FORENSIC LEGIBILITY EXAMINER
CASE 040 HIGH-VALUE ASSET TRANSFER 2026-02-28 DISPOSITION: SINGLE-CHANNEL TRANSFER AUTHENTICATION FAILURE

Central Bank Reserve Transfer Authority Failure Through Compromised SWIFT Terminal Credentials at Bangladesh Bank

In February 2016, attackers compromised Bangladesh Bank's SWIFT terminal and submitted 35 fraudulent transfer requests totaling $951 million to the Federal Reserve Bank of New York. Five transfers totaling $101 million were processed before the remaining thirty were halted; one of the five was reversed only because a routing bank noticed that the word 'foundation' was misspelled as 'fandation', and none of the halts came from an authentication mechanism. SWIFT authentication verified that the message came from Bangladesh Bank's terminal, not that Bangladesh Bank authorized it. No mandatory out-of-band confirmation existed, so a single compromised channel was sufficient to move nearly a billion dollars.
Failure classification: Single-Channel Authentication Treated as Transfer Authorization

Context

Bangladesh Bank maintained approximately $1 billion in foreign reserves held at the Federal Reserve Bank of New York, as is standard practice for central banks maintaining dollar-denominated reserves in correspondent accounts at the Fed. Transfers from this account were initiated through SWIFT—the Society for Worldwide Interbank Financial Telecommunication—a messaging network used by over 11,000 financial institutions worldwide to transmit payment instructions. SWIFT messages authenticated by a member institution's terminal credentials carry the institutional authority of the sending bank, and receiving institutions process instructions that pass SWIFT authentication as legitimate transfer orders from the authenticated sender.

The SWIFT messaging system authenticates messages at the terminal level. Each member institution operates SWIFT-connected terminals with unique authentication credentials—digital keys and operator codes—that identify messages as originating from that institution. When the Federal Reserve Bank of New York receives a SWIFT-authenticated transfer instruction from Bangladesh Bank's terminal, the authentication confirms that the message originated from Bangladesh Bank's SWIFT infrastructure. The authentication does not confirm that the message was authorized by Bangladesh Bank's management, that it reflects a legitimate transaction, or that the human operators initiating the message are authorized personnel. The system verifies that the terminal is genuine, not that the instruction is genuine.

Trigger

The attackers timed the operation for Thursday evening in Dhaka—the beginning of the Bangladeshi weekend—when the bank's offices would be minimally staffed. Because of the time zone difference, the transfer requests arrived at the Federal Reserve Bank of New York during its business day on Thursday, February 4. The Fed began processing the authenticated SWIFT instructions, which directed transfers from Bangladesh Bank's reserve account to accounts in the Philippines and Sri Lanka.

Of the 35 transfer requests totaling approximately $951 million, five were processed before the remaining thirty were halted. Four transfers totaling $81 million were directed to accounts at the Rizal Commercial Banking Corporation (RCBC) in Manila. A fifth transfer of $20 million was directed to an account in Sri Lanka. The Sri Lanka transfer was flagged and reversed because the request misspelled the word "foundation" as "fandation" in the beneficiary name, prompting a routing bank to flag the instruction for manual review. The remaining thirty requests—totaling approximately $850 million—were halted when the Fed's compliance systems flagged the transfers for additional review due to the routing of funds through a bank branch that appeared on a sanctions monitoring list.

Failure Condition

The transfer authorization system failed because SWIFT terminal authentication was treated as sufficient authorization for transfers of any size. The Federal Reserve Bank of New York received SWIFT-authenticated messages from Bangladesh Bank's terminal and processed them as legitimate instructions from Bangladesh Bank. The authentication confirmed message origin—the messages came from Bangladesh Bank's SWIFT infrastructure—without confirming message authorization—that Bangladesh Bank's management had directed the transfers. When the terminal credentials were compromised, every message sent through the captured terminal carried the same authentication as a legitimate instruction, and the receiving institution had no mechanism within the SWIFT channel to distinguish authorized from unauthorized messages.

No mandatory out-of-band confirmation requirement existed for transfers of this magnitude between these correspondent banks. An independent verification channel—a phone call, a separate electronic confirmation, or a secondary authentication through a different system—would have required the Fed to confirm with Bangladesh Bank through a communication path not controlled by the attackers. Such confirmation would have immediately revealed that Bangladesh Bank had not authorized the transfers, because the attackers controlled only the SWIFT terminal, not Bangladesh Bank's telephone lines or management personnel. The absence of a mandated second-channel verification for high-value transfers meant that a single compromised channel was sufficient to authorize the movement of nearly a billion dollars.
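The distinction drawn in the Context and Failure Condition sections (origin authentication versus transfer authorization) can be made concrete with a small policy model. This is an added example, not code from the page, SWIFT, or any bank: terminal credentials are stood in for by a constructed HMAC key, the dollar thresholds are assumed policy values, and the aggregate-per-window limit is an extension of the page's per-transfer argument. Under a single-channel policy every message that carries a valid terminal MAC is released; under a dual-channel policy high-value messages are held until the same instruction is confirmed over an independent channel the terminal key cannot produce.

```python
import hmac
import hashlib
from dataclasses import dataclass

TERMINAL_KEY = b"constructed-demo-terminal-key"  # hypothetical; real credentials are not modelled
PER_ITEM_LIMIT_USD = 10_000_000        # assumed policy thresholds, not SWIFT's or the Fed's
DAILY_AGGREGATE_LIMIT_USD = 50_000_000

@dataclass(frozen=True)
class Instruction:
    sender: str
    beneficiary: str
    amount_usd: int
    mac: str = ""

def terminal_mac(sender, beneficiary, amount_usd, key=TERMINAL_KEY):
    """Origin authentication as a terminal produces it: an HMAC over the message fields."""
    msg = f"{sender}|{beneficiary}|{amount_usd}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def authenticate(instr):
    """True if the message came from a holder of the terminal key; says nothing about intent."""
    expected = terminal_mac(instr.sender, instr.beneficiary, instr.amount_usd)
    return hmac.compare_digest(expected, instr.mac)

def decide(instr, policy, confirmations, released_so_far):
    """RELEASE, HOLD (await out-of-band confirmation) or REJECT one message.
    confirmations: (sender, beneficiary, amount) tuples gathered over an independent channel;
    released_so_far: USD already released for this sender in the window (aggregate control)."""
    if not authenticate(instr):
        return "REJECT"
    if policy == "single-channel":
        return "RELEASE"                   # authentication treated as authorization
    high_value = (instr.amount_usd >= PER_ITEM_LIMIT_USD
                  or released_so_far + instr.amount_usd > DAILY_AGGREGATE_LIMIT_USD)
    if not high_value:
        return "RELEASE"
    return "RELEASE" if (instr.sender, instr.beneficiary, instr.amount_usd) in confirmations else "HOLD"

def run_batch(instrs, policy, confirmations):
    """Process a batch in order; return the USD released under the policy."""
    released = 0
    for ins in instrs:
        if decide(ins, policy, confirmations, released) == "RELEASE":
            released += ins.amount_usd
    return released

def demo_batch(confirmations=frozenset()):
    """Constructed batch of five messages, all validly MACed with the captured key."""
    s = "BANK-CONSTRUCTED"   # constructed sender id, not a real BIC
    amounts = [20_000_000, 6_000_000, 30_000_000, 25_000_000, 20_000_000]  # sum to $101M
    batch = [Instruction(s, f"bene-{i}", a, terminal_mac(s, f"bene-{i}", a)) for i, a in enumerate(amounts)]
    return (run_batch(batch, "single-channel", confirmations),
            run_batch(batch, "dual-channel", confirmations))
```

With no callbacks answered, the single-channel policy releases the full $101 million while the dual-channel policy releases only the one message below the per-item limit; a callback confirming a specific instruction releases exactly that one and nothing else.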

Observed Response

Bangladesh Bank recovered the $20 million transferred to Sri Lanka after the routing bank flagged the misspelling. The $81 million transferred to the Philippines was largely unrecovered, with only a small fraction returned through legal proceedings. The Philippine Senate conducted an investigation into the role of RCBC's Jupiter Street branch and the casino channels used to launder the funds. RCBC was fined $21 million by the Philippine central bank for failures in anti-money laundering compliance.

Analytical Findings
