This timeline chronicles ~200 cyber incidents targeting financial institutions since 2007, and can be filtered by country, region, year, attribution, incident type, and actor type. Cybersecurity risks to the financial system have grown in recent years, in part because the cyber threat landscape is worsening; in particular, state-sponsored cyberattacks targeting financial institutions are becoming more frequent, sophisticated, and destructive. In 2017, the G20 warned that cyberattacks could “undermine the security and confidence and endanger financial stability.”
To keep track of the evolution of the threat landscape, Carnegie’s Technology and International Affairs Program updates this timeline with data from provided by the Cyber Threat Intelligence unit of BAE Systems. The timeline has not been designed to cover every single incident but rather to provide insight into key trends and how the threat landscape is evolving over time.
On April 17, 2022, the decentralised finance platform Beanstalk Farms lost $180 million in a cryptocurrency heist.
Location: United States
Date Breach First Reported: 4/18/2022
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On April 17, 2022, the decentralised finance platform Beanstalk Farms lost $180 million in a cryptocurrency heist. The attackers took out a large enough loan to acquire enough voting rights to make the necessary governance changes to move all of Beanstalk’s reserves. The price of each Bean has since plumeted to near zero before coming back up to around one dollar.
On April 11, 2022, researchers reported on the banking trojan Fakecalls, which has the ability to ‘talk’ to victims and pretend to be a employee of the bank.
Location: South Korea
Date Breach First Reported: 4/11/2022
Method: Malware
Type: Multiple
Type: Unknown
Attribution: Unknown
On April 11, 2022, researchers reported on the banking trojan Fakecalls, which has the ability to ‘talk’ to victims and pretend to be a employee of the bank. Fakecalls mimics the mobile apps of popular Korean-based banks. The trojan seeks to gain access to the victims contacts, microphone, camera, location and call handling, and attackers attempt to gain payment data or confidential information from the victim. Fakecalls also has a spyware toolkit.
On April 6, 2022, India-based loans app CashMama reported a data breach, in which customer data that was invasively collected and stored was exposed.
Location: India Date Breach First Reported: 4/6/2022
Method: Other
Type: Data breach
Type: Unknown
Attribution: Unknown
On April 6, 2022, India-based loans app CashMama reported a data breach, in which customer data that was invasively collected and stored was exposed. CashMama’s Amazon S3 bucket was left in open form, which exposed customers’ personal data and other sensitive information.
On April 1, 2022, North Korean state-sponsored threat group Lazarus was found to be using ‘Trojanised’ decentralised finance apps to deliver malware in their latest spearphishing campaign.
Location: Multiple
Date Breach First Reported: 4/1/2022
Method: Malware
Type: Multiple
Type: State-sponsored actor
Attribution: High confidence
On April 1, 2022, North Korean state-sponsored threat group Lazarus was found to be using ‘Trojanised’ decentralised finance apps to deliver malware in their latest spearphishing campaign. The malware is a full-featured backdoor containing sufficient capabilities to control the compromised victim.
On March 23 2022, blockchain project Ronin lost $615 million in ether and USD Coin tokens in the second largest cryptocurrency heist to date.
Location: Canada
Date Breach First Reported: 3/29/2022
Method: Other
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On March 23 2022, blockchain project Ronin lost $615 million in ether and USD Coin tokens in the second largest cryptocurrency heist to date. Hackers exploited a feature allowing users to transfer their digital assets from crypto network to another. Ronin is used to power the popular online blockchain game Axie Infinity. The US subsequently attributed the incident to North Korean state-backed hacking collective Lazarus Group and announced new sanctions against an ethereum wallet belonging to the group.
Credit bureau TransUnion SA suffered a cyber attack which saw around three million customer's data stolen by a criminal third party.
Location: South Africa
Date Breach First Reported: 3/17/2022
Method: Malware
Type: Data breach
Type: Unknown
Attribution: Unknown
Credit bureau TransUnion SA suffered a cyber attack which saw around three million customer's data stolen by a criminal third party. The attackers demanded a ransom but TransUnion refused to pay.
On February 28, 2022, the Moscow Stock Exchange and Sberbank, Russia’s largest lender, were hit by DDoS attacks that took their websites offline.
Location: Russia
Date Breach First Reported: 2/28/2022
Method: Unknown
Type: Disruption
Type: Non-state actor
Attribution: Speculated
On February 28, 2022, the Moscow Stock Exchange and Sberbank, Russia’s largest lender, were hit by DDoS attacks that took their websites offline. The incidents were claimed by the Ukrainian IT Army, a crowdsourced community of hackers created by the Ukrainian government.
On February 25, 2022, global insurance and reinsurance broker, Aon was hit by a ransomware attack, causing limited disruption to a number of their services.
Location: United States
Date Breach First Reported: 2/28/2022
Method: Ransomware
Type: Disruption
Type: Unknown
Attribution: Unknown
On February 25, 2022, global insurance and reinsurance broker, Aon was hit by a ransomware attack, causing limited disruption to a number of their services. The attack reportedly left no significant impact on the company, and Aon has not disclosed further details about the incident.
On February 15, 2022, the web portal of Ukraine’s defence ministry and the banking and terminal services at several large state-owned lenders were downed in the largest DDoS attacks to hit the country to date.
Location: Ukraine
Date Breach First Reported: 2/16/2022
Method: DDoS
Type: Disruption
Type: State-sponsored actor
Attribution: High confidence
On February 15, 2022, the web portal of Ukraine’s defence ministry and the banking and terminal services at several large state-owned lenders were downed in the largest DDoS attacks to hit the country to date. The Ukrainian government publicly attributed the incident to Moscow. The Kremlin has denied involvement for the operation, which hit Ukraine at a time when the country is bracing itself for a possible invasion from Russian forces.
On February 8, 2022, IRA Financial Trust, which offers self-directed retirement accounts, lost $36 million in cryptocurrency when unknown threat actors drained $21 million in Bitcoin and $15 million in Ethereum from the accounts of IRA customers.
Location: United States
Date Breach First Reported: 2/14/2022
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On February 8, 2022, IRA Financial Trust, which offers self-directed retirement accounts, lost $36 million in cryptocurrency when unknown threat actors drained $21 million in Bitcoin and $15 million in Ethereum from the accounts of IRA customers. IRA Financial allows its customers to purchase cryptocurrency through a partnership with the cryptocurrency exchange Gemini Trust Co.
On February 4, 2022, researchers reported that the Medusa Android banking Trojan has increased infection rates and the scope of geographic regions targeted.
Location: Multiple
Date Breach First Reported: 2/7/2022
Method: Malware
Type: Multiple
Type: Unknown
Attribution: Unknown
On February 4, 2022, researchers reported that the Medusa Android banking Trojan has increased infection rates and the scope of geographic regions targeted. The malware aims to steal online credentials to go on and perform financial fraud. Medusa has begun targeting victims in North America and Europe, using the same distribution service as FluBot malware to carry out their smishing campaigns.
On February 2, 2022, cryptocurrency platform Wormhole lost an estimated $322 million worth of Ether currency when a threat actor exploited a vulnerability in the platform’s smart contracts, making it the second largest hack of a decentralized platform to date.
Location: Switzerland
Date Breach First Reported: 2/2/2022
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On February 2, 2022, cryptocurrency platform Wormhole lost an estimated $322 million worth of Ether currency when a threat actor exploited a vulnerability in the platform’s smart contracts, making it the second largest hack of a decentralized platform to date. Wormhole is offering the hacker $10 million in exchange for return of the stolen funds.
On January 27, 2022, decentralized finance platform Qubit Finance suffered a breach, in which threat actors were able to steal $80 million worth of cryptocurrency.
Location: United Kingdom
Date Breach First Reported: 1/28/2022
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On January 27, 2022, decentralized finance platform Qubit Finance suffered a breach, in which threat actors were able to steal $80 million worth of cryptocurrency. The attackers exploited a vulnerability in one of its Ethereum blockchain contracts. Qubit has offered to pay the attacker a bounty to return the stolen funds.
On January 26, 2022, the TeaBot and FluBot banking trojans were detected to be targeting Android devices once again.
Location: Multiple
Date Breach First Reported: 1/26/2022
Method: Phishing
Type: Theft
Type: Unknown
Attribution: Unknown
On January 26, 2022, the TeaBot and FluBot banking trojans were detected to be targeting Android devices once again. The banking trojans steal banking, contact, and SMS data from infected machines, and are being dispatched in phishing campaigns.
On January 17, 2022, Multichain, a platform that allows users to swap tokens between blockchains, lost approximately $1.4 million when hackers exploited a vulnerability in the blockchain service.
Location: Multiple
Date Breach First Reported: 1/19/2022
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On January 17, 2022, Multichain, a platform that allows users to swap tokens between blockchains, lost approximately $1.4 million when hackers exploited a vulnerability in the blockchain service. One of the attackers is now negotiating with the victims to return 80% of the stolen funds and keep the remaining 20% as a ‘tip’.
On January 17, 2022, major cryptocurrency exchange Crypto.com suffered a cyber attack that led to unauthorized withdrawals of bitcoin and Ether worth $35 million and affected at least 483 user accounts.
Location: Multiple
Date Breach First Reported: 1/17/2022
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On January 17, 2022, major cryptocurrency exchange Crypto.com suffered a cyber attack that led to unauthorized withdrawals of bitcoin and Ether worth $35 million and affected at least 483 user accounts. The exchange has subsequently instituted strict 2FA measures a fund restoration program for qualifying users.
On January 9, 2022, the biggest bank in Finland, OP Financial Group suffered a cyberattack which disrupted its services.
Location: Finland Date Breach First Reported: 1/11/2022
Method: Unknown
Type: Disruption
Type: Unknown
Attribution: Speculated
On January 9, 2022, the biggest bank in Finland, OP Financial Group suffered a cyberattack which disrupted its services. The attack also affected logins to the site but online services were restored shortly after and no customer’s information or funds were compromised.
On December 23, 2021, around 790 banking customers of Singporean bank OCBC were targeted in a phishing scam resulting in a loss of at least $13.7 million.
Location: Multiple
Date Breach First Reported: 1/11/2022
Method: Phishing
Type: Theft
Type: Unknown
Attribution: Unknown
On December 23, 2021, around 790 banking customers of Singporean bank OCBC were targeted in a phishing scam resulting in a loss of at least $13.7 million. Once victims clicked on the link provided and typed in their credentials, attackers were able to gain access to victim’s bank accounts and drain it of its entire funds.
On December 12, 2021, crypto exchange AscendEX lost $77.7 million in a breach of its hot wallet.
Location: Multiple
Date Breach First Reported: 12/11/2021
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On December 12, 2021, crypto exchange AscendEX lost $77.7 million in a breach of its hot wallet. Assets were taken across three blockchains—Ethereum, Binance Smart Chain, and Polygon—with stolen tokens including significant amounts of stablecoins. The firm subsequently froze deposits and withdrawals.
On December 4, 2021, Bitmart, a crypto trading platform, experienced a major security breach, resulting in hackers withdrawing almost $200 million in assets.
Location: Multiple
Date Breach First Reported: 12/5/2021
Method: Multiple
Type: Theft
Type: Unknown
Attribution: Unknown
On December 4, 2021, Bitmart, a crypto trading platform, experienced a major security breach, resulting in hackers withdrawing almost $200 million in assets. The security breach was mainly caused by a stolen private key, which affected two of its ethereum and binance smart chain hot wallets. Bitmart says it will reimburse victims for all losses.
On December 2, 2021, decentralied finance ("DeFi") protocol BadgerDAO was hit by a cyber attack in which hackers stole $120.3 million in crypto.
Location: Multiple Date Breach First Reported: 12/2/2021
Method: Multiple
Type: Theft
Type: Unknown
Attribution: Unknown
On December 2, 2021, decentralied finance ("DeFi") protocol BadgerDAO was hit by a cyber attack in which hackers stole $120.3 million in crypto. The DAO paused all smart contracts in order to prevent further withdrawals. Crypto lender Celsius Network subsequently confirmed the company had lost money from the hack.
On December 1, 2021, blockchain startup MonoX Finance lost $31M when a threat actor exploited a vulnerability in the software the company uses to draft smart contracts.
Location: Singapore
Date Breach First Reported: 12/07/2021
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On December 1, 2021, blockchain startup MonoX Finance lost $31M when a threat actor exploited a vulnerability in the software the company uses to draft smart contracts. The threat actor was able to inflate the price of the MONO token and use it to cash out all the other deposited tokens.
From the end of November 2021, Taiwan’s financial sector was hit by a months-long cyber espionage campaign attributed to Chinese state-sponsored group APT 10.
Location: Taiwan
Date Breach First Reported: 2/21/2022
Method: Malware
Type: Espionage
Type: State-sponsored actor
Attribution: Speculated
From the end of November 2021, Taiwan’s financial sector was hit by a months-long cyber espionage campaign attributed to Chinese state-sponsored group APT 10. Attackers ran malicious code on local systems and installed a RAT that allowed them to maintain persistent remote access to the infected system.
On November 18, 2021, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency issued a joint final rule to establish computer security incident notification requirements for banking organisations and their service providers.
Location: United States
Date Breach First Reported: 11/18/2021
Method: N/A
Type: N/A
Type: N/A
Attribution: N/A
On November 18, 2021, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency issued a joint final rule to establish computer security incident notification requirements for banking organisations and their service providers. The rule seeks to provide agencies with early warnings of suspected threats.
On November 8, 2021, Robinhood, the American stock trading platform, disclosed a data breach after their systems were hacked.
Location: United States
Date Breach First Reported: 11/8/2021
Method: Other
Type: Data breach
Type: Unknown
Attribution: Unknown
On November 8, 2021, Robinhood, the American stock trading platform, disclosed a data breach after their systems were hacked. A threat actor gained access to the personal information of around 7 million customers.
On November 6, 2021, threat actors stole an estimated $55 million from bZx, a decentralised finance platform that allows users to borrow, loan, and speculate on cryptocurrency price varations.
Location: Multiple
Date Breach First Reported: 11/6/2021
Method: Phishing
Type: Theft
Type: Unknown
Attribution: Unknown
On November 6, 2021, threat actors stole an estimated $55 million from bZx, a decentralised finance platform that allows users to borrow, loan, and speculate on cryptocurrency price varations. A bZx developer was sent a phishing email with a malicious Word document attached. Threat actors compromised the developer's mnemonic wallet phrase and emptied their personal wallet before stealing two private keys for bZx's Polygon and Binance Smart Chain (BSC) blockchains.
On November 4, 2021, the FBI warned that scams involving cryptocurrency ATMs and QR codes are on the rise.
Location: United States
Date Breach First Reported: 11/4/2021
Method: Other
Type: Theft
Type: Non-state actor
Attribution: Unknown
On November 4, 2021, the FBI warned that scams involving cryptocurrency ATMs and QR codes are on the rise. Cybercriminals have started to abuse QR codes to receive fraudulent cryptocurrency payments from their victims.
Since November 2021, the banking trojan Zloader has been exploiting Microsoft’s digital signature verification method to inject malicious code into a signed system dynamic link library (DLL).
Location: Multiple Date Breach First Reported: 01/07/2022
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
Since November 2021, the banking trojan Zloader has been exploiting Microsoft’s digital signature verification method to inject malicious code into a signed system dynamic link library (DLL). The banking trojan leverages Atera, an enterprise remote monitoring and management application, for intial access to targeted machines, and as of January 2022, the malicious DLL had been downloaded to 2000+ unique victim IPs.
In late October 2021, researchers from Cleafy and ThreatFabric discovered a new Android banking Trojan called SharkBot.
Location: Italy, United Kingdom Date Breach First Reported: 11/1/2021
Method: Malware
Type: Multiple
Type: Unknown
Attribution: Unknown
In late October 2021, researchers from Cleafy and ThreatFabric discovered a new Android banking Trojan called SharkBot. The trojan tricks targets into downloading malicious apps from Google Play Store and grants itself admin rights, collects keystrokes, intercepts/hides F2A SMS messages, and accesses mobile banking and crypocurrency apps to transfer funds. SharkBot has been detected targeting international banks from the United Kingdom and Italy and five different cryptocurrency services.
On November 1, 2021, the FBI warned that ransomware actors have been using significant financial events and stock information, specifically, publicly available information such as upcoming mergers to inform their targeting and extortion of victims.
Location: United States Date Breach First Reported: 11/1/2021
Method: Ransomware
Type: Multiple
Type: Unknown
Attribution: Unknown
On November 1, 2021, the FBI warned that ransomware actors have been using significant financial events and stock information, specifically, publicly available information such as upcoming mergers to inform their targeting and extortion of victims.
On October 29, 2021, the National Bank of Pakistan suffered a destructive cyber attack, which is said to have impacted some of its services including the bank's ATMs, internal network, and mobile apps.
Location: Pakistan Date Breach First Reported: 11/2/2021
Method: Multiple
Type: Disruption
Type: Unknown
Attribution: Unknown
On October 29, 2021, the National Bank of Pakistan suffered a destructive cyber attack, which is said to have impacted some of its services including the bank's ATMs, internal network, and mobile apps. Steps were taken immediately to isolate the incident, and the bank stated that no data was breached and no funds were stolen.
On October 27, 2021, in their third attack this year, attackers stole around $130 million from Cream Finance, a decentralized finance ("DeFi") platform.
Location: Poland Date Breach First Reported: 10/27/2021
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On October 27, 2021, in their third attack this year, attackers stole around $130 million from Cream Finance, a decentralized finance ("DeFi") platform. The attackers exploited a vulnerability in the platform's lending system (flash loaning) to steal all of their assets and tokens running on the Ethereum blockchain.
On October 28, 2021, researchers from Positive Technologies discovered vulnerabilities in the Wincor Cineo ATMs, owned by Diebold Nixdorf, an American multinational financial and retail technology company.
Location: United States Date Breach First Reported: 10/25/2021
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On October 28, 2021, researchers from Positive Technologies discovered vulnerabilities in the Wincor Cineo ATMs, owned by Diebold Nixdorf, an American multinational financial and retail technology company. With access to the dispenser controller's USB port, outdated or modified firmware could be installed to bypass the encryption and make cash ATM withdrawals.
On October 26, 2021, the Nigerian Communications Commission announced the discovery of a new malware, dubbed Flubot, targeting Android devices with fake security updates and application installations.
Location: Nigeria Date Breach First Reported: 10/1/2021
Method: Malware
Type: Multiple
Type: Unknown
Attribution: Unknown
On October 26, 2021, the Nigerian Communications Commission announced the discovery of a new malware, dubbed Flubot, targeting Android devices with fake security updates and application installations. The malware draws fake web views on infected devices, with the goal of stealing personal data, particularly credit card details or online banking credentials.
On October 15, 2021, researchers discovered that Russian-linked TA505 was targeting financial institutions globally in a new malware campaign, tracked as MirrorBlast.
Location: Russia Date Breach First Reported: 10/15/2021
Method: Malware
Type: Multiple
Type: Non-state actor
Attribution: High confidence
On October 15, 2021, researchers discovered that Russian-linked TA505 was targeting financial institutions globally in a new malware campaign, tracked as MirrorBlast. The infection begins with an email attachment document. After clicking the URL, targets will be directed to a fake OneDrive site, a compromised SharePoint, displaying a sign-in requirement to evade sandboxes.
On October 10, 2021, Pichincha Bank in Ecuador was hit by a cyber attack that disrupted customers' access to bank services, including their online and mobile app tools.
Location: Ecuador Date Breach First Reported: 10/12/2021
Method: Other
Type: Disruption
Type: Unknown
Attribution: Unknown
On October 10, 2021, Pichincha Bank in Ecuador was hit by a cyber attack that disrupted customers' access to bank services, including their online and mobile app tools. The bank stated that they had identified a cybersecurity incident that had partially disabled their services.
On October 2, 2021, Porto Seguro, Brazil's third-largest insurance company, suffered a cyberattack.
Location: Brazil Date Breach First Reported: 10/15/2021
Method: Multiple
Type: Disruption
Type: Unknown
Attribution: Unknown
On October 2, 2021, Porto Seguro, Brazil's third-largest insurance company, suffered a cyberattack. The attack resulted in temporary instability to its service channels and some of its systems. No data leakage has been identified in relation to the company or its subsidiaries, customers, or partners, including any personal data.
In late 2021, a long list of brands and online retailers were infected with the banking Trojan, Ramnit.
Location: Multiple Date Breach First Reported: 1/31/2022
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
In late 2021, a long list of brands and online retailers were infected with the banking Trojan, Ramnit. Ramnit aims to take over targets online accounts to steal their card payment data and has been detected in use since 2010. Ramnit was the top active banking Trojan for 2021.
On September 29, 2021, researchers from Check Point Research discovered a new wave of malicious Android applications targeting Brazilian banking applications, including the Central Bank's Pix payment system.
Location: Brazil Date Breach First Reported: 9/29/2021
Method: Malware
Type: Theft
Type: Unknown
Attribution: Speculated
On September 29, 2021, researchers from Check Point Research discovered a new wave of malicious Android applications targeting Brazilian banking applications, including the Central Bank's Pix payment system. One of the malicious applications contains a never-seen-before functionality which steals victims' money using Pix transactions, dubbed PixStealer.
On September 22, 2021, researchers reported that Android phone banking customers in India were being targeted the Drinik banking trojan malware.
Location: India Date Breach First Reported: 9/22/2021
Method: Malware
Type: Multiple
Type: Unknown
Attribution: Unknown
On September 22, 2021, researchers reported that Android phone banking customers in India were being targeted the Drinik banking trojan malware. The malware stole users' personal data and funds using phishing techniques.
On September 8, 2021, the websites of various New Zealand financial institutions and the national postal service were down due to a suspected cyber attack.
Location: New Zealand, Australia Date Breach First Reported: 9/8/2021
Method: DDOS
Type: Disruption
Type: Unknown
Attribution: Unknown
On September 8, 2021, the websites of various New Zealand financial institutions and the national postal service were down due to a suspected cyber attack. The financial institutions included Australia and New Zealand Banking Grp Ltd and Kiwibank, with the latter facing challenges into the next week.
On September 1, 2021, Kapersky reported that it had detected over 1,500 fraudulent global resources targeting potential crypto investors/users interested in mining, and prevented over 70,000 user attempts to visit such sites, since the beginning of 2021.
Location: Multiple Date Breach First Reported: 9/1/2021
Method: Malware
Type: Theft
Type: N/A
Attribution: N/A
On September 1, 2021, Kapersky reported that it had detected over 1,500 fraudulent global resources targeting potential crypto investors/users interested in mining, and prevented over 70,000 user attempts to visit such sites, since the beginning of 2021.
On August 30, 2021, Cream Finance, a Taiwanese decentralised finance platform, lost over $29 million in cryptocurrency assets to hackers.
Location: Taiwan Date Breach First Reported: 8/30/2021
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On August 30, 2021, Cream Finance, a Taiwanese decentralised finance platform, lost over $29 million in cryptocurrency assets to hackers. The hackers exploited a bug and used a re-entrancy attack to steal AMP tokens and ETH coins.
On August 25, 2021, FIN8, the financially motivated cybercriminal gang, backdoored and breached the network of two unidentified U.S. financial organizations.
Location: United States
Date Breach First Reported:8/25/2021
Method: Malware
Type: Theft
Type: Non-state actor
Attribution: High confidence
On August 25, 2021, FIN8, the financially motivated cybercriminal gang, backdoored and breached the network of two unidentified U.S. financial organizations. The attack was conducted using the new Sardonic malware, an updated version of the BadHatch backdoor.
On August 18, 2021, Liquid, a Japanese cryptocurrency exchange, was the target in a cyber attack that resulted in a loss of $97 million worth of digital coins.
Location: Japan
Date Breach First Reported: 8/18/2021
Method: N/A
Type: Theft
Type: Unknown
Attribution: Unknown
On August 18, 2021, Liquid, a Japanese cryptocurrency exchange, was the target in a cyber attack that resulted in a loss of $97 million worth of digital coins. According to researchers, $45 million were in ethereum tokens, which were converted to ether, to prevent the assets from being frozen.
On August 16, 2021, Nigerian police arrested a suspected fraudster, who revealed that the country's Access Bank and First Bank were the easiest banks to hack.
Location: Nigeria
Date Breach First Reported:8/16/2021
Method: Multiple
Type: Theft
Type: Non-state actor
Attribution: High confidence
On August 16, 2021, Nigerian police arrested a suspected fraudster, who revealed that the country's Access Bank and First Bank were the easiest banks to hack. The fraudster further disclosed how his gang emptied the bank accounts of Nigerians using missing or stolen SIM cards.
On August 13, 2021, Brazil's National Treasury was hit by a ransomware attack.
Location: Brazil
Date Breach First Reported:8/15/2021
Method: Ransomware
Type: Multiple
Type: Unknown
Attribution: Unknown
On August 13, 2021, Brazil's National Treasury was hit by a ransomware attack. Assessments found there was no damage to the structuring systems of the National Treasury or to programs that enable the purchase of Brazilian government bonds.
On August 10, 2021, Poly Network, a Chinese blockchain site, lost $600 million after hackers exploited a vulnerability in their system to steal thousands of digital tokens.
Location: China
Date Breach First Reported:8/11/2021
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On August 10, 2021, Poly Network, a Chinese blockchain site, lost $600 million after hackers exploited a vulnerability in their system to steal thousands of digital tokens. While dubbed one of the largest cryptocurrency heists ever, the hackers subsequently returned all of the funds stolen in the hack
On July 27, 2021, Cleafy researchers reported that users of banking applications in Spain, Poland, Germany, Turkey, the United States, Japan, Italy, Australia, France, and India were being targeted by a botnet campaign dubbed UBEL.
Location: Spain, Poland, Germany, Turkey, United States, Japan, Italy, Australia, France, India
Date Breach First Reported:7/27/2021
Method: Malware
Type: Multiple
Type: Unknown
Attribution: Unknown
On July 27, 2021, Cleafy researchers reported that users of banking applications in Spain, Poland, Germany, Turkey, the United States, Japan, Italy, Australia, France, and India were being targeted by a botnet campaign dubbed UBEL. UBEL can gain access to sensitive information and exfiltrate it back to a remote server, hiding its presence and achieving persistence. The campaign relied on a botnet created from the Android malware Oscorp. The malware was previously observed abusing accessibility services to hijack user credentials from European banking applications.
On July 16, 2021, BackNine, an insurance tech start-up, exposed thousands of sensitive insurance applications in a data breach.
Location: United States
Date Breach First Reported:7/16/2021
Method: Other
Type: Data breach
Type: N/A
Attribution: N/A
On July 16, 2021, BackNine, an insurance tech start-up, exposed thousands of sensitive insurance applications in a data breach. One of BackNine’s storage servers, hosted on Amazon’s cloud, was misconfigured to allow anyone access to the 711,000 files inside, including completed insurance applications that contain highly sensitive personal and medical information on the applicant and their family.
On July 9, 2021, the FBI warned cryptocurrency owners, exchanges, and third-party payment platforms of threat actors actively targeting virtual assets.
Location: United States
Date Breach First Reported:7/9/2021
Method: Multiple
Type: Theft
Type: N/A
Attribution: N/A
On July 9, 2021, the FBI warned cryptocurrency owners, exchanges, and third-party payment platforms of threat actors actively targeting virtual assets. According to the FBI, attackers are using several tactics to steal and launder cryptocurrency, including technical support fraud, SIM swapping (aka SIM hijacking), and taking control of their targets' cryptocurrency exchange accounts via identity theft or account takeovers.
On July 10, 2021, Morgan Stanley, the American investment banking giant, reported a data breach tied to zero-day attacks on Accellion's legacy File Transfer Appliance.
Location: United States
Date Breach First Reported:7/10/2021
Method: Ransomware
Type: Theft
Type: Non-state actor
Attribution: High confidence
On July 10, 2021, Morgan Stanley, the American investment banking giant, reported a data breach tied to zero-day attacks on Accellion's legacy File Transfer Appliance. Attackers stole personal information belonging to its customers by hacking into the Accellion FTA server of its third-party vendor, Guidehouse.
On June 16, 2021, researchers at RiskIQ discovered that a Google IP address briefly hosted a malicious card skimmer domains.
Location: N/A
Date Breach First Reported:6/16/2021
Method: Other
Type: Theft
Type: Non-state actor
Attribution: High confidence
On June 16, 2021, researchers at RiskIQ discovered that a Google IP address briefly hosted a malicious card skimmer domains. This IP then hosted a domain offering a helpful service for card skimmers (bit2check), allowing them to authenticate stolen payment data for a fee. Researchers found that the individual behind bit2check is a Kurdish actor calling themself Hama.
On June 12, 2021, Intuit, an American financial software company, notified TurboTax customers that some of their personal and financial data has been compromised in account takeover attacks.
Location: United States
Date Breach First Reported:6/12/2021
Method: Credential Stuffing
Type: Data breach
Type: Unknown
Attribution: Unknown
On June 12, 2021, Intuit, an American financial software company, notified TurboTax customers that some of their personal and financial data has been compromised in account takeover attacks. Criminals gained access to victims' account using credentials stolen from previously breached online services.
On June 4, 2021, Fiducia & GAD IT, a German company that operates technology on the nation's cooperative banks, was hit by a DDoS attack, disrupting more than 800 financial institutions in the country.
Location: Germany
Date Breach First Reported:6/4/2021
Method: DDoS
Type: Disruption
Type: Unknown
Attribution: Unknown
On June 4, 2021, Fiducia & GAD IT, a German company that operates technology on the nation's cooperative banks, was hit by a DDoS attack, disrupting more than 800 financial institutions in the country.
On May 25, 2021, UK-based insurance firm One Call stated that it had successfully restored its systems onto a new environment separate from the one that was impacted by a ransomware attack on May 13, adding that a ransomware note purportedly from DarkSide could not be verified as authentic.
Location: United Kingdom
Date Breach First Reported:5/25/2021
Method: Ransomware
Type: Theft
Type: Unknown
Attribution: Unknown
On May 25, 2021, UK-based insurance firm One Call stated that it had successfully restored its systems onto a new environment separate from the one that was impacted by a ransomware attack on May 13, adding that a ransomware note purportedly from DarkSide could not be verified as authentic.
On May 24, 2021, two ransomware groups, DarkSide and Ragnar Locker, demanded ransom from three small banks after posting evidence of stolen customer data belonging to the banks.
Location: United States
Date Breach First Reported:5/24/2021
Method: Ransomware
Type: Theft
Type: Unknown
Attribution: Unknown
On May 24, 2021, two ransomware groups, DarkSide and Ragnar Locker, demanded ransom from three small banks after posting evidence of stolen customer data belonging to the banks.
From May to August 2021, researchers from Cyren reported a 300% increase in phishing attacks targeting Chase Bank.
Location: United States
Date Breach First Reported:10/5/2021
Method: Phishing
Type: Theft
Type: Unknown
Attribution: Unknown
From May to August 2021, researchers from Cyren reported a 300% increase in phishing attacks targeting Chase Bank. The XBALTI phishing kits were designed to mimic the Chase banking portal. Researchers stated that the phishing kits were highly sophisticated and designed to harvest more than just email addresses and passwords, including banking and credit card information, social security numbers, and home addresses.
On May 16, 2021, French insurer Axa said that its branches in Thailand, Malaysia, Hong Kong and the Philippines had been struck by a ransomware attack.
Location: N/A
Date Breach First Reported:5/16/2021
Method: Ransomware
Type: Theft
Type: Non-state actor
Attribution: Known
On May 16, 2021, French insurer Axa said that its branches in Thailand, Malaysia, Hong Kong and the Philippines had been struck by a ransomware attack. A day before, the Avaddon ransomware group claimed to have stolen 3 TB of sensitive data from AXA's Asian operations and initiated DDoS attacks.
On May 12, 2021, Sophos, a cybersecurity firm, identified 167 fake Android and iOS financial trading, banking, and cryptocurrency apps being used by hackers to steal money.
Location: N/A
Date Breach First Reported:5/12/2021
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
On May 12, 2021, Sophos, a cybersecurity firm, identified 167 fake Android and iOS financial trading, banking, and cryptocurrency apps being used by hackers to steal money. The attackers used social engineering techniques, counterfeit websites including a fake iOS App Store download page, and an iOS app-testing website to distribute the fake apps to unsuspecting users.
On May 24, 2021, researchers from ClearSky determined that the North Korean state-sponsored group Lazarus was behind multiple attacks on cryptocurrency exchanges, previously attributed to a threat actor they named CryptoCore.
Location: United States, Israel, Japan
Date Breach First Reported:5/24/2021
Method: Multiple
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On May 24, 2021, researchers from ClearSky determined that the North Korean state-sponsored group Lazarus was behind multiple attacks on cryptocurrency exchanges, previously attributed to a threat actor they named CryptoCore. The group is believed to have stolen hundreds of millions of U.S. dollars by breaching cryptocurrency exchanges in the U.S., Israel, Europe, and Japan over the past three years.
On May 17, 2021, a cybersecurity firm uncovered a new banking trojan family dubbed "Bizarro" that rampantly scaled up its operations from Brazil to Europe.
Location: N/A
Date Breach First Reported:5/17/2021
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
On May 17, 2021, a cybersecurity firm uncovered a new banking trojan family dubbed "Bizarro" that rampantly scaled up its operations from Brazil to Europe. These trojans have been used to try and steal credentials from customers of 70 banks from different European and South American countries.
On April 11, 2021, stockmarket broker Upstox announced a data breach that compromised contact data and KYC details of its users from third-party data-warehouse systems.
Location: India
Date Breach First Reported:4/11/2021
Method: Ransomware
Type: Theft
Type: Unknown
Attribution: Unknown
On April 11, 2021, stockmarket broker Upstox announced a data breach that compromised contact data and KYC details of its users from third-party data-warehouse systems. Hackers apparently demanded a ransom of $1.2 million in order to not go public with the data.
On September 22, 2021, Debt-IN Consultants, a South African debt collector, was hit by a major ransomware attack, resulting in a significant data breach of consumer and employee personal information.
Location: South Africa
Date Breach First Reported:9/22/2021
Method: Ransomware
Type: Data breach
Type: Non-state actor
Attribution: Speculated
On September 22, 2021, Debt-IN Consultants, a South African debt collector, was hit by a major ransomware attack, resulting in a significant data breach of consumer and employee personal information. The data of more than 1.4 million South Africans was illegally accessed from the company’s servers, with confidential consumer data and voice recordings of calls between Debt-IN debt recovery agents and financial services customers posted on the dark web.
On March 21, 2021, CNA Financial suffered a ransomware attack which disrupted the company’s employee and customer services for three days.
Location: United States
Date Breach First Reported:3/23/21
Method: Ransomware
Type: Theft
Type: Non-state actor
Attribution: High confidence
On March 21, 2021, CNA Financial suffered a ransomware attack which disrupted the company’s employee and customer services for three days. The insurance company engaged third-party forensic experts and also alerted law enforcement to begin further investigations. CNA later revealed that over 75,000 people's personal data was exposed during the attack. Subsequent reporting revealed the firm paid $40 million in ransom.
On March 17, 2021, the database of the card shop Swarmshop was leaked on a rival underground forum.
Location: N/A
Date Breach First Reported:4/8/2021
Method: Unknown
Type: Theft
Type: Non-state actor
Attribution: Unknown
On March 17, 2021, the database of the card shop Swarmshop was leaked on a rival underground forum. The compromised data contained 623,036 payment-card records, 498 sets of online banking account credentials, 69,592 sets of American Social Security Numbers and Canadian Social Insurance Numbers, and 12,344 records of user data. The leak was discovered on April 8, 2021 by a computer intelligence firm.
On March 17, 2021, the Federal Trade Commission (FTC) issued an alert warning individuals of an e-mail scam about COVID-19 stimulus payments.
Location: United States
Date Breach First Reported:3/17/21
Method: N/A
Type: Theft
Type: N/A
Attribution: N/A
On March 17, 2021, the Federal Trade Commission (FTC) issued an alert warning individuals of an e-mail scam about COVID-19 stimulus payments. The new scam emails appear to be from acting FTC Chairwoman Rebecca Slaughter.
On March 17, 2021, the FBI released its Internet Crime Report 2020 which stated that American victims reported $4.2 billion in losses as a result of cybercrime and internet fraud to the FBI last year.
Location: United States, Canada, South Africa, Panama, Italy
Date Breach First Reported:3/17/21
Method: N/A
Type: Theft
Type: N/A
Attribution: N/A
On March 17, 2021, the FBI released its Internet Crime Report 2020 which stated that American victims reported $4.2 billion in losses as a result of cybercrime and internet fraud to the FBI last year. The FBI’s Internet Crime Complaint Center claimed that it received an average of more than 2,000 complaints per day through 2020. Losses of $1.8 billion, $29.1 million, and $146 million were suffered due to BEC scams, ransomware attacks, and technology support scams respectively in the United States.
On April 19, 2021, a cybersecurity firm reported a new set of fraudulent Android apps in the Google Play store, primarily targeting users in Southwest Asia and the Arabian Peninsula.
Location: N/A
Date Breach First Reported:4/19/2021
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
On April 19, 2021, a cybersecurity firm reported a new set of fraudulent Android apps in the Google Play store, primarily targeting users in Southwest Asia and the Arabian Peninsula. The apps, suspected to belong to the "Joker" malware, work by hijacking SMS message notifications to carry out billing fraud. More than 700,000 downloads were recorded before the apps were removed from the platform.
On March 10, 2021, Bitdefender reported re-emergence of the threat actor FIN 8 in 2020 and the subsequent updated versions of its point-of-sale malware, BadHatch.
Location: United States, Canada, South Africa, Panama, Italy
Date Breach First Reported:3/10/21
Method: Ransomware
Type: Theft
Type: Non-state actor
Attribution: High confidence
On March 10, 2021, Bitdefender reported re-emergence of the threat actor FIN 8 in 2020 and the subsequent updated versions of its point-of-sale malware, BadHatch. FIN8 has been using new versions of BadHatch backdoor to compromise companies in chemical insurance, retail, and technology in the United States, Canada, South Africa, Panama, and Italy.
On March 04, 2021, the Financial Industry Regulatory Authority (FINRA) warned member firms of an ongoing phishing campaign involving emails sent by impersonators.
Location: United States
Date Breach First Reported:3/4/21
Method: Phishing
Type: Theft
Type: Unknown
Attribution: Unknown
On March 04, 2021, the Financial Industry Regulatory Authority (FINRA) warned member firms of an ongoing phishing campaign involving emails sent by impersonators. The emails urged recipients to respond to a non-compliance issue by opening a corrupt link or document.
On March 3, 2021, a cybersecurity firm reported Capital Call Investment scams as the latest threat vector used to swindle exorbitant amount of money from Wall Street firms and their clients.
Location: United States
Date Breach First Reported:3/3/21
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On March 3, 2021, a cybersecurity firm reported Capital Call Investment scams as the latest threat vector used to swindle exorbitant amount of money from Wall Street firms and their clients. Scammers have been impersonating investment firms to seek funds for investment commitments.
On March 02, 2021, a cybersecurity firm disclosed a new variant of the malware Ploutus which has been targeting ageing ATM devices produced by Itautec.
Location: N/A
Date Breach First Reported:3/2/21
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
On March 02, 2021, a cybersecurity firm disclosed a new variant of the malware Ploutus which has been targeting ageing ATM devices produced by Itautec. Ploutus-I operates by communicating directly with XFS to command the ATMs to disgorge cash.
On July 9, 2021, CNA Financial Corporation, a leading US-based insurance company, notified customers of a data breach following a March 2021 ransomware attack.
Location: United States
Date Breach First Reported: 7/9/2021
Method: Ransomware
Type: Data breach
Type: Non-state actor
Attribution: High confidence
On July 9, 2021, CNA Financial Corporation, a leading US-based insurance company, notified customers of a data breach following a March 2021 ransomware attack. Over 75,000 individuals are estimated to be affected.
On February 19, 2021, Sequoia Capital informed its investors of a data breach jeopardizing some of their personal and financial information.
Location: United States
Date Breach First Reported:2/20/21
Method: Phishing
Type: Theft
Type: Unknown
Attribution: Unknown
On February 19, 2021, Sequoia Capital informed its investors of a data breach jeopardizing some of their personal and financial information. The company claimed to have been a victim of a phishing attack.
On February 17, 2021, a federal indictment charged three North Korean computer programmers with participating in a wide-ranging criminal conspiracy including conducting a series of destructive cyberattacks, stealing and extorting more than $1.3 billion of money and cryptocurrency from financial institutions and companies, creating and deploying multiple malicious cryptocurrency applications, and developing and fraudulently marketing a blockchain platform.
Location: North Korea
Date Breach First Reported: 2/17/21
Method: N/A
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On February 17, 2021, a federal indictment charged three North Korean computer programmers with participating in a wide-ranging criminal conspiracy including conducting a series of destructive cyberattacks, stealing and extorting more than $1.3 billion of money and cryptocurrency from financial institutions and companies, creating and deploying multiple malicious cryptocurrency applications, and developing and fraudulently marketing a blockchain platform. The suspects were believed to have been working for the North Korean military and were linked to the prolific North Korean threat group Lazarus. The trio are thought to be behind cyberattacks beginning as early as November 2014 targeting the media industry.
On February 16, 2021, the New York State Department of Financial Services (DFS) alerted all its regulated entities of a cybercampaign stealing customer’s personal information from public-facing websites.
Location: United States
Date Breach First Reported:2/16/21
Method: Phishing
Type: Theft
Type: Unknown
Attribution: Unknown
On February 16, 2021, the New York State Department of Financial Services (DFS) alerted all its regulated entities of a cybercampaign stealing customer’s personal information from public-facing websites. The criminals are suspected of using the stolen data to illegally access pandemic and unemployment benefits.
On February 10, 2021, the Internal Revenue Service (IRS) warned US tax professionals of a phishing scam attempting to steal the tax preparer’s identity.
Location: United States
Date Breach First Reported:2/10/21
Method: Phishing
Type: Theft
Type: Unknown
Attribution: Unknown
On February 10, 2021, the Internal Revenue Service (IRS) warned US tax professionals of a phishing scam attempting to steal the tax preparer’s identity. The scammers have been impersonating the IRS to trick tax preparers to disclose sensitive information that would allow them to file fraudulent tax returns.
On February 3, 2021, Automatic Funds Transfer Services, a payment processor, suffered a ransomware attack by a group called Cuba Ransomware.
Location: United States
Date Breach First Reported:2/18/21
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
On February 3, 2021, Automatic Funds Transfer Services, a payment processor, suffered a ransomware attack by a group called Cuba Ransomware. The group claimed to have stolen sensitive information including financial documents, correspondences with bank employees, account movements, balance sheets, and tax documents. The attack sparked data breach notifications from numerous US state agencies.
On May 12, 2021 the FBI warned of a spear-phishing campaign impersonating Truist Bank, in an attempt to get recipients to download a fake Windows application.
Location: United States
Date Breach First Reported:5/12/21
Method: Multiple
Type: Theft
Type: Unknown
Attribution: Unknown
On May 12, 2021 the FBI warned of a spear-phishing campaign impersonating Truist Bank, in an attempt to get recipients to download a fake Windows application. Other U.S. and UK financial institutions have also been impersonated in the campaign, spoofing these institutions through registered domains, email subjects, and applications.
On May 13, 2021, a cybersecurity firm discovered a new backdoor malware called Lizar being employed by the FIN7 cybercrime gang.
Location: N/A
Date Breach First Reported: 5/13/21
Method: Malware
Type: Theft
Type: Non-state actor
Attribution: Known
On May 13, 2021, a cybersecurity firm discovered a new backdoor malware called Lizar being employed by the FIN7 cybercrime gang. The group has been impersonating a legitimate cybersecurity company to distribute Lizar as a penetration testing tool for Windows networks.
The Reserve Bank of New Zealand suffered a data breach after actors illegally accessed its information through one of the bank's third-party file sharing services.
Location: New Zealand
Date Breach First Reported:1/10/21
Method: Unknown
Type: Data Breach
Type: Unknown
Attribution: Unknown
The Reserve Bank of New Zealand suffered a data breach after actors illegally accessed its information through one of the bank's third-party file sharing services. The Bank is now actively seeking a new platform to replace the previously compromised file sharing service.
Claiming over 30,000 victims within the US, the large-scale cyberattack on Microsoft Exchange servers was first discovered by a security testing firm on January 6, 2021.
Location: N/A
Date Breach First Reported:1/6/21
Method: N/A
Type: Data Breach
Type: Non-state actor
Attribution: Speculated
Claiming over 30,000 victims within the United States, the large-scale cyberattack on Microsoft Exchange servers was first discovered by a security testing firm on January 6, 2021. The hackers dubbed Hafnium exploited four zero-day vulnerabilities in the servers to claim hundreds of thousands of victims globally including the European Banking Authority and Chile's Comisión para el Mercado Financiero. On March 5 2021, Microsoft released security updates to patch the vulnerabilities which prompted the hackers to hasten their operation.
A hacker posted data of 10,000 Mexico-based American Express card users on a forum for free.
Location: Mexico
Date Breach First Reported:1/5/21
Method: Unknown
Type: Data Breach
Type: Unknown
Attribution: Unknown
A hacker posted data of 10,000 Mexico-based American Express card users on a forum for free. Information included full credit card numbers and personal information such as emails and addresses, but did not contain passwords or expiration dates. In the forum post, the hacker also claimed to have more data information from Mexican bank customers of Santander, American Express, and Banamex.
Chinese cybercrime group Rocke released an improved version of its cryptojacking malware Pro-Ocean targeting cloud applications with the goal of mining Monero, a decentralized cryptocurrency.
Location: N/A
Date Breach First Reported:1/27/21
Method: Malware
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
Chinese cybercrime group Rocke released an improved version of its cryptojacking malware Pro-Ocean targeting cloud applications with the goal of mining Monero, a decentralized cryptocurrency. The latest variant comes with better worm and rootkit capabilities and has been leveraging known vulnerabilities to target Apache ActiveMQ, Oracle WebLogic, and Redis.
A new SMS-based phishing scheme has been targeting PayPal in an attempt to gain access to accounts.
Location: N/A
Date Breach First Reported:1/4/21
Method: Phishing
Type: Theft
Type: Unknown
Attribution: Unknown
A new SMS-based phishing scheme has been targeting PayPal in an attempt to gain access to accounts. The messages impersonate the payment processor, warning users that their accounts have been limited and that they need to verify their identities.
At the beginning of January 2021, a cybersecurity firm discovered a new Android banking trojan dubbed as TeaBot.
Location: N/A
Date Breach First Reported:05/10/21
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
At the beginning of January 2021, a cybersecurity firm discovered a new Android banking trojan dubbed as TeaBot. The malware aims to steal victim’s credentials and SMS messages to carry out fraudulent transactions against a predefined list of banks.
Two million credit score records from Chqbook, an Indian FinTech startup, were found on the dark web.
Location: India
Date Breach First Reported:1/27/21
Method: Unknown
Type: Data Breach
Type: Unknown
Attribution: Unknown
Two million credit score records from Chqbook, an Indian FinTech startup, were found on the dark web. The leaked data contained users’ names, contact details, and loan detail information. The hacking group ShinyHunters was believed to have been responsible for the leak.
On January 22, hackers published over 4,000 documents from the Scottish Environmental Protection Agency (SEPA) after the organization refused to pay a ransom.
Location: United Kingdom
Date Breach First Reported:1/22/21
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On January 22, hackers published over 4,000 documents from the Scottish Environmental Protection Agency (SEPA) after the organization refused to pay a ransom. SEPA fell victim to a hack on December 24, where around 1.2GB of data was stolen from its servers. However, the agency has refused to entertain ransom demands.
Starting in mid-December 2020, cybercriminal groups linked to FIN11 and the Clop group began exploiting multiple zero-day vulnerabilities in Accellion's legacy File Transfer Appliance.
Location: Australia, New Zealand, United States
Date Breach First Reported:12/20/20
Method: Malware
Type: Theft
Type: Non-state actor
Attribution: Known
Starting in mid-December 2020, cybercriminal groups linked to FIN11 and the Clop group began exploiting multiple zero-day vulnerabilities in Accellion's legacy File Transfer Appliance. Globally, around 100 Accellion customers using the software were targeted including the Australian Securities and Investment Commission (ASIC), Michigan FlagStar bank, and New Zealand’s central bank.
On December 8, FBI Director Christopher Wray warned banks to be wary of "cyber criminals targeting the vulnerabilities in third-party services” as a way in to financial institution data.
Location: United States
Date Breach First Reported:12/8/20
Method: Multiple
Type: Theft
Type: N/A
Attribution: N/A
On December 8, FBI Director Christopher Wray warned banks to be wary of "cyber criminals targeting the vulnerabilities in third-party services” as a way in to financial institution data. Wray issued this warning at a conference on financial crimes enforcement.
Researchers from IBM Trusteer discovered that criminals had been using mobile device emulators to steal millions from European and American banks.
Location: N/A
Date Breach First Reported:12/16/20
Method: Multiple
Type: Theft
Type: Unknown
Attribution: Unknown
Researchers from IBM Trusteer discovered that criminals had been using mobile device emulators to steal millions from European and American banks. The hackers used around 20 emulators to spoof more than 16,000 phones belong to customers with compromised accounts. By entering usernames and passwords through these emulators, hackers were able to initiate fraudulent money orders and siphon money from mobile accounts.
Shirbit, an Israeli-based insurance company, was hit by a ransomware attack that appears to be the work of the hacker group BlackShadow.
Location: Israel
Date Breach First Reported:12/4/20
Method: Ransomware
Type: Theft
Type: Non-state actor
Attribution: High confidence
Shirbit, an Israeli-based insurance company, was hit by a ransomware attack that appears to be the work of the hacker group BlackShadow. The group demanded 50 bitcoin at first, gradually increasing its demands to 200 bitcoin. Although BlackShadow released several rounds of sensitive data, Shirbit refused to pay the ransom.
On December 3, Absa, a South African bank, confirmed that an employee working as a credit analyst sold the personal information of some 200,000 customers to third parties.
Location: South Africa
Date Breach First Reported:12/3/20
Method: Insider Threat
Type: Theft
Type: Non-state actor
Attribution: High confidence
On December 3, Absa, a South African bank, confirmed that an employee working as a credit analyst sold the personal information of some 200,000 customers to third parties.
In 2020, a Russian-based cybercrime operation, known as "Classiscam," helped classified ad scammers steal more than $6.5M from users in Europe and the United States.
Location: N/A
Date Breach First Reported:1/14/21
Method: Multiple
Type: Theft
Type: Unknown
Attribution: Unknown
In 2020, a Russian-based cybercrime operation, known as "Classiscam," helped classified ad scammers steal more than $6.5M from users in Europe and the United States. Scammers expanded operations by employing native speakers to lure potential buyers into conversations on WhatsApp and other messaging platforms.
A new remote access tool (RAT) has become prevalent in a new campaign against cryptocurrency users.
Location: N/A
Date Breach First Reported:12/1/20
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
A new remote access tool (RAT) has become prevalent in a new campaign against cryptocurrency users. Dubbed "ElectroRAT," the new tool is written in the Go programming language and appears to target a variety of operating systems, including Windows, MacOS, and Linux. Security researchers believe that the RAT has been in use for at least a year.//frst-timeline-block
On June 29, 2021, Denmark’s central bank disclosed that it was compromised in the 2020 global SolarWinds hacking operation.
Location: Denmark
Date Breach First Reported:6/29/2021
Method: Multiple
Type: Data breach
Type: State-sponsored actor
Attribution: Speculated
On June 29, 2021, Denmark’s central bank disclosed that it was compromised in the 2020 global SolarWinds hacking operation. While a backdoor to its network was open for seven months, the bank said there's been no evidence of compromise beyond the first stage of attack.
Earlier in 2020, hackers broke into SolarWinds' "Orion" system, an IT-management instrument used by multiple U.S. government agencies and many major companies.
Location: United States
Date Breach First Reported:12/13/20
Method: Malware
Type: Espionage
Type: State-sponsored actor
Attribution: High confidence
Earlier in 2020, hackers broke into SolarWinds' "Orion" system, an IT-management instrument used by multiple U.S. government agencies and many major companies. The hack appears to be the work of state-sponsored actors operating out of Russia. Although no initial reports indicated that major U.S. banks were targets, FS-ISAC has been partnering with Wall Street to offer strategic risk mitigation strategies.
On November 16, security researchers discovered that a widespread security application used by South Korean banks and government agencies had been compromised through a novel supply-chain attack.
Location: South Korea
Date Breach First Reported:11/16/20
Method: Malware
Type: Theft
Type: Non-state actor
Attribution: High confidence
On November 16, security researchers discovered that a widespread security application used by South Korean banks and government agencies had been compromised through a novel supply-chain attack. The attack compromised the digital security certificates of two firms, corrupting browser software and enabling the spread of trojan malware. The Lazarus Group is thought to be behind the attacks.
On Monday, November 16, Australia's stock exchange halted trading 20 minutes after opening due to a software issue that caused inaccurate market data.
Location: Australia
Date Breach First Reported:11/16/21
Method: N/A
Type: Disruption
Type: N/A
Attribution: N/A
On Monday, November 16, Australia's stock exchange halted trading 20 minutes after opening due to a software issue that caused inaccurate market data. The problem was remedied overnight and the exchange reopened on Tuesday.
Over the course of the week of November 15, fraudsters scammed employees at GoDaddy, the world's largest domain name registrar, into transferring ownership and/or control of targeted domains to unauthorized users.
Location: N/A
Date Breach First Reported:11/20/20
Method: Multiple
Type: Theft
Type: Unknown
Attribution: Unknown
Over the course of the week of November 15, fraudsters scammed employees at GoDaddy, the world's largest domain name registrar, into transferring ownership and/or control of targeted domains to unauthorized users. Then, these scammers were able to redirect email and web traffic destined for several crytocurrency trading platforms.
Ghimob, a banking malware originating from Brazil, has recently begun spreading globally.
Location: Brazil
Date Breach First Reported:11/9/20
Method: Malware
Type: Theft
Type: Non-state actor
Attribution: Unknown
Ghimob, a banking malware originating from Brazil, has recently begun spreading globally. The malware is a fully featured trojan that allows hackers to access the infected device remotely and complete the fraudulent transaction with the victim's smartphone, thereby avoiding anti-fraud behavioral systems run by financail institutions.
On November 23, security researchers became aware of a resurgence in Gootkit infections in Germany.
Location: Germany
Date Breach First Reported:11/23/20
Method: Multiple
Type: Theft
Type: Non-state actor
Attribution: Speculated
On November 23, security researchers became aware of a resurgence in Gootkit infections in Germany. Gootkit is a capable banking trojan designed to steal financially-related information. In this latest campaign, attackers used compromised websites to trick users into downloading malicious files.
On October 31, Indonesian fintech company Cermati reported 2.9 million users' information was leaked and sold in a hacker forum.
Location: Indonesia
Date Breach First Reported:10/31/20
Method: Unknown
Type: Data Breach
Type: Unknown
Attribution: Unknown
On October 31, Indonesian fintech company Cermati reported 2.9 million users' information was leaked and sold in a hacker forum. User information included full names, email addresses, physical addresses, phone numbers, bank accounts, and tax and national ID numbers.
On October 23, a software defect led to a disruption to the European Central Bank’s main payment system for almost 11 hours.
Location: Germany
Date Breach First Reported:10/28/20
Method: N/A
Type: Disruption
Type: N/A
Attribution: N/A
On October 23, a software defect led to a disruption to the European Central Bank’s main payment system for almost 11 hours. The disruption affected ECB's Target2 critical function.
On October 19, 2020, researchers from IBM uncovered a new form of malware using remote overlay attacks to strike Brazilian bank account holders, which has been dubbed Vizom.
Location: Brazil
Date Breach First Reported:10/19/20
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
On October 19, 2020, researchers from IBM uncovered a new form of malware using remote overlay attacks to strike Brazilian bank account holders, which has been dubbed Vizom. It is being utilized in an active campaign across Brazil designed to compromise bank accounts via online financial services. Vizom spreads through spam-based phishing campaigns and disguises itself as popular videoconferencing software, tools that have become crucial to business and social life due to the coronavirus pandemic.
On October 14, FireEye reported that FIN11, a financial cybercrime group active since 2016, has recently switched to ransomware as its primary mode of attack.
Location: N/A
Date Breach First Reported:10/14/20
Method: Ransomware
Type: Theft
Type: Non-state actor
Attribution: High confidence
On October 14, FireEye reported that FIN11, a financial cybercrime group active since 2016, has recently switched to ransomware as its primary mode of attack. FIN11 has been conducting attacks around the world since 2016. FIN11 campaigns initially focused on entering networks to steal data, with researchers noting that the hacking group commonly deployed BlueSteal, a tool used to steal banking information from Point-of-Sale (POS) terminals.
On October 11, nearly 4000 clients of BetterSure, a South African home insurance company, experienced a phishing attack but no data was comprised.
Location: South Africa
Date Breach First Reported:10/12/20
Method: Phishing
Type: Data breach
Type: Unknown
Attribution: Unknown
On October 11, nearly 4000 clients of BetterSure, a South African home insurance company, experienced a phishing attack but no data was comprised. Using a phishing e-mail, the attackers gained access to an internal e-mail account of a BetterSure administration employee. However, the bank says its firewall and e-mail security system immediately picked up on the threat. The bank claims that no personal data was accessed.
On October 3, 2020, hackers targeted Pegasus Technologies, a firm that processes mobile money transactions for two telecom firms, MTN Uganda and Airtel.
Location: Uganda
Date Breach First Reported:10/5/20
Method: SIM Card Fraud
Type: Theft
Type: Unknown
Attribution: Unknown
On October 3, 2020, hackers targeted Pegasus Technologies, a firm that processes mobile money transactions for two telecom firms, MTN Uganda and Airtel. The service was temporarily suspended, causing a halt to much of the mobile money transfer ecosystem in the country. At least $3.2 million is estimated to have been stolen in the hack.
On October 1, 2020, a technical glitch halted trading on Japan’s stock exchanges, including the Nikkei 225.
Location: Japan
Date Breach First Reported:10/1/20
Method: N/A
Type: Disruption
Type: N/A
Attribution: N/A
On October 1, 2020, a technical glitch halted trading on Japan’s stock exchanges, including the Nikkei 225. The disruption happened when a backup system failed to kick in after a hardware malfunction, according to the Japan Exchange Group. The halt wasn't connected to a cyber attack. Trading was suspended at the main Tokyo stock exchange along with connected bourses in Nagoya, Fukuoka and Sapporo.
On September 23, 2020, several Hungarian banking and telecommunication services were disrupted by a powerful DDoS attack launched from computer servers in Russia, China, and Vietnam, telecoms firm Magyar Telekom reported.
Location: Hungary
Date Breach First Reported:9/26/20
Method: DDoS
Type: Disruption
Type: Unknown
Attribution: Unknown
On September 23, 2020, several Hungarian banking and telecommunication services were disrupted by a powerful DDoS attack launched from computer servers in Russia, China, and Vietnam, telecoms firm Magyar Telekom reported. The volume of data traffic in the attack was 10 times higher than the amount usually seen in DDoS events, the company said.
On September 23, 2020, Group-IB reported that a cybercrime gang dubbed 'OldGremlin' had been targeting banks and other businesses in Russia with ransomware since early March, 2020.
Location: Russia
Date Breach First Reported:9/23/20
Method: Ransomware
Type: Theft
Type: Non-state actor
Attribution: Unknown
On September 23, 2020, Group-IB reported that a cybercrime gang dubbed 'OldGremlin' had been targeting banks and other businesses in Russia with ransomware since early March, 2020. OldGremlin uses spear-phishing emails to enter networks and then encrypts data for a ransom of around $50,000. The Russian-speaking group is also notable for its apparent focus on Russian-based companies.
On September 6, 2020, Banco Estado, the only public bank in Chile and one of the three largest in the country, had to shut down its nationwide operations on Monday due to a ransomware cyberattack launched by REvil.
Location: Chile
Date Breach First Reported: 9/6/20
Method: Ransomware
Type: Theft
Type: Non-state actor
Attribution: High confidence
On September 6, 2020, Banco Estado, the only public bank in Chile and one of the three largest in the country, had to shut down its nationwide operations on Monday due to a ransomware cyberattack launched by REvil.
On August 28, 2020, Morocco’s CIH Bank experienced a breach customer accounts resulting in unauthorized transactions.
Location: Morocco
Date Breach First Reported:8/29/20
Method: Skimmer
Type: Theft
Type: Unknown
Attribution: Unknown
On August 28, 2020, Morocco’s CIH Bank experienced a breach customer accounts resulting in unauthorized transactions. According to the bank, the customers’ accounts were hacked after their owners used their credit cards to make online purchases from a scam website, indicating a card skimming scheme. CIH bank has assured customers it will reimburse them for any fraudulent transactions and advised its users to turn off international transactions between use to prevent further fraud.
On August 26, 2020, the U.S. government issued a joint alert to warn the public about an ongoing cyber campaign by North Korea-backed 'BeagleBoyz' group which is using remote access malware tools to steal millions from financial institutions in at least 38 countries around the world.
Location: Argentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Chile, Costa Rica, Ecuador, Ghana, India, Indonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mexico, Mozambique, Nepal, Nicaragua, Nigeria, Pakistan, Panama, Peru, Philippines, Singapore, South Africa, South Korea, Spain, Taiwan, Tanzania, Togo, Turkey, Uganda, Uruguay, Vietnam, Zambia
Date Breach First Reported: 8/26/20
Method: Malware
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On August 26, 2020, the U.S. government issued a joint alert to warn the public about an ongoing cyber campaign by North Korea-backed 'BeagleBoyz' group which is using remote access malware tools to steal millions from financial institutions in at least 38 countries around the world.
The U.S. government considers BeagleBoyz to be a subset of HIDDEN COBRA activity. According to U.S. CISA, 'BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima and are responsible for the FASTCash ATM cash outs reported in October 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and lucrative cryptocurrency thefts'.
On August 26, 2020, Kaspersky revealed a new hack-for-hire group, DeathStalker, had been targeting institutions worldwide since 2012, with a focus law firms and financial entities.
Location: Argentina, China, Cyprus, India, Israel, Lebanon, Switzerland, Russia, Taiwan, Turkey, the United Kingdom, the United Arab Emirates
Date Breach First Reported:8/26/20
Method: Multiple
Type: Multiple
Type: Unknown
Attribution: Unknown
On August 26, 2020, Kaspersky revealed a new hack-for-hire group, DeathStalker, had been targeting institutions worldwide since 2012, with a focus law firms and financial entities. Kaspersky researchers report that DeathStalker is not motivated by financial gain. Victim organizations are small and medium-sized businesses located in Argentina, China, Cyprus, India, Israel, Lebanon, Switzerland, Russia, Taiwan, Turkey, the United Kingdom and the United Arab Emirates.
On August 26, the New Zealand Stock Exchange's network provider experienced an extended DDoS attack that lasted several days and caused the Exchange to shut down operations.
Location: New Zealand
Date Breach First Reported:8/26/20
Method: DDoS
Type: Disruption
Type: Unknown
Attribution: Unknown
On August 26, the New Zealand Stock Exchange's network provider experienced an extended DDoS attack that lasted several days and caused the Exchange to shut down operations. The NZX website and markets announcement platform were also impacted. The Australian government and other member states of the Five Eyes alliance reportedly helped with response and recovery efforts.
On August 19, 2020, Experian South Africa, a major credit bureau, experienced a data breach that exposed personal information of up to 24 million South Africans according to the South Africa Banking Risk Information Centre; however, Experian South Africa disputed the reported numbers.
Location: South Africa
Date Breach First Reported: 8/19/20
Method: Unknown
Type: Data Breach
Type: Unknown
Attribution: Unknown
On August 19, 2020, Experian South Africa, a major credit bureau, experienced a data breach that exposed personal information of up to 24 million South Africans according to the South Africa Banking Risk Information Centre; however, Experian South Africa disputed the reported numbers. 793,749 business entities are thought to be affected.
On August 18, 2020, payments processor Juspay's was hacked through a compromised server, resulting in the leak of over 100 million debit and credit card users.
Location: N/A
Date Breach First Reported: 1/4/21
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On August 18, 2020, payments processor Juspay's was hacked through a compromised server, resulting in the leak of over 100 million debit and credit card users. Juspay processes payments from many major companies, including Amazon, Swiggy, and MakeMyTrip. On January 4, 2021, Juspay confirmed the hack.
On August 17, Akamai, a global content delivery network, reported an ongoing campaign of RDoS (Ransom DDoS) attacks targeting the financial sector and other businesses.
Location: N/A
Date Breach First Reported:8/17/20
Method: DDoS
Type: Disruption
Type: Unknown
Attribution: Unknown
On August 17, Akamai, a global content delivery network, reported an ongoing campaign of RDoS (Ransom DDoS) attacks targeting the financial sector and other businesses. The extortion demands are similar to those used by DDoS ransom groups in the past. The actors claimed to be Fancy Bear and targeted businesses in multiple countries including the UK, the United States, and the APAC region.
On August 15, 2020, the Government of Canada reported that it’s GCKey, a critical single sign-on (SSO) system, had been subject to credential stuffing attacks aimed at stealing COVID-19 relief funds.
Location: Canada
Date Breach First Reported:8/15/20
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On August 15, 2020, the Government of Canada reported that it’s GCKey, a critical single sign-on (SSO) system, had been subject to credential stuffing attacks aimed at stealing COVID-19 relief funds. Attackers were able to get away with 11,200 GCKey accounts. GCKey provides access to crucial services for immigration, taxes, pension, and benefits across Canadian government institutions.
On August 6, Pepperstone, a Melbourne-based global derivatives broker, was subject to a data breach, compromising the personal data of an unknown number of customers.
Location: Australia
Date Breach First Reported:8/6/20
Method: Unknown
Type: Data Breach
Type: Unknown
Attribution: Unknown
On August 6, Pepperstone, a Melbourne-based global derivatives broker, was subject to a data breach, compromising the personal data of an unknown number of customers. Pepperstone’s subsequent investigation showed that no trading accounts or funds had been corrupted.
On August 4, 2020, McAfee reported that ransomware-as-a-service (RaaS) provider NetWalker had made $25 million over the previous five months through ransomware attacks.
Location: N/A
Date Breach First Reported:8/4/20
Method: Ransomware
Type: Theft
Type: Non-state actor
Attribution: Unknown
On August 4, 2020, McAfee reported that ransomware-as-a-service (RaaS) provider NetWalker had made $25 million over the previous five months through ransomware attacks.
From August 2020, Taiwanese financial institutions have been targeted by a state-sponsored, Chinese advanced peristent threat group, Antlion, in an espionage campaign.
Location: Taiwan
Date Breach First Reported:2/3/2022
Method: Other
Type: Espionage
Type: State-sponsored actor
Attribution: High confidence
From August 2020, Taiwanese financial institutions have been targeted by a state-sponsored, Chinese advanced peristent threat group, Antlion, in an espionage campaign. Using the customised backdoor xPack, Antlion gained access to target’s machines, from which they were able to exfiltrate vast amounts of data.
On July 25, 2020, hackers published data and personal information of 7.5 million users of ‘Dave’ banking app.
Location: United States
Date Breach First Reported:7/25/20
Method: Other
Type: Data breach
Type: Non-state actor
Attribution: Unknown
On July 25, 2020, hackers published data and personal information of 7.5 million users of ‘Dave’ banking app. The attackers accessed and exfiltrated data between June 10 and July 3, 2020 by entering through Waydev, a third party analytics platform used by the Dave engineering team. The company has since patched the security gap, but the data has been leaked onto the hacker forum RAID and was available for free download by forum members. The breach included full names, emails, birth dates, and home addresses, encrypted social security numbers, and hashed passwords.
On July 30, 2020, Rwanda Investigation Bureau (RIW) revealed that they had arrested a hacker suspected of stealing Rwf 22.5 million from Nesen Industry Company's bank.
Location: Rwanda
Date Breach First Reported:7/30/20
Method: Unknown
Type: Theft
Type: Non-state actor
Attribution: High confidence
On July 30, 2020, Rwanda Investigation Bureau (RIW) revealed that they had arrested a hacker suspected of stealing Rwf 22.5 million from Nesen Industry Company's bank. The theft had been executed through a local bank's automated payment system to transfer cash to different bank accounts. The bank had initially reported the incident on July 24, 2020.
On July 26, three suspects were arrested by South African authorities for attempting to hack into the South African Social Security Agency (SASSA).
Location: South Africa
Date Breach First Reported:7/26/20
Method: Unknown
Type: Theft
Type: Non-state actor
Attribution: High confidence
On July 26, three suspects were arrested by South African authorities for attempting to hack into the South African Social Security Agency (SASSA). In a court hearing held two a few months after the incident, two of the hackers known to be first time offenders were granted bail.
On July 21, Scotiabank warned “a limited number” of customers of a data breach after Scotiabank bank an employee accessed client accounts without a valid business reason.
Location: Canada
Date Breach First Reported:7/21/20
Method: Other
Type: Data breach
Type: Unknown
Attribution: Unknown
On July 21, Scotiabank warned “a limited number” of customers of a data breach after Scotiabank bank an employee accessed client accounts without a valid business reason.
On July 21, observed Emotet, a known botnet, spreading the QakBot banking trojan at an unusually high rate.
Location: N/A
Date Breach First Reported:7/21/20
Method: Malware
Type: Theft
Type: Non-state actor
Attribution: Unknown
On July 21, observed Emotet, a known botnet, spreading the QakBot banking trojan at an unusually high rate. QakBot recently replaced the longtime TrickBot payload.
On July 16, researchers discovered GMERA malware embedded within Kattana, a cryptocurrency app, being used to steal wallet information.
Location: N/A
Date Breach First Reported:7/16/20
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
On July 16, researchers discovered GMERA malware embedded within Kattana, a cryptocurrency app, being used to steal wallet information.
On July 15, several notable Twitter accounts including Joe Biden and Elon Musk were hacked to post a Bitcoin address purporting to double any contributions to the address.
Location: United States
Date Breach First Reported: 7/15/20
Method: Multiple
Type: Theft
Type: Unknown
Attribution: Unknown
On July 15, several notable Twitter accounts including Joe Biden and Elon Musk were hacked to post a Bitcoin address purporting to double any contributions to the address. The spear phishing operation targeted Twitter employees and was able to gain access to admin-level tools; in all, the hackers made more than $113,500.
On July 31, a 17-year-old suspect related to the recent Twitter Bitcoin scam was arrested in Florida.
On July 13, Argenta, a Belgian savings bank shut down 143 cash machines after suffering a cyber-attack from unknown criminals.
Location: Belgium
Date Breach First Reported:7/13/20
Method: Multiple
Type: Theft
Type: Unknown
Attribution: Unknown
On July 13, Argenta, a Belgian savings bank shut down 143 cash machines after suffering a cyber-attack from unknown criminals. The attack was self-reported by Argenta, who refused to say how much money was affected. The criminals tried to leverage the technique known as 'jackpotting' to take control of the cash machines.
In July 2020, Avast found Cerberus malware hidden in a cryptocurrency converter app used to infect victims of Android devices.
Location: N/A
Date Breach First Reported: 7/12/20
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
In July 2020, Avast found Cerberus malware hidden in a cryptocurrency converter app used to infect victims of Android devices.
Primarily used by Spanish speaking users, the dropper embedded in the app later became active to download another malicious APK. Shortly after the malicious C&C communication was seized and the malware became dormant/harmless once again. The app had amassed thousands of downloads before being taken down.
On July 10, the SEC issued a warning about a rise in ransomware attacks on U.S. financial firms.
Location: United States
Date Breach First Reported:7/10/20
Method: Ransomware
Type: Theft
Type: N/A
Attribution: N/A
On July 10, the SEC issued a warning about a rise in ransomware attacks on U.S. financial firms. These attacks focus on gaining access to the company and then enacting ransomware and have targeted firms all across the financial services sector.
Cybersecurity firm Sophos has found evidence tying the operations of MrbMiner, a crypto-mining botnet, to a boutique software development firm in Shiraz, Iran.
Location: Iran
Date Breach First Reported:1/21/21
Method: Malware
Type: Theft
Type: Non-state actor
Attribution: Speculated
Cybersecurity firm Sophos has found evidence tying the operations of MrbMiner, a crypto-mining botnet, to a boutique software development firm in Shiraz, Iran. MrbMiner has been operational since the summer of 2020, launching brute-force attacks against Microsoft SQL Servers databases to gain access to poorly secured accounts. Once inside, the botnet would create a backdoor and download a cryptocurrency miner.
On June 25, 2020, cryptocurrency hardware wallet manufacturer Ledger's e-commerce database was breached.
Location: N/A
Date Breach First Reported:12/20
Method: Other
Type: Data Breach
Type: Unknown
Attribution: Unknown
On June 25, 2020, cryptocurrency hardware wallet manufacturer Ledger's e-commerce database was breached. The company initially discovered the breach in July after it was tipped off by a researcher, and began an internal investigation. Months later, stolen data — including email addresses, phone numbers, and addresses of customers — were put up on the sharing martketplace Raidforums for free.
On June 25, 2020, researchers identified a new backdoor trojan, dubbed 'GoldenSpy,' in Chinese tax software.
Location: China
Date Breach First Reported: 6/25/20
Method: Multiple
Type: Multiple
Type: Speculated
Attribution: Speculated
On June 25, 2020, researchers identified a new backdoor trojan, dubbed 'GoldenSpy,' in Chinese tax software. Shortly after the discovery, the actors behind it delivered a silent uninstaller to remove all traces of the said malware. While the attribution remains unknown, researchers speculated that it has the characteristics similar to a coordinated APT campaign that focuses on foreign companies operating in China.
Researchers further uncovered an earlier campaign tied to GoldenSpy malware that came installed with Chinese tax software. New evidence suggests that GoldenSpy was preceded by another piece of malware that employed similar capabilities to infect taxpayers within China. This earlier version of GoldenSpy is called GoldenHelper."
On June 22, 2020, researchers identified a new variant of the IcedID banking trojan that uses COVID-19 related phishing lures.
Location: N/A
Date Breach First Reported:6/22/20
Method: Multiple
Type: Theft
Type: Unknown
Attribution: Unknown
On June 22, 2020, researchers identified a new variant of the IcedID banking trojan that uses COVID-19 related phishing lures. This new variant is using steganography to infect the victims and comes equipped with fresh anti-detection capabilities.
On June 21, 2020, a large unidentified European bank was the target of a massive DDoS attack that sent 809 million packets per second through its network.
Location: N/A
Date Breach First Reported:6/23/20
Method: DDoS
Type: Disruption
Type: Unknown
Attribution: Unknown
On June 21, 2020, a large unidentified European bank was the target of a massive DDoS attack that sent 809 million packets per second through its network. Akami, a global content delivery network and IT services provider, called the attack the “largest ever recorded” on their platforms, but reported it was able to mitigate the attack against the undisclosed customer.
On June 4, 2020 Coincheck, a Japanese digital currency exchange, paused remittances after unknown attackers gained access to Coincheck's domain registry service and fraudulently obtained user email addresses as well as personal data.
Location: Japan
Date Breach First Reported:6/4/20
Method: Other
Type: Data breach
Type: Unknown
Attribution: Unknown
On June 4, 2020 Coincheck, a Japanese digital currency exchange, paused remittances after unknown attackers gained access to Coincheck's domain registry service and fraudulently obtained user email addresses as well as personal data.
On May 21, 2020, the operators of the Maze Ransomware released 2GB of data, including credit card credentials, from Banco BCR, the state-owned Bank of Costa Rica.
Location: Costa Rica
Date Breach First Reported: 5/23/20
Method: Ransomware
Type: Theft
Type: Non-state actor
Attribution: Unknown
On May 21, 2020, the operators of the Maze Ransomware released 2GB of data, including credit card credentials, from Banco BCR, the state-owned Bank of Costa Rica. Notably, the attackers claimed they decided not to encrypt Banco BCR data with ransomware because “the possible damage was too high.”
Three weeks previously on May 1, 2020, the operators announced that they had breached Banco BCR, first in August 2019, and then in February 2020 at which point they stole 11 million credit card credentials and other data.
On May 14, the U.S. Secret Service Bulletin alerted citizens to multiple fraudulent claims targeting state unemployment benefit programs.
Location: United States
Date Breach First Reported:5/14/20
Method: Multiple
Type: Theft
Type: Non-state actor
Attribution: Speculated
On May 14, the U.S. Secret Service Bulletin alerted citizens to multiple fraudulent claims targeting state unemployment benefit programs. A group of Nigerian cybercriminals known as "Scattered Canary" appear to be behind the attacks, which targeted unemployment systems in Washington State as well as Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, and Wyoming. The group was able to steal millions from Washington State through fraudulent claims, although at least $300 million was recovered.
On May 14, CERT-In, India’s national CERT, released a warning that a mobile banking malware called 'EventBot' that steals personal financial information was affecting Android users in India.
Location: India
Date Breach First Reported: 5/14/20
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
On May 14, CERT-In, India’s national CERT, released a warning that a mobile banking malware called 'EventBot' that steals personal financial information was affecting Android users in India.
EventBot is a mobile-banking Trojan Trojan that targets over 200 financial applications, money-transfer services and cryptocurrency wallets across the US, Europe, and now India. It steals user data from financial applications, reads user SMS messages, and intercepts SMS messages to bypass 2FA.
On May 13, Norfund, Norway's state investment fund, was subject to a $10 million heist that involved business email compromise.
Location: Norway
Date Breach First Reported: 5/14/20
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On May 13, Norfund, Norway's state investment fund, was subject to a $10 million heist that involved business email compromise. Scammers were able to gain access to the email system, which allowed them to actively monitor internal communications.
The attackers spent months doing reconnaissance in Norfund’s email system to design their fraudulent scheme. According to Norfund, they “manipulated and falsified information exchange between Norfund and the borrowing institution,” resulting in the attackers intercepting a $10 million loan that was meant for a microfinance institution in Cambodia.
On May 11, 2020, American ATM manfacturer Diebold Nixdorf was hit by a ransomware attack that caused 'a limited IT systems outage'.
Location: United States
Date Breach First Reported: 5/11/20
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
On May 11, 2020, American ATM manfacturer Diebold Nixdorf was hit by a ransomware attack that caused 'a limited IT systems outage'. ATMs were not affected.
While the company did not give any details, additional reporting suggests that the ransomware in question might have been 'ProLock', the successor of 'PwndLocker'. ProLock was found to be using QakBot and unprotected Remote Desktop Protocol (RDP) servers with weak credentials.
Group-IB has reported that PerSwaysion, a cybercrime group operating since mid-2019, has breached the email accounts of high-ranking executives at more than 150 firms.
Location: N/A
Date Breach First Reported:4/30/20
Method: Phishing
Type: Data breach
Type: Non-state actor
Attribution: Speculated
Group-IB has reported that PerSwaysion, a cybercrime group operating since mid-2019, has breached the email accounts of high-ranking executives at more than 150 firms. The group appears to have primarily targeted the financial sector, although it has expanded into other verticals, and typically uses phishing campaigns to breach corporate email accounts. The group members appear to be based in Nigeria and South Africa.
On April 23, it was reported that North Korean hackers had been using webskimming malware to steal payment card details from online stores since at least May 2019.
Location: Serbia, Montenegro, Croatia, Slovenia, Bosnia and Herzegovina
Date Breach First Reported:4/23/20
Method: Malware
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On April 23, it was reported that North Korean hackers had been using webskimming malware to steal payment card details from online stores since at least May 2019. The attacks seem to be focused on the Balkans. The impact is not clear, but the attack was simple enough to execute multiple times on one target.
On April 21, 2020 an attacker stole $25 million in Ethereum, a popular cryptocurrency, from the dForce platform, a cryptocurrency firm, only to return the funds two days later.
Location: China
Date Breach First Reported:4/21/20
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On April 21, 2020 an attacker stole $25 million in Ethereum, a popular cryptocurrency, from the dForce platform, a cryptocurrency firm, only to return the funds two days later. The attacker did not return all funds in the same distribution of currencies that were taken but instead returned some in different tokens. It is not known why the attacker is returning the stolen funds.
On April 13, 2020, IBM researchers reported that Spanish banks had been the target of by a Brazilian banking Trojan, Grandoreiro, in a campaign lasting months.
Location: Spain
Date Breach First Reported: 4/13/20
Method: Malware
Type: Theft
Type: Non-state actor
Attribution: Unknown
On April 13, 2020, IBM researchers reported that Spanish banks had been the target of by a Brazilian banking Trojan, Grandoreiro, in a campaign lasting months. The campaign exploits the Coronavirus outbreak by using videos themed on the pandemic that convince users to run a hidden executable.
Grandoreiro is a remote-overlay banking trojan that, upon a user accessing their online banking, can display images to impersonate said bank. This allows attacks to then then move money from the victims accounts. The malware executes upon access to a hardcoded list of entities, mostly local banks.
On April 9, 2020, a cache of 400,000 payment card records from banks in South Korea and the U.S. were uploaded to a well-known underground marketplace.
Location: South Korea, United States
Date Breach First Reported: 4/24/20
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On April 9, 2020, a cache of 400,000 payment card records from banks in South Korea and the U.S. were uploaded to a well-known underground marketplace.
According to Group-IB, a security firm, the data dump was identified as the biggest sale of South Korea related bank records in 2020. The database contained mostly Track 2 information, meaning the data stored on the magnetic stripe of a card such as the bank identification number (BIN), the account number, expiration date and CVV.
Operating since April 2020, Turkey Dog activity has been luring unaware Turkish speakers into downloading malicious Android trojans through fake click-baits.
Location: Turkey
Date Breach First Reported:2/24/20
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
Operating since April 2020, Turkey Dog activity has been luring unaware Turkish speakers into downloading malicious Android trojans through fake click-baits. The banking trojans, Cerberus and Anubis, have been used to steal user credentials to gain access to bank accounts.
On March 30, researchers reported that U.S., Canadian, and Australian banks were being increasingly targeted by Zeus Sphinx, a banking trojan that had been dormant for three years.
Location: United States, Canada, Australia
Date Breach First Reported: 5/11/20
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
On March 30, researchers reported that U.S., Canadian, and Australian banks were being increasingly targeted by Zeus Sphinx, a banking trojan that had been dormant for three years. The attackers target those waiting on government relief payments from Covid-19.
The campaign used COVID-19 as a lure, such as sending booby-trapped document files named “COVID 19 relief.” Zeus Sphinx gained notoriety in 2015 for being used to target major financial institutions in the UK, and eventually in Brazil, Australia and North America. This version of the malware underwent core changes in its persistence mechanism, injections tactics, and bot configuration.
On March 30, 2020, attackers breached email accounts of employees at Monte dei Paschi bank, an Italian state-owned bank, and sent messages to clients with voice mail attachments.
Location: Italy
Date Breach First Reported:4/11/20
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On March 30, 2020, attackers breached email accounts of employees at Monte dei Paschi bank, an Italian state-owned bank, and sent messages to clients with voice mail attachments. The bank notified customers on March 30 but did not disclose if there had been a data breach, the nature of the sent emails or if customers had been impacted.
On March 26, 2020, Insurer Chubb was targeted by Maze ransomware and the attackers claimed to have data stolen.
Location: United States
Date Breach First Reported:3/26/20
Method: Ransomware
Type: Data breach
Type: Unknown
Attribution: Unknown
On March 26, 2020, Insurer Chubb was targeted by Maze ransomware and the attackers claimed to have data stolen. Chubb claimed its networks were unaffected but admitted investigating an incident relating to the access of third-party data. Chubb itself offers insurance to compensate those who suffer costs from data breaches.
On March 25, 2020, Square Milner, one of the largest accountancy firms in the US, experienced a possible data breach.
Location: United States
Date Breach First Reported:4/22/20
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On March 25, 2020, Square Milner, one of the largest accountancy firms in the US, experienced a possible data breach. According to Squar Milner, the data breach may have included names, addresses, Social Security numbers or Tax ID numbers. It appears client data was accessed via credential stuffing but an actual data breach of their systems is yet to be ruled out.
On March 20, 2020, Finastra, a large London-based financial technology company, stated they were the victim of a ransomware attack.
Location: United Kingdom
Date Breach First Reported: 3/20/20
Method: Ransomware
Type: Data breach
Type: Unknown
Attribution: Unknown
On March 20, 2020, Finastra, a large London-based financial technology company, stated they were the victim of a ransomware attack. The attack resulted in disruption of Finastra services as they shut down certain servers in response to the attack which had most impact on their North America operations.
Finastra employs more than 10,000 people and provides services to nearly all of the top 50 banks globally. The company claimed there was no evidence of customer or employee data exfiltration.
On March 6, 2020, it was reported that over 200,000 credit card details from top banks in Singapore, Malaysia, the Phillippines, Vietnam, Indonesia, and Thailand were stolen and published online.
Location: Malaysia; Singapore; Philippines; Vietnam; Indonesia; Thailand
Date Breach First Reported:3/6/2020
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On March 6, 2020, it was reported that over 200,000 credit card details from top banks in Singapore, Malaysia, the Phillippines, Vietnam, Indonesia, and Thailand were stolen and published online. Security researchers determined that the Philippines had 172,828 cards breached, Malaysia and Singapore had 37,145 and 25,290 cards breached respectively. One of the banks, CIMB Group Holdings, responded that they were confident there was no breach and the details would have been obtained elsewhere.
On March 3, 2021, researchers at Avast reported that at least 100 Italian banks were compromised in attacks using the Ursnif banking Trojan.
Location: Italy
Date Breach First Reported:3/3/2020
Method: Multiple
Type: Theft
Type: Non-state actor
Attribution: High confidence
On March 3, 2021, researchers at Avast reported that at least 100 Italian banks were compromised in attacks using the Ursnif banking Trojan. Over 1,700 credentials were also stolen from a single payment processor. In June 2021, researchers discovered the trojan had incorporated the Cerberus malware into its tool set to increase its attack surface.
On February 25, 2020, it was reported that Australian banks and other financial institutions were being extorted by the Silence group with DDoS attacks unless they paid a ransom.
Location: Australia
Date Breach First Reported:2/25/2020
Method: DDoS
Type: Disruption
Type: Unknown
Attribution: Unknown
On February 25, 2020, it was reported that Australian banks and other financial institutions were being extorted by the Silence group with DDoS attacks unless they paid a ransom. DDoS attacks have taken place but not against all targets, as they do not have the resources to attack all those threatened. The Silence group has also been linked to stealing from banks across Eastern Europe, South and Central Asia, and more recently, Sub-Saharan Africa. The group demanded payment in the cryptocurrency Monero to prevent the attack.
On February 21, 2020, hackers targeted PayPal accounts to carry out unauthorized purchases, estimated to be worth tens of thousands of euros, by exploiting PayPal’s Google Pay integration.
Location: United States, Germany
Date Breach First Reported:2/25/2020
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On February 21, 2020, hackers targeted PayPal accounts to carry out unauthorized purchases, estimated to be worth tens of thousands of euros, by exploiting PayPal’s Google Pay integration. The purchases were made at a variety of Target stores in the United States. Most of the victims appear to be German PayPal users.
On February 20, Loqbox, a UK-based credit score builder startup, was the victim of a data breach in which customer details were compromised.
Location: United Kingdom
Date Breach First Reported:3/2/2020
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On February 20, Loqbox, a UK-based credit score builder startup, was the victim of a data breach in which customer details were compromised. This included names, dates of birth, addresses, and phone numbers. Partial card and account details were exposed although not enough to make payments or access accounts. Loqbox claims all funds are secure and have not been accessed by attackers.
In February 2020, Bank Rakyat Indonesia was reported to have been targeted by the North Korean hacking group, Lazarus.
Location: Indonesia
Date Breach First Reported:10/26/21
Method: Malware
Type: Multiple
Type: State-sponsored actor
Attribution: High confidence
In February 2020, Bank Rakyat Indonesia was reported to have been targeted by the North Korean hacking group, Lazarus. The attackers are believed to have gained access to the bank's computer networks using malware previously used in the Bangladesh bank heist, BEEFEATER. It remains unclear whether or not the attackers stole any funds.
On February 13, 2020, Nedbank, a major bank in southern Africa, notified its customers of a breach of a third-party service provider hired by the bank for its marketing and promotional activites.
Location: South Africa, Angola, Kenya, Lesotho, Malawi, Mozambique, Namibia, Swaziland, Zimbabwe
Date Breach First Reported:2/13/20
Method: Other
Type: Data breach
Type: Unknown
Attribution: Unknown
On February 13, 2020, Nedbank, a major bank in southern Africa, notified its customers of a breach of a third-party service provider hired by the bank for its marketing and promotional activites. The personal information of 1.7 million customers of the bank was leaked through the breach.
On January 15, 2020, hackers transferred $35 million from a Hong Kong-based bank, using "deep voice" technology to clone a bank director’s speech.
Location: United Arab Emirates
Date Breach First Reported:10/13/2021
Method: Multiple
Type: Theft
Type: Unknown
Attribution: Unknown
On January 15, 2020, hackers transferred $35 million from a Hong Kong-based bank, using "deep voice" technology to clone a bank director’s speech. The U.A.E. has sought American investigators’ help in tracing $400,000 of stolen funds that went into U.S.-based accounts held by Centennial Bank.
In the first week of January 2020, it was reported that major banks in sub-Saharan Africa were targeted by the Silence hacking group.
Location: Africa
Date Breach First Reported:1/17/2020
Method: Malware
Type: Theft
Type: Nonstate actor
Attribution: Speculated
In the first week of January 2020, it was reported that major banks in sub-Saharan Africa were targeted by the Silence hacking group. According to Kaspersky, who attributed the attacks to the Silence group based on malware used, the general outline of such an attack involved phishing emails being sent with the malware, data gathering, and then withdrawing large amounts of cash in one go via ATMs. As of mid-January 2020, the attacks are ongoing and persist in targeting large banks.
On April 7, 2021, VISA warned that threat actors are increasingly deploying web shells on compromised servers to exfiltrate credit card information stolen from online store customers.
Location: N/A
Date Breach First Reported:4/7/2021
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
On April 7, 2021, VISA warned that threat actors are increasingly deploying web shells on compromised servers to exfiltrate credit card information stolen from online store customers. At least 45 eSkimming attacks occured in 2020 using web shells.
On December 31, 2019, Travelex, a major foreign exchange company, took all its computer systems offline after company systems were infected with Sodinokibi ransomware and the attackers demanded $6 million to remove it.
Location: United Kingdom
Date Breach First Reported:12/31/2019
Method: Malware
Type: Theft
Type: Nonstate actor
Attribution: Unknown
On December 31, 2019, Travelex, a major foreign exchange company, took all its computer systems offline after company systems were infected with Sodinokibi ransomware and the attackers demanded $6 million to remove it. This also impacted the exchange services of many major banks including Lloyds, Barclays, and RBS, who all use Travelex. The attackers also claimed to have exfiltrated 5GB of personal customer data that they threatened would be released if they did not receive payment. The attackers are believed to have used a VPN exploit that remained unpatched to access the firm’s systems. As of the end of January it has taken over a month for Travelex to restore its site and even then, only partially. It is unclear whether Travelex paid the ransom in this time.
On December 24, 2019, researchers discovered a data breach from Advantage and Argus Capital Funding, a NY-based private equity firm, which included 425GB of 500,000 legal and financial documents, including tax returns and social security information.
Location: United States
Date Breach First Reported: 12/24/19
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On December 24, 2019, researchers discovered a data breach from Advantage and Argus Capital Funding, a NY-based private equity firm, which included 425GB of 500,000 legal and financial documents, including tax returns and social security information.
The breach was discovered by vpnMentor who claim data including credit reports, bank statements, tax returns and social security information could be accessed without authentication. The database was linked to MCA Wizard, an application developed by Advantage and Argus Capital Funding. The database was stored in an unencrypted S3 bucket on Amazon Web Service. The vulnerability was patched by AWS on January 9, 2020.
On December 10, 2019, Wawa Inc., a U.S.-based convenience store chain, discovered that its payment card processing systems had been breached for a 9-month long period in which customers in any of its worldwide locations could have had their card data stolen.
Location: United States
Date Breach First Reported:12/19/2019
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On December 10, 2019, Wawa Inc., a U.S.-based convenience store chain, discovered that its payment card processing systems had been breached for a 9-month long period in which customers in any of its worldwide locations could have had their card data stolen. On January 27, 30 million card details believed to be part of the breach posted for sale online, including card numbers and expiration dates. Pins and CVV records were not exposed.
On December 10, 2019, it was reported that Mellat, Tejarat, and Sarmayeh, Iran’s three largest banks, had been breached and that the attacker had published 15 million bank debit cards on social media in the aftermath of anti-government demonstrations.
Location: Iran
Date Breach First Reported:12/10/2019
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On December 10, 2019, it was reported that Mellat, Tejarat, and Sarmayeh, Iran’s three largest banks, had been breached and that the attacker had published 15 million bank debit cards on social media in the aftermath of anti-government demonstrations. Iran’s information and telecommunications minister denied this was due to attackers but an inside contractor who had access to the data. Researchers are disputing this and suggest it was likely a nation state actor.
On December 3, 2019, 3 private equity firms in the UK and Israel had £600k stolen by attackers, known as the “The Florentine Banker,” through a sophisticated business email compromise scheme.
Location: United Kingdom, Israel
Date Breach First Reported: 12/3/19
Method: Phishing
Type: Theft
Type: Unknown
Attribution: Unknown
On December 3, 2019, 3 private equity firms in the UK and Israel had £600k stolen by attackers, known as the “The Florentine Banker,” through a sophisticated business email compromise scheme.
The attackers gained control over the victim's email accounts and intercepted specific emails involving the planned transfer of funds. The group used email rules to divert those they deemed interesting into another folder. They then registered similar domains to those on the other side of the conversation, diverted the legitimate communication and instead sent their own modified emails. In this way the attackers could manipulate all the parties involved into transferring funds to their own accounts instead of those intended by impersonating both sides of the conversation. £600k was taken by the group in 3 different transactions. Researchers noted many other spoofed domains that appear to have been registered by the attackers suggesting that the group is targeting other organizations in similar attacks.
On November 27, 2019, $48.5 million in virtual currency was stolen from Upbit a South Korean cryptocurrency exchange.
Location: South Korea
Date Breach First Reported: 11/28/19
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On November 27, 2019, $48.5 million in virtual currency was stolen from Upbit a South Korean cryptocurrency exchange. The identity of the attackers remains unknown.
$48.5 million in Ethereum was taken from exchange Upbit's hot wallet in 17 transactions. Upbit have stated they will cover any loss to customers.
On November 21, 2019, Edenred, a payment solutions provider, reported that it was infected by malware that affected a number of the organization’s computers.
Location: Europe
Date Breach First Reported:11/21/2019
Method: Malware
Type: Unknown
Type: N/A
Attribution: Unknown
On November 21, 2019, Edenred, a payment solutions provider, reported that it was infected by malware that affected a number of the organization’s computers. Edenred’s payment platform operates across 46 countries and in 2018 they managed 2.5 billion payment transactions. According to a statement released by the organization, as soon as the incident was detected they implemented countermeasures to prevent further infections. The number of computers effected and the extent of the attack is still currently unknown.
On November 18, 2019, the Cayman National Bank and Trust Company confirmed it had been breached and had confidential data stolen.
Location: United Kingdom
Date Breach First Reported:11/18/2019
Method: Unknown
Type: Data breach
Type: Non-state actor
Attribution: Speculated
On November 18, 2019, the Cayman National Bank and Trust Company confirmed it had been breached and had confidential data stolen. The Cayman National Bank did not elaborate on the extent of the breach but confirmed it was working with law enforcement. This announcement corroborated an earlier claim by Phineas Fisher, a vigilante hacker persona, who publicized the hack to encourage similar hacktivism. Phineas Fisher offered $100,000 USD to hacktivists who breach and leak documents from bank, oil companies, surveillance spyware vendors, and others.
On November 13, 2019, the United States charged a Russian man for running ‘Cardplanet,’ a card trading platform worth almost $20 million USD that buys and sells stolen payment card details.
Location: Unknown
Date Breach First Reported:11/13/2019
Method: N/A
Type: N/A
Type: Non-state actor
Attribution: High confidence
On November 13, 2019, the United States charged a Russian man for running ‘Cardplanet,’ a card trading platform worth almost $20 million USD that buys and sells stolen payment card details. He is facing a number of charges including access device fraud, identity theft, and computer intrusion.
On November 1, 2019, authorities apprehended twelve individuals over a cyber-fraud attempt on Equity Bank Rwanda.
Location: Rwanda
Date Breach First Reported:11/1/19
Method: Unknown
Type: Theft
Type: Non-state actor
Attribution: High confidence
On November 1, 2019, authorities apprehended twelve individuals over a cyber-fraud attempt on Equity Bank Rwanda. The individuals include eight Kenyans, three Rwandans, and one Ugandan who were attempting to hack the local bank. Officials noted that the hack was thwarted and that the fraudsters did not steal any funds.
On December 11, 2019, it was reported that 463,378 Turkish payment cards from Turkish banks had been posted for sale online between late October and late November, for an estimated total value of USD $500,000.
Location: Turkey
Date Breach First Reported: 12/11/19
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On December 11, 2019, it was reported that 463,378 Turkish payment cards from Turkish banks had been posted for sale online between late October and late November, for an estimated total value of USD $500,000. Full card details were available as well as personal data including emails and phone numbers. Security researchers from Group-IB speculated the payment card information was stolen from online card payments using a JavaScript-based skimmer, such as Magecart.
On October 24, 2019, the City of Johannesburg reported a breach of its network and shut down its website and all e-services.
Location: South Africa
Date Breach First Reported:10/25/19
Method: Unknown
Type: Data breach
Type: Non-state actor
Attribution: Speculated
On October 24, 2019, the City of Johannesburg reported a breach of its network and shut down its website and all e-services. Earlier that day, the city had received a bitcoin ransom note from a group called the Shadow Kill Hackers, who demanded payment of 4.0 bitcoins by October 28. The hack appeared to occur at the same time as several South African banks reported internet problems believed to also be related to cyber attacks.
On October 23, 2019, the South African Banking Risk Information Centre (SABRIC) reported a series of distributed denial-of-service attacks which targeted several public facing services across multiple banks in the country.
Location: South Africa
Date Breach First Reported:10/23/2019
Method: DDOS
Type: Disruption
Type: Unknown
Attribution: Unknown
On October 23, 2019, the South African Banking Risk Information Centre (SABRIC) reported a series of distributed denial-of-service attacks which targeted several public facing services across multiple banks in the country. The attacks started with a ransom note delivered via email to several publicly available addresses.
In October 2019, a group of cybercriminals masquerading as ”Fancy Bear,” the infamous hacking group associated with the DNC hack of 2016 among other major breaches, launched a series of distributed denial-of-service attacks against companies in the financial sector.
Location: Singapore, South Africa, Scandinavian Countries
Date Breach First Reported:10/24/2019
Method: DDOS
Type: Disruption
Type: Non-state actor
Attribution: Speculated
In October 2019, a group of cybercriminals masquerading as ”Fancy Bear,” the infamous hacking group associated with the DNC hack of 2016 among other major breaches, launched a series of distributed denial-of-service attacks against companies in the financial sector. The group demanded ransom payments of up to 2 bitcoin.
On October 16, 2019, it was reported that ‘BriansClub’, one of the largest underground markets for stolen credit card and payment details, was hacked by a competitor who stole 26 million card details.
Location: Unknown
Date Breach First Reported:10/16/2019
Method: Unknown
Type: Theft
Type: Non-state actor
Attribution: Speculated
On October 16, 2019, it was reported that ‘BriansClub’, one of the largest underground markets for stolen credit card and payment details, was hacked by a competitor who stole 26 million card details. The credit card data was added to BriansClub between 2015-2019, representing 30 percent of the total cards that are currently being sold on the underground market.
On October 4, 2019, it was reported that Sberbank, one of Russia’s largest banks, was investigating a suspected data leak that affected at least 200 customers, and potentially data on 60 million credit cards.
Location: Russia
Date Breach First Reported:10/4/2019
Method: N/A
Type: Data breach
Type: Insider
Attribution: Speculated
On October 4, 2019, it was reported that Sberbank, one of Russia’s largest banks, was investigating a suspected data leak that affected at least 200 customers, and potentially data on 60 million credit cards. Sberbank is investigating an internal employee who may be behind the compromise of the database. Sberbank is working with law enforcement to investigate the incident further.
On September 23, security researchers reported that North Korean hackers had developed and inserted malware to steal payment information from Indian ATMs and banking institutions.
Location: India
Date Breach First Reported:9/23/2019
Method: Malware
Type: Espionage
Type: State-sponsored actor
Attribution: Speculated
On September 23, security researchers reported that North Korean hackers had developed and inserted malware to steal payment information from Indian ATMs and banking institutions. The malware, known as ATMDtrack, began appearing on networks during the summer of 2018 and is thought to be attributable to Lazarus Group, a hacking group that has targeted banks, ATMs, and cryptocurrency exchanges in order to fund North Korea's weapons of mass destruction program.
On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack compromising the information of the site’s newsletter subscribers.
Location: Germany
Date Breach First Reported:9/16/2019
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack compromising the information of the site’s newsletter subscribers. The ECB reported that no market-sensitive data was compromised in the attack, and it planned to contact the 481 individuals whose names, email addresses, and titles may have been accessed by hackers.
On September 6, 2019, Hong Kong Exchanges and Clearing Limited (HKEx), a Hong Kong-based stock exchange, suffered a distributed denial-of-service attack (DDoS) and discovered a technical bug, forcing them to suspend trading.
Location: China
Date Breach First Reported:9/6/2019
Method: DDoS
Type: Disruption
Type: Unknown
Attribution: Unknown
On September 6, 2019, Hong Kong Exchanges and Clearing Limited (HKEx), a Hong Kong-based stock exchange, suffered a distributed denial-of-service attack (DDoS) and discovered a technical bug, forcing them to suspend trading. Attackers sent high volumes of traffic to the organization’s website, causing it to slow down and display limited information on exchange prices. Although services resumed once the issues were resolved, this is the second time that HKEx has suffered an attack of this kind. In 2011 a DDoS attack forced the organizations to suspend their services, and the individual behind the attack was later sentenced to nine months in prison.
On September 2, Nepalese police arrested five Chinese nationals in connection with cyberattacks that cost Nepalese banks more than 35 million rupees (over $300,000).
Location: Nepal
Date Breach First Reported:9/2/2019
Method: Other
Type: Theft
Type: State-sponsored actor
Attribution: Speculated
On September 2, Nepalese police arrested five Chinese nationals in connection with cyberattacks that cost Nepalese banks more than 35 million rupees (over $300,000). The attackers targeted the Nepal Electronic Payment System, which was established to coordinate cash withdrawals at 17 Nepalese banks, and inserted malware that directed ATMs to process withdrawal requests without first verifying with member banks. Staff at one Nepali bank discovered the theft when ATMs began running out of cash sooner than expected and informed authorities. Police recovered 12.63 million rupees (more than $110,000) during the arrests.
On August 23, 2019, it was reported that financial institutions in Bulgaria, Chile, Costa Rica, and Ghana were compromised by the Silence Group.
Location: Bulgaria, Chile, Costa Rica, Ghana
Date Breach First Reported: 08/23/2019
Method: Multiple
Type: Theft
Type: Non-state actor
Attribution: High confidence
On August 23, 2019, it was reported that financial institutions in Bulgaria, Chile, Costa Rica, and Ghana were compromised by the Silence Group. Since 2016, the Silence Group had stolen a cumulative $4.2 million USD from banks in Eastern and Western Europe and Asia.
Since 2018, Silence has sent over 170,000 phishing attacks to financial institutions. The group has refined its techniques since it was first spotted in 2016. Silence now uses fileless techniques, repurposed open-source projects, and old vulnerabilities.
On August 6, Malta-based cryptocurrency exchange Binance became the victim of ransomware when attackers demanded 300 bitcoin (around $3.5 million at the time) in exchange for a Know Your Customer (KYC) database containing the personal information of around 10,000 users.
Location: Malta
Date Breach First Reported:8/6/2019
Method: Ransomware
Type: Unknown
Type: Unknown
Attribution: Unknown
On August 6, Malta-based cryptocurrency exchange Binance became the victim of ransomware when attackers demanded 300 bitcoin (around $3.5 million at the time) in exchange for a Know Your Customer (KYC) database containing the personal information of around 10,000 users. The KYC database allegedly contained personal identification information and photographs of users with documents like passports. The company contested the authenticity of the documents, claiming that they lacked digital watermarks, refused to pay the ransom, and contacted law enforcement for assistance in pursuing the attacker(s).
On July 29, Capital One announced that it had suffered a data breach compromising the credit card applications of around 100 million individuals after a software engineer hacked into a cloud-based server.
Location: United States and Canada
Date Breach First Reported: 7/29/2019
Method: Other
Type: Data breach/theft
Type: Nonstate actor
Attribution: High confidence
On July 29, Capital One announced that it had suffered a data breach compromising the credit card applications of around 100 million individuals after a software engineer hacked into a cloud-based server. The applications contained names, dates of birth, credit scores, contact information, and some American and Canadian social security numbers. The hacker exploited a misconfigured firewall to gain access to a database of personal information hosted by Amazon Web Services. Upon gaining access, the hacker posted about it on GitHub, and an unidentified individual notified Capital One about the presence of the database on GitHub. Authorities arrested one individual in connection with the data theft.
On July 25, security researchers found a file containing 250GB of personal and financial information, mainly tied to Brazilian financial institution Banco Pan, exposed online.
Location: Brazil
Date Breach First Reported:7/25/2019
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On July 25, security researchers found a file containing 250GB of personal and financial information, mainly tied to Brazilian financial institution Banco Pan, exposed online. The information, which Banco Pan claims is owned by a commercial partner, contained scans of identification cards and social security cards, proof of address documents, and service request forms.
On July 23, a security researcher reported that Jana Bank, an Indian small finance bank, left exposed a database containing information on millions of financial transactions.
Location: India
Date Breach First Reported: 7/23/2019
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On July 23, a security researcher reported that Jana Bank, an Indian small finance bank, left exposed a database containing information on millions of financial transactions. The Know Your Customer verification database was not password-protected, allowing anyone to access, alter, or download the information. Jana Bank immediately secured the database upon learning of its exposure.
On July 12, Remixpoint, a Japanese cryptocurrency exchange, halted services after it discovered the theft of $32 million in digital currencies.
Location: Japan
Date Breach First Reported:7/12/2019
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On July 12, Remixpoint, a Japanese cryptocurrency exchange, halted services after it discovered the theft of $32 million in digital currencies. After an error appeared in the exchange’s outgoing funds transfer system, Remixpoint discovered that the funds had been taken from a “hot” wallet (one that is connected to the internet). No funds had been stolen from “cold” wallets (those not connected to the internet). The company promised to investigate the incident and provided no further details.
On July 12, 2019, approximately $32 million in virtual currency was stolen from Bitpoint, a Japanese cryptocurrency exchange.
Location:Japan
Date Breach First Reported: 07/12/2019
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On July 12, 2019, approximately $32 million in virtual currency was stolen from Bitpoint, a Japanese cryptocurrency exchange. The identity of the attackers remains unknown.
On June 25, Europol, British law enforcement, and Dutch law enforcement officials arrested six individuals for cryptocurrency theft amounting to €24 million (over $26 million).
Location: Netherlands, United Kingdom
Date Breach First Reported:6/25/2019
Method: Malware
Type: Theft
Type: Unknown
Attribution: Speculated
On June 25, Europol, British law enforcement, and Dutch law enforcement officials arrested six individuals for cryptocurrency theft amounting to €24 million (over $26 million). The individuals used a technique known as “typosquatting,” in which they duplicated an online cryptocurrency exchange to steal information and gain access to victims’ bitcoin wallets. The attack affected more than 4,000 individuals in at least 12 countries.
In June 2019, at least three private Bangladeshi banks were compromised by major cyberattacks, with one, Dutch Bangla Bank Limited (DBBL), losing as much as TK 25 crore (around $3 million).
Location: Bangladesh
Date Breach First Reported:6/22/2019
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
In June 2019, at least three private Bangladeshi banks were compromised by major cyberattacks, with one, Dutch Bangla Bank Limited (DBBL), losing as much as TK 25 crore (around $3 million). Attackers deployed malware to duplicate DBBL's Switch payment management system, allowing fraudulent financial transactions to be executed undetected. NCC Bank and Prime Bank were also targeted, but both banks reported no financial losses associated with the attack.
On April 23, 2019, it was reported the Silence Group had targeted financial institutions in the UK, India, and South Korea since the end of 2018, and had stolen from at least one institution.
Location: Bangladesh, India, Sri Lanka, Kyrgyzstan
Date Breach First Reported: 05/31/2019
Method: Multiple
Type: Theft
Type: Non-state actor
Attribution: High confidence
On May 31, 2019, the Silence Group stole $3 million from Bangladesh’s Dutch Bangla Bank via ATM cash outs. Three other undisclosed financial institutions in India, Sri Lanka, and Kyrgyzstan were also attacked in the same timeframe. Until recently, Silence had focused on Russia and the Commonwealth of Independent States.
Local media found a video of two Ukrainian men visiting Dutch Bangla Bank ATMs, making a phone call, and then withdrawing large sums of money.
On May 25, 2019, attackers attempted to steal from Upbit, a South Korean cryptocurrency exchange, but were thwarted by East Security, a security firm.
Location: South Korea
Date Breach First Reported: 08/30/2019
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On May 25, 2019, attackers attempted to steal from Upbit, a South Korean cryptocurrency exchange, but were thwarted by East Security, a security firm. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.
Attackers sent phishing emails to Upbit users in an attempt to steal their funds. It appears as though no losses have resulted from the emails.
On May 24, First American Financial Corp. suffered a data breach compromising around 885 million files related to mortgage deeds.
Location: United States
Date Breach First Reported:5/24/2019
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On May 24, First American Financial Corp. suffered a data breach compromising around 885 million files related to mortgage deeds. The documents, which dated back as far as 2003, contained bank account numbers and statements, mortgage and tax records, social security numbers, wire transaction receipts, and images of drivers' licenses. The documents were accessible to anyone with a web browser because the company used a standard format for document addresses, meaning that anyone with knowledge of at least one document link could access others simply by modifying the digits associated with the record number. Although the company took down the website, many of the pages remained accessible on archive.org. As of August 2019, the U.S. Securities and Exchange Commission had begun an investigation into the data breach.
On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries, dismantled a group of international cyber criminals that used the GozNym malware to steal over $100 million.
Location: Multiple
Date Breach First Reported:5/16/2019
Method: Malware
Type: Theft
Type: Nonstate actors
Attribution: High confidence
On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries, dismantled a group of international cyber criminals that used the GozNym malware to steal over $100 million. The group stole from over 40,000 victims, including the bank accounts of small businesses, law firms, international corporations, and nonprofit organizations. Following a law enforcement investigation across the U.S., Bulgaria, Germany, Georgia, Moldova, and Ukraine, ten members were charged for the crime. The leader of the network was charged in Georgia while another was extradited from Bulgaria to the U.S. to face trial. Although some members of the gang are still on the run, the initial charges have been seen as a success for law enforcement in their efforts to combat international cybercrime.
In May 2019, a Colorado bank suffered an external security incident resulting in the cancellation and redistribution of customer debit cards.
Location: United States
Date Breach First Reported:5/13/2019
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
In May 2019, a Colorado bank suffered an external security incident resulting in the cancellation and redistribution of customer debit cards. FirstBank, Colorado’s largest locally-owned bank, issued a security notice on May 13 informing customers of the breach and instructing them to report any suspicious behavior. The bank confirmed that the breach did not occur on its online systems but from other merchants where FirstBank customers made transactions.
In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan in Germany and Switzerland.
Location: Switzerland, Germany
Date Breach First Reported: 5/2/2019
Method: Malware
Type: Unknown
Type: Unknown
Attribution: Unknown
In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan in Germany and Switzerland. Retefe is a malware that installs the Tor internet browser to redirect infected devices to spoofed banking sites. The Trojan is typically delivered through email attachments and often attempts to trick users into downloading spoofed mobile Android applications to bypass two-factor authentication.
In the past, Retefe campaigns have targeted several European countries. In November 2016, Retefe targeted Tesco Bank and other UK financial institutions. In September 2017, an updated version of Retefe leveraged the EternalBlue exploit in a campaign against Swiss targets. Since April, the Trojan has reemerged in German and Swiss banks.
On April 23, 2019, it was reported the Silence Group had targeted financial institutions in the UK, India, and South Korea since the end of 2018, and had stolen from at least one institution.
Location: United Kingdom, India, South Korea
Date Breach First Reported: 04/23/2019
Method: Multiple
Type: Theft
Type: Nonstate actor
Attribution: Known
On April 23, 2019, it was reported the Silence Group had targeted financial institutions in the UK, India, and South Korea since the end of 2018, and had stolen from at least one institution.
On March 31, Mexican law enforcement arrested two senior members of a Romanian cyber criminal group allegedly behind an ATM skimming operation in Mexico.
Location: Mexico
Date Breach First Reported:4/4/2019
Method: Skimmer
Type: Theft
Type: Nonstate actor
Attribution: High confidence
On March 31, Mexican law enforcement arrested two senior members of a Romanian cyber criminal group allegedly behind an ATM skimming operation in Mexico. One suspect is believed to be the head of Instacash, a fraudulent ATM service provider operating out of Mexico. The head of Instacash allegedly bribed and coerced ATM technicians to install sophisticated Bluetooth-based skimmers inside competitor’s ATMs, enabling the Romanian cyber criminal group to steal PINs and card data remotely from ATMs throughout popular tourist destinations in Mexico.
On March 29, 2019, approximately $20 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, marking the fourth theft in two years.
Location: South Korea
Date Breach First Reported:08/30/2019
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On March 29, 2019, approximately $20 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, marking the fourth theft in two years. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.
On March 27, 2019, attackers stole $49 million from a bank in Kuwait.
Location: Kuwait
Date Breach First Reported: 08/30/2019
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On March 27, 2019, attackers stole $49 million from a bank in Kuwait. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.
While the UN Security Council Panel of Experts did not reveal the name of the bank in Kuwait, the Gulf Bank of Kuwait announced a technical failure in its system of international remittances on Twitter on March 27.
On March 24, 2019, $7 million in virtual currency was stolen from DragonEx, a Singapore based cryptocurrency exchange.
Location: Singapore
Date Breach First Reported: 03/24/2019
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On March 24, 2019, $7 million in virtual currency was stolen from DragonEx, a Singapore based cryptocurrency exchange. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.
Stolen coins were across a range of currencies including bitcoin, ether, xrp, litecoin and EOS. DragonEx released the addresses of 20 wallets where funds were transferred in the hopes of blocking the movement of these funds.
In early 2019, the Royal Bank of Scotland’s (RBS) customer accounts were exposed to a security flaw after introducing a new customer security service.
Location: United Kingdom
Date Breach First Reported:3/22/2019
Method: Software vulnerability
Type: N/A
Type: Unknown
Attribution: Unknown
In early 2019, the Royal Bank of Scotland’s (RBS) customer accounts were exposed to a security flaw after introducing a new customer security service. In January, RBS launched a free endpoint security service for customers in partnership with Danish firm Hedimal Security. While the security service was intended to detect threats and protect RBS customers from attacks, researchers discovered a software flaw that enabled access to customer emails, banking details and internet history. Hedimal Security has since released an update to fix the security flaw and insisted that only 50,000 computers were effected. They claim that there were no intrusions as a result of the security flaw.
The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign targeting Japanese banks that began in 2016.
Location: Japan
Date Breach First Reported:3/12/2019
Method: Malware
Type: Unknown
Type: Unknown
Attribution: Unknown
The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign targeting Japanese banks that began in 2016. Ursnif, also known as Gozi ISFB, is a popular malware that steals information on infected Windows devices. Ursnif has been deployed in a new campaign that specifically targets banks in Japan. The malware terminates itself on devices outside of the country. The campaign uses a distribution network of spam botnets and compromised web servers to deliver the Trojan. Between 2016 and 2017, researchers at Palo Alto Networks observed millions of infected emails sent to banks in Japan. Researchers have not been able to identify the operation behind the campaign, but evidence suggests it may be connected to the Cutwill Botnet, a cyber criminal operation active since 2007.
In March 2019, attackers attempted to steal $9.3 million from a Gambian financial institution.
Location: The Gambia
Date Breach First Reported:08/30/2019
Method: Multiple
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
In March 2019, attackers attempted to steal $9.3 million from a Gambian financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.
In March 2019, attackers attempted to steal $12.2 million from a Nigerian financial institution.
Location: Nigeria
Date Breach First Reported:08/30/2019
Method: Multiple
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
In March 2019, attackers attempted to steal $12.2 million from a Nigerian financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.
On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down operations after an attempted theft of €13 million.
Location: Malta
Date Breach First Reported: 2/14/2019
Method: Unknown
Type: Theft
Type: Nonstate actor
Attribution: Unknown
On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down operations after an attempted theft of €13 million. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.
Attackers made multiple transfer requests from the Maltese bank to accounts in the UK, United States, Czech Republic, and Hong Kong. The bank’s employees discovered the fraudulent activity during their daily reconciliation of international orders. Within the hour, BOV notified other banks in an attempt to freeze the transactions. It also closed all its branches, shut down its ATMs and point-of-sale system, and stopped all other electronic services, which were restored the following day. In a statement, BOV said it was working with local and international police authorities to track down the attackers. On January 30, 2020, the UK's National Crime Agency issued arrests in London and Belfast, suspected to be in connection to the BOV heist.
Multiple credit unions in the United States were hit by spear-phishing emails impersonating compliance officers from other credit unions.
Location: United States
Date Breach First Reported:2/8/2019
Method: Phishing
Type: N/A
Type: Unknown
Attribution: Unknown
Multiple credit unions in the United States were hit by spear-phishing emails impersonating compliance officers from other credit unions. Under the Bank Secrecy Act (BSA), financial institutions are required to have dedicated compliance personnel responsible for reporting suspicious transactions and potentially fraudulent activity to the U.S. government. Emails sent to these compliance officers contained a PDF with a malicious link. While it is believed that no employee clicked the link, there is speculation as to how the attackers obtained the email addresses of the compliance officers.
The State Bank of India, the country’s largest, has denied claims that its servers were compromised during a recent intrusion.
Location: India
Date Breach First Reported:2/4/2019
Method: Unknown
Type: Unknown
Type: Unknown
Attribution: Unknown
The State Bank of India, the country’s largest, has denied claims that its servers were compromised during a recent intrusion. Multiple media outlets reported an SBI server was unprotected, and as a result attackers were able to gain access to the system and steal users’ personal information. Despite the claims, the bank said their investigation revealed that SBI’s servers remained fully protected and that no breach had occurred.
UK-based Metro Bank became the first major bank to suffer from a new type of cyber intrusion that intercepts text messages with two-factor authentication codes used to verify various customer transactions.
Location: United Kingdom
Date Breach First Reported:2/2/2019
Method: Other
Type: Disruption
Type: Unknown
Attribution: Unknown
UK-based Metro Bank became the first major bank to suffer from a new type of cyber intrusion that intercepts text messages with two-factor authentication codes used to verify various customer transactions. The attackers exploited flaws in the Signaling System 7 (SS7) protocol, which is used by telecommunications companies to route text messages around the world. A spokesperson for the bank stated that only a small number of those defrauded were Metro Bank customers.
In February 2019, attackers attempted to steal $32 million from a a Spanish financial institution.
Location: Spain
Date Breach First Reported: 08/30/2019
Method: Multiple
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
In February 2019, attackers attempted to steal $32 million from a a Spanish financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.
Spain’s National Cryptologic Centre (CCN), under the National Intelligence Centre stated in its 2019 Cyberthreats and Trends report that hackers associated with the DPRK government conducted the largest number of reported cyberattacks against Spain in 2018.
In December, hackers infiltrated Chile’s ATM interbank network, Redbanc, after tricking an employee into downloading a malicious program during a fake job interview over Skype.
Location: Chile
Date Breach First Reported: 1/15/2019
Method: Other
Type: Espionage
Type: State-sponsored actor
Attribution: Speculated
In December, hackers infiltrated Chile’s ATM interbank network, Redbanc, after tricking an employee into downloading a malicious program during a fake job interview over Skype. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.
It is believed that the Redbanc employee saw a LinkedIn job advertisement and attended a Skype interview where the attackers asked him to download a software program to submit his application form. The attackers tricked the victim into downloading malware on his system, giving them access to Redbanc’s network. Redbanc claims the event had no impact on its business operations.
The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an attempt to avoid detection by U.S. law enforcement.
Location: United States
Date Breach First Reported:1/10/2019
Method: Cards
Type: Theft
Type: Nonstate actor
Attribution: High confidence
The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an attempt to avoid detection by U.S. law enforcement. A Fuze card is a data storage device that looks like a bank card, but can hold account data for up to thirty cards. Using smartcard technology can help criminals avoid raising suspicions at payment points or if stopped by authorities, as it reduces the need for them to carry large numbers of counterfeit cards on their person.
On April 6, 2021, a security firm reported a new banking trojan called Janeleiro that has been targeting corporate users in Brazil since 2019.
Location: Brazil
Date Breach First Reported:4/6/2021
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
On April 6, 2021, a security firm reported a new banking trojan called Janeleiro that has been targeting corporate users in Brazil since 2019. The affected sectors include engineering, healthcare, retail, manufacturing, finance, transportation, and government. The malware steals the personal information and banking credentials of users through fake pop-ups that imitate Brazilian banks websites.
In November, hackers breached Evercore gaining access to thousands of sensitive documents from the global investment bank.
Location: Western Europe
Date Breach First Reported:12/23/2018
Method: Phishing
Type: Data breach
Type: Nonstate actor
Attribution: Speculated
In November, hackers breached Evercore gaining access to thousands of sensitive documents from the global investment bank. The attackers used phishing tactics to gain access to an employee’s inbox, enabling them to steal around 160,000 pieces of data including documents, diary invitations, and emails. A source at the bank believes the motivation for the breach was to access the administrator's address book to send more phishing emails. The source also claims no data had been misused in result of the breach.
In August 2017, Click2Gov, an online bill-payment portal used to pay for local government services in the United States, was the victim of a data breach.
Location: United States
Date Breach First Reported:12/18/2018
Method: Other
Type: Data breach
Type: Nonstate actor
Attribution: Speculated
In August 2017, Click2Gov, an online bill-payment portal used to pay for local government services in the United States, was the victim of a data breach. The breach exposed customer data including payment card details and log-in credentials of users in over forty U.S. cities. Threat intelligence firm Gemini Advisory discovered that several users’ card details were sold on the dark web for approximately £10. Gemini identified 294,929 compromised payment records, resulting in at least $1.7 million in earnings for the criminals.
In mid-December, a report revealed that over 2,000 mobile banking users in Brazil downloaded an Android-based Trojan through Google Play applications.
Location: Brazil
Date Breach First Reported:12/13/2018
Method: Malware
Type: Theft
Type: Nonstate actor
Attribution: Speculated
In mid-December, a report revealed that over 2,000 mobile banking users in Brazil downloaded an Android-based Trojan through Google Play applications. Victims unknowingly downloaded the malware, allowing attackers to gain access to user devices and data. The “Android.BankBot.495” malware was designed to read the victim’s information when they logged into their mobile banking app. Reports suggest that the malware also targeted apps such as Uber, Netflix, and Twitter using phishing tactics.
In late 2018, security researchers uncovered that Cobalt, a state-sponsored threat group that specializes in attacks on financial institutions, had begun employing a new variant of the ThreadKit exploit builder kit to execute phishing schemes utilizing Microsoft Office documents.
Location: Eastern Europe (Ukraine; Poland; Romania; Czech Republic; Hungary; Belarus; Bulgaria; Slovakia; Moldova)
Date Breach First Reported:12/11/2018
Method: Phishing
Type: Espionage
Type: State-sponsored actor
Attribution: Speculated
In late 2018, security researchers uncovered that Cobalt, a state-sponsored threat group that specializes in attacks on financial institutions, had begun employing a new variant of the ThreadKit exploit builder kit to execute phishing schemes utilizing Microsoft Office documents. First observed in October 2017, the new tactics show an evolution of the ThreadKit macro delivery tool and demonstrate the growing range of techniques employed by malicious actors.
In 2017 and 2018, eight banks in Eastern Europe were targeted by attackers who connected electronic devices directly to the banks’ infrastructure.
Location: Eastern Europe
Date Breach First Reported:12/6/2018
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
In 2017 and 2018, eight banks in Eastern Europe were targeted by attackers who connected electronic devices directly to the banks’ infrastructure. Attackers used a range of readily available devices such as netbooks, inexpensive laptops, USB tools, and other devices. The attackers disguised themselves as job seekers or couriers and gained access to the local network from various places inside the victims’ central or regional offices, and even from company branches in different countries. Once they gained access to the target bank’s infrastructure, the attackers scanned its networks to collect valuable information, such as account details for making payments. The attacks are believed to have caused tens of millions of dollars in damages.
On November 14, two Venezuelan men were found guilty of jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand.
Location: United States
Date Breach First Reported:11/14/2018
Method: Malware
Type: Theft
Type: Nonstate actor
Attribution: High Confidence
On November 14, two Venezuelan men were found guilty of jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand. From February to March, the duo stole $125,000 from four ATMs in Indiana, Kentucky, Wisconsin, and most recently Michigan, where they were apprehended.
In December 2018, Postbank, the banking division of South Africa’s post office, experienced an internal data breach resulting in the theft of over $3.2 million and the forced replacement of 12 million cards.
Location: South Africa
Date Breach First Reported: 06/18/2020
Method: Multiple
Type: Theft
Type: Insider
Attribution: Speculated
In December 2018, Postbank, the banking division of South Africa’s post office, experienced an internal data breach resulting in the theft of over $3.2 million and the forced replacement of 12 million cards. Employees stole Postbank’s 36-digit master encryption key and used it to access account balances in 25.000 fraudulent transactions over the course of a year.
According to internal documents acquired by journalists, the stolen 36-digit encryption key, “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards.
In November, HSBC reported that hackers had gained access to customer data including names, addresses, phone numbers, and account details.
Location: United States
Date Breach First Reported:11/6/2018
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
In November, HSBC reported that hackers had gained access to customer data including names, addresses, phone numbers, and account details. When HSBC discovered the compromised accounts, they suspended online access for affected customers to prevent further entry to the accounts. At the time of release, HSBC did not provide details on the number of customers affected. However, claims estimate that less than 1 percent of the bank’s U.S. online accounts were potentially compromised.
In early November, Lloyds Banking Group and other UK banks were forced to replace payment cards after the breach of numerous retail sites.
Location: United Kingdom
Date Breach First Reported:11/2/2018
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
In early November, Lloyds Banking Group and other UK banks were forced to replace payment cards after the breach of numerous retail sites. Websites for retailers, including Ticketmaster and British Airways, were manipulated to skim card information from hundreds of thousands of customers using the Magecart toolset.
On October 29, 2018, Bank Islami in Pakistan detected a cyber attack on its international payment card network.
Location: Pakistan
Date Breach First Reported:10/29/2018
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On October 29, 2018, Bank Islami in Pakistan detected a cyber attack on its international payment card network. The bank uncovered suspicious transactions from payment cards outside of Pakistan and immediately shut down its international payment scheme. The bank confirmed that around 2.6 million Pakistani rupees (roughly $19,500) were withdrawn from customer accounts. Following the incident, the State Bank of Pakistan (SBP) issued directives to all banks, encouraging them to ensure the security of all payment cards and monitor card activity on a real-time basis.
On October 27, cybersecurity firm Group-IB reported a spike in sales of card details from Pakistani customers on Joker’s Stash, a popular online marketplace for stolen information.
Location: Pakistan
Date Breach First Reported: 10/27/2018
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On October 27, cybersecurity firm Group-IB reported a spike in sales of card details from Pakistani customers on Joker’s Stash, a popular online marketplace for stolen information. Group-IB identified more than 150,000 card details from at least three Pakistani banks. The Pakistani Federal Investigation Agency revealed that almost all the nation’s banks had been affected. However, the State Bank of Pakistan has disputed the scale of the incident. The compromise of card details came weeks after Karachi-based Bank Islami suffered a breach of its payment cards system.
On October 22, 2018, unknown hackers attacked insurance firm AXA, causing problems to the SPEI interbank payment matching system.
Location: Mexico
Date Breach First Reported:10/23/2018
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On October 22, 2018, unknown hackers attacked insurance firm AXA, causing problems to the SPEI interbank payment matching system. This incident prompted Mexico’s central bank to raise the security alert level on its payments system. AXA reported no client information or money was affected by the incident.
On October 5, 2018, Hetzner, a popular web hosting platform in South Africa, was once again targeted in a security breach—the second such breach in a year.
Location: South Africa
Date Breach First Reported:10/11/2018
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On October 5, 2018, Hetzner, a popular web hosting platform in South Africa, was once again targeted in a security breach—the second such breach in a year. The hackers gained access to private customer information, including email addresses, phone numbers, and bank account information. Credit card information and user website passwords were not accessed. The company noticed the suspicious activity and launched an investigation, warning customers to beware phishing attacks.
In October 2018, the Indian subsidiary of the State Bank of Mauritius was targeted by attackers who attempted to steal $14 million through compromised IT systems.
Location: Mauritius
Date Breach First Reported:10/2/2018
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
In October 2018, the Indian subsidiary of the State Bank of Mauritius was targeted by attackers who attempted to steal $14 million through compromised IT systems. The bank managed to recover $10 million in the days following the attack and said no customers would lose money as a result. The thieves reportedly withdrew the funds using fraudulent messages on the SWIFT interbank messaging network.
On September 14, 2018, approximately $60 million in virtual currency was stolen from Zaif, a Japanese cryptocurrency exchange.
Location: Japan
Date Breach First Reported: 09/14/2018
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On September 14, 2018, approximately $60 million in virtual currency was stolen from Zaif, a Japanese cryptocurrency exchange.
The attackers accessed the exchange’s hot wallets to steal roughly $60 million in bitcoin, bitcoin cash, and MonaCoin. The identity of the attackers remains unknown.
First reported in 2018, Russian-speaking hackers, dubbed Silence by researchers at Group IB, targeted Russian banks, stealing $550,000 within a year.
Location: Russia
Date Breach First Reported:9/5/2018
Method: Multiple
Type: Theft
Type: Nonstate actor
Attribution: Speculated
First reported in 2018, Russian-speaking hackers, dubbed Silence by researchers at Group IB, targeted Russian banks, stealing $550,000 within a year. After an unsuccessful attempt to penetrate the Russian Central Bank’s automated workstation client, the group attacked ATMs directly and through the supply chain, using phishing emails as its means of entry to the networks.
Over the weekend of August 17–19, 2018, an attack took place on Peruvian banks that forced at least one bank to take down its internet banking services and some card transactions.
Location: Peru, Thailand, Malaysia, Indonesia, United States, Latin America
Date Breach First Reported:8/17/2018
Method: Ransomware
Type: Disruption
Type: State-sponsored actor
Attribution: Speculated
Over the weekend of August 17–19, 2018, an attack took place on Peruvian banks that forced at least one bank to take down its internet banking services and some card transactions. There were reports that a new strain of ransomware was involved. The extent of the damage done remains unclear, but there were no indications in the weeks afterward that the attack targeted payment systems, or was a smokescreen for other activity.
In August 2018, it was reported that Cosmos Bank, the second-biggest cooperative bank in India, lost $13.5 million through ATMs in twenty-eight countries as well as through unauthorized interbank transactions.
Location: India
Date Breach First Reported:8/11/2018
Method: Multiple
Type: Theft
Type: State-sponsored actor
Attribution: Speculated
In August 2018, it was reported that Cosmos Bank, the second-biggest cooperative bank in India, lost $13.5 million through ATMs in twenty-eight countries as well as through unauthorized interbank transactions. The attackers seem to have stolen card information and also set up their own proxy server so transactions with stolen details would not trigger alarms. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.
Over the course of just a few hours on August 11, the group coordinated almost 15,000 transactions to cash out funds through ATMs worldwide using compromised Visa and Rupay cards. Two days later, the attackers made further fraudulent transactions through the bank’s interface to the SWIFT messaging system—a technique used in numerous bank attacks, including against fellow Indian lender City Union Bank (CUB) in February.
The parallels with the CUB heist continued after police arrested several suspects accused of taking the funds from ATMs. Four of the people involved also admitted playing a role in the earlier theft, according to investigators in September.
The attack left Cosmos’s online banking service offline for more than a week, and the funds have not been recovered. There were signs that an attack on a bank was coming. Two days before the incident, the FBI issued a warning to banks about an imminent ATM cash-out scheme, without providing further public details.
In May 2016 and January 2017, the National Bank of Blacksburg, based in the state of Virginia, was hit by phishing emails that enabled intruders to install malware and pivot into the Star Network, a U.S. bank card processing service.
Location: United States
Date Breach First Reported:7/24/2018
Method: Multiple
Type: Theft
Type: Unknown
Attribution: Unknown
In May 2016 and January 2017, the National Bank of Blacksburg, based in the state of Virginia, was hit by phishing emails that enabled intruders to install malware and pivot into the Star Network, a U.S. bank card processing service. The 2017 attack gave wider access to bank networks and enabled the thieves to withdraw $1.8 million over the course of a weekend, taking total losses to $2.4 million. According to a lawsuit filed by the bank against its insurer to recover more of its losses, an investigation after the second attack concluded that both incidents were by the same group, using tools and servers of Russian origin.
On July 3, 2018, attackers targeted Russia’s version of the SWIFT interbank network, the Automated Workstation Client, to siphon around $1 million from PIR Bank.
Location: Russia
Date Breach First Reported:7/19/2018
Method: Multiple
Type: Theft
Type: Nonstate actor
Attribution: Speculated
On July 3, 2018, attackers targeted Russia’s version of the SWIFT interbank network, the Automated Workstation Client, to siphon around $1 million from PIR Bank. After breaching the network through an outdated router, the group attempted to install Powershell scripts to remain on the banks’ systems. A report by Group IB, which responded to the incident, attributed it to an established criminal group named MoneyTaker that has targeted more than a dozen banks in the United States, Russia, and the UK since 2016.
On June 19, 2018, approximately $31 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, marking the third theft in the last 16 months.
Location: South Korea
Date Breach First Reported:08/30/2019
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On June 19, 2018, approximately $31 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange, marking the third theft in the last 16 months. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. Proceeds were laundered through a separate crypto-currency exchange called YoBit. The company stated they would compensate customers affected.
On June 16, 2018, South African insurer Liberty Holdings was targeted by hackers who claimed to have seized data from the firm.
Location: South Africa
Date Breach First Reported:06/18/2018
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
On June 16, 2018, South African insurer Liberty Holdings was targeted by hackers who claimed to have seized data from the firm. The hackers threatened to publicly disclose the data unless compensated. Liberty Holdings refused to pay up, suspecting that the stolen data was largely comprised of recent email exchanges.
On June 10, 2018, approximately $37 million in virtual currency was stolen from Coinrail, a South Korean cryptocurrency exchange.
Location: South Korea
Date Breach First Reported:06/10/2018
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On June 10, 2018, approximately $37 million in virtual currency was stolen from Coinrail, a South Korean cryptocurrency exchange. The identity of the attackers remains unknown.
In June 2018, attackers attempted to steal $32 million from a Liberian financial institution.
Location: Liberia
Date Breach First Reported:08/30/2019
Method: Multiple
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
In June 2018, attackers attempted to steal $32 million from a Liberian financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.
In 2018, it was revealed that up to 90,000 clients of the Canadian banks Simplii and Bank of Montreal (BMO) had been exposed by a data breach that the organization blamed on unidentified fraudsters.
Location: Canada
Date Breach First Reported:5/28/2018
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
In 2018, it was revealed that up to 90,000 clients of the Canadian banks Simplii and Bank of Montreal (BMO) had been exposed by a data breach that the organization blamed on unidentified fraudsters. Bank of Montreal said there was a threat to make the data public from the group, which it thinks is behind the thefts from both banks. Simplii and BMO are now facing a class action lawsuit, with those involved arguing that the banks failed to properly protect sensitive information.
In May 2018, Banco de Chile suffered a $10 million theft after the attackers used destructive software as cover for a fraudulent SWIFT transfer.
Location: Chile
Date Breach First Reported:5/24/2018
Method: Malware
Type: Disruption, theft
Type: State-sponsored actor
Attribution: Speculated
In May 2018, Banco de Chile suffered a $10 million theft after the attackers used destructive software as cover for a fraudulent SWIFT transfer. The bank’s 9,000 workstations and 500 servers failed on May 24 as the KillMBR wiper tool rendered them unable to boot up, adding it to the growing ranks of Latin American banks suffering cyber attacks. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.
On May 23, ViewFines, an online traffic website, suffered a major data breach involving the personal records of 934,000 South African drivers.
Location: South Africa
Date Breach First Reported:5/24/2018
Method: Other
Type: Data breach
Type: Unknown
Attribution: Unknown
On May 23, ViewFines, an online traffic website, suffered a major data breach involving the personal records of 934,000 South African drivers. The leak was the result of the company's faulty practice of creating a temporary backup on a publicly viewable directory. A week after the incident, the company sent warning emails to all of its users about the breach.
Banco de Mexico warned a dozen banks to upgrade their security following $15 million in fraudulent cash withdrawals from five institutions linked to the central bank’s electronic payments system, SPEI.
Location: Mexico
Date Breach First Reported:5/12/2018
Method: Software vulnerability
Type: Theft
Type: Unknown
Attribution: Unknown
Banco de Mexico warned a dozen banks to upgrade their security following $15 million in fraudulent cash withdrawals from five institutions linked to the central bank’s electronic payments system, SPEI. A vulnerability in third-party software connected to SPEI was used by unknown attackers to get into the system and make a series of fraudulent transactions before cashing out.
The investigators have not made clear whether each victim bank was compromised, or whether the attackers moved between them following the initial breach. It is also unclear whether the gang had insider help to clear large transactions through the banks’ security checks. The incidents delayed legitimate transfers but the central bank said client money and the SPEI infrastructure were unaffected.
Following the thefts, Banco de Mexico set up a new cybersecurity unit and asked its members to move to an in-house, encrypted software with SPEI. The incident came five months after Bancomext, the state-owned trade bank, blocked attempts to siphon off $110 million via a compromise in the network that granted attackers access to the global SWIFT interbank system.
In April 2018, it was revealed that authorities in five countries worked together to take down Webstresser, a DDoS-for-hire site they said was behind up to 6 million attacks around the world over three years.
Location: Western Europe
Date Breach First Reported:4/1/2018
Method: DDOS
Type: Disruption
Type: Nonstate actor
Attribution: Speculated
In April 2018, it was revealed that authorities in five countries worked together to take down Webstresser, a DDoS-for-hire site they said was behind up to 6 million attacks around the world over three years. The site was used to launch a coordinated attack on seven UK banks in November 2017, according to the UK’s National Crime Agency. Several people have been arrested, and the U.S. Department of Defense seized the website.
On March 29, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $390 million from the Malaysian Central Bank.
Location: Malaysia
Date Breach First Reported: 08/30/2019
Method: Multiple
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On March 29, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $390 million from the Malaysian Central Bank.
According to the Malaysian Central Bank no funds were stolen during the incident and the bank's payment systems remained unaffected and operational. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.
In March 2018, two Venezuelan men were arrested for jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand.
Location: United States
Date Breach First Reported:3/18/2018
Method: Malware
Type: Theft
Type: Nonstate actor
Attribution: High confidence
In March 2018, two Venezuelan men were arrested for jackpotting, where they installed malicious software or hardware on ATMs to force the machines to dispense huge volumes of cash on demand. From February to March, the duo stole $125,000 from four ATMs in Indiana, Kentucky, Wisconsin, and most recently Michigan, where they were apprehended. The pair were sentenced to federal prison in November 2018 for conspiracy to commit bank robbery.
Two financial firms were among the various U.S. targets of a hacking group operating under the guise of the Mabna Institute, which used password spraying to access information.
Location: United States
Date Breach First Reported:3/23/2018
Method: Password spraying
Type: Data breach
Type: State-sponsored actor
Attribution: Speculated
Two financial firms were among the various U.S. targets of a hacking group operating under the guise of the Mabna Institute, which used password spraying to access information. The actors are accused by the United States of stealing 31 terabytes of academic and commercial information in a campaign dating as far back as 2013. Nine Iranians have been charged by the United States, which claims the group acts on behalf of the Islamic Revolutionary Guard Corps and has imposed sanctions on numerous individuals and companies in the country as a result.
In February 2018, City Union Bank in India suffered a breach that allowed $1 million to be transferred to a Chinese institution.
Location: India
Date Breach First Reported:2/18/2018
Method: Malware
Type: Theft
Type: State-sponsored actor
Attribution: Speculated
In February 2018, City Union Bank in India suffered a breach that allowed $1 million to be transferred to a Chinese institution. The attackers tried to make three transactions totaling $2 million, sending money to Dubai and Turkey, but were thwarted by City Union Bank and the corresponding bank on the receiving end of the transfer. Two years earlier, attackers attempted but failed to make a $170 million SWIFT transfer out of the Union Bank of India. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.
On February 9, 2018, BitGrail, a small Italian cryptocurrency exchange, announced that attackers had stolen $170 million in Nano, a cryptocurrency. The identity of the attackers remains unknown.
Location: Italy
Date Breach First Reported:02/10/2018
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On February 9, 2018, BitGrail, a small Italian cryptocurrency exchange, announced that attackers had stolen $170 million in Nano, a cryptocurrency. The identity of the attackers remains unknown.
In February 2018, it was revealed that thirty-six people from seven countries had been indicted in the United States for their alleged involvement in the Infraud Organization, which law enforcement officials say sells stolen personal and financial information.
Location: Netherlands
Date Breach First Reported:2/7/2018
Method: Multiple
Type: Theft
Type: Nonstate actor
Attribution: Speculated
In February 2018, it was revealed that thirty-six people from seven countries had been indicted in the United States for their alleged involvement in the Infraud Organization, which law enforcement officials say sells stolen personal and financial information. More than half a billion dollars was lost by the victims, the U.S. Department of Justice said, with a trail going back to October 2010. The organization was said to have more than 10,000 registered members who bought and sold illicit products including malware, data from credit card dumps, and information needed for identity fraud.
In January, ABN Amro, Rabobank, and ING suffered disruptions to online and mobile banking services, while the Dutch tax authority website was taken down for several minutes.
Location: Netherlands
Date Breach First Reported:1/29/2018
Method: DDOS
Type: Disruption
Type: Nonstate actor
Attribution: High confidence
In January, ABN Amro, Rabobank, and ING suffered disruptions to online and mobile banking services, while the Dutch tax authority website was taken down for several minutes. Initial reports raised concerns of a Russian connection to the attack, as it came a week after a media report that Dutch intelligence agents had infiltrated the Russian threat group APT 29. However, an eighteen-year-old from the Dutch city of Oosterhout was arrested in February for the attack, having claimed online that he bought a “stresser” tool for €40 that enabled him to send a deluge of traffic to victim websites.
On January 26, 2018, $534 million worth of NEM, a cryptocurrency was stolen from Coincheck, a Japanese cryptocurrency exchange, forcing Coincheck to freeze all transactions.
Location: Japan
Date Breach First Reported: 01/26/2018
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On January 26, 2018, $534 million worth of NEM, a cryptocurrency was stolen from Coincheck, a Japanese cryptocurrency exchange, forcing Coincheck to freeze all transactions.
In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. NEM Foundation president Lon Wong called the incident, “the biggest theft in the history of the world.” Group-IB, a Singapore-based security firm, also attributed the theft to Lazarus, a group of North Korean hackers, in October 2018.
On January 17, fraudsters stole Sh29 million from the National Bank of Kenya.
Location: Kenya
Date Breach First Reported:09/21/2018
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
On January 17, fraudsters stole Sh29 million from the National Bank of Kenya. The bank has noted that the attempted fraud was frustrated by the system's monitoring and security platforms, and that they were confident they could recover the siphoned funds.
On January 9, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $110 million from Bancomext, Mexico’s state-owned trade bank, but the money was ultimately recovered.
Location: Mexico
Date Breach First Reported:08/30/2019
Method: Multiple
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On January 9, 2018, attackers attempted to use fraudulent SWIFT transactions to steal $110 million from Bancomext, Mexico’s state-owned trade bank, but the money was ultimately recovered. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.
In January 2018, attackers attempted to steal $19 million from a private Costa Rican financial institution.
Location: Costa Rica
Date Breach First Reported: 08/30/2019
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
In January 2018, attackers attempted to steal $19 million from a private Costa Rican financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft.
In a submission to the United Nations Security Council Panel of Experts, the Costa Rican government confirmed that an investigation was launched by the Office of the Public Prosecutor’s Division on Fraud.
On December 6, 2017, approximately $70 million was stolen from NiceHash, a Slovenian cryptocurrency mining service.
Location: Slovenia
Date Breach First Reported:12/06/2017
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On December 6, 2017, approximately $70 million was stolen from NiceHash, a Slovenian cryptocurrency mining service. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.
On December 19, 2017, YouBit, a South Korean cryptocurrency exchange, was hacked for the second time that year and had 17 percent of it's digital currency stolen by attackers, which forced it to stop trading.
Location: South Korea
Date Breach First Reported:12/19/2017
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: Speculated
On December 19, 2017, YouBit, a South Korean cryptocurrency exchange, was hacked for the second time that year and had 17 percent of it's digital currency stolen by attackers, which forced it to stop trading. It later declared bankruptcy as a result. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.
In November 2017, an unknown whistle-blower leaked a trove of secret records on offshore companies to the German newspaper Süddeutsche Zeitung, which shared the details with 380 journalists around the world.
Location: Multiple
Date Breach First Reported:11/5/2017
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
In November 2017, an unknown whistle-blower leaked a trove of secret records on offshore companies to the German newspaper Süddeutsche Zeitung, which shared the details with 380 journalists around the world. The Paradise Papers, covering the law firm Appleby’s business as far back as 1950, shone a light on offshore tax affairs in thirty jurisdictions, including Bermuda and the Cayman Islands, the heart of the global hedge fund industry. Appleby has said it was the victim of a cyber attack, alleging the intruder “deployed the tactics of a professional hacker.” The breach came just over a year after the Panama Papers, documents from law firm Mossack Fonseca that were leaked to the same newspaper.
In early November, Hetzner, one of South Africa’s largest hosting companies, was hacked, exposing hundreds of thousands of domain names, bank account details, and other personal information.
Location: South Africa
Date Breach First Reported:11/6/2017
Method: SQL injection
Type: Data breach
Type: Unknown
Attribution: Unknown
In early November, Hetzner, one of South Africa’s largest hosting companies, was hacked, exposing hundreds of thousands of domain names, bank account details, and other personal information. Although hackers did not gain access to credit card information, the incident did leave many organizations vulnerable to bad actors who could gain control of their websites. An SQL injection vulnerability was identified and fixed.
In October 2017, the Korean Internet Security Agency thwarted an attack on 10 cryptocurrency exchanges in South Korea.
Location: South Korea
Date Breach First Reported:12/15/2017
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: Speculated
In October 2017, the Korean Internet Security Agency thwarted an attack on 10 cryptocurrency exchanges in South Korea. The attack used sophisticated Business Email Compromise. South Korean media reported the attack was carried out by DPRK-affiliated hackers.
In October 2017, Far Eastern International Bank in Taiwan became the victim of a $14 million theft when hackers planted malware in the company’s systems to access a SWIFT terminal, which was then used to make fraudulent transfers.
Location: Taiwan
Date Breach First Reported:10/1/2017
Method: Malware
Type: Theft
Type: State-sponsored actor
Attribution: Speculated
In October 2017, Far Eastern International Bank in Taiwan became the victim of a $14 million theft when hackers planted malware in the company’s systems to access a SWIFT terminal, which was then used to make fraudulent transfers. The attackers used an unusual ransomware variant named Hermes, but this was likely a distraction for their main objective of using administrative credentials to move funds to Cambodia, the United States, and Sri Lanka. The attack is suspected of being performed by a group that has repeatedly intruded on bank networks to carry out thefts. Most of the stolen money was recovered, and two men were arrested in Sri Lanka after they attempted to withdraw funds. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.
In October 2017, attackers attempted to steal $60 million from a Tunisian financial institution.
Location: Tunisia
Date Breach First Reported:08/30/2019
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
In October 2017, attackers attempted to steal $60 million from a Tunisian financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attack.
On September 23, 2017, virtual currency was stolen from Coinis, a South Korean cryptocurrency exchange, worth an estimate $2.19 million according to reports.
Location: South Korea
Date Breach First Reported:09/23/2017
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On September 23, 2017, virtual currency was stolen from Coinis, a South Korean cryptocurrency exchange, worth an estimate $2.19 million according to reports. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. In December 2017, South Korean newspaper Chosun Ilbo reported that the South Korean government has attributed the attack to DPRK-affiliated actors.
The Securities and Exchange Commission announced in September 2017 that hackers might have accessed inside information from the Edgar database, which contains market-sensitive filings for companies listed on U.S. stock exchanges, and used it to make illegal profits on share trades.
Location: United States
Date Breach First Reported:9/21/2017
Method: Software vulnerability
Type: Data breach
Type: Unknown
Attribution: Unknown
The Securities and Exchange Commission announced in September 2017 that hackers might have accessed inside information from the Edgar database, which contains market-sensitive filings for companies listed on U.S. stock exchanges, and used it to make illegal profits on share trades. The commission did not realize the intrusion, which took place in 2016 through a software vulnerability in a test filing component, could have leaked company secrets until August 2017. The identity of the hackers is unknown, although reports have suggested the perpetrators are based in Eastern Europe.
In one of the biggest data breaches on record, the credit reporting agency Equifax announced in October 2017 that more than 150 million customer records had been compromised, including some sensitive data such as birth dates and 12,000 U.S. social security numbers.
Location: United States
Date Breach First Reported: 9/7/2017
Method: Web app vulnerability
Type: Data breach
Type: State-sponsored actor
Attribution: High confidence
In one of the biggest data breaches on record, the credit reporting agency Equifax announced in October 2017 that more than 150 million customer records had been compromised, including some sensitive data such as birth dates and 12,000 U.S. social security numbers. According to the U.S. government indictments, the breach was carried out by the Chinese People’s Liberation Army (PLA) exploiting a bug in an Apache Struts web application that the company had failed to patch.
The attackers scanned Equifax’s estate for the vulnerability and gained access to the application, an online dispute portal, days after the bug was made public in March—but did not take any data for several months. Once inside the network, the attackers found unencrypted usernames and passwords for other databases, spent seventy-six days on the network, eventually accessing forty-eight different datasets.
Equifax has spent $439 million on redressing the data loss and, a year after disclosure, its share price remained below the pre-breach level. However, the company has avoided fines from the banking regulators in eight U.S. states after agreeing to a deal in June 2018 to improve its cybersecurity oversight.
On February 10 2020, the U.S. Department of Justice indicted four members of the Chinese People’s Liberation Army (PLA) for a targeted intrusion into the networks of Equifax, a credit reporting agency in the United States. The indictment states that the attackers were targeting the private data of millions of Americans, along with Equifax trade secrets, such as ‘data compilations and database plans’. The indictment lists the operators’ affiliation with the 54th Research Institute, formerly part of the PLA and now part of the PLA Strategic Support Force (SSF).
In late August 2017, PesaLink, a jointly-owned payment transfer platform used widely by Kenya's commercial banks, was the victim of a cyberattack.
Location: Kenya
Date Breach First Reported:9/1/2017
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
In late August 2017, PesaLink, a jointly-owned payment transfer platform used widely by Kenya's commercial banks, was the victim of a cyberattack. An official from the company claimed that the attack was halted successfully and that there was no resulting loss of funds or customer data.
In the summer of 2017, a South Korean company’s server was hijacked by attackers and made to mine 70 Monero coins, a cryptocurrency, worth approximately $25,000.
Location: South Korea
Date Breach First Reported:08/30/2019
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
In the summer of 2017, a South Korean company’s server was hijacked by attackers and made to mine 70 Monero coins, a cryptocurrency, worth approximately $25,000. The South Korean Financial Stability Institute attributed the theft to DPRK-affiliated group Andarial in January 2018, and in August 2019, the UN Security Council Panel of Experts also indicated DPRK-affiliated actors were behind the theft.
In February 2017, at least $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange.
Location: South Korea
Date Breach First Reported: 06/29/2017
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On June 29, approximately $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange for the second time in four months. The South Korean National Intelligence Services attributed the theft to the DPRK, and in August 2019, the UN Security Council Panel of Experts also indicated DPRK-affiliated actors were behind the theft.
The attackers gained access to an employee’s personal computer. From there they managed to exfiltrate the details of 3% of the platforms total users including names, emails and phone numbers. The company stated they would compensate customers affected.
On April 22, 2017, approximately $5.6 million in cryptocurrency was stolen from YouBit, a South Korean cryptocurrency exchange then named Yapizon.
Location: South Korea
Date Breach First Reported:12/05/2017
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On April 22, 2017, approximately $5.6 million in cryptocurrency was stolen from YouBit, a South Korean cryptocurrency exchange then named Yapizon. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. Group-IB, a Singapore-based security firm, also attributed the theft to Lazarus, a group of North Korean hackers, in October 2018.
In February 2017, at least $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange.
Location: South Korea
Date Breach First Reported: 12/05/2017
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
In February 2017, at least $7 million in virtual currency was stolen from BitHumb, a South Korean cryptocurrency exchange. The hackers also stole PII from 30,000 customers.
In December 2017, the South Korean government attributed the attack to North Korea. In January 16, 2018, Recorded Future, a security firm known for analyzing state-sponsored attacks, attributed the attack to the Lazarus Group in the North Korean government. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft.
In December 2016, after a number of DDoS attacks on Russian banks throughout the previous month, the Russian Federal Security Service (FSB) announced that it had discovered pending cyber attacks intended to impact a range of major Russian banks.
Location: Russia
Date Breach First Reported: 12/2/2016
Method: DDOS
Type: Disruption
Type: State-sponsored actor
Attribution: Speculated
In December 2016, after a number of DDoS attacks on Russian banks throughout the previous month, the Russian Federal Security Service (FSB) announced that it had discovered pending cyber attacks intended to impact a range of major Russian banks. Servers and command centers purportedly to be used in these attacks were located in the Netherlands and owned by BlazingFast, a Ukrainian hosting company. BlazingFast said it had no information about the asserted attack and that it was unable to find any malicious data. The Dutch Ministry of Security and Justice said that it was aware its infrastructure could be used for cyber attacks elsewhere, and that if the Russian authorities decided to investigate, the Dutch investigating authorities would provide assistance.
On December 9, Rostelecom, Russia’s telecom operator, said in a statement that it had blocked DDoS attacks against the five biggest banks and financial institutions in Russia on December 5. They reached a peak volume of 3.2 million packets per second, which is low compared to the volume of other recent DDoS attacks. The statement further noted that part of the DDoS attacks involved a botnet similar to that used in prior weeks against Germany’s Deutsche Telekom and Ireland’s Eircom, exploiting a vulnerability in home routers. No perpetrators were identified, though the FSB claimed that it was organized by foreign intelligence services and speculated it had been done on behalf of Ukraine, due to the servers’ location and ownership. The FSB stated that it expected the DDoS attacks to be accompanied by text messages, agitating social network publications, and blog statements about a “crisis in the Russian credit and financial system, bankruptcy and withdrawal of licenses of leading federal and regional banks,” and that “the campaign [would be] directed against several dozen Russian cities.” Presumably, this would be an attempt to create a run on Russian banks, initiating a financial crisis. No evidence exists that such action, complementary to the DDoS attacks, was attempted.
In late 2016, the Securities and Exchange Commission (SEC) sued three Chinese traders, arguing that they had installed malware on the networks of two law firms to steal confidential, market-moving information on mergers and acquisitions.
Location: United States
Date Breach First Reported:12/1/2016
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
In late 2016, the Securities and Exchange Commission (SEC) sued three Chinese traders, arguing that they had installed malware on the networks of two law firms to steal confidential, market-moving information on mergers and acquisitions. The men were ordered to pay $8.9 million in penalties, and the trio were also indicted on criminal charges, which are ongoing. Hong Kong refused a request to extradite one of the men to the United States in 2017.
Tesco Bank, a retail bank based in the UK, was the target of thieves who used vulnerabilities in its card issuing process to guess bank card numbers and steal £2.26 million in November 2016.
Location: United Kingdom
Date Breach First Reported: 11/5/2016
Method: Card number guessing
Type: Theft
Type: Unknown
Attribution: Unknown
Tesco Bank, a retail bank based in the UK, was the target of thieves who used vulnerabilities in its card issuing process to guess bank card numbers and steal £2.26 million in November 2016. The unknown attackers likely used an algorithm to generate bank card numbers that used Tesco’s identifying numbers at the start and conformed to the industry-wide Luhn validation scheme that helps protect against accidental errors.
There are around 1 billion possible card numbers for each bank, but regulators have said Tesco Bank’s cards had deficiencies, such as sequential card numbers, that made guessing the full numbers easier. The bank only used basic checks to assess whether cards were genuine, for example merely inspecting whether the debit card would expire in the future instead of making sure the exact expiration date matched its records.
Visa and Mastercard had both previously warned of an increase in the type of fraud seen in this case, which used the magnetic strip to verify the transaction. On November 5, 2016, as the weekend began, the gang started making fraudulent transactions with the card details it had calculated. Almost 9,000 accounts were affected, or 6.6 percent of the bank’s entire customer base. One customer had twenty-two fraudulent transactions totaling £65,000 on his account.
Tesco Bank halted all online and contactless transactions after a day of struggling to block all the fake purchases reported in the United States, Spain, and Brazil. In October 2018, Tesco was fined £16.4 million by the UK’s Financial Conduct Authority for deficiencies in its bank card policies and its response to the incident.
On October 31, a distributed denial-of-service attack was launched against Lonestar MTN, a Liberian network provider.
Location: Liberia
Date Breach First Reported: 11/4/2016
Method: DDoS
Type: Disruption
Type: Non-state actor
Attribution: High confidence
On October 31, a distributed denial-of-service attack was launched against Lonestar MTN, a Liberian network provider. The DDos attack employed the now infamous internet-of-things Mirai botnet to crash large segments of the country's internet. A British hacker named Daniel Kaye was eventually sentenced for the crime after claiming to have been funded by a senior official at Cellcom, another Liberian network provider, to disrupt its competitor Lonestar.
In mid-2016, a number of Indian banks replaced or changed security codes on 3.25 million debit cards after uncovering a breach in Hitachi’s payment switch systems, which link into the ATM network.
Location: India
Date Breach First Reported:10/20/2016
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
In mid-2016, a number of Indian banks replaced or changed security codes on 3.25 million debit cards after uncovering a breach in Hitachi’s payment switch systems, which link into the ATM network. Visa, Mastercard, and India’s Rupay cards were all affected by the compromise.
On July 21, 2016, attackers attempted to use fraudulent SWIFT transactions to steal $170 million from the Union Bank of India (UBI), but the money was ultimately recovered within three days after the transactions were flagged.
Location: India
Date Breach First Reported: 08/30/2019
Method: Multiple
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On July 21, 2016, attackers attempted to use fraudulent SWIFT transactions to steal $170 million from the Union Bank of India (UBI), but the money was ultimately recovered within three days after the transactions were flagged.
Multiple security firms noted the attackers used tactics and techniques similar to the Bangladesh heist four months previously. The attackers sent the money to accounts in Thailand, Cambodia, Australia, Hong Kong and Taiwan, and those accounts belonged to shell companies associated with Chinese-organized crime syndicates. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attempted theft of UBI.
In July 2016, attackers attempted to use fraudulent SWIFT transactions to steal $100 million from a Nigerian bank, but the money was ultimately recovered.
Location: Nigeria
Date Breach First Reported: 08/30/2019
Method: Multiple
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
In July 2016, attackers attempted to use fraudulent SWIFT transactions to steal $100 million from a Nigerian bank, but the money was ultimately recovered.
The attackers initiated fraudulent SWIFT transactions of $100 million from the unnamed Nigerian Bank to bank accounts in Asia, similar to the techniques seen in the 2016 Bangladesh heist. The funds were later returned at the request of the Nigerian bank. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attack on the Nigerian bank, referencing the “African Bank” named in the U.S. Department of Justice 2018 indictment of Park Jin Hyok.
On May 15, 2016, attackers stole $19 million from South Africa’s Standard Bank by making 14,000 withdrawals over 3 hours from 1,700 ATMs across Japan.
Location: South Africa, Japan
Date Breach First Reported: 08/30/2019
Method: Multiple
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
On May 15, 2016, attackers stole $19 million from South Africa’s Standard Bank by making 14,000 withdrawals over 3 hours from 1,700 ATMs across Japan.
UN Security Council Panel of Experts indicated in August 2019 that DPRK-affiliated actors were behind the attack. According to the Japanese government, the attackers used forged cards with data of roughly 3,000 pieces of customer information stolen from Standard Bank to withdraw cash from ATMs located in Tokyo and 16 prefectures across Japan. 260 suspects, including organized crime group members, have been arrested as of July 2019.
In May 2016, hacktivists briefly took down the Bank of Greece’s website, and later did the same to the central banks of Mexico, Panama, Kenya, and Bosnia and Herzegovina.
Location: Panama, Greece, Mexico, Kenya, Bosnia and Herzegovina
Date Breach First Reported:5/4/2016
Method: DDOS
Type: Disruption
Type: Nonstate actor
Attribution: High confidence
In May 2016, hacktivists briefly took down the Bank of Greece’s website, and later did the same to the central banks of Mexico, Panama, Kenya, and Bosnia and Herzegovina. Anonymous claimed responsibility as part of Operation Icarus, a campaign against central banks.
In April 2016, an anonymous source leaked 2.6 terabytes of information from the Panamanian law firm Mossack Fonseca to the German newspaper Süddeutsche Zeitung.
Location: Panama
Date Breach First Reported:4/3/2016
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
In April 2016, an anonymous source leaked 2.6 terabytes of information from the Panamanian law firm Mossack Fonseca to the German newspaper Süddeutsche Zeitung. The journalists shared the 11.5 million leaked documents with a dozen global news organizations to simultaneously print stories about the money-laundering, tax affairs, and financial secrecy within. The revelations had far-reaching effects, including the resignation of the Icelandic prime minister, a number of tax evasion investigations, and the closure of Mossack Fonseca.
On February 22, 2016, a hacking group called DownSec Belgium shut down the website for Belgium’s National Bank for most of the morning using DDoS attacks.
Location: Belgium
Date Breach First Reported:2/22/2016
Method: DDOS
Type: Disruption
Type: Nonstate actor
Attribution: High confidence
On February 22, 2016, a hacking group called DownSec Belgium shut down the website for Belgium’s National Bank for most of the morning using DDoS attacks. Little information has been reported about the attack, but it followed similar DDoS attacks by the same group against the websites for the Belgian Federal Agency for Nuclear Control, the country’s Crisis Center, and its federal cyber emergency team. DownSec Belgium claims to fight against corrupt government abuses.
In February 2016, media outlets reported that hackers had breached the network of the Bangladesh central bank and sent thirty-five fraudulent transfer requests to the Federal Reserve Bank of New York, totaling nearly $1 billion.
Location: Bangladesh
Date Breach First Reported: 2/1/2016
Method: Malware
Type: Theft
Type: State-sponsored actor
Attribution: Speculated
In February 2016, media outlets reported that hackers had breached the network of the Bangladesh central bank and sent thirty-five fraudulent transfer requests to the Federal Reserve Bank of New York, totaling nearly $1 billion. Four of these fraudulent requests succeeded, and the hackers were able to transfer $81 million to accounts in the Philippines, representing one of the largest bank thefts in history. A fifth request for $20 million to be sent to an account in Sri Lanka was stopped due to the recipient’s name, Shalika Foundation, being misspelled “fandation.” The remaining transfers, which totaled somewhere between $850 and $870 million, were also stopped before they could be completed due to a stroke of good fortune: the name of the destination bank branch included the word “Jupiter,” which was the name of an unrelated company on a sanctions blacklist. In August 2019, the UNSC Panel of Experts indicated DPRK-affiliated actors were behind the attack.
The hackers had introduced malware onto the Bangladesh central bank’s server and deployed keylogger software that allowed them to steal the bank’s credentials for the SWIFT system. The hackers also custom-designed a malware toolkit that compromised SWIFT’s Alliance Access system and was designed to cover their tracks. This toolkit allowed them to delete records of transfer requests, bypass validity checks, delete records of logins, manipulate reporting of balances, and stop attached printers from printing transaction logs. Although the malware was custom-designed to steal from the Bangladesh central bank, the toolkit could potentially be used against other banks in the SWIFT system running Alliance Access software.
The intruders had monitored the bank’s routine activity in order to create money transfer requests that appeared genuine. Furthermore, they timed the thefts so that it would be the weekend in Bangladesh when the Federal Reserve reached out to confirm the transactions, and then it would be the weekend in New York when the Bangladesh central bank employees instructed the Federal Reserve to cancel the transactions. "
In December 2015, attackers stole $16 million from a Guatemalan financial institution.
Location: Guatemala
Date Breach First Reported:08/30/2019
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: High confidence
In December 2015, attackers stole $16 million from a Guatemalan financial institution. In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the attack.
In late 2015, hackers threatened to disable systems at three Greek banks unless they paid a bitcoin ransom.
Location: Greece
Date Breach First Reported:11/30/2015
Method: DDOS
Type: Disruption
Type: Nonstate actor
Attribution: Speculated
In late 2015, hackers threatened to disable systems at three Greek banks unless they paid a bitcoin ransom. When the banks refused, they had their sites repeatedly knocked out for several hours. The group claiming responsibility for the extortion said it was part of the Armada Collective, which had previously targeted numerous businesses including Cloudflare and Proton Mail, although some investigators believed it might have been a copycat attack using the same name. Some suspected original members of the collective were arrested in Europol’s Operation Pleiades in January 2016, which targeted the group DDoS4Bitcoin that has been active since mid-2014.
In November 2015, a teenager was sentenced to community service after carrying out four DDoS attacks against Nordea and Swedbank.
Location: Denmark, Sweden
Date Breach First Reported:11/6/2015
Method: DDOS
Type: Disruption
Type: Nonstate actor
Attribution: High confidence
In November 2015, a teenager was sentenced to community service after carrying out four DDoS attacks against Nordea and Swedbank. The attacks blocked customers from the banks’ websites for hours at a time. The perpetrator’s lawyers said he was “drawn into a circus” where online groups would test the power of botnets.
Beginning on June 12, 2015, the Shanghai Composite Index began to plummet, and by June 19 it had fallen by 13 percent.
Location: China
Date Breach First Reported:6/12/2015
Method: Unknown
Type: Data breach, disruption
Type: Unknown
Attribution: Unknown
Beginning on June 12, 2015, the Shanghai Composite Index began to plummet, and by June 19 it had fallen by 13 percent. Chinese stock markets continued to fall throughout July and August, and again in January and February 2016. Although there is no public evidence, some have speculated that the initial sudden crash may have been caused by a cyber attack.
In May 2015, the Vietnamese bank Tien Phong announced it had blocked a fraudulent SWIFT transaction worth €1m several months before attackers successfully stole from the Bank of Bangladesh using the same method.
Location: Vietnam
Date Breach First Reported:5/15/2015
Method: Unknown
Type: Theft
Type: State-sponsored actor
Attribution: Speculated
In May 2015, the Vietnamese bank Tien Phong announced it had blocked a fraudulent SWIFT transaction worth €1m several months before attackers successfully stole from the Bank of Bangladesh using the same method. Tien Phong did not name the bank that had been the source of the fraudulent transfer request.
In April 2015, a threat group twinned malware with a sophisticated social engineering tactic to steal more than $1 million from businesses.
Location: Multiple
Date Breach First Reported:4/2/2015
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
In April 2015, a threat group twinned malware with a sophisticated social engineering tactic to steal more than $1 million from businesses. A variant of Dyre malware named Upatre, which spread through victims’ email contacts, was used to block hundreds of bank websites on the victim’s device. The victim was then prompted to call a helpline number—actually staffed by a member of the gang who would then harvest the victim’s banking credentials and subsequently make fraudulent wire transfers.
In February 2015, reports indicated that records for almost 80 million customers were stolen from Anthem, a U.S. healthcare insurer, after attackers deployed a spearphishing email that gave access to ninety of the company’s systems, including its back-end database.
Location: United States
Date Breach First Reported:2/4/2015
Method: Phishing
Type: Data breach
Type: State-sponsored actor
Attribution: Speculated
In February 2015, reports indicated that records for almost 80 million customers were stolen from Anthem, a U.S. healthcare insurer, after attackers deployed a spearphishing email that gave access to ninety of the company’s systems, including its back-end database. The stolen data was taken over the course of several weeks and included personal information, such as social security numbers. A subsequent report by the California Department of Insurance pointed to a national government as the likely culprit for the attack, and suggested the initial breach occurred in February 2014, meaning Anthem was exposed for a year before the compromise was discovered. Anthem ended up settling a lawsuit relating to the data loss for $115 million. Several weeks after the incident was disclosed, fellow insurer Premera Blue Cross announced that around 11 million customer accounts had been compromised by attackers, and rival CareFirst admitted 1.1 million current and former members may have had their information stolen. Some researchers believe the thefts were carried out by the same group. In September 2015, Excellus announced a data loss, with 10 million customers’ data exposed by a breach that initially occurred in December 2013.
In early 2015, a bank in Ecuador was the first known victim in a series of multimillion dollar heists that used compromised payments systems to then transfer funds over the SWIFT interbank messaging network.
Location: Ecuador
Date Breach First Reported: 1/12/2015
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
In early 2015, a bank in Ecuador was the first known victim in a series of multimillion dollar heists that used compromised payments systems to then transfer funds over the SWIFT interbank messaging network. In January 2015, thieves transferred $12 million out of Banco del Austro and routed most of the proceeds to twenty-three companies registered in Hong Kong.
The same method has been used in several thefts in the preceding years including the $81 million Bank of Bangladesh heist in 2016. If an attacker manages to gain access to a bank’s SWIFT terminal, the system can be used to ask other banks to transfer funds. Banco del Austro said it recovered around $2.8 million of the stolen money. The heist came to light in a lawsuit Banco brought against Wells Fargo, which it alleged failed to spot red flags when it approved the fraudulent transaction. The litigation was settled in February 2018 but no details were disclosed.
The Metel banking Trojan, which was discovered in 2011, was repurposed by a criminal gang in 2015 to steal directly from bank ATMs and even manipulate the Russian exchange rate.
Location: Russia
Date Breach First Reported:1/1/2015
Method: Multiple: malware, phishing and browser vulnerabilities
Type: Theft
Type: Unknown
Attribution: Unknown
The Metel banking Trojan, which was discovered in 2011, was repurposed by a criminal gang in 2015 to steal directly from bank ATMs and even manipulate the Russian exchange rate. The group used spearphishing emails or browser vulnerabilities to deliver Metel, also known as Corcow, and access the bank’s systems before pivoting into areas that allowed them to roll back ATM transactions. This meant they could withdraw unlimited amounts of money, automatically resetting the account balance after each transaction. Researchers at Kaspersky, who first reported on the operation, said the gang comprised fewer than ten members and had made no infections outside Russia. In February 2015, Energobank fell victim to a Metel infection that allowed attackers to place some $500 million in currency orders, sending the ruble swinging with extreme volatility between 55 and 66 rubles per dollar for a period of fourteen minutes. However, there is no evidence the attackers profited from the movement. Metel had infected 250,000 devices and more than 100 financial institutions in 2015, according to researchers at Group IB.
In November 2014, the Hawks (South Africa’s Directorate for Priority Crime Investigation) thwarted an insider attempt to defraud the Gautrain Management Agency (GMA), a roads and transportation agency of Gauteng Province.
Location: South Africa
Date Breach First Reported:11/12/2014
Method: Insider threat
Type: Theft
Type: Nonstate actor
Attribution: High confidence
In November 2014, the Hawks (South Africa’s Directorate for Priority Crime Investigation) thwarted an insider attempt to defraud the Gautrain Management Agency (GMA), a roads and transportation agency of Gauteng Province. The attempted theft could have cost the agency up to R800 million. One of the criminals was identified as a rogue employee who had installed key-loggers and programs to override the security measures in an effort to steal financial information.
In October 2014, reports revealed that criminals had written malware to infect Windows-based ATMs and steal millions from machines primarily in Eastern Europe.
Location: Eastern Europe
Date Breach First Reported:10/7/2014
Method: Malware
Type: Theft
Type: Nonstate actor
Attribution: High confidence
In October 2014, reports revealed that criminals had written malware to infect Windows-based ATMs and steal millions from machines primarily in Eastern Europe. The malware, dubbed Tyupkin, was spread by a CD and once installed it laid low, only accepting commands on Sunday and Monday nights. Mules could type in a randomly generated key allowing them to withdraw 40 banknotes. Similar to the Ploutus campaign in Latin America, the Tyupkin group had an organized gang of mules to access the ATMs and collect the money. Eight Romanian and Moldovan nationals were arrested in connection with the scheme in January 2016.
In October 2014, a group claiming to be affiliated with the so-called Islamic State hacked the internal networks of the Warsaw Stock Exchange and posted dozens of login credentials for brokers online.
Location: Poland
Date Breach First Reported:10/1/2014
Method: Unknown
Type: Data breach
Type: State-sponsored actor
Attribution: Speculated
In October 2014, a group claiming to be affiliated with the so-called Islamic State hacked the internal networks of the Warsaw Stock Exchange and posted dozens of login credentials for brokers online. The means by which the group gained access to the exchange’s networks are unknown, but they were reportedly able to infiltrate an investment simulator and a web portal for managing the stock exchange’s upgrade to a new trading system, as well as render the exchange’s website unavailable for two hours. The exchange’s employees say that the trading system itself was not breached. NATO officials later indicated privately that they believed that the hacking group’s claim of being affiliated with Islamic militants was a false flag operation, and that in fact the breach was conducted by APT 28, a group widely believed by security researchers to be affiliated with the Russian government.
In August 2014, the first reports emerged that account information and home addresses for 83 million customers were exposed after attackers stole login credentials from a JPMorgan Chase employee.
Location: United States
Date Breach First Reported: 8/1/2014
Method: Stolen password
Type: Data breach
Type: Nonstate actor
Attribution: High confidence
In August 2014, the first reports emerged that account information and home addresses for 83 million customers were exposed after attackers stole login credentials from a JPMorgan Chase employee. The group entered the network through a single-factor authentication server that had not been upgraded with the rest of the firm’s estate, before gaining access to more than ninety bank servers for several months. However, the bank said the attackers had not accessed more sensitive information, such as social security numbers.
JPMorgan discovered the breach after reportedly finding the same group on a website for a charity race that it sponsors. The size of the incident prompted the National Security Agency and the FBI to join the investigation. Other companies targeted in the attacks included Dow Jones, Fidelity, E*Trade, and Scottrade. The U.S. authorities believe the harvested information was used in securities fraud, money laundering, credit-card fraud, and fake pharmaceuticals.
Nine people so far have been charged in the ongoing probe. A Russian national was extradited from Georgia to the United States in September 2018, although he denied that he was the central hacker in the attacks. The federal authorities in New York said the man worked with an international syndicate from 2012 to 2015 to steal customer information, which was used in numerous crimes including a spam email campaign to falsely tout stocks and shares to ramp up the price. In September 2019, he pleaded guilty to six felony charges in connection with the data breach and other cybercrimes, and he faces up to a lifetime in prison.
In January 2017, a Florida man pleaded guilty to charges linked to funds processed through Coin.mx, an unlicensed bitcoin exchange owned by an Israeli who the United States has alleged masterminded the information stealing campaign. The supposed ringleader was extradited to the United States in 2016 and, according to media reports, entered a plea deal with prosecutors."
In July 2014, the European Central Bank (ECB) announced that hackers had breached the security of a database holding email addresses and other contact data submitted by people registering for events at the bank.
Location: Eastern Europe, Western Europe
Date Breach First Reported: 7/24/2014
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
In July 2014, the European Central Bank (ECB) announced that hackers had breached the security of a database holding email addresses and other contact data submitted by people registering for events at the bank. The ECB said most of the stolen data was encrypted, and no internal systems or sensitive market data had been compromised as the database was separate to those systems. Approximately 20,000 people had their information exposed in non-encrypted form.
The attack came to light after the supposed perpetrators emailed the ECB demanding a ransom payment on July 21. The bank informed the German police, although no further information is available about the investigation.
In July 2014, the pro-Russian group called CyberBerkut hacked into PrivatBank, one of Ukraine’s largest commercial banks, and published stolen customer data on VKontakte, a Russian social media website.
Location: Ukraine
Date Breach First Reported:7/8/2014
Method: Unknown
Type: Data breach
Type: State-sponsored actor
Attribution: Speculated
In July 2014, the pro-Russian group called CyberBerkut hacked into PrivatBank, one of Ukraine’s largest commercial banks, and published stolen customer data on VKontakte, a Russian social media website. The means by which it gained access to the data is unknown. It is believed that CyberBerkut targeted PrivatBank because the bank’s co-owner, Igor Kolomoisky, had offered a $10,000 bounty for the capture of Russian-backed militants in Ukraine. The group warned PrivatBank customers to transfer their money to state-owned banks. CyberBerkut may have connections to the Russian government, but the relative lack of sophistication of their attacks has led some experts to conclude that official links are unlikely.
In 2014, a group of hackers targeted the Road Traffic Management Corporation, stealing R8.5 million through a series of fraudulent transfers before getting caught.
Location: South Africa
Date Breach First Reported:6/14/2014
Method: Unknown
Type: Theft
Type: Non-state actor
Attribution: High confidence
In 2014, a group of hackers targeted the Road Traffic Management Corporation, stealing R8.5 million through a series of fraudulent transfers before getting caught. Eventually, over R4 million was recovered, and several of the hackers were apprehended.
In December 2013, the People’s Bank of China (PBOC) was bombarded with DDoS traffic that reportedly came from disgruntled bitcoin users who were protesting the country’s ban on the decentralized currency.
Location: China
Date Breach First Reported:12/19/2013
Method: DDOS
Type: Disruption
Type: Unknown
Attribution: Unknown
In December 2013, the People’s Bank of China (PBOC) was bombarded with DDoS traffic that reportedly came from disgruntled bitcoin users who were protesting the country’s ban on the decentralized currency. The week before the attack, PBOC had warned that bitcoin was “not a real currency” and that Chinese institutions would not accept bitcoin deposits. With China the largest source of bitcoin trading at the time, the announcement sent the value of the currency down by around 40 percent. The perpetrators of the DDoS attack have not been publicly identified.
In 2013, hackers infected electronic point-of-sale terminals with a malware called Dexter, allowing them to breach most major South African banks and make off with millions of rand.
Location: South Africa
Date Breach First Reported:10/13/2013
Method: Malware
Type: Theft
Type: Non-state actor
Attribution: Speculated
In 2013, hackers infected electronic point-of-sale terminals with a malware called Dexter, allowing them to breach most major South African banks and make off with millions of rand. The fast food industry was a major target for the hackers, who are believed to be part of an organized criminal group.
In September 2013, the malware Ploutus was built to be installed directly on ATMs in order to give an attacker privileged rights, including the ability to dispense cash on demand via SMS or using a keyboard attached to the machine.
Location: Multiple
Date Breach First Reported:9/1/2013
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
In September 2013, the malware Ploutus was built to be installed directly on ATMs in order to give an attacker privileged rights, including the ability to dispense cash on demand via SMS or using a keyboard attached to the machine. The malware has been altered several times to enable its use in new ATM models. Ploutus has resulted in numerous attacks in Mexico and later other countries, including the United States, where in 2018 two men were convicted of installing the malware on cash machines in Connecticut and Rhode Island.
In July 2013, CME Group, which operates the world’s largest futures exchange, announced in November 2013 that its ClearPort clearing service had been compromised the previous July.
Location: United States
Date Breach First Reported:7/1/2013
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
In July 2013, CME Group, which operates the world’s largest futures exchange, announced in November 2013 that its ClearPort clearing service had been compromised the previous July. The firm said some customer information was compromised but that trading was not affected. While large financial firms are generally under no obligation to make data breaches public, the company informed affected customers and announced that it was working with the authorities. The FBI investigated the incident but has released no further information.
In 2013, the source code for the Carbanak banking Trojan was leaked online. Since then, the malware has been used by several gangs to steal from dozens of financial institutions.
Location: United States, Russia, Taiwan, Australia
Date Breach First Reported: 6/1/2013
Method: Malware
Type: Theft
Type: Nonstate actor
Attribution: Speculated
In 2013, the source code for the Carbanak banking Trojan was leaked online. Since then, the malware has been used by several gangs to steal from dozens of financial institutions. The attack strategies have changed many times in order to avoid detection.
The malware is often pushed into financial companies by luring employees to click malicious documents, which provide the attackers a foothold to move across the network to remotely manipulate ATMs, known as “jackpotting,” or to compromise point-of-sale data. The gangs planned each theft carefully, taking between two and four months to complete each intrusion, ultimately using mules to withdraw the funds from ATMs and transfer them to the criminals’ accounts.
Fin7, the most prolific group using Carbanak, has stolen more than €1 billion from banks in more than thirty countries over the past three years, according to Europol. As well as using Carbanak, the gang is understood to use widely available tools such as the Cobalt Strike framework. The group recruited developers to work for an Israeli-Russian front company named Combi Security, and it is not clear whether the employees knew the nature of the work.
The authorities arrested a man thought to be the gang’s ringleader in Spain in March 2018, while in August the U.S. Department of Justice arrested three Ukrainian suspects. The United States claims the group stole the details of 15 million payment cards by attacking more than 120 U.S. companies, including the Chipotle and Arby’s restaurant chains.
Another Trojan, which is named Odinaff and bears a resemblance to Carbanak, was spotted attacking banking, trading, and payroll companies in 2016. It is unclear whether this is the work of Fin7 or another gang. While Fin7 appears to have gone quiet, it is unclear whether this is because activity stopped following the arrests or its techniques have changed again.
In March 2013, almost exactly two years since the last DDoS attack on South Korea, the Shinhan, Nonghyup, and Jeju banks were targeted by a Trojan that deleted data and disrupted ATMs, online banking, and mobile payments.
Location: South Korea
Date Breach First Reported:3/20/2013
Method: Diskwiping
Type: Disruption
Type: State-sponsored actor
Attribution: Speculated
In March 2013, almost exactly two years since the last DDoS attack on South Korea, the Shinhan, Nonghyup, and Jeju banks were targeted by a Trojan that deleted data and disrupted ATMs, online banking, and mobile payments. Trojan.Jokra was used to wipe disks, but the attack varied from its predecessors in that it did not include a DDoS attack. After six months of attacks, South Korean politicians said this wave cost the country almost $650 million in economic damage, making it far larger than the two previous campaigns. The incident was attributed by some to the DarkSeoul gang, a threat actor linked to the North Korean regime that would later be tied to the Sony breach in 2014.
On Christmas Eve 2013, Bank of the West was the victim of a DDoS attack used to disguise $900,000 in fraudulent transfers out of accounts belonging to Ascent Builders, a Californian construction firm.
Location: United States
Date Breach First Reported:2/19/2013
Method: Multiple
Type: Theft
Type: Unknown
Attribution: Unknown
On Christmas Eve 2013, Bank of the West was the victim of a DDoS attack used to disguise $900,000 in fraudulent transfers out of accounts belonging to Ascent Builders, a Californian construction firm. The perpetrators made fraudulent, automated clearinghouse and wire transfers before they knocked the bank’s website offline. A network of more than sixty mules was reportedly used to transfer the money into criminal accounts, making the funds more difficult to trace.
In September 2012, a group called the Cyber Fighters of Izz ad-Din al-Qassam launched several waves of DDoS attacks against U.S. financial institutions.
Location: United States
Date Breach First Reported:9/18/2012
Method: DDOS
Type: Disruption
Type: State-sponsored actor
Attribution: Speculated
In September 2012, a group called the Cyber Fighters of Izz ad-Din al-Qassam launched several waves of DDoS attacks against U.S. financial institutions. Naming the campaign Operation Ababil, the group justified their attacks as retribution for an anti-Islam video released by the U.S. pastor Terry Jones. The attacks were powerful, sending 100 gigabits per second of data to the victim sites, prompting claims that this was beyond the capabilities of a hacktivist group. Some reports said the group had ties to Anonymous, while others made links to the Iranian government—however, the group claimed it acted independently. The campaign launched two additional waves of attacks on December 10, 2012, and March 5, 2013.
In August 2012, online payment service provider PayGate suffered a system breach where credit card and banking details were leaked.
Location: South Africa
Date Breach First Reported:11/12/2012
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
In August 2012, online payment service provider PayGate suffered a system breach where credit card and banking details were leaked. The company confirmed the hack in November but claimed that the breach was confined to August.
In June 2012, U.S. security researchers uncovered a fraud ring attempting to execute high-value transactions worth between €60 million and €2 billion by using a customized Trojan spyware tool.
Location: United States, Colombia
Date Breach First Reported:6/25/2012
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
In June 2012, U.S. security researchers uncovered a fraud ring attempting to execute high-value transactions worth between €60 million and €2 billion by using a customized Trojan spyware tool. Operation High Roller, as it was named by the researchers who uncovered it, was the first gang to automate many of the steps in fraudulent transactions. The malware automatically checked balances, found active mule accounts that could receive stolen funds, and deleted emails confirming transfers. It also managed to bypass two-factor authentication and run its command servers on the cloud. Its targets were chiefly high-balance bank accounts in Europe. U.S. authorities indicted two men, a Russian and an Albanian, who authored the original SpyEye Trojan in 2011 subsequently used during the operation.
In June 2012, the Shanghai Composite Index saw a severe drop on the anniversary of the Tiananmen Square massacre of 1989.
Location: China
Date Breach First Reported:6/4/2012
Method: Unknown
Type: Multiple
Type: Unknown
Attribution: Unknown
In June 2012, the Shanghai Composite Index saw a severe drop on the anniversary of the Tiananmen Square massacre of 1989. While there is no confirmation of any wrongdoing in this case, the Shanghai Composite Index opened at 2,346.98 and fell exactly 64.89 points, matching the date of the incident (June 4, 1989). This led to widespread but unproven speculation about a protest hack that had manipulated trading that day. The Chinese censors blocked online references to the Shanghai Composite Index and several other terms on the anniversary.
In April 2012, a security researcher, Khosrow Zarefarid, dumped online the names, card numbers, and PINs of 3 million people across twenty-two Iranian banks after his reports on vulnerabilities were ignored by the companies involved.
Location: Iran
Date Breach First Reported:4/16/2012
Method: Other
Type: Data breach
Type: Nonstate actor
Attribution: High confidence
In April 2012, a security researcher, Khosrow Zarefarid, dumped online the names, card numbers, and PINs of 3 million people across twenty-two Iranian banks after his reports on vulnerabilities were ignored by the companies involved. However, no funds were stolen in the breach. Google took down the blog containing the information, and the banks urged customers to change their PINs. Zarefarid maintained that he was a whistleblower rather than a hacker.
In February 2012, financial exchange operators Nasdaq, CBOE, and BATS were hit by DDoS attacks for several days, resulting in patchy access to company websites but with no disruptions to trading.
Location: United States
Date Breach First Reported:2/1/2012
Method: DDOS
Type: Disruption
Type: Nonstate actor
Attribution: High confidence
In February 2012, financial exchange operators Nasdaq, CBOE, and BATS were hit by DDoS attacks for several days, resulting in patchy access to company websites but with no disruptions to trading. The activist group Anonymous claimed responsibility for the incident, saying it acted out of sympathy for the Occupy Wall Street protests in New York.
In January 2012, the hacktivist collective Anonymous used DDoS attacks to bring down numerous Brazilian banking websites to protest corruption and inequality in the country.
Location: Brazil
Date Breach First Reported:1/30/2012
Method: DDOS
Type: Disruption
Type: Nonstate actor
Attribution: High confidence
In January 2012, the hacktivist collective Anonymous used DDoS attacks to bring down numerous Brazilian banking websites to protest corruption and inequality in the country. Banco do Brasil, Itaú Unibanco, Citibank, and Bradesco were among those affected by the #OpWeeksPayment campaign. The attackers reprised their campaign around the World Cup in 2014, which Brazil hosted.
From 2012 to 2014, Boleto Bancario, a payments system used for almost half of non-cash transactions in Brazil, was targeted by malware that manipulated the victim’s browser to reroute payments to attacker-controlled accounts.
Location: Brazil
Date Breach First Reported:1/1/2012
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
From 2012 to 2014, Boleto Bancario, a payments system used for almost half of non-cash transactions in Brazil, was targeted by malware that manipulated the victim’s browser to reroute payments to attacker-controlled accounts. The technique compromised $3.75 billion in payments within a two-year period, using several different versions of malware including Eupuds, Boleteiro, and Domingo, according to researchers at RSA. The unidentified gang responsible later changed its “bolware” strategy to introduce DNS poisoning as a means to install the malware, lessening the need for spam emails to spread the malware.
From January 1-3, hackers targeted Postbank, a division of the South African Post Office, breaching the organization's IT system and siphoning off cash into dummy accounts.
Location: South Africa
Date Breach First Reported:1/15/2012
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
From January 1-3, hackers targeted Postbank, a division of the South African Post Office, breaching the organization's IT system and siphoning off cash into dummy accounts. The hackers stole R42 million from accounts through automated teller machines (ATMs) in Gauteng, Free State, and KwaZulu-Natal.
From 2012 to October 2020, an Internet-based fraud scheme generated approximately $50 million in fraudulent investments.
Location: United States
Date Breach First Reported: 01/07/2022
Method: Other
Type: Theft
Type: Unknown
Attribution: Unknown
From 2012 to October 2020, an Internet-based fraud scheme generated approximately $50 million in fraudulent investments. At least 150 fraudulent sites advertising investment opportunities to solicit funds were created as part of the scheme. Victims who reached out following the advertisements spoke with threat actors posing as broker dealers claiming to be employed by finanical institutions that they had spoofed on the scam websites.
In June, Citigroup announced that 360,000 card details in the United States were exposed after attackers exploited a URL vulnerability that allowed them to hop between accounts by slightly changing the website address.
Location: United States
Date Breach First Reported: 6/8/2011
Method: Other
Type: Data breach
Type: Unknown
Attribution: Unknown
In June, Citigroup announced that 360,000 card details in the United States were exposed after attackers exploited a URL vulnerability that allowed them to hop between accounts by slightly changing the website address. The attackers reportedly created a script that would repeat this action tens of thousands of times in order to harvest the information before they were detected by a routine check in early May. The attackers stole names, account numbers, and contact information but were not able to access the card security codes needed to clone the cards, Citigroup said. The bank later settled lawsuits with the states of California and Connecticut over the breach. The website vulnerability was present as early as 2008, according to Connecticut authorities.
In June 2011, bank and retail payment processor Global Payments was hit by a major data breach.
Location: United States
Date Breach First Reported:6/1/2011
Method: Unknown
Type: Theft
Type: Unknown
Attribution: Unknown
In June 2011, bank and retail payment processor Global Payments was hit by a major data breach. The company said unknown attackers had stolen the details of around 1.5 million cards from a handful of servers, with enough information to counterfeit the cards although not customer names or addresses. Details of the intrusion remain scarce, although Vons supermarkets said it detected compromised prepaid credit cards around the same time that appeared related to the Global Payments breach. The incident prompted Mastercard and Visa to warn card-issuing banks about the potential fraud.
In March 2011, South Korea was hit by a widespread DDoS attack, almost two years after a similar campaign in 2009.
Location: South Korea
Date Breach First Reported:3/1/2011
Method: DDOS
Type: Disruption
Type: State-sponsored actor
Attribution: Speculated
In March 2011, South Korea was hit by a widespread DDoS attack, almost two years after a similar campaign in 2009. Targets included Hanabank, Jeilbank, and Wooribank as well as government websites and the network of U.S. Forces Korea. The Koredos Trojan was used to wipe disks on the computers used as command-and-control servers. North Korea is speculated to be behind the ten-day incident.
In February 2011, a criminal gang breached at least three payment processors to take card information during a $55 million stealing spree.
Location: Multiple
Date Breach First Reported: 2/27/2011
Method: Multiple
Type: Theft
Type: Nonstate actor
Attribution: High confidence
In February 2011, a criminal gang breached at least three payment processors to take card information during a $55 million stealing spree. Once inside the processors’ networks, the gang used administrator privileges to steal card and PIN details and lift withdrawal limits. The U.S. authorities said the gang then sent the data to “cashing crews” worldwide, who used it to clone cards. The mules withdrew $10 million through 15,000 fraudulent ATM withdrawals in eighteen countries over the course of a weekend. The American Red Cross had distributed the original prepaid cards to disaster victims.
The gang’s second operation resulted in $5 million in withdrawals in twenty countries. In February 2013, the gang carried out its third and largest operation, taking just hours to withdraw $40 million from twenty-four countries.
A Turkish man named as the gang’s leader, Ercan Findikoglu, was jailed for eight years in the United States in 2017 after extradition from Germany. He has also been convicted in Turkey for conspiring to produce fake cards—with a nineteen-and-a-half-year sentence he is expected to serve upon release in the United States. Three other men were jailed in 2014.
On March 24, 2016, the United States unsealed an indictment of seven Iranians allegedly responsible for the DDoS attacks targeting U.S. financial institutions across a two-year period on behalf of the Iranian government and Islamic Revolutionary Guard Corps.
Location: United States
Date Breach First Reported: 1/1/2011
Method: DDOS
Type: Disruption
Type: State-sponsored actor
Attribution: High confidence
On March 24, 2016, the United States unsealed an indictment of seven Iranians allegedly responsible for the DDoS attacks targeting U.S. financial institutions across a two-year period on behalf of the Iranian government and Islamic Revolutionary Guard Corps. The indictment followed the landmark international deal to limit Iran’s nuclear capabilities in July 2015. Over forty-six financial organizations were targeted over the course of 176 days between December 2011 and mid-2013, the indictment said. The victims, which included Bank of America, the New York Stock Exchange, and Capital One, spent tens of millions of dollars to counteract the attacks, which at their height were occurring on a near-weekly basis.
The seven men were accused of managing several “botnets” consisting of thousands of compromised computers to send malicious traffic to victim website, blocking access for legitimate users. They built the botnet by exploiting a known vulnerability in a popular content management software to install malware. The men worked for two private computer security companies in Iran that allegedly performed tasks for the government. Several were also accused of belonging to hacking groups that have claimed responsibility for attacks on NASA in February 2012.
The political fallout from the attack was far-reaching. The U.S. Treasury Department imposed sanctions against eleven individuals and organizations in September 2017 over their links to Iran, some of whom were accused of participating in the DDoS attack. Meanwhile, U.S. President Donald Trump announced the United States’ withdrawal from the Iran nuclear deal in May 2018.
In early 2011, a virus named Gauss was used to steal inside information from multiple Lebanese banks.
Location: Lebanon
Date Breach First Reported:1/1/2011
Method: Malware
Type: Espionage
Type: State-sponsored actor
Attribution: Speculated
In early 2011, a virus named Gauss was used to steal inside information from multiple Lebanese banks. Gauss, which bore resemblances to the Flame and Stuxnet malware, stole passwords, banking credentials, and browser cookies from infected devices. Most of the 2,500 infections detected by researchers at Kaspersky were on personal computers in Lebanon. News outlets have speculated that this cyber surveillance tool was designed by the U.S. and Israeli governments to circumvent Lebanon’s strict banking secrecy laws, which have made it difficult for global authorities to access information of suspected wrongdoing. These speculations were fueled by a statement made by the United States in March 2011, accusing a Lebanese bank of laundering money for a Mexican drug ring with links to Hezbollah.
On December 24, 2010, South African financial services firm Absa noticed a series of transfers from the Land Bank and froze the accounts.
Location: South Africa
Date Breach First Reported:12/24/2010
Method: Multiple
Type: Theft
Type: Insider
Attribution: High confidence
On December 24, 2010, South African financial services firm Absa noticed a series of transfers from the Land Bank and froze the accounts. Hackers had set up over 30 dummy companies and many more fake accounts, attempting to make off with R150 million. Only R8 million was transferred, with all but R380,000 recovered.
On October 21, 2010, a Malaysian national was arrested by the Secret Service for hacking into Federal Reserve Bank in Cleveland and a range of other U.S. firms.
Location: United States
Date Breach First Reported:11/19/2010
Method: Multiple
Type: Theft
Type: Nonstate actor
Attribution: High confidence
On October 21, 2010, a Malaysian national was arrested by the Secret Service for hacking into Federal Reserve Bank in Cleveland and a range of other U.S. firms. He successfully stole over 400,000 credit and debit card numbers. However, the Federal Reserve said none of its production data was accessed, and that the hacker had only accessed test computers, but the intrusion nevertheless caused thousands of dollars in damage. Several organizations including Fed Comp, a data processor for federal credit unions, were breached. The Malaysian national was jailed for ten years for running the scheme. The U.S. central banking system is a prominent target for attackers. Records obtained by Reuters showed that the Federal Reserve’s Washington-based Board of Governors detected more than fifty breaches between 2011 and 2015.
In October 2010, the FBI detected an intrusion on servers used by financial markets operator Nasdaq.
Location: United States
Date Breach First Reported: 10/1/2010
Method: Malware
Type: Data breach, disruption
Type: Multiple
Attribution: Speculated
In October 2010, the FBI detected an intrusion on servers used by financial markets operator Nasdaq. Further investigation by several U.S. agencies found that hackers had been in the network for around a year. They had used two zero-day exploits to build their presence in the stock exchange’s network, and planted malware on the Director’s Desk system, where directors of publicly held companies share confidential information. Nasdaq said no data was taken, and there was reportedly no evidence of suspicious trades that could be based on information in the system. The malware also included a destructive capability, but it is unclear whether disruption was a goal or simply a tool the attackers might use to cover their tracks. At the same time, a group of criminals penetrated Nasdaq in an incident that some investigators believed was linked. In 2013, following a sprawling investigation, the United States charged four Russians and a Ukrainian man with a string of online break-ins at Nasdaq and other companies dating back to 2005. Carrefour, 7-Eleven, Heartland Payment Systems, and JC Penney were among their other targets, together losing $300 million as a result of the scheme. Breaching Heartland exposed more than 100 million payment cards, ultimately costing the firm $12 million in fines and fees.
The gang was said to have found a vulnerability in the password-reminder page of the Nasdaq site that enabled it to steal information, including hashed passwords, from the firm’s SQL servers.
Two men were jailed in 2018 for twelve years and four years, respectively, for their roles in the gang. The pair helped steal more than 160 million credit card numbers from the companies they breached, according to U.S. prosecutors, using techniques such as “war-driving,” or traveling with a laptop to pick up the signal from unsecured networks. These details were sold via middlemen to “cashers,” who used the information to create cloned cards. Albert Gonzalez, an American known online as Soupnazi, was jailed in 2009 for twenty years. The other indicted men are still at large.
In mid-2010, it was reported that over $200,000 in fraudulent transactions took place in New York and Washington, DC.
Location: United States
Date Breach First Reported:4/15/2010
Method: Other
Type: Theft
Type: Nonstate actor
Attribution: High confidence
In mid-2010, it was reported that over $200,000 in fraudulent transactions took place in New York and Washington, DC. The transactions were traced back to compromised accounts and withdrawals in Pittsburg. Two Romanians were jailed for bank fraud, access device fraud, and aggravated identity theft. While this was one of the first instances of ATM skimming for card details in the United States, the technique was already widespread in Eastern Europe.
In mid-2010, a Russian national based in New York was jailed for three years for stealing and laundering more than $246,000 through Charles Schwab brokerage accounts in 2006.
Location: United States
Date Breach First Reported:4/7/2010
Method: Keylogging
Type: Theft
Type: Nonstate actor
Attribution: High confidence
In mid-2010, a Russian national based in New York was jailed for three years for stealing and laundering more than $246,000 through Charles Schwab brokerage accounts in 2006. The hacker accessed the accounts through a keylogging Trojan, which captured the information of 180 credit cards. The hacker and his accomplices sent a portion of the proceeds back to co-conspirators in Russia, according to the FBI.
In 2010, a Bank of America employee was charged with computer fraud after installing malware on 100 ATMs to steal $304,000 over seven months, in an early example of ATM “jackpotting.”
Location: United States
Date Breach First Reported:4/1/2010
Method: Other
Type: Theft
Type: Nonstate actor
Attribution: High confidence
In 2010, a Bank of America employee was charged with computer fraud after installing malware on 100 ATMs to steal $304,000 over seven months, in an early example of ATM “jackpotting.” The man was jailed for twenty-seven months after admitting to writing code that ordered the ATMs to issue cash without a record of the transaction. He withdrew his funds over the seven months, stopping in October 2009 when Bank of America’s internal control systems spotted the suspicious transactions.
In early 2010, National City Bank identified a number of former debit accounts that had been compromised.
Location: United States
Date Breach First Reported:3/18/2010
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
In early 2010, National City Bank identified a number of former debit accounts that had been compromised. The breach was only discovered after PNC Financial Services acquired the bank in 2008, highlighting the importance of assessing cybersecurity during large mergers and acquisitions. While the new owners announced the breach, they did not reveal the number of customers affected or the amount of money stolen.
Morgan Stanley detected a very sensitive network break-in that lasted six months in 2009, according to leaked emails.
Location: United States
Date Breach First Reported:2/28/2010
Method: Unknown
Type: Data breach, theft
Type: State-sponsored actor
Attribution: Speculated
Morgan Stanley detected a very sensitive network break-in that lasted six months in 2009, according to leaked emails. The bank believed the incident was part of Operation Aurora, carried out by the same state-sponsored attackers that targeted Google, Rackspace, Northrop Grumman, and Yahoo earlier that year.
In early 2010, a hacker leaked financial details of banks, tax records, and state-owned firms to a TV station, to raise public awareness of lucrative public sector salaries during a period of austerity in Latvia.
Location: Latvia
Date Breach First Reported: 2/24/2010
Method: Unknown
Type: Data breach
Type: Nonstate actor
Attribution: High confidence
In early 2010, a hacker leaked financial details of banks, tax records, and state-owned firms to a TV station, to raise public awareness of lucrative public sector salaries during a period of austerity in Latvia. Ilmars Poikans, an IT researcher who used the alias Neo, was arrested shortly afterward and sentenced in 2015 to community service for accessing 7.5 million tax records. He was pardoned in December 2017.
In July 2009, financial institutions in the United States and South Korea were among several targets of a widespread DDoS attack.
Location: United States and South Korea
Date Breach First Reported:7/4/2009
Method: DDOS
Type: Disruption
Type: State-sponsored actor
Attribution: Speculated
In July 2009, financial institutions in the United States and South Korea were among several targets of a widespread DDoS attack. The incident, which began over a U.S. holiday weekend, comprised three waves of attacks spanning six days. The botnet of up to 65,000 compromised computers blocked and slowed government and commercial websites for several hours at a time. The New York Stock Exchange website was reportedly affected, as well as those for the Nasdaq, the White House, and the Washington Post. Several days later, the sites of Shinhan Bank, the newspaper Chosun Ilbo, and the National Assembly were hit in South Korea. In total, there were around thirty-five sites targeted by the attacks. Researchers estimated that the botnet generated 23 megabits of data per second, not enough to cause long-lasting disruption to the targeted sites. The malware spread through email with a time bomb in its code to trigger on July 10, when it would overwrite the victim’s hard drive with the string “Memory of the Independence Day.” This destroyed the master boot record and made the device unusable. While no one was publically attributed to the attack, South Korean intelligence suspects it was the work of a specific criminal or state-sponsored organization.
Between June and July, hackers targeted customers of Vodacom with phishing attacks and carried out fradulent bank transactions.
Location: South Africa
Date Breach First Reported:7/9/2009
Method: Phishing
Type: Theft
Type: Nonstate actor
Attribution: High confidence
Between June and July, hackers targeted customers of Vodacom with phishing attacks and carried out fradulent bank transactions. The hackers stole bank account details by imitating bank officials; one employee of Vodacom who was also involved in the scam then intercepted the one-time passwords on fake SIM cards to siphon off cash. Several hackers were arrested in South Africa in July and August.
Between 2007 and 2011, a Trojan malware known as Zeus was used in numerous criminal operations to steal data on Windows devices.
Location: N/A
Date Breach First Reported: 3/1/2009
Method: Malware
Type: Theft
Type: Nonstate actor
Attribution: High confidence
Between 2007 and 2011, a Trojan malware known as Zeus was used in numerous criminal operations to steal data on Windows devices. Zeus was widely traded on criminal forums as a way to harvest online credentials. Its source code was made public in 2011 after its purported creator announced his retirement, which allowed multiple versions to spread. The Trojan included a keylogger that recorded bank login credentials and a botnet that executed attacks using infected devices.
In March 2009, a security firm discovered an online data trove of stolen information from 160,000 computers infected by Zeus malware, including devices at Metro City Bank. A criminal gang also used Zeus in a global scheme to wire millions of dollars from five banks to overseas accounts, according to U.S. and UK officials who made more than 100 arrests in October 2010. The gang recruited mules to launder the stolen funds and withdraw money from ATMs around the world.
The variant Gameover Zeus was controlled by a group of hackers in Russia and Ukraine from October 2011 onward, according to the FBI. Among its many uses was as a platform to infect systems with Cryptolocker ransomware. Operation Tovar, an international law enforcement effort in June 2014, resulted in the seizure of key Gameover Zeus infrastructure and the release of up to 1 million victim machines from the botnet. The authorities believe the gang stole more than $100 million. The Russian man accused of authoring both Zeus and Gameover Zeus remains at large.
In 2009, security researchers discovered Skimer, an advanced multifunctional malware employed in several ATM heists across the world.
Location: Multiple
Date Breach First Reported:3/1/2009
Method: Malware
Type: Theft
Type: Unknown
Attribution: Unknown
In 2009, security researchers discovered Skimer, an advanced multifunctional malware employed in several ATM heists across the world. Skimer is capable of executing over twenty malicious commands, including withdrawing ATM funds and collecting customer information such as bank account numbers and payment card PINs. To install Skimer, attackers had to access ATMs and install backdoors in the device’s Windows operating system. Then, the attackers could silently siphon card numbers and customer information for later use in fraudulent transactions. Once correct details were entered into the ATM pin pad, Skimer gave attackers a control panel to execute multiple commands from cashing out an ATM to deleting traces of the infection from the system. The malware has continued to evolve with later variants still in use around the world.
Toward the end of 2008, Atlanta-based credit card processing company RBS WorldPay was breached by an international crime ring.
Location: United States
Date Breach First Reported:11/1/2008
Method: Multiple
Type: Theft
Type: Nonstate actor
Attribution: High confidence
Toward the end of 2008, Atlanta-based credit card processing company RBS WorldPay was breached by an international crime ring. The group used sophisticated hacking techniques to break the encryption used by RBS WorldPay to protect customer data on payroll debit cards. Once bypassed, the group created counterfeit payroll debit cards and raised their account limits. The group employed a network of individuals to use the cards to withdraw over $9 million from more than 2,100 ATMs in at least 280 cities worldwide. The investigation of the incident identified over 1.5 million customers whose confidential information was compromised. Individuals in Russia, Moldova, Nigeria, and Estonia were indicted from the hack in 2009. To date, U.S. authorities have charged fourteen men.
In September 2008, six banks in the UAE alerted customers to change their PINs after concerns over a spike in ATM fraud in the region.
Location: Middle East
Date Breach First Reported:9/9/2008
Method: Unknown
Type: Data breach
Type: Unknown
Attribution: Unknown
In September 2008, six banks in the UAE alerted customers to change their PINs after concerns over a spike in ATM fraud in the region. HSBC, one of the affected banks, said the move was in response to counterfeit ATM card usage from abroad, highlighting an early case of financial attacks operating on an international scale.
Between July and August, Georgia became the victim of a coordinated defacement and DDoS campaign that disrupted government and bank websites during the lead up to a war with Russia.
Location: Georgia
Date Breach First Reported: 7/20/2008
Method: Multiple
Type: Disruption
Type: State-sponsored actor
Attribution: High confidence
Between July and August, Georgia became the victim of a coordinated defacement and DDoS campaign that disrupted government and bank websites during the lead up to a war with Russia. The first incident occurred on July 20, when the website of then Georgian president Mikheil Saakashvili was disrupted by a DDoS attack, just weeks before Russia invaded the country. The DDoS attack was directed using a strain of Pinch malware frequently used in Russia, which flooded websites with traffic that included the phrase “win love in Russia.”
As part of the conflict and war that took place from August 7 to 12, 2008, numerous Georgian government and media sites were defaced and disrupted, including depictions of Saakashvili next to Hitler on the president’s website. The only impact on the financial sector throughout this campaign was the defacement of the National Bank of Georgia’s website. A group by the name of South Ossetia Hack Crew claimed responsibility for the attacks. However, Georgia would later attribute the attack to the Russia government, which denied the allegations.
On April 18, a clerk at HSBC’s headquarters in London fraudulently wired €90 million to accounts in Manchester and Morocco.
Location: United Kingdom
Date Breach First Reported:7/7/2008
Method: Other
Type: Theft
Type: Nonstate actor
Attribution: High confidence
On April 18, a clerk at HSBC’s headquarters in London fraudulently wired €90 million to accounts in Manchester and Morocco. The employee used passwords stolen from colleagues to execute two transactions on a Friday afternoon. He was caught when he forgot to leave the original accounts with zero balances, which HSBC staff in Malaysia spotted over the weekend. He was jailed for nine years, and the money was returned to its owners. Investigators in the UK would later uncover the gang that masterminded the fraud.
In early 2008, a Russian hacking ring stole $2 million after penetrating a network of Citibank-affiliated ATMs across New York City.
Location: United States
Date Breach First Reported:7/1/2008
Method: Malware
Type: Theft
Type: Nonstate actor
Attribution: High confidence
In early 2008, a Russian hacking ring stole $2 million after penetrating a network of Citibank-affiliated ATMs across New York City. The group gained access to a server that processed ATM withdrawals within 7-Eleven stores. This enabled them to steal debit card numbers and PINs from 2,200 machines, which they used to withdraw the $2 million. Three members of the group were arrested and pleaded guilty to numerous counts of fraud and conspiracy later that year. Investigators later linked this theft to a global network of hackers that had stolen card information as early as 2005. A hacker identified as the ringleader by authorities was jailed in 2010. He would also be linked to the Nasdaq intrusion two years later.
In January 2008, a junior trader at the French bank Société Générale executed fraudulent transactions to cover up $7.2 billion in losses from risky futures trades.
Location: France
Date Breach First Reported:1/1/2008
Method: Insider threat
Type: Theft
Type: Nonstate actor
Attribution: High confidence
In January 2008, a junior trader at the French bank Société Générale executed fraudulent transactions to cover up $7.2 billion in losses from risky futures trades. The rogue trader hid his losses by booking fake offsetting trades on colleagues’ accounts and using knowledge from his previous role in the back office to alter internal risk controls so he would not trigger internal alerts. At one point, the portfolio of unauthorized trades was worth over €50 billion, approximately the same value as the entire firm. The employee was arrested and sentenced to three years in prison in 2010. The bank suffered one of the biggest trading losses on record due to the incident, and the French banking regulator imposed a $6 million penalty for its lax controls.
On December 25–26, 2017, confidential information from 192,000 customers was stolen from financial services holding company DA Davidson.
Location: United States
Date Breach First Reported:12/25/2007
Method: SQL injection
Type: Data breach
Type: Nonstate actor
Attribution: High confidence
On December 25–26, 2017, confidential information from 192,000 customers was stolen from financial services holding company DA Davidson. Attackers deployed a SQL injection into the brokerage’s website over the Christmas holiday to access customer records. The breach was discovered after the perpetrators attempted to blackmail the firm several weeks later. The U.S. Secret Service launched an investigation that identified four suspects, three of whom were Latvian nationals, who were extradited from the Netherlands to face charges in the United States. Following the breach, the Financial Industry Regulatory Authority issued a $375,000 fine to DA Davidson for its failure to protect confidential customer information.
On September 14, 2007, online brokerage firm TD Ameritrade revealed that its database was the target of a data breach that led to the theft of 6.3 million customer account records.
Location: United States
Date Breach First Reported:9/14/2007
Method: Phishing
Type: Data breach
Type: Unknown
Attribution: Unknown
On September 14, 2007, online brokerage firm TD Ameritrade revealed that its database was the target of a data breach that led to the theft of 6.3 million customer account records. The attackers gained access to Ameritrade’s database via investment-themed phishing emails. According to Ameritrade, sensitive data on the database, such as social security numbers, were not accessed during the breach. No identify theft was detected in the aftermath of the breach. However, customers did claim to have received spam emails. The FBI and U.S. financial regulators investigated the incident, but no arrests were reported. On September 13, 2011, TD Ameritrade agreed to pay customers $6.5 million to settle a class action suit in relation to the breach.
Following the contentious relocation of a Soviet-era statue in Tallinn, Estonia fell victim to a series of coordinated DDoS attacks against government, bank, university, and newspaper websites that lasted three weeks.
Location: Estonia
Date Breach First Reported:4/26/2007
Method: DDoS
Type: Disruption
Type: State-sponsored actor
Attribution: Speculated
Following the contentious relocation of a Soviet-era statue in Tallinn, Estonia fell victim to a series of coordinated DDoS attacks against government, bank, university, and newspaper websites that lasted three weeks. The attacks began on April 26, when government and political party email servers and websites were disrupted. The following week, a second wave began that disrupted access to Estonian news websites. The final wave, which began on May 9, was the heaviest and targeted the Estonian banking sector. The attack forced two major Estonian banks to suspend online banking, disabling bank card transactions and ATM withdrawals. The disruption did not end until the attackers’ botnet contracts expired on May 19. The attacks were carried out by Russian hacktivists communicating openly on Russian-language chatrooms, where users shared precise instructions on how to conduct the attacks. Estonia accused the Russian government of ordering the attacks but was unable to produce definitive proof.