{
	"id": "afde8558-a69d-4431-adc3-f8ac4ef74e22",
	"created_at": "2026-04-06T00:14:19.169718Z",
	"updated_at": "2026-04-10T03:35:29.097924Z",
	"deleted_at": null,
	"sha1_hash": "ebd5cb92866ebd12c1ed735a31d7e1dd98b34865",
	"title": "'Silence' hackers hit banks in Bangladesh, India, Sri Lanka, and Kyrgyzstan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1235297,
	"plain_text": "'Silence' hackers hit banks in Bangladesh, India, Sri Lanka, and\r\nKyrgyzstan\r\nBy Written by Catalin Cimpanu, ContributorContributor July 3, 2019 at 4:17 a.m. PT\r\nArchived: 2026-04-05 20:11:27 UTC\r\nGroup-IB\r\nSee als\r\nA group of hackers specialized in attacking banks has hit again, and this time they've breached four targets in Asia,\r\nrespectively in Bangladesh, India, Sri Lanka, and Kyrgyzstan, security researchers from Group-IB have told\r\nZDNet.\r\nThe only incident that is currently public is one impacting Dutch Bangla Bank Limited, a bank in Bangladesh,\r\nwhich lost more than $3 million during several rounds of ATM cashout attack that took place during the month of\r\nMay, according to local media reports [1, 2].\r\nSilence group expands beyond Europe\r\nIn a report shared with ZDNet prior to publication, Group-IB tied the Dutch Bangla Bank incident to a group of\r\nhackers known as \"Silence.\"\r\nThe group, which ZDNet previously covered in a September 2018 piece, has been active since 2016 and has\r\nhistorically targeted banks in Russia, former Soviet states, and Eastern Europe.\r\nhttps://www.zdnet.com/article/silence-hackers-hit-banks-in-bangladesh-india-sri-lanka-and-kyrgyzstan/\r\nPage 1 of 3\n\nAccording to Rustam Mirkasymov, Head of Dynamic Analysis of Malicious Code at Group-IB, this is the first\r\ntime the group has ventured into Asia.\r\nDutch Bangla Bank hack tied to Silence infrastructure\r\nMirkasymov told ZDNet that Group-IB has been able to tie the Dutch Bangla Bank hack to Silence's server\r\ninfrastructure.\r\n\"Group-IB has the ability to actively track cybercriminals' infrastructure of this and other financially motivated\r\ncybercriminal groups,\" he told ZDNet in an email. 
\"This all gives us visibility to indefinitely confirm that an\r\ninfected machine inside the bank's network was communicating with Silence' infrastructure.\"\r\n\"In this case, we discovered that Dutch Bangla Bank's hosts with external IPs 103.11.138.47 and 103.11.138.198\r\nwere communicating with Silence's C\u0026C (185.20.187.89) since at least February 2019,\" Mirkasymov told ZDNet\r\nin an email.\r\nAccording to the researcher, the group appears to have deployed the eponymously named Silence malware on the\r\nbank's network, with modules for running malicious commands on infected hosts and setting up proxy servers to\r\ndisguise malicious traffic.\r\nThe group appears to have used this access to orchestrate coordinated funds withdrawals from the bank's ATMs.\r\nHow these attacks occurred is currently unknown. A YouTube video unearthed by local media shows two men\r\n(later identified as Ukrainians) visiting Dutch Bangla Bank ATMs, making a phone call, and then withdrawing\r\nlarge sums of money. ATM cashouts using Dutch Bangla Bank ATMs occurred on May 31, but before that, crooks\r\nalso used cloned cards with the data of Dutch Bangla Bank customers to withdraw money from ATMs in Cyprus,\r\nRussia and Ukraine.\r\nThis suggests the Silence group might have used their access to the bank's network to facilitate and allow large\r\nATM cashouts without triggering alerts, most likely by deploying their custom-built Atmosphere malware on\r\nsystems that ran ATM-specific software.\r\nTwo other Bangladesh banks also hit\r\nBangladesh local media reported that two other local banks -- NCC Bank and Prime Bank -- also faced similar\r\nissues as Dutch Bangla Bank, but they managed to avert financial losses. 
It is unclear if Silence was involved in\r\nthose attacks as well.\r\nGroup-IB said Silence did hit banks in three other countries -- India, Sri Lanka, and Kyrgyzstan -- but could not\r\ndisclose their names.\r\nIn September 2018, Group-IB said the group had only been successful in attacks against CIS and Eastern\r\nEuropean countries, but that they were sending spear-phishing emails to banks all over the world.\r\nToday's report shows the group was eventually successful in compromising other targets outside their normal\r\noperational zone.\r\nAccording to the Group-IB report on the Silence hacker group from September 2018, the group is a small two-person operation, with one member being suspected of being part of the cyber-security industry.\r\nHowever, Mirkasymov told ZDNet that \"it is possible that the gang's structure might have changed\" since the\r\nreport's release. 
Mirkasymov said his company has recently found out that one of the Silence developers had\r\nwritten the \"FlawedAmmyy loader\" malware as a third-party developer for other cyber-criminal operations.\r\nThis article will be updated later today with a link to the Group-IB report, once it becomes publicly available.\r\nSource: https://www.zdnet.com/article/silence-hackers-hit-banks-in-bangladesh-india-sri-lanka-and-kyrgyzstan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/silence-hackers-hit-banks-in-bangladesh-india-sri-lanka-and-kyrgyzstan/"
	],
	"report_names": [
		"silence-hackers-hit-banks-in-bangladesh-india-sri-lanka-and-kyrgyzstan"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e8ebcbda-e8df-4a38-a2a6-63b2608ee6f3",
			"created_at": "2023-01-06T13:46:38.88051Z",
			"updated_at": "2026-04-10T02:00:03.131218Z",
			"deleted_at": null,
			"main_name": "Silence group",
			"aliases": [
				"WHISPER SPIDER"
			],
			"source_name": "MISPGALAXY:Silence group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434459,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ebd5cb92866ebd12c1ed735a31d7e1dd98b34865.pdf",
		"text": "https://archive.orkl.eu/ebd5cb92866ebd12c1ed735a31d7e1dd98b34865.txt",
		"img": "https://archive.orkl.eu/ebd5cb92866ebd12c1ed735a31d7e1dd98b34865.jpg"
	}
}