Cyber Attack

HACKING & CYBER ATTACKS IN 2019

1. SIM Swap Scam 


Two hackers from Navi Mumbai were arrested for transferring 4 crore rupees from
numerous bank accounts in August 2018. They illegally transferred money from the bank
accounts of many individuals. By fraudulently gaining SIM card information, both attackers
blocked individuals’ SIM cards and, with the help of fake document posts, carried out
transactions via online banking. They also tried to hack accounts of various targeted
companies.

2. Dutch Bangla Bank Limited


Dutch Bangla Bank Limited (DBBL) was the biggest victim, losing as much as $3 million
(around Tk 25 crore) to global cybercriminals, according to sources in the banking
sector. Hackers planted malware in the bank’s switch (card management system) around
three months ago and made a perfect replica of the switch, which the bank could not
detect.

3. The digital bank Monzo


The digital bank Monzo has told 480,000 customers to change their PINs after it discovered
an error that allowed unauthorised staff to view sensitive information.

Monzo said that it normally stored PINs in a “particularly secure” part of its systems that
only select employees can access. However, on Friday, 2 August, it learned that it had been
recording some people’s PINs in a different part of its system.

Although the information was in encrypted log files, more than 100 Monzo engineers could
view the information.

The organisation has since deleted the data that was incorrectly stored, and updated its
apps to fix the issue.

4. Hack Attack on Indian Healthcare Websites


India-based healthcare websites became victims of a cyber attack in 2019. As
stated by US-based cyber-security firms, hackers broke in and invaded a leading India-based
healthcare website. The hackers stole 68 lakh records of patients as well as doctors.

5. Cayman National Bank and Trust Data Theft

NOVEMBER 18

On November 18, 2019, the Cayman National Bank and Trust Company confirmed it had
been breached and had confidential data stolen.

TARGET

Location: United Kingdom

Date Breach First Reported: 11/18/2019

INCIDENT

Method: Unknown

Type: Data breach

ACTOR

Type: Non-state actor

Attribution: Speculated

DESCRIPTION

On November 18, 2019, the Cayman National Bank and Trust Company confirmed it had
been breached and had confidential data stolen. The Cayman National Bank did not
elaborate on the extent of the breach but confirmed it was working with law enforcement.
This announcement corroborated an earlier claim by Phineas Fisher, a vigilante hacker
persona, who publicized the hack to encourage similar hacktivism. Phineas Fisher offered
$100,000 USD to hacktivists who breach and leak documents from banks, oil companies,
surveillance spyware vendors, and others.

6. Cardplanet Fraud

NOVEMBER 13
On November 13, 2019, the United States charged a Russian man for running ‘Cardplanet,’ a
card trading platform worth almost $20 million USD that buys and sells stolen payment card
details.

TARGET

Location: Unknown

Date Breach First Reported: 11/13/2019

INCIDENT

Method: N/A

Type: N/A

ACTOR

Type: Non-state actor

Attribution: High confidence

DESCRIPTION

On November 13, 2019, the United States charged a Russian man for running ‘Cardplanet,’ a
card trading platform worth almost $20 million USD that buys and sells stolen payment card
details. He is facing a number of charges including access device fraud, identity theft, and
computer intrusion.

OCTOBER 16

On October 16, 2019, it was reported that ‘BriansClub’, one of the largest underground
markets for stolen credit card and payment details, was hacked by a competitor who stole
26 million card details.

TARGET

Location: Unknown

Date Breach First Reported: 10/16/2019

INCIDENT
Method: Unknown

Type: Theft

ACTOR

Type: Non-state actor

Attribution: Speculated

DESCRIPTION

On October 16, 2019, it was reported that ‘BriansClub’, one of the largest underground
markets for stolen credit card and payment details, was hacked by a competitor who stole
26 million card details. The credit card data was added to BriansClub between 2015 and 2019,
representing 30 percent of the total cards that are currently being sold on the underground
market.

8. Sberbank Data Leak

OCTOBER 4

On October 4, 2019, it was reported that Sberbank, one of Russia’s largest banks, was
investigating a suspected data leak that affected at least 200 customers, and potentially
data on 60 million credit cards.

TARGET

Location: Russia
Date Breach First Reported: 10/4/2019

INCIDENT

Method: N/A
Type: Data breach

ACTOR

Type: Insider
Attribution: Speculated

DESCRIPTION
On October 4, 2019, it was reported that Sberbank, one of Russia’s largest banks, was
investigating a suspected data leak that affected at least 200 customers, and potentially
data on 60 million credit cards. Sberbank is investigating an internal employee who may be
behind the compromise of the database. Sberbank is working with law enforcement to
investigate the incident further.

9. Indian ATMs Targeted with ATMDtrack Malware

SEPTEMBER 23

On September 23, security researchers reported that North Korean hackers had developed
and inserted malware to steal payment information from Indian ATMs and banking
institutions.

TARGET

Location: India
Date Breach First Reported: 9/23/2019

INCIDENT

Method: Malware
Type: Espionage

ACTOR

Type: State-sponsored actor
Attribution: Speculated

DESCRIPTION

On September 23, security researchers reported that North Korean hackers had developed
and inserted malware to steal payment information from Indian ATMs and banking
institutions. The malware, known as ATMDtrack, began appearing on networks during the
summer of 2018 and is thought to be attributable to Lazarus Group, a hacking group that
has targeted banks, ATMs, and cryptocurrency exchanges in order to fund North Korea's
weapons of mass destruction program.

10. ECB BIRD Site Data Breach

SEPTEMBER 16

On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated
Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack
compromising the information of the site’s newsletter subscribers.

TARGET

Location: Europe
Date Breach First Reported: 9/16/2019

INCIDENT

Method: Unknown
Type: Data breach

ACTOR

Type: Unknown
Attribution: Unknown

DESCRIPTION

On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated
Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack
compromising the information of the site’s newsletter subscribers. The ECB reported that no
market-sensitive data was compromised in the attack, and it planned to contact the 481
individuals whose names, email addresses, and titles may have been accessed by hackers.

11. Hong Kong Exchanges and Clearing Limited DDoS Attack

SEPTEMBER 6

On September 6, 2019, Hong Kong Exchanges and Clearing Limited (HKEx), a
Hong Kong-based stock exchange, suffered a distributed denial-of-service (DDoS) attack and
discovered a technical bug, forcing them to suspend trading.

12. Binance Ransomware

AUGUST 6

On August 6, Malta-based cryptocurrency exchange Binance became the victim of
ransomware when attackers demanded 300 bitcoin (around $3.5 million at the time) in
exchange for a Know Your Customer (KYC) database containing the personal information of
around 10,000 users.

TARGET
Location: Multiple
Date Breach First Reported: 8/6/2019

INCIDENT

Method: Ransomware
Type: Unknown

ACTOR

Type: Unknown
Attribution: Unknown

DESCRIPTION

On August 6, Malta-based cryptocurrency exchange Binance became the victim of
ransomware when attackers demanded 300 bitcoin (around $3.5 million at the time) in
exchange for a Know Your Customer (KYC) database containing the personal information of
around 10,000 users. The KYC database allegedly contained personal identification
information and photographs of users with documents like passports. The company
contested the authenticity of the documents, claiming that they lacked digital watermarks,
refused to pay the ransom, and contacted law enforcement for assistance in pursuing the
attacker(s).

13. Capital One Data Breach

JULY 29

On July 29, Capital One announced that it had suffered a data breach compromising the
credit card applications of around 100 million individuals after a software engineer hacked
into a cloud-based server.

TARGET

Location: United States and Canada


Date Breach First Reported: 7/29/2019

INCIDENT

Method: Other
Type: Data breach/theft

ACTOR
Type: Nonstate actor
Attribution: High confidence

DESCRIPTION

On July 29, Capital One announced that it had suffered a data breach compromising the
credit card applications of around 100 million individuals after a software engineer hacked
into a cloud-based server. The applications contained names, dates of birth, credit scores,
contact information, and some American and Canadian social security numbers. The hacker
exploited a misconfigured firewall to gain access to a database of personal information
hosted by Amazon Web Services. Upon gaining access, the hacker posted about it on
GitHub, and an unidentified individual notified Capital One about the presence of the
database on GitHub. Authorities arrested one individual in connection with the data theft.

14. Banco Pan Data Breach

JULY 25

On July 25, security researchers found a file containing 250GB of personal and financial
information, mainly tied to Brazilian financial institution Banco Pan, exposed online.

TARGET

Location: Brazil
Date Breach First Reported: 7/25/2019

INCIDENT

Method: Unknown
Type: Data breach

ACTOR

Type: Unknown
Attribution: Unknown

DESCRIPTION

On July 25, security researchers found a file containing 250GB of personal and financial
information, mainly tied to Brazilian financial institution Banco Pan, exposed online. The
information, which Banco Pan claims is owned by a commercial partner, contained scans of
identification cards and social security cards, proof of address documents, and service
request forms.

15. Jana Bank Data Breach

JULY 23

On July 23, a security researcher reported that Jana Bank, an Indian small finance bank, left
exposed a database containing information on millions of financial transactions.

TARGET

Location: India
Date Breach First Reported: 7/23/2019

INCIDENT

Method: Unknown
Type: Data breach

ACTOR

Type: Unknown
Attribution: Unknown

DESCRIPTION

On July 23, a security researcher reported that Jana Bank, an Indian small finance bank, left
exposed a database containing information on millions of financial transactions. The Know
Your Customer verification database was not password-protected, allowing anyone to
access, alter, or download the information. Jana Bank immediately secured the database
upon learning of its exposure.

16. Remixpoint Inc. Crypto Theft

JULY 12

On July 12, Remixpoint, a Japanese cryptocurrency exchange, halted services after it
discovered the theft of $32 million in digital currencies.

TARGET

Location: Japan
Date Breach First Reported: 7/12/2019

INCIDENT

Method: Unknown
Type: Theft
ACTOR

Type: Unknown
Attribution: Unknown

DESCRIPTION

On July 12, Remixpoint, a Japanese cryptocurrency exchange, halted services after it
discovered the theft of $32 million in digital currencies. After an error appeared in the
exchange’s outgoing funds transfer system, Remixpoint discovered that the funds had been
taken from a “hot” wallet (one that is connected to the internet). No funds had been stolen
from “cold” wallets (those not connected to the internet). The company promised to
investigate the incident and provided no further details.

17. Crypto Exchange Theft

JUNE 25

On June 25, Europol, British law enforcement, and Dutch law enforcement officials arrested
six individuals for cryptocurrency theft amounting to €24 million (over $26 million).

TARGET

Location: Multiple
Date Breach First Reported: 6/25/2019

INCIDENT

Method: Malware
Type: Theft

ACTOR

Type: Unknown
Attribution: Speculated

DESCRIPTION

On June 25, Europol, British law enforcement, and Dutch law enforcement officials arrested
six individuals for cryptocurrency theft amounting to €24 million (over $26 million). The
individuals used a technique known as “typosquatting,” in which they duplicated an online
cryptocurrency exchange to steal information and gain access to victims’ bitcoin wallets. The
attack affected more than 4,000 individuals in at least 12 countries.

18. Bangladesh Switch System Cyberattack

JUNE 22

In June 2019, at least three private Bangladeshi banks were compromised by major
cyberattacks, with one, Dutch Bangla Bank Limited (DBBL), losing as much as TK 25 crore
(around $3 million).

TARGET

Location: Bangladesh

Date Breach First Reported: 6/22/2019

INCIDENT

Method: Malware

Type: Theft

ACTOR

Type: Unknown

Attribution: Unknown

DESCRIPTION

In June 2019, at least three private Bangladeshi banks were compromised by major
cyberattacks, with one, Dutch Bangla Bank Limited (DBBL), losing as much as TK 25 crore
(around $3 million). Attackers deployed malware to duplicate DBBL's Switch payment
management system, allowing fraudulent financial transactions to be executed undetected.
NCC Bank and Prime Bank were also targeted, but both banks reported no financial losses
associated with the attack.

19. First American Financial Corp.

MAY 24

On May 24, First American Financial Corp. suffered a data breach compromising around 885
million files related to mortgage deeds.

TARGET

Location: United States


Date Breach First Reported: 5/24/2019

INCIDENT

Method: Unknown

Type: Data breach

ACTOR

Type: Unknown

Attribution: Unknown

DESCRIPTION

On May 24, First American Financial Corp. suffered a data breach compromising around 885
million files related to mortgage deeds. The documents, which dated back as far as 2003,
contained bank account numbers and statements, mortgage and tax records, social security
numbers, wire transaction receipts, and images of drivers' licenses. The documents were
accessible to anyone with a web browser because the company used a standard format for
document addresses, meaning that anyone with knowledge of at least one document link
could access others simply by modifying the digits associated with the record number.
Although the company took down the website, many of the pages remained accessible on
archive.org. As of August 2019, the U.S. Securities and Exchange Commission had begun an
investigation into the data breach.

20. GozNym Gang Arrested

MAY 16

On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries,
dismantled a group of international cyber criminals that used the GozNym malware to steal
over $100 million.

TARGET

Location: Multiple

Date Breach First Reported: 5/16/2019

INCIDENT

Method: Malware
Type: Theft

ACTOR

Type: Nonstate actors

Attribution: High confidence

DESCRIPTION

On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries,
dismantled a group of international cyber criminals that used the GozNym malware to steal
over $100 million. The group stole from over 40,000 victims, including the bank accounts of
small businesses, law firms, international corporations, and nonprofit organizations.
Following a law enforcement investigation across the U.S., Bulgaria, Germany, Georgia,
Moldova, and Ukraine, ten members were charged for the crime. The leader of the network
was charged in Georgia while another was extradited from Bulgaria to the U.S. to face trial.
Although some members of the gang are still on the run, the initial charges have been seen
as a success for law enforcement in their efforts to combat international cybercrime.

21. FirstBank Breach

MAY 13

In May 2019, a Colorado bank suffered an external security incident resulting in the
cancellation and redistribution of customer debit cards.

TARGET

Location: United States

Date Breach First Reported: 5/13/2019

INCIDENT

Method: Unknown

Type: Data breach


ACTOR

Type: Unknown

Attribution: Unknown

DESCRIPTION

In May 2019, a Colorado bank suffered an external security incident resulting in the
cancellation and redistribution of customer debit cards. FirstBank, Colorado’s largest locally-
owned bank, issued a security notice on May 13 informing customers of the breach and
instructing them to report any suspicious behavior. The bank confirmed that the breach did
not occur on its online systems but from other merchants where FirstBank customers made
transactions.

22. Retefe Malware Resurfaces in Germany and Switzerland

MAY 2

In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan
in Germany and Switzerland.

TARGET

Location: Switzerland, Germany

Date Breach First Reported: 5/2/2019

INCIDENT

Method: Malware

Type: Unknown

ACTOR

Type: Unknown

Attribution: Unknown
DESCRIPTION

In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan
in Germany and Switzerland. Retefe is a malware that installs the Tor internet browser to
redirect infected devices to spoofed banking sites. The Trojan is typically delivered through
email attachments and often attempts to trick users into downloading spoofed mobile
Android applications to bypass two-factor authentication.

In the past, Retefe campaigns have targeted several European countries. In November 2016,
Retefe targeted Tesco Bank and other UK financial institutions. In September 2017, an
updated version of Retefe leveraged the EternalBlue exploit in a campaign against Swiss
targets. Since April, the Trojan has reemerged in German and Swiss banks.

23. Romanian ATM Skimmer Gang Arrested in Mexico

APRIL 4

On March 31, Mexican law enforcement arrested two senior members of a Romanian cyber
criminal group allegedly behind an ATM skimming operation in Mexico.

TARGET

Location: Mexico

Date Breach First Reported: 4/4/2019

INCIDENT

Method: Skimmer

Type: Theft

ACTOR

Type: Nonstate actor

Attribution: High confidence


DESCRIPTION

On March 31, Mexican law enforcement arrested two senior members of a Romanian cyber
criminal group allegedly behind an ATM skimming operation in Mexico. One suspect is
believed to be the head of Instacash, a fraudulent ATM service provider operating out of
Mexico. The head of Instacash allegedly bribed and coerced ATM technicians to install
sophisticated Bluetooth-based skimmers inside competitors’ ATMs, enabling the Romanian
cyber criminal group to steal PINs and card data remotely from ATMs throughout popular
tourist destinations in Mexico.

24. Royal Bank of Scotland Security Flaw

MARCH 22

In early 2019, the Royal Bank of Scotland’s (RBS) customer accounts were exposed to a
security flaw after introducing a new customer security service.

TARGET

Location: United Kingdom

Date Breach First Reported: 3/22/2019

INCIDENT

Method: Software vulnerability

Type: N/A

ACTOR

Type: Unknown

Attribution: Unknown

DESCRIPTION
In early 2019, the Royal Bank of Scotland’s (RBS) customer accounts were exposed to a
security flaw after introducing a new customer security service. In January, RBS launched a
free endpoint security service for customers in partnership with Danish firm Heimdal
Security. While the security service was intended to detect threats and protect RBS
customers from attacks, researchers discovered a software flaw that enabled access to
customer emails, banking details and internet history. Heimdal Security has since released
an update to fix the security flaw and insisted that only 50,000 computers were affected.
They claim that there were no intrusions as a result of the security flaw.

25. Ursnif Malware Attack on Japanese Banks

MARCH 12

The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign
targeting Japanese banks that began in 2016.

TARGET

Location: Japan

Date Breach First Reported: 3/12/2019

INCIDENT

Method: Malware

Type: Unknown

ACTOR

Type: Unknown

Attribution: Unknown

DESCRIPTION
The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign
targeting Japanese banks that began in 2016. Ursnif, also known as Gozi ISFB, is a popular
malware that steals information on infected Windows devices. Ursnif has been deployed in
a new campaign that specifically targets banks in Japan. The malware terminates itself on
devices outside of the country. The campaign uses a distribution network of spam botnets
and compromised web servers to deliver the Trojan. Between 2016 and 2017, researchers at
Palo Alto Networks observed millions of infected emails sent to banks in Japan. Researchers
have not been able to identify the operation behind the campaign, but evidence suggests it
may be connected to the Cutwail botnet, a cyber criminal operation active since 2007.

26. Bank of Valletta

FEBRUARY 13

On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down
operations after an attempted theft of €13 million.

TARGET

Location: Malta

Date Breach First Reported: 2/14/2019

INCIDENT

Method: Unknown

Type: Disruption

ACTOR

Type: Unknown

Attribution: Unknown

DESCRIPTION
On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down
operations after an attempted theft of €13 million. Attackers made multiple transfer
requests from the Maltese bank to accounts in the UK, United States, Czech Republic, and
Hong Kong. The bank’s employees discovered the fraudulent activity during their daily
reconciliation of international orders. Within the hour, BOV notified other banks in an
attempt to freeze the transactions. It also closed all its branches, shut down its ATMs and
point-of-sale system, and stopped all other electronic services, which were restored the
following day. In a statement, BOV said it was working with local and international police
authorities to track down the attackers. They also announced that customer accounts were
not affected in the incident.

27. U.S. Credit Union Spear-Phishing

FEBRUARY 8

Multiple credit unions in the United States were hit by spear-phishing emails impersonating
compliance officers from other credit unions.

TARGET

Location: United States

Date Breach First Reported: 2/8/2019

INCIDENT

Method: Phishing

Type: N/A

ACTOR

Type: Unknown

Attribution: Unknown

DESCRIPTION
Multiple credit unions in the United States were hit by spear-phishing emails impersonating
compliance officers from other credit unions. Under the Bank Secrecy Act (BSA), financial
institutions are required to have dedicated compliance personnel responsible for reporting
suspicious transactions and potentially fraudulent activity to the U.S. government. Emails
sent to these compliance officers contained a PDF with a malicious link. While it is believed
that no employee clicked the link, there is speculation as to how the attackers obtained the
email addresses of the compliance officers.

28. SBI Breach

FEBRUARY 4

The State Bank of India, the country’s largest, has denied claims that its servers were
compromised during a recent intrusion.

TARGET

Location: India

Date Breach First Reported: 2/4/2019

INCIDENT

Method: Unknown

Type: Unknown

ACTOR

Type: Unknown

Attribution: Unknown

DESCRIPTION
The State Bank of India, the country’s largest, has denied claims that its servers were
compromised during a recent intrusion. Multiple media outlets reported an SBI server was
unprotected, and as a result attackers were able to gain access to the system and steal
users’ personal information. Despite the claims, the bank said their investigation revealed
that SBI’s servers remained fully protected and that no breach had occurred.

29. Metro Bank 2FA Breach

FEBRUARY 2

UK-based Metro Bank became the first major bank to suffer from a new type of cyber
intrusion that intercepts text messages with two-factor authentication codes used to verify
various customer transactions.

TARGET

Location: United Kingdom

Date Breach First Reported: 2/2/2019

INCIDENT

Method: Other

Type: Disruption

ACTOR

Type: Unknown

Attribution: Unknown

DESCRIPTION

UK-based Metro Bank became the first major bank to suffer from a new type of cyber
intrusion that intercepts text messages with two-factor authentication codes used to verify
various customer transactions. The attackers exploited flaws in the Signaling System 7 (SS7)
protocol, which is used by telecommunications companies to route text messages around
the world. A spokesperson for the bank stated that only a small number of those defrauded
were Metro Bank customers.

30. Chile ATM Attack

JANUARY 10

In December, hackers infiltrated Chile’s ATM interbank network, Redbanc, after tricking an
employee into downloading a malicious program during a fake job interview over Skype.

TARGET

Location: Chile

Date Breach First Reported: 1/15/2019

INCIDENT

Method: Other

Type: Espionage

ACTOR

Type: State-sponsored actor

Attribution: Speculated

DESCRIPTION
In December, hackers infiltrated Chile’s ATM interbank network, Redbanc, after tricking an
employee into downloading a malicious program during a fake job interview over Skype. It is
believed that the Redbanc employee saw a LinkedIn job advertisement and attended a
Skype interview where the attackers asked him to download a software program to submit
his application form. The attackers tricked the victim into downloading malware on his
system, giving them access to Redbanc’s network. Redbanc claims the event had no impact
on its business operations.

31. Fuze Cards

JANUARY 10

The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an
attempt to avoid detection by U.S. law enforcement.

TARGET

Location: United States

Date Breach First Reported: 1/10/2019

INCIDENT

Method: Cards

Type: Theft

ACTOR

Type: Nonstate actor

Attribution: High confidence

DESCRIPTION

The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an
attempt to avoid detection by U.S. law enforcement. A Fuze card is a data storage device
that looks like a bank card, but can hold account data for up to thirty cards. Using smartcard
technology can help criminals avoid raising suspicions at payment points or if stopped by
authorities, as it reduces the need for them to carry large numbers of counterfeit cards on
their person.

32. Himalayan ATM Heist

SEPTEMBER 2

On September 2, Nepalese police arrested five Chinese nationals in connection with
cyberattacks that cost Nepalese banks more than 35 million rupees (over $300,000).

TARGET

Location: Nepal
Date Breach First Reported: 9/2/2019

INCIDENT

Method: Other
Type: Theft

ACTOR

Type: State-sponsored actor
Attribution: Speculated

DESCRIPTION

On September 2, Nepalese police arrested five Chinese nationals in connection with
cyberattacks that cost Nepalese banks more than 35 million rupees (over $300,000). The
attackers targeted the Nepal Electronic Payment System, which was established to
coordinate cash withdrawals at 17 Nepalese banks, and inserted malware that directed
ATMs to process withdrawal requests without first verifying with member banks. Staff at
one Nepali bank discovered the theft when ATMs began running out of cash sooner than
expected and informed authorities. Police recovered 12.63 million rupees (more than
$110,000) during the arrests.
