- Network
- A
The Cost of a Single Typo: How Three Wrong Letters Foiled a Billion-Dollar Cyber Heist
SWIFT system hacks often seem like something out of Hollywood fantasy, but in 2016 the Lazarus group proved the opposite. In this article we break down step by step the architecture of one of the most daring APT attacks in history: the attack on the Central Bank of Bangladesh. You will learn how hackers used targeted phishing for initial infiltration, how they bypassed the built-in cryptography of the Alliance Access software in RAM, and why they needed to modify the firmware of a regular dot matrix printer. This is the story of how total savings on network infrastructure almost cost a sovereign state a billion dollars.
1. A Billion in the Crosshairs: How Bangladesh's Central Bank Became the Perfect Target
To steal a billion dollars from a state, you don't need to break into vaults full of gold bars. In the modern international banking system, money is just entries on servers. Like many other central banks around the world, Bangladesh's Central Bank held its foreign exchange reserves in accounts at the Federal Reserve Bank of New York (the Fed).
To transfer these funds anywhere, all it takes is to send a legitimate request via the interbank system for messaging and payments — SWIFT.
Why Bangladesh specifically? Hacking the servers of the New York Fed or the core of the SWIFT network is technically impractical — these are systems with an unprecedented level of security. But the interface for accessing funds (the SWIFT terminal) is located on the client side. And it was the infrastructure of Bangladesh's Central Bank that turned out to be the perfect entry point.
The reason is mundane: total skimping on basic cybersecurity:
Lack of segmentation: The room housing the SWIFT terminal is supposed to be strictly isolated from the rest of the corporate network. This was not done in Bangladesh.
Cheap hardware: Instead of enterprise-grade solutions, managed switches, and hardware firewalls, the bank used regular second-hand routers costing around $10.
Leaky perimeter: Any compromised device belonging to a regular employee provided a direct path to mission-critical servers.
Entry Point In January 2016, hackers from the North Korean group Lazarus launched an operation starting with classic targeted spear-phishing (spear-phishing).
An email from a job applicant named “Russell Alam” (Rasel Ahlam) landed in the inboxes of several bank employees. Inside was a file with a resume and cover letter that appeared harmless at first glance. In reality, the file contained a hidden trojan (most likely a document with malicious macros or a packed executable file).
One of the clerks downloaded the resume and opened it on their work computer. That single click was all it took. The malware ran silently in the background, established persistence in the system, and opened a backdoor. The Lazarus hackers gained access to the bank’s internal network and began their path toward the SWIFT terminal.
2. Ghost in the System: How to Hack SWIFT
After gaining initial access, the Lazarus hackers did not immediately start breaking servers and attempting to transfer funds out. Any anomaly on the central bank’s network would have triggered an alert. Instead, they went into deep reconnaissance, which lasted several weeks.
Combat Reconnaissance Throughout this period, the attackers moved quietly across the network (lateral movement), dumped passwords, and studied internal processes. They needed to understand the business logic: what hours operators started and ended their shifts, who authorized transactions and how, and on which days the largest sums were transferred out.
Hackers installed keyloggers and captured screenshots from the clerks' work machines. The primary objective was to thoroughly study the SWIFT message format (standards such as MT103 and MT202) and the specifics of completing the relevant fields. To ensure the Federal Reserve Bank of New York approved transfers worth hundreds of millions of dollars without raising any questions, the requests had to look completely routine.
Technical Background The SWIFT system itself is not just a desktop application. It is a secure hardware-software complex. Banks connect to the global financial network via specialized server software — Alliance Access.
Exploiting the network's weak architecture (those same cheap switches and the lack of strict isolation of the SWIFT segment), the hackers compromised the domain controller, obtained the necessary user credentials, and gained access to the servers running Alliance Access.
Custom Malware Simply gaining access to the server was not enough. SWIFT has built-in robust mechanisms for cryptographic protection and data integrity verification. Therefore, Lazarus developed custom malware designed exclusively for hacking Alliance Access.
This malware (later identified by cybersecurity researchers as a set of modified DLL libraries and executable files) injected itself deep into the bank software's processes. It performed three core actions:
Hijacked control of Alliance Access processes running in RAM.
Spoofed checks of built-in validation mechanisms and bypassed the integrity control system for the local Oracle database that the software relied on.
Created money transfer requests on behalf of the Central Bank of Bangladesh, bypassing operators, and automatically signing them with the bank's legitimate cryptographic keys.
To the servers of the Federal Reserve Bank of New York, everything looked exactly like an authorized employee in Dhaka had logged onto a terminal and sent funds through standard procedures. The malware had fully taken over the entire software suite. All that remained was to choose the right moment to strike.
3. Blind Printer and Perfect Timing: Theft Under the Cover of Weekends
A perfect hack requires not only sophisticated code, but also flawless timing planning. To steal a billion dollars, the hackers needed a window of time when no one would be monitoring screens or reconciling account balances.
Timing Selection The attack launched on the evening of Thursday, February 4, 2016. The date was chosen with mathematical precision:
In Bangladesh, Friday and Saturday are official public holidays, so the bank is empty.
In the United States (where the Federal Reserve Bank of New York is located), weekends are Saturday and Sunday.
This discrepancy in holiday schedules and time zones gave the Lazarus group nearly four full days of an ideal "blind spot". During this period, there were no staff at either bank able to contact each other promptly and block the transfers.
Erasing Evidence in the Physical World Erasing digital traces inside a compromised server is only half the battle. In a secure room at Bangladesh's central bank, there was an independent control mechanism: a standard dot-matrix printer. It was configured to automatically print paper receipts for every incoming and outgoing SWIFT transaction.
For bank staff, this was the primary physical log. If money was withdrawn from an account, the printer was supposed to start making noise and print a confirmation receipt. Paper cannot be deleted remotely.
Printer Mechanism Patch Hackers had to solve the physical-world problem using software. The malware installed on SWIFT servers included a special module that intercepted and blocked the transmission of data to the printer.
When the malware began generating dozens of fake transfer requests for $1 billion to the Federal Reserve Bank of New York on Thursday evening, the printer in Bangladesh simply went silent.
On Sunday morning, when central bank staff arrived for work (the start of their work week), they found the printer was not working. At first, they chalked it up to a routine hardware glitch. Hours were spent repairing the network and rebooting the equipment. When the printer finally came back to life and started continuously spewing out the accumulated slips documenting the withdrawal of hundreds of millions of dollars, it was too late — the requests had long since reached New York.
4. Fatal Typo: Fandation Instead of Foundation
The New York Fed began automatically processing incoming requests. The cryptographic signatures were authentic, the message formats were correct. The system saw no reason to block the transactions. The first four transactions totaling $81 million successfully passed all checks and were sent off to pre-prepared accounts in the Philippines. The heist was going according to plan.
Human Factor The fifth transfer for $20 million was sent to the account of a non-profit organization in Sri Lanka named Shalika Foundation.
This is where human fatigue or a simple lack of English proficiency intervened in the otherwise flawless technical plan. While entering the recipient's details, the hacker made a trivial typo. Instead of Foundation, he typed Fandation.
Intervention of Chance International transfers rarely move directly, they usually pass through correspondent banks. The payment to Sri Lanka was routed through Deutsche Bank.
The erroneous word Fandation caught the attention of the automated compliance system (or a vigilant operations officer). In the heavily regulated banking sector, discrepancies in the names of legal entities are a red flag. Deutsche Bank suspended the transaction and sent a routine request to the Central Bank of Bangladesh to confirm the recipient details.
It was this very request that unraveled the entire scheme. By that point, the New York Fed's fraud monitoring systems had also sounded the alarm, having detected an anomalous volume of transfers from a sovereign state's reserves to accounts of dubious private funds. The chain was broken. The Fed urgently blocked the remaining transfers totaling $850 million.
The extremely complex, months-long cyber operation that relied on custom malware and physical device tampering failed due to three mistyped letters on a keyboard.
5. On the Trail of $81 Million: Casinos, the Philippines, and the Lazarus Legacy
The $81 million that managed to slip through the Fed's filters vanished without a trace in Southeast Asia. This phase of the operation demonstrated just how thorough the planning had been.
Perfect Money Laundering The funds landed in four accounts at Philippine bank RCBC in Manila. These accounts had been opened using forged documents a full year before the attack, in May 2015, and had sat with a $500 balance the entire time, waiting for their moment.
As soon as the millions hit the accounts, they were immediately transferred to brokers, converted into Philippine pesos, and withdrawn as cash. The final stop on the route were Manila's major casinos. On the casino floors, cash was exchanged for chips, run through baccarat tables, and then converted back to cash. At this point, the transaction chain was permanently broken: in the world of legal gambling, traces of such funds are lost forever. Only the meager crumbs of the stolen sum were ever recovered.
Geopolitical context The investigation into the incident was taken over by top cybersecurity firms (FireEye, Symantec, Kaspersky). Analyzing logs, IP addresses and fragments of custom malware code, researchers found direct overlaps with the toolset of the notorious Lazarus group.
This discovery established a unique historical precedent. Until that point, it was believed that elite government hackers (APT groups) exclusively engaged in cyber espionage, theft of military secrets or sabotage of enemy infrastructure. North Korea changed the rules of the game: an entire state used cyber weapons and top specialists to carry out a run-of-the-mill bank robbery, to replenish its budget amid harsh international sanctions.
Conclusion The story of the Bangladesh Central Bank hack is a classic example of how in the cybersecurity field, technology always comes up against the human factor.
The Lazarus group carried out phenomenal work: they spent months operating within the network, wrote an extremely complex exploit to breach the closed SWIFT system, and even remotely patched a dot matrix printer to blind the physical security service. And this entire multi-million dollar intelligence operation, whose preparation took more than a year, failed spectacularly all because of a basic lack of English language proficiency and the routine attentiveness of a bank clerk. A three-letter typo saved the world 850 million dollars.
Announcements of new articles, useful materials, and also if you run into any difficulties during the process, you can discuss them or ask a question about this article in my Telegram community. Feel free to join if something goes wrong — we will try to sort it out together.
Write comment