{
	"id": "6b634b62-e2f6-450f-ba6a-9d5a692b7d6d",
	"created_at": "2026-04-06T00:11:10.619082Z",
	"updated_at": "2026-04-10T03:38:20.252929Z",
	"deleted_at": null,
	"sha1_hash": "567ec355958b840152542d025a1e33d4e7aa3dc5",
	"title": "North Korean Hacking Group Steals $13.5 Million From Indian Bank",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 106329,
	"plain_text": "North Korean Hacking Group Steals $13.5 Million From Indian\r\nBank\r\nBy Jai Vijayan\r\nPublished: 2018-08-27 · Archived: 2026-04-02 12:48:15 UTC\r\nNorth Korean-linked Lazarus Group is believed responsible for stealing $13.5 million from India's Cosmos Bank\r\nin a brazen attack that has exposed limitations in the measures banks use to defend against targeted cyber threats.\r\nThe theft occurred between August 10 and August 13, 2018, and was enabled via thousands of fraudulent ATM\r\ntransactions across 28 countries and by at least three unauthorized money transfers using the bank's access to the\r\nSWIFT international financial network.\r\nIt is still unclear how the threat actors managed to initially infiltrate the bank's network. But based on how Lazarus\r\nGroup actors have typically operated in the past, the attackers broke in via a spear-phishing email and then moved\r\nlaterally within the bank's network, according to researchers at Securonix.\r\n\"This attack is a good example of the fact that, while ATM and SWIFT transaction monitoring is important, it\r\noften is not enough, and may only give you 10%-20% of the required detection coverage,\" the security vendor\r\nnoted in its report.\r\nThe Cosmos Co-operative Bank is a 111-year old co-operative bank in India with branches in 7 states and 39\r\nmajor cities. Between August 10 and August 11, Lazarus Group operators managed to compromise an end-user\r\nsystem at the bank and used that to access and compromise the institution's ATM infrastructure.\r\nPublicly available information and Securonix' own analysis suggest that the attackers used multiple targeted\r\nmalware exploits to set up a malicious ATM/POS proxy switch in parallel with Cosmos Bank's own central\r\nswitch.\r\nThey then broke or redirected the connection between the bank's ATM/POS central switch and its back-end Core\r\nBanking System. 
Securonix described the banking switch as the component that makes routing and transaction-processing decisions for the ATM and POS networks.\r\n\"Based on the publicly available details, most likely there was no additional hardware installed,\" says Oleg Kolesnikov, a member of the Securonix threat research team. \"The malicious payment switch typically comes in the form of software, so this is likely what was installed and/or cloned/modified by the attackers to proxy the requests from the ATM terminals instead of the existing switch.\"\r\nATM Withdrawals\r\nThe attackers are believed to have increased the withdrawal limits on hundreds of targeted accounts at the bank and configured them so that cash could be withdrawn from those accounts abroad. In total, operators working on behalf of Lazarus Group used 450 cloned non-EMV debit cards linked to accounts at Cosmos Bank to make some 12,000 international ATM withdrawals and 2,849 domestic transactions totaling $11.5 million.\r\nBecause the attackers had previously tampered with the link between the bank's ATM switch and the core banking system, the authorization requests for the debit card withdrawals were never forwarded to the core banking system, so the usual checks on card number, card status, and PIN were never performed.
Instead, the attackers used the rogue ATM/POS switch they had installed to send fake authorization messages approving the fraudulent transactions.\r\nAbout two days after the initial break-in, the attackers gained access to Cosmos Bank's SWIFT environment and used it to illegally transfer $2 million to an account belonging to a trading company at Hang Seng Bank in Hong Kong.\r\nThe attack on Cosmos Bank's ATM network was different from typical jackpotting and black-box attacks, in which attackers physically tamper with ATMs to make them dispense large amounts of cash. In this case, the attack targeted the bank's core infrastructure and effectively bypassed all of the measures Interpol recommends for protecting a bank's ATM infrastructure against logical attacks, Securonix said.\r\nWhat remains unclear is why Cosmos Bank did not receive any alerts when the connection between its ATM switch and core banking system was cut, or when thousands of clearly abnormal ATM transactions were being made.\r\n\"We do not know for certain, but it is likely that the connection was redirected such that the connection remained active, and only the malicious requests in question were selectively redirected by the malicious component,\" Kolesnikov says.
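The selective redirection Kolesnikov describes, and the reconciliation that would have caught it, modelled as an added example in Python; this is not code from the article, from Securonix or from Cosmos Bank. The message fields (stan, pan, amount, country), the response codes, the class names and every sample account and request are constructed for illustration. The point it shows: a rogue proxy that forwards untargeted traffic keeps the switch-to-core link alive, so a link-down alarm never fires, while cash dispensed at the terminals for the targeted cards has no matching core approval. Reconciling the terminal dispense journal against the core authorization log exposes those orphan dispenses, and a per-card country count gives a second, independent signal for cloned cards.

```python
# Added example, not code from the Dark Reading article, Securonix or Cosmos
# Bank: a toy model of the authorization path the article describes, a rogue
# proxy switch that approves targeted cards without consulting the core, and
# the reconciliation check that surfaces the resulting orphan dispenses.
# Field names, response codes and all sample data below are constructed.
from dataclasses import dataclass, replace

@dataclass
class Account:
    card_status: str          # 'active' or 'blocked'
    pin: str
    balance: int              # minor currency units
    daily_limit: int
    withdrawn_today: int = 0

class CoreBankingSystem:
    '''Authoritative ledger: the only place card, PIN and limit checks run.'''
    def __init__(self, accounts: dict[str, Account]):
        self.accounts = accounts
        self.auth_log: list[dict] = []   # every decision the core really made

    def authorize(self, req: dict) -> str:
        acct = self.accounts.get(req['pan'])
        if acct is None or acct.card_status != 'active':
            code = '14'                                  # invalid or blocked card
        elif acct.pin != req['pin']:
            code = '55'                                  # wrong PIN
        elif acct.withdrawn_today + req['amount'] > acct.daily_limit:
            code = '61'                                  # over withdrawal limit
        elif acct.balance < req['amount']:
            code = '51'                                  # insufficient funds
        else:
            code = '00'                                  # approved
            acct.balance -= req['amount']
            acct.withdrawn_today += req['amount']
        self.auth_log.append({'stan': req['stan'], 'pan': req['pan'],
                              'amount': req['amount'], 'resp': code})
        return code

class LegitSwitch:
    '''Routes every terminal request to the core and relays its answer.'''
    def __init__(self, core: CoreBankingSystem):
        self.core = core
    def handle(self, req: dict) -> str:
        return self.core.authorize(req)

class RogueProxySwitch:
    '''The attacker-controlled proxy as the article describes it: requests for
    targeted cards are approved locally and never reach the core; everything
    else is forwarded, so the link stays up and looks healthy from both ends.'''
    def __init__(self, upstream: LegitSwitch, targeted_pans: set[str]):
        self.upstream, self.targeted = upstream, targeted_pans
    def handle(self, req: dict) -> str:
        return '00' if req['pan'] in self.targeted else self.upstream.handle(req)

def run_terminals(switch, requests: list[dict]) -> list[dict]:
    '''Each ATM dispenses when the switch answers 00 and journals the dispense.'''
    return [{k: r[k] for k in ('stan', 'pan', 'amount', 'country')}
            for r in requests if switch.handle(r) == '00']

def reconcile(dispense_journal: list[dict], core_auth_log: list[dict]) -> list[dict]:
    '''Detection: a dispense with no matching core approval is an orphan, i.e.
    cash left an ATM on an authorization the core never issued.'''
    approved = {(e['stan'], e['pan'], e['amount'])
                for e in core_auth_log if e['resp'] == '00'}
    return [d for d in dispense_journal
            if (d['stan'], d['pan'], d['amount']) not in approved]

def multi_country_pans(dispense_journal: list[dict]) -> dict[str, set[str]]:
    '''Second signal: one card dispensing in several countries within the window
    is consistent with cloned cards, whatever the authorization path reported.'''
    seen: dict[str, set[str]] = {}
    for d in dispense_journal:
        seen.setdefault(d['pan'], set()).add(d['country'])
    return {pan: c for pan, c in seen.items() if len(c) > 1}

# Constructed sample: two cards; the blocked one is the rogue proxy's target.
ACCOUNTS = {
    '4111000000001111': Account('active', '1234', 50000, 20000),
    '4111000000002222': Account('blocked', '9999', 100, 20000),
}
REQUESTS = [
    {'stan': '000101', 'pan': '4111000000001111', 'pin': '1234', 'amount': 5000, 'country': 'IN'},
    {'stan': '000102', 'pan': '4111000000002222', 'pin': '0000', 'amount': 30000, 'country': 'CA'},
    {'stan': '000103', 'pan': '4111000000002222', 'pin': '0000', 'amount': 30000, 'country': 'AE'},
    {'stan': '000104', 'pan': '4111000000001111', 'pin': '0000', 'amount': 5000, 'country': 'IN'},
]

def simulate(rogue: bool) -> tuple[list[dict], dict[str, set[str]]]:
    '''Returns (orphan dispenses, cards seen in more than one country).'''
    core = CoreBankingSystem({pan: replace(a) for pan, a in ACCOUNTS.items()})
    switch = RogueProxySwitch(LegitSwitch(core), {'4111000000002222'}) if rogue else LegitSwitch(core)
    journal = run_terminals(switch, REQUESTS)
    return reconcile(journal, core.auth_log), multi_country_pans(journal)

if __name__ == '__main__':
    for rogue in (False, True):
        orphans, multi = simulate(rogue)
        print('rogue=%s orphans=%d multi-country=%s' % (rogue, len(orphans), sorted(multi)))
```

Running the block prints one line per scenario. With the legitimate switch, the blocked card is refused and nothing is orphaned; with the rogue proxy in place, the two withdrawals on the blocked card are dispensed, never appear in the core log, and are reported as orphans, and the same card is also seen in two countries. In a real environment the two inputs would be the ATM or card-network settlement journal and the core system's authorization records, joined on the trace number both sides already carry (the STAN in ISO 8583 terms), which is exactly the join that transaction monitoring on the switch alone does not perform.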
That arrangement would ensure the malicious requests never reached the legitimate payment switch, and therefore were never visible to the core back-end system, he says.\r\nThe attack also likely involved a lot of malicious and suspicious activity that the bank should have spotted.\r\nBased on the publicly available details, the attackers had to stand up a proxy switch capable of responding to malicious transaction requests from the terminals, Kolesnikov says.\r\nThey also likely had to install targeted malware components to monitor the card management process and the payment infrastructure, to gain access to the SWIFT terminals, and to learn the bank's standard operating procedures.\r\nAbout the Author\r\nContributing Writer\r\nJai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India.
Jai has a Master's degree in Statistics and lives in Naperville, Ill.\r\nSource: https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678"
	],
	"report_names": [
		"1332678"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434270,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/567ec355958b840152542d025a1e33d4e7aa3dc5.pdf",
		"text": "https://archive.orkl.eu/567ec355958b840152542d025a1e33d4e7aa3dc5.txt",
		"img": "https://archive.orkl.eu/567ec355958b840152542d025a1e33d4e7aa3dc5.jpg"
	}
}