Malware (Resolved)

Far Eastern International Bank SWIFT heist

North Korea's Lazarus Group used custom malware to commandeer Far Eastern International Bank's SWIFT terminal and wire roughly $60 million to accounts in the U.S., Cambodia, and Sri Lanka, deploying Hermes ransomware as a diversion.

Victim: Far Eastern International Bank (FEIB)
Loss: $500.0K

In October 2017, Taiwan's Far Eastern International Bank (FEIB) became the latest victim in North Korea's campaign to plunder the global financial system. Attackers later linked to the Lazarus Group planted custom malware inside the bank, hijacked its connection to the SWIFT interbank messaging network, and pushed through fraudulent transfers totalling roughly $60 million before staff noticed.

What happened

The intruders deployed malware described by FEIB as "of a type never seen before" across the bank's computers and servers. The toolset harvested the credentials needed to commandeer the bank's SWIFT terminal — the endpoint that authorises international wire transfers. With control of that terminal, the operators issued instructions moving funds to beneficiary accounts in the United States, Cambodia, and Sri Lanka.

Crucially, the SWIFT network itself was not compromised. As in the 2016 Bangladesh Bank heist, the breach occurred at the bank's own endpoint, where attackers abused legitimate access rather than breaking SWIFT's cryptography.

To slow the bank's response, the attackers detonated Hermes ransomware across FEIB machines. BAE Systems assessed that the encryption was not a money-making scheme but a distraction or cover-up to occupy the security team while the heist completed.

Impact

  • Approximately $60 million in fraudulent transfers were initiated.
  • Thanks to rapid coordination with correspondent banks and SWIFT, almost all of the money was clawed back — only about $500,000 remained unrecovered.
  • Two suspects were arrested in Sri Lanka, including the head of the state-run Litro Gas company, in whose personal account about $1.1 million had landed.

Attribution

Researchers at BAE Systems tied the operation to Lazarus, North Korea's state-linked threat group. Samples reused an x86 variant of the fdsvc.dll backdoor seen in earlier Lazarus attacks in Poland and Mexico, contained Russian-transliterated commands such as "Nachalo" and "vykhodit," and routed money through Sri Lanka and Cambodia — both previously used as Lazarus cash-out destinations. The methodology mirrored the Bangladesh Bank theft.

Why it matters

FEIB demonstrated that the SWIFT endpoint remained a soft target two years after Bangladesh, and that state-sponsored financial theft had become a recurring revenue stream for a sanctioned regime. It also showcased a now-signature Lazarus tactic: pairing a wire-fraud heist with destructive ransomware as cover, foreshadowing the Hermes-derived Ryuk ransomware that would terrorise enterprises in the following years. The near-total recovery underscored that speed of detection and interbank cooperation — not perimeter defences alone — can blunt even a well-resourced nation-state heist.
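The write-up's takeaway is that detection speed at the bank's own endpoint, not SWIFT's cryptography, decided how much of the $60 million was recovered. The following is an added illustration, not FEIB's or SWIFT's code and not drawn from the sources above: a simple outbound-payment screen that scores each new instruction against a baseline built from the bank's own payment history (known beneficiary countries and accounts, typical amounts, business hours) and raises a separate velocity alert when one operator pushes out far more per hour than the history has ever seen. All payment records, thresholds and field names (`Payment`, `HISTORY`, `NEW_BATCH`) are constructed for the example.

```python
"""Added example: baseline-driven screening of outbound wire instructions.

Everything below is constructed for illustration; it is not FEIB's system,
not SWIFT software, and the records are not real transactions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Payment:
    ref: str                  # internal reference of the instruction
    sent_at: datetime         # local time the instruction was released
    operator: str             # user whose credentials released it
    amount_usd: int
    beneficiary_country: str  # ISO-style two-letter code
    beneficiary_account: str  # identifier of the receiving account


def _dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed 30-day history of routine payments, all on weekdays in business hours.
HISTORY = [
    Payment("H1", _dt("2017-09-04 10:15"), "alice", 120_000, "JP", "JP-001"),
    Payment("H2", _dt("2017-09-05 11:00"), "bob",    80_000, "US", "US-001"),
    Payment("H3", _dt("2017-09-11 14:30"), "alice", 250_000, "HK", "HK-001"),
    Payment("H4", _dt("2017-09-14 09:45"), "bob",   400_000, "SG", "SG-001"),
    Payment("H5", _dt("2017-09-20 13:00"), "alice",  60_000, "JP", "JP-002"),
    Payment("H6", _dt("2017-09-27 15:10"), "bob",   150_000, "US", "US-001"),
]

# Constructed batch of new instructions: one routine payment, three released
# early on a Sunday morning to accounts the bank has never paid before, and one
# large but otherwise ordinary payment to a known counterparty.
NEW_BATCH = [
    Payment("N1", _dt("2017-10-02 10:30"), "alice",     90_000, "JP", "JP-001"),
    Payment("N2", _dt("2017-10-01 02:15"), "bob",    9_800_000, "KH", "KH-777"),
    Payment("N3", _dt("2017-10-01 02:20"), "bob",    7_500_000, "LK", "LK-555"),
    Payment("N4", _dt("2017-10-01 02:40"), "bob",   12_000_000, "US", "US-909"),
    Payment("N5", _dt("2017-10-02 11:00"), "alice",    500_000, "HK", "HK-001"),
]


def build_baseline(history):
    """Summarise the bank's own history: known destinations and a typical-amount ceiling."""
    amounts = sorted(p.amount_usd for p in history)
    p95_index = max(0, round(0.95 * (len(amounts) - 1)))
    return {
        "countries": {p.beneficiary_country for p in history},
        "accounts": {p.beneficiary_account for p in history},
        "p95_amount": amounts[p95_index],
    }


def screen_payment(p, baseline, business_hours=(9, 18)):
    """Return the list of rules a single instruction trips (empty list = clean)."""
    reasons = []
    if p.beneficiary_country not in baseline["countries"]:
        reasons.append("new-country")
    if p.beneficiary_account not in baseline["accounts"]:
        reasons.append("new-account")
    if p.amount_usd > baseline["p95_amount"]:
        reasons.append("amount-above-p95")
    start, end = business_hours
    if p.sent_at.weekday() >= 5 or not (start <= p.sent_at.hour < end):
        reasons.append("off-hours")
    return reasons


def screen_batch(batch, baseline, hold_if=2):
    """Map ref -> reasons for every instruction tripping at least `hold_if` rules.

    A single signal (a large payment to a known counterparty) is not enough to
    hold a payment; the heist pattern trips several at once.
    """
    held = {}
    for p in batch:
        reasons = screen_payment(p, baseline)
        if len(reasons) >= hold_if:
            held[p.ref] = reasons
    return held


def hourly_totals(payments):
    """Total amount released per (operator, calendar hour)."""
    totals = Counter()
    for p in payments:
        totals[(p.operator, p.sent_at.strftime("%Y-%m-%dT%H"))] += p.amount_usd
    return totals


def velocity_alerts(batch, history, multiplier=10.0):
    """Flag (operator, hour) buckets exceeding `multiplier` x the busiest hour in history."""
    limit = max(hourly_totals(history).values()) * multiplier
    return {bucket: total for bucket, total in hourly_totals(batch).items() if total > limit}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for ref, why in screen_batch(NEW_BATCH, base).items():
        print(f"HOLD {ref}: {', '.join(why)}")
    for (operator, hour), total in velocity_alerts(NEW_BATCH, HISTORY).items():
        print(f"VELOCITY {operator} {hour}: {total:,} USD")
```

Note that N4 goes to the United States, a country already in the history, so a country-only rule would have passed it; it is held because the account is new, the amount is far above the bank's norm and it was released outside business hours. The velocity rule is independent of per-payment scoring and catches the burst even if each individual instruction had looked plausible.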

Timeline

  1. Lazarus operators activate custom malware on FEIB systems and begin issuing fraudulent SWIFT transfer instructions.

  2. Roughly $60 million is wired to beneficiary accounts in the United States, Cambodia, and Sri Lanka; Hermes ransomware is deployed on bank machines as a diversion.

  3. FEIB staff notice the anomalous transactions and alert correspondent banks and SWIFT to begin clawing back funds.

  4. The bank reports that all but about $500,000 of the stolen funds have been recovered.

  5. Two suspects are arrested in Sri Lanka, including the head of state-run Litro Gas, after $1.1 million is traced to a personal account.

  6. BAE Systems researchers publicly link the toolset and ransomware diversion to North Korea's Lazarus Group.

Sources

  1. theregister.com: https://www.theregister.com/2017/10/11/hackers_swift_taiwan/
  2. baesystemsai.blogspot.com: https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html
  3. securityweek.com: https://www.securityweek.com/taiwan-bank-heist-linked-north-korean-hackers/
  4. bankinfosecurity.com: https://www.bankinfosecurity.com/report-malware-wielding-hackers-hit-taiwanese-bank-a-10368
