Timeline of Cyber Incidents Involving Financial Institutions

About the Timeline

The timeline tracks cyber incidents involving financial institutions dating back to 2007. It is based on Carnegie research and on data that BAE Systems's threat intelligence team shares with Carnegie each month, which is then added to the timeline. Incidents are coded using several indicators and can be filtered accordingly:

  1. incident type;
  2. target country and target region, which include information about the physical location of the victim(s);
  3. actor type, which includes information about the attacker to the extent known;
  4. attribution, which includes an assessment of the level of confidence in the information about the attacker; and
  5. other details about the incident summarized in a short narrative text.

Associating a specific date with a cyber incident, which may be part of a longer cyber operation, involves judgment: the date for each event is either the starting date/month of the incident, if known, or the date on which the incident was first reported. For further questions about the methodology, please contact the team.

When citing this resource, please use the following format:

Carnegie Endowment for International Peace and BAE Systems. Timeline of Cyber Incidents Involving Financial Institutions. FinCyber Initiative, Carnegie Endowment for International Peace. https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline (access date).

About the FinCyber Timeline

This timeline chronicles ~200 cyber incidents targeting financial institutions since 2007, and can be filtered by country, region, year, attribution, incident type, and actor type. Cybersecurity risks to the financial system have grown in recent years, in part because the cyber threat landscape is worsening; in particular, state-sponsored cyberattacks targeting financial institutions are becoming more frequent, sophisticated, and destructive. In 2017, the G20 warned that cyberattacks could “undermine the security and confidence and endanger financial stability.”

To keep track of the evolution of the threat landscape, Carnegie's Cyber Policy Initiative updates this timeline with data provided by the Cyber Threat Intelligence unit of BAE Systems. The timeline is not designed to cover every single incident but rather to provide insight into key trends and how the threat landscape is evolving over time.

2020

Scotiabank Data Breach

July 21

On July 21, Scotiabank warned "a limited number" of customers of a data breach after a Scotiabank employee accessed client accounts without a valid business reason.

Target

Location: Canada
Date Breach First Reported: 7/21/20

Incident

Method: Other
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On July 21, Scotiabank warned "a limited number" of customers of a data breach after a Scotiabank employee accessed client accounts without a valid business reason.

Emotet Spreading QakBot Banking Malware

July 21

On July 21, researchers observed Emotet, a well-known botnet, spreading the QakBot banking trojan at an unusually high rate.

Target

Location: N/A
Date Breach First Reported: 7/21/20

Incident

Method: Malware
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

On July 21, researchers observed Emotet, a well-known botnet, spreading the QakBot banking trojan at an unusually high rate. QakBot had recently replaced TrickBot, Emotet's long-standing secondary payload.

Kattana Crypto App Malware

July 16

On July 16, researchers discovered GMERA malware embedded within Kattana, a cryptocurrency app, being used to steal wallet information.

Target

Location: N/A
Date Breach First Reported: 7/16/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 16, researchers discovered GMERA malware embedded within Kattana, a cryptocurrency app, being used to steal wallet information.

Famous Twitter Accounts Hijacked for Bitcoin

July 15

On July 15, several high-profile Twitter accounts, including those of Joe Biden and Elon Musk, were hijacked to post a Bitcoin address with a promise to double any funds sent to it.

Target

Location: United States
Date Breach First Reported: 7/15/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 15, several high-profile Twitter accounts, including those of Joe Biden and Elon Musk, were hijacked to post a Bitcoin address with a promise to double any funds sent to it. The spear phishing operation targeted Twitter employees and gained access to internal admin-level tools; in all, the attackers took in more than $113,500.

On July 31, a 17-year-old suspect related to the recent Twitter Bitcoin scam was arrested in Florida.

Argenta ATM Attack

July 13

On July 13, Argenta, a Belgian savings bank, shut down 143 cash machines after a cyberattack by unknown criminals.

Target

Location: Belgium
Date Breach First Reported: 7/13/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 13, Argenta, a Belgian savings bank, shut down 143 cash machines after a cyberattack by unknown criminals. The attack was self-reported by Argenta, which declined to say how much money was affected. The criminals attempted 'jackpotting', a technique in which an attacker takes control of an ATM and makes it dispense cash.

Spanish Crypto App Malware

July 12

In July 2020, Avast found Cerberus banking malware hidden in a cryptocurrency converter app used to infect Android devices.

Target

Location: N/A
Date Breach First Reported: 7/12/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In July 2020, Avast found Cerberus banking malware hidden in a cryptocurrency converter app used to infect Android devices.

The app, used primarily by Spanish-speaking users, contained a dropper that later activated to download a second, malicious APK. Shortly afterwards the malicious command-and-control (C&C) communication ceased and the malware became dormant and harmless again. The app had amassed thousands of downloads before it was taken down.

SEC Warning of Ransomware Attacks on US Banks

July 10

On July 10, the SEC issued a warning about a rise in ransomware attacks on U.S. financial firms.

Target

Location: United States
Date Breach First Reported: 7/10/20

Incident

Method: Ransomware
Type: Theft

Actor

Type: N/A
Attribution: N/A

Description

On July 10, the SEC issued a warning about a rise in ransomware attacks on U.S. financial firms. These attacks focus first on gaining access to the company's network and then on deploying ransomware, and have targeted firms across the financial services sector.

GoldenSpy Malware in Chinese Tax Software

June 25

On June 25, 2020, researchers identified a new backdoor trojan, dubbed 'GoldenSpy,' in Chinese tax software.

Target

Location: China
Date Breach First Reported: 6/25/20

Incident

Method: Multiple
Type: Multiple

Actor

Type: Speculated
Attribution: Speculated

Description

On June 25, 2020, researchers identified a new backdoor trojan, dubbed 'GoldenSpy,' in Chinese tax software. Shortly after the discovery, the actors behind it delivered a silent uninstaller to remove all traces of the malware. While attribution remains unknown, researchers speculated that the operation has the characteristics of a coordinated APT campaign focused on foreign companies operating in China.

Researchers subsequently uncovered an earlier campaign, using a predecessor with similar capabilities called 'GoldenHelper,' that was also distributed with Chinese tax software to infect taxpayers within China.

IcedID Banking Trojan Using COVID-19 lures

June 22

On June 22, 2020, researchers identified a new variant of the IcedID banking trojan that uses COVID-19 related phishing lures.

Target

Location: N/A
Date Breach First Reported: 6/22/20

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On June 22, 2020, researchers identified a new variant of the IcedID banking trojan that uses COVID-19 related phishing lures. The new variant uses steganography to hide its payload and comes equipped with fresh anti-detection capabilities.

European Bank Targeted by Large DDoS Attack

June 21

On June 21, 2020, a large unidentified European bank was the target of a massive DDoS attack that sent 809 million packets per second at its network.

Target

Location: N/A
Date Breach First Reported: 6/23/20

Incident

Method: DDoS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On June 21, 2020, a large unidentified European bank was the target of a massive DDoS attack that sent 809 million packets per second at its network. Akamai, a global content delivery network and IT services provider, called the attack the "largest ever recorded" on its platform, but reported it was able to mitigate the attack against the undisclosed customer.

Coincheck Data Breach

June 4

On June 4, 2020 Coincheck, a Japanese digital currency exchange, paused remittances after unknown attackers gained access to Coincheck's domain registry service and fraudulently obtained user email addresses as well as personal data.

Target

Location: Japan
Date Breach First Reported: 6/4/20

Incident

Method: Other
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On June 4, 2020 Coincheck, a Japanese digital currency exchange, paused remittances after unknown attackers gained access to Coincheck's domain registry service and fraudulently obtained user email addresses as well as personal data.

Banco BCR Data Breach

May 21

On May 21, 2020, the operators of the Maze Ransomware released 2GB of data, including credit card credentials, from Banco BCR, the state-owned Bank of Costa Rica.

Target

Location: Costa Rica
Date Breach First Reported: 5/23/20

Incident

Method: Ransomware
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

On May 21, 2020, the operators of the Maze Ransomware released 2GB of data, including credit card credentials, from Banco BCR, the state-owned Bank of Costa Rica. Notably, the attackers claimed they decided not to encrypt Banco BCR data with ransomware because “the possible damage was too high.”

Three weeks earlier, on May 1, 2020, the operators announced that they had breached Banco BCR, first in August 2019 and again in February 2020, at which point they stole 11 million credit card credentials and other data.

Indian Mobile Banking Apps Malware

May 14

On May 14, CERT-In, India’s national CERT, released a warning that a mobile banking malware called 'EventBot' that steals personal financial information was affecting Android users in India.

Target

Location: India
Date Breach First Reported: 5/14/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On May 14, CERT-In, India’s national CERT, released a warning that a mobile banking malware called 'EventBot' that steals personal financial information was affecting Android users in India.

EventBot is a mobile banking Trojan that targets over 200 financial applications, money-transfer services and cryptocurrency wallets across the US, Europe, and now India. It steals user data from financial applications, reads user SMS messages, and intercepts SMS messages to bypass 2FA.

Norfund Business Email Compromise

May 13

On May 13, Norfund, Norway's state investment fund, was subject to a $10 million heist that involved business email compromise.

Target

Location: Norway
Date Breach First Reported: 5/14/20

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On May 13, Norfund, Norway's state investment fund, was subject to a $10 million heist that involved business email compromise. Scammers were able to gain access to the email system, which allowed them to actively monitor internal communications.

The attackers spent months doing reconnaissance in Norfund’s email system to design their fraudulent scheme. According to Norfund, they “manipulated and falsified information exchange between Norfund and the borrowing institution,” resulting in the attackers intercepting a $10 million loan that was meant for a microfinance institution in Cambodia.

Diebold Nixdorf Ransomware Attack

May 11

On May 11, 2020, American ATM manufacturer Diebold Nixdorf was hit by a ransomware attack that caused 'a limited IT systems outage'.

Target

Location: United States
Date Breach First Reported: 5/11/20

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On May 11, 2020, American ATM manufacturer Diebold Nixdorf was hit by a ransomware attack that caused 'a limited IT systems outage'. ATMs were not affected.

While the company did not give any details, additional reporting suggests that the ransomware in question might have been 'ProLock', the successor of 'PwndLocker'. ProLock has been observed gaining initial access through QakBot infections and through internet-exposed Remote Desktop Protocol (RDP) servers with weak credentials.

North Korean Web Skimming Attacks

April 23

On April 23, it was reported that North Korean hackers had been using web skimming malware to steal payment card details from online stores since at least May 2019.

Target

Location: Serbia, Montenegro, Croatia, Slovenia, Bosnia and Herzegovina
Date Breach First Reported: 4/23/20

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On April 23, it was reported that North Korean hackers had been using web skimming malware to steal payment card details from online stores since at least May 2019. The attacks appear to be focused on the Balkans. The impact is not clear, but the technique was simple enough to be used repeatedly against a single target.

dForce Cryptocurrency Attack and Return

April 21

On April 21, 2020 an attacker stole $25 million in Ethereum, a popular cryptocurrency, from the dForce platform, a cryptocurrency firm, only to return the funds two days later.

Target

Location: China
Date Breach First Reported: 4/21/20

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On April 21, 2020 an attacker stole $25 million in Ethereum, a popular cryptocurrency, from the dForce platform, a cryptocurrency firm, only to return the funds two days later. The attacker did not return all funds in the same distribution of currencies that were taken, but instead returned some in different tokens. It is not known why the attacker returned the stolen funds.

Spanish Banks Attacked with Brazilian Trojan

April 13

On April 13, 2020, IBM researchers reported that Spanish banks had been targeted by a Brazilian banking Trojan, Grandoreiro, in a campaign lasting months.

Target

Location: Spain
Date Breach First Reported: 4/13/20

Incident

Method: Malware
Type: Theft

Actor

Type: Non-state actor
Attribution: Unknown

Description

On April 13, 2020, IBM researchers reported that Spanish banks had been targeted by a Brazilian banking Trojan, Grandoreiro, in a campaign lasting months. The campaign exploits the coronavirus outbreak, using pandemic-themed videos to convince users to run a hidden executable.

Grandoreiro is a remote-overlay banking trojan: when a user accesses their online banking, it displays images that impersonate the bank's site, allowing the attackers to move money out of the victim's accounts. The malware activates when the victim visits one of a hardcoded list of entities, mostly local banks.

South Korean and US Payment Card Leak

April 9

On April 9, 2020, a cache of 400,000 payment card records from banks in South Korea and the U.S. was uploaded to a well-known underground marketplace.

Target

Location: South Korea, United States
Date Breach First Reported: 4/24/20

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On April 9, 2020, a cache of 400,000 payment card records from banks in South Korea and the U.S. was uploaded to a well-known underground marketplace.

According to Group-IB, a security firm, the data dump was the biggest sale of South Korea-related bank card records in 2020. The database contained mostly Track 2 data, meaning the data stored on the magnetic stripe of a card: the bank identification number (BIN), the account number, the expiration date and the card verification value encoded on the stripe (CVV1, which is distinct from the CVV2 printed on the card).
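To make the Track 2 description concrete, the following is an added example, not code from the page or from Group-IB. It parses a Track 2 record into its fields, checks the account number's Luhn digit (a quick way to tell real card data from junk in a dump), and masks the account number so the record can be logged during an investigation without re-exposing the card. The sample record is constructed around the public Visa test number 4111 1111 1111 1111; the expiry and discretionary data are made up.

```python
"""Parse an ISO/IEC 7813 Track 2 record and reduce it to what an analyst
can safely log. Added example; the sample record is constructed."""
import re
from dataclasses import dataclass

# Track 2 layout: ;PAN=YYMMSSS<discretionary>?  (sentinels are often missing in dumps)
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)


@dataclass(frozen=True)
class Track2:
    issuer_bin: str    # first six digits, identifies the issuing bank
    masked_pan: str    # BIN + masked middle + last four, safe to log
    expiry: str        # "MM/YY"
    service_code: str  # three digits: interchange, authorisation, PIN/cash rules
    luhn_ok: bool      # whether the PAN passes the mod-10 check digit


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and the last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(record: str) -> Track2:
    """Split a Track 2 record into fields; raises ValueError on malformed input."""
    m = TRACK2_RE.match(record.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    pan = m.group("pan")
    return Track2(
        issuer_bin=pan[:6],
        masked_pan=mask_pan(pan),
        expiry=f"{m.group('mm')}/{m.group('yy')}",
        service_code=m.group("svc"),
        luhn_ok=luhn_valid(pan),
    )


# Constructed sample: public test PAN, fabricated expiry and discretionary data.
SAMPLE_RECORD = ";4111111111111111=25121011234567890?"

if __name__ == "__main__":
    print(parse_track2(SAMPLE_RECORD))
```

The discretionary data after the service code is where an issuer stores values such as the PIN verification value and the stripe CVV, which is why a Track 2 dump is enough to clone a magnetic-stripe card; the parser above deliberately does not surface that field.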

US, Canadian, Australian Banks Hit By Banking Trojan

March 30

On March 30, researchers reported that U.S., Canadian, and Australian banks were being increasingly targeted by Zeus Sphinx, a banking trojan that had been dormant for three years.

Target

Location: United States, Canada, Australia
Date Breach First Reported: 5/11/20

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On March 30, researchers reported that U.S., Canadian, and Australian banks were being increasingly targeted by Zeus Sphinx, a banking trojan that had been dormant for three years. The attackers targeted people waiting on COVID-19 government relief payments.

The campaign used COVID-19 as a lure, such as sending booby-trapped document files named “COVID 19 relief.” Zeus Sphinx gained notoriety in 2015 for being used to target major financial institutions in the UK, and eventually in Brazil, Australia and North America. This version of the malware underwent core changes in its persistence mechanism, injections tactics, and bot configuration.

Monte dei Paschi Bank Attack

March 30

On March 30, 2020, attackers breached email accounts of employees at Monte dei Paschi bank, an Italian state-owned bank, and sent messages to clients with voice mail attachments.

Target

Location: Italy
Date Breach First Reported: 4/11/20

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On March 30, 2020, attackers breached email accounts of employees at Monte dei Paschi bank, an Italian state-owned bank, and sent messages to clients with voice mail attachments. The bank notified customers on March 30 but did not disclose if there had been a data breach, the nature of the sent emails or if customers had been impacted.

Chubb Ransomware Attack

March 26

On March 26, 2020, insurer Chubb was targeted by Maze ransomware, and the attackers claimed to have stolen data.

Target

Location: United States
Date Breach First Reported: 3/26/20

Incident

Method: Ransomware
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On March 26, 2020, insurer Chubb was targeted by Maze ransomware, and the attackers claimed to have stolen data. Chubb said its own network was unaffected but acknowledged it was investigating an incident involving access to data held by a third party. Chubb itself sells insurance covering the costs of data breaches.

Squar Milner data breach

March 25

On March 25, 2020, Squar Milner, one of the largest accountancy firms in the US, experienced a possible data breach.

Target

Location: United States
Date Breach First Reported: 4/22/20

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On March 25, 2020, Squar Milner, one of the largest accountancy firms in the US, experienced a possible data breach. According to Squar Milner, the exposed data may have included names, addresses, and Social Security numbers or Tax ID numbers. It appears client data was accessed via credential stuffing, but a breach of the firm's own systems had not yet been ruled out.

Finastra Ransomware Attack

March 20

On March 20, 2020, Finastra, a large London-based financial technology company, stated they were the victim of a ransomware attack.

Target

Location: United Kingdom
Date Breach First Reported: 3/20/20

Incident

Method: Ransomware
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On March 20, 2020, Finastra, a large London-based financial technology company, stated they were the victim of a ransomware attack. The attack disrupted Finastra's services as the company shut down certain servers in response, with the greatest impact on its North America operations.

Finastra employs more than 10,000 people and provides services to nearly all of the top 50 banks globally. The company claimed there was no evidence of customer or employee data exfiltration.

Southeast Asian Banks Credit Card Breach

March 6

On March 6, 2020, it was reported that over 200,000 credit card details from top banks in Singapore, Malaysia, the Philippines, Vietnam, Indonesia, and Thailand were stolen and published online.

Target

Location: Malaysia; Singapore; Philippines; Vietnam; Indonesia; Thailand
Date Breach First Reported: 3/6/2020

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On March 6, 2020, it was reported that over 200,000 credit card details from top banks in Singapore, Malaysia, the Philippines, Vietnam, Indonesia, and Thailand were stolen and published online. Security researchers determined that 172,828 of the cards were from the Philippines, 37,145 from Malaysia and 25,290 from Singapore. One of the banks, CIMB Group Holdings, responded that it was confident there had been no breach of its systems and that the details would have been obtained elsewhere.

Australian Banks DDoS Extortion

February 25

On February 25, 2020, it was reported that Australian banks and other financial institutions were being extorted by the Silence group with DDoS attacks unless they paid a ransom.

Target

Location: Australia
Date Breach First Reported: 2/25/2020

Incident

Method: DDoS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On February 25, 2020, it was reported that Australian banks and other financial institutions were being extorted by the Silence group with DDoS attacks unless they paid a ransom. Some DDoS attacks have taken place, but not against all of the targets, as the group does not have the resources to attack everyone it threatens. The Silence group has also been linked to thefts from banks across Eastern Europe, South and Central Asia, and more recently, Sub-Saharan Africa. The group demanded payment in the cryptocurrency Monero to call off the attacks.

PayPal Accounts Linked to Google Pay Abused

February 21

On February 21, 2020, hackers targeted PayPal accounts to carry out unauthorized purchases, estimated to be worth tens of thousands of euros, by exploiting PayPal’s Google Pay integration.

Target

Location: United States, Germany
Date Breach First Reported: 2/25/2020

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On February 21, 2020, hackers targeted PayPal accounts to carry out unauthorized purchases, estimated to be worth tens of thousands of euros, by exploiting PayPal’s Google Pay integration. The purchases were made at a variety of Target stores in the United States. Most of the victims appear to be German PayPal users.

Loqbox Data Breach

February 20

On February 20, Loqbox, a UK-based credit score builder startup, was the victim of a data breach in which customer details were compromised.

Target

Location: United Kingdom
Date Breach First Reported: 3/2/2020

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On February 20, Loqbox, a UK-based credit score builder startup, was the victim of a data breach in which customer details were compromised. This included names, dates of birth, addresses, and phone numbers. Partial card and account details were exposed although not enough to make payments or access accounts. Loqbox claims all funds are secure and have not been accessed by attackers.

Sub-Saharan African Banks Targeted

January 2

In the first week of January 2020, it was reported that major banks in sub-Saharan Africa were targeted by the Silence hacking group.

Target

Location: Africa
Date Breach First Reported: 1/17/2020

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In the first week of January 2020, it was reported that major banks in sub-Saharan Africa were targeted by the Silence hacking group. According to Kaspersky, which attributed the attacks to the Silence group based on the malware used, the general outline of such an attack involves phishing emails carrying the malware, data gathering, and then withdrawing large amounts of cash in one go via ATMs. As of mid-January 2020, the attacks were ongoing and continued to target large banks.

2019

Travelex Hit with Sodinokibi

December 31

On December 31, 2019, Travelex, a major foreign exchange company, took all its computer systems offline after company systems were infected with Sodinokibi ransomware and the attackers demanded $6 million to remove it.

Target

Location: United Kingdom
Date Breach First Reported: 12/31/2019

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: Unknown

Description

On December 31, 2019, Travelex, a major foreign exchange company, took all its computer systems offline after they were infected with Sodinokibi ransomware and the attackers demanded $6 million to remove it. This also impacted the exchange services of many major banks, including Lloyds, Barclays, and RBS, all of which use Travelex. The attackers also claimed to have exfiltrated 5GB of personal customer data, which they threatened to release if they did not receive payment. The attackers are believed to have accessed the firm's systems through an unpatched VPN vulnerability. By the end of January, more than a month later, Travelex had restored its site only partially. It is unclear whether Travelex paid the ransom in this time.

Advantage and Argus Capital Funding Data Breach

December 24

On December 24, 2019, researchers discovered a data breach at Advantage and Argus Capital Funding, a New York-based private equity firm, exposing 425GB of data comprising roughly 500,000 legal and financial documents, including tax returns and Social Security information.

Target

Location: United States
Date Breach First Reported: 12/24/19

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On December 24, 2019, researchers discovered a data breach at Advantage and Argus Capital Funding, a New York-based private equity firm, exposing 425GB of data comprising roughly 500,000 legal and financial documents, including tax returns and Social Security information.

The breach was discovered by vpnMentor, which reported that data including credit reports, bank statements, tax returns and Social Security information could be accessed without authentication. The database was linked to MCA Wizard, an application developed by Advantage and Argus Capital Funding, and was stored in an unencrypted Amazon Web Services S3 bucket. AWS secured the bucket on January 9, 2020.
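An S3 bucket that anyone can read without authentication is almost always the result of a bucket policy or ACL that grants access to an anonymous principal. The following is an added example, not code from the page or from vpnMentor, that checks a bucket policy document for statements allowing anonymous object reads and shows a weak policy beside a corrected one. Both policy documents, the bucket name and the role ARN are constructed for the demonstration.

```python
"""Find bucket-policy statements that grant anonymous object reads.
Added example; the policies and bucket name are constructed."""
import json

# Actions that allow a principal to fetch object contents.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} grants access to unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy):
    """Map each statement that allows anonymous object reads to its Condition
    (None when unconditional). A Condition such as aws:SourceIp may narrow
    the grant, so conditional hits still need a human look."""
    hits = {}
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS:
            hits[st.get("Sid", f"statement[{i}]")] = st.get("Condition")
    return hits


# Constructed: the weak policy, which publishes every object in the bucket.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-mca-data/*"
  }]
}""")

# Constructed: the corrected policy. Reads are limited to one application
# role, and a Deny statement refuses any access that is not over TLS.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/mca-app-reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-mca-data/*"
  }, {
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-mca-data", "arn:aws:s3:::example-mca-data/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")


if __name__ == "__main__":
    print("weak :", public_read_statements(WEAK_POLICY))   # {'PublicRead': None}
    print("fixed:", public_read_statements(FIXED_POLICY))  # {}
```

Two caveats a reviewer would add. First, the check covers bucket policies only; legacy bucket and object ACLs can grant public read independently, so the account-level S3 Block Public Access setting is the guardrail that catches both. Second, server-side encryption would not have helped here: S3 decrypts transparently for any request the policy authorises, and this policy authorised everyone.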

Wawa Inc. Card Data Breach

December 10

On December 10, 2019, Wawa Inc., a U.S. convenience store chain, discovered that its payment card processing systems had been compromised for roughly nine months, during which customers at potentially any of its locations could have had their card data stolen.

Target

Location: United States
Date Breach First Reported: 12/19/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On December 10, 2019, Wawa Inc., a U.S. convenience store chain, discovered that its payment card processing systems had been compromised for roughly nine months, during which customers at potentially any of its locations could have had their card data stolen. On January 27, 2020, 30 million card records believed to be from the breach were posted for sale online, including card numbers and expiration dates. PINs and CVV values were not exposed.

Iranian Debit Card Breach

December 10

On December 10, 2019, it was reported that Mellat, Tejarat, and Sarmayeh, three of Iran's largest banks, had been breached and that the attacker had published the details of 15 million debit cards on social media in the aftermath of anti-government demonstrations.

Target

Location: Iran
Date Breach First Reported: 12/10/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On December 10, 2019, it was reported that Mellat, Tejarat, and Sarmayeh, three of Iran's largest banks, had been breached and that the attacker had published the details of 15 million debit cards on social media in the aftermath of anti-government demonstrations. Iran's information and communications technology minister denied that the data came from an external attack, attributing it instead to an inside contractor who had access to the data. Researchers disputed this and suggested it was likely a nation-state actor.

UK and Israeli Private Equity Firms Business Email Compromise

December 3

On December 3, 2019, three private equity firms in the UK and Israel had £600k stolen by attackers, known as "The Florentine Banker," through a sophisticated business email compromise scheme.

Target

Location: United Kingdom, Israel
Date Breach First Reported: 12/3/19

Incident

Method: Phishing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On December 3, 2019, three private equity firms in the UK and Israel had £600k stolen by attackers, known as "The Florentine Banker," through a sophisticated business email compromise scheme.

The attackers gained control of the victims' email accounts and intercepted specific emails concerning planned transfers of funds. They used mailbox rules to divert the messages they deemed interesting into another folder. They then registered domains resembling those of the other parties to the conversation, diverted the legitimate communication, and sent their own modified emails in its place. By impersonating both sides of the conversation in this way, the attackers could manipulate all parties into transferring funds to attacker-controlled accounts instead of the intended ones. £600k was taken by the group in three separate transactions. Researchers noted many other spoofed domains that appear to have been registered by the attackers, suggesting that the group is targeting other organizations in similar attacks.
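Both techniques described above, lookalike domains standing in for a counterparty and mailbox rules that hide the real conversation, are things a mail administrator can screen for. The following is an added example, not code from the page or from the researchers who reported the case. It checks the sender domains in a thread against a list of trusted counterparty domains, flagging homoglyph swaps (such as "rn" for "m") and small edits, and it flags mailbox rules that divert payment-related mail out of sight. All domains, addresses and rule definitions are constructed; the rule dictionaries stand in for whatever a mail platform's rule export looks like.

```python
"""Screen a mail thread and a mailbox's rules for the two Florentine Banker
tricks: lookalike counterparty domains and rules that hide the real mail.
Added example; trusted domains, senders and rules are constructed."""

# Character sequences that render almost identically in common fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("i", "l")]

# Folders attackers use to park diverted mail where the owner will not look.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "archive", "conversation history"}

# Subject terms a BEC rule typically matches on.
MONEY_KEYWORDS = {"invoice", "payment", "wire", "bank", "transfer", "swift"}


def normalize(domain: str) -> str:
    """Collapse confusable sequences so 'acrne' and 'acme' compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for catching dropped, added or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, trusted_domains):
    """Return the trusted domain that `sender_domain` imitates, or None if it
    is either a genuine trusted domain or unrelated to all of them."""
    s = sender_domain.lower()
    if s in (t.lower() for t in trusted_domains):
        return None
    for t in trusted_domains:
        t = t.lower()
        if normalize(s) == normalize(t) or edit_distance(s, t) <= 2:
            return t
    return None


def suspicious_rules(rules, trusted_domains):
    """Flag rules that match counterparty or payment-related mail and then
    delete it, mark it read, or move it into a hiding folder."""
    flagged = []
    for rule in rules:
        sender = rule.get("from_contains", "").lower()
        subject = rule.get("subject_contains", "").lower()
        targets_money = (any(d.lower() in sender for d in trusted_domains)
                         or any(k in subject for k in MONEY_KEYWORDS))
        hides = bool(rule.get("delete") or rule.get("mark_read")
                     or rule.get("move_to", "").lower() in HIDING_FOLDERS)
        if targets_money and hides:
            flagged.append(rule["name"])
    return flagged


def audit(sender_addresses, rules, trusted_domains):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for addr in sender_addresses:
        target = lookalike_of(addr.rsplit("@", 1)[-1], trusted_domains)
        if target:
            findings.append(f"lookalike sender {addr} imitates {target}")
    for name in suspicious_rules(rules, trusted_domains):
        findings.append(f"suspicious inbox rule {name!r}")
    return findings


# Constructed data: two counterparties, a thread with two lookalikes, and a
# rule set containing one benign rule and two that hide payment mail.
TRUSTED = ["acme-capital.com", "firstbank-example.com"]
SAMPLE_SENDERS = [
    "cfo@acme-capital.com",        # genuine
    "cfo@acrne-capital.com",       # 'rn' standing in for 'm'
    "ops@firstbank-example.co",    # dropped final letter
    "news@unrelated-example.org",  # unrelated, must not be flagged
]
SAMPLE_RULES = [
    {"name": "newsletters", "from_contains": "news@", "move_to": "Newsletters"},
    {"name": ".", "from_contains": "acme-capital.com", "move_to": "RSS Feeds", "mark_read": True},
    {"name": "invoices", "subject_contains": "invoice", "delete": True},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SENDERS, SAMPLE_RULES, TRUSTED):
        print(finding)
```

The edit-distance threshold of 2 and the confusable list are starting points, not a standard; tune them against your own counterparty list, since a short domain with a distance of 2 to a trusted one may be a legitimate unrelated company. Rules named with a single character, as in the second constructed rule, are themselves a common attacker habit and worth alerting on regardless of what the rule does.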

Upbit Crypto Heist

November 27

On November 27, 2019, $48.5 million in virtual currency was stolen from Upbit, a South Korean cryptocurrency exchange.

Target

Location: South Korea
Date Breach First Reported: 11/28/19

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On November 27, 2019, $48.5 million in virtual currency was stolen from Upbit, a South Korean cryptocurrency exchange. The identity of the attackers remains unknown.

The $48.5 million, in Ethereum, was taken from Upbit's hot wallet in 17 transactions. Upbit stated that it would cover any loss to customers.

Edenred Malware

November 21

On November 21, 2019, Edenred, a payment solutions provider, reported that it was infected by malware that affected a number of the organization’s computers.

Target

Location: Europe
Date Breach First Reported: 11/21/2019

Incident

Method: Malware
Type: Unknown

Actor

Type: N/A
Attribution: Unknown

Description

On November 21, 2019, Edenred, a payment solutions provider, reported that it was infected by malware that affected a number of the organization’s computers. Edenred’s payment platform operates across 46 countries, and in 2018 it managed 2.5 billion payment transactions. According to a statement released by the organization, as soon as the incident was detected it implemented countermeasures to prevent further infections. The number of computers affected and the extent of the attack are currently unknown.

Cayman National Bank and Trust Data Theft

November 18

On November 18, 2019, the Cayman National Bank and Trust Company confirmed it had been breached and had confidential data stolen.

Target

Location: United Kingdom
Date Breach First Reported: 11/18/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Non-state actor
Attribution: Speculated

Description

On November 18, 2019, the Cayman National Bank and Trust Company confirmed it had been breached and had confidential data stolen. The Cayman National Bank did not elaborate on the extent of the breach but confirmed it was working with law enforcement. This announcement corroborated an earlier claim by Phineas Fisher, a vigilante hacker persona, who publicized the hack to encourage similar hacktivism. Phineas Fisher offered $100,000 USD to hacktivists who breach and leak documents from banks, oil companies, surveillance spyware vendors, and others.

Cardplanet Fraud

November 13

On November 13, 2019, the United States charged a Russian man for running ‘Cardplanet,’ a card trading platform worth almost $20 million USD that buys and sells stolen payment card details.

Target

Location: Unknown
Date Breach First Reported: 11/13/2019

Incident

Method: N/A
Type: N/A

Actor

Type: Non-state actor
Attribution: High confidence

Description

On November 13, 2019, the United States charged a Russian man for running ‘Cardplanet,’ a card trading platform worth almost $20 million USD that buys and sells stolen payment card details. He is facing a number of charges including access device fraud, identity theft, and computer intrusion.

BriansClub Data Theft

October 16

On October 16, 2019, it was reported that ‘BriansClub’, one of the largest underground markets for stolen credit card and payment details, was hacked by a competitor who stole 26 million card details.

Target

Location: Unknown
Date Breach First Reported: 10/16/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: Non-state actor
Attribution: Speculated

Description

On October 16, 2019, it was reported that ‘BriansClub’, one of the largest underground markets for stolen credit card and payment details, was hacked by a competitor who stole 26 million card details. The credit card data was added to BriansClub between 2015 and 2019 and represents 30 percent of the total cards currently being sold on the underground market.

Sberbank Data Leak

October 4

On October 4, 2019, it was reported that Sberbank, one of Russia’s largest banks, was investigating a suspected data leak that affected at least 200 customers, and potentially data on 60 million credit cards.

Target

Location: Russia
Date Breach First Reported: 10/4/2019

Incident

Method: N/A
Type: Data breach

Actor

Type: Insider
Attribution: Speculated

Description

On October 4, 2019, it was reported that Sberbank, one of Russia’s largest banks, was investigating a suspected data leak that affected at least 200 customers, and potentially data on 60 million credit cards. Sberbank is investigating an internal employee who may be behind the compromise of the database. Sberbank is working with law enforcement to investigate the incident further.

460,000 Turkish Card Details for Sale

September 28

On December 11, 2019, it was reported that 463,378 Turkish payment cards from Turkish banks had been posted for sale online between late October and late November, for an estimated total value of USD $500,000.

Target

Location: Turkey
Date Breach First Reported: 12/11/19

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On December 11, 2019, it was reported that 463,378 Turkish payment cards from Turkish banks had been posted for sale online between late October and late November, for an estimated total value of USD $500,000. Full card details were available as well as personal data including emails and phone numbers. Security researchers from Group-IB speculated the payment card information was stolen from online card payments using a JavaScript-based skimmer, such as Magecart.

Indian ATMs Targeted with ATMDtrack Malware

September 23

On September 23, security researchers reported that North Korean hackers had developed and inserted malware to steal payment information from Indian ATMs and banking institutions.

Target

Location: India
Date Breach First Reported: 9/23/2019

Incident

Method: Malware
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

On September 23, security researchers reported that North Korean hackers had developed and inserted malware to steal payment information from Indian ATMs and banking institutions. The malware, known as ATMDtrack, began appearing on networks during the summer of 2018 and is thought to be attributable to Lazarus Group, a hacking group that has targeted banks, ATMs, and cryptocurrency exchanges in order to fund North Korea's weapons of mass destruction program.

ECB BIRD Site Data Breach

September 16

On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack compromising the information of the site’s newsletter subscribers.

Target

Location: Germany
Date Breach First Reported: 9/16/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack compromising the information of the site’s newsletter subscribers. The ECB reported that no market-sensitive data was compromised in the attack, and it planned to contact the 481 individuals whose names, email addresses, and titles may have been accessed by hackers.

Hong Kong Exchanges and Clearing Limited DDoS Attack

September 6

On September 6, 2019, Hong Kong Exchanges and Clearing Limited (HKEx), a Hong Kong-based stock exchange, suffered a distributed denial-of-service attack (DDoS) and discovered a technical bug, forcing it to suspend trading.

Target

Location: China
Date Breach First Reported: 9/6/2019

Incident

Method: DDoS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

On September 6, 2019, Hong Kong Exchanges and Clearing Limited (HKEx), a Hong Kong-based stock exchange, suffered a distributed denial-of-service attack (DDoS) and discovered a technical bug, forcing it to suspend trading. Attackers sent high volumes of traffic to the organization’s website, causing it to slow down and display limited information on exchange prices. Although services resumed once the issues were resolved, this is the second time that HKEx has suffered an attack of this kind. In 2011 a DDoS attack forced the organization to suspend its services, and the individual behind the attack was later sentenced to nine months in prison.

Himalayan ATM Heist

September 2

On September 2, Nepalese police arrested five Chinese nationals in connection with cyberattacks that cost Nepalese banks more than 35 million rupees (over $300,000).

Target

Location: Nepal
Date Breach First Reported: 9/2/2019

Incident

Method: Other
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

On September 2, Nepalese police arrested five Chinese nationals in connection with cyberattacks that cost Nepalese banks more than 35 million rupees (over $300,000). The attackers targeted the Nepal Electronic Payment System, which was established to coordinate cash withdrawals at 17 Nepalese banks, and inserted malware that directed ATMs to process withdrawal requests without first verifying with member banks. Staff at one Nepali bank discovered the theft when ATMs began running out of cash sooner than expected and informed authorities. Police recovered 12.63 million rupees (more than $110,000) during the arrests.

Silence Group Targets Banks for 4.2 Million

August 23

On August 23, 2019, it was reported that financial institutions in Bulgaria, Chile, Costa Rica, and Ghana were compromised by the Silence Group.

Target

Location: Bulgaria, Chile, Costa Rica, Ghana
Date Breach First Reported: 08/23/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On August 23, 2019, it was reported that financial institutions in Bulgaria, Chile, Costa Rica, and Ghana were compromised by the Silence Group. Since 2016, the Silence Group had stolen a cumulative $4.2 million USD from banks in Eastern and Western Europe and Asia.

Since 2018, Silence has sent over 170,000 phishing attacks to financial institutions. The group has refined its techniques since it was first spotted in 2016. Silence now uses fileless techniques, repurposed open-source projects, and old vulnerabilities.

Binance Ransomware

August 6

On August 6, Malta-based cryptocurrency exchange Binance became the victim of ransomware when attackers demanded 300 bitcoin (around $3.5 million at the time) in exchange for a Know Your Customer (KYC) database containing the personal information of around 10,000 users.

Target

Location: Malta
Date Breach First Reported: 8/6/2019

Incident

Method: Ransomware
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

On August 6, Malta-based cryptocurrency exchange Binance became the victim of ransomware when attackers demanded 300 bitcoin (around $3.5 million at the time) in exchange for a Know Your Customer (KYC) database containing the personal information of around 10,000 users. The KYC database allegedly contained personal identification information and photographs of users with documents like passports. The company contested the authenticity of the documents, claiming that they lacked digital watermarks, refused to pay the ransom, and contacted law enforcement for assistance in pursuing the attacker(s).

Capital One Data Breach

July 29

On July 29, Capital One announced that it had suffered a data breach compromising the credit card applications of around 100 million individuals after a software engineer hacked into a cloud-based server.

Target

Location: United States and Canada
Date Breach First Reported: 7/29/2019

Incident

Method: Other
Type: Data breach/theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On July 29, Capital One announced that it had suffered a data breach compromising the credit card applications of around 100 million individuals after a software engineer hacked into a cloud-based server. The applications contained names, dates of birth, credit scores, contact information, and some American and Canadian social security numbers. The hacker exploited a misconfigured firewall to gain access to a database of personal information hosted by Amazon Web Services. Upon gaining access, the hacker posted about it on GitHub, and an unidentified individual notified Capital One about the presence of the database on GitHub. Authorities arrested one individual in connection with the data theft.

Banco Pan Data Breach

July 25

On July 25, security researchers found a file containing 250GB of personal and financial information, mainly tied to Brazilian financial institution Banco Pan, exposed online.

Target

Location: Brazil
Date Breach First Reported: 7/25/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On July 25, security researchers found a file containing 250GB of personal and financial information, mainly tied to Brazilian financial institution Banco Pan, exposed online. The information, which Banco Pan claims is owned by a commercial partner, contained scans of identification cards and social security cards, proof of address documents, and service request forms.

Jana Bank Data Breach

July 23

On July 23, a security researcher reported that Jana Bank, an Indian small finance bank, left exposed a database containing information on millions of financial transactions.

Target

Location: India
Date Breach First Reported: 7/23/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On July 23, a security researcher reported that Jana Bank, an Indian small finance bank, left exposed a database containing information on millions of financial transactions. The Know Your Customer verification database was not password-protected, allowing anyone to access, alter, or download the information. Jana Bank immediately secured the database upon learning of its exposure.

Remixpoint Inc. Crypto Theft

July 12

On July 12, Remixpoint, a Japanese cryptocurrency exchange, halted services after it discovered the theft of $32 million in digital currencies.

Target

Location: Japan
Date Breach First Reported: 7/12/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 12, Remixpoint, a Japanese cryptocurrency exchange, halted services after it discovered the theft of $32 million in digital currencies. After an error appeared in the exchange’s outgoing funds transfer system, Remixpoint discovered that the funds had been taken from a “hot” wallet (one that is connected to the internet). No funds had been stolen from “cold” wallets (those not connected to the internet). The company promised to investigate the incident and provided no further details.

Bitpoint Crypto Heist

July 12

On July 12, 2019, approximately $32 million in virtual currency was stolen from Bitpoint, a Japanese cryptocurrency exchange.

Target

Location: Japan
Date Breach First Reported: 07/12/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On July 12, 2019, approximately $32 million in virtual currency was stolen from Bitpoint, a Japanese cryptocurrency exchange. The identity of the attackers remains unknown.

Crypto Exchange Theft

June 25

On June 25, Europol, British law enforcement, and Dutch law enforcement officials arrested six individuals for cryptocurrency theft amounting to €24 million (over $26 million).

Target

Location: Netherlands, United Kingdom
Date Breach First Reported: 6/25/2019

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Speculated

Description

On June 25, Europol, British law enforcement, and Dutch law enforcement officials arrested six individuals for cryptocurrency theft amounting to €24 million (over $26 million). The individuals used a technique known as “typosquatting,” in which they duplicated an online cryptocurrency exchange to steal information and gain access to victims’ bitcoin wallets. The attack affected more than 4,000 individuals in at least 12 countries.

Bangladesh Switch System Cyberattack

June 22

In June 2019, at least three private Bangladeshi banks were compromised by major cyberattacks, with one, Dutch Bangla Bank Limited (DBBL), losing as much as TK 25 crore (around $3 million).

Target

Location: Bangladesh
Date Breach First Reported: 6/22/2019

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In June 2019, at least three private Bangladeshi banks were compromised by major cyberattacks, with one, Dutch Bangla Bank Limited (DBBL), losing as much as TK 25 crore (around $3 million). Attackers deployed malware to duplicate DBBL's Switch payment management system, allowing fraudulent financial transactions to be executed undetected. NCC Bank and Prime Bank were also targeted, but both banks reported no financial losses associated with the attack.

Dutch Bangla Bank Heist by Silence Group

May 31

On May 31, 2019, the Silence Group stole $3 million from Bangladesh’s Dutch Bangla Bank via ATM cash outs.

Target

Location: Bangladesh, India, Sri Lanka, Kyrgyzstan
Date Breach First Reported: 05/31/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: Non-state actor
Attribution: High confidence

Description

On May 31, 2019, the Silence Group stole $3 million from Bangladesh’s Dutch Bangla Bank via ATM cash outs. Three other undisclosed financial institutions in India, Sri Lanka, and Kyrgyzstan were also attacked in the same timeframe. Until recently, Silence had focused on Russia and the Commonwealth of Independent States.

Local media found a video of two Ukrainian men visiting Dutch Bangla Bank ATMs, making a phone call, and then withdrawing large sums of money.

Upbit Attempted Crypto Heist

May 25

On May 25, 2019, attackers attempted to steal from Upbit, a South Korean cryptocurrency exchange, but were thwarted by East Security, a security firm.

Target

Location: South Korea
Date Breach First Reported: 08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On May 25, 2019, attackers attempted to steal from Upbit, a South Korean cryptocurrency exchange, but were thwarted by East Security, a security firm. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Attackers sent phishing emails to Upbit users in an attempt to steal their funds. It appears as though no losses have resulted from the emails.

First American Financial Corp.

May 24

On May 24, First American Financial Corp. suffered a data breach compromising around 885 million files related to mortgage deeds.

Target

Location: United States
Date Breach First Reported: 5/24/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On May 24, First American Financial Corp. suffered a data breach compromising around 885 million files related to mortgage deeds. The documents, which dated back as far as 2003, contained bank account numbers and statements, mortgage and tax records, social security numbers, wire transaction receipts, and images of drivers' licenses. The documents were accessible to anyone with a web browser because the company used a standard format for document addresses, meaning that anyone with knowledge of at least one document link could access others simply by modifying the digits associated with the record number. Although the company took down the website, many of the pages remained accessible on archive.org. As of August 2019, the U.S. Securities and Exchange Commission had begun an investigation into the data breach.
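The access flaw described here, sequential record numbers served to anyone who knows one link, and the corrected design of unguessable identifiers plus an ownership check are shown side by side below. This is an added example, not First American's code; the in-memory stores, owners and deed titles are constructed for illustration.

```python
"""Two document stores modelled on the flaw in this entry: the first serves
records by consecutive integer id with no access check (the behaviour the
entry describes), the second uses unguessable ids and enforces ownership,
and records denied requests so they can be alerted on. Data is constructed."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Document:
    owner: str
    title: str


class InsecureDocumentStore:
    """The 'before': ids increment by one and the requester is never consulted,
    so one known link reveals the neighbouring records."""

    def __init__(self):
        self._docs: Dict[int, Document] = {}
        self._next = 1000

    def add(self, doc: Document) -> int:
        doc_id = self._next
        self._next += 1
        self._docs[doc_id] = doc
        return doc_id

    def get(self, doc_id: int, requester: str) -> Optional[Document]:
        return self._docs.get(doc_id)  # requester ignored: the flaw


class HardenedDocumentStore:
    """The 'after': a random 256-bit id cannot be stepped through, and even a
    correct id is only honoured for the document's owner. Both controls are
    needed; an unguessable link alone is not an access control."""

    def __init__(self):
        self._docs: Dict[str, Document] = {}
        self.denied: List[Tuple[str, str]] = []  # audit trail for detection

    def add(self, doc: Document) -> str:
        doc_id = secrets.token_urlsafe(32)
        self._docs[doc_id] = doc
        return doc_id

    def get(self, doc_id: str, requester: str) -> Optional[Document]:
        doc = self._docs.get(doc_id)
        if doc is None or doc.owner != requester:
            self.denied.append((requester, doc_id))
            return None
        return doc


def probe_adjacent(store: InsecureDocumentStore, known_id: int,
                   requester: str, span: int = 5) -> int:
    """Defender's check: how many other records does a caller holding one
    legitimate link reach by changing the digits of the record number?"""
    hits = 0
    for offset in range(-span, span + 1):
        if offset and store.get(known_id + offset, requester) is not None:
            hits += 1
    return hits


def demo() -> Tuple[int, bool, bool, int]:
    """Load five constructed deeds into each store and compare behaviour."""
    owners = ["alice", "bob", "carol", "dave", "erin"]
    insecure, hardened = InsecureDocumentStore(), HardenedDocumentStore()
    ins_ids = [insecure.add(Document(o, f"deed of {o}")) for o in owners]
    hard_ids = [hardened.add(Document(o, f"deed of {o}")) for o in owners]

    leaked = probe_adjacent(insecure, ins_ids[2], "carol")   # carol's own link
    own_ok = hardened.get(hard_ids[2], "carol") is not None  # owner succeeds
    cross_blocked = hardened.get(hard_ids[2], "mallory") is None
    return leaked, own_ok, cross_blocked, len(hardened.denied)


if __name__ == "__main__":
    leaked, own_ok, cross_blocked, denials = demo()
    print(f"insecure store: {leaked} neighbouring records readable from one link")
    print(f"hardened store: owner access {own_ok}, cross-owner blocked {cross_blocked}, "
          f"{denials} denied request(s) logged")
```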

GozNym Gang Arrested

May 16

On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries dismantled a group of international cyber criminals that used the GozNym malware to steal over $100 million.

Target

Location: Multiple
Date Breach First Reported: 5/16/2019

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actors
Attribution: High confidence

Description

On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries dismantled a group of international cyber criminals that used the GozNym malware to steal over $100 million. The group stole from over 40,000 victims, including the bank accounts of small businesses, law firms, international corporations, and nonprofit organizations. Following a law enforcement investigation across the U.S., Bulgaria, Germany, Georgia, Moldova, and Ukraine, ten members were charged. The leader of the network was charged in Georgia, while another member was extradited from Bulgaria to the U.S. to face trial. Although some members of the gang are still on the run, the initial charges have been seen as a success for law enforcement in its efforts to combat international cybercrime.

FirstBank Breach

May 13

In May 2019, a Colorado bank suffered an external security incident resulting in the cancellation and redistribution of customer debit cards.

Target

Location: United States
Date Breach First Reported: 5/13/2019

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In May 2019, a Colorado bank suffered an external security incident resulting in the cancellation and redistribution of customer debit cards. FirstBank, Colorado’s largest locally-owned bank, issued a security notice on May 13 informing customers of the breach and instructing them to report any suspicious behavior. The bank confirmed that the breach did not occur on its online systems but from other merchants where FirstBank customers made transactions.

Retefe Malware Resurfaces in Germany and Switzerland

May 2

In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan in Germany and Switzerland.

Target

Location: Switzerland, Germany
Date Breach First Reported: 5/2/2019

Incident

Method: Malware
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan in Germany and Switzerland. Retefe is malware that installs the Tor internet browser to redirect infected devices to spoofed banking sites. The Trojan is typically delivered through email attachments and often attempts to trick users into downloading spoofed Android mobile applications to bypass two-factor authentication.

In the past, Retefe campaigns have targeted several European countries. In November 2016, Retefe targeted Tesco Bank and other UK financial institutions. In September 2017, an updated version of Retefe leveraged the EternalBlue exploit in a campaign against Swiss targets. Since April, the Trojan has reemerged in German and Swiss banks.

Silence Targets Banks in UK, India, and South Korea

April 23

On April 23, 2019, it was reported the Silence Group had targeted financial institutions in the UK, India, and South Korea since the end of 2018, and had stolen from at least one institution.

Target

Location: United Kingdom, India, South Korea
Date Breach First Reported: 04/23/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: Known

Description

On April 23, 2019, it was reported the Silence Group had targeted financial institutions in the UK, India, and South Korea since the end of 2018, and had stolen from at least one institution.

Romanian ATM Skimmer Gang Arrested in Mexico

April 4

On March 31, Mexican law enforcement arrested two senior members of a Romanian cyber criminal group allegedly behind an ATM skimming operation in Mexico.

Target

Location: Mexico
Date Breach First Reported: 4/4/2019

Incident

Method: Skimmer
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On March 31, Mexican law enforcement arrested two senior members of a Romanian cyber criminal group allegedly behind an ATM skimming operation in Mexico. One suspect is believed to be the head of Instacash, a fraudulent ATM service provider operating out of Mexico. The head of Instacash allegedly bribed and coerced ATM technicians to install sophisticated Bluetooth-based skimmers inside competitors’ ATMs, enabling the Romanian cyber criminal group to steal PINs and card data remotely from ATMs throughout popular tourist destinations in Mexico.

BitHumb Crypto Heist #4

March 29

On March 29, 2019, approximately $20 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, marking the fourth theft in two years.

Target

Location: South Korea
Date Breach First Reported: 08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 29, 2019, approximately $20 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, marking the fourth theft in two years. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.

Kuwait Bank Theft

March 27

On March 27, 2019, attackers stole $49 million from a bank in Kuwait.

Target

Location: Kuwait
Date Breach First Reported: 08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 27, 2019, attackers stole $49 million from a bank in Kuwait. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.

While the UN Security Council Panel of Experts did not reveal the name of the bank in Kuwait, the Gulf Bank of Kuwait announced a technical failure in its system of international remittances on Twitter on March 27.

DragonEx Crypto Heist

March 24

On March 24, 2019, $7 million in virtual currency was stolen from DragonEx, a Singapore-based cryptocurrency exchange.

Target

Location: Singapore
Date Breach First Reported: 03/24/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 24, 2019, $7 million in virtual currency was stolen from DragonEx, a Singapore-based cryptocurrency exchange. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.

The stolen coins spanned a range of currencies, including bitcoin, ether, XRP, litecoin, and EOS. DragonEx released the addresses of 20 wallets to which funds were transferred in the hope of blocking the movement of those funds.

Royal Bank of Scotland Security Flaw

March 22

In early 2019, the Royal Bank of Scotland’s (RBS) customer accounts were exposed to a security flaw after the bank introduced a new customer security service.

Target

Location: United Kingdom
Date Breach First Reported: 3/22/2019

Incident

Method: Software vulnerability
Type: N/A

Actor

Type: Unknown
Attribution: Unknown

Description

In early 2019, the Royal Bank of Scotland’s (RBS) customer accounts were exposed to a security flaw after the bank introduced a new customer security service. In January, RBS launched a free endpoint security service for customers in partnership with Danish firm Heimdal Security. While the security service was intended to detect threats and protect RBS customers from attacks, researchers discovered a software flaw that enabled access to customer emails, banking details, and internet history. Heimdal Security has since released an update to fix the security flaw and insisted that only 50,000 computers were affected. It claims that there were no intrusions as a result of the security flaw.

Ursnif Malware Attack on Japanese Banks

March 12

The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign targeting Japanese banks that began in 2016.

Target

Location: Japan
Date Breach First Reported: 3/12/2019

Incident

Method: Malware
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign targeting Japanese banks that began in 2016. Ursnif, also known as Gozi ISFB, is widely used malware that steals information from infected Windows devices. Ursnif has been deployed in a new campaign that specifically targets banks in Japan; the malware terminates itself on devices outside the country. The campaign uses a distribution network of spam botnets and compromised web servers to deliver the Trojan. Between 2016 and 2017, researchers at Palo Alto Networks observed millions of infected emails sent to banks in Japan. Researchers have not been able to identify the operation behind the campaign, but evidence suggests it may be connected to the Cutwail botnet, a cyber criminal operation active since 2007.

Gambian Financial Institution Attempted Theft

March 1

In March 2019, attackers attempted to steal $9.3 million from a Gambian financial institution.

Target

Location: The Gambia
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In March 2019, attackers attempted to steal $9.3 million from a Gambian financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Nigerian Financial Institution Attempted Theft

March 1

In March 2019, attackers attempted to steal $12.2 million from a Nigerian financial institution.

Target

Location: Nigeria
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In March 2019, attackers attempted to steal $12.2 million from a Nigerian financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Bank of Valletta

February 13

On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down operations after an attempted theft of €13 million.

Target

Location: Malta
Date Breach First Reported: 2/14/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: Nonstate actor
Attribution: Unknown

Description

On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down operations after an attempted theft of €13 million. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Attackers made multiple transfer requests from the Maltese bank to accounts in the UK, United States, Czech Republic, and Hong Kong. The bank’s employees discovered the fraudulent activity during their daily reconciliation of international orders. Within the hour, BOV notified other banks in an attempt to freeze the transactions. It also closed all its branches, shut down its ATMs and point-of-sale system, and stopped all other electronic services, which were restored the following day. In a statement, BOV said it was working with local and international police authorities to track down the attackers. On January 30, 2020, the UK's National Crime Agency made arrests in London and Belfast suspected to be connected to the BOV heist.

U.S. Credit Union Spear-Phishing

February 8

Multiple credit unions in the United States were hit by spear-phishing emails impersonating compliance officers from other credit unions.

Target

Location: United States
Date Breach First Reported: 2/8/2019

Incident

Method: Phishing
Type: N/A

Actor

Type: Unknown
Attribution: Unknown

Description

Multiple credit unions in the United States were hit by spear-phishing emails impersonating compliance officers from other credit unions. Under the Bank Secrecy Act (BSA), financial institutions are required to have dedicated compliance personnel responsible for reporting suspicious transactions and potentially fraudulent activity to the U.S. government. Emails sent to these compliance officers contained a PDF with a malicious link. While it is believed that no employee clicked the link, there is speculation as to how the attackers obtained the email addresses of the compliance officers.

SBI Breach

February 4

The State Bank of India, the country’s largest, has denied claims that its servers were compromised during a recent intrusion.

Target

Location: India
Date Breach First Reported: 2/4/2019

Incident

Method: Unknown
Type: Unknown

Actor

Type: Unknown
Attribution: Unknown

Description

The State Bank of India, the country’s largest, has denied claims that its servers were compromised during a recent intrusion. Multiple media outlets reported an SBI server was unprotected, and as a result attackers were able to gain access to the system and steal users’ personal information. Despite the claims, the bank said its investigation revealed that SBI’s servers remained fully protected and that no breach had occurred.

Metro Bank 2FA Breach

February 2

UK-based Metro Bank became the first major bank to suffer from a new type of cyber intrusion that intercepts text messages with two-factor authentication codes used to verify various customer transactions.

Target

Location: United Kingdom
Date Breach First Reported: 2/2/2019

Incident

Method: Other
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

UK-based Metro Bank became the first major bank to suffer from a new type of cyber intrusion that intercepts text messages with two-factor authentication codes used to verify various customer transactions. The attackers exploited flaws in the Signaling System 7 (SS7) protocol, which is used by telecommunications companies to route text messages around the world. A spokesperson for the bank stated that only a small number of those defrauded were Metro Bank customers.

Spanish Financial Institution Attempted Theft

February 1

In February 2019, attackers attempted to steal $32 million from a Spanish financial institution.

Target

Location: Spain
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In February 2019, attackers attempted to steal $32 million from a Spanish financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Spain’s National Cryptologic Centre (CCN), under the National Intelligence Centre, stated in its 2019 Cyberthreats and Trends report that hackers associated with the DPRK government conducted the largest number of reported cyberattacks against Spain in 2018.

Chile ATM Attack

January 10

In December, hackers infiltrated Chile’s ATM interbank network, Redbanc, after tricking an employee into downloading a malicious program during a fake job interview over Skype.

Target

Location: Chile
Date Breach First Reported: 1/15/2019

Incident

Method: Other
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In December, hackers infiltrated Chile’s ATM interbank network, Redbanc, after tricking an employee into downloading a malicious program during a fake job interview over Skype. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

It is believed that the Redbanc employee saw a LinkedIn job advertisement and attended a Skype interview where the attackers asked him to download a software program to submit his application form. The attackers tricked the victim into downloading malware on his system, giving them access to Redbanc’s network. Redbanc claims the event had no impact on its business operations.

Fuze Cards

January 10

The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an attempt to avoid detection by U.S. law enforcement.

Target

Location: United States
Date Breach First Reported: 1/10/2019

Incident

Method: Cards
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an attempt to avoid detection by U.S. law enforcement. A Fuze card is a data storage device that looks like a bank card, but can hold account data for up to thirty cards. Using smartcard technology can help criminals avoid raising suspicions at payment points or if stopped by authorities, as it reduces the need for them to carry large numbers of counterfeit cards on their person.

2018

Evercore Breach

December 23

In November, hackers breached Evercore gaining access to thousands of sensitive documents from the global investment bank.

Target

Location: Western Europe
Date Breach First Reported: 12/23/2018

Incident

Method: Phishing
Type: Data breach

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In November, hackers breached Evercore gaining access to thousands of sensitive documents from the global investment bank. The attackers used phishing tactics to gain access to an employee’s inbox, enabling them to steal around 160,000 pieces of data including documents, diary invitations, and emails. A source at the bank believes the motivation for the breach was to access the administrator's address book to send more phishing emails. The source also claims no data had been misused as a result of the breach.

Government Payment Portals

December 18

In August 2017, Click2Gov, an online bill-payment portal used to pay for local government services in the United States, was the victim of a data breach.

Target

Location: United States
Date Breach First Reported: 12/18/2018

Incident

Method: Other
Type: Data breach

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In August 2017, Click2Gov, an online bill-payment portal used to pay for local government services in the United States, was the victim of a data breach. The breach exposed customer data including payment card details and log-in credentials of users in over forty U.S. cities. Threat intelligence firm Gemini Advisory discovered that several users’ card details were sold on the dark web for approximately £10. Gemini identified 294,929 compromised payment records, resulting in at least $1.7 million in earnings for the criminals.

Brazilian Mobile Malware

December 13

In mid-December, a report revealed that over 2,000 mobile banking users in Brazil downloaded an Android-based Trojan through Google Play applications.

Target

Location: Brazil
Date Breach First Reported: 12/13/2018

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In mid-December, a report revealed that over 2,000 mobile banking users in Brazil downloaded an Android-based Trojan through Google Play applications. Victims unknowingly downloaded the malware, allowing attackers to gain access to user devices and data. The “Android.BankBot.495” malware was designed to read the victim’s information when they logged into their mobile banking app. Reports suggest that the malware also targeted apps such as Uber, Netflix, and Twitter using phishing tactics.

ThreadKit Exploit

December 11

In late 2018, security researchers uncovered that Cobalt, a state-sponsored threat group that specializes in attacks on financial institutions, had begun employing a new variant of the ThreadKit exploit builder kit to execute phishing schemes utilizing Microsoft Office documents.

Target

Location: Eastern Europe (Ukraine; Poland; Romania; Czech Republic; Hungary; Belarus; Bulgaria; Slovakia; Moldova)
Date Breach First Reported: 12/11/2018

Incident

Method: Phishing
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In late 2018, security researchers uncovered that Cobalt, a state-sponsored threat group that specializes in attacks on financial institutions, had begun employing a new variant of the ThreadKit exploit builder kit to execute phishing schemes utilizing Microsoft Office documents. ThreadKit was first observed in October 2017; the new variant shows an evolution of the macro delivery tool and demonstrates the growing range of techniques employed by malicious actors.

Eastern European Banks Targeted From the Inside

December 6

In 2017 and 2018, eight banks in Eastern Europe were targeted by attackers who connected electronic devices directly to the banks’ infrastructure.

Target

Location: Eastern Europe
Date Breach First Reported: 12/6/2018

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In 2017 and 2018, eight banks in Eastern Europe were targeted by attackers who connected electronic devices directly to the banks’ infrastructure. Attackers used a range of readily available devices such as netbooks, inexpensive laptops, USB tools, and other devices. The attackers disguised themselves as job seekers or couriers and gained access to the local network from various places inside the victims’ central or regional offices, and even from company branches in different countries. Once they gained access to the target bank’s infrastructure, the attackers scanned its networks to collect valuable information, such as account details for making payments. The attacks are believed to have caused tens of millions of dollars in damages.

Rapid Raids Jackpotting

November 14

On November 14, two Venezuelan men were found guilty of jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand.

Target

Location: United States
Date Breach First Reported: 11/14/2018

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On November 14, two Venezuelan men were found guilty of jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand. From February to March, the duo stole $125,000 from four ATMs in Indiana, Kentucky, Wisconsin, and most recently Michigan, where they were apprehended.

Postbank Internal Data Breach and Fraud

December 1

In December 2018, Postbank, the banking division of South Africa’s post office, experienced an internal data breach resulting in the theft of over $3.2 million and the forced replacement of 12 million cards.

Target

Location: South Africa
Date Breach First Reported: 06/18/2020

Incident

Method: Multiple
Type: Theft

Actor

Type: Insider
Attribution: Speculated

Description

In December 2018, Postbank, the banking division of South Africa’s post office, experienced an internal data breach resulting in the theft of over $3.2 million and the forced replacement of 12 million cards. Employees stole Postbank’s 36-digit master encryption key and used it to access account balances in 25,000 fraudulent transactions over the course of a year.

According to internal documents acquired by journalists, the stolen 36-digit encryption key “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards.”

HSBC U.S. Breach

November 6

In November, HSBC reported that hackers had gained access to customer data including names, addresses, phone numbers, and account details.

Target

Location: United States
Date Breach First Reported: 11/6/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In November, HSBC reported that hackers had gained access to customer data including names, addresses, phone numbers, and account details. When HSBC discovered the compromised accounts, it suspended online access for affected customers to prevent further entry to the accounts. At the time of release, HSBC did not provide details on the number of customers affected, but estimates suggest that less than 1 percent of the bank’s U.S. online accounts were potentially compromised.

Magecart Payments Breach

November 2

In early November, Lloyds Banking Group and other UK banks were forced to replace payment cards after the breach of numerous retail sites.

Target

Location: United Kingdom
Date Breach First Reported: 11/2/2018

Incident

Method: Other
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In early November, Lloyds Banking Group and other UK banks were forced to replace payment cards after the breach of numerous retail sites. Websites for retailers, including Ticketmaster and British Airways, were manipulated to skim card information from hundreds of thousands of customers using the Magecart toolset.

Bank Islami

October 29

On October 29, 2018, Bank Islami in Pakistan detected a cyber attack on its international payment card network.

Target

Location: Pakistan
Date Breach First Reported: 10/29/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On October 29, 2018, Bank Islami in Pakistan detected a cyber attack on its international payment card network. The bank uncovered suspicious transactions from payment cards outside of Pakistan and immediately shut down its international payment scheme. The bank confirmed that around 2.6 million Pakistani rupees (roughly $19,500) were withdrawn from customer accounts. Following the incident, the State Bank of Pakistan (SBP) issued directives to all banks, encouraging them to ensure the security of all payment cards and monitor card activity on a real-time basis.

Pakistan Data Theft

October 27

On October 27, cybersecurity firm Group-IB reported a spike in sales of card details from Pakistani customers on Joker’s Stash, a popular online marketplace for stolen information.

Target

Location: Pakistan
Date Breach First Reported: 10/27/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On October 27, cybersecurity firm Group-IB reported a spike in sales of card details from Pakistani customers on Joker’s Stash, a popular online marketplace for stolen information. Group-IB identified more than 150,000 card details from at least three Pakistani banks. The Pakistani Federal Investigation Agency revealed that almost all the nation’s banks had been affected. However, the State Bank of Pakistan has disputed the scale of the incident. The compromise of card details came weeks after Karachi-based Bank Islami suffered a breach of its payment cards system.

AXA Targeted in Mexico

October 23

On October 22, 2018, unknown hackers attacked insurance firm AXA, causing problems for the SPEI interbank payment matching system.

Target

Location: Mexico
Date Breach First Reported: 10/23/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On October 22, 2018, unknown hackers attacked insurance firm AXA, causing problems for the SPEI interbank payment matching system. This incident prompted Mexico’s central bank to raise the security alert level on its payments system. AXA reported no client information or money was affected by the incident.

State Bank of Mauritius

October 2

In October 2018, the Indian subsidiary of the State Bank of Mauritius was targeted by attackers who attempted to steal $14 million through compromised IT systems.

Target

Location: Mauritius
Date Breach First Reported: 10/2/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In October 2018, the Indian subsidiary of the State Bank of Mauritius was targeted by attackers who attempted to steal $14 million through compromised IT systems. The bank managed to recover $10 million in the days following the attack and said no customers would lose money as a result. The thieves reportedly withdrew the funds using fraudulent messages on the SWIFT interbank messaging network.

Zaif Crypto Heist

September 14

On September 14, 2018, approximately $60 million in virtual currency was stolen from Zaif, a Japanese cryptocurrency exchange.

Target

Location: Japan
Date Breach First Reported: 09/14/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On September 14, 2018, approximately $60 million in virtual currency was stolen from Zaif, a Japanese cryptocurrency exchange.

The attackers accessed the exchange’s hot wallets to steal roughly $60 million in bitcoin, bitcoin cash, and MonaCoin. The identity of the attackers remains unknown.

Russian Bank Heists by Silence Group

September 5

First reported in 2018, Russian-speaking hackers, dubbed Silence by researchers at Group IB, targeted Russian banks, stealing $550,000 within a year.

Target

Location: Russia
Date Breach First Reported: 9/5/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

First reported in 2018, Russian-speaking hackers, dubbed Silence by researchers at Group IB, targeted Russian banks, stealing $550,000 within a year. After an unsuccessful attempt to penetrate the Russian Central Bank’s automated workstation client, the group attacked ATMs directly and through the supply chain, using phishing emails as its means of entry to the networks.

Banco de la Nacion

August 17

Over the weekend of August 17–19, 2018, an attack took place on Peruvian banks that forced at least one bank to take down its internet banking services and some card transactions.

Target

Location: Peru, Thailand, Malaysia, Indonesia, United States, Latin America
Date Breach First Reported: 8/17/2018

Incident

Method: Ransomware
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

Over the weekend of August 17–19, 2018, an attack took place on Peruvian banks that forced at least one bank to take down its internet banking services and some card transactions. There were reports that a new strain of ransomware was involved. The extent of the damage done remains unclear, but there were no indications in the weeks afterward that the attack targeted payment systems, or was a smokescreen for other activity.

Cosmos Bank SWIFT Heist

August 11

In August 2018, it was reported that Cosmos Bank, the second-biggest cooperative bank in India, lost $13.5 million through ATMs in twenty-eight countries as well as through unauthorized interbank transactions.

Target

Location: India
Date Breach First Reported: 8/11/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In August 2018, it was reported that Cosmos Bank, the second-biggest cooperative bank in India, lost $13.5 million through ATMs in twenty-eight countries as well as through unauthorized interbank transactions. The attackers seem to have stolen card information and also set up their own proxy server so transactions with stolen details would not trigger alarms. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Over the course of just a few hours on August 11, the group coordinated almost 15,000 transactions to cash out funds through ATMs worldwide using compromised Visa and RuPay cards. Two days later, the attackers made further fraudulent transactions through the bank’s interface to the SWIFT messaging system—a technique used in numerous bank attacks, including against fellow Indian lender City Union Bank (CUB) in February.

The parallels with the CUB heist continued after police arrested several suspects accused of taking the funds from ATMs. Four of the people involved also admitted playing a role in the earlier theft, according to investigators in September.

The attack left Cosmos’s online banking service offline for more than a week, and the funds have not been recovered. There were signs that an attack on a bank was coming. Two days before the incident, the FBI issued a warning to banks about an imminent ATM cash-out scheme, without providing further public details.
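The cash-out pattern described in this entry, thousands of withdrawals on compromised cards across many countries within hours, is the kind of burst an issuer or card scheme can catch with a velocity check on authorization traffic. The block below is an added example, not code from the original timeline, from Cosmos Bank or from any investigator: it runs a sliding-window check over constructed ATM authorization records (the log format, the card tokens, the countries and the thresholds are all assumptions chosen for illustration) and reports both a burst of withdrawals spanning several countries and any single card that withdraws in two countries too close together to be the legitimate cardholder.

```python
"""Velocity check for an ATM cash-out burst, run over constructed authorization records.

Assumed input (not a real switch format): one withdrawal per line,
"ISO-timestamp,card-token,ISO-country,amount".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Auth(NamedTuple):
    ts: datetime
    card: str
    country: str
    amount: float


# Constructed sample, not real Cosmos Bank data: a quiet afternoon of domestic
# withdrawals, then eight foreign withdrawals in under a minute (the cash-out).
SAMPLE_LOG = """\
2018-08-11T13:05:00,card-0101,IN,60
2018-08-11T13:40:00,card-0102,IN,120
2018-08-11T14:15:00,card-0103,IN,80
2018-08-11T15:00:05,card-0201,CA,400
2018-08-11T15:00:09,card-0202,HK,450
2018-08-11T15:00:14,card-0203,US,500
2018-08-11T15:00:20,card-0204,GB,300
2018-08-11T15:00:27,card-0205,RU,420
2018-08-11T15:00:33,card-0206,CA,400
2018-08-11T15:00:40,card-0201,HK,400
2018-08-11T15:00:48,card-0207,AE,500
"""


def parse_log(text: str) -> list:
    auths = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, country, amount = line.split(",")
        auths.append(Auth(datetime.fromisoformat(ts), card, country, float(amount)))
    return sorted(auths, key=lambda a: a.ts)


def load_sample() -> list:
    return parse_log(SAMPLE_LOG)


def detect_cashout(auths, window=timedelta(minutes=10), min_txns=5, min_countries=3):
    """Slide a time window over the withdrawals. A window holding at least
    min_txns withdrawals from at least min_countries distinct countries marks
    every withdrawal inside it as part of a burst; runs of marked withdrawals
    are merged so each burst produces exactly one alert."""
    auths = sorted(auths, key=lambda a: a.ts)
    marked = [False] * len(auths)
    start = 0
    for end, a in enumerate(auths):
        while a.ts - auths[start].ts > window:
            start += 1
        segment = auths[start:end + 1]
        if len(segment) >= min_txns and len({x.country for x in segment}) >= min_countries:
            for i in range(start, end + 1):
                marked[i] = True

    alerts, i = [], 0
    while i < len(auths):
        if not marked[i]:
            i += 1
            continue
        j = i
        while j < len(auths) and marked[j]:
            j += 1
        burst = auths[i:j]
        alerts.append({
            "first": burst[0].ts.isoformat(),
            "last": burst[-1].ts.isoformat(),
            "txns": len(burst),
            "cards": len({x.card for x in burst}),
            "countries": sorted({x.country for x in burst}),
            "total": sum(x.amount for x in burst),
        })
        i = j
    return alerts


def cards_in_multiple_countries(auths, window=timedelta(minutes=10)):
    """One physical card cannot withdraw in two countries within the window;
    returns {card token: sorted list of countries it was used in}."""
    by_card = defaultdict(list)
    for a in sorted(auths, key=lambda a: a.ts):
        by_card[a.card].append(a)
    flagged = {}
    for card, seq in by_card.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.country != cur.country and cur.ts - prev.ts <= window:
                flagged.setdefault(card, set()).update({prev.country, cur.country})
    return {card: sorted(c) for card, c in flagged.items()}


if __name__ == "__main__":
    sample = load_sample()
    for alert in detect_cashout(sample):
        print("cash-out burst:", alert)
    print("cards seen in several countries:", cards_in_multiple_countries(sample))
```

The thresholds are deliberately loose so that a handful of travellers withdrawing abroad in the same hour does not trip the check; the signal is the combination of rate and geographic spread, not either alone. The caveat this entry itself raises matters more than the thresholds: because the attackers answered authorization requests from their own proxy, the bank's switch never saw these withdrawals, so a check like this only catches the burst if it is fed from records the attackers do not control, such as the scheme's own authorization or settlement data.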

National Bank of Blacksburg

July 24

In May 2016 and January 2017, the National Bank of Blacksburg, based in the state of Virginia, was hit by phishing emails that enabled intruders to install malware and pivot into the Star Network, a U.S. bank card processing service.

Target

Location: United States
Date Breach First Reported: 7/24/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In May 2016 and January 2017, the National Bank of Blacksburg, based in the state of Virginia, was hit by phishing emails that enabled intruders to install malware and pivot into the Star Network, a U.S. bank card processing service. The 2017 attack gave wider access to bank networks and enabled the thieves to withdraw $1.8 million over the course of a weekend, taking total losses to $2.4 million. According to a lawsuit filed by the bank against its insurer to recover more of its losses, an investigation after the second attack concluded that both incidents were by the same group, using tools and servers of Russian origin.

PIR Bank Attacked

July 19

On July 3, 2018, attackers targeted Russia’s version of the SWIFT interbank network, the Automated Workstation Client, to siphon around $1 million from PIR Bank.

Target

Location: Russia
Date Breach First Reported: 7/19/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

On July 3, 2018, attackers targeted Russia’s version of the SWIFT interbank network, the Automated Workstation Client, to siphon around $1 million from PIR Bank. After breaching the network through an outdated router, the group attempted to install PowerShell scripts to remain on the bank’s systems. A report by Group IB, which responded to the incident, attributed it to an established criminal group named MoneyTaker that has targeted more than a dozen banks in the United States, Russia, and the UK since 2016.

BitHumb Crypto Heist #3

June 19

On June 19, 2018, approximately $31 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, marking the third theft in the last 16 months.

Target

Location: South Korea
Date Breach First Reported: 08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On June 19, 2018, approximately $31 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, marking the third theft in the last 16 months. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. Proceeds were laundered through a separate cryptocurrency exchange called YoBit. The company stated they would compensate customers affected.

Coinrail Crypto Heist

June 10

On June 10, 2018, approximately $37 million in virtual currency was stolen from Coinrail, a South Korean cryptocurrency exchange.

Target

Location: South Korea
Date Breach First Reported: 06/10/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On June 10, 2018, approximately $37 million in virtual currency was stolen from Coinrail, a South Korean cryptocurrency exchange. The identity of the attackers remains unknown.

Liberian Financial Institution Attempted Theft

June 1

In June 2018, attackers attempted to steal $32 million from a Liberian financial institution.

Target

Location: Liberia
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In June 2018, attackers attempted to steal $32 million from a Liberian financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Data Breach Involving Canadian Banks

May 28

In 2018, it was revealed that up to 90,000 clients of the Canadian banks Simplii and Bank of Montreal (BMO) had been exposed by a data breach that the banks blamed on unidentified fraudsters.

Target

Location: Canada
Date Breach First Reported: 5/28/2018

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In 2018, it was revealed that up to 90,000 clients of the Canadian banks Simplii and Bank of Montreal (BMO) had been exposed by a data breach that the banks blamed on unidentified fraudsters. Bank of Montreal said the group, which it believes was behind the theft from both banks, had threatened to make the data public. Simplii and BMO are now facing a class action lawsuit, with the plaintiffs arguing that the banks failed to properly protect sensitive information.

Banco de Chile Incident

May 24

In May 2018, Banco de Chile suffered a $10 million theft after the attackers used destructive software as cover for a fraudulent SWIFT transfer.

Target

Location: Chile
Date Breach First Reported: 5/24/2018

Incident

Method: Malware
Type: Disruption, theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In May 2018, Banco de Chile suffered a $10 million theft after the attackers used destructive software as cover for a fraudulent SWIFT transfer. The bank’s 9,000 workstations and 500 servers failed on May 24 as the KillMBR wiper tool rendered them unable to boot up, adding it to the growing ranks of Latin American banks suffering cyber attacks. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Mexican Bank Theft

May 12

Banco de Mexico warned a dozen banks to upgrade their security following $15 million in fraudulent cash withdrawals from five institutions linked to the central bank’s electronic payments system, SPEI.

Target

Location: Mexico
Date Breach First Reported: 5/12/2018

Incident

Method: Software vulnerability
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Banco de Mexico warned a dozen banks to upgrade their security following $15 million in fraudulent cash withdrawals from five institutions linked to the central bank’s electronic payments system, SPEI. A vulnerability in third-party software connected to SPEI was used by unknown attackers to get into the system and make a series of fraudulent transactions before cashing out.

The investigators have not made clear whether each victim bank was compromised, or whether the attackers moved between them following the initial breach. It is also unclear whether the gang had insider help to clear large transactions through the banks’ security checks. The incidents delayed legitimate transfers but the central bank said client money and the SPEI infrastructure were unaffected.

Following the thefts, Banco de Mexico set up a new cybersecurity unit and asked participating banks to move to in-house, encrypted software for connecting to SPEI. The incident came five months after Bancomext, the state-owned trade bank, blocked attempts to siphon off $110 million via a compromise in the network that granted attackers access to the global SWIFT interbank system.

DDoS-for-Hire

April 1

In April 2018, it was revealed that authorities in five countries worked together to take down Webstresser, a DDoS-for-hire site they said was behind up to 6 million attacks around the world over three years.

Target

Location: Western Europe
Date Breach First Reported: 4/1/2018

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In April 2018, it was revealed that authorities in five countries worked together to take down Webstresser, a DDoS-for-hire site they said was behind up to 6 million attacks around the world over three years. The site was used to launch a coordinated attack on seven UK banks in November 2017, according to the UK’s National Crime Agency. Several people have been arrested, and the U.S. Department of Defense seized the website.

Malaysian Central Bank Attempted SWIFT Heist

March 29

On March 29, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $390 million from the Malaysian Central Bank.

Target

Location: Malaysia
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 29, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $390 million from the Malaysian Central Bank.

According to the Malaysian Central Bank no funds were stolen during the incident and the bank's payment systems remained unaffected and operational. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Rapid Raids Jackpotting

March 19

In March 2018, two Venezuelan men were arrested for jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand.

Target

Location: United States
Date Breach First Reported: 3/18/2018

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In March 2018, two Venezuelan men were arrested for jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand. From February to March, the duo stole $125,000 from four ATMs in Indiana, Kentucky, Wisconsin, and most recently Michigan, where they were apprehended. The pair were sentenced to federal prison in November 2018 for conspiracy to commit bank robbery.

Mabna Iranian Hack on the United States

March 23

Two financial firms were among the various U.S. targets of a hacking group operating under the guise of the Mabna Institute, which used password spraying to access information.

Target

Location: United States
Date Breach First Reported: 3/23/2018

Incident

Method: Password spraying
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

Two financial firms were among the various U.S. targets of a hacking group operating under the guise of the Mabna Institute, which used password spraying to access information. The actors are accused by the United States of stealing 31 terabytes of academic and commercial information in a campaign dating as far back as 2013. Nine Iranians have been charged by the United States, which claims the group acts on behalf of the Islamic Revolutionary Guard Corps and has imposed sanctions on numerous individuals and companies in the country as a result.
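Password spraying, the technique this entry names, tries one or two common passwords against a long list of accounts so that no single account accumulates enough failures to lock out or to stand out in per-account monitoring. The block below is an added example, not code from the page, from the indictment or from any of the firms involved: it parses constructed authentication log lines (the line format, the source addresses and the usernames are assumptions for illustration) and separates a spray from an ordinary single-account brute-force attempt by counting distinct failing usernames per source address, then reports any success from the same source after the spray began, which is the alert a responder actually wants.

```python
"""Password-spraying detection over constructed authentication log lines.

Assumed line format (not any real product's log):
"ISO-timestamp src=<ip> user=<name> result=OK|FAIL"
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    src: str
    user: str
    ok: bool


# Constructed sample: one source sprays ten accounts with one attempt each and
# hits on the tenth; a second source hammers one account (brute force, not a
# spray); a third is a user mistyping a password twice, then logging in.
SAMPLE_LOG = """\
2018-03-20T08:00:01 src=203.0.113.7 user=alice result=FAIL
2018-03-20T08:00:04 src=203.0.113.7 user=bob result=FAIL
2018-03-20T08:00:07 src=203.0.113.7 user=carol result=FAIL
2018-03-20T08:00:10 src=203.0.113.7 user=dave result=FAIL
2018-03-20T08:00:13 src=203.0.113.7 user=erin result=FAIL
2018-03-20T08:00:16 src=203.0.113.7 user=frank result=FAIL
2018-03-20T08:00:19 src=203.0.113.7 user=grace result=FAIL
2018-03-20T08:00:22 src=203.0.113.7 user=heidi result=FAIL
2018-03-20T08:00:25 src=203.0.113.7 user=ivan result=FAIL
2018-03-20T08:00:28 src=203.0.113.7 user=judy result=OK
2018-03-20T08:05:00 src=192.0.2.5 user=admin result=FAIL
2018-03-20T08:05:02 src=192.0.2.5 user=admin result=FAIL
2018-03-20T08:05:04 src=192.0.2.5 user=admin result=FAIL
2018-03-20T08:05:06 src=192.0.2.5 user=admin result=FAIL
2018-03-20T08:05:08 src=192.0.2.5 user=admin result=FAIL
2018-03-20T08:05:10 src=192.0.2.5 user=admin result=FAIL
2018-03-20T08:30:00 src=198.51.100.9 user=carol result=FAIL
2018-03-20T08:30:05 src=198.51.100.9 user=carol result=FAIL
2018-03-20T08:30:09 src=198.51.100.9 user=carol result=OK
"""


def parse_line(line: str) -> Event:
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts), kv["src"], kv["user"], kv["result"] == "OK")


def load_sample() -> list:
    return [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]


def detect_spray(events, window=timedelta(minutes=30), min_users=8, max_per_user=2):
    """Per source address, slide a window over its events. A window in which at
    least min_users distinct usernames failed, none of them more than
    max_per_user times, is a spray: many accounts, few attempts each. Brute
    force against one account (many failures, one username) does not match.
    One alert per source, reporting every user the source went on to log in as."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    alerts = []
    for src, seq in by_src.items():
        start = 0
        for end, e in enumerate(seq):
            while e.ts - seq[start].ts > window:
                start += 1
            fails = Counter(x.user for x in seq[start:end + 1] if not x.ok)
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                since_spray = seq[start:]
                alerts.append({
                    "src": src,
                    "first_seen": seq[start].ts.isoformat(),
                    "users_targeted": len({x.user for x in since_spray}),
                    "compromised": sorted({x.user for x in since_spray if x.ok}),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(load_sample()):
        print("password spray:", alert)
```

Keying on the source address is the simplest form of the check and is enough for the single-source spray in the sample; a spray spread across many addresses, one account per address, defeats it, and the tenant-wide variant keys on the whole directory instead (distinct usernames failing per window regardless of source). The low per-user cap is what distinguishes the spray from the brute-force source in the sample: both produce many failures, but only one of them touches many accounts.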

City Union Bank SWIFT Attack

February 18

In February 2018, City Union Bank in India suffered a breach that allowed $1 million to be transferred to a Chinese institution.

Target

Location: India
Date Breach First Reported: 2/18/2018

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In February 2018, City Union Bank in India suffered a breach that allowed $1 million to be transferred to a Chinese institution. The attackers tried to make three transactions totaling $2 million, sending money to Dubai and Turkey, but were thwarted by City Union Bank and the correspondent bank on the receiving end of the transfer. Two years earlier, attackers attempted but failed to make a $170 million SWIFT transfer out of the Union Bank of India. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

BitGrail Crypto Heist

February 9

On February 9, 2018, BitGrail, a small Italian cryptocurrency exchange, announced that attackers had stolen $170 million in Nano, a cryptocurrency. The identity of the attackers remains unknown.

Target

Location: Italy
Date Breach First Reported: 02/10/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On February 9, 2018, BitGrail, a small Italian cryptocurrency exchange, announced that attackers had stolen $170 million in Nano, a cryptocurrency. The identity of the attackers remains unknown.

Infraud Gang

February 7

In February 2018, it was revealed that thirty-six people from seven countries had been indicted in the United States for their alleged involvement in the Infraud Organization, which law enforcement officials say sells stolen personal and financial information.

Target

Location: Netherlands
Date Breach First Reported: 2/7/2018

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In February 2018, it was revealed that thirty-six people from seven countries had been indicted in the United States for their alleged involvement in the Infraud Organization, which law enforcement officials say sells stolen personal and financial information. More than half a billion dollars was lost by the victims, the U.S. Department of Justice said, with a trail going back to October 2010. The organization was said to have more than 10,000 registered members who bought and sold illicit products including malware, data from credit card dumps, and information needed for identity fraud.

Dutch DDoS Attack

January 29

In January, ABN Amro, Rabobank, and ING suffered disruptions to online and mobile banking services, while the Dutch tax authority website was taken down for several minutes.

Target

Location: Netherlands
Date Breach First Reported: 1/29/2018

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In January, ABN Amro, Rabobank, and ING suffered disruptions to online and mobile banking services, while the Dutch tax authority website was taken down for several minutes. Initial reports raised concerns of a Russian connection to the attack, as it came a week after a media report that Dutch intelligence agents had infiltrated the Russian threat group APT 29. However, an eighteen-year-old from the Dutch city of Oosterhout was arrested in February for the attack, having claimed online that he bought a “stresser” tool for €40 that enabled him to send a deluge of traffic to victim websites.

Coincheck Crypto Heist

January 26

On January 26, 2018, $534 million worth of NEM, a cryptocurrency, was stolen from Coincheck, a Japanese cryptocurrency exchange, forcing Coincheck to freeze all transactions.

Target

Location: Japan
Date Breach First Reported: 01/26/2018

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On January 26, 2018, $534 million worth of NEM, a cryptocurrency, was stolen from Coincheck, a Japanese cryptocurrency exchange, forcing Coincheck to freeze all transactions.

In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. NEM Foundation president Lon Wong called the incident “the biggest theft in the history of the world.” Group-IB, a Singapore-based security firm, also attributed the theft to Lazarus, a group of North Korean hackers, in October 2018.

Bancomext Attempted SWIFT Heist

January 9

On January 9, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $110 million from Bancomext, Mexico’s state-owned trade bank, but the money was ultimately recovered.

Target

Location: Mexico
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On January 9, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $110 million from Bancomext, Mexico’s state-owned trade bank, but the money was ultimately recovered. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

Costa Rican Financial Institution Attempted Theft

January 1

In January 2018, attackers attempted to steal $19 million from a private Costa Rican financial institution.

Target

Location: Costa Rica
Date Breach First Reported: 08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In January 2018, attackers attempted to steal $19 million from a private Costa Rican financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.

In a submission to the United Nations Security Council Panel of Experts, the Costa Rican government confirmed that an investigation was launched by the Office of the Public Prosecutor’s Division on Fraud.

2017

NiceHash Crypto Heist

December 6

On December 6, 2017, approximately $70 million was stolen from NiceHash, a Slovenian cryptocurrency mining service.

Target

Location: Slovenia
Date Breach First Reported: 12/06/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On December 6, 2017, approximately $70 million was stolen from NiceHash, a Slovenian cryptocurrency mining service. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.

Youbit Hacked

December 1

On December 19, 2017, YouBit, a South Korean cryptocurrency exchange, was hacked for the second time that year and had 17 percent of its digital currency stolen by attackers, which forced it to stop trading.

Target

Location: South Korea
Date Breach First Reported: 12/19/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

On December 19, 2017, YouBit, a South Korean cryptocurrency exchange, was hacked for the second time that year and had 17 percent of its digital currency stolen by attackers, which forced it to stop trading. It later declared bankruptcy as a result. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Paradise Papers

November 5

In November 2017, an unknown whistle-blower leaked a trove of secret records on offshore companies to the German newspaper Süddeutsche Zeitung, which shared the details with 380 journalists around the world.

Target

Location: Multiple
Date Breach First Reported: 11/5/2017

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In November 2017, an unknown whistle-blower leaked a trove of secret records on offshore companies to the German newspaper Süddeutsche Zeitung, which shared the details with 380 journalists around the world. The Paradise Papers, covering the law firm Appleby’s business as far back as 1950, shone a light on offshore tax affairs in thirty jurisdictions, including Bermuda and the Cayman Islands, the heart of the global hedge fund industry. Appleby has said it was the victim of a cyber attack, alleging the intruder “deployed the tactics of a professional hacker.” The breach came just over a year after the Panama Papers, documents from law firm Mossack Fonseca that were leaked to the same newspaper.

South Korean Crypto Heist Thwarted

October 10

In October 2017, the Korean Internet Security Agency thwarted an attack on 10 cryptocurrency exchanges in South Korea.

Target

Location: South Korea
Date Breach First Reported: 12/15/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In October 2017, the Korean Internet Security Agency thwarted an attack on 10 cryptocurrency exchanges in South Korea. The attack used a sophisticated business email compromise. South Korean media reported the attack was carried out by DPRK-affiliated hackers.

Far Eastern International Bank

October 1

In October 2017, Far Eastern International Bank in Taiwan became the victim of a $14 million theft when hackers planted malware in the company’s systems to access a SWIFT terminal, which was then used to make fraudulent transfers.

Target

Location: Taiwan
Date Breach First Reported: 10/1/2017

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In October 2017, Far Eastern International Bank in Taiwan became the victim of a $14 million theft when hackers planted malware in the company’s systems to access a SWIFT terminal, which was then used to make fraudulent transfers. The attackers used an unusual ransomware variant named Hermes, but this was likely a distraction for their main objective of using administrative credentials to move funds to Cambodia, the United States, and Sri Lanka. The attack is suspected of being performed by a group that has repeatedly intruded on bank networks to carry out thefts. Most of the stolen money was recovered, and two men were arrested in Sri Lanka after they attempted to withdraw funds. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Tunisian Financial Institution Attempted Theft

October 10

In October 2017, attackers attempted to steal $60 million from a Tunisian financial institution.

Target

Location: Tunisia
Date Breach First Reported: 08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In October 2017, attackers attempted to steal $60 million from a Tunisian financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Coinis Crypto Heist

September 23

On September 23, 2017, virtual currency worth an estimated $2.19 million, according to reports, was stolen from Coinis, a South Korean cryptocurrency exchange.

Target

Location: South Korea
Date Breach First Reported: 09/23/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On September 23, 2017, virtual currency worth an estimated $2.19 million, according to reports, was stolen from Coinis, a South Korean cryptocurrency exchange. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. In December 2017, the South Korean newspaper Chosun Ilbo reported that the South Korean government had attributed the attack to DPRK-affiliated actors.

SEC Edgar Hack

September 21

The Securities and Exchange Commission announced in September 2017 that hackers might have accessed inside information from the Edgar database, which contains market-sensitive filings for companies listed on U.S. stock exchanges, and used it to make illegal profits on share trades.

Target

Location: United States
Date Breach First Reported: 9/21/2017

Incident

Method: Software vulnerability
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

The Securities and Exchange Commission announced in September 2017 that hackers might have accessed inside information from the Edgar database, which contains market-sensitive filings for companies listed on U.S. stock exchanges, and used it to make illegal profits on share trades. The commission did not realize the intrusion, which took place in 2016 through a software vulnerability in a test filing component, could have leaked company secrets until August 2017. The identity of the hackers is unknown, although reports have suggested the perpetrators are based in Eastern Europe.

Equifax Hack

September 7

In one of the biggest data breaches on record, the credit reporting agency Equifax announced in October 2017 that more than 150 million customer records had been compromised, including some sensitive data such as birth dates and 12,000 U.S. social security numbers.

Target

Location: United States
Date Breach First Reported: 9/7/2017

Incident

Method: Web app vulnerability
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In one of the biggest data breaches on record, the credit reporting agency Equifax announced in October 2017 that more than 150 million customer records had been compromised, including some sensitive data such as birth dates and 12,000 U.S. social security numbers. According to the U.S. government indictments, the breach was carried out by the Chinese People’s Liberation Army (PLA) exploiting a bug in an Apache Struts web application that the company had failed to patch.

The attackers scanned Equifax’s estate for the vulnerability and gained access to the application, an online dispute portal, days after the bug was made public in March, but did not take any data for several months. Once inside the network, the attackers found unencrypted usernames and passwords for other databases and spent seventy-six days on the network, eventually accessing forty-eight different datasets.

Equifax has spent $439 million on redressing the data loss and, a year after disclosure, its share price remained below the pre-breach level. However, the company has avoided fines from the banking regulators in eight U.S. states after agreeing to a deal in June 2018 to improve its cybersecurity oversight.

On February 10, 2020, the U.S. Department of Justice indicted four members of the Chinese People’s Liberation Army (PLA) for a targeted intrusion into the networks of Equifax, a credit reporting agency in the United States. The indictment states that the attackers were targeting the private data of millions of Americans, along with Equifax trade secrets, such as ‘data compilations and database plans’. The indictment lists the operators’ affiliation with the 54th Research Institute, formerly part of the PLA and now part of the PLA Strategic Support Force (SSF).

South Korean Monero Cryptojacking

July 15

In the summer of 2017, a South Korean company’s server was hijacked by attackers and made to mine 70 Monero coins, a cryptocurrency, worth approximately $25,000.

Target

Location: South Korea
Date Breach First Reported: 08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In the summer of 2017, a South Korean company’s server was hijacked by attackers and made to mine 70 Monero coins, a cryptocurrency, worth approximately $25,000. The South Korean Financial Security Institute attributed the theft to the DPRK-affiliated group Andariel in January 2018, and in August 2019, the UN Security Council Panel of Experts also indicated DPRK-affiliated actors were behind the theft.

BitHumb Crypto Heist #2

June 29

In February 2017, at least $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange.

Target

Location: South Korea
Date Breach First Reported: 06/29/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On June 29, approximately $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, for the second time in four months. The South Korean National Intelligence Service attributed the theft to the DPRK, and in August 2019, the UN Security Council Panel of Experts also indicated DPRK-affiliated actors were behind the theft.

The attackers gained access to an employee’s personal computer. From there they managed to exfiltrate the details of 3% of the platform’s total users, including names, emails, and phone numbers. The company stated it would compensate the affected customers.

YouBit Crypto Heist

April 22

On April 22, 2017, approximately $5.6 million in cryptocurrency was stolen from YouBit, a South Korean cryptocurrency exchange then named Yapizon.

Target

Location: South Korea
Date Breach First Reported: 12/05/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On April 22, 2017, approximately $5.6 million in cryptocurrency was stolen from YouBit, a South Korean cryptocurrency exchange then named Yapizon. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. Group-IB, a Singapore-based security firm, also attributed the theft to Lazarus, a group of North Korean hackers, in October 2018.

BitHumb Crypto Heist #1

February 1

In February 2017, at least $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange.

Target

Location: South Korea
Date Breach First Reported: 12/05/2017

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In February 2017, at least $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange. The hackers also stole PII from 30,000 customers.

In December 2017, the South Korean government attributed the attack to North Korea. On January 16, 2018, Recorded Future, a security firm known for analyzing state-sponsored attacks, attributed the attack to the Lazarus Group within the North Korean government. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.

2016

Russian Banks DDoS Attack

December 2

In December 2016, after a number of DDoS attacks on Russian banks throughout the previous month, the Russian Federal Security Service (FSB) announced that it had discovered pending cyber attacks intended to impact a range of major Russian banks.

Target

Location: Russia
Date Breach First Reported: 12/2/2016

Incident

Method: DDOS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In December 2016, after a number of DDoS attacks on Russian banks throughout the previous month, the Russian Federal Security Service (FSB) announced that it had discovered pending cyber attacks intended to impact a range of major Russian banks. Servers and command centers purportedly intended for use in these attacks were located in the Netherlands and owned by BlazingFast, a Ukrainian hosting company. BlazingFast said it had no information about the asserted attack and that it was unable to find any malicious data. The Dutch Ministry of Security and Justice said that it was aware its infrastructure could be used for cyber attacks elsewhere, and that if the Russian authorities decided to investigate, the Dutch investigating authorities would provide assistance.

On December 9, Rostelecom, Russia’s telecom operator, said in a statement that it had blocked DDoS attacks against the five biggest banks and financial institutions in Russia on December 5. They reached a peak volume of 3.2 million packets per second, which is low compared to the volume of other recent DDoS attacks. The statement further noted that part of the DDoS attacks involved a botnet similar to that used in prior weeks against Germany’s Deutsche Telekom and Ireland’s Eircom, exploiting a vulnerability in home routers. No perpetrators were identified, though the FSB claimed that it was organized by foreign intelligence services and speculated it had been done on behalf of Ukraine, due to the servers’ location and ownership. The FSB stated that it expected the DDoS attacks to be accompanied by text messages, agitating social network publications, and blog statements about a “crisis in the Russian credit and financial system, bankruptcy and withdrawal of licenses of leading federal and regional banks,” and that “the campaign [would be] directed against several dozen Russian cities.” Presumably, this would be an attempt to create a run on Russian banks, initiating a financial crisis. No evidence exists that such action, complementary to the DDoS attacks, was attempted.

Insider Trading Hack

December 1

In late 2016, the Securities and Exchange Commission (SEC) sued three Chinese traders, arguing that they had installed malware on the networks of two law firms to steal confidential, market-moving information on mergers and acquisitions.

Target

Location: United States
Date Breach First Reported: 12/1/2016

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In late 2016, the Securities and Exchange Commission (SEC) sued three Chinese traders, arguing that they had installed malware on the networks of two law firms to steal confidential, market-moving information on mergers and acquisitions. The men were ordered to pay $8.9 million in penalties, and the trio were also indicted on criminal charges, which are ongoing. Hong Kong refused a request to extradite one of the men to the United States in 2017.

Tesco Bank Card Theft

November 5

Tesco Bank, a retail bank based in the UK, was the target of thieves who used vulnerabilities in its card issuing process to guess bank card numbers and steal £2.26 million in November 2016.

Target

Location: United Kingdom
Date Breach First Reported: 11/5/2016

Incident

Method: Card number guessing
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

Tesco Bank, a retail bank based in the UK, was the target of thieves who used vulnerabilities in its card issuing process to guess bank card numbers and steal £2.26 million in November 2016. The unknown attackers likely used an algorithm to generate bank card numbers that used Tesco’s identifying numbers at the start and conformed to the industry-wide Luhn validation scheme that helps protect against accidental errors.

There are around 1 billion possible card numbers for each bank, but regulators have said Tesco Bank’s cards had deficiencies, such as sequential card numbers, that made guessing the full numbers easier. The bank only used basic checks to assess whether cards were genuine, for example merely inspecting whether the debit card would expire in the future instead of making sure the exact expiration date matched its records.

Visa and Mastercard had both previously warned of an increase in the type of fraud seen in this case, which used the magnetic stripe to verify the transaction. On November 5, 2016, as the weekend began, the gang started making fraudulent transactions with the card details it had calculated. Almost 9,000 accounts were affected, or 6.6 percent of the bank’s entire customer base. One customer had twenty-two fraudulent transactions totaling £65,000 on his account.

Tesco Bank halted all online and contactless transactions after a day of struggling to block all the fake purchases reported in the United States, Spain, and Brazil. In October 2018, Tesco was fined £16.4 million by the UK’s Financial Conduct Authority for deficiencies in its bank card policies and its response to the incident.

Indian ATM Breach

October 20

In mid-2016, a number of Indian banks replaced or changed security codes on 3.25 million debit cards after uncovering a breach in Hitachi’s payment switch systems, which link into the ATM network.

Target

Location: India
Date Breach First Reported: 10/20/2016

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In mid-2016, a number of Indian banks replaced or changed security codes on 3.25 million debit cards after uncovering a breach in Hitachi’s payment switch systems, which link into the ATM network. Visa, Mastercard, and India’s Rupay cards were all affected by the compromise.

Union Bank of India Attempted SWIFT Heist

July 21

On July 21, 2016, attackers attempted to use fraudulent SWIFT transactions to steal $170 million from the Union Bank of India (UBI), but the money was ultimately recovered within three days after the transactions were flagged.

Target

Location: India
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On July 21, 2016, attackers attempted to use fraudulent SWIFT transactions to steal $170 million from the Union Bank of India (UBI), but the money was ultimately recovered within three days after the transactions were flagged.

Multiple security firms noted the attackers used tactics and techniques similar to the Bangladesh heist four months previously. The attackers sent the money to accounts in Thailand, Cambodia, Australia, Hong Kong, and Taiwan, and those accounts belonged to shell companies associated with Chinese organized crime syndicates. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft from UBI.

Nigerian Bank Attempted SWIFT Heist

July 1

In July 2016, attackers attempted to use fraudulent SWIFT transactions to steal $100 million from a Nigerian bank, but the money was ultimately recovered.

Target

Location: Nigeria
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In July 2016, attackers attempted to use fraudulent SWIFT transactions to steal $100 million from a Nigerian bank, but the money was ultimately recovered.

The attackers initiated fraudulent SWIFT transactions of $100 million from the unnamed Nigerian bank to bank accounts in Asia, similar to the techniques seen in the 2016 Bangladesh heist. The funds were later returned at the request of the Nigerian bank. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attack on the Nigerian bank, referencing the “African Bank” named in the U.S. Department of Justice 2018 indictment of Park Jin Hyok.

Standard Bank Theft

May 5

On May 15, 2016, attackers stole $19 million from South Africa’s Standard Bank by making 14,000 withdrawals over 3 hours from 1,700 ATMs across Japan.

Target

Location: South Africa, Japan
Date Breach First Reported: 08/30/2019

Incident

Method: Multiple
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On May 15, 2016, attackers stole $19 million from South Africa’s Standard Bank by making 14,000 withdrawals over 3 hours from 1,700 ATMs across Japan.

The UN Security Council Panel of Experts indicated in August 2019 that DPRK-affiliated actors were behind the attack. According to the Japanese government, the attackers used forged cards carrying data from roughly 3,000 pieces of customer information stolen from Standard Bank to withdraw cash from ATMs located in Tokyo and 16 prefectures across Japan. As of July 2019, 260 suspects, including organized crime group members, had been arrested.

Central Banks DDoS Attack

May 4

In May 2016, hacktivists briefly took down the Bank of Greece’s website, and later did the same to the central banks of Mexico, Panama, Kenya, and Bosnia and Herzegovina.

Target

Location: Panama, Greece, Mexico, Kenya, Bosnia and Herzegovina
Date Breach First Reported: 5/4/2016

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In May 2016, hacktivists briefly took down the Bank of Greece’s website, and later did the same to the central banks of Mexico, Panama, Kenya, and Bosnia and Herzegovina. Anonymous claimed responsibility as part of Operation Icarus, a campaign against central banks.

Panama Papers

April 3

In April 2016, an anonymous source leaked 2.6 terabytes of information from the Panamanian law firm Mossack Fonseca to the German newspaper Süddeutsche Zeitung.

Target

Location: Panama
Date Breach First Reported: 4/3/2016

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In April 2016, an anonymous source leaked 2.6 terabytes of information from the Panamanian law firm Mossack Fonseca to the German newspaper Süddeutsche Zeitung. The journalists shared the 11.5 million leaked documents with a dozen global news organizations to simultaneously print stories about the money-laundering, tax affairs, and financial secrecy within. The revelations had far-reaching effects, including the resignation of the Icelandic prime minister, a number of tax evasion investigations, and the closure of Mossack Fonseca.

Belgian National Bank Incident

February 22

On February 22, 2016, a hacking group called DownSec Belgium shut down the website for Belgium’s National Bank for most of the morning using DDoS attacks.

Target

Location: Belgium
Date Breach First Reported: 2/22/2016

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On February 22, 2016, a hacking group called DownSec Belgium shut down the website for Belgium’s National Bank for most of the morning using DDoS attacks. Little information has been reported about the attack, but it followed similar DDoS attacks by the same group against the websites for the Belgian Federal Agency for Nuclear Control, the country’s Crisis Center, and its federal cyber emergency team. DownSec Belgium claims to fight against corrupt government abuses.

Bangladesh Bank SWIFT Hack

February 1

In February 2016, media outlets reported that hackers had breached the network of the Bangladesh central bank and sent thirty-five fraudulent transfer requests to the Federal Reserve Bank of New York, totaling nearly $1 billion.

Target

Location: Bangladesh
Date Breach First Reported: 2/1/2016

Incident

Method: Malware
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In February 2016, media outlets reported that hackers had breached the network of the Bangladesh central bank and sent thirty-five fraudulent transfer requests to the Federal Reserve Bank of New York, totaling nearly $1 billion. Four of these fraudulent requests succeeded, and the hackers were able to transfer $81 million to accounts in the Philippines, representing one of the largest bank thefts in history. A fifth request for $20 million to be sent to an account in Sri Lanka was stopped due to the recipient’s name, Shalika Foundation, being misspelled “fandation.” The remaining transfers, which totaled somewhere between $850 and $870 million, were also stopped before they could be completed due to a stroke of good fortune: the name of the destination bank branch included the word “Jupiter,” which was the name of an unrelated company on a sanctions blacklist. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.

The hackers had introduced malware onto the Bangladesh central bank’s server and deployed keylogger software that allowed them to steal the bank’s credentials for the SWIFT system. The hackers also custom-designed a malware toolkit that compromised SWIFT’s Alliance Access system and was designed to cover their tracks. This toolkit allowed them to delete records of transfer requests, bypass validity checks, delete records of logins, manipulate reporting of balances, and stop attached printers from printing transaction logs. Although the malware was custom-designed to steal from the Bangladesh central bank, the toolkit could potentially be used against other banks in the SWIFT system running Alliance Access software.

The intruders had monitored the bank’s routine activity in order to create money transfer requests that appeared genuine. Furthermore, they timed the thefts so that it would be the weekend in Bangladesh when the Federal Reserve reached out to confirm the transactions, and then it would be the weekend in New York when the Bangladesh central bank employees instructed the Federal Reserve to cancel the transactions.

2015

Guatemalan Financial Institution Theft

December 1

In December 2015, attackers stole $16 million from a Guatemalan financial institution.

Target

Location: Guatemala
Date Breach First Reported: 08/30/2019

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

In December 2015, attackers stole $16 million from a Guatemalan financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attack.

Greek Banks DDoS Attack

November 30

In late 2015, hackers threatened to disable systems at three Greek banks unless they paid a bitcoin ransom.

Target

Location: Greece
Date Breach First Reported: 11/30/2015

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In late 2015, hackers threatened to disable systems at three Greek banks unless they paid a bitcoin ransom. When the banks refused, they had their sites repeatedly knocked out for several hours. The group claiming responsibility for the extortion said it was part of the Armada Collective, which had previously targeted numerous businesses including Cloudflare and Proton Mail, although some investigators believed it might have been a copycat attack using the same name. Some suspected original members of the collective were arrested in Europol’s Operation Pleiades in January 2016, which targeted the group DDoS4Bitcoin, active since mid-2014.

Swedbank and Nordea DDoS Attack

November 6

In November 2015, a teenager was sentenced to community service after carrying out four DDoS attacks against Nordea and Swedbank.

Target

Location: Denmark, Sweden
Date Breach First Reported: 11/6/2015

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In November 2015, a teenager was sentenced to community service after carrying out four DDoS attacks against Nordea and Swedbank. The attacks blocked customers from the banks’ websites for hours at a time. The perpetrator’s lawyers said he was “drawn into a circus” where online groups would test the power of botnets.

Shanghai Composite Index Suspected Manipulation

June 12

Beginning on June 12, 2015, the Shanghai Composite Index began to plummet, and by June 19 it had fallen by 13 percent.

Target

Location: China
Date Breach First Reported: 6/12/2015

Incident

Method: Unknown
Type: Data breach, disruption

Actor

Type: Unknown
Attribution: Unknown

Description

Beginning on June 12, 2015, the Shanghai Composite Index began to plummet, and by June 19 it had fallen by 13 percent. Chinese stock markets continued to fall throughout July and August, and again in January and February 2016. Although there is no public evidence, some have speculated that the initial sudden crash may have been caused by a cyber attack.

Tien Phong Commercial Joint Stock Bank

May 15

In May 2015, the Vietnamese bank Tien Phong announced it had blocked a fraudulent SWIFT transaction worth €1m several months before attackers successfully stole from the Bank of Bangladesh using the same method.

Target

Location: Vietnam
Date Breach First Reported: 5/15/2015

Incident

Method: Unknown
Type: Theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In May 2015, the Vietnamese bank Tien Phong announced it had blocked a fraudulent SWIFT transaction worth €1m several months before attackers successfully stole from the Bank of Bangladesh using the same method. Tien Phong did not name the bank that had been the source of the fraudulent transfer request.

Dyre Wolf Campaign

April 2

In April 2015, a threat group twinned malware with a sophisticated social engineering tactic to steal more than $1 million from businesses.

Target

Location: Multiple
Date Breach First Reported: 4/2/2015

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In April 2015, a threat group twinned malware with a sophisticated social engineering tactic to steal more than $1 million from businesses. A variant of Dyre malware named Upatre, which spread through victims’ email contacts, was used to block hundreds of bank websites on the victim’s device. The victim was then prompted to call a helpline number—actually staffed by a member of the gang who would then harvest the victim’s banking credentials and subsequently make fraudulent wire transfers.

Health Insurer Hacks

February 4

In February 2015, reports indicated that records for almost 80 million customers were stolen from Anthem, a U.S. healthcare insurer, after attackers deployed a spearphishing email that gave access to ninety of the company’s systems, including its back-end database.

Target

Location: United States
Date Breach First Reported: 2/4/2015

Incident

Method: Phishing
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In February 2015, reports indicated that records for almost 80 million customers were stolen from Anthem, a U.S. healthcare insurer, after attackers deployed a spearphishing email that gave access to ninety of the company’s systems, including its back-end database. The stolen data was taken over the course of several weeks and included personal information, such as social security numbers. A subsequent report by the California Department of Insurance pointed to a national government as the likely culprit for the attack, and suggested the initial breach occurred in February 2014, meaning Anthem was exposed for a year before the compromise was discovered. Anthem ended up settling a lawsuit relating to the data loss for $115 million. Several weeks after the incident was disclosed, fellow insurer Premera Blue Cross announced that around 11 million customer accounts had been compromised by attackers, and rival CareFirst admitted 1.1 million current and former members may have had their information stolen. Some researchers believe the thefts were carried out by the same group. In September 2015, Excellus announced a data loss, with 10 million customers’ data exposed by a breach that initially occurred in December 2013.

Ecuadorian Banco del Austro

January 12

In early 2015, a bank in Ecuador was the first known victim in a series of multimillion dollar heists that used compromised payments systems to then transfer funds over the SWIFT interbank messaging network.

Target

Location: Ecuador
Date Breach First Reported: 1/12/2015

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In early 2015, a bank in Ecuador was the first known victim in a series of multimillion dollar heists that used compromised payments systems to then transfer funds over the SWIFT interbank messaging network. In January 2015, thieves transferred $12 million out of Banco del Austro and routed most of the proceeds to twenty-three companies registered in Hong Kong.

The same method was used in several thefts in the years that followed, including the $81 million Bank of Bangladesh heist in 2016. If an attacker manages to gain access to a bank’s SWIFT terminal, the system can be used to ask other banks to transfer funds. Banco del Austro said it recovered around $2.8 million of the stolen money. The heist came to light in a lawsuit Banco del Austro brought against Wells Fargo, which it alleged had failed to spot red flags when it approved the fraudulent transactions. The litigation was settled in February 2018, but no details were disclosed.

Metel Malware Attack on Russian Banks

January 1

The Metel banking Trojan, which was discovered in 2011, was repurposed by a criminal gang in 2015 to steal directly from bank ATMs and even manipulate the Russian exchange rate.

Target

Location: Russia
Date Breach First Reported: 1/1/2015

Incident

Method: Multiple: malware, phishing and browser vulnerabilities
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

The Metel banking Trojan, which was discovered in 2011, was repurposed by a criminal gang in 2015 to steal directly from bank ATMs and even manipulate the Russian exchange rate. The group used spearphishing emails or browser vulnerabilities to deliver Metel, also known as Corkow, and access the bank’s systems before pivoting into areas that allowed them to roll back ATM transactions. This meant they could withdraw unlimited amounts of money, with the account balance automatically reset after each transaction. Researchers at Kaspersky, who first reported on the operation, said the gang comprised fewer than ten members and had caused no infections outside Russia. In February 2015, Energobank fell victim to a Metel infection that allowed attackers to place some $500 million in currency orders, sending the ruble swinging with extreme volatility between 55 and 66 rubles per dollar for a period of fourteen minutes. However, there is no evidence the attackers profited from the movement. Metel had infected 250,000 devices and more than 100 financial institutions in 2015, according to researchers at Group IB.

2014

Tyupkin ATM Malware

October 7

In October 2014, reports revealed that criminals had written malware to infect Windows-based ATMs and steal millions from machines primarily in Eastern Europe.

Target

Location: Eastern Europe
Date Breach First Reported: 10/7/2014

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In October 2014, reports revealed that criminals had written malware to infect Windows-based ATMs and steal millions from machines primarily in Eastern Europe. The malware, dubbed Tyupkin, was spread by CD, and once installed it lay low, only accepting commands on Sunday and Monday nights. Mules could type in a randomly generated key allowing them to withdraw 40 banknotes. Similar to the Ploutus campaign in Latin America, the Tyupkin group had an organized gang of mules to access the ATMs and collect the money. Eight Romanian and Moldovan nationals were arrested in connection with the scheme in January 2016.

Warsaw Stock Exchange Breach

October 1

In October 2014, a group claiming to be affiliated with the so-called Islamic State hacked the internal networks of the Warsaw Stock Exchange and posted dozens of login credentials for brokers online.

Target

Location: Poland
Date Breach First Reported: 10/1/2014

Incident

Method: Unknown
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In October 2014, a group claiming to be affiliated with the so-called Islamic State hacked the internal networks of the Warsaw Stock Exchange and posted dozens of login credentials for brokers online. The means by which the group gained access to the exchange’s networks are unknown, but they were reportedly able to infiltrate an investment simulator and a web portal for managing the stock exchange’s upgrade to a new trading system, as well as render the exchange’s website unavailable for two hours. The exchange’s employees say that the trading system itself was not breached. NATO officials later indicated privately that they believed that the hacking group’s claim of being affiliated with Islamic militants was a false flag operation, and that in fact the breach was conducted by APT 28, a group widely believed by security researchers to be affiliated with the Russian government.

JPMorgan Chase Data Breach

August 1

In August 2014, the first reports emerged that account information and home addresses for 83 million customers were exposed after attackers stole login credentials from a JPMorgan Chase employee.

Target

Location: United States
Date Breach First Reported: 8/1/2014

Incident

Method: Stolen password
Type: Data breach

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In August 2014, the first reports emerged that account information and home addresses for 83 million customers were exposed after attackers stole login credentials from a JPMorgan Chase employee. The group entered the network through a single-factor authentication server that had not been upgraded with the rest of the firm’s estate, before gaining access to more than ninety bank servers for several months. However, the bank said the attackers had not accessed more sensitive information, such as social security numbers.

JPMorgan discovered the breach after reportedly finding the same group on a website for a charity race that it sponsors. The size of the incident prompted the National Security Agency and the FBI to join the investigation. Other companies targeted in the attacks included Dow Jones, Fidelity, E*Trade, and Scottrade. The U.S. authorities believe the harvested information was used in securities fraud, money laundering, credit-card fraud, and fake pharmaceuticals.

Nine people so far have been charged in the ongoing probe. A Russian national was extradited from Georgia to the United States in September 2018, although he denied that he was the central hacker in the attacks. The federal authorities in New York said the man worked with an international syndicate from 2012 to 2015 to steal customer information, which was used in numerous crimes including a spam email campaign to falsely tout stocks and shares to ramp up the price. In September 2019, he pleaded guilty to six felony charges in connection with the data breach and other cybercrimes, and he faces up to a lifetime in prison.

In January 2017, a Florida man pleaded guilty to charges linked to funds processed through Coin.mx, an unlicensed bitcoin exchange owned by an Israeli who the United States has alleged masterminded the information stealing campaign. The supposed ringleader was extradited to the United States in 2016 and, according to media reports, entered a plea deal with prosecutors.

European Central Bank

July 24

In July 2014, the European Central Bank (ECB) announced that hackers had breached the security of a database holding email addresses and other contact data submitted by people registering for events at the bank.

Target

Location: Eastern Europe, Western Europe
Date Breach First Reported: 7/24/2014

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In July 2014, the European Central Bank (ECB) announced that hackers had breached the security of a database holding email addresses and other contact data submitted by people registering for events at the bank. The ECB said most of the stolen data was encrypted, and no internal systems or sensitive market data had been compromised, as the database was separate from those systems. Approximately 20,000 people had their information exposed in non-encrypted form.

The attack came to light after the supposed perpetrators emailed the ECB demanding a ransom payment on July 21. The bank informed the German police, although no further information is available about the investigation.

Ukrainian Bank Data Breach

July 8

In July 2014, the pro-Russian group called CyberBerkut hacked into PrivatBank, one of Ukraine’s largest commercial banks, and published stolen customer data on VKontakte, a Russian social media website.

Target

Location: Ukraine
Date Breach First Reported: 7/8/2014

Incident

Method: Unknown
Type: Data breach

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In July 2014, the pro-Russian group called CyberBerkut hacked into PrivatBank, one of Ukraine’s largest commercial banks, and published stolen customer data on VKontakte, a Russian social media website. The means by which it gained access to the data is unknown. It is believed that CyberBerkut targeted PrivatBank because the bank’s co-owner, Igor Kolomoisky, had offered a $10,000 bounty for the capture of Russian-backed militants in Ukraine. The group warned PrivatBank customers to transfer their money to state-owned banks. CyberBerkut may have connections to the Russian government, but the relative lack of sophistication of their attacks has led some experts to conclude that official links are unlikely.

2013

People’s Bank of China DDoS Attack

December 19

In December 2013, the People’s Bank of China (PBOC) was bombarded with DDoS traffic that reportedly came from disgruntled bitcoin users who were protesting the country’s ban on the decentralized currency.

Target

Location: China
Date Breach First Reported: 12/19/2013

Incident

Method: DDOS
Type: Disruption

Actor

Type: Unknown
Attribution: Unknown

Description

In December 2013, the People’s Bank of China (PBOC) was bombarded with DDoS traffic that reportedly came from disgruntled bitcoin users who were protesting the country’s ban on the decentralized currency. The week before the attack, PBOC had warned that bitcoin was “not a real currency” and that Chinese institutions would not accept bitcoin deposits. With China the largest source of bitcoin trading at the time, the announcement sent the value of the currency down by around 40 percent. The perpetrators of the DDoS attack have not been publicly identified.

Ploutus Malware

September 1

In September 2013, the malware Ploutus was built to be installed directly on ATMs in order to give an attacker privileged rights, including the ability to dispense cash on demand via SMS or using a keyboard attached to the machine.

Target

Location: Multiple
Date Breach First Reported: 9/1/2013

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In September 2013, the malware Ploutus was built to be installed directly on ATMs in order to give an attacker privileged rights, including the ability to dispense cash on demand via SMS or using a keyboard attached to the machine. The malware has been altered several times to enable its use in new ATM models. Ploutus has resulted in numerous attacks in Mexico and later other countries, including the United States, where in 2018 two men were convicted of installing the malware on cash machines in Connecticut and Rhode Island.

CME Group

July 1

CME Group, which operates the world’s largest futures exchange, announced in November 2013 that its ClearPort clearing service had been compromised in July of that year.

Target

Location: United States
Date Breach First Reported: 7/1/2013

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

CME Group, which operates the world’s largest futures exchange, announced in November 2013 that its ClearPort clearing service had been compromised in July of that year. The firm said some customer information was compromised but that trading was not affected. While large financial firms are generally under no obligation to make data breaches public, the company informed affected customers and announced that it was working with the authorities. The FBI investigated the incident but has released no further information.

Carbanak Malware

June 1

In 2013, the source code for the Carbanak banking Trojan was leaked online. Since then, the malware has been used by several gangs to steal from dozens of financial institutions.

Target

Location: United States, Russia, Taiwan, Australia
Date Breach First Reported: 6/1/2013

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: Speculated

Description

In 2013, the source code for the Carbanak banking Trojan was leaked online. Since then, the malware has been used by several gangs to steal from dozens of financial institutions. The attack strategies have changed many times in order to avoid detection.

The malware is often pushed into financial companies by luring employees to click malicious documents, which provide the attackers a foothold to move across the network to remotely manipulate ATMs, known as “jackpotting,” or to compromise point-of-sale data. The gangs planned each theft carefully, taking between two and four months to complete each intrusion, ultimately using mules to withdraw the funds from ATMs and transfer them to the criminals’ accounts.

Fin7, the most prolific group using Carbanak, has stolen more than €1 billion from banks in more than thirty countries over the past three years, according to Europol. As well as using Carbanak, the gang is understood to use widely available tools such as the Cobalt Strike framework. The group recruited developers to work for an Israeli-Russian front company named Combi Security, and it is not clear whether the employees knew the nature of the work.

The authorities arrested a man thought to be the gang’s ringleader in Spain in March 2018, while in August the U.S. Department of Justice arrested three Ukrainian suspects. The United States claims the group stole the details of 15 million payment cards by attacking more than 120 U.S. companies, including the Chipotle and Arby’s restaurant chains.

Another Trojan, which is named Odinaff and bears a resemblance to Carbanak, was spotted attacking banking, trading, and payroll companies in 2016. It is unclear whether this is the work of Fin7 or another gang. While Fin7 appears to have gone quiet, it is unclear whether this is because activity stopped following the arrests or its techniques have changed again.

South Korea Attacked III

March 20

In March 2013, almost exactly two years since the last DDoS attack on South Korea, the Shinhan, Nonghyup, and Jeju banks were targeted by a Trojan that deleted data and disrupted ATMs, online banking, and mobile payments.

Target

Location: South Korea
Date Breach First Reported: 3/20/2013

Incident

Method: Diskwiping
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In March 2013, almost exactly two years since the last DDoS attack on South Korea, the Shinhan, Nonghyup, and Jeju banks were targeted by a Trojan that deleted data and disrupted ATMs, online banking, and mobile payments. Trojan.Jokra was used to wipe disks, but the attack varied from its predecessors in that it did not include a DDoS attack. After six months of attacks, South Korean politicians said this wave cost the country almost $650 million in economic damage, making it far larger than the two previous campaigns. The incident was attributed by some to the DarkSeoul gang, a threat actor linked to the North Korean regime that would later be tied to the Sony breach in 2014.

Bank of the West DDoS Attack

February 19

On Christmas Eve 2013, Bank of the West was the victim of a DDoS attack used to disguise $900,000 in fraudulent transfers out of accounts belonging to Ascent Builders, a Californian construction firm.

Target

Location: United States
Date Breach First Reported: 2/19/2013

Incident

Method: Multiple
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

On Christmas Eve 2013, Bank of the West was the victim of a DDoS attack used to disguise $900,000 in fraudulent transfers out of accounts belonging to Ascent Builders, a Californian construction firm. The perpetrators made fraudulent, automated clearinghouse and wire transfers before they knocked the bank’s website offline. A network of more than sixty mules was reportedly used to transfer the money into criminal accounts, making the funds more difficult to trace.

2012

Operation Ababil

September 18

In September 2012, a group called the Cyber Fighters of Izz ad-Din al-Qassam launched several waves of DDoS attacks against U.S. financial institutions.

Target

Location: United States
Date Breach First Reported: 9/18/2012

Incident

Method: DDOS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In September 2012, a group called the Cyber Fighters of Izz ad-Din al-Qassam launched several waves of DDoS attacks against U.S. financial institutions. Naming the campaign Operation Ababil, the group justified their attacks as retribution for an anti-Islam video released by the U.S. pastor Terry Jones. The attacks were powerful, sending 100 gigabits per second of data to the victim sites, prompting claims that this was beyond the capabilities of a hacktivist group. Some reports said the group had ties to Anonymous, while others made links to the Iranian government—however, the group claimed it acted independently. The campaign launched two additional waves of attacks on December 10, 2012, and March 5, 2013.

Operation High Roller

June 25

In June 2012, U.S. security researchers uncovered a fraud ring attempting to execute high-value transactions worth between €60 million and €2 billion by using a customized Trojan spyware tool.

Target

Location: United States, Colombia
Date Breach First Reported: 6/25/2012

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In June 2012, U.S. security researchers uncovered a fraud ring attempting to execute high-value transactions worth between €60 million and €2 billion by using a customized Trojan spyware tool. Operation High Roller, as it was named by the researchers who uncovered it, was the first gang to automate many of the steps in fraudulent transactions. The malware automatically checked balances, found active mule accounts that could receive stolen funds, and deleted emails confirming transfers. It also managed to bypass two-factor authentication and ran its command servers in the cloud. Its targets were chiefly high-balance bank accounts in Europe. U.S. authorities indicted two men, a Russian and an Albanian, who authored the original SpyEye Trojan in 2011, which was subsequently used during the operation.

Shanghai Composite Index Suspected Manipulation

June 4

In June 2012, the Shanghai Composite Index saw a severe drop on the anniversary of the Tiananmen Square massacre of 1989.

Target

Location: China
Date Breach First Reported: 6/4/2012

Incident

Method: Unknown
Type: Multiple

Actor

Type: Unknown
Attribution: Unknown

Description

In June 2012, the Shanghai Composite Index saw a severe drop on the anniversary of the Tiananmen Square massacre of 1989. While there is no confirmation of any wrongdoing in this case, the Shanghai Composite Index opened at 2,346.98 and fell exactly 64.89 points, matching the date of the incident (June 4, 1989). This led to widespread but unproven speculation about a protest hack that had manipulated trading that day. The Chinese censors blocked online references to the Shanghai Composite Index and several other terms on the anniversary.

Iranian Banking Data Breaches

April 16

In April 2012, a security researcher, Khosrow Zarefarid, dumped online the names, card numbers, and PINs of 3 million people across twenty-two Iranian banks after his reports on vulnerabilities were ignored by the companies involved.

Target

Location: Iran
Date Breach First Reported: 4/16/2012

Incident

Method: Other
Type: Data breach

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In April 2012, a security researcher, Khosrow Zarefarid, dumped online the names, card numbers, and PINs of 3 million people across twenty-two Iranian banks after his reports on vulnerabilities were ignored by the companies involved. However, no funds were stolen in the breach. Google took down the blog containing the information, and the banks urged customers to change their PINs. Zarefarid maintained that he was a whistleblower rather than a hacker.

U.S. Financial Exchange DDoS Attacks

February 1

In February 2012, financial exchange operators Nasdaq, CBOE, and BATS were hit by DDoS attacks for several days, resulting in patchy access to company websites but with no disruptions to trading.

Target

Location: United States
Date Breach First Reported: 2/1/2012

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In February 2012, financial exchange operators Nasdaq, CBOE, and BATS were hit by DDoS attacks for several days, resulting in patchy access to company websites but with no disruptions to trading. The activist group Anonymous claimed responsibility for the incident, saying it acted out of sympathy for the Occupy Wall Street protests in New York.

Brazil Banks DDoS Attacks

January 30

In January 2012, the hacktivist collective Anonymous used DDoS attacks to bring down numerous Brazilian banking websites to protest corruption and inequality in the country.

Target

Location: Brazil
Date Breach First Reported: 1/30/2012

Incident

Method: DDOS
Type: Disruption

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In January 2012, the hacktivist collective Anonymous used DDoS attacks to bring down numerous Brazilian banking websites to protest corruption and inequality in the country. Banco do Brasil, Itaú Unibanco, Citibank, and Bradesco were among those affected by the #OpWeeksPayment campaign. The attackers reprised their campaign around the World Cup in 2014, which Brazil hosted.

Brazilian Payments System Attack

January 1

From 2012 to 2014, Boleto Bancario, a payments system used for almost half of non-cash transactions in Brazil, was targeted by malware that manipulated the victim’s browser to reroute payments to attacker-controlled accounts.

Target

Location: Brazil
Date Breach First Reported: 1/1/2012

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

From 2012 to 2014, Boleto Bancario, a payments system used for almost half of non-cash transactions in Brazil, was targeted by malware that manipulated the victim’s browser to reroute payments to attacker-controlled accounts. The technique compromised $3.75 billion in payments within a two-year period, using several different versions of malware including Eupuds, Boleteiro, and Domingo, according to researchers at RSA. The unidentified gang responsible later changed its “bolware” strategy to introduce DNS poisoning as a means to install the malware, lessening the need for spam emails to spread the malware.

2011

Citigroup Data Theft

June 8

In June 2011, Citigroup announced that 360,000 card details in the United States were exposed after attackers exploited a URL vulnerability that allowed them to hop between accounts by slightly changing the website address.

Target

Location: United States
Date Breach First Reported: 6/8/2011

Incident

Method: Other
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In June 2011, Citigroup announced that 360,000 card details in the United States were exposed after attackers exploited a URL vulnerability that allowed them to hop between accounts by slightly changing the website address. The attackers reportedly created a script that would repeat this action tens of thousands of times in order to harvest the information before they were detected by a routine check in early May. The attackers stole names, account numbers, and contact information but were not able to access the card security codes needed to clone the cards, Citigroup said. The bank later settled lawsuits with the states of California and Connecticut over the breach. The website vulnerability had been present as early as 2008, according to Connecticut authorities.

Global Payments Breach

June 1

In June 2011, bank and retail payment processor Global Payments was hit by a major data breach.

Target

Location: United States
Date Breach First Reported: 6/1/2011

Incident

Method: Unknown
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In June 2011, bank and retail payment processor Global Payments was hit by a major data breach. The company said unknown attackers had stolen the details of around 1.5 million cards from a handful of servers, with enough information to counterfeit the cards although not customer names or addresses. Details of the intrusion remain scarce, although Vons supermarkets said it detected compromised prepaid credit cards around the same time that appeared related to the Global Payments breach. The incident prompted Mastercard and Visa to warn card-issuing banks about the potential fraud.

South Korea Attacked II

March 1

In March 2011, South Korea was hit by a widespread DDoS attack, almost two years after a similar campaign in 2009.

Target

Location: South Korea
Date Breach First Reported: 3/1/2011

Incident

Method: DDoS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In March 2011, South Korea was hit by a widespread DDoS attack, almost two years after a similar campaign in 2009. Targets included Hana Bank, Jeil Bank, and Woori Bank as well as government websites and the network of U.S. Forces Korea. The Koredos Trojan used in the attack also wiped the disks of the compromised computers that took part in it, destroying evidence of the operation. North Korea is speculated to be behind the ten-day incident.

Multinational Prepaid Card Heist

February 27

In February 2011, a criminal gang breached at least three payment processors to take card information during a $55 million stealing spree.

Target

Location: Multiple
Date Breach First Reported: 2/27/2011

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In February 2011, a criminal gang breached at least three payment processors to take card information during a $55 million stealing spree. Once inside the processors’ networks, the gang used administrator privileges to steal card and PIN details and lift withdrawal limits. The U.S. authorities said the gang then sent the data to “cashing crews” worldwide, who used it to clone cards. The mules withdrew $10 million through 15,000 fraudulent ATM withdrawals in eighteen countries over the course of a weekend. The American Red Cross had distributed the original prepaid cards to disaster victims.

The gang’s second operation resulted in $5 million in withdrawals in twenty countries. In February 2013, the gang carried out its third and largest operation, taking just hours to withdraw $40 million from twenty-four countries.

A Turkish man named as the gang’s leader, Ercan Findikoglu, was jailed for eight years in the United States in 2017 after extradition from Germany. He has also been convicted in Turkey for conspiring to produce fake cards—with a nineteen-and-a-half-year sentence he is expected to serve upon release in the United States. Three other men were jailed in 2014.

Iranian DDoS Attacks on U.S. Banks

January 1

On March 24, 2016, the United States unsealed an indictment of seven Iranians allegedly responsible for the DDoS attacks targeting U.S. financial institutions across a two-year period on behalf of the Iranian government and Islamic Revolutionary Guard Corps.

Target

Location: United States
Date Breach First Reported: 1/1/2011

Incident

Method: DDoS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

On March 24, 2016, the United States unsealed an indictment of seven Iranians allegedly responsible for the DDoS attacks targeting U.S. financial institutions across a two-year period on behalf of the Iranian government and Islamic Revolutionary Guard Corps. The indictment followed the landmark international deal to limit Iran's nuclear capabilities in July 2015. Forty-six financial organizations were targeted on 176 separate days between December 2011 and mid-2013, the indictment said. The victims, which included Bank of America, the New York Stock Exchange, and Capital One, spent tens of millions of dollars to counteract the attacks, which at their height were occurring on a near-weekly basis.

The seven men were accused of managing several botnets consisting of thousands of compromised computers that sent malicious traffic to victim websites, blocking access for legitimate users. They built the botnets by exploiting a known vulnerability in a popular content management system to install malware on web servers. The men worked for two private computer security companies in Iran that allegedly performed tasks for the government. Several were also accused of belonging to hacking groups that claimed responsibility for attacks on NASA in February 2012.

The political fallout from the attack was far-reaching. The U.S. Treasury Department imposed sanctions against eleven individuals and organizations in September 2017 over their links to Iran, some of whom were accused of participating in the DDoS attack. Meanwhile, U.S. President Donald Trump announced the United States’ withdrawal from the Iran nuclear deal in May 2018.

Lebanese Banks Espionage Operation

January 1

Beginning in 2011, a virus named Gauss was used to steal inside information from multiple Lebanese banks.

Target

Location: Lebanon
Date Breach First Reported: 1/1/2011

Incident

Method: Malware
Type: Espionage

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

Beginning in 2011, a virus named Gauss was used to steal inside information from multiple Lebanese banks. Gauss, which bore resemblances to the Flame and Stuxnet malware and was publicly identified by Kaspersky in 2012, stole passwords, online banking credentials, and browser cookies from infected devices. Most of the roughly 2,500 infections detected by Kaspersky's researchers were on personal computers in Lebanon. News outlets have speculated that this surveillance tool was designed by the U.S. and Israeli governments to circumvent Lebanon's strict banking secrecy laws, which have made it difficult for foreign authorities to obtain information about suspected wrongdoing. These speculations were fueled by the U.S. Treasury's February 2011 finding that the Lebanese Canadian Bank had laundered money for a Mexican drug ring with links to Hezbollah.

2010

U.S. Federal Reserve Bank of Cleveland Breach

November 19

On October 21, 2010, a Malaysian national was arrested by the Secret Service for hacking into the Federal Reserve Bank of Cleveland and a range of other U.S. firms.

Target

Location: United States
Date Breach First Reported: 11/19/2010

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On October 21, 2010, a Malaysian national was arrested by the Secret Service for hacking into the Federal Reserve Bank of Cleveland and a range of other U.S. firms. He had stolen more than 400,000 credit and debit card numbers. The Federal Reserve said none of its production data was accessed and that the hacker had only reached test computers, but the intrusion nevertheless caused thousands of dollars in damage. Several other organizations, including FedComp, a data processor for federal credit unions, were breached. The Malaysian national was jailed for ten years for running the scheme. The U.S. central banking system is a prominent target for attackers: records obtained by Reuters showed that the Federal Reserve's Washington-based Board of Governors detected more than fifty breaches between 2011 and 2015.

Nasdaq Intrusion

October 1

In October 2010, the FBI detected an intrusion on servers used by financial markets operator Nasdaq.

Target

Location: United States
Date Breach First Reported: 10/1/2010

Incident

Method: Malware
Type: Data breach, disruption

Actor

Type: Multiple
Attribution: Speculated

Description

In October 2010, the FBI detected an intrusion on servers used by financial markets operator Nasdaq. Further investigation by several U.S. agencies found that the hackers had been in the network for around a year. They had used two zero-day exploits to build their presence in the stock exchange's network and planted malware on the Directors Desk system, where directors of publicly held companies share confidential information. Nasdaq said no data was taken, and there was reportedly no evidence of suspicious trades based on information in the system. The malware also included a destructive capability, but it is unclear whether disruption was a goal or simply a tool the attackers might use to cover their tracks. At the same time, a criminal group penetrated Nasdaq in an incident that some investigators believed was linked. In 2013, following a sprawling investigation, the United States charged four Russians and a Ukrainian with a string of online break-ins at Nasdaq and other companies dating back to 2005. Carrefour, 7-Eleven, Heartland Payment Systems, and JC Penney were among their other targets, together losing $300 million as a result of the scheme. The Heartland breach alone exposed more than 100 million payment cards and ultimately cost the firm $12 million in fines and fees.

The gang was said to have found a vulnerability in the password-reminder page of the Nasdaq site that enabled it to steal information, including hashed passwords, from the firm’s SQL servers.

Two men were jailed in 2018 for twelve years and four years, respectively, for their roles in the gang. The pair helped steal more than 160 million credit card numbers from the companies they breached, according to U.S. prosecutors, using techniques such as "war-driving," or traveling with a laptop to pick up the signal from unsecured wireless networks. These details were sold via middlemen to "cashers," who used the information to create cloned cards. Albert Gonzalez, an American known online as Soupnazi, was sentenced in 2010 to twenty years in prison. The other indicted men are still at large.

PNC Bank ATM Skimming

April 15

In mid-2010, it was reported that over $200,000 in fraudulent transactions took place in New York and Washington, DC.

Target

Location: United States
Date Breach First Reported: 4/15/2010

Incident

Method: Other
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In mid-2010, it was reported that over $200,000 in fraudulent transactions took place in New York and Washington, DC. The transactions were traced back to accounts compromised at skimmer-equipped ATMs, and to withdrawals, in Pittsburgh. Two Romanians were jailed for bank fraud, access device fraud, and aggravated identity theft. While this was one of the first widely reported instances of ATM skimming for card details in the United States, the technique was already widespread in Eastern Europe.

Charles Schwab Hack

April 7

In mid-2010, a Russian national based in New York was jailed for three years for stealing and laundering more than $246,000 through Charles Schwab brokerage accounts in 2006.

Target

Location: United States
Date Breach First Reported: 4/7/2010

Incident

Method: Keylogging
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In mid-2010, a Russian national based in New York was jailed for three years for stealing and laundering more than $246,000 through Charles Schwab brokerage accounts in 2006. The hacker accessed the accounts through a keylogging Trojan, which captured the information of 180 credit cards. The hacker and his accomplices sent a portion of the proceeds back to co-conspirators in Russia, according to the FBI.

Bank of America ATM Fraud

April 1

In 2010, a Bank of America employee was charged with computer fraud after installing malware on 100 ATMs to steal $304,000 over seven months, in an early example of ATM “jackpotting.”

Target

Location: United States
Date Breach First Reported: 4/1/2010

Incident

Method: Other
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In 2010, a Bank of America employee was charged with computer fraud after installing malware on 100 ATMs to steal $304,000 over seven months, in an early example of ATM "jackpotting." The man was jailed for twenty-seven months after admitting to writing code that ordered the ATMs to dispense cash without recording a transaction. He collected the cash over those seven months, stopping in October 2009 when Bank of America's internal control systems spotted the suspicious activity.
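The control that catches this class of fraud is reconciliation: cash the dispenser hardware reports paying out must be explained by completed withdrawals in the transaction journal, and a dispense with no record shows up as a gap. The following is an added example, not Bank of America's control system; the ATM ids, journal layout and counter values are constructed, and the assumption that the dispenser exposes a per-period notes-paid counter is the author's, not the page's.

```python
"""Added example (not Bank of America's code): reconcile cash the dispenser
reports paying out against completed withdrawals in the transaction journal.
ATM ids, journal entries, counters and the field layout are constructed."""
from collections import defaultdict


def reconcile(journal, dispenser_counters, tolerance: int = 0):
    """Return {atm: unexplained_cash} for every ATM whose hardware paid out
    more than the journal records.  `tolerance` absorbs known rounding or
    retract-and-recount noise; anything above it is a finding."""
    recorded = defaultdict(int)
    for entry in journal:
        # Only completed withdrawals move cash; declined or reversed ones do not.
        if entry["type"] == "withdrawal" and entry["status"] == "completed":
            recorded[entry["atm"]] += entry["amount"]
    findings = {}
    for atm, dispensed in dispenser_counters.items():
        gap = dispensed - recorded.get(atm, 0)
        if gap > tolerance:
            findings[atm] = gap
    return findings


# Constructed data: ATM-01 balances; ATM-02 paid out $600 that no journal entry covers.
JOURNAL = [
    {"atm": "ATM-01", "type": "withdrawal", "amount": 200, "status": "completed"},
    {"atm": "ATM-01", "type": "withdrawal", "amount": 100, "status": "completed"},
    {"atm": "ATM-01", "type": "withdrawal", "amount": 300, "status": "declined"},
    {"atm": "ATM-02", "type": "withdrawal", "amount": 400, "status": "completed"},
    {"atm": "ATM-02", "type": "balance_inquiry", "amount": 0, "status": "completed"},
]
DISPENSER_COUNTERS = {"ATM-01": 300, "ATM-02": 1000}

if __name__ == "__main__":
    print(reconcile(JOURNAL, DISPENSER_COUNTERS))   # {'ATM-02': 600}
```

The counter has to come from the dispenser itself, not from the same host software the insider controlled; malware that suppresses the journal entry can equally forge a host-side count, which is why the check is only as good as the independence of its second source.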

National City Bank Breach

March 18

In early 2010, National City Bank identified a number of former debit accounts that had been compromised.

Target

Location: United States
Date Breach First Reported: 3/18/2010

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In early 2010, National City Bank identified a number of former debit accounts that had been compromised. The breach was only discovered after PNC Financial Services acquired the bank in 2008, highlighting the importance of assessing cybersecurity during large mergers and acquisitions. While the new owners announced the breach, they did not reveal the number of customers affected or the amount of money stolen.

Morgan Stanley Break-In

February 28

Morgan Stanley detected a very sensitive network break-in that lasted six months in 2009, according to leaked emails.

Target

Location: United States
Date Breach First Reported: 2/28/2010

Incident

Method: Unknown
Type: Data breach, theft

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

Morgan Stanley detected a very sensitive network break-in that lasted six months in 2009, according to leaked emails. The bank believed the incident was part of Operation Aurora, carried out by the same state-sponsored attackers that targeted Google, Rackspace, Northrop Grumman, and Yahoo that same year.

Latvian Bank Leak

February 24

In early 2010, a hacker leaked financial details of banks, tax records, and state-owned firms to a TV station, to raise public awareness of lucrative public sector salaries during a period of austerity in Latvia.

Target

Location: Latvia
Date Breach First Reported: 2/24/2010

Incident

Method: Unknown
Type: Data breach

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In early 2010, a hacker leaked financial details of banks, tax records, and state-owned firms to a TV station, to raise public awareness of lucrative public sector salaries during a period of austerity in Latvia. Ilmars Poikans, an IT researcher who used the alias Neo, was arrested shortly afterward and sentenced in 2015 to community service for accessing 7.5 million tax records. He was pardoned in December 2017.

2009

South Korea and United States Attacked

July 4

In July 2009, financial institutions in the United States and South Korea were among several targets of a widespread DDoS attack.

Target

Location: United States and South Korea
Date Breach First Reported: 7/4/2009

Incident

Method: DDoS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

In July 2009, financial institutions in the United States and South Korea were among several targets of a widespread DDoS attack. The incident, which began over a U.S. holiday weekend, comprised three waves of attacks spanning six days. The botnet of up to 65,000 compromised computers blocked and slowed government and commercial websites for several hours at a time. The New York Stock Exchange website was reportedly affected, as were those of the Nasdaq, the White House, and the Washington Post. Several days later, the sites of Shinhan Bank, the newspaper Chosun Ilbo, and the National Assembly were hit in South Korea. In total, around thirty-five sites were targeted. Researchers estimated that the botnet generated 23 megabits of traffic per second, not enough to cause long-lasting disruption to the targeted sites. The malware spread through email and carried a time bomb set to trigger on July 10, when it overwrote the beginning of the victim's hard drive with the repeated string "Memory of the Independence Day." This destroyed the master boot record and made the device unbootable. While no one was publicly attributed to the attack, South Korean intelligence suspected it was the work of a specific criminal or state-sponsored organization.
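A responder triaging machines after a wiper like the one above wants a fast answer from the first sector of each disk image: is the 0x55AA boot signature still there, does the partition table still look like one, and does the sector carry the wiper's marker string. The following is an added example and not analysis code from the page's sources; the two 512-byte sector images it checks are constructed stand-ins for a healthy MBR and an overwritten one.

```python
"""Added example (not from the page's sources): classify sector 0 of a disk
image as intact, unbootable or wiped by the marker string described above.
Both sample sectors are constructed in code; no real image is read."""

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"                       # bytes 510..511 of a valid MBR
WIPER_MARKER = b"Memory of the Independence Day"   # string the wiper repeats over the disk
PARTITION_TABLE = slice(0x1BE, 0x1FE)              # four 16-byte entries


def classify_sector0(image: bytes) -> dict:
    """Return the facts a responder wants about the first sector of `image`."""
    if len(image) < SECTOR_SIZE:
        raise ValueError("need at least one full 512-byte sector")
    first = image[:SECTOR_SIZE]
    has_signature = first[510:512] == BOOT_SIGNATURE
    marker_hits = first.count(WIPER_MARKER)
    # Each partition entry starts with a status byte that is 0x00 (inactive) or 0x80 (bootable).
    table = first[PARTITION_TABLE]
    table_sane = all(table[i] in (0x00, 0x80) for i in range(0, 64, 16))
    if marker_hits:
        verdict = "wiped"
    elif not has_signature or not table_sane:
        verdict = "unbootable"
    else:
        verdict = "intact"
    return {
        "boot_signature": has_signature,
        "partition_table_sane": table_sane,
        "wiper_marker_hits": marker_hits,
        "verdict": verdict,
    }


def build_clean_mbr() -> bytes:
    """Constructed healthy MBR: filler boot code, one active NTFS-type partition, signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(0x1BE, b"\x00")
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07]) + b"\x00" * 11   # status 0x80, type 0x07
    table = entry + b"\x00" * 48                                    # three empty entries
    return boot_code + table + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed overwritten sector: the marker string repeated to fill 512 bytes."""
    repeats = SECTOR_SIZE // len(WIPER_MARKER) + 1
    return (WIPER_MARKER * repeats)[:SECTOR_SIZE]


if __name__ == "__main__":
    for name, image in (("clean", build_clean_mbr()), ("wiped", build_wiped_mbr())):
        print(name, classify_sector0(image))
```

On a real image, read the first 512 bytes of the raw device or E01-exported image and pass them in; the marker check is specific to this family, while the signature and partition-table checks catch any MBR overwrite regardless of what it was overwritten with.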

Zeus Malware Attacks

March 1

Between 2007 and 2011, a Trojan malware known as Zeus was used in numerous criminal operations to steal data on Windows devices.

Target

Location: N/A
Date Breach First Reported: 3/1/2009

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

Between 2007 and 2011, a Trojan malware known as Zeus was used in numerous criminal operations to steal data on Windows devices. Zeus was widely traded on criminal forums as a way to harvest online credentials. Its source code was made public in 2011 after its purported creator announced his retirement, which allowed multiple versions to spread. The Trojan included a keylogger that recorded bank login credentials and a botnet that executed attacks using infected devices.

In March 2009, a security firm discovered an online data trove of stolen information from 160,000 computers infected by Zeus malware, including devices at Metro City Bank. A criminal gang also used Zeus in a global scheme to wire millions of dollars from five banks to overseas accounts, according to U.S. and UK officials who made more than 100 arrests in October 2010. The gang recruited mules to launder the stolen funds and withdraw money from ATMs around the world.

The variant Gameover Zeus was controlled by a group of hackers in Russia and Ukraine from October 2011 onward, according to the FBI. Among its many uses was as a platform to infect systems with Cryptolocker ransomware. Operation Tovar, an international law enforcement effort in June 2014, resulted in the seizure of key Gameover Zeus infrastructure and the release of up to 1 million victim machines from the botnet. The authorities believe the gang stole more than $100 million. The Russian man accused of authoring both Zeus and Gameover Zeus remains at large.

Skimer ATM Malware Attack

March 1

In 2009, security researchers discovered Skimer, an advanced multifunctional malware employed in several ATM heists across the world.

Target

Location: Multiple
Date Breach First Reported: 3/1/2009

Incident

Method: Malware
Type: Theft

Actor

Type: Unknown
Attribution: Unknown

Description

In 2009, security researchers discovered Skimer, an advanced multifunctional malware employed in several ATM heists across the world. Skimer is capable of executing over twenty malicious commands, including dispensing ATM funds and collecting customer information such as bank account numbers and payment card PINs. To install Skimer, attackers needed physical or network access to the ATM in order to plant a backdoor in its Windows operating system. The malware could then silently siphon card numbers and customer information for later use in fraudulent transactions. Once the correct activation details were entered on the ATM PIN pad, Skimer presented the attackers with a control panel for executing commands, from cashing out the ATM to deleting traces of the infection from the system. The malware has continued to evolve, with later variants still in use around the world.

2008

RBS WorldPay Hack

November 1

Toward the end of 2008, Atlanta-based credit card processing company RBS WorldPay was breached by an international crime ring.

Target

Location: United States
Date Breach First Reported: 11/1/2008

Incident

Method: Multiple
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

Toward the end of 2008, Atlanta-based credit card processing company RBS WorldPay was breached by an international crime ring. The group used sophisticated hacking techniques to defeat the encryption RBS WorldPay used to protect customer data on payroll debit cards. Once past it, the group created counterfeit payroll debit cards and raised their withdrawal limits. The group employed a network of individuals to use the cards to withdraw over $9 million from more than 2,100 ATMs in at least 280 cities worldwide. The investigation of the incident identified over 1.5 million customers whose confidential information was compromised. Individuals in Russia, Moldova, Nigeria, and Estonia were indicted over the hack in 2009. To date, U.S. authorities have charged fourteen men.

United Arab Emirates ATM Fraud

September 9

In September 2008, six banks in the UAE alerted customers to change their PINs after concerns over a spike in ATM fraud in the region.

Target

Location: Middle East
Date Breach First Reported: 9/9/2008

Incident

Method: Unknown
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

In September 2008, six banks in the UAE alerted customers to change their PINs after concerns over a spike in ATM fraud in the region. HSBC, one of the affected banks, said the move was in response to counterfeit ATM card usage from abroad, highlighting an early case of financial attacks operating on an international scale.

Russian Cyber Attacks on Georgia

July 20

Between July and August, Georgia became the victim of a coordinated defacement and DDoS campaign that disrupted government and bank websites during the lead up to a war with Russia.

Target

Location: Georgia
Date Breach First Reported: 7/20/2008

Incident

Method: Multiple
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: High confidence

Description

Between July and August, Georgia became the victim of a coordinated defacement and DDoS campaign that disrupted government and bank websites during the lead up to a war with Russia. The first incident occurred on July 20, when the website of then Georgian president Mikheil Saakashvili was disrupted by a DDoS attack, just weeks before Russia invaded the country. The DDoS attack was directed using a strain of Pinch malware frequently used in Russia, which flooded websites with traffic that included the phrase “win love in Russia.”

During the war itself, which took place from August 7 to 12, 2008, numerous Georgian government and media sites were defaced and disrupted, including the president's website, which was defaced with images of Saakashvili next to Hitler. The only impact on the financial sector throughout this campaign was the defacement of the National Bank of Georgia's website. A group calling itself the South Ossetia Hack Crew claimed responsibility for the attacks. Georgia would later attribute the attack to the Russian government, which denied the allegations.

HSBC Insider Fraud

July 7

On April 18, a clerk at HSBC’s headquarters in London fraudulently wired €90 million to accounts in Manchester and Morocco.

Target

Location: United Kingdom
Date Breach First Reported: 7/7/2008

Incident

Method: Other
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On April 18, a clerk at HSBC's headquarters in London fraudulently wired €90 million to accounts in Manchester and Morocco. The employee used passwords stolen from colleagues to execute two transactions on a Friday afternoon. He was caught because he failed to cover his tracks in the originating accounts, a discrepancy that HSBC staff in Malaysia spotted over the weekend. He was jailed for nine years, and the money was returned to its owners. Investigators in the UK would later uncover the gang that masterminded the fraud.

Citibank ATM Theft

July 1

In early 2008, a Russian hacking ring stole $2 million after penetrating a network of Citibank-affiliated ATMs across New York City.

Target

Location: United States
Date Breach First Reported: 7/1/2008

Incident

Method: Malware
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In early 2008, a Russian hacking ring stole $2 million after penetrating a network of Citibank-affiliated ATMs across New York City. The group gained access to a server that processed ATM withdrawals within 7-Eleven stores. This enabled them to steal debit card numbers and PINs from 2,200 machines, which they used to withdraw the $2 million. Three members of the group were arrested and pleaded guilty to numerous counts of fraud and conspiracy later that year. Investigators later linked this theft to a global network of hackers that had stolen card information as early as 2005. A hacker identified as the ringleader by authorities was jailed in 2010. He would also be linked to the Nasdaq intrusion two years later.

Société Générale Rogue Trader

January 1

In January 2008, a junior trader at the French bank Société Générale executed fraudulent transactions to cover up $7.2 billion in losses from risky futures trades.

Target

Location: France
Date Breach First Reported: 1/1/2008

Incident

Method: Insider threat
Type: Theft

Actor

Type: Nonstate actor
Attribution: High confidence

Description

In January 2008, a junior trader at the French bank Société Générale executed fraudulent transactions to cover up $7.2 billion in losses from risky futures trades. The rogue trader hid his losses by booking fake offsetting trades on colleagues’ accounts and using knowledge from his previous role in the back office to alter internal risk controls so he would not trigger internal alerts. At one point, the portfolio of unauthorized trades was worth over €50 billion, approximately the same value as the entire firm. The employee was arrested and sentenced to three years in prison in 2010. The bank suffered one of the biggest trading losses on record due to the incident, and the French banking regulator imposed a $6 million penalty for its lax controls.

2007

DA Davidson Data Breach

December 25

On December 25–26, 2007, confidential information on 192,000 customers was stolen from financial services holding company DA Davidson.

Target

Location: United States
Date Breach First Reported: 12/25/2007

Incident

Method: SQL injection
Type: Data breach

Actor

Type: Nonstate actor
Attribution: High confidence

Description

On December 25–26, 2007, confidential information on 192,000 customers was stolen from financial services holding company DA Davidson. Attackers used a SQL injection attack against the brokerage's website over the Christmas holiday to pull customer records from its database. The breach was discovered only after the perpetrators attempted to blackmail the firm several weeks later. The U.S. Secret Service launched an investigation that identified four suspects, three of whom were Latvian nationals, who were extradited from the Netherlands to face charges in the United States. Following the breach, the Financial Industry Regulatory Authority fined DA Davidson $375,000 for its failure to protect confidential customer information.
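Both the DA Davidson breach above and the Nasdaq password-reminder page described earlier in the 2010 entry turn on the same bug: user input spliced into SQL text. The following is an added example, not code from either firm or their attackers, using Python's bundled sqlite3 driver. It shows a password-reminder lookup written by string concatenation, the parameterised version, and the single input that makes the first return every row (hashed passwords included) and the second return nothing. The table, rows and hashes are constructed in memory.

```python
"""Added example (not Nasdaq's or DA Davidson's code): a password-reminder
lookup vulnerable to SQL injection beside its parameterised replacement.
The customer table, rows and hashes are constructed in an in-memory database."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed customer table with salted password hashes (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT PRIMARY KEY, hint TEXT, pw_hash TEXT)"
    )
    rows = [
        ("alice@example.test", "first pet", hashlib.sha256(b"salt1|alice-pw").hexdigest()),
        ("bob@example.test", "mother's maiden name", hashlib.sha256(b"salt2|bob-pw").hexdigest()),
        ("carol@example.test", "city of birth", hashlib.sha256(b"salt3|carol-pw").hexdigest()),
    ]
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", rows)
    return conn


def reminder_vulnerable(conn: sqlite3.Connection, email: str):
    """The bug: the value is pasted into the SQL text, so a quote in it rewrites the query.
    It also selects pw_hash, which a reminder page never needs."""
    sql = f"SELECT email, hint, pw_hash FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def reminder_hardened(conn: sqlite3.Connection, email: str):
    """Parameterised: the driver binds the value, so it can never become SQL syntax.
    The column list is also cut down to what the page actually displays."""
    sql = "SELECT email, hint FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload: closes the string literal, then makes WHERE always true,
# turning a one-row lookup into a dump of the whole table.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(reminder_vulnerable(conn, "alice@example.test"))
    print(len(reminder_vulnerable(conn, PAYLOAD)), "rows dumped, hashes included")
    print(reminder_hardened(conn, PAYLOAD))   # []
```

Two things fixed the hole, and both matter: binding the parameter stops the query from being rewritten, and trimming the column list means that even a future injection elsewhere in the page cannot hand back password hashes through this path.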

TD Ameritrade Data Breach

September 14

On September 14, 2007, online brokerage firm TD Ameritrade revealed that its database was the target of a data breach that led to the theft of 6.3 million customer account records.

Target

Location: United States
Date Breach First Reported: 9/14/2007

Incident

Method: Phishing
Type: Data breach

Actor

Type: Unknown
Attribution: Unknown

Description

On September 14, 2007, online brokerage firm TD Ameritrade revealed that its database had been the target of a data breach that led to the theft of 6.3 million customer account records. The attackers gained access to Ameritrade's database via investment-themed phishing emails. According to Ameritrade, more sensitive data in the database, such as social security numbers, was not accessed during the breach. No identity theft was detected in the aftermath of the breach, although customers did report receiving spam emails. The FBI and U.S. financial regulators investigated the incident, but no arrests were reported. On September 13, 2011, TD Ameritrade agreed to pay customers $6.5 million to settle a class action suit relating to the breach.

Estonian DDoS Attacks

April 26

Following the contentious relocation of a Soviet-era statue in Tallinn, Estonia fell victim to a series of coordinated DDoS attacks against government, bank, university, and newspaper websites that lasted three weeks.

Target

Location: Estonia
Date Breach First Reported: 4/26/2007

Incident

Method: DDoS
Type: Disruption

Actor

Type: State-sponsored actor
Attribution: Speculated

Description

Following the contentious relocation of a Soviet-era statue in Tallinn, Estonia fell victim to a series of coordinated DDoS attacks against government, bank, university, and newspaper websites that lasted three weeks. The attacks began on April 26, when government and political party email servers and websites were disrupted. The following week, a second wave began that disrupted access to Estonian news websites. The final wave, which began on May 9, was the heaviest and targeted the Estonian banking sector. The attack forced two major Estonian banks to suspend online banking, disabling bank card transactions and ATM withdrawals. The disruption did not end until the attackers’ botnet contracts expired on May 19. The attacks were carried out by Russian hacktivists communicating openly on Russian-language chatrooms, where users shared precise instructions on how to conduct the attacks. Estonia accused the Russian government of ordering the attacks but was unable to produce definitive proof.

Developed in association with BAE Systems