ThinkableWhat is this?

Cryptography & Security

The Billion-Dollar Heist That Never Touched a Bank

In 2016, hackers stole nearly a billion in funds from Bangladesh's central bank using nothing more than stolen credentials and a few well-timed SWIFT messages — and they almost got away with it because of a spelling mistake.

The Idea

Most people imagine cybercrime as something dramatic — code cascading down screens, alarms blaring, systems going dark. The reality is far more mundane and, in some ways, more unsettling. The most devastating attacks rarely involve breaking unbreakable encryption or defeating sophisticated firewalls. They exploit the gap between how secure a system is in theory and how it actually gets used by real humans in real organisations. This is the central insight of modern cybercrime: the weakest link is almost never the technology. It's the trust the technology is built on. Authentication credentials get reused. Emails get clicked. Access permissions get handed out generously and never revoked. Insider knowledge — how a company's systems work, what language its internal messages use, what requests look like on a normal Tuesday — is enormously valuable to attackers. What makes this especially hard to defend against is that sophisticated attackers don't smash their way in. They slip in quietly, then spend weeks or months simply watching. Security researchers call this 'dwell time' — the period between initial compromise and the moment anyone notices. The average dwell time, globally, has historically been measured in months. In that window, attackers are mapping systems, escalating privileges, and waiting for exactly the right moment. By the time an alarm trips, the attacker has often already left — with everything they came for.

In the World

In February 2016, operatives linked to North Korea's Lazarus Group — a state-sponsored hacking unit — breached the Bangladesh Bank's computer systems and gained access to its SWIFT terminal. SWIFT is the messaging network that banks worldwide use to authorise international transfers. With legitimate credentials in hand, the attackers sent 35 fraudulent transfer requests to the Federal Reserve Bank of New York, where Bangladesh held its foreign currency reserves. Five of those requests went through before anyone caught on, directing funds to accounts in the Philippines and Sri Lanka. The total successfully moved: around 81 million. The attackers had attempted nearly a billion — but the Federal Reserve grew suspicious and halted the remaining transfers after one of the requests used the word 'fandation' instead of 'foundation'. A typo. That single spelling error is the reason the story isn't ten times worse. The funds that reached the Philippines were quickly disbursed through casinos — which, at the time, weren't subject to the same anti-money-laundering scrutiny as banks — and largely vanished. Almost none of it was ever recovered. What the investigation revealed was striking: the attackers had been inside Bangladesh Bank's network for weeks before executing the heist, learning the system from the inside. The bank's cybersecurity infrastructure was also notably thin — staff reportedly used second-hand network switches and no firewall. The breach wasn't a feat of cryptographic genius. It was patience, preparation, and an organisation that trusted its internal systems without sufficiently verifying them.

Why It Matters

The Bangladesh Bank heist isn't just a dramatic story — it's a useful lens for understanding where digital risk actually lives. The instinct is to think of security as a technical problem with a technical solution: better encryption, stronger passwords, more sophisticated software. But the more instructive frame is organisational and human. Attackers are, at their core, in the business of exploiting trust — trust between institutions, between colleagues, between users and systems. That means the most important security question is rarely 'how strong is our encryption?' It's 'who has access to what, and why?' And: 'what would a fraudulent request look like if it arrived through a legitimate channel?' This shifts responsibility away from IT departments alone and toward everyone who touches a system. The phishing email that compromises a network wasn't a technical failure — it was a human one, made more likely by poor training, fatigue, or simple inattention. Understanding this makes you a more sceptical and more careful participant in digital life, whether you're managing organisational systems or simply deciding whether to click a link.

A Question to Ponder

If someone wanted to deceive you specifically — using your name, your colleagues' names, the way your organisation actually communicates — how long do you think it would take before you noticed something was wrong?

Get a new one of these every morning.

Start learning with Thinkable
One topic like this, every day.Start free