{
	"id": "f453aa05-08d7-46e9-94df-6ea4582f2818",
	"created_at": "2026-04-06T00:16:07.955307Z",
	"updated_at": "2026-04-10T03:38:19.484095Z",
	"deleted_at": null,
	"sha1_hash": "41fe26271bf16377cb33d681760c706e5e220643",
	"title": "Vietnamese Bank Blocks $1 Million SWIFT Heist",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98740,
	"plain_text": "Vietnamese Bank Blocks $1 Million SWIFT Heist\r\nBy Mathew J. Schwartz\r\nArchived: 2026-04-02 12:20:15 UTC\r\nAttempted Heist Reportedly Targeted TPBank's SWIFT Software With Trojanized PDF Reader\r\nMay 16, 2016\r\nA Vietnamese bank says it foiled a plot to transfer $1.36 million out of its accounts - via the interbank SWIFT\r\nmessaging system - in the fourth quarter of 2015 as part of a suspected malware attack launched by fraudsters (see\r\nSWIFT Warns Banks: Coordinated Malware Attacks Underway).\r\nTien Phong Commercial Joint Stock Bank, based in Hanoi, on May 15 said in a statement to Reuters that it\r\ndetected the suspicious transfer requests quickly enough to contact receiving banks and put a stop to the transfers.\r\nThe attempted attack \"did not cause any losses,\" TPBank's statement reportedly said. \"It had no impact on the\r\nSWIFT system in particular and the transaction system between the bank and customers in general.\"\r\nSWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, is a Brussels-based\r\ncooperative, owned by 3,000 banks, that was founded in 1973, and which maintains a messaging system used by\r\n11,000 banks.\r\nhttps://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105\r\nPage 1 of 3\n\nThe State Bank of Vietnam - the country's central bank - is probing the attack after having received related\r\ninformation from TPBank on May 16, spokeswoman Le Thi Thuy Sen tells Bloomberg.\r\nTPBank and the State Bank of Vietnam couldn't be immediately reached for comment on those reports.\r\nSWIFT declined to comment on those reports, except to point to a May 13 security alert that it sent to its\r\ncustomers, warning them of \"a highly adaptive campaign targeting banks' payment endpoints.\" That warning said\r\nan unnamed Vietnamese bank had also been targeted by the same attackers who attempted to transfer $1 billion\r\nout of the central bank of Bangladesh's account at the Federal Reserve of New York.\r\nIn the Bangladesh Bank case, the attackers successfully transferred $100 million to overseas accounts, of which\r\n$81 million is still missing. Investigators say the stolen funds were laundered via casinos in the Philippines.\r\nSWIFT says the attack was carried out in part after attackers used malware to infect a PDF reader used by bank\r\nemployees.\r\nTPBank Blames Third-Party Vendor\r\nTPBank's statement said the fraudulent transfer requests were made using an unnamed third-party vendor with\r\nwhich the bank had contracted, to allow it to interface with the SWIFT network. The bank said that in the wake of\r\nthe fraudulent transfer requests, it stopped working with the third-party provider and now has a more secure\r\nsystem which directly interfaces with the SWIFT platform.\r\nTPBank told Reuters that the attack against it might have been carried out using the Trojanized PDF reader\r\ndetailed in SWIFT's customer alert.\r\nSWIFT: 'Small Number' of Similar Cases\r\nIn its May 13 customer alert, SWIFT warned that beyond Bangladesh Bank, it was aware of a \"small number\" of\r\nsimilar cases at other banks, involving attackers successfully infecting an unnamed PDF reader used at victim\r\nbanks, which could be used to alter statements and disguise fraudulent transfers. Its alert did not name TPBank.\r\nBritish defense contractor BAE Systems on May 13 released research saying that \"a commercial bank in Vietnam\r\n... also appears to have been targeted in a similar fashion using tailored malware, but based off a common code\r\nbase\" (see Bangladesh Bank Attackers Hacked SWIFT Software).\r\nThreat-intelligence firm iSight Partners says there is at least one more victim that has not yet been publicly\r\ndisclosed. \"We believe that at least three financial institutions in the region were affected by these actors, and in\r\ntwo instances, malware was deployed that had functionality specifically associated with SWIFT fraud,\" the firm\r\nsays in a research note that also names the PDF reader targeted by attackers.\r\n\"The malware used to target the Vietnamese bank replaces Foxit's popular PDF reader software to mask records of\r\nSWIFT transactions when read,\" iSight Partners says. \"When reports are read through the PDF reader, SWIFT\r\nrecords are altered to remove traces of fraudulent transactions.\"\r\nThe Lazarus Group Connection\r\nBased on its digital forensic investigation, BAE Systems said the malware appeared to be tied to the Lazarus\r\nGroup, as detailed in a February report into Operation Blockbuster that was coordinated by anti-fraud and\r\nanalytics firm Novetta. BAE Systems said the group also appeared to use a code compiler named Kordllbot, and\r\nto have focused its attacks on organizations in South Korea and the United States.\r\nThe Novetta report said the Lazarus Group \"has been active since at least 2009, and potentially as early as 2007,\r\nand was responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment.\"\r\nBAE Systems said that it did not have enough evidence to incontrovertibly attribute the Bangladesh and\r\nVietnamese bank hacks to the same group that hacked Sony. But it said currently available evidence strongly\r\nsuggests a connection. \"We believe that the same coder is central to these attacks,\" it said. \"Who the coder is, who\r\nthey work for, and what their motivation is for conducting these attacks cannot be determined from the digital\r\nevidence alone.\"\r\nWho's Responsible for Securing SWIFT?\r\nThe bank hacking campaign has revealed uneven information security practices at some SWIFT-using banks. In\r\nthe wake of the February theft from Bangladesh Bank, which came to light in March, bank officials publicly said\r\nthe Federal Reserve Bank of New York and SWIFT were at least partially to blame. But the New York Fed fired\r\nback, saying that it had honored valid SWIFT requests, and SWIFT said that the attackers had been able to gain\r\naccess to Bangladesh Bank's back-end systems and submit what appeared to be legitimate SWIFT messages.\r\nA subsequent Bangladesh police investigation reportedly concluded that a SWIFT technician left exploitable\r\nloopholes after connecting the bank to SWIFT's network, to facilitate real-time payments. But other reports\r\nsuggested that the bank lacked robust passwords and authentication controls, or even firewalls (see SWIFT to\r\nBanks: Get Your Security Act Together).\r\nOn May 10, representatives from SWIFT, Bangladesh Bank and New York Fed met to discuss the attack and\r\nrelated investigations, and issued a joint statement pledging greater cooperation.\r\nSWIFT has also continued to urge all customers to conduct a top-to-bottom review of their security defenses.\r\n\"Please remember that as a SWIFT user you are responsible for the security of your own systems interfacing with\r\nthe SWIFT network and your related environment - starting with basic password protection practices - in much the\r\nsame way as you are responsible for your other security considerations,\" its May 13 security alert reads. \"Whilst\r\nwe issue, and have recently reminded you about, security best practice recommendations, these are just a baseline\r\nand general advice.\"\r\nSource: https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105"
	],
	"report_names": [
		"vietnamese-bank-blocks-1-million-online-heist-a-9105"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434567,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41fe26271bf16377cb33d681760c706e5e220643.pdf",
		"text": "https://archive.orkl.eu/41fe26271bf16377cb33d681760c706e5e220643.txt",
		"img": "https://archive.orkl.eu/41fe26271bf16377cb33d681760c706e5e220643.jpg"
	}
}