Vulnerability exploit · Contained

Banxico SPEI interbank heist (Mexico, 2018)

Attackers exploited third-party software connecting Mexican banks to SPEI, the central bank's interbank payment system, injecting phantom transfers and draining roughly 300-400 million pesos (~$15-20 million) via cash withdrawals by money mules.

Victim
Banco de México (Banxico) / SPEI participant banks
Loss
$20.0M

In April and May 2018, Mexico's interbank payment backbone — SPEI (Sistema de Pagos Electrónicos Interbancarios), operated by central bank Banco de México (Banxico) — was abused in a series of cyberattacks that injected fraudulent transfers and drained an estimated 300 to 400 million pesos (roughly $15-20 million). It remains one of the most significant attacks ever against a national payment system.

What happened

Critically, the SPEI core was not breached. Instead, attackers exploited weaknesses in the third-party and in-house software that individual banks used to connect their systems to SPEI. By compromising those connection components, the perpetrators were able to forge payment orders — phantom transfers that SPEI processed as legitimate because they arrived through an authenticated participant link.

The fraudulent transfers funneled money into accounts at other institutions controlled by the attackers. Accomplices — money mules — then withdrew the funds in cash at bank branches, an unusual pattern of large withdrawals that suggested possible insider assistance. At least five financial institutions were affected, with reporting naming Banorte, Banco del Bajío and Banjército among those targeted.

Impact

  • An estimated 300-400 million pesos (~$15-20 million) was diverted and cashed out.
  • Because the stolen funds moved between institutional accounts, ordinary customers' balances were reported not to have been directly debited.
  • Banxico activated a contingency scheme that slowed and rerouted transfers, causing settlement delays and longer transaction times across the banking system for weeks.

Why it matters

The SPEI episode is a landmark case in payment-system and third-party risk. It showed that a robust central infrastructure can be undermined through the weakest participant's integration layer, and that financial criminals could combine a technical software compromise with a physical cash-out network. In response, Banxico imposed mandatory minimum cybersecurity standards for SPEI participants and pushed institutions toward a separate, hardened connection architecture — reforms that reshaped how Mexican banks attach to the national payment rails.

Timeline

  1. The first fraudulent SPEI transactions are injected through compromised third-party software at a participant institution.

  2. Banco de México warns SPEI participants of anomalies; Banorte, Banco del Bajío and Banjército are reported among those targeted.

  3. Banxico activates a contingency scheme, slowing transfers and routing affected banks through alternative connections; settlement delays ripple across the system.

  4. Authorities estimate 300-400 million pesos (~$15-20 million) was diverted and withdrawn in cash by money mules at bank branches.

  5. Banxico issues new mandatory cybersecurity rules for institutions connecting to SPEI, including a separate, hardened connection architecture.

Sources

  1. threatpost.com: https://threatpost.com/mexicos-banking-system-sees-18m-siphoned-off-in-phantom-transactions/132004/
  2. bankinfosecurity.com: https://www.bankinfosecurity.com/mexico-investigates-suspected-cyberattacks-against-banks-a-11008
  3. welivesecurity.com: https://www.welivesecurity.com/2018/05/24/mexico-cybercriminals-steal-400-million/
  4. msspalert.com: https://www.msspalert.com/news/five-mexican-banks-financial-groups-pesos-stolen
  5. lexology.com: https://lexology.com/commentary/banking-financial-services/mexico/hogan-lovells-bstl-sc/numerous-cyberattacks-breach-banxicos-interbank-electronic-payments-system
