

Incident

Method: Phishing
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In late 2018, security researchers uncovered that Cobalt, a state-sponsored threat group that specializes in attacks on financial institutions, had begun employing a new variant of the ThreadKit exploit builder kit to execute phishing schemes utilizing Microsoft Office documents. First observed in October 2017, the new tactics show an evolution of the ThreadKit macro delivery tool and demonstrate the growing range of techniques employed by malicious actors.

Eastern European Banks Targeted From the Inside

December 6

In 2017 and 2018, eight banks in Eastern Europe were targeted by attackers who connected electronic devices directly to the banks’ infrastructure.

Learn More

Target

Location: Eastern Europe
Date Breach First Reported:12/6/2018

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In 2017 and 2018, eight banks in Eastern Europe were targeted by attackers who connected electronic devices directly to the banks’ infrastructure. Attackers used a range of readily available devices such as netbooks, inexpensive laptops, USB tools, and other devices. The attackers disguised themselves as job seekers or couriers and gained access to the local network from various places inside the victims’ central or regional offices, and even from company branches in different countries. Once they gained access to the target bank’s infrastructure, the attackers scanned its networks to collect valuable information, such as account details for making payments. The attacks are believed to have caused tens of millions of dollars in damages.

Rapid Raids Jackpotting

November 14

On November 14, two Venezuelan men were found guilty of jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand.

Learn More

Target

Location: United States
Date Breach First Reported:11/14/2018

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: High Confidence

Description

On November 14, two Venezuelan men were found guilty of jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand. From February to March, the duo stole $125,000 from four ATMs in Indiana, Kentucky, Wisconsin, and most recently Michigan, where they were apprehended.

Postbank Internal Data Breach and Fraud

December 1

In December 2018, Postbank, the banking division of South Africa’s post office, experienced an internal data breach resulting in the theft of over $3.2 million and the forced replacement of 12 million cards.

Learn More

Target

Location: South Africa
Date Breach First Reported: 06/18/2020

Incident

Method: Multiple
Type: Theft

Actor

Type: Insider
Attribution: Speculated

Description

In December 2018, Postbank, the banking division of South Africa’s post office, experienced an internal data breach resulting in the theft of over $3.2 million and the forced replacement of 12 million cards. Employees stole Postbank’s 36-digit master encryption key and used it to access account balances in 25.000 fraudulent transactions over the course of a year.

According to internal documents acquired by journalists, the stolen 36-digit encryption key, “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards.

HSBC U.S. Breach

November 6

In November, HSBC reported that hackers had gained access to customer data including names, addresses, phone numbers, and account details.

Learn More

Target

Location: United States
Date Breach First Reported:11/6/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In November, HSBC reported that hackers had gained access to customer data including names, addresses, phone numbers, and account details. When HSBC discovered the compromised accounts, they suspended online access for affected customers to prevent further entry to the accounts. At the time of release, HSBC did not provide details on the number of customers affected. However, claims estimate that less than 1 percent of the bank’s U.S. online accounts were potentially compromised.

Magecart Payments Breach

November 2

In early November, Lloyds Banking Group and other UK banks were forced to replace payment cards after the breach of numerous retail sites.

Learn More

Target

Location: United Kingdom
Date Breach First Reported:11/2/2018

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In early November, Lloyds Banking Group and other UK banks were forced to replace payment cards after the breach of numerous retail sites. Websites for retailers, including Ticketmaster and British Airways, were manipulated to skim card information from hundreds of thousands of customers using the Magecart toolset.

Bank Islami

October 29

On October 29, 2018, Bank Islami in Pakistan detected a cyber attack on its international payment card network.

Learn More

Target

Location: Pakistan
Date Breach First Reported:10/29/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On October 29, 2018, Bank Islami in Pakistan detected a cyber attack on its international payment card network. The bank uncovered suspicious transactions from payment cards outside of Pakistan and immediately shut down its international payment scheme. The bank confirmed that around 2.6 million Pakistani rupees (roughly $19,500) were withdrawn from customer accounts. Following the incident, the State Bank of Pakistan (SBP) issued directives to all banks, encouraging them to ensure the security of all payment cards and monitor card activity on a real-time basis.

Pakistan Data Theft

October 27

On October 27, cybersecurity firm Group-IB reported a spike in sales of card details from Pakistani customers on Joker’s Stash, a popular online marketplace for stolen information.

Learn More

Target

Location: Pakistan
Date Breach First Reported: 10/27/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On October 27, cybersecurity firm Group-IB reported a spike in sales of card details from Pakistani customers on Joker’s Stash, a popular online marketplace for stolen information. Group-IB identified more than 150,000 card details from at least three Pakistani banks. The Pakistani Federal Investigation Agency revealed that almost all the nation’s banks had been affected. However, the State Bank of Pakistan has disputed the scale of the incident. The compromise of card details came weeks after Karachi-based Bank Islami suffered a breach of its payment cards system.

AXA Targeted in Mexico

October 23

On October 22, 2018, unknown hackers attacked insurance firm AXA, causing problems to the SPEI interbank payment matching system.

Learn More

Target

Location: Mexico
Date Breach First Reported:10/23/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On October 22, 2018, unknown hackers attacked insurance firm AXA, causing problems to the SPEI interbank payment matching system. This incident prompted Mexico’s central bank to raise the security alert level on its payments system. AXA reported no client information or money was affected by the incident.

South African Hosting Platform Breach

October 5

On October 5, 2018, Hetzner, a popular web hosting platform in South Africa, was once again targeted in a security breach—the second such breach in a year.

Learn More

Target

Location: South Africa
Date Breach First Reported:10/11/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On October 5, 2018, Hetzner, a popular web hosting platform in South Africa, was once again targeted in a security breach—the second such breach in a year. The hackers gained access to private customer information, including email addresses, phone numbers, and bank account information. Credit card information and user website passwords were not accessed. The company noticed the suspicious activity and launched an investigation, warning customers to beware phishing attacks.

State Bank of Mauritius

October 2

In October 2018, the Indian subsidiary of the State Bank of Mauritius was targeted by attackers who attempted to steal $14 million through compromised IT systems.

Learn More

Target

Location: Mauritius
Date Breach First Reported:10/2/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In October 2018, the Indian subsidiary of the State Bank of Mauritius was targeted by attackers who attempted to steal $14 million through compromised IT systems. The bank managed to recover $10 million in the days following the attack and said no customers would lose money as a result. The thieves reportedly withdrew the funds using fraudulent messages on the SWIFT interbank messaging network.

Zaif Crypto Heist

September 14

On September 14, 2018, approximately $60 million in virtual currency was stolen from Zaif, a Japanese cryptocurrency exchange.

Learn More

Target

Location: Japan
Date Breach First Reported: 09/14/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On September 14, 2018, approximately $60 million in virtual currency was stolen from Zaif, a Japanese cryptocurrency exchange.

The attackers accessed the exchange’s hot wallets to steal roughly $60 million in bitcoin, bitcoin cash, and MonaCoin. The identity of the attackers remains unknown.

Russian Bank Heists by Silence Group

September 5

First reported in 2018, Russian-speaking hackers, dubbed Silence by researchers at Group IB, targeted Russian banks, stealing $550,000 within a year.

Learn More

Target

Location: Russia
Date Breach First Reported:9/5/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

First reported in 2018, Russian-speaking hackers, dubbed Silence by researchers at Group IB, targeted Russian banks, stealing $550,000 within a year. After an unsuccessful attempt to penetrate the Russian Central Bank’s automated workstation client, the group attacked ATMs directly and through the supply chain, using phishing emails as its means of entry to the networks.

Banco de la Nacion

August 17

Over the weekend of August 17–19, 2018, an attack took place on Peruvian banks that forced at least one bank to take down its internet banking services and some card transactions.

Learn More

Target

Location: Peru, Thailand, Malaysia, Indonesia, United States, Latin America
Date Breach First Reported:8/17/2018

Incident

Method: Ransomware
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

Over the weekend of August 17–19, 2018, an attack took place on Peruvian banks that forced at least one bank to take down its internet banking services and some card transactions. There were reports that a new strain of ransomware was involved. The extent of the damage done remains unclear, but there were no indications in the weeks afterward that the attack targeted payment systems, or was a smokescreen for other activity.

Cosmos Bank SWIFT Heist

August 11

In August 2018, it was reported that Cosmos Bank, the second-biggest cooperative bank in India, lost $13.5 million through ATMs in twenty-eight countries as well as through unauthorized interbank transactions.

Learn More

Target

Location: India
Date Breach First Reported:8/11/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In August 2018, it was reported that Cosmos Bank, the second-biggest cooperative bank in India, lost $13.5 million through ATMs in twenty-eight countries as well as through unauthorized interbank transactions. The attackers seem to have stolen card information and also set up their own proxy server so transactions with stolen details would not trigger alarms. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Over the course of just a few hours on August 11, the group coordinated almost 15,000 transactions to cash out funds through ATMs worldwide using compromised Visa and Rupay cards. Two days later, the attackers made further fraudulent transactions through the bank’s interface to the SWIFT messaging system—a technique used in numerous bank attacks, including against fellow Indian lender City Union Bank (CUB) in February.

The parallels with the CUB heist continued after police arrested several suspects accused of taking the funds from ATMs. Four of the people involved also admitted playing a role in the earlier theft, according to investigators in September.

The attack left Cosmos’s online banking service offline for more than a week, and the funds have not been recovered. There were signs that an attack on a bank was coming. Two days before the incident, the FBI issued a warning to banks about an imminent ATM cash-out scheme, without providing further public details.

National Bank of Blacksburg

July 24

In May 2016 and January 2017, the National Bank of Blacksburg, based in the state of Virginia, was hit by phishing emails that enabled intruders to install malware and pivot into the Star Network, a U.S. bank card processing service.

Learn More

Target

Location: United States
Date Breach First Reported:7/24/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In May 2016 and January 2017, the National Bank of Blacksburg, based in the state of Virginia, was hit by phishing emails that enabled intruders to install malware and pivot into the Star Network, a U.S. bank card processing service. The 2017 attack gave wider access to bank networks and enabled the thieves to withdraw $1.8 million over the course of a weekend, taking total losses to $2.4 million. According to a lawsuit filed by the bank against its insurer to recover more of its losses, an investigation after the second attack concluded that both incidents were by the same group, using tools and servers of Russian origin.

PIR Bank Attacked

July 19

On July 3, 2018, attackers targeted Russia’s version of the SWIFT interbank network, the Automated Workstation Client, to siphon around $1 million from PIR Bank.

Learn More

Target

Location: Russia
Date Breach First Reported:7/19/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

On July 3, 2018, attackers targeted Russia’s version of the SWIFT interbank network, the Automated Workstation Client, to siphon around $1 million from PIR Bank. After breaching the network through an outdated router, the group attempted to install Powershell scripts to remain on the banks’ systems. A report by Group IB, which responded to the incident, attributed it to an established criminal group named MoneyTaker that has targeted more than a dozen banks in the United States, Russia, and the UK since 2016.

BitHumb Crypto Heist #3

June 19

On June 19, 2018, approximately $31 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, marking the third theft in the last 16 months.

Learn More

Target

Location: South Korea
Date Breach First Reported:08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On June 19, 2018, approximately $31 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, marking the third theft in the last 16 months. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. Proceeds were laundered through a separate crypto-currency exchange called YoBit. The company stated they would compensate customers affected.

South African Insurer Ransom Attack

June 16

On June 16, 2018, South African insurer Liberty Holdings was targeted by hackers who claimed to have seized data from the firm.

Learn More

Target

Location: South Africa
Date Breach First Reported:06/18/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On June 16, 2018, South African insurer Liberty Holdings was targeted by hackers who claimed to have seized data from the firm. The hackers threatened to publicly disclose the data unless compensated. Liberty Holdings refused to pay up, suspecting that the stolen data was largely comprised of recent email exchanges.

Coinrail Crypto Heist

June 10

On June 10, 2018, approximately $37 million in virtual currency was stolen from Coinrail, a South Korean cryptocurrency exchange.

Learn More

Target

Location: South Korea
Date Breach First Reported:06/10/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On June 10, 2018, approximately $37 million in virtual currency was stolen from Coinrail, a South Korean cryptocurrency exchange. The identity of the attackers remains unknown.

Liberian Financial Institution Attempted Theft

June 1

In June 2018, attackers attempted to steal $32 million from a Liberian financial institution.

Learn More

Target

Location: Liberia
Date Breach First Reported:08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In June 2018, attackers attempted to steal $32 million from a Liberian financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Data Breach Involving Canadian Banks

May 28

In 2018, it was revealed that up to 90,000 clients of the Canadian banks Simplii and Bank of Montreal (BMO) had been exposed by a data breach that the organization blamed on unidentified fraudsters.

Learn More

Target

Location: Canada
Date Breach First Reported:5/28/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In 2018, it was revealed that up to 90,000 clients of the Canadian banks Simplii and Bank of Montreal (BMO) had been exposed by a data breach that the organization blamed on unidentified fraudsters. Bank of Montreal said there was a threat to make the data public from the group, which it thinks is behind the thefts from both banks. Simplii and BMO are now facing a class action lawsuit, with those involved arguing that the banks failed to properly protect sensitive information.

Banco de Chile Incident

May 24

In May 2018, Banco de Chile suffered a $10 million theft after the attackers used destructive software as cover for a fraudulent SWIFT transfer.

Learn More

Target

Location: Chile
Date Breach First Reported:5/24/2018

Incident

Method: Malware
Type: Disruption, theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In May 2018, Banco de Chile suffered a $10 million theft after the attackers used destructive software as cover for a fraudulent SWIFT transfer. The bank’s 9,000 workstations and 500 servers failed on May 24 as the KillMBR wiper tool rendered them unable to boot up, adding it to the growing ranks of Latin American banks suffering cyber attacks. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

ViewFines Data Breach

May 23

On May 23, ViewFines, an online traffic website, suffered a major data breach involving the personal records of 934,000 South African drivers.

Learn More

Target

Location: South Africa
Date Breach First Reported:5/24/2018

Incident

Method: Other
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On May 23, ViewFines, an online traffic website, suffered a major data breach involving the personal records of 934,000 South African drivers. The leak was the result of the company's faulty practice of creating a temporary backup on a publicly viewable directory. A week after the incident, the company sent warning emails to all of its users about the breach.

Mexican Bank Theft

May 12

Banco de Mexico warned a dozen banks to upgrade their security following $15 million in fraudulent cash withdrawals from five institutions linked to the central bank’s electronic payments system, SPEI.

Learn More

Target

Location: Mexico
Date Breach First Reported:5/12/2018

Incident

Method: Software vulnerability
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Banco de Mexico warned a dozen banks to upgrade their security following $15 million in fraudulent cash withdrawals from five institutions linked to the central bank’s electronic payments system, SPEI. A vulnerability in third-party software connected to SPEI was used by unknown attackers to get into the system and make a series of fraudulent transactions before cashing out.

The investigators have not made clear whether each victim bank was compromised, or whether the attackers moved between them following the initial breach. It is also unclear whether the gang had insider help to clear large transactions through the banks’ security checks. The incidents delayed legitimate transfers but the central bank said client money and the SPEI infrastructure were unaffected.

Following the thefts, Banco de Mexico set up a new cybersecurity unit and asked its members to move to an in-house, encrypted software with SPEI. The incident came five months after Bancomext, the state-owned trade bank, blocked attempts to siphon off $110 million via a compromise in the network that granted attackers access to the global SWIFT interbank system.

DDoS-for-Hire

April 1

In April 2018, it was revealed that authorities in five countries worked together to take down Webstresser, a DDoS-for-hire site they said was behind up to 6 million attacks around the world over three years.

Learn More

Target

Location: Western Europe
Date Breach First Reported:4/1/2018

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In April 2018, it was revealed that authorities in five countries worked together to take down Webstresser, a DDoS-for-hire site they said was behind up to 6 million attacks around the world over three years. The site was used to launch a coordinated attack on seven UK banks in November 2017, according to the UK’s National Crime Agency. Several people have been arrested, and the U.S. Department of Defense seized the website.

Malaysian Central Bank Attempted SWIFT Heist

March 29

On March 29, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $390 million from the Malaysian Central Bank.

Learn More

Target

Location: Malaysia
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 29, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $390 million from the Malaysian Central Bank.

According to the Malaysian Central Bank no funds were stolen during the incident and the bank's payment systems remained unaffected and operational. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Rapid Raids Jackpotting

March 19

In March 2018, two Venezuelan men were arrested for jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand.

Learn More

Target

Location: United States
Date Breach First Reported:3/18/2018

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In March 2018, two Venezuelan men were arrested for jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand. From February to March, the duo stole $125,000 from four ATMs in Indiana, Kentucky, Wisconsin, and most recently Michigan, where they were apprehended. The pair were sentenced to federal prison in November 2018 for conspiracy to commit bank robbery.

Mabna Iranian Hack on the United States

March 23

Two financial firms were among the various U.S. targets of a hacking group operating under the guise of the Mabna Institute, which used password spraying to access information.

Learn More

Target

Location: United States
Date Breach First Reported:3/23/2018

Incident

Method: Password spraying
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

Two financial firms were among the various U.S. targets of a hacking group operating under the guise of the Mabna Institute, which used password spraying to access information. The actors are accused by the United States of stealing 31 terabytes of academic and commercial information in a campaign dating as far back as 2013. Nine Iranians have been charged by the United States, which claims the group acts on behalf of the Islamic Revolutionary Guard Corps and has imposed sanctions on numerous individuals and companies in the country as a result.

City Union Bank SWIFT Attack

February 18

In February 2018, City Union Bank in India suffered a breach that allowed $1 million to be transferred to a Chinese institution.

Learn More

Target

Location: India
Date Breach First Reported:2/18/2018

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In February 2018, City Union Bank in India suffered a breach that allowed $1 million to be transferred to a Chinese institution. The attackers tried to make three transactions totaling $2 million, sending money to Dubai and Turkey, but were thwarted by City Union Bank and the corresponding bank on the receiving end of the transfer. Two years earlier, attackers attempted but failed to make a $170 million SWIFT transfer out of the Union Bank of India. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

BitGrail Crypto Heist

February 9

On February 9, 2018, BitGrail, a small Italian cryptocurrency exchange, announced that attackers had stolen $170 million in Nano, a cryptocurrency. The identity of the attackers remains unknown.

Learn More

Target

Location: Italy
Date Breach First Reported:02/10/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On February 9, 2018, BitGrail, a small Italian cryptocurrency exchange, announced that attackers had stolen $170 million in Nano, a cryptocurrency. The identity of the attackers remains unknown.

Infraud Gang

February 7

In February 2018, it was revealed that thirty-six people from seven countries had been indicted in the United States for their alleged involvement in the Infraud Organization, which law enforcement officials say sells stolen personal and financial information.

Learn More

Target

Location: Netherlands
Date Breach First Reported:2/7/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In February 2018, it was revealed that thirty-six people from seven countries had been indicted in the United States for their alleged involvement in the Infraud Organization, which law enforcement officials say sells stolen personal and financial information. More than half a billion dollars was lost by the victims, the U.S. Department of Justice said, with a trail going back to October 2010. The organization was said to have more than 10,000 registered members who bought and sold illicit products including malware, data from credit card dumps, and information needed for identity fraud.

Dutch DDoS Attack

January 29

In January, ABN Amro, Rabobank, and ING suffered disruptions to online and mobile banking services, while the Dutch tax authority website was taken down for several minutes.

Learn More

Target

Location: Netherlands
Date Breach First Reported:1/29/2018

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In January, ABN Amro, Rabobank, and ING suffered disruptions to online and mobile banking services, while the Dutch tax authority website was taken down for several minutes. Initial reports raised concerns of a Russian connection to the attack, as it came a week after a media report that Dutch intelligence agents had infiltrated the Russian threat group APT 29. However, an eighteen-year-old from the Dutch city of Oosterhout was arrested in February for the attack, having claimed online that he bought a “stresser” tool for €40 that enabled him to send a deluge of traffic to victim websites.

Coincheck Crypto Heist

January 26

On January 26, 2018, $534 million worth of NEM, a cryptocurrency was stolen from Coincheck, a Japanese cryptocurrency exchange, forcing Coincheck to freeze all transactions.

Learn More

Target

Location: Japan
Date Breach First Reported: 01/26/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On January 26, 2018, $534 million worth of NEM, a cryptocurrency was stolen from Coincheck, a Japanese cryptocurrency exchange, forcing Coincheck to freeze all transactions.

In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. NEM Foundation president Lon Wong called the incident, “the biggest theft in the history of the world.” Group-IB, a Singapore-based security firm, also attributed the theft to Lazarus, a group of North Korean hackers, in October 2018.

National Bank of Kenya Fraud

January 17

On January 17, fraudsters stole Sh29 million from the National Bank of Kenya.

Learn More

Target

Location: Kenya
Date Breach First Reported:09/21/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On January 17, fraudsters stole Sh29 million from the National Bank of Kenya. The bank has noted that the attempted fraud was frustrated by the system's monitoring and security platforms, and that they were confident they could recover the siphoned funds.

Bancomext Attempted SWIFT Heist

January 9

On January 9, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $110 million from Bancomext, Mexico’s state-owned trade bank, but the money was ultimately recovered.

Learn More

Target

Location: Mexico
Date Breach First Reported:08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On January 9, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $110 million from Bancomext, Mexico’s state-owned trade bank, but the money was ultimately recovered. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Costa Rican Financial Institution Attempted Theft

January 1

In January 2018, attackers attempted to steal $19 million from a private Costa Rican financial institution.

Learn More

Target

Location: Costa Rica
Date Breach First Reported: 08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In January 2018, attackers attempted to steal $19 million from a private Costa Rican financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

In a submission to the United Nations Security Council Panel of Experts, the Costa Rican government confirmed that an investigation was launched by the Office of the Public Prosecutor’s Division on Fraud.

2017

NiceHash Crypto Heist

December 6

On December 6, 2017, approximately $70 million was stolen from NiceHash, a Slovenian cryptocurrency mining service.

Learn More

Target

Location: Slovenia
Date Breach First Reported:12/06/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On December 6, 2017, approximately $70 million was stolen from NiceHash, a Slovenian cryptocurrency mining service. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.

Youbit Hacked

December 1

On December 19, 2017, YouBit, a South Korean cryptocurrency exchange, was hacked for the second time that year and had 17 percent of it's digital currency stolen by attackers, which forced it to stop trading.

Learn More

Target

Location: South Korea
Date Breach First Reported:12/19/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

On December 19, 2017, YouBit, a South Korean cryptocurrency exchange, was hacked for the second time that year and had 17 percent of it's digital currency stolen by attackers, which forced it to stop trading. It later declared bankruptcy as a result. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Paradise Papers

November 5

In November 2017, an unknown whistle-blower leaked a trove of secret records on offshore companies to the German newspaper Süddeutsche Zeitung, which shared the details with 380 journalists around the world.

Learn More

Target

Location: Multiple
Date Breach First Reported:11/5/2017

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In November 2017, an unknown whistle-blower leaked a trove of secret records on offshore companies to the German newspaper Süddeutsche Zeitung, which shared the details with 380 journalists around the world. The Paradise Papers, covering the law firm Appleby’s business as far back as 1950, shone a light on offshore tax affairs in thirty jurisdictions, including Bermuda and the Cayman Islands, the heart of the global hedge fund industry. Appleby has said it was the victim of a cyber attack, alleging the intruder “deployed the tactics of a professional hacker.” The breach came just over a year after the Panama Papers, documents from law firm Mossack Fonseca that were leaked to the same newspaper.

South African Hosting Platform Breach

November 1

In early November, Hetzner, one of South Africa’s largest hosting companies, was hacked, exposing hundreds of thousands of domain names, bank account details, and other personal information.

Learn More

Target

Location: South Africa
Date Breach First Reported:11/6/2017

Incident

Method: SQL injection
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In early November, Hetzner, one of South Africa’s largest hosting companies, was hacked, exposing hundreds of thousands of domain names, bank account details, and other personal information. Although hackers did not gain access to credit card information, the incident did leave many organizations vulnerable to bad actors who could gain control of their websites. An SQL injection vulnerability was identified and fixed.

South Korean Crypto Heist Thwarted

October 10

In October 2017, the Korean Internet Security Agency thwarted an attack on 10 cryptocurrency exchanges in South Korea.

Learn More

Target

Location: South Korea
Date Breach First Reported:12/15/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In October 2017, the Korean Internet Security Agency thwarted an attack on 10 cryptocurrency exchanges in South Korea. The attack used sophisticated Business Email Compromise. South Korean media reported the attack was carried out by DPRK-affiliated hackers.

Far Eastern International Bank

October 1

In October 2017, Far Eastern International Bank in Taiwan became the victim of a $14 million theft when hackers planted malware in the company’s systems to access a SWIFT terminal, which was then used to make fraudulent transfers.

Learn More

Target

Location: Taiwan
Date Breach First Reported:10/1/2017

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In October 2017, Far Eastern International Bank in Taiwan became the victim of a $14 million theft when hackers planted malware in the company’s systems to access a SWIFT terminal, which was then used to make fraudulent transfers. The attackers used an unusual ransomware variant named Hermes, but this was likely a distraction for their main objective of using administrative credentials to move funds to Cambodia, the United States, and Sri Lanka. The attack is suspected of being performed by a group that has repeatedly intruded on bank networks to carry out thefts. Most of the stolen money was recovered, and two men were arrested in Sri Lanka after they attempted to withdraw funds. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Tunisian Financial Institution Attempted Theft

October 10

In October 2017, attackers attempted to steal $60 million from a Tunisian financial institution.

Learn More

Target

Location: Tunisia
Date Breach First Reported:08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In October 2017, attackers attempted to steal $60 million from a Tunisian financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Coinis Crypto Heist

September 23

On September 23, 2017, virtual currency was stolen from Coinis, a South Korean cryptocurrency exchange, worth an estimate $2.19 million according to reports.

Learn More

Target

Location: South Korea
Date Breach First Reported:09/23/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On September 23, 2017, virtual currency was stolen from Coinis, a South Korean cryptocurrency exchange, worth an estimate $2.19 million according to reports. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. In December 2017, South Korean newspaper Chosun Ilbo reported that the South Korean government has attributed the attack to DPRK-affiliated actors.

SEC Edgar Hack

September 21

The Securities and Exchange Commission announced in September 2017 that hackers might have accessed inside information from the Edgar database, which contains market-sensitive filings for companies listed on U.S. stock exchanges, and used it to make illegal profits on share trades.

Learn More

Target

Location: United States
Date Breach First Reported:9/21/2017

Incident

Method: Software vulnerability
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

The Securities and Exchange Commission announced in September 2017 that hackers might have accessed inside information from the Edgar database, which contains market-sensitive filings for companies listed on U.S. stock exchanges, and used it to make illegal profits on share trades. The commission did not realize the intrusion, which took place in 2016 through a software vulnerability in a test filing component, could have leaked company secrets until August 2017. The identity of the hackers is unknown, although reports have suggested the perpetrators are based in Eastern Europe.

Equifax Hack

September 7

In one of the biggest data breaches on record, the credit reporting agency Equifax announced in October 2017 that more than 150 million customer records had been compromised, including some sensitive data such as birth dates and 12,000 U.S. social security numbers.

Learn More

Target

Location: United States
Date Breach First Reported: 9/7/2017

Incident

Method: Web app vulnerability
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In one of the biggest data breaches on record, the credit reporting agency Equifax announced in October 2017 that more than 150 million customer records had been compromised, including some sensitive data such as birth dates and 12,000 U.S. social security numbers. According to the U.S. government indictments, the breach was carried out by the Chinese People’s Liberation Army (PLA) exploiting a bug in an Apache Struts web application that the company had failed to patch.

The attackers scanned Equifax’s estate for the vulnerability and gained access to the application, an online dispute portal, days after the bug was made public in March—but did not take any data for several months. Once inside the network, the attackers found unencrypted usernames and passwords for other databases, spent seventy-six days on the network, eventually accessing forty-eight different datasets.

Equifax has spent $439 million on redressing the data loss and, a year after disclosure, its share price remained below the pre-breach level. However, the company has avoided fines from the banking regulators in eight U.S. states after agreeing to a deal in June 2018 to improve its cybersecurity oversight.

On February 10 2020, the U.S. Department of Justice indicted four members of the Chinese People’s Liberation Army (PLA) for a targeted intrusion into the networks of Equifax, a credit reporting agency in the United States. The indictment states that the attackers were targeting the private data of millions of Americans, along with Equifax trade secrets, such as ‘data compilations and database plans’. The indictment lists the operators’ affiliation with the 54th Research Institute, formerly part of the PLA and now part of the PLA Strategic Support Force (SSF).

PesaLink Attempted Hack

August 31

In late August 2017, PesaLink, a jointly-owned payment transfer platform used widely by Kenya's commercial banks, was the victim of a cyberattack.

Learn More

Target

Location: Kenya
Date Breach First Reported:9/1/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In late August 2017, PesaLink, a jointly-owned payment transfer platform used widely by Kenya's commercial banks, was the victim of a cyberattack. An official from the company claimed that the attack was halted successfully and that there was no resulting loss of funds or customer data.

South Korean Monero Cryptojacking

July 15

In the summer of 2017, a South Korean company’s server was hijacked by attackers and made to mine 70 Monero coins, a cryptocurrency, worth approximately $25,000.

Learn More

Target

Location: South Korea
Date Breach First Reported:08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In the summer of 2017, a South Korean company’s server was hijacked by attackers and made to mine 70 Monero coins, a cryptocurrency, worth approximately $25,000. The South Korean Financial Stability Institute attributed the theft to DPRK-affiliated group Andarial in January 2018, and in August 2019, the UN Security Council Panel of Experts also indicated DPRK-affiliated actors were behind the theft.

BitHumb Crypto Heist #2

June 29

In February 2017, at least $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange.

Learn More

Target

Location: South Korea
Date Breach First Reported: 06/29/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On June 29, approximately $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange for the second time in four months. The South Korean National Intelligence Services attributed the theft to the DPRK, and in August 2019, the UN Security Council Panel of Experts also indicated DPRK-affiliated actors were behind the theft.

The attackers gained access to an employee’s personal computer. From there they managed to exfiltrate the details of 3% of the platforms total users including names, emails and phone numbers. The company stated they would compensate customers affected.

YouBit Crypto Heist

April 22

On April 22, 2017, approximately $5.6 million in cryptocurrency was stolen from YouBit, a South Korean cryptocurrency exchange then named Yapizon.

Learn More

Target

Location: South Korea
Date Breach First Reported:12/05/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On April 22, 2017, approximately $5.6 million in cryptocurrency was stolen from YouBit, a South Korean cryptocurrency exchange then named Yapizon. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. Group-IB, a Singapore-based security firm, also attributed the theft to Lazarus, a group of North Korean hackers, in October 2018.

BitHumb Crypto Heist #1

February 1

In February 2017, at least $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange.

Learn More

Target

Location: South Korea
Date Breach First Reported: 12/05/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In February 2017, at least $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange. The hackers also stole PII from 30,000 customers.

In December 2017, the South Korean government attributed the attack to North Korea. In January 16, 2018, Recorded Future, a security firm known for analyzing state-sponsored attacks, attributed the attack to the Lazarus Group in the North Korean government. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.

2016

Russian Banks DDoS Attack

December 2

In December 2016, after a number of DDoS attacks on Russian banks throughout the previous month, the Russian Federal Security Service (FSB) announced that it had discovered pending cyber attacks intended to impact a range of major Russian banks.

Learn More

Target

Location: Russia
Date Breach First Reported: 12/2/2016

Incident

Method: DDOS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In December 2016, after a number of DDoS attacks on Russian banks throughout the previous month, the Russian Federal Security Service (FSB) announced that it had discovered pending cyber attacks intended to impact a range of major Russian banks. Servers and command centers purportedly to be used in these attacks were located in the Netherlands and owned by BlazingFast, a Ukrainian hosting company. BlazingFast said it had no information about the asserted attack and that it was unable to find any malicious data. The Dutch Ministry of Security and Justice said that it was aware its infrastructure could be used for cyber attacks elsewhere, and that if the Russian authorities decided to investigate, the Dutch investigating authorities would provide assistance.

On December 9, Rostelecom, Russia’s telecom operator, said in a statement that it had blocked DDoS attacks against the five biggest banks and financial institutions in Russia on December 5. They reached a peak volume of 3.2 million packets per second, which is low compared to the volume of other recent DDoS attacks. The statement further noted that part of the DDoS attacks involved a botnet similar to that used in prior weeks against Germany’s Deutsche Telekom and Ireland’s Eircom, exploiting a vulnerability in home routers. No perpetrators were identified, though the FSB claimed that it was organized by foreign intelligence services and speculated it had been done on behalf of Ukraine, due to the servers’ location and ownership. The FSB stated that it expected the DDoS attacks to be accompanied by text messages, agitating social network publications, and blog statements about a “crisis in the Russian credit and financial system, bankruptcy and withdrawal of licenses of leading federal and regional banks,” and that “the campaign [would be] directed against several dozen Russian cities.” Presumably, this would be an attempt to create a run on Russian banks, initiating a financial crisis. No evidence exists that such action, complementary to the DDoS attacks, was attempted.

Insider Trading Hack

December 1

In late 2016, the Securities and Exchange Commission (SEC) sued three Chinese traders, arguing that they had installed malware on the networks of two law firms to steal confidential, market-moving information on mergers and acquisitions.

Learn More

Target

Location: United States
Date Breach First Reported:12/1/2016

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In late 2016, the Securities and Exchange Commission (SEC) sued three Chinese traders, arguing that they had installed malware on the networks of two law firms to steal confidential, market-moving information on mergers and acquisitions. The men were ordered to pay $8.9 million in penalties, and the trio were also indicted on criminal charges, which are ongoing. Hong Kong refused a request to extradite one of the men to the United States in 2017.

Tesco Bank Card Theft

November 5

Tesco Bank, a retail bank based in the UK, was the target of thieves who used vulnerabilities in its card issuing process to guess bank card numbers and steal £2.26 million in November 2016.

Learn More

Target

Location: United Kingdom
Date Breach First Reported: 11/5/2016

Incident

Method: Card number guessing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Tesco Bank, a retail bank based in the UK, was the target of thieves who used vulnerabilities in its card issuing process to guess bank card numbers and steal £2.26 million in November 2016. The unknown attackers likely used an algorithm to generate bank card numbers that used Tesco’s identifying numbers at the start and conformed to the industry-wide Luhn validation scheme that helps protect against accidental errors.

There are around 1 billion possible card numbers for each bank, but regulators have said Tesco Bank’s cards had deficiencies, such as sequential card numbers, that made guessing the full numbers easier. The bank only used basic checks to assess whether cards were genuine, for example merely inspecting whether the debit card would expire in the future instead of making sure the exact expiration date matched its records.

Visa and Mastercard had both previously warned of an increase in the type of fraud seen in this case, which used the magnetic strip to verify the transaction. On November 5, 2016, as the weekend began, the gang started making fraudulent transactions with the card details it had calculated. Almost 9,000 accounts were affected, or 6.6 percent of the bank’s entire customer base. One customer had twenty-two fraudulent transactions totaling £65,000 on his account.

Tesco Bank halted all online and contactless transactions after a day of struggling to block all the fake purchases reported in the United States, Spain, and Brazil. In October 2018, Tesco was fined £16.4 million by the UK’s Financial Conduct Authority for deficiencies in its bank card policies and its response to the incident.

Liberia Mirai Botnet Attack

October 31

On October 31, a distributed denial-of-service attack was launched against Lonestar MTN, a Liberian network provider.

Learn More

Target

Location: Liberia
Date Breach First Reported: 11/4/2016

Incident

Method: DDoS
Type: Disruption

Actor

Type: Non-state actor
Attribution: High confidence

Description

On October 31, a distributed denial-of-service attack was launched against Lonestar MTN, a Liberian network provider. The DDos attack employed the now infamous internet-of-things Mirai botnet to crash large segments of the country's internet. A British hacker named Daniel Kaye was eventually sentenced for the crime after claiming to have been funded by a senior official at Cellcom, another Liberian network provider, to disrupt its competitor Lonestar.

Indian ATM Breach

October 20

In mid-2016, a number of Indian banks replaced or changed security codes on 3.25 million debit cards after uncovering a breach in Hitachi’s payment switch systems, which link into the ATM network.

Learn More

Target

Location: India
Date Breach First Reported:10/20/2016

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In mid-2016, a number of Indian banks replaced or changed security codes on 3.25 million debit cards after uncovering a breach in Hitachi’s payment switch systems, which link into the ATM network. Visa, Mastercard, and India’s Rupay cards were all affected by the compromise.

Union Bank of India Attempted SWIFT Heist

July 21

On July 21, 2016, attackers attempted to use fraudulent SWIFT transactions to steal $170 million from the Union Bank of India (UBI), but the money was ultimately recovered within three days after the transactions were flagged.

Learn More

Target

Location: India
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On July 21, 2016, attackers attempted to use fraudulent SWIFT transactions to steal $170 million from the Union Bank of India (UBI), but the money was ultimately recovered within three days after the transactions were flagged.

Multiple security firms noted the attackers used tactics and techniques similar to the Bangladesh heist four months previously. The attackers sent the money to accounts in Thailand, Cambodia, Australia, Hong Kong and Taiwan, and those accounts belonged to shell companies associated with Chinese-organized crime syndicates. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft of UBI.

Nigerian Bank Attempted SWIFT Heist

July 1

In July 2016, attackers attempted to use fraudulent SWIFT transactions to steal $100 million from a Nigerian bank, but the money was ultimately recovered.

Learn More

Target

Location: Nigeria
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In July 2016, attackers attempted to use fraudulent SWIFT transactions to steal $100 million from a Nigerian bank, but the money was ultimately recovered.

The attackers initiated fraudulent SWIFT transactions of $100 million from the unnamed Nigerian Bank to bank accounts in Asia, similar to the techniques seen in the 2016 Bangladesh heist. The funds were later returned at the request of the Nigerian bank. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attack on the Nigerian bank, referencing the “African Bank” named in the U.S. Department of Justice 2018 indictment of Park Jin Hyok.

Standard Bank Theft

May 5

On May 15, 2016, attackers stole $19 million from South Africa’s Standard Bank by making 14,000 withdrawals over 3 hours from 1,700 ATMs across Japan.

Learn More

Target

Location: South Africa, Japan
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On May 15, 2016, attackers stole $19 million from South Africa’s Standard Bank by making 14,000 withdrawals over 3 hours from 1,700 ATMs across Japan.

UN Security Council Panel of Experts indicated in August 2019 that DPRK-affiliated actors were behind the attack. According to the Japanese government, the attackers used forged cards with data of roughly 3,000 pieces of customer information stolen from Standard Bank to withdraw cash from ATMs located in Tokyo and 16 prefectures across Japan. 260 suspects, including organized crime group members, have been arrested as of July 2019.

Central Banks DDoS Attack

May 4

In May 2016, hacktivists briefly took down the Bank of Greece’s website, and later did the same to the central banks of Mexico, Panama, Kenya, and Bosnia and Herzegovina.

Learn More

Target

Location: Panama, Greece, Mexico, Kenya, Bosnia and Herzegovina
Date Breach First Reported:5/4/2016

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In May 2016, hacktivists briefly took down the Bank of Greece’s website, and later did the same to the central banks of Mexico, Panama, Kenya, and Bosnia and Herzegovina. Anonymous claimed responsibility as part of Operation Icarus, a campaign against central banks.

Panama Papers

April 3

In April 2016, an anonymous source leaked 2.6 terabytes of information from the Panamanian law firm Mossack Fonseca to the German newspaper Süddeutsche Zeitung.

Learn More

Target

Location: Panama
Date Breach First Reported:4/3/2016

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In April 2016, an anonymous source leaked 2.6 terabytes of information from the Panamanian law firm Mossack Fonseca to the German newspaper Süddeutsche Zeitung. The journalists shared the 11.5 million leaked documents with a dozen global news organizations to simultaneously print stories about the money-laundering, tax affairs, and financial secrecy within. The revelations had far-reaching effects, including the resignation of the Icelandic prime minister, a number of tax evasion investigations, and the closure of Mossack Fonseca.

Belgian National Bank Incident

February 22

On February 22, 2016, a hacking group called DownSec Belgium shut down the website for Belgium’s National Bank for most of the morning using DDoS attacks.

Learn More

Target

Location: Belgium
Date Breach First Reported:2/22/2016

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On February 22, 2016, a hacking group called DownSec Belgium shut down the website for Belgium’s National Bank for most of the morning using DDoS attacks. Little information has been reported about the attack, but it followed similar DDoS attacks by the same group against the websites for the Belgian Federal Agency for Nuclear Control, the country’s Crisis Center, and its federal cyber emergency team. DownSec Belgium claims to fight against corrupt government abuses.

Bangladesh Bank SWIFT Hack

February 1

In February 2016, media outlets reported that hackers had breached the network of the Bangladesh central bank and sent thirty-five fraudulent transfer requests to the Federal Reserve Bank of New York, totaling nearly $1 billion.

Learn More

Target

Location: Bangladesh
Date Breach First Reported: 2/1/2016

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In February 2016, media outlets reported that hackers had breached the network of the Bangladesh central bank and sent thirty-five fraudulent transfer requests to the Federal Reserve Bank of New York, totaling nearly $1 billion. Four of these fraudulent requests succeeded, and the hackers were able to transfer $81 million to accounts in the Philippines, representing one of the largest bank thefts in history. A fifth request for $20 million to be sent to an account in Sri Lanka was stopped due to the recipient’s name, Shalika Foundation, being misspelled “fandation.” The remaining transfers, which totaled somewhere between $850 and $870 million, were also stopped before they could be completed due to a stroke of good fortune: the name of the destination bank branch included the word “Jupiter,” which was the name of an unrelated company on a sanctions blacklist. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

The hackers had introduced malware onto the Bangladesh central bank’s server and deployed keylogger software that allowed them to steal the bank’s credentials for the SWIFT system. The hackers also custom-designed a malware toolkit that compromised SWIFT’s Alliance Access system and was designed to cover their tracks. This toolkit allowed them to delete records of transfer requests, bypass validity checks, delete records of logins, manipulate reporting of balances, and stop attached printers from printing transaction logs. Although the malware was custom-designed to steal from the Bangladesh central bank, the toolkit could potentially be used against other banks in the SWIFT system running Alliance Access software.

The intruders had monitored the bank’s routine activity in order to create money transfer requests that appeared genuine. Furthermore, they timed the thefts so that it would be the weekend in Bangladesh when the Federal Reserve reached out to confirm the transactions, and then it would be the weekend in New York when the Bangladesh central bank employees instructed the Federal Reserve to cancel the transactions. "

2015

Guatemalan Financial Institution Theft

December 01

In December 2015, attackers stole $16 million from a Guatemalan financial institution.

Learn More

Target

Location: Guatemala
Date Breach First Reported:08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In December 2015, attackers stole $16 million from a Guatemalan financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Greek Banks DDoS Attack

November 30

In late 2015, hackers threatened to disable systems at three Greek banks unless they paid a bitcoin ransom.

Learn More

Target

Location: Greece
Date Breach First Reported:11/30/2015

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In late 2015, hackers threatened to disable systems at three Greek banks unless they paid a bitcoin ransom. When the banks refused, they had their sites repeatedly knocked out for several hours. The group claiming responsibility for the extortion said it was part of the Armada Collective, which had previously targeted numerous businesses including Cloudflare and Proton Mail, although some investigators believed it might have been a copycat attack using the same name. Some suspected original members of the collective were arrested in Europol’s Operation Pleiades in January 2016, which targeted the group DDoS4Bitcoin that has been active since mid-2014.

Swedbank and Nordea DDoS Attack

November 6

In November 2015, a teenager was sentenced to community service after carrying out four DDoS attacks against Nordea and Swedbank.

Learn More

Target

Location: Denmark, Sweden
Date Breach First Reported:11/6/2015

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In November 2015, a teenager was sentenced to community service after carrying out four DDoS attacks against Nordea and Swedbank. The attacks blocked customers from the banks’ websites for hours at a time. The perpetrator’s lawyers said he was “drawn into a circus” where online groups would test the power of botnets.

Shanghai Composite Index Suspected Manipulation

June 12

Beginning on June 12, 2015, the Shanghai Composite Index began to plummet, and by June 19 it had fallen by 13 percent.

Learn More

Target

Location: China
Date Breach First Reported:6/12/2015

Incident

Method: Unknown
Type: Data breach, disruption

Actor

Type: Unknown
Attribution: Unknown

Description

Beginning on June 12, 2015, the Shanghai Composite Index began to plummet, and by June 19 it had fallen by 13 percent. Chinese stock markets continued to fall throughout July and August, and again in January and February 2016. Although there is no public evidence, some have speculated that the initial sudden crash may have been caused by a cyber attack.

Tien Phong Commercial Joint Stock Bank

May 15

In May 2015, the Vietnamese bank Tien Phong announced it had blocked a fraudulent SWIFT transaction worth €1m several months before attackers successfully stole from the Bank of Bangladesh using the same method.

Learn More

Target

Location: Vietnam
Date Breach First Reported:5/15/2015

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In May 2015, the Vietnamese bank Tien Phong announced it had blocked a fraudulent SWIFT transaction worth €1m several months before attackers successfully stole from the Bank of Bangladesh using the same method. Tien Phong did not name the bank that had been the source of the fraudulent transfer request.

Dyre Wolf Campaign

April 2

In April 2015, a threat group twinned malware with a sophisticated social engineering tactic to steal more than $1 million from businesses.

Learn More

Target

Location: Multiple
Date Breach First Reported:4/2/2015

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In April 2015, a threat group twinned malware with a sophisticated social engineering tactic to steal more than $1 million from businesses. A variant of Dyre malware named Upatre, which spread through victims’ email contacts, was used to block hundreds of bank websites on the victim’s device. The victim was then prompted to call a helpline number—actually staffed by a member of the gang who would then harvest the victim’s banking credentials and subsequently make fraudulent wire transfers.

Health Insurer Hacks

February 4

In February 2015, reports indicated that records for almost 80 million customers were stolen from Anthem, a U.S. healthcare insurer, after attackers deployed a spearphishing email that gave access to ninety of the company’s systems, including its back-end database.

Learn More

Target

Location: United States
Date Breach First Reported:2/4/2015

Incident

Method: Phishing
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In February 2015, reports indicated that records for almost 80 million customers were stolen from Anthem, a U.S. healthcare insurer, after attackers deployed a spearphishing email that gave access to ninety of the company’s systems, including its back-end database. The stolen data was taken over the course of several weeks and included personal information, such as social security numbers. A subsequent report by the California Department of Insurance pointed to a national government as the likely culprit for the attack, and suggested the initial breach occurred in February 2014, meaning Anthem was exposed for a year before the compromise was discovered. Anthem ended up settling a lawsuit relating to the data loss for $115 million. Several weeks after the incident was disclosed, fellow insurer Premera Blue Cross announced that around 11 million customer accounts had been compromised by attackers, and rival CareFirst admitted 1.1 million current and former members may have had their information stolen. Some researchers believe the thefts were carried out by the same group. In September 2015, Excellus announced a data loss, with 10 million customers’ data exposed by a breach that initially occurred in December 2013.

Ecuadorian Banco del Austro

January 12

In early 2015, a bank in Ecuador was the first known victim in a series of multimillion dollar heists that used compromised payments systems to then transfer funds over the SWIFT interbank messaging network.

Learn More

Target

Location: Ecuador
Date Breach First Reported: 1/12/2015

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In early 2015, a bank in Ecuador was the first known victim in a series of multimillion dollar heists that used compromised payments systems to then transfer funds over the SWIFT interbank messaging network. In January 2015, thieves transferred $12 million out of Banco del Austro and routed most of the proceeds to twenty-three companies registered in Hong Kong.

The same method has been used in several thefts in the preceding years including the $81 million Bank of Bangladesh heist in 2016. If an attacker manages to gain access to a bank’s SWIFT terminal, the system can be used to ask other banks to transfer funds. Banco del Austro said it recovered around $2.8 million of the stolen money. The heist came to light in a lawsuit Banco brought against Wells Fargo, which it alleged failed to spot red flags when it approved the fraudulent transaction. The litigation was settled in February 2018 but no details were disclosed.

Metel Malware Attack on Russian Banks

January 1

The Metel banking Trojan, which was discovered in 2011, was repurposed by a criminal gang in 2015 to steal directly from bank ATMs and even manipulate the Russian exchange rate.

Learn More

Target

Location: Russia
Date Breach First Reported:1/1/2015

Incident

Method: Multiple: malware, phishing and browser vulnerabilities
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

The Metel banking Trojan, which was discovered in 2011, was repurposed by a criminal gang in 2015 to steal directly from bank ATMs and even manipulate the Russian exchange rate. The group used spearphishing emails or browser vulnerabilities to deliver Metel, also known as Corcow, and access the bank’s systems before pivoting into areas that allowed them to roll back ATM transactions. This meant they could withdraw unlimited amounts of money, automatically resetting the account balance after each transaction. Researchers at Kaspersky, who first reported on the operation, said the gang comprised fewer than ten members and had made no infections outside Russia. In February 2015, Energobank fell victim to a Metel infection that allowed attackers to place some $500 million in currency orders, sending the ruble swinging with extreme volatility between 55 and 66 rubles per dollar for a period of fourteen minutes. However, there is no evidence the attackers profited from the movement. Metel had infected 250,000 devices and more than 100 financial institutions in 2015, according to researchers at Group IB.

2014

Gautrain Management Agency Insider Threat Thwarted

November 1

In November 2014, the Hawks (South Africa’s Directorate for Priority Crime Investigation) thwarted an insider attempt to defraud the Gautrain Management Agency (GMA), a roads and transportation agency of Gauteng Province.

Learn More

Target

Location: South Africa
Date Breach First Reported:11/12/2014

Incident

Method: Insider threat
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In November 2014, the Hawks (South Africa’s Directorate for Priority Crime Investigation) thwarted an insider attempt to defraud the Gautrain Management Agency (GMA), a roads and transportation agency of Gauteng Province. The attempted theft could have cost the agency up to R800 million. One of the criminals was identified as a rogue employee who had installed key-loggers and programs to override the security measures in an effort to steal financial information.

Tyupkin ATM Malware

October 7

In October 2014, reports revealed that criminals had written malware to infect Windows-based ATMs and steal millions from machines primarily in Eastern Europe.

Learn More

Target

Location: Eastern Europe
Date Breach First Reported:10/7/2014

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In October 2014, reports revealed that criminals had written malware to infect Windows-based ATMs and steal millions from machines primarily in Eastern Europe. The malware, dubbed Tyupkin, was spread by a CD and once installed it laid low, only accepting commands on Sunday and Monday nights. Mules could type in a randomly generated key allowing them to withdraw 40 banknotes. Similar to the Ploutus campaign in Latin America, the Tyupkin group had an organized gang of mules to access the ATMs and collect the money. Eight Romanian and Moldovan nationals were arrested in connection with the scheme in January 2016.

Warsaw Stock Exchange Breach

October 1

In October 2014, a group claiming to be affiliated with the so-called Islamic State hacked the internal networks of the Warsaw Stock Exchange and posted dozens of login credentials for brokers online.

Learn More

Target

Location: Poland
Date Breach First Reported:10/1/2014

Incident

Method: Unknown
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In October 2014, a group claiming to be affiliated with the so-called Islamic State hacked the internal networks of the Warsaw Stock Exchange and posted dozens of login credentials for brokers online. The means by which the group gained access to the exchange’s networks are unknown, but they were reportedly able to infiltrate an investment simulator and a web portal for managing the stock exchange’s upgrade to a new trading system, as well as render the exchange’s website unavailable for two hours. The exchange’s employees say that the trading system itself was not breached. NATO officials later indicated privately that they believed that the hacking group’s claim of being affiliated with Islamic militants was a false flag operation, and that in fact the breach was conducted by APT 28, a group widely believed by security researchers to be affiliated with the Russian government.

JPMorgan Chase Data Breach

August 1

In August 2014, the first reports emerged that account information and home addresses for 83 million customers were exposed after attackers stole login credentials from a JPMorgan Chase employee.

Learn More

Target

Location: United States
Date Breach First Reported: 8/1/2014

Incident

Method: Stolen password
Type: Data breach

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In August 2014, the first reports emerged that account information and home addresses for 83 million customers were exposed after attackers stole login credentials from a JPMorgan Chase employee. The group entered the network through a single-factor authentication server that had not been upgraded with the rest of the firm’s estate, before gaining access to more than ninety bank servers for several months. However, the bank said the attackers had not accessed more sensitive information, such as social security numbers.

JPMorgan discovered the breach after reportedly finding the same group on a website for a charity race that it sponsors. The size of the incident prompted the National Security Agency and the FBI to join the investigation. Other companies targeted in the attacks included Dow Jones, Fidelity, E*Trade, and Scottrade. The U.S. authorities believe the harvested information was used in securities fraud, money laundering, credit-card fraud, and fake pharmaceuticals.

Nine people so far have been charged in the ongoing probe. A Russian national was extradited from Georgia to the United States in September 2018, although he denied that he was the central hacker in the attacks. The federal authorities in New York said the man worked with an international syndicate from 2012 to 2015 to steal customer information, which was used in numerous crimes including a spam email campaign to falsely tout stocks and shares to ramp up the price. In September 2019, he pleaded guilty to six felony charges in connection with the data breach and other cybercrimes, and he faces up to a lifetime in prison.

In January 2017, a Florida man pleaded guilty to charges linked to funds processed through Coin.mx, an unlicensed bitcoin exchange owned by an Israeli who the United States has alleged masterminded the information stealing campaign. The supposed ringleader was extradited to the United States in 2016 and, according to media reports, entered a plea deal with prosecutors."

European Central Bank

July 24

In July 2014, the European Central Bank (ECB) announced that hackers had breached the security of a database holding email addresses and other contact data submitted by people registering for events at the bank.

Learn More

Target

Location: Eastern Europe, Western Europe
Date Breach First Reported: 7/24/2014

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In July 2014, the European Central Bank (ECB) announced that hackers had breached the security of a database holding email addresses and other contact data submitted by people registering for events at the bank. The ECB said most