Timeline of Cyber Incidents Involving Financial Institutions

Since 2016, there have been growing concerns about cybersecurity risks to the financial system prompting the G20 finance ministers and central bank governors to warn in March 2017 that “the malicious use of Information and Communication Technologies could . . . undermine security and confidence and endanger financial stability.” Financial institutions have always been attractive targets at the center of malicious cyber and fraudulent activity since the internet started to expand worldwide. But the threat landscape has been getting worse with nation-states increasingly joining the mix and with the resulting damage escalating, from theft to disruption and destruction.

To keep track of the evolution of the threat landscape involving financial institutions, Carnegie’s Cyber Policy Initiative developed this timeline of cyber incidents targeting financial institutions in association with the Cyber Threat Intelligence unit of BAE Systems. The timeline dates back to 2007 and is updated regularly based on data BAE Systems provides to Carnegie. The timeline has not been designed to cover every single incident but rather to provide insight into key trends and how the threat landscape is evolving over time.

2019

Indian ATMs Targeted with ATMDtrack Malware

September 23

On September 23, security researchers reported that North Korean hackers had developed and inserted malware to steal payment information from Indian ATMs and banking institutions.

Target

Location: India
Date Breach First Reported: 9/23/2019

Incident

Method: Malware
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

On September 23, security researchers reported that North Korean hackers had developed and inserted malware to steal payment information from Indian ATMs and banking institutions. The malware, known as ATMDtrack, began appearing on networks during the summer of 2018 and is thought to be attributable to Lazarus Group, a hacking group that has targeted banks, ATMs, and cryptocurrency exchanges in order to fund North Korea's weapons of mass destruction program.

ECB BIRD Site Data Breach

September 16

On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack compromising the information of the site’s newsletter subscribers.

Target

Location: Europe
Date Breach First Reported: 9/16/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack compromising the information of the site’s newsletter subscribers. The ECB reported that no market-sensitive data was compromised in the attack, and it planned to contact the 481 individuals whose names, email addresses, and titles may have been accessed by hackers.

Himalayan ATM Heist

September 2

On September 2, Nepalese police arrested five Chinese nationals in connection with cyberattacks that cost Nepalese banks more than 35 million rupees (over $300,000).

Target

Location: Nepal
Date Breach First Reported: 9/2/2019

Incident

Method: Other
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

On September 2, Nepalese police arrested five Chinese nationals in connection with cyberattacks that cost Nepalese banks more than 35 million rupees (over $300,000). The attackers targeted the Nepal Electronic Payment System, which was established to coordinate cash withdrawals at 17 Nepalese banks, and inserted malware that directed ATMs to process withdrawal requests without first verifying with member banks. Staff at one Nepali bank discovered the theft when ATMs began running out of cash sooner than expected and informed authorities. Police recovered 12.63 million rupees (more than $110,000) during the arrests.

Binance Ransomware

August 6

On August 6, Malta-based cryptocurrency exchange Binance became the victim of ransomware when attackers demanded 300 bitcoin (around $3.5 million at the time) in exchange for a Know Your Customer (KYC) database containing the personal information of around 10,000 users.

Target

Location: Multiple
Date Breach First Reported: 8/6/2019

Incident

Method: Ransomware
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

On August 6, Malta-based cryptocurrency exchange Binance became the victim of ransomware when attackers demanded 300 bitcoin (around $3.5 million at the time) in exchange for a Know Your Customer (KYC) database containing the personal information of around 10,000 users. The KYC database allegedly contained personal identification information and photographs of users with documents like passports. The company contested the authenticity of the documents, claiming that they lacked digital watermarks, refused to pay the ransom, and contacted law enforcement for assistance in pursuing the attacker(s).

Capital One Data Breach

July 29

On July 29, Capital One announced that it had suffered a data breach compromising the credit card applications of around 100 million individuals after a software engineer hacked into a cloud-based server.

Target

Location: United States and Canada
Date Breach First Reported: 7/29/2019

Incident

Method: Other
Type: Data breach/theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On July 29, Capital One announced that it had suffered a data breach compromising the credit card applications of around 100 million individuals after a software engineer hacked into a cloud-based server. The applications contained names, dates of birth, credit scores, contact information, and some American and Canadian social security numbers. The hacker exploited a misconfigured firewall to gain access to a database of personal information hosted by Amazon Web Services. Upon gaining access, the hacker posted about it on GitHub, and an unidentified individual notified Capital One about the presence of the database on GitHub. Authorities arrested one individual in connection with the data theft.

Banco Pan Data Breach

July 25

On July 25, security researchers found a file containing 250GB of personal and financial information, mainly tied to Brazilian financial institution Banco Pan, exposed online.

Target

Location: Brazil
Date Breach First Reported: 7/25/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On July 25, security researchers found a file containing 250GB of personal and financial information, mainly tied to Brazilian financial institution Banco Pan, exposed online. The information, which Banco Pan claims is owned by a commercial partner, contained scans of identification cards and social security cards, proof of address documents, and service request forms.

Jana Bank Data Breach

July 23

On July 23, a security researcher reported that Jana Bank, an Indian small finance bank, left exposed a database containing information on millions of financial transactions.

Target

Location: India
Date Breach First Reported: 7/23/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On July 23, a security researcher reported that Jana Bank, an Indian small finance bank, left exposed a database containing information on millions of financial transactions. The Know Your Customer verification database was not password-protected, allowing anyone to access, alter, or download the information. Jana Bank immediately secured the database upon learning of its exposure.

Remixpoint Inc. Crypto Theft

July 12

On July 12, Remixpoint, a Japanese cryptocurrency exchange, halted services after it discovered the theft of $32 million in digital currencies.

Target

Location: Japan
Date Breach First Reported: 7/12/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 12, Remixpoint, a Japanese cryptocurrency exchange, halted services after it discovered the theft of $32 million in digital currencies. After an error appeared in the exchange’s outgoing funds transfer system, Remixpoint discovered that the funds had been taken from a “hot” wallet (one that is connected to the internet). No funds had been stolen from “cold” wallets (those not connected to the internet). The company promised to investigate the incident and provided no further details.

Crypto Exchange Theft

June 25

On June 25, Europol, British law enforcement, and Dutch law enforcement officials arrested six individuals for cryptocurrency theft amounting to €24 million (over $26 million).

Target

Location: Multiple
Date Breach First Reported: 6/25/2019

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Speculated

Description

On June 25, Europol, British law enforcement, and Dutch law enforcement officials arrested six individuals for cryptocurrency theft amounting to €24 million (over $26 million). The individuals used a technique known as “typosquatting,” in which they duplicated an online cryptocurrency exchange to steal information and gain access to victims’ bitcoin wallets. The attack affected more than 4,000 individuals in at least 12 countries.

Bangladesh Switch System Cyberattack

June 22

In June 2019, at least three private Bangladeshi banks were compromised by major cyberattacks, with one, Dutch Bangla Bank Limited (DBBL), losing as much as TK 25 crore (around $3 million).

Target

Location: Bangladesh
Date Breach First Reported: 6/22/2019

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In June 2019, at least three private Bangladeshi banks were compromised by major cyberattacks, with one, Dutch Bangla Bank Limited (DBBL), losing as much as TK 25 crore (around $3 million). Attackers deployed malware to duplicate DBBL's Switch payment management system, allowing fraudulent financial transactions to be executed undetected. NCC Bank and Prime Bank were also targeted, but both banks reported no financial losses associated with the attack.

First American Financial Corp.

May 24

On May 24, First American Financial Corp. suffered a data breach compromising around 885 million files related to mortgage deeds.

Target

Location: United States
Date Breach First Reported: 5/24/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On May 24, First American Financial Corp. suffered a data breach compromising around 885 million files related to mortgage deeds. The documents, which dated back as far as 2003, contained bank account numbers and statements, mortgage and tax records, social security numbers, wire transaction receipts, and images of drivers' licenses. The documents were accessible to anyone with a web browser because the company used a standard format for document addresses, meaning that anyone with knowledge of at least one document link could access others simply by modifying the digits associated with the record number. Although the company took down the website, many of the pages remained accessible on archive.org. As of August 2019, the U.S. Securities and Exchange Commission had begun an investigation into the data breach.

GozNym Gang Arrested

May 16

On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries dismantled a group of international cyber criminals that used the GozNym malware to steal over $100 million.

Target

Location: Multiple
Date Breach First Reported: 5/16/2019

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actors
Attribution: High confidence

Description

On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries dismantled a group of international cyber criminals that used the GozNym malware to steal over $100 million. The group stole from over 40,000 victims, including the bank accounts of small businesses, law firms, international corporations, and nonprofit organizations. Following a law enforcement investigation across the U.S., Bulgaria, Germany, Georgia, Moldova, and Ukraine, ten members were charged for the crime. The leader of the network was charged in Georgia while another was extradited from Bulgaria to the U.S. to face trial. Although some members of the gang are still on the run, the initial charges have been seen as a success for law enforcement in their efforts to combat international cybercrime.

FirstBank Breach

May 13

In May 2019, a Colorado bank suffered an external security incident resulting in the cancellation and redistribution of customer debit cards.

Target

Location: United States
Date Breach First Reported: 5/13/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In May 2019, a Colorado bank suffered an external security incident resulting in the cancellation and redistribution of customer debit cards. FirstBank, Colorado’s largest locally-owned bank, issued a security notice on May 13 informing customers of the breach and instructing them to report any suspicious behavior. The bank confirmed that the breach did not occur on its online systems but from other merchants where FirstBank customers made transactions.

Retefe Malware Resurfaces in Germany and Switzerland

May 2

In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan in Germany and Switzerland.

Target

Location: Switzerland, Germany
Date Breach First Reported: 5/2/2019

Incident

Method: Malware
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan in Germany and Switzerland. Retefe is a banking Trojan that installs the Tor browser to redirect infected devices to spoofed banking sites. The Trojan is typically delivered through email attachments and often attempts to trick users into downloading spoofed Android mobile applications to bypass two-factor authentication.

In the past, Retefe campaigns have targeted several European countries. In November 2016, Retefe targeted Tesco Bank and other UK financial institutions. In September 2017, an updated version of Retefe leveraged the EternalBlue exploit in a campaign against Swiss targets. Since April, the Trojan has reemerged in German and Swiss banks.

Romanian ATM Skimmer Gang Arrested in Mexico

April 4

On March 31, Mexican law enforcement arrested two senior members of a Romanian cyber criminal group allegedly behind an ATM skimming operation in Mexico.

Target

Location: Mexico
Date Breach First Reported: 4/4/2019

Incident

Method: Skimmer
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On March 31, Mexican law enforcement arrested two senior members of a Romanian cyber criminal group allegedly behind an ATM skimming operation in Mexico. One suspect is believed to be the head of Instacash, a fraudulent ATM service provider operating out of Mexico. The head of Instacash allegedly bribed and coerced ATM technicians to install sophisticated Bluetooth-based skimmers inside competitors’ ATMs, enabling the Romanian cyber criminal group to steal PINs and card data remotely from ATMs throughout popular tourist destinations in Mexico.

Royal Bank of Scotland Security Flaw

March 22

In early 2019, the Royal Bank of Scotland’s (RBS) customer accounts were exposed to a security flaw after introducing a new customer security service.

Target

Location: United Kingdom
Date Breach First Reported: 3/22/2019

Incident

Method: Software vulnerability
Type: N/A

Actor

Type: Unknown
Attribution: Unknown

Description

In early 2019, the Royal Bank of Scotland’s (RBS) customer accounts were exposed to a security flaw after introducing a new customer security service. In January, RBS launched a free endpoint security service for customers in partnership with Danish firm Heimdal Security. While the security service was intended to detect threats and protect RBS customers from attacks, researchers discovered a software flaw that enabled access to customer emails, banking details, and internet history. Heimdal Security has since released an update to fix the security flaw and insisted that only 50,000 computers were affected. They claim that there were no intrusions as a result of the security flaw.

Ursnif Malware Attack on Japanese Banks

March 12

The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign targeting Japanese banks that began in 2016.

Target

Location: Japan
Date Breach First Reported: 3/12/2019

Incident

Method: Malware
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign targeting Japanese banks that began in 2016. Ursnif, also known as Gozi ISFB, is a widely used malware that steals information from infected Windows devices. Ursnif has been deployed in a new campaign that specifically targets banks in Japan; the malware terminates itself on devices outside of the country. The campaign uses a distribution network of spam botnets and compromised web servers to deliver the Trojan. Between 2016 and 2017, researchers at Palo Alto Networks observed millions of infected emails sent to banks in Japan. Researchers have not been able to identify the operation behind the campaign, but evidence suggests it may be connected to the Cutwail botnet, a cyber criminal operation active since 2007.

Bank of Valletta

February 13

On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down operations after an attempted theft of €13 million.

Target

Location: Malta
Date Breach First Reported: 2/14/2019

Incident

Method: Unknown
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down operations after an attempted theft of €13 million. Attackers made multiple transfer requests from the Maltese bank to accounts in the UK, United States, Czech Republic, and Hong Kong. The bank’s employees discovered the fraudulent activity during their daily reconciliation of international orders. Within the hour, BOV notified other banks in an attempt to freeze the transactions. It also closed all its branches, shut down its ATMs and point-of-sale system, and stopped all other electronic services, which were restored the following day. In a statement, BOV said it was working with local and international police authorities to track down the attackers. It also announced that customer accounts were not affected in the incident.

U.S. Credit Union Spear-Phishing

February 8

Multiple credit unions in the United States were hit by spear-phishing emails impersonating compliance officers from other credit unions.

Target

Location: United States
Date Breach First Reported: 2/8/2019

Incident

Method: Phishing
Type: N/A

Actor

Type: Unknown
Attribution: Unknown

Description

Multiple credit unions in the United States were hit by spear-phishing emails impersonating compliance officers from other credit unions. Under the Bank Secrecy Act (BSA), financial institutions are required to have dedicated compliance personnel responsible for reporting suspicious transactions and potentially fraudulent activity to the U.S. government. Emails sent to these compliance officers contained a PDF with a malicious link. While it is believed that no employee clicked the link, there is speculation as to how the attackers obtained the email addresses of the compliance officers.

SBI Breach

February 4

The State Bank of India, the country’s largest, has denied claims that its servers were compromised during a recent intrusion.

Target

Location: India
Date Breach First Reported: 2/4/2019

Incident

Method: Unknown
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

The State Bank of India, the country’s largest, has denied claims that its servers were compromised during a recent intrusion. Multiple media outlets reported that an SBI server was unprotected and that, as a result, attackers were able to gain access to the system and steal users’ personal information. Despite the claims, the bank said its investigation revealed that SBI’s servers remained fully protected and that no breach had occurred.

Metro Bank 2FA Breach

February 2

UK-based Metro Bank became the first major bank to suffer from a new type of cyber intrusion that intercepts text messages with two-factor authentication codes used to verify various customer transactions.

Target

Location: United Kingdom
Date Breach First Reported: 2/2/2019

Incident

Method: Other
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

UK-based Metro Bank became the first major bank to suffer from a new type of cyber intrusion that intercepts text messages with two-factor authentication codes used to verify various customer transactions. The attackers exploited flaws in the Signaling System 7 (SS7) protocol, which is used by telecommunications companies to route text messages around the world. A spokesperson for the bank stated that only a small number of those defrauded were Metro Bank customers.

Chile ATM Attack

January 10

In December, hackers infiltrated Chile’s ATM interbank network, Redbanc, after tricking an employee into downloading a malicious program during a fake job interview over Skype.

Target

Location: Chile
Date Breach First Reported: 1/15/2019

Incident

Method: Other
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In December, hackers infiltrated Chile’s ATM interbank network, Redbanc, after tricking an employee into downloading a malicious program during a fake job interview over Skype. It is believed that the Redbanc employee saw a LinkedIn job advertisement and attended a Skype interview where the attackers asked him to download a software program to submit his application form. The attackers tricked the victim into downloading malware on his system, giving them access to Redbanc’s network. Redbanc claims the event had no impact on its business operations.

Fuze Cards

January 10

The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an attempt to avoid detection by U.S. law enforcement.

Target

Location: United States
Date Breach First Reported: 1/10/2019

Incident

Method: Cards
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an attempt to avoid detection by U.S. law enforcement. A Fuze card is a data storage device that looks like a bank card, but can hold account data for up to thirty cards. Using smartcard technology can help criminals avoid raising suspicions at payment points or if stopped by authorities, as it reduces the need for them to carry large numbers of counterfeit cards on their person.

2018

Evercore Breach

December 23

In November, hackers breached Evercore, gaining access to thousands of sensitive documents from the global investment bank.

Target

Location: Western Europe
Date Breach First Reported: 12/23/2018

Incident

Method: Phishing
Type: Data breach

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In November, hackers breached Evercore, gaining access to thousands of sensitive documents from the global investment bank. The attackers used phishing tactics to gain access to an employee’s inbox, enabling them to steal around 160,000 pieces of data including documents, diary invitations, and emails. A source at the bank believes the motivation for the breach was to access the administrator's address book to send more phishing emails. The source also claims no data had been misused as a result of the breach.

Government Payment Portals

December 18

In August 2017, Click2Gov, an online bill-payment portal used to pay for local government services in the United States, was the victim of a data breach.

Target

Location: United States
Date Breach First Reported: 12/18/2018

Incident

Method: Other
Type: Data breach

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In August 2017, Click2Gov, an online bill-payment portal used to pay for local government services in the United States, was the victim of a data breach. The breach exposed customer data including payment card details and log-in credentials of users in over forty U.S. cities. Threat intelligence firm Gemini Advisory discovered that several users’ card details were sold on the dark web for approximately £10. Gemini identified 294,929 compromised payment records, resulting in at least $1.7 million in earnings for the criminals.

Brazilian Mobile Malware

December 13

In mid-December, a report revealed that over 2,000 mobile banking users in Brazil downloaded an Android-based Trojan through Google Play applications.

Target

Location: Brazil
Date Breach First Reported: 12/13/2018

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In mid-December, a report revealed that over 2,000 mobile banking users in Brazil downloaded an Android-based Trojan through Google Play applications. Victims unknowingly downloaded the malware, allowing attackers to gain access to user devices and data. The “Android.BankBot.495” malware was designed to read the victim’s information when they logged into their mobile banking app. Reports suggest that the malware also targeted apps such as Uber, Netflix, and Twitter using phishing tactics.

ThreadKit Exploit

December 11

In late 2018, security researchers uncovered that Cobalt, a state-sponsored threat group that specializes in attacks on financial institutions, had begun employing a new variant of the ThreadKit exploit builder kit to execute phishing schemes utilizing Microsoft Office documents.

Target

Location: Eastern Europe (Ukraine; Poland; Romania; Czech Republic; Hungary; Belarus; Bulgaria; Slovakia; Moldova)
Date Breach First Reported: 12/11/2018

Incident

Method: Phishing
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In late 2018, security researchers uncovered that Cobalt, a state-sponsored threat group that specializes in attacks on financial institutions, had begun employing a new variant of the ThreadKit exploit builder kit to execute phishing schemes utilizing Microsoft Office documents. First observed in October 2017, the new tactics show an evolution of the ThreadKit macro delivery tool and demonstrate the growing range of techniques employed by malicious actors.

Eastern European Banks Targeted From the Inside

December 6

In 2017 and 2018, eight banks in Eastern Europe were targeted by attackers who connected electronic devices directly to the banks’ infrastructure.

Target

Location: Eastern Europe
Date Breach First Reported: 12/6/2018

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In 2017 and 2018, eight banks in Eastern Europe were targeted by attackers who connected electronic devices directly to the banks’ infrastructure. Attackers used a range of readily available devices such as netbooks, inexpensive laptops, USB tools, and other devices. The attackers disguised themselves as job seekers or couriers and gained access to the local network from various places inside the victims’ central or regional offices, and even from company branches in different countries. Once they gained access to the target bank’s infrastructure, the attackers scanned its networks to collect valuable information, such as account details for making payments. The attacks are believed to have caused tens of millions of dollars in damages.

Rapid Raids Jackpotting

November 14

On November 14, two Venezuelan men were found guilty of jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand.

Target

Location: United States
Date Breach First Reported: 11/14/2018

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: High Confidence

Description

On November 14, two Venezuelan men were found guilty of jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand. From February to March, the duo stole $125,000 from four ATMs in Indiana, Kentucky, Wisconsin, and most recently Michigan, where they were apprehended.

HSBC U.S. Breach

November 6

In November, HSBC reported that hackers had gained access to customer data including names, addresses, phone numbers, and account details.

Target

Location: United States
Date Breach First Reported: 11/6/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In November, HSBC reported that hackers had gained access to customer data including names, addresses, phone numbers, and account details. When HSBC discovered the compromised accounts, it suspended online access for affected customers to prevent further entry to the accounts. At the time of release, HSBC did not provide details on the number of customers affected. However, estimates suggest that less than 1 percent of the bank’s U.S. online accounts were potentially compromised.

Magecart Payments Breach

November 2

In early November, Lloyds Banking Group and other UK banks were forced to replace payment cards after the breach of numerous retail sites.

Target

Location: United Kingdom
Date Breach First Reported: 11/2/2018

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In early November, Lloyds Banking Group and other UK banks were forced to replace payment cards after the breach of numerous retail sites. Websites for retailers, including Ticketmaster and British Airways, were manipulated to skim card information from hundreds of thousands of customers using the Magecart toolset.

Bank Islami

October 29

On October 29, 2018, Bank Islami in Pakistan detected a cyber attack on its international payment card network.

Target

Location: Pakistan
Date Breach First Reported: 10/29/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On October 29, 2018, Bank Islami in Pakistan detected a cyber attack on its international payment card network. The bank uncovered suspicious transactions from payment cards outside of Pakistan and immediately shut down its international payment scheme. The bank confirmed that around 2.6 million Pakistani rupees (roughly $19,500) were withdrawn from customer accounts. Following the incident, the State Bank of Pakistan (SBP) issued directives to all banks, encouraging them to ensure the security of all payment cards and monitor card activity on a real-time basis.

Pakistan Data Theft

October 27

On October 27, cybersecurity firm Group-IB reported a spike in sales of card details from Pakistani customers on Joker’s Stash, a popular online marketplace for stolen information.

Target

Location: Pakistan
Date Breach First Reported: 10/27/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On October 27, cybersecurity firm Group-IB reported a spike in sales of card details from Pakistani customers on Joker’s Stash, a popular online marketplace for stolen information. Group-IB identified more than 150,000 card details from at least three Pakistani banks. The Pakistani Federal Investigation Agency revealed that almost all the nation’s banks had been affected. However, the State Bank of Pakistan has disputed the scale of the incident. The compromise of card details came weeks after Karachi-based Bank Islami suffered a breach of its payment cards system.

AXA Targeted in Mexico

October 23

On October 22, 2018, unknown hackers attacked insurance firm AXA, causing problems for the SPEI interbank payment matching system.

Target

Location: Mexico
Date Breach First Reported: 10/23/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On October 22, 2018, unknown hackers attacked insurance firm AXA, causing problems for the SPEI interbank payment matching system. This incident prompted Mexico’s central bank to raise the security alert level on its payments system. AXA reported that no client information or money was affected by the incident.

State Bank of Mauritius

October 2

In October 2018, the Indian subsidiary of the State Bank of Mauritius was targeted by attackers who attempted to steal $14 million through compromised IT systems.

Target

Location: Mauritius
Date Breach First Reported: 10/2/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In October 2018, the Indian subsidiary of the State Bank of Mauritius was targeted by attackers who attempted to steal $14 million through compromised IT systems. The bank managed to recover $10 million in the days following the attack and said no customers would lose money as a result. The thieves reportedly withdrew the funds using fraudulent messages on the SWIFT interbank messaging network.

Silence

September 5

First reported in 2018, Russian-speaking hackers, dubbed Silence by researchers at Group-IB, targeted Russian banks, stealing $550,000 within a year.

Target

Location: Russia
Date Breach First Reported: 9/5/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

First reported in 2018, Russian-speaking hackers, dubbed Silence by researchers at Group-IB, targeted Russian banks, stealing $550,000 within a year. After an unsuccessful attempt to penetrate the Russian Central Bank’s automated workstation client, the group attacked ATMs both directly and through the supply chain, using phishing emails as its means of entry into the networks.

Banco de la Nacion

August 17

Over the weekend of August 17–19, 2018, an attack took place on Peruvian banks that forced at least one bank to take down its internet banking services and some card transactions.

Target

Location: Peru, Thailand, Malaysia, Indonesia, United States, Latin America
Date Breach First Reported: 8/17/2018

Incident

Method: Ransomware
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

Over the weekend of August 17–19, 2018, an attack took place on Peruvian banks that forced at least one bank to take down its internet banking services and some card transactions. There were reports that a new strain of ransomware was involved. The extent of the damage remains unclear, but there were no indications in the weeks afterward that the attack targeted payment systems or served as a smokescreen for other activity.

Cosmos Bank SWIFT Heist

August 11

In August 2018, it was reported that Cosmos Bank, the second-biggest cooperative bank in India, lost $13.5 million through ATMs in twenty-eight countries as well as through unauthorized interbank transactions.

Target

Location: India
Date Breach First Reported: 8/11/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In August 2018, it was reported that Cosmos Bank, the second-biggest cooperative bank in India, lost $13.5 million through ATMs in twenty-eight countries as well as through unauthorized interbank transactions. The attackers appear to have stolen card information and also set up their own proxy server so that transactions using the stolen details would not trigger alarms.

Over the course of just a few hours on August 11, the group coordinated almost 15,000 transactions to cash out funds through ATMs worldwide using compromised Visa and Rupay cards. Two days later, the attackers made further fraudulent transactions through the bank’s interface to the SWIFT messaging system—a technique used in numerous bank attacks, including against fellow Indian lender City Union Bank (CUB) in February.

The parallels with the CUB heist continued after police arrested several suspects accused of taking the funds from ATMs. Four of the people involved also admitted playing a role in the earlier theft, according to investigators in September.

The attack left Cosmos’s online banking service offline for more than a week, and the funds have not been recovered. There were signs that an attack on a bank was coming. Two days before the incident, the FBI issued a warning to banks about an imminent ATM cash-out scheme, without providing further public details.

National Bank of Blacksburg

July 24

In May 2016 and January 2017, the National Bank of Blacksburg, based in the state of Virginia, was hit by phishing emails that enabled intruders to install malware and pivot into the Star Network, a U.S. bank card processing service.

Target

Location: United States
Date Breach First Reported: 7/24/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In May 2016 and January 2017, the National Bank of Blacksburg, based in the state of Virginia, was hit by phishing emails that enabled intruders to install malware and pivot into the Star Network, a U.S. bank card processing service. The 2017 attack gave wider access to bank networks and enabled the thieves to withdraw $1.8 million over the course of a weekend, taking total losses to $2.4 million. According to a lawsuit filed by the bank against its insurer to recover more of its losses, an investigation after the second attack concluded that both incidents were carried out by the same group, using tools and servers of Russian origin.

PIR Bank Attacked

July 19

On July 3, 2018, attackers targeted Russia’s version of the SWIFT interbank network, the Automated Workstation Client, to siphon around $1 million from PIR Bank.

Target

Location: Russia
Date Breach First Reported: 7/19/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

On July 3, 2018, attackers targeted Russia’s version of the SWIFT interbank network, the Automated Workstation Client, to siphon around $1 million from PIR Bank. After breaching the network through an outdated router, the group attempted to install PowerShell scripts to maintain persistence on the bank’s systems. A report by Group-IB, which responded to the incident, attributed it to an established criminal group named MoneyTaker that has targeted more than a dozen banks in the United States, Russia, and the UK since 2016.

Data Breach Involving Canadian Banks

May 28

In 2018, it was revealed that up to 90,000 clients of the Canadian banks Simplii and Bank of Montreal (BMO) had been exposed by a data breach that the banks blamed on unidentified fraudsters.

Target

Location: Canada
Date Breach First Reported: 5/28/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In 2018, it was revealed that up to 90,000 clients of the Canadian banks Simplii and Bank of Montreal (BMO) had been exposed by a data breach that the banks blamed on unidentified fraudsters. Bank of Montreal said the group, which it believes is behind the thefts from both banks, had threatened to make the data public. Simplii and BMO are now facing a class action lawsuit, with the plaintiffs arguing that the banks failed to properly protect sensitive information.

Banco de Chile Incident

May 24

In May 2018, Banco de Chile suffered a $10 million theft after the attackers used destructive software as cover for a fraudulent SWIFT transfer.

Target

Location: Chile
Date Breach First Reported: 5/24/2018

Incident

Method: Malware
Type: Disruption, theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In May 2018, Banco de Chile suffered a $10 million theft after the attackers used destructive software as cover for a fraudulent SWIFT transfer. The bank’s 9,000 workstations and 500 servers failed on May 24 when the KillMBR wiper tool rendered them unable to boot, adding the bank to the growing ranks of Latin American institutions suffering cyber attacks.

Mexican Bank Theft

May 12

Banco de Mexico warned a dozen banks to upgrade their security following $15 million in fraudulent cash withdrawals from five institutions linked to the central bank’s electronic payments system, SPEI.

Target

Location: Mexico
Date Breach First Reported: 5/12/2018

Incident

Method: Software vulnerability
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Banco de Mexico warned a dozen banks to upgrade their security following $15 million in fraudulent cash withdrawals from five institutions linked to the central bank’s electronic payments system, SPEI. A vulnerability in third-party software connected to SPEI was used by unknown attackers to get into the system and make a series of fraudulent transactions before cashing out.

The investigators have not made clear whether each victim bank was compromised separately, or whether the attackers moved between them following the initial breach. It is also unclear whether the gang had insider help to clear large transactions through the banks’ security checks. The incidents delayed legitimate transfers, but the central bank said client money and the SPEI infrastructure were unaffected.

Following the thefts, Banco de Mexico set up a new cybersecurity unit and asked member institutions to move to in-house, encrypted software for connecting to SPEI. The incident came five months after Bancomext, the state-owned trade bank, blocked attempts to siphon off $110 million via a network compromise that granted attackers access to the global SWIFT interbank system.

DDoS-for-Hire

April 1

In April 2018, it was revealed that authorities in five countries worked together to take down Webstresser, a DDoS-for-hire site they said was behind up to 6 million attacks around the world over three years.

Target

Location: Western Europe
Date Breach First Reported: 4/1/2018

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In April 2018, it was revealed that authorities in five countries worked together to take down Webstresser, a DDoS-for-hire site they said was behind up to 6 million attacks around the world over three years. The site was used to launch a coordinated attack on seven UK banks in November 2017, according to the UK’s National Crime Agency. Several people have been arrested, and the U.S. Department of Defense seized the website.

Mabna Iranian Hack on the United States

March 23

Two financial firms were among the various U.S. targets of a hacking group operating under the guise of the Mabna Institute, which used password spraying to access information.

Target

Location: United States
Date Breach First Reported: 3/23/2018

Incident

Method: Password spraying
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

Two financial firms were among the various U.S. targets of a hacking group operating under the guise of the Mabna Institute, which used password spraying to access information. The actors are accused by the United States of stealing 31 terabytes of academic and commercial information in a campaign dating as far back as 2013. Nine Iranians have been charged by the United States, which claims the group acts on behalf of the Islamic Revolutionary Guard Corps and has imposed sanctions on numerous individuals and companies in the country as a result.

City Union Bank SWIFT Attack

February 18

In February 2018, City Union Bank in India suffered a breach that allowed $1 million to be transferred to a Chinese institution.

Target

Location: India
Date Breach First Reported: 2/18/2018

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In February 2018, City Union Bank in India suffered a breach that allowed $1 million to be transferred to a Chinese institution. The attackers tried to make three transactions totaling $2 million, sending money to Dubai and Turkey, but were thwarted by City Union Bank and the corresponding bank on the receiving end of the transfer. Two years earlier, attackers attempted but failed to make a $170 million SWIFT transfer out of the Union Bank of India. While the incidents bear the hallmarks of the group that carried out the Bank of Bangladesh theft in 2016, there is no strong evidence the events are connected.

Infraud Gang

February 7

In February 2018, it was revealed that thirty-six people from seven countries had been indicted in the United States for their alleged involvement in the Infraud Organization, which law enforcement officials say sells stolen personal and financial information.

Target

Location: Netherlands
Date Breach First Reported: 2/7/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In February 2018, it was revealed that thirty-six people from seven countries had been indicted in the United States for their alleged involvement in the Infraud Organization, which law enforcement officials say sells stolen personal and financial information. More than half a billion dollars was lost by the victims, the U.S. Department of Justice said, with a trail going back to October 2010. The organization was said to have more than 10,000 registered members who bought and sold illicit products including malware, data from credit card dumps, and information needed for identity fraud.

Dutch DDoS Attack

January 29

In January, ABN Amro, Rabobank, and ING suffered disruptions to online and mobile banking services, while the Dutch tax authority website was taken down for several minutes.

Target

Location: Netherlands
Date Breach First Reported: 1/29/2018

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In January, ABN Amro, Rabobank, and ING suffered disruptions to online and mobile banking services, while the Dutch tax authority website was taken down for several minutes. Initial reports raised concerns of a Russian connection to the attack, as it came a week after a media report that Dutch intelligence agents had infiltrated the Russian threat group APT29. However, an eighteen-year-old from the Dutch city of Oosterhout was arrested in February for the attack, having claimed online that he bought a “stresser” tool for €40 that enabled him to send a deluge of traffic to victim websites.

2017

Youbit Hacked

December 1

In a demonstration of cryptocurrency’s growing role in online crime circles, the bitcoin exchange Youbit was hacked twice in 2017, forcing it to file for bankruptcy.

Target

Location: South Korea
Date Breach First Reported: 12/1/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In a demonstration of cryptocurrency’s growing role in online crime circles, the bitcoin exchange Youbit was hacked twice in 2017, forcing it to file for bankruptcy. The South Korean exchange lost nearly 4,000 bitcoins in a theft in April, which the country’s authorities had linked to North Korea, according to local media. The attack in December led to the loss of 17 percent of Youbit’s digital currency and forced it to stop trading. The thefts came weeks after a $70 million bitcoin heist at NiceHash, a cryptocurrency mining service in Slovenia, at a time when the price of the currency had soared above $15,000.

Paradise Papers

November 5

In November 2017, an unknown whistle-blower leaked a trove of secret records on offshore companies to the German newspaper Süddeutsche Zeitung, which shared the details with 380 journalists around the world.

Target

Location: Multiple
Date Breach First Reported: 11/5/2017

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In November 2017, an unknown whistle-blower leaked a trove of secret records on offshore companies to the German newspaper Süddeutsche Zeitung, which shared the details with 380 journalists around the world. The Paradise Papers, covering the law firm Appleby’s business as far back as 1950, shone a light on offshore tax affairs in thirty jurisdictions, including Bermuda and the Cayman Islands, the heart of the global hedge fund industry. Appleby has said it was the victim of a cyber attack, alleging the intruder “deployed the tactics of a professional hacker.” The breach came just over a year after the Panama Papers, documents from law firm Mossack Fonseca that were leaked to the same newspaper.

Far Eastern International Bank

October 1

In October 2017, Far Eastern International Bank in Taiwan became the victim of a $14 million theft when hackers planted malware in the company’s systems to access a SWIFT terminal, which was then used to make fraudulent transfers.

Target

Location: Taiwan
Date Breach First Reported: 10/1/2017

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In October 2017, Far Eastern International Bank in Taiwan became the victim of a $14 million theft when hackers planted malware in the company’s systems to access a SWIFT terminal, which was then used to make fraudulent transfers. The attackers deployed an unusual ransomware variant named Hermes, but this was likely a distraction from their main objective of using administrative credentials to move funds to Cambodia, the United States, and Sri Lanka. The attack is suspected to have been carried out by a group that has repeatedly intruded on bank networks to commit thefts. Most of the stolen money was recovered, and two men were arrested in Sri Lanka after they attempted to withdraw funds.

SEC Edgar Hack

September 21

The Securities and Exchange Commission announced in September 2017 that hackers might have accessed inside information from the Edgar database, which contains market-sensitive filings for companies listed on U.S. stock exchanges, and used it to make illegal profits on share trades.

Target

Location: United States
Date Breach First Reported: 9/21/2017

Incident

Method: Software vulnerability
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

The Securities and Exchange Commission announced in September 2017 that hackers might have accessed inside information from the Edgar database, which contains market-sensitive filings for companies listed on U.S. stock exchanges, and used it to make illegal profits on share trades. The commission did not realize until August 2017 that the intrusion, which took place in 2016 through a software vulnerability in a test filing component, could have leaked company secrets. The identity of the hackers is unknown, although reports have suggested the perpetrators are based in Eastern Europe.

Equifax Hack

September 7

In one of the biggest data breaches on record, the credit reporting agency Equifax announced in October 2017 that more than 150 million customer records had been compromised, including some sensitive data such as birth dates and 12,000 U.S. social security numbers.

Target

Location: United States
Date Breach First Reported: 9/7/2017

Incident

Method: Web app vulnerability
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In one of the biggest data breaches on record, the credit reporting agency Equifax announced in October 2017 that more than 150 million customer records had been compromised, including some sensitive data such as birth dates and 12,000 U.S. social security numbers. The breach, which sent shares in Equifax down 13 percent in the days after disclosure, was the result of unknown attackers exploiting a bug in an Apache Struts web application that the company had failed to patch.

The attackers scanned Equifax’s estate for the vulnerability and gained access to the application, an online dispute portal, days after the bug was made public in March—but did not take any data for several months. Once inside the network, the attackers found unencrypted usernames and passwords for other databases and spent seventy-six days on the network, eventually accessing forty-eight different datasets.

Equifax has spent $439 million on redressing the data loss and, a year after disclosure, its share price remained below the pre-breach level. However, the company has avoided fines from the banking regulators in eight U.S. states after agreeing to a deal in June 2018 to improve its cybersecurity oversight. The identity of the data thieves remains unknown.

2016

Russian Banks DDoS Attack

December 2

In December 2016, after a number of DDoS attacks on Russian banks throughout the previous month, the Russian Federal Security Service (FSB) announced that it had discovered pending cyber attacks intended to impact a range of major Russian banks.

Target

Location: Russia
Date Breach First Reported: 12/2/2016

Incident

Method: DDOS
Type: Disruption

Actor

Type: National government
Attribution: Speculated

Description

In December 2016, after a number of DDoS attacks on Russian banks throughout the previous month, the Russian Federal Security Service (FSB) announced that it had discovered pending cyber attacks intended to impact a range of major Russian banks. Servers and command centers purportedly intended for use in these attacks were located in the Netherlands and owned by BlazingFast, a Ukrainian hosting company. BlazingFast said it had no information about the asserted attack and that it was unable to find any malicious data. The Dutch Ministry of Security and Justice said that it was aware its infrastructure could be used for cyber attacks elsewhere, and that if the Russian authorities decided to investigate, the Dutch investigating authorities would provide assistance.

On December 9, Rostelecom, Russia’s telecom operator, said in a statement that it had blocked DDoS attacks against the five biggest banks and financial institutions in Russia on December 5. They reached a peak volume of 3.2 million packets per second, which is low compared to the volume of other recent DDoS attacks. The statement further noted that part of the DDoS attacks involved a botnet similar to that used in prior weeks against Germany’s Deutsche Telekom and Ireland’s Eircom, exploiting a vulnerability in home routers. No perpetrators were identified, though the FSB claimed that it was organized by foreign intelligence services and speculated it had been done on behalf of Ukraine, due to the servers’ location and ownership. The FSB stated that it expected the DDoS attacks to be accompanied by text messages, agitating social network publications, and blog statements about a “crisis in the Russian credit and financial system, bankruptcy and withdrawal of licenses of leading federal and regional banks,” and that “the campaign [would be] directed against several dozen Russian cities.” Presumably, this would be an attempt to create a run on Russian banks, initiating a financial crisis. No evidence exists that such action, complementary to the DDoS attacks, was attempted.

Insider Trading Hack

December 1

In late 2016, the Securities and Exchange Commission (SEC) sued three Chinese traders, arguing that they had installed malware on the networks of two law firms to steal confidential, market-moving information on mergers and acquisitions.

Target

Location: United States
Date Breach First Reported: 12/1/2016

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In late 2016, the Securities and Exchange Commission (SEC) sued three Chinese traders, arguing that they had installed malware on the networks of two law firms to steal confidential, market-moving information on mergers and acquisitions. The men were ordered to pay $8.9 million in penalties, and the trio were also indicted on criminal charges, which are ongoing. Hong Kong refused a request to extradite one of the men to the United States in 2017.

Tesco Bank Card Theft

November 5

Tesco Bank, a retail bank based in the UK, was the target of thieves who used vulnerabilities in its card issuing process to guess bank card numbers and steal £2.26 million in November 2016.

Target

Location: United Kingdom
Date Breach First Reported: 11/5/2016

Incident

Method: Card number guessing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Tesco Bank, a retail bank based in the UK, was the target of thieves who used vulnerabilities in its card issuing process to guess bank card numbers and steal £2.26 million in November 2016. The unknown attackers likely used an algorithm to generate bank card numbers that used Tesco’s identifying numbers at the start and conformed to the industry-wide Luhn validation scheme that helps protect against accidental errors.

There are around 1 billion possible card numbers for each bank, but regulators have said Tesco Bank’s cards had deficiencies, such as sequential card numbers, that made guessing the full numbers easier. The bank only used basic checks to assess whether cards were genuine, for example merely inspecting whether the debit card would expire in the future instead of making sure the exact expiration date matched its records.

Visa and Mastercard had both previously warned of an increase in the type of fraud seen in this case, which used the magnetic stripe to verify the transaction. On November 5, 2016, as the weekend began, the gang started making fraudulent transactions with the card details it had calculated. Almost 9,000 accounts were affected, or 6.6 percent of the bank’s entire customer base. One customer had twenty-two fraudulent transactions totaling £65,000 on his account.

Tesco Bank halted all online and contactless transactions after a day of struggling to block all the fake purchases reported in the United States, Spain, and Brazil. In October 2018, Tesco was fined £16.4 million by the UK’s Financial Conduct Authority for deficiencies in its bank card policies and its response to the incident.

Indian ATM Breach

October 20

In mid-2016, a number of Indian banks replaced or changed security codes on 3.25 million debit cards after uncovering a breach in Hitachi’s payment switch systems, which link into the ATM network.

Target

Location: India
Date Breach First Reported: 10/20/2016

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In mid-2016, a number of Indian banks replaced or changed security codes on 3.25 million debit cards after uncovering a breach in Hitachi’s payment switch systems, which link into the ATM network. Visa, Mastercard, and India’s Rupay cards were all affected by the compromise.

Central Banks DDoS Attack

May 4

In May 2016, hacktivists briefly took down the Bank of Greece’s website, and later did the same to the central banks of Mexico, Panama, Kenya, and Bosnia and Herzegovina.

Target

Location: Multiple
Date Breach First Reported: 5/4/2016

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In May 2016, hacktivists briefly took down the Bank of Greece’s website, and later did the same to the central banks of Mexico, Panama, Kenya, and Bosnia and Herzegovina. Anonymous claimed responsibility as part of Operation Icarus, a campaign against central banks.

Panama Papers

April 3

In April 2016, an anonymous source leaked 2.6 terabytes of information from the Panamanian law firm Mossack Fonseca to the German newspaper Süddeutsche Zeitung.

Target

Location: Panama
Date Breach First Reported: 4/3/2016

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In April 2016, an anonymous source leaked 2.6 terabytes of information from the Panamanian law firm Mossack Fonseca to the German newspaper Süddeutsche Zeitung. The journalists shared the 11.5 million leaked documents with a dozen global news organizations to simultaneously print stories about the money-laundering, tax affairs, and financial secrecy within. The revelations had far-reaching effects, including the resignation of the Icelandic prime minister, a number of tax evasion investigations, and the closure of Mossack Fonseca.

Belgian National Bank Incident

February 22

On February 22, 2016, a hacking group called DownSec Belgium shut down the website for Belgium’s National Bank for most of the morning using DDoS attacks.

Target

Location: Belgium
Date Breach First Reported: 2/22/2016

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On February 22, 2016, a hacking group called DownSec Belgium shut down the website for Belgium’s National Bank for most of the morning using DDoS attacks. Little information has been reported about the attack, but it followed similar DDoS attacks by the same group against the websites for the Belgian Federal Agency for Nuclear Control, the country’s Crisis Center, and its federal cyber emergency team. DownSec Belgium claims to fight against corrupt government abuses.

Bangladesh Bank SWIFT Hack

February 1

In February 2016, media outlets reported that hackers had breached the network of the Bangladesh central bank and sent thirty-five fraudulent transfer requests to the Federal Reserve Bank of New York, totaling nearly $1 billion.

Target

Location: Bangladesh
Date Breach First Reported: 2/1/2016

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In February 2016, media outlets reported that hackers had breached the network of the Bangladesh central bank and sent thirty-five fraudulent transfer requests to the Federal Reserve Bank of New York, totaling nearly $1 billion. Four of these fraudulent requests succeeded, and the hackers were able to transfer $81 million to accounts in the Philippines, representing one of the largest bank thefts in history. A fifth request for $20 million to be sent to an account in Sri Lanka was stopped because the recipient’s name, Shalika Foundation, was misspelled “fandation.” The remaining transfers, which totaled somewhere between $850 million and $870 million, were also stopped before they could be completed due to a stroke of good fortune: the name of the destination bank branch included the word “Jupiter,” which was the name of an unrelated company on a sanctions blacklist.

The hackers had introduced malware onto the Bangladesh central bank’s server and deployed keylogger software that allowed them to steal the bank’s credentials for the SWIFT system. The hackers also custom-designed a malware toolkit that compromised SWIFT’s Alliance Access system and was designed to cover their tracks. This toolkit allowed them to delete records of transfer requests, bypass validity checks, delete records of logins, manipulate reporting of balances, and stop attached printers from printing transaction logs. Although the malware was custom-designed to steal from the Bangladesh central bank, the toolkit could potentially be used against other banks in the SWIFT system running Alliance Access software.

The intruders had monitored the bank’s routine activity in order to create money transfer requests that appeared genuine. Furthermore, they timed the thefts so that it would be the weekend in Bangladesh when the Federal Reserve reached out to confirm the transactions, and then it would be the weekend in New York when the Bangladesh central bank employees instructed the Federal Reserve to cancel the transactions.

2015

Greek Banks DDoS Attack

November 30

In late 2015, hackers threatened to disable systems at three Greek banks unless they paid a bitcoin ransom.

Target

Location: Greece
Date Breach First Reported: 11/30/2015

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In late 2015, hackers threatened to disable systems at three Greek banks unless they paid a bitcoin ransom. When the banks refused, they had their sites repeatedly knocked out for several hours. The group claiming responsibility for the extortion said it was part of the Armada Collective, which had previously targeted numerous businesses including Cloudflare and Proton Mail, although some investigators believed it might have been a copycat attack using the same name. Some suspected original members of the collective were arrested in Europol’s Operation Pleiades in January 2016, which targeted the group DDoS4Bitcoin, active since mid-2014.

Swedbank and Nordea DDoS Attack

November 6

In November 2015, a teenager was sentenced to community service after carrying out four DDoS attacks against Nordea and Swedbank.

Target

Location: Denmark, Sweden
Date Breach First Reported: 11/6/2015

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In November 2015, a teenager was sentenced to community service after carrying out four DDoS attacks against Nordea and Swedbank. The attacks blocked customers from the banks’ websites for hours at a time. The perpetrator’s lawyers said he was “drawn into a circus” where online groups would test the power of botnets.

Shanghai Composite Index Suspected Manipulation

June 12

Beginning on June 12, 2015, the Shanghai Composite Index began to plummet, and by June 19 it had fallen by 13 percent.

Target

Location: China
Date Breach First Reported: 6/12/2015

Incident

Method: Unknown
Type: Data breach, disruption

Actor

Type: Unknown
Attribution: Unknown

Description

Beginning on June 12, 2015, the Shanghai Composite Index began to plummet, and by June 19 it had fallen by 13 percent. Chinese stock markets continued to fall throughout July and August, and again in January and February 2016. Although there is no public evidence, some have speculated that the initial sudden crash may have been caused by a cyber attack.

Tien Phong Commercial Joint Stock Bank

May 15

In May 2015, the Vietnamese bank Tien Phong announced it had blocked a fraudulent SWIFT transaction worth €1m several months before attackers successfully stole from the Bank of Bangladesh using the same method.

Target

Location: Vietnam
Date Breach First Reported: 5/15/2015

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In May 2015, the Vietnamese bank Tien Phong announced it had blocked a fraudulent SWIFT transaction worth €1m several months before attackers successfully stole from the Bank of Bangladesh using the same method. Tien Phong did not name the bank that had been the source of the fraudulent transfer request.

Dyre Wolf Campaign

April 2

In April 2015, a threat group twinned malware with a sophisticated social engineering tactic to steal more than $1 million from businesses.

Target

Location: Multiple
Date Breach First Reported: 4/2/2015

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In April 2015, a threat group twinned malware with a sophisticated social engineering tactic to steal more than $1 million from businesses. A variant of Dyre malware named Upatre, which spread through victims’ email contacts, was used to block hundreds of bank websites on the victim’s device. The victim was then prompted to call a helpline number that was actually staffed by a member of the gang, who would harvest the victim’s banking credentials and subsequently make fraudulent wire transfers.

Health Insurer Hacks

February 4

In February 2015, reports indicated that records for almost 80 million customers were stolen from Anthem, a U.S. healthcare insurer, after attackers deployed a spearphishing email that gave access to ninety of the company’s systems, including its back-end database.

Target

Location: United States
Date Breach First Reported: 2/4/2015

Incident

Method: Phishing
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In February 2015, reports indicated that records for almost 80 million customers were stolen from Anthem, a U.S. healthcare insurer, after attackers deployed a spearphishing email that gave access to ninety of the company’s systems, including its back-end database. The stolen data was taken over the course of several weeks and included personal information, such as social security numbers. A subsequent report by the California Department of Insurance pointed to a national government as the likely culprit for the attack, and suggested the initial breach occurred in February 2014, meaning Anthem was exposed for a year before the compromise was discovered. Anthem ended up settling a lawsuit relating to the data loss for $115 million. Several weeks after the incident was disclosed, fellow insurer Premera Blue Cross announced that around 11 million customer accounts had been compromised by attackers, and rival CareFirst admitted 1.1 million current and former members may have had their information stolen. Some researchers believe the thefts were carried out by the same group. In September 2015, Excellus announced a data loss, with 10 million customers’ data exposed by a breach that initially occurred in December 2013.

Ecuadorian Banco del Austro

January 12

In early 2015, a bank in Ecuador was the first known victim in a series of multimillion dollar heists that used compromised payments systems to then transfer funds over the SWIFT interbank messaging network.

Target

Location: Ecuador
Date Breach First Reported: 1/12/2015

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In early 2015, a bank in Ecuador was the first known victim in a series of multimillion dollar heists that used compromised payments systems to then transfer funds over the SWIFT interbank messaging network. In January 2015, thieves transferred $12 million out of Banco del Austro and routed most of the proceeds to twenty-three companies registered in Hong Kong.

The same method has been used in several thefts in the years that followed, including the $81 million Bank of Bangladesh heist in 2016. If an attacker manages to gain access to a bank’s SWIFT terminal, the system can be used to ask other banks to transfer funds. Banco del Austro said it recovered around $2.8 million of the stolen money. The heist came to light in a lawsuit Banco del Austro brought against Wells Fargo, which it alleged failed to spot red flags when it approved the fraudulent transaction. The litigation was settled in February 2018, but no details were disclosed.

Metel Malware Attack on Russian Banks

January 1

The Metel banking Trojan, which was discovered in 2011, was repurposed by a criminal gang in 2015 to steal directly from bank ATMs and even manipulate the Russian exchange rate.

Target

Location: Russia
Date Breach First Reported: 1/1/2015

Incident

Method: Multiple: malware, phishing and browser vulnerabilities
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

The Metel banking Trojan, which was discovered in 2011, was repurposed by a criminal gang in 2015 to steal directly from bank ATMs and even manipulate the Russian exchange rate. The group used spearphishing emails or browser vulnerabilities to deliver Metel, also known as Corkow, and access the bank’s systems before pivoting into areas that allowed them to roll back ATM transactions. This meant they could withdraw unlimited amounts of money, automatically resetting the account balance after each transaction. Researchers at Kaspersky, who first reported on the operation, said the gang comprised fewer than ten members and that no infections had been found outside Russia. In February 2015, Energobank fell victim to a Metel infection that allowed attackers to place some $500 million in currency orders, sending the ruble swinging with extreme volatility between 55 and 66 rubles per dollar for a period of fourteen minutes. However, there is no evidence the attackers profited from the movement. Metel had infected 250,000 devices and more than 100 financial institutions in 2015, according to researchers at Group IB.

2014

Tyupkin ATM Malware

October 7

In October 2014, reports revealed that criminals had written malware to infect Windows-based ATMs and steal millions from machines primarily in Eastern Europe.

Target

Location: Eastern Europe
Date Breach First Reported: 10/7/2014

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In October 2014, reports revealed that criminals had written malware to infect Windows-based ATMs and steal millions from machines primarily in Eastern Europe. The malware, dubbed Tyupkin, was spread by CD and, once installed, lay low, only accepting commands on Sunday and Monday nights. Mules could type in a randomly generated key allowing them to withdraw 40 banknotes. Similar to the Ploutus campaign in Latin America, the Tyupkin group had an organized gang of mules to access the ATMs and collect the money. Eight Romanian and Moldovan nationals were arrested in connection with the scheme in January 2016.

Warsaw Stock Exchange Breach

October 1

In October 2014, a group claiming to be affiliated with the so-called Islamic State hacked the internal networks of the Warsaw Stock Exchange and posted dozens of login credentials for brokers online.

Target

Location: Poland
Date Breach First Reported: 10/1/2014

Incident

Method: Unknown
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In October 2014, a group claiming to be affiliated with the so-called Islamic State hacked the internal networks of the Warsaw Stock Exchange and posted dozens of login credentials for brokers online. The means by which the group gained access to the exchange’s networks are unknown, but they were reportedly able to infiltrate an investment simulator and a web portal for managing the stock exchange’s upgrade to a new trading system, as well as render the exchange’s website unavailable for two hours. The exchange’s employees say that the trading system itself was not breached. NATO officials later indicated privately that they believed that the hacking group’s claim of being affiliated with Islamic militants was a false flag operation, and that in fact the breach was conducted by APT 28, a group widely believed by security researchers to be affiliated with the Russian government.

JPMorgan Chase Data Breach

August 1

In August 2014, the first reports emerged that account information and home addresses for 83 million customers were exposed after attackers stole login credentials from a JPMorgan Chase employee.

Target

Location: United States
Date Breach First Reported: 8/1/2014

Incident

Method: Stolen password
Type: Data breach

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In August 2014, the first reports emerged that account information and home addresses for 83 million customers were exposed after attackers stole login credentials from a JPMorgan Chase employee. The group entered the network through a single-factor authentication server that had not been upgraded with the rest of the firm’s estate, before gaining access to more than ninety bank servers for several months. However, the bank said the attackers had not accessed more sensitive information, such as social security numbers.

JPMorgan discovered the breach after reportedly finding the same group on a website for a charity race that it sponsors. The size of the incident prompted the National Security Agency and the FBI to join the investigation. Other companies targeted in the attacks included Dow Jones, Fidelity, E*Trade, and Scottrade. The U.S. authorities believe the harvested information was used in securities fraud, money laundering, credit-card fraud, and fake pharmaceuticals.

Nine people so far have been charged in the ongoing probe. A Russian national was extradited from Georgia to the United States in September 2018, although he denied that he was the central hacker in the attacks. The federal authorities in New York said the man worked with an international syndicate from 2012 to 2015 to steal customer information, which was used in numerous crimes including a spam email campaign to falsely tout stocks and shares to ramp up the price. In September 2019, he pleaded guilty to six felony charges in connection with the data breach and other cybercrimes, and he faces up to a lifetime in prison.

In January 2017, a Florida man pleaded guilty to charges linked to funds processed through Coin.mx, an unlicensed bitcoin exchange owned by an Israeli whom the United States has alleged masterminded the information-stealing campaign. The supposed ringleader was extradited to the United States in 2016 and, according to media reports, entered a plea deal with prosecutors.

European Central Bank

July 24

In July 2014, the European Central Bank (ECB) announced that hackers had breached the security of a database holding email addresses and other contact data submitted by people registering for events at the bank.

Target

Location: Western Europe
Date Breach First Reported: 7/24/2014

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In July 2014, the European Central Bank (ECB) announced that hackers had breached the security of a database holding email addresses and other contact data submitted by people registering for events at the bank. The ECB said most of the stolen data was encrypted, and no internal systems or sensitive market data had been compromised, as the database was separate from those systems. Approximately 20,000 people had their information exposed in non-encrypted form.

The attack came to light after the supposed perpetrators emailed the ECB demanding a ransom payment on July 21. The bank informed the German police, although no further information is available about the investigation.

Ukrainian Bank Data Breach

July 8

In July 2014, the pro-Russian group called CyberBerkut hacked into PrivatBank, one of Ukraine’s largest commercial banks, and published stolen customer data on VKontakte, a Russian social media website.

Target

Location: Ukraine
Date Breach First Reported: 7/8/2014

Incident

Method: Unknown
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In July 2014, the pro-Russian group called CyberBerkut hacked into PrivatBank, one of Ukraine’s largest commercial banks, and published stolen customer data on VKontakte, a Russian social media website. The means by which it gained access to the data is unknown. It is believed that CyberBerkut targeted PrivatBank because the bank’s co-owner, Igor Kolomoisky, had offered a $10,000 bounty for the capture of Russian-backed militants in Ukraine. The group warned PrivatBank customers to transfer their money to state-owned banks. CyberBerkut may have connections to the Russian government, but the relative lack of sophistication of their attacks has led some experts to conclude that official links are unlikely.

2013

People’s Bank of China DDoS Attack

December 19

In December 2013, the People’s Bank of China (PBOC) was bombarded with DDoS traffic that reportedly came from disgruntled bitcoin users who were protesting the country’s ban on the decentralized currency.

Target

Location: China
Date Breach First Reported: 12/19/2013

Incident

Method: DDOS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

In December 2013, the People’s Bank of China (PBOC) was bombarded with DDoS traffic that reportedly came from disgruntled bitcoin users who were protesting the country’s ban on the decentralized currency. The week before the attack, PBOC had warned that bitcoin was “not a real currency” and that Chinese institutions would not accept bitcoin deposits. With China the largest source of bitcoin trading at the time, the announcement sent the value of the currency down by around 40 percent. The perpetrators of the DDoS attack have not been publicly identified.

Ploutus Malware

September 1

In September 2013, the malware Ploutus was built to be installed directly on ATMs in order to give an attacker privileged rights, including the ability to dispense cash on demand via SMS or using a keyboard attached to the machine.

Target

Location: Multiple
Date Breach First Reported: 9/1/2013

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In September 2013, the malware Ploutus was built to be installed directly on ATMs in order to give an attacker privileged rights, including the ability to dispense cash on demand via SMS or using a keyboard attached to the machine. The malware has been altered several times to enable its use in new ATM models. Ploutus has resulted in numerous attacks in Mexico and later other countries, including the United States, where in 2018 two men were convicted of installing the malware on cash machines in Connecticut and Rhode Island.

CME Group

July 1

CME Group, which operates the world’s largest futures exchange, announced in November 2013 that its ClearPort clearing service had been compromised the previous July.

Target

Location: United States
Date Breach First Reported: 7/1/2013

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

CME Group, which operates the world’s largest futures exchange, announced in November 2013 that its ClearPort clearing service had been compromised the previous July. The firm said some customer information was compromised but that trading was not affected. While large financial firms are generally under no obligation to make data breaches public, the company informed affected customers and announced that it was working with the authorities. The FBI investigated the incident but has released no further information.

Carbanak Malware

June 1

In 2013, the source code for the Carbanak banking Trojan was leaked online. Since then, the malware has been used by several gangs to steal from dozens of financial institutions.

Target

Location: Multiple
Date Breach First Reported: 6/1/2013

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In 2013, the source code for the Carbanak banking Trojan was leaked online. Since then, the malware has been used by several gangs to steal from dozens of financial institutions. The attack strategies have changed many times in order to avoid detection.

The malware is often pushed into financial companies by luring employees to click malicious documents, which provide the attackers a foothold to move across the network to remotely manipulate ATMs, known as “jackpotting,” or to compromise point-of-sale data. The gangs planned each theft carefully, taking between two and four months to complete each intrusion, ultimately using mules to withdraw the funds from ATMs and transfer them to the criminals’ accounts.

Fin7, the most prolific group using Carbanak, has stolen more than €1 billion from banks in more than thirty countries over the past three years, according to Europol. As well as using Carbanak, the gang is understood to use widely available tools such as the Cobalt Strike framework. The group recruited developers to work for an Israeli-Russian front company named Combi Security, and it is not clear whether the employees knew the nature of the work.

The authorities arrested a man thought to be the gang’s ringleader in Spain in March 2018, while in August the U.S. Department of Justice arrested three Ukrainian suspects. The United States claims the group stole the details of 15 million payment cards by attacking more than 120 U.S. companies, including the Chipotle and Arby’s restaurant chains.

Another Trojan, which is named Odinaff and bears a resemblance to Carbanak, was spotted attacking banking, trading, and payroll companies in 2016. It is unclear whether this is the work of Fin7 or another gang. While Fin7 appears to have gone quiet, it is unclear whether this is because activity stopped following the arrests or its techniques have changed again.

South Korea Attacked III

March 20

In March 2013, almost exactly two years since the last DDoS attack on South Korea, the Shinhan, Nonghyup, and Jeju banks were targeted by a Trojan that deleted data and disrupted ATMs, online banking, and mobile payments.

Target

Location: South Korea
Date Breach First Reported: 3/20/2013

Incident

Method: Diskwiping
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In March 2013, almost exactly two years since the last DDoS attack on South Korea, the Shinhan, Nonghyup, and Jeju banks were targeted by a Trojan that deleted data and disrupted ATMs, online banking, and mobile payments. Trojan.Jokra was used to wipe disks, but the attack varied from its predecessors in that it did not include a DDoS attack. After six months of attacks, South Korean politicians said this wave cost the country almost $650 million in economic damage, making it far larger than the two previous campaigns. The incident was attributed by some to the DarkSeoul gang, a threat actor linked to the North Korean regime that would later be tied to the Sony breach in 2014.

Bank of the West DDoS Attack

February 19

On Christmas Eve 2013, Bank of the West was the victim of a DDoS attack used to disguise $900,000 in fraudulent transfers out of accounts belonging to Ascent Builders, a Californian construction firm.

Target

Location: United States
Date Breach First Reported: 2/19/2013

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On Christmas Eve 2013, Bank of the West was the victim of a DDoS attack used to disguise $900,000 in fraudulent transfers out of accounts belonging to Ascent Builders, a Californian construction firm. The perpetrators made fraudulent automated clearinghouse and wire transfers before they knocked the bank’s website offline. A network of more than sixty mules was reportedly used to transfer the money into criminal accounts, making the funds more difficult to trace.

2012

Operation Ababil

September 18

In September 2012, a group called the Cyber Fighters of Izz ad-Din al-Qassam launched several waves of DDoS attacks against U.S. financial institutions.

Target

Location: United States
Date Breach First Reported: 9/18/2012

Incident

Method: DDOS
Type: Disruption

Actor

Type: National government
Attribution: Speculated

Description

In September 2012, a group called the Cyber Fighters of Izz ad-Din al-Qassam launched several waves of DDoS attacks against U.S. financial institutions. Naming the campaign Operation Ababil, the group justified its attacks as retribution for an anti-Islam video released by the U.S. pastor Terry Jones. The attacks were powerful, sending 100 gigabits per second of data to the victim sites, prompting claims that this was beyond the capabilities of a hacktivist group. Some reports said the group had ties to Anonymous, while others made links to the Iranian government; the group itself claimed it acted independently. The campaign launched two additional waves of attacks on December 10, 2012, and March 5, 2013.

Operation High Roller

June 25

In June 2012, U.S. security researchers uncovered a fraud ring attempting to execute high-value transactions worth between €60 million and €2 billion by using a customized Trojan spyware tool.

Target

Location: Western Europe
Date Breach First Reported: 6/25/2012

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In June 2012, U.S. security researchers uncovered a fraud ring attempting to execute high-value transactions worth between €60 million and €2 billion by using a customized Trojan spyware tool. Operation High Roller, as it was named by the researchers who uncovered it, was the first gang to automate many of the steps in fraudulent transactions. The malware automatically checked balances, found active mule accounts that could receive stolen funds, and deleted emails confirming transfers. It also managed to bypass two-factor authentication and ran its command servers in the cloud. Its targets were chiefly high-balance bank accounts in Europe. U.S. authorities indicted two men, a Russian and an Albanian, who authored the original SpyEye Trojan in 2011, which was subsequently used during the operation.

Shanghai Composite Index Suspected Manipulation

June 4

In June 2012, the Shanghai Composite Index saw a severe drop on the anniversary of the Tiananmen Square massacre of 1989.

Target

Location: China
Date Breach First Reported: 6/4/2012

Incident

Method: Unknown
Type: Multiple

Actor

Type: Unknown
Attribution: Unknown

Description

In June 2012, the Shanghai Composite Index saw a severe drop on the anniversary of the Tiananmen Square massacre of 1989. While there is no confirmation of any wrongdoing in this case, the Shanghai Composite Index opened at 2,346.98 and fell exactly 64.89 points, matching the date of the incident (June 4, 1989). This led to widespread but unproven speculation about a protest hack that had manipulated trading that day. The Chinese censors blocked online references to the Shanghai Composite Index and several other terms on the anniversary.

Iranian Banking Data Breaches

April 16

In April 2012, a security researcher, Khosrow Zarefarid, dumped online the names, card numbers, and PINs of 3 million people across twenty-two Iranian banks after his reports on vulnerabilities were ignored by the companies involved.

Target

Location: Iran
Date Breach First Reported: 4/16/2012

Incident

Method: Other
Type: Data breach

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In April 2012, a security researcher, Khosrow Zarefarid, dumped online the names, card numbers, and PINs of 3 million people across twenty-two Iranian banks after his reports on vulnerabilities were ignored by the companies involved. However, no funds were stolen in the breach. Google took down the blog containing the information, and the banks urged customers to change their PINs. Zarefarid maintained that he was a whistleblower rather than a hacker.

U.S. Financial Exchange DDoS Attacks

February 1

In February 2012, financial exchange operators Nasdaq, CBOE, and BATS were hit by DDoS attacks for several days, resulting in patchy access to company websites but with no disruptions to trading.

Target

Location: United States
Date Breach First Reported: 2/1/2012

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In February 2012, financial exchange operators Nasdaq, CBOE, and BATS were hit by DDoS attacks for several days, resulting in patchy access to company websites but with no disruptions to trading. The activist group Anonymous claimed responsibility for the incident, saying it acted out of sympathy for the Occupy Wall Street protests in New York.

Brazil Banks DDoS Attacks

January 30

In January 2012, the hacktivist collective Anonymous used DDoS attacks to bring down numerous Brazilian banking websites to protest corruption and inequality in the country.

Target

Location: Brazil
Date Breach First Reported: 1/30/2012

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In January 2012, the hacktivist collective Anonymous used DDoS attacks to bring down numerous Brazilian banking websites to protest corruption and inequality in the country. Banco do Brasil, Itaú Unibanco, Citibank, and Bradesco were among those affected by the #OpWeeksPayment campaign. The attackers reprised their campaign around the World Cup in 2014, which Brazil hosted.

Brazilian Payments System Attack

January 1

From 2012 to 2014, Boleto Bancario, a payments system used for almost half of non-cash transactions in Brazil, was targeted by malware that manipulated the victim’s browser to reroute payments to attacker-controlled accounts.

Target

Location: Brazil
Date Breach First Reported: 1/1/2012

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

From 2012 to 2014, Boleto Bancario, a payments system used for almost half of non-cash transactions in Brazil, was targeted by malware that manipulated the victim’s browser to reroute payments to attacker-controlled accounts. The technique compromised $3.75 billion in payments within a two-year period, using several different versions of malware including Eupuds, Boleteiro, and Domingo, according to researchers at RSA. The unidentified gang responsible later changed its “bolware” strategy to introduce DNS poisoning as a means to install the malware, lessening the need for spam emails to spread the malware.

2011

Citigroup Data Theft

June 8

In June 2011, Citigroup announced that 360,000 card details in the United States were exposed after attackers exploited a URL vulnerability that allowed them to hop between accounts by slightly changing the website address.

Target

Location: United States
Date Breach First Reported: 6/8/2011

Incident

Method: Other
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In June 2011, Citigroup announced that 360,000 card details in the United States were exposed after attackers exploited a URL vulnerability that allowed them to hop between accounts by slightly changing the website address. The attackers reportedly created a script that would repeat this action tens of thousands of times in order to harvest the information before they were detected by a routine check in early May. The attackers stole names, account numbers, and contact information but were not able to access the card security codes needed to clone the cards, Citigroup said. The bank later settled lawsuits with the states of California and Connecticut over the breach. The website vulnerability was present as early as 2008, according to Connecticut authorities.

Global Payments Breach

June 1

In June 2011, bank and retail payment processor Global Payments was hit by a major data breach.

Target

Location: United States
Date Breach First Reported: 6/1/2011

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In June 2011, bank and retail payment processor Global Payments was hit by a major data breach. The company said unknown attackers had stolen the details of around 1.5 million cards from a handful of servers, with enough information to counterfeit the cards although not customer names or addresses. Details of the intrusion remain scarce, although Vons supermarkets said it detected compromised prepaid credit cards around the same time that appeared related to the Global Payments breach. The incident prompted Mastercard and Visa to warn card-issuing banks about the potential fraud.

South Korea Attacked II

March 1

In March 2011, South Korea was hit by a widespread DDoS attack, almost two years after a similar campaign in 2009.

Target

Location: South Korea
Date Breach First Reported: 3/1/2011

Incident

Method: DDOS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In March 2011, South Korea was hit by a widespread DDoS attack, almost two years after a similar campaign in 2009. Targets included Hanabank, Jeilbank, and Wooribank as well as government websites and the network of U.S. Forces Korea. The Koredos Trojan was used to wipe disks on the computers used as command-and-control servers. North Korea is speculated to be behind the ten-day incident.

Multinational Prepaid Card Heist

February 27

In February 2011, a criminal gang breached at least three payment processors to take card information during a $55 million stealing spree.

Target

Location: Multiple
Date Breach First Reported: 2/27/2011

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In February 2011, a criminal gang breached at least three payment processors to take card information during a $55 million stealing spree. Once inside the processors’ networks, the gang used administrator privileges to steal card and PIN details and lift withdrawal limits. The U.S. authorities said the gang then sent the data to “cashing crews” worldwide, who used it to clone cards. The mules withdrew $10 million through 15,000 fraudulent ATM withdrawals in eighteen countries over the course of a weekend. The American Red Cross had distributed the original prepaid cards to disaster victims.

The gang’s second operation resulted in $5 million in withdrawals in twenty countries. In February 2013, the gang carried out its third and largest operation, taking just hours to withdraw $40 million from twenty-four countries.

A Turkish man named as the gang’s leader, Ercan Findikoglu, was jailed for eight years in the United States in 2017 after extradition from Germany. He has also been convicted in Turkey for conspiring to produce fake cards—with a nineteen-and-a-half-year sentence he is expected to serve upon release in the United States. Three other men were jailed in 2014.

Iranian DDoS Attacks on U.S. Banks

January 1

On March 24, 2016, the United States unsealed an indictment of seven Iranians allegedly responsible for the DDoS attacks targeting U.S. financial institutions across a two-year period on behalf of the Iranian government and Islamic Revolutionary Guard Corps.

Target

Location: United States
Date Breach First Reported: 1/1/2011

Incident

Method: DDOS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 24, 2016, the United States unsealed an indictment of seven Iranians allegedly responsible for the DDoS attacks targeting U.S. financial institutions across a two-year period on behalf of the Iranian government and Islamic Revolutionary Guard Corps. The indictment followed the landmark international deal to limit Iran’s nuclear capabilities in July 2015. Over forty-six financial organizations were targeted over the course of 176 days between December 2011 and mid-2013, the indictment said. The victims, which included Bank of America, the New York Stock Exchange, and Capital One, spent tens of millions of dollars to counteract the attacks, which at their height were occurring on a near-weekly basis.

The seven men were accused of managing several botnets of thousands of compromised computers that sent malicious traffic to victim websites, blocking access for legitimate users. They built the botnets by exploiting a known vulnerability in popular content management software to install malware. The men worked for two private computer security companies in Iran that allegedly performed tasks for the government. Several were also accused of belonging to hacking groups that claimed responsibility for attacks on NASA in February 2012.

The political fallout from the attack was far-reaching. The U.S. Treasury Department imposed sanctions against eleven individuals and organizations in September 2017 over their links to Iran, some of whom were accused of participating in the DDoS attack. Meanwhile, U.S. President Donald Trump announced the United States’ withdrawal from the Iran nuclear deal in May 2018.

Lebanese Banks Espionage Operation

January 1

In early 2011, a virus named Gauss was used to steal inside information from multiple Lebanese banks.

Target

Location: Lebanon
Date Breach First Reported: 1/1/2011

Incident

Method: Malware
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In early 2011, a virus named Gauss was used to steal inside information from multiple Lebanese banks. Gauss, which bore resemblances to the Flame and Stuxnet malware, stole passwords, banking credentials, and browser cookies from infected devices. Most of the 2,500 infections detected by researchers at Kaspersky were on personal computers in Lebanon. News outlets have speculated that this cyber surveillance tool was designed by the U.S. and Israeli governments to circumvent Lebanon’s strict banking secrecy laws, which have made it difficult for global authorities to access information of suspected wrongdoing. These speculations were fueled by a statement made by the United States in March 2011, accusing a Lebanese bank of laundering money for a Mexican drug ring with links to Hezbollah.

2010

U.S. Federal Reserve Bank of Cleveland Breach

November 19

On October 21, 2010, a Malaysian national was arrested by the Secret Service for hacking into the Federal Reserve Bank of Cleveland and a range of other U.S. firms.

Target

Location: United States
Date Breach First Reported: 11/19/2010

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On October 21, 2010, a Malaysian national was arrested by the Secret Service for hacking into the Federal Reserve Bank of Cleveland and a range of other U.S. firms. He had stolen over 400,000 credit and debit card numbers. The Federal Reserve said the hacker had reached only test computers and that none of its production data was accessed, but the intrusion still caused thousands of dollars in damage. Several organizations, including Fed Comp, a data processor for federal credit unions, were breached. The Malaysian national was jailed for ten years for running the scheme. The U.S. central banking system is a prominent target for attackers: records obtained by Reuters showed that the Federal Reserve’s Washington-based Board of Governors detected more than fifty breaches between 2011 and 2015.

Nasdaq Intrusion

October 1

In October 2010, the FBI detected an intrusion on servers used by financial markets operator Nasdaq.

Target

Location: United States
Date Breach First Reported: 10/1/2010

Incident

Method: Malware
Type: Data breach, disruption

Actor

Type: Multiple
Attribution: Speculated

Description

In October 2010, the FBI detected an intrusion on servers used by financial markets operator Nasdaq. Further investigation by several U.S. agencies found that hackers had been in the network for around a year. They had used two zero-day exploits to build their presence in the stock exchange’s network, and planted malware on the Director’s Desk system, where directors of publicly held companies share confidential information. Nasdaq said no data was taken, and there was reportedly no evidence of suspicious trades that could be based on information in the system. The malware also included a destructive capability, but it is unclear whether disruption was a goal or simply a tool the attackers might use to cover their tracks.

At the same time, a group of criminals penetrated Nasdaq in an incident that some investigators believed was linked. In 2013, following a sprawling investigation, the United States charged four Russians and a Ukrainian man with a string of online break-ins at Nasdaq and other companies dating back to 2005. Carrefour, 7-Eleven, Heartland Payment Systems, and JC Penney were among their other targets, together losing $300 million as a result of the scheme. Breaching Heartland exposed more than 100 million payment cards, ultimately costing the firm $12 million in fines and fees.

The gang was said to have found a vulnerability in the password-reminder page of the Nasdaq site that enabled it to steal information, including hashed passwords, from the firm’s SQL servers.

Two men were jailed in 2018 for twelve years and four years, respectively, for their roles in the gang. The pair helped steal more than 160 million credit card numbers from the companies they breached, according to U.S. prosecutors, using techniques such as “war-driving,” or traveling with a laptop to pick up the signal from unsecured networks. These details were sold via middlemen to “cashers,” who used the information to create cloned cards. Albert Gonzalez, an American known online as Soupnazi, was jailed in 2009 for twenty years. The other indicted men are still at large.

PNC Bank ATM Skimming

April 15

In mid-2010, it was reported that over $200,000 in fraudulent transactions took place in New York and Washington, DC.

Target

Location: United States
Date Breach First Reported: 4/15/2010

Incident

Method: Other
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In mid-2010, it was reported that over $200,000 in fraudulent transactions had taken place in New York and Washington, DC. The transactions were traced back to compromised accounts and withdrawals in Pittsburgh. Two Romanians were jailed for bank fraud, access device fraud, and aggravated identity theft. While this was one of the first instances of ATM skimming for card details in the United States, the technique was already widespread in Eastern Europe.

Charles Schwab Hack

April 7

In mid-2010, a Russian national based in New York was jailed for three years for stealing and laundering more than $246,000 through Charles Schwab brokerage accounts in 2006.

Target

Location: United States
Date Breach First Reported: 4/7/2010

Incident

Method: Keylogging
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In mid-2010, a Russian national based in New York was jailed for three years for stealing and laundering more than $246,000 through Charles Schwab brokerage accounts in 2006. The hacker accessed the accounts through a keylogging Trojan, which captured the information of 180 credit cards. The hacker and his accomplices sent a portion of the proceeds back to co-conspirators in Russia, according to the FBI.

Bank of America ATM Fraud

April 1

In 2010, a Bank of America employee was charged with computer fraud after installing malware on 100 ATMs to steal $304,000 over seven months, in an early example of ATM “jackpotting.”

Target

Location: United States
Date Breach First Reported: 4/1/2010

Incident

Method: Other
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In 2010, a Bank of America employee was charged with computer fraud after installing malware on 100 ATMs to steal $304,000 over seven months, in an early example of ATM “jackpotting.” The man was jailed for twenty-seven months after admitting to writing code that ordered the ATMs to issue cash without recording the transaction. He made the withdrawals over those seven months, stopping in October 2009 when Bank of America’s internal control systems spotted the suspicious transactions.
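Cash that leaves an ATM with no journal entry is exactly what a dispenser-versus-journal reconciliation is built to catch. The following added example (not code from the original page or from Bank of America) joins each machine's cassette counters against its transaction journal and reports machines whose dispensed cash is not explained by recorded transactions; a negative gap, where the journal claims more than the hardware paid out, is reported too, since it points at fabricated or replayed records. The record layouts, amounts and tolerance are constructed assumptions.

```python
"""Reconcile ATM dispenser counters against the transaction journal and flag
machines whose cash movement has no matching recorded transactions.

Added example; the record formats and all figures below are constructed."""
from collections import defaultdict

# Constructed dispenser telemetry: (atm_id, cassette_start_cents, cassette_end_cents)
DISPENSER_COUNTS = [
    ("ATM-01", 2_000_000, 1_880_000),  # $1,200 left the cassette
    ("ATM-02", 2_000_000, 1_950_000),  # $500 left the cassette
    ("ATM-03", 1_500_000, 1_500_000),  # nothing dispensed
    ("ATM-04", 1_000_000, 990_000),    # $100 left the cassette
]
# Constructed journal: (atm_id, txn_id, amount_cents)
JOURNAL = [
    ("ATM-01", "T1", 20_000), ("ATM-01", "T2", 40_000), ("ATM-01", "T3", 20_000),
    ("ATM-02", "T4", 50_000),
    ("ATM-04", "T5", 20_000),  # journal says $200, hardware says $100
]
TOLERANCE_CENTS = 0  # assumed: any unexplained movement is reportable


def reconcile(dispenser_counts, journal, tolerance=TOLERANCE_CENTS):
    """Returns {atm_id: unexplained_cents}.  Positive: cash left the cassette
    with no journal entry (the jackpotting pattern).  Negative: the journal
    records more than was dispensed (fabricated or replayed records)."""
    journaled = defaultdict(int)
    for atm_id, _txn, amount in journal:
        journaled[atm_id] += amount
    gaps = {}
    for atm_id, start, end in dispenser_counts:
        dispensed = start - end
        diff = dispensed - journaled[atm_id]
        if abs(diff) > tolerance:
            gaps[atm_id] = diff
    return gaps


def suspicious_atms(dispenser_counts, journal, tolerance=TOLERANCE_CENTS):
    """Sorted list of machines that fail reconciliation."""
    return sorted(reconcile(dispenser_counts, journal, tolerance))


if __name__ == "__main__":
    for atm, gap in reconcile(DISPENSER_COUNTS, JOURNAL).items():
        print(f"{atm}: unexplained {gap / 100:+.2f} USD")
```

Running this daily per machine, rather than only at cassette replenishment, shortens the window an insider has before a gap is noticed; here the control is the comparison of two independent records, one from the dispenser hardware and one from the transaction system the attacker could influence.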

National City Bank Breach

March 18

In early 2010, National City Bank identified a number of former debit accounts that had been compromised.

Target

Location: United States
Date Breach First Reported: 3/18/2010

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In early 2010, National City Bank identified a number of former debit accounts that had been compromised. The breach was only discovered after PNC Financial Services acquired the bank in 2008, highlighting the importance of assessing cybersecurity during large mergers and acquisitions. While the new owners announced the breach, they did not reveal the number of customers affected or the amount of money stolen.

Morgan Stanley Break-In

February 28

Morgan Stanley detected a very sensitive network break-in that lasted six months in 2009, according to leaked emails.

Target

Location: United States
Date Breach First Reported: 2/28/2010

Incident

Method: Unknown
Type: Data breach, theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

Morgan Stanley detected a very sensitive network break-in that lasted six months in 2009, according to leaked emails. The bank believed the incident was part of Operation Aurora, carried out by the same state-sponsored attackers that targeted Google, Rackspace, Northrop Grumman, and Yahoo earlier that year.

Latvian Bank Leak

February 24

In early 2010, a hacker leaked financial details of banks, tax records, and state-owned firms to a TV station, to raise public awareness of lucrative public sector salaries during a period of austerity in Latvia.

Target

Location: Latvia
Date Breach First Reported: 2/24/2010

Incident

Method: Unknown
Type: Data breach

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In early 2010, a hacker leaked financial details of banks, tax records, and state-owned firms to a TV station, to raise public awareness of lucrative public sector salaries during a period of austerity in Latvia. Ilmars Poikans, an IT researcher who used the alias Neo, was arrested shortly afterward and sentenced in 2015 to community service for accessing 7.5 million tax records. He was pardoned in December 2017.

2009

South Korea and United States Attacked

July 4

In July 2009, financial institutions in the United States and South Korea were among several targets of a widespread DDoS attack.

Target

Location: United States and South Korea
Date Breach First Reported: 7/4/2009

Incident

Method: DDOS
Type: Disruption

Actor

Type: National government
Attribution: Speculated

Description

In July 2009, financial institutions in the United States and South Korea were among several targets of a widespread DDoS attack. The incident, which began over a U.S. holiday weekend, comprised three waves of attacks spanning six days. The botnet of up to 65,000 compromised computers blocked and slowed government and commercial websites for several hours at a time. The New York Stock Exchange website was reportedly affected, as well as those for the Nasdaq, the White House, and the Washington Post. Several days later, the sites of Shinhan Bank, the newspaper Chosun Ilbo, and the National Assembly were hit in South Korea. In total, around thirty-five sites were targeted by the attacks. Researchers estimated that the botnet generated 23 megabits of data per second, not enough to cause long-lasting disruption to the targeted sites. The malware spread through email and carried a time bomb in its code set to trigger on July 10, when it would overwrite the victim’s hard drive with the string “Memory of the Independence Day.” This destroyed the master boot record and made the device unusable. While no one was publicly identified as responsible for the attack, South Korean intelligence suspected it was the work of a specific criminal or state-sponsored organization.

Zeus Malware Attacks

March 1

Between 2007 and 2011, a Trojan malware known as Zeus was used in numerous criminal operations to steal data on Windows devices.

Target

Location: Multiple
Date Breach First Reported: 3/1/2009

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

Between 2007 and 2011, a Trojan malware known as Zeus was used in numerous criminal operations to steal data on Windows devices. Zeus was widely traded on criminal forums as a way to harvest online credentials. Its source code was made public in 2011 after its purported creator announced his retirement, which allowed multiple versions to spread. The Trojan included a keylogger that recorded bank login credentials and a botnet that executed attacks using infected devices.

In March 2009, a security firm discovered an online data trove of stolen information from 160,000 computers infected by Zeus malware, including devices at Metro City Bank. A criminal gang also used Zeus in a global scheme to wire millions of dollars from five banks to overseas accounts, according to U.S. and UK officials who made more than 100 arrests in October 2010. The gang recruited mules to launder the stolen funds and withdraw money from ATMs around the world.

The variant Gameover Zeus was controlled by a group of hackers in Russia and Ukraine from October 2011 onward, according to the FBI. Among its many uses was as a platform to infect systems with Cryptolocker ransomware. Operation Tovar, an international law enforcement effort in June 2014, resulted in the seizure of key Gameover Zeus infrastructure and the release of up to 1 million victim machines from the botnet. The authorities believe the gang stole more than $100 million. The Russian man accused of authoring both Zeus and Gameover Zeus remains at large.

Skimer ATM Malware Attack

March 1

In 2009, security researchers discovered Skimer, an advanced multifunctional malware employed in several ATM heists across the world.

Target

Location: Multiple
Date Breach First Reported: 3/1/2009

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In 2009, security researchers discovered Skimer, an advanced multifunctional malware employed in several ATM heists across the world. Skimer is capable of executing over twenty malicious commands, including withdrawing ATM funds and collecting customer information such as bank account numbers and payment card PINs. To install Skimer, attackers had to gain physical or network access to the ATMs and plant backdoors in the device’s Windows operating system. The attackers could then silently siphon card numbers and customer information for later use in fraudulent transactions. Once the attackers entered the correct activation details on the ATM PIN pad, Skimer presented a control panel from which they could execute multiple commands, from cashing out the ATM to deleting traces of the infection from the system. The malware has continued to evolve, with later variants still in use around the world.

2008

RBS WorldPay Hack

November 1

Toward the end of 2008, Atlanta-based credit card processing company RBS WorldPay was breached by an international crime ring.

Target

Location: United States
Date Breach First Reported: 11/1/2008

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

Toward the end of 2008, Atlanta-based credit card processing company RBS WorldPay was breached by an international crime ring. The group used sophisticated hacking techniques to break the encryption RBS WorldPay used to protect customer data on payroll debit cards. With the encryption bypassed, the group created counterfeit payroll debit cards and raised their account limits. The group employed a network of individuals to use the cards to withdraw over $9 million from more than 2,100 ATMs in at least 280 cities worldwide. The investigation of the incident identified over 1.5 million customers whose confidential information was compromised. Individuals in Russia, Moldova, Nigeria, and Estonia were indicted over the hack in 2009. To date, U.S. authorities have charged fourteen men.

United Arab Emirates ATM Fraud

September 9

In September 2008, six banks in the UAE alerted customers to change their PINs after concerns over a spike in ATM fraud in the region.

Target

Location: Middle East
Date Breach First Reported: 9/9/2008

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In September 2008, six banks in the UAE alerted customers to change their PINs after concerns over a spike in ATM fraud in the region. HSBC, one of the affected banks, said the move was in response to counterfeit ATM card usage from abroad, highlighting an early case of financial attacks operating on an international scale.

Russian Cyber Attacks on Georgia

July 20

Between July and August, Georgia became the victim of a coordinated defacement and DDoS campaign that disrupted government and bank websites during the lead up to a war with Russia.

Target

Location: Georgia
Date Breach First Reported: 7/20/2008

Incident

Method: Multiple
Type: Disruption

Actor

Type: National government
Attribution: High confidence

Description

Between July and August, Georgia became the victim of a coordinated defacement and DDoS campaign that disrupted government and bank websites during the lead up to a war with Russia. The first incident occurred on July 20, when the website of then Georgian president Mikheil Saakashvili was disrupted by a DDoS attack, just weeks before Russia invaded the country. The DDoS attack was directed using a strain of Pinch malware frequently used in Russia, which flooded websites with traffic that included the phrase “win love in Russia.”

As part of the conflict and war that took place from August 7 to 12, 2008, numerous Georgian government and media sites were defaced and disrupted, including depictions of Saakashvili next to Hitler on the president’s website. The only impact on the financial sector throughout this campaign was the defacement of the National Bank of Georgia’s website. A group by the name of South Ossetia Hack Crew claimed responsibility for the attacks. However, Georgia would later attribute the attack to the Russian government, which denied the allegations.

HSBC Insider Fraud

July 7

On April 18, a clerk at HSBC’s headquarters in London fraudulently wired €90 million to accounts in Manchester and Morocco.

Target

Location: United Kingdom
Date Breach First Reported: 7/7/2008

Incident

Method: Other
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On April 18, a clerk at HSBC’s headquarters in London fraudulently wired €90 million to accounts in Manchester and Morocco. The employee used passwords stolen from colleagues to execute two transactions on a Friday afternoon. He was caught when he forgot to leave the original accounts with zero balances, which HSBC staff in Malaysia spotted over the weekend. He was jailed for nine years, and the money was returned to its owners. Investigators in the UK would later uncover the gang that masterminded the fraud.

Citibank ATM Theft

July 1

In early 2008, a Russian hacking ring stole $2 million after penetrating a network of Citibank-affiliated ATMs across New York City.

Target

Location: United States
Date Breach First Reported: 7/1/2008

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In early 2008, a Russian hacking ring stole $2 million after penetrating a network of Citibank-affiliated ATMs across New York City. The group gained access to a server that processed ATM withdrawals within 7-Eleven stores. This enabled them to steal debit card numbers and PINs from 2,200 machines, which they used to withdraw the $2 million. Three members of the group were arrested and pleaded guilty to numerous counts of fraud and conspiracy later that year. Investigators later linked this theft to a global network of hackers that had stolen card information as early as 2005. A hacker identified as the ringleader by authorities was jailed in 2010. He would also be linked to the Nasdaq intrusion two years later.

Société Générale Rogue Trader

January 1

In January 2008, a junior trader at the French bank Société Générale executed fraudulent transactions to cover up $7.2 billion in losses from risky futures trades.

Target

Location: France
Date Breach First Reported: 1/1/2008

Incident

Method: Insider threat
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In January 2008, a junior trader at the French bank Société Générale executed fraudulent transactions to cover up $7.2 billion in losses from risky futures trades. The rogue trader hid his losses by booking fake offsetting trades on colleagues’ accounts and using knowledge from his previous role in the back office to alter internal risk controls so he would not trigger internal alerts. At one point, the portfolio of unauthorized trades was worth over €50 billion, approximately the same value as the entire firm. The employee was arrested and sentenced to three years in prison in 2010. The bank suffered one of the biggest trading losses on record due to the incident, and the French banking regulator imposed a $6 million penalty for its lax controls.

2007

DA Davidson Data Breach

December 25

On December 25–26, 2007, confidential information from 192,000 customers was stolen from financial services holding company DA Davidson.

Target

Location: United States
Date Breach First Reported: 12/25/2007

Incident

Method: SQL injection
Type: Data breach

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On December 25–26, 2007, confidential information from 192,000 customers was stolen from financial services holding company DA Davidson. Attackers used a SQL injection against the brokerage’s website over the Christmas holiday to access customer records. The breach was discovered after the perpetrators attempted to blackmail the firm several weeks later. The U.S. Secret Service launched an investigation that identified four suspects, three of whom were Latvian nationals, who were extradited from the Netherlands to face charges in the United States. Following the breach, the Financial Industry Regulatory Authority issued a $375,000 fine to DA Davidson for its failure to protect confidential customer information.
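Both the DA Davidson breach above and the Nasdaq password-reminder page described under the 2010 Nasdaq intrusion come down to the same defect: user input concatenated into a SQL statement. The following added example (not code from the original page or from either firm) builds a small customer table in an in-memory SQLite database, shows a lookup that is injectable with a tautology payload and with a UNION payload that pulls a column the page never meant to expose, and shows the parameterized form that closes the hole. The table, column names and rows are constructed for the demo.

```python
"""SQL injection against a customer-record lookup, beside the parameterized
query that prevents it.  Uses an in-memory SQLite table.

Added example; the schema and rows are constructed."""
import sqlite3


def make_db():
    """Constructed customer table with one sensitive column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, email TEXT, ssn_last4 TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "ann@example.com", "1111"),
        (2, "ben@example.com", "2222"),
        (3, "cat@example.com", "3333"),
    ])
    return db


def lookup_vulnerable(db, email):
    """Builds the statement by string formatting, so the caller's input is
    parsed as SQL.  This is the defect behind the breaches discussed above."""
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return db.execute(sql).fetchall()


def lookup_fixed(db, email):
    """Parameter binding: the input travels as data and is never parsed as SQL,
    so the same payloads simply match no row."""
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


# Tautology payload: closes the quoted string, ORs in an always-true condition,
# and comments out the trailing quote the template would otherwise leave.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1' -- "

# UNION payload: appends a second SELECT with the same column count, swapping
# the sensitive column into the position the page displays as "email".
UNION_PAYLOAD = "x' UNION SELECT id, ssn_last4 FROM customers -- "


def dump_all_rows(db):
    """Every row, through the vulnerable lookup."""
    return lookup_vulnerable(db, TAUTOLOGY_PAYLOAD)


def dump_sensitive_column(db):
    """The ssn_last4 column, through the vulnerable lookup."""
    return sorted(lookup_vulnerable(db, UNION_PAYLOAD))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", dump_all_rows(db))
    print("vulnerable, union:    ", dump_sensitive_column(db))
    print("fixed, same payload:  ", lookup_fixed(db, TAUTOLOGY_PAYLOAD))
```

The fix is binding, not escaping: every database driver exposes placeholders, and a query built from placeholders cannot be reshaped by its arguments. Input validation on the email field is still worthwhile, but only as defense in depth, since the UNION payload shows that a value which "looks like" an address is not the attacker's only option.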

TD Ameritrade Data Breach

September 14

On September 14, 2007, online brokerage firm TD Ameritrade revealed that its database was the target of a data breach that led to the theft of 6.3 million customer account records.

Target

Location: United States
Date Breach First Reported: 9/14/2007

Incident

Method: Phishing
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On September 14, 2007, online brokerage firm TD Ameritrade revealed that its database was the target of a data breach that led to the theft of 6.3 million customer account records. The attackers gained access to Ameritrade’s database via investment-themed phishing emails. According to Ameritrade, sensitive data in the database, such as social security numbers, were not accessed during the breach. No identity theft was detected in the aftermath of the breach. However, customers did report receiving spam emails. The FBI and U.S. financial regulators investigated the incident, but no arrests were reported. On September 13, 2011, TD Ameritrade agreed to pay customers $6.5 million to settle a class action suit in relation to the breach.

Estonian DDoS Attacks

April 26

Following the contentious relocation of a Soviet-era statue in Tallinn, Estonia fell victim to a series of coordinated DDoS attacks against government, bank, university, and newspaper websites that lasted three weeks.

Target

Location: Estonia
Date Breach First Reported: 4/26/2007

Incident

Method: DDoS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

Following the contentious relocation of a Soviet-era statue in Tallinn, Estonia fell victim to a series of coordinated DDoS attacks against government, bank, university, and newspaper websites that lasted three weeks. The attacks began on April 26, when government and political party email servers and websites were disrupted. The following week, a second wave began that disrupted access to Estonian news websites. The final wave, which began on May 9, was the heaviest and targeted the Estonian banking sector. The attack forced two major Estonian banks to suspend online banking, disabling bank card transactions and ATM withdrawals. The disruption did not end until the attackers’ botnet contracts expired on May 19. The attacks were carried out by Russian hacktivists communicating openly on Russian-language chatrooms, where users shared precise instructions on how to conduct the attacks. Estonia accused the Russian government of ordering the attacks but was unable to produce definitive proof.
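The DDoS campaigns in this timeline, from the Estonian attacks above to the Iranian botnet attacks on U.S. banks, all look the same at the victim's edge: request volume and the number of distinct sources climb far past the site's baseline. The following added example (not code from the original page or from any of the named victims) is the first-pass detection a practitioner would run over web-server logs: bucket requests per target host into fixed windows, flag windows whose request rate or distinct-source count exceeds a baseline, and list the heaviest sources for blocking. The log format, window size, thresholds and all traffic are constructed for the demo.

```python
"""Flood detection over web access logs: per-host request rate and distinct
source count per fixed time window, against a configured baseline.

Added example; log lines are constructed in a simplified format
'<epoch-seconds> <client-ip> <host> <request>'."""
from collections import Counter, defaultdict

WINDOW = 10  # seconds per bucket (assumed; tune to the site's normal traffic)


def parse_line(line):
    ts, ip, host, _req = line.split(" ", 3)
    return int(ts), ip, host


def bucket_stats(lines, window=WINDOW):
    """Returns {(host, bucket_start): (request_count, distinct_sources)}."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        ts, ip, host = parse_line(line)
        key = (host, ts - ts % window)
        counts[key] += 1
        sources[key].add(ip)
    return {k: (counts[k], len(sources[k])) for k in counts}


def flag_floods(lines, max_rps, max_sources, window=WINDOW):
    """Flag a (host, window) when the request rate or the number of distinct
    client addresses is above the baseline.  A botnet flood is many sources
    each sending a little, so the source count is the more telling signal;
    a single abusive client shows up on the rate alone."""
    flagged = []
    for (host, start), (n, srcs) in sorted(bucket_stats(lines, window).items()):
        if n / window > max_rps or srcs > max_sources:
            flagged.append({"host": host, "window_start": start,
                            "requests": n, "sources": srcs})
    return flagged


def top_sources(lines, host, limit=3):
    """Heaviest client addresses for one host, for blocking or rate limiting."""
    c = Counter(ip for _ts, ip, h in map(parse_line, lines) if h == host)
    return c.most_common(limit)


def constructed_log():
    """Two quiet windows of ordinary traffic to two hosts, then a ten-second
    burst of 400 requests to bank.example from 200 distinct addresses."""
    lines = []
    for t in range(20):
        lines.append(f"{1000 + t} 203.0.113.{t % 5 + 1} bank.example GET /")
        lines.append(f"{1000 + t} 198.51.100.{t % 3 + 1} shop.example GET /")
    for i in range(400):
        lines.append(f"{1020 + i % 10} 192.0.2.{i % 200} bank.example GET /login")
    return lines


if __name__ == "__main__":
    for hit in flag_floods(constructed_log(), max_rps=5, max_sources=50):
        print(hit)
```

The baseline thresholds are the weak point of any such rule: set them from the site's own history (for example, the 99th percentile of the last month's windows) rather than by guesswork, and key the rate rule on source address as well as host so that one noisy client does not look like a botnet.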

About the Timeline

The timeline is based on data compiled for a 2017 Carnegie white paper in addition to data provided by BAE Systems. Incidents that occurred after 2017 are based on data BAE Systems shares with Carnegie on a monthly basis and are subsequently added to the timeline. The incidents are coded using several indicators and can be filtered accordingly:

  1. incident type;
  2. target location, which includes information about the physical location of the victim(s);
  3. actor type, which includes information about the attacker to the extent known;
  4. attribution, which includes an assessment of the level of confidence in the information about the attacker; and
  5. other details about the incident summarized in a short narrative text.

With respect to associating a specific date with a cyber incident, which may be part of a longer cyber operation, the dates for each event are chosen intuitively, using either the starting date/month of the incident, if known, or the date when the incident was first reported. For further questions about the methodology, please contact the team.

Developed in association with BAE Systems.