How North Korean hackers nearly pulled off a $1 billion heist at Bangladesh Bank

In early February 2016, what initially appeared to be a routine technical malfunction inside Bangladesh Bank would soon reveal itself as one of the most audacious cybercrimes in modern financial history.

At approximately 8:30 p.m. on 5 February 2016, a printer on the tenth floor of Bangladesh Bank’s headquarters in Dhaka began to malfunction. Bank employees, accustomed to minor IT disruptions, initially dismissed the issue. However, when the printer was restarted around 8:45 p.m., it began spewing out urgent messages from the Federal Reserve Bank of New York, where Bangladesh Bank held its US-dollar reserves.

The messages were alarming: instructions had been issued to transfer nearly the entire balance of Bangladesh Bank’s account, close to USD 1 billion (most accounts put the total of the requests at USD 951 million; some cite USD 966 million). In effect, someone was attempting to drain almost one billion dollars from the nation’s reserves.

This incident would later become known as the Bangladesh Bank Heist, or more widely, “The Lazarus Heist”—a cyber operation so sophisticated that it fundamentally altered how governments and banks perceive digital financial security.

A Carefully Orchestrated Operation

Subsequent investigations revealed that this was no spontaneous attack. According to extensive reporting by the BBC, including investigations by Geoff White and Jean H. Lee, the operation was the product of years of planning by an elite group of hackers trained under North Korea’s state-sponsored cyber programme, widely known as the Lazarus Group.

The hackers had infiltrated Bangladesh Bank’s systems as early as January 2015, remaining undetected for nearly a year. Their entry point was deceptively simple: a phishing email.

An individual posing as a job applicant named Rasel Ahlam sent emails to multiple bank employees, inviting them to download a CV and cover letter. One employee did so, unknowingly installing malware that spread through the bank’s internal network. This granted the attackers long-term access to critical systems, including terminals connected to SWIFT, the global interbank messaging system used to authorise international money transfers.

Crucially, the hackers did not exploit a flaw in SWIFT itself. Instead, they masqueraded as legitimate bank staff, making fraudulent transfer requests appear entirely authentic.

Laying the Escape Routes

While embedded within the bank’s systems, the attackers began preparing the routes through which the stolen funds would be funnelled.

In May 2015, a few months after the initial intrusion, four bank accounts were quietly opened at a branch of RCBC (Rizal Commercial Banking Corporation) in the Philippines, located on Jupiter Street in Manila. These accounts displayed multiple red flags: forged identity documents, identical job descriptions, and suspiciously similar salary details. Yet none of these warning signs were acted upon.

The accounts remained dormant for months, containing only the minimum opening deposit, while the hackers finalised other aspects of their plan.

Their timing was meticulous. The transfers were sent on Thursday, 4 February 2016, just before the Bangladeshi weekend (Friday and Saturday) began. By the time the problem was understood in Dhaka, New York was entering its own weekend, so nobody at the Federal Reserve could be reached to intervene. And when the funds arrived in Manila, the Philippines was closed for the Lunar New Year holiday, so Bangladesh Bank’s requests to stop the payments sat unread until after the money had started to move.

Key Facts at a Glance

Aspect               Details
Date of attack       4–5 February 2016
Target               Bangladesh Bank
Intended theft       USD 951–966 million
Amount stolen        USD 81 million
Attack group         Lazarus Group (linked to North Korea)
Entry method         Phishing email
Laundering route     Philippines → casinos
Status of recovery   Ongoing


Silencing the Alarm

With the escape routes prepared, the hackers moved to neutralise what they knew to be their final obstacle: Bangladesh Bank’s paper-based transaction logging. Every SWIFT transfer confirmation was printed automatically, so staff reviewing the printouts could spot an irregular payment quickly. To avoid detection, the attackers compromised the software that drove the printer on the tenth floor, effectively taking it offline. Because that printing was controlled from the same compromised SWIFT workstation environment, it was not an independent control: whoever controlled the host also controlled the alarm.

At 8:36 p.m. on Thursday, 4 February 2016, the hackers initiated 35 fraudulent transfer requests totalling approximately USD 951 million, nearly the entire balance of Bangladesh Bank’s New York Federal Reserve account. Because the requests appeared to originate from legitimate SWIFT terminals, the system raised no immediate alarms.

By the time bank officials realised something was wrong over the weekend, the damage was already underway.
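The control that failed here was a single in-band channel: the only evidence a human could see came from a printer driven by the same compromised environment. As an added example (not code from Bangladesh Bank, SWIFT or the BBC reporting), the Python below reconciles a messaging gateway’s outbound log against a print spooler’s log, so that a transfer with no printed confirmation, or a printer that falls silent while transfers keep flowing, raises an alert. Both log formats and every reference, timestamp and amount are constructed for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (references, times and amounts are invented).
# The gateway keeps sending after 20:36, but the printer log goes silent at 18:10.
GATEWAY_LOG = """\
2016-02-04T18:10:40 SENT ref=TRX0001 amount=1200000.00
2016-02-04T20:36:02 SENT ref=TRX0002 amount=20000000.00
2016-02-04T20:37:15 SENT ref=TRX0003 amount=81000000.00
2016-02-04T20:38:41 SENT ref=TRX0004 amount=30000000.00
"""
PRINTER_LOG = """\
2016-02-04T18:10:44 PRINTED ref=TRX0001
"""

GATEWAY_RE = re.compile(r"^(\S+) SENT ref=(\S+) amount=([\d.]+)$")
PRINTER_RE = re.compile(r"^(\S+) PRINTED ref=(\S+)$")


def parse_gateway(text):
    """Return [(ref, sent_at, amount_usd)] for each SENT line in the gateway log."""
    rows = []
    for line in text.splitlines():
        m = GATEWAY_RE.match(line.strip())
        if m:
            rows.append((m.group(2), datetime.fromisoformat(m.group(1)), float(m.group(3))))
    return rows


def parse_printer(text):
    """Return {ref: printed_at} for each PRINTED line in the spooler log."""
    printed = {}
    for line in text.splitlines():
        m = PRINTER_RE.match(line.strip())
        if m:
            printed[m.group(2)] = datetime.fromisoformat(m.group(1))
    return printed


def reconcile(gateway_text, printer_text, now, grace=timedelta(minutes=5)):
    """Compare the two channels and return a list of alert strings.

    `now` is an ISO-8601 string or a datetime. Two conditions are checked,
    because the printer is the only human-visible signal and an attacker who
    controls it makes it fail quietly rather than loudly:
      * a transfer was SENT more than `grace` ago and has no PRINTED record;
      * nothing has been printed since `grace` before the last transfer was
        sent, i.e. the confirmation channel fell silent while transfers flowed.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    sent = parse_gateway(gateway_text)
    printed = parse_printer(printer_text)
    alerts = []
    for ref, sent_at, amount in sent:
        if ref not in printed and now - sent_at > grace:
            alerts.append(f"UNCONFIRMED {ref} USD {amount:,.2f} sent {sent_at.isoformat()}")
    if sent:
        last_sent = max(sent_at for _, sent_at, _ in sent)
        last_print = max(printed.values(), default=None)
        if last_print is None or last_print < last_sent - grace:
            unprinted = sum(1 for ref, _, _ in sent if ref not in printed)
            alerts.append(f"PRINTER SILENT: {unprinted} transfer(s) sent with no confirmation printed")
    return alerts


def unconfirmed_total(gateway_text, printer_text, now, grace=timedelta(minutes=5)):
    """Dollar value at risk: transfers sent more than `grace` ago with no printed record."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    printed = parse_printer(printer_text)
    return sum(amount for ref, sent_at, amount in parse_gateway(gateway_text)
               if ref not in printed and now - sent_at > grace)


if __name__ == "__main__":
    for alert in reconcile(GATEWAY_LOG, PRINTER_LOG, "2016-02-04T21:00:00"):
        print(alert)
```

The heartbeat check matters because an attacker who suppresses confirmations produces an absence rather than an event. For the check to be worth anything it has to run from a host the SWIFT workstation cannot reach, with its own copy of the gateway log; otherwise it can be silenced the same way the printer was.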

Discovery and the Race Against Time

As confusion mounted at Bangladesh Bank, Governor Atiur Rahman sought urgent assistance from Rakesh Asthana, head of US-based cybersecurity firm World Informatix. Asthana quickly determined that the attackers had gained privileged access to the bank’s SWIFT infrastructure.

Once some of the transfers reached the Philippines, Bangladesh Bank attempted to halt the transactions—only to learn that Philippine authorities required a court order before any funds could be frozen. By the time legal proceedings began in late February, details of the heist had already become public.

A Costly Clue: “Jupiter”

The hackers’ plan nearly succeeded in full. However, a seemingly trivial detail proved decisive.

Several payment instructions referenced “Jupiter Street”, the location of the RCBC branch in Manila. “Jupiter” also happened to be the name of a sanctioned Iranian shipping vessel, so the Federal Reserve’s automated sanctions screening stopped messages containing the word for manual review. As a result, most of the transactions were held and never left New York; only five transfers, worth USD 101 million, went through.

One of those transfers, USD 20 million, was routed to a Sri Lankan charity called the Shalika Foundation. An employee at the routing bank noticed that the beneficiary’s name had been misspelled in the instruction as “Fandation” and raised concerns, enabling authorities to reverse the transfer. Even so, USD 81 million had already slipped through the net.
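What stopped most of the transfers was ordinary watch-list screening: a text filter that halts any message whose fields contain a listed name, without understanding whether the word is a counterparty or part of a street address. As an added illustration (not the Federal Reserve’s, SWIFT’s or any bank’s screening software), the Python below implements that kind of token-level screening over the free-text fields of a payment instruction. The watch list, the field names loosely modelled on MT103 tags, and the sample messages are all constructed for this example; “JUPITER” is on the list only to reproduce the false positive described above.

```python
import re

# Constructed watch list of listed names (not a real sanctions list).
# "JUPITER" is here only to reproduce the false positive described in the
# article; the second entry is a two-word name to exercise multi-token matching.
WATCHLIST = ("JUPITER", "EXAMPLE TRADING LTD")

# Constructed payment instructions; the keys are loosely modelled on MT103
# field tags and the payee names are invented.
MSG_JUPITER = {
    "50K_ordering_customer": "BANGLADESH BANK, DHAKA",
    "59_beneficiary": "SOME PAYEE INC / RCBC JUPITER STREET BRANCH, MAKATI CITY",
    "70_remittance_info": "PROJECT FUNDING",
}
MSG_CLEAN = {
    "50K_ordering_customer": "BANGLADESH BANK, DHAKA",
    "59_beneficiary": "SOME PAYEE INC / RCBC MAIN BRANCH, MAKATI CITY",
    "70_remittance_info": "PROJECT FUNDING",
}


def tokens(text):
    """Upper-case alphanumeric tokens; punctuation and case are ignored."""
    return re.findall(r"[A-Z0-9]+", text.upper())


def screen_field(field, text, watchlist):
    """Return (field, entry, matched_text) for every list entry found in text.

    Entries are matched as whole-word sequences, so "JUPITER STREET" matches
    the single-word entry "JUPITER" but "JUPITERIA" does not.  The filter has
    no notion of what the word means: an address trips it as readily as a name.
    """
    toks = tokens(text)
    hits = []
    for entry in watchlist:
        needle = entry.split()
        n = len(needle)
        for i in range(len(toks) - n + 1):
            if toks[i:i + n] == needle:
                hits.append((field, entry, " ".join(toks[i:i + n])))
                break  # one hit per entry per field is enough to hold the payment
    return hits


def screen_message(msg, watchlist=WATCHLIST):
    """Screen every field; any hit holds the payment for manual review."""
    hits = []
    for field, text in msg.items():
        hits.extend(screen_field(field, text, watchlist))
    return {"decision": "HOLD" if hits else "RELEASE", "hits": hits}


if __name__ == "__main__":
    for name, msg in (("jupiter", MSG_JUPITER), ("clean", MSG_CLEAN)):
        print(name, screen_message(msg))
```

The same property that makes this filter crude, matching on words with no understanding of context, is what caught the heist: the attackers controlled the bank’s SWIFT endpoint but not the screening that ran downstream at the correspondent, and a street name in the beneficiary field was enough to stop the message.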

Laundering Through Casinos

On Friday, 5 February, the previously dormant RCBC accounts suddenly became active. Funds were rapidly shuffled between accounts, converted into local currency, and partially withdrawn in cash.

The laundering operation then moved to the casino floors of Solaire Resort and Casino and Midas Casino in Manila—venues popular with high-stakes gamblers from mainland China. Of the USD 81 million stolen:

  • USD 50 million was deposited into casino accounts
  • USD 31 million was handed to Xu Weikang, a Chinese national who reportedly fled aboard a private aircraft and has not been seen since

Casinos offered the perfect cover. Chips could be purchased, wagers placed, and winnings cashed out—severing the link between the funds and their criminal origin. The group reportedly favoured Baccarat, a game with a high return rate that allows launderers to recover most of their capital.

At the time, Philippine gaming laws imposed no meaningful anti–money laundering controls on casinos, leaving authorities largely powerless to trace the funds once they crossed the gaming tables.

Partial Recovery and International Fallout

Bangladesh Bank eventually recovered USD 16 million from Kim Wong, a casino junket operator linked to Midas Casino. Wong was arrested, though charges were later dropped. The remaining funds—estimated at USD 65 million—vanished, with investigators believing they were routed through Macau and onward towards North Korea.

Broader Implications

The Bangladesh Bank heist foreshadowed a new era of state-backed cybercrime. In May 2017, the WannaCry ransomware attack crippled systems worldwide, including the UK’s National Health Service, forcing hospitals to cancel operations and appointments and to divert emergency patients. Investigators later identified technical similarities between WannaCry and the malware used in the Bangladesh Bank attack.

The FBI subsequently named Park Jin-hyok, a North Korean operative, in connection with both incidents, accusing Pyongyang of using cybercrime and cryptocurrencies to bypass international sanctions.

Where Things Stand Today

Bangladesh Bank continues legal efforts to recover the remaining stolen funds and has pursued cases against multiple entities, including RCBC, which denies wrongdoing. Nearly a decade later, the heist remains a cautionary tale—illustrating how a single phishing email, combined with geopolitical ambition and weak oversight, nearly allowed hackers to steal one billion dollars from a sovereign nation.

A Wake-Up Call for Global Banking

The Bangladesh Bank heist was more than an isolated cybercrime; it was a global wake-up call. Never before had hackers come so close to draining nearly one billion US dollars from a central bank through digital means. The incident exposed deep vulnerabilities—not in banking technology itself, but in human behaviour, institutional oversight, and international coordination.

Perhaps the most sobering lesson was how a single phishing email enabled attackers to compromise an entire financial ecosystem. SWIFT’s messaging network itself was never breached; what the attackers obtained was control of the bank’s own SWIFT workstations and the credentials of legitimate operators, so every fraudulent instruction was, from the network’s point of view, a properly authorised message. The weakest link remained the people and endpoints on the bank’s side. The attackers exploited trust, routine, and complacency, factors that no firewall alone can prevent.

Reforms After the Heist

In the aftermath, Bangladesh Bank undertook major reforms. Cybersecurity protocols were tightened, access controls were strengthened, and monitoring systems were upgraded. Crucially, the bank restructured its IT and risk management divisions, acknowledging that cybersecurity was no longer a back-office concern but a core national security issue.

SWIFT also responded with its Customer Security Programme (CSP), launched in 2016, whose Customer Security Controls Framework (CSCF) makes a set of controls mandatory for every institution connected to SWIFT, including:

  • Multi-factor authentication for operators of SWIFT-connected systems
  • Transaction and operator-activity monitoring, including reconciliation of the messages actually sent
  • Hardened and promptly patched endpoints in the SWIFT environment
  • An annual attestation of compliance, which since 2021 must be independently assessed

Each SWIFT user must attest annually against the CSCF, and counterparties can consult those attestations when deciding how much to trust a correspondent.

International Regulatory Gaps

The heist also highlighted regulatory blind spots, particularly in jurisdictions where financial oversight was weaker. The Philippines’ casino sector, at the time exempt from the country’s anti–money laundering law, became an unintended accomplice. Following international pressure, Philippine authorities amended the law in 2017 to bring casinos under anti–money laundering regulation, though critics argue enforcement remains uneven.

This case demonstrated that cybercrime does not respect borders, yet legal systems often remain bound by them. Delays caused by time zones, weekends, and jurisdictional requirements gave the attackers precious hours—if not days—to move stolen funds beyond reach.

The Rise of State-Sponsored Cybercrime

Investigators believe the Lazarus Group’s activities form part of North Korea’s broader strategy to generate foreign currency amid heavy international sanctions. Unlike traditional criminal syndicates, state-backed groups possess long-term funding, geopolitical motivations, and protection from prosecution.

This model of cyber warfare—where financial institutions become battlefields—has since proliferated. Governments now acknowledge that cyberattacks can be as destabilising as conventional military operations, particularly when they target critical infrastructure such as banks, hospitals, and energy grids.

A Lasting Legacy

Nearly a decade later, Bangladesh Bank continues its pursuit of the remaining USD 65 million, while the heist remains a defining case study in cybersecurity, finance, and geopolitics. It reshaped how banks assess risk, how regulators draft policy, and how nations perceive digital threats.
