The Cosmos Bank heist demonstrated that Indian banking infrastructure was reachable by nation-state-grade threat actors using techniques that had been refined against larger Western targets. The attack chain — months of patient reconnaissance, careful malware deployment, coordinated international cash-out, and use of legitimate SWIFT infrastructure to move stolen funds — was operationally remarkable and educational. This post reconstructs the attack with the benefit of seven years of subsequent analysis, identifies the specific Indian banking system properties that enabled it, and draws lessons for Indian banking cybersecurity in 2025-2026.
What happened — the August 2018 heist over a single weekend
Cosmos Bank discovered the attack on 13 August 2018 when reconciliation processes flagged anomalous withdrawals. The attack itself had been live since approximately 11 August. Forensic reconstruction by RBI investigators, Cosmos Bank’s own response team, and subsequent international cooperation revealed four stages:
Stage 1 — months of reconnaissance. Attackers had compromised Cosmos Bank infrastructure earlier in 2018 (specific entry vector reported variously as phishing of bank IT staff or supply-chain compromise of a vendor). They installed remote-access malware and conducted reconnaissance of bank systems including the SWIFT messaging system and the ATM-switching infrastructure.
Stage 2 — payment switch malware. Attackers deployed custom malware that intercepted requests to Cosmos Bank’s ATM payment switch — the system that authorises ATM withdrawals against customer accounts. The malware modified responses to authorise withdrawals that the actual core banking system would have rejected.
Stage 3 — coordinated cash-out. Money mules at ATMs across 28 countries simultaneously attempted withdrawals using cloned debit cards. The malicious payment switch authorised the withdrawals; the cash was dispensed; mules forwarded the proceeds to attacker-controlled addresses.
Stage 4 — SWIFT transfer. Separately, attackers initiated a SWIFT MT103 transfer of ₹13.92 crore from a Cosmos correspondent account to ALM Trading Limited’s Hang Seng Bank account in Hong Kong. The SWIFT message was generated using legitimate Cosmos Bank credentials but for an unauthorised transaction.
Total operational duration of active fraud: approximately 26 hours.
Why ₹94 crore — the scale relative to Indian banking
In rupee terms, ₹94 crore is approximately $11-13.5M depending on exchange rates of the time. By global cyber-heist standards this is mid-tier — the Bangladesh Bank Heist of 2016 was attempted at $951M (with ~$81M actually moved). By Indian standards, however, the Cosmos Bank heist remains the largest bank cyberattack on record. Cosmos Bank’s total assets at the time were approximately ₹14,000 crore; the heist represented less than 1% of bank assets but a significant operational and reputational hit. The scale of the ATM cash-out is what made the attack distinctive: approximately 14,800 transactions in 28 countries within hours requires substantial money-mule organisation. Lazarus Group, with extensive experience from the Bangladesh Bank Heist and earlier ATM cash-out operations against Banco de Chile, FNB Cosmos (Mexico), and others, had the operational infrastructure to coordinate such cash-out. Geographic distribution of the cash-out included Hong Kong, Romania, Russia, Spain, India, UAE, US, UK, Canada, Australia, France, Germany, Japan, and other countries — designed to maximise withdrawal volume before any individual country’s law enforcement could respond.
Attribution to Lazarus Group / BeagleBoyz
Multiple investigations attributed the Cosmos Bank attack to Lazarus Group / BeagleBoyz (a Lazarus subgroup specialising in financial-institution attacks). The attribution is supported by:
(1) Tactical pattern. The combination of payment-switch malware + coordinated international ATM cash-out + parallel SWIFT transfer is a Lazarus signature. The Bangladesh Bank Heist (2016) used SWIFT manipulation; the FASTCash campaign (against multiple banks 2016-2018) used payment-switch malware for ATM cash-out. Cosmos Bank combined both in a single operation.
(2) Malware analysis. Custom malware found on Cosmos Bank systems shared code patterns with Lazarus-attributed samples from other operations.
(3) Mule network overlap. Money mules and cash-out infrastructure overlapped with Lazarus operations elsewhere.
(4) US government attribution. The US Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Treasury Department published BeagleBoyz advisories explicitly identifying Cosmos Bank as a Lazarus operation.
(5) Indictments. US Department of Justice indictments of named North Korean operatives (including Park Jin Hyok, indicted 2018 for the Sony hack and Bangladesh Bank Heist; later indictments in 2021 and 2022 for additional Lazarus members) reference Lazarus financial-institution attacks as a category.
The geopolitical reality: North Korean nationals indicted by US authorities are not extraditable; the indictments serve symbolic and sanctions purposes rather than producing custody. Cosmos Bank funds, once moved through international cash-out and crypto laundering, have not been substantively recovered.
Timeline — months of preparation, hours of execution, years of investigation
2017-early 2018: Likely initial compromise; reconnaissance; malware deployment; testing of payment-switch interception.
11 August 2018, late evening: Active fraud begins. Coordinated ATM cash-out across 28 countries via cloned debit cards.
11-13 August 2018: Approximately 14,800 fraudulent withdrawals; cumulative ₹78 crore stolen via ATMs.
13 August 2018: Cosmos Bank reconciliation detects anomalies. Bank notifies RBI and law enforcement. ATM operations suspended.
13 August 2018, evening: SWIFT transfer attempt of ₹13.92 crore to Hong Kong. The transfer cleared and funds reached the ALM Trading account before SWIFT recall procedures could effectively reverse it.
14 August 2018 onward: Public disclosure; multi-agency investigation begins (Maharashtra Cyber, CBI, Interpol coordination, RBI supervision).
September-December 2018: Initial arrests of money mules in India (mostly low-level cash collectors); little reach into actual operators.
2019-2021: US BeagleBoyz advisory published explicitly identifying Lazarus involvement. RBI implements stricter cybersecurity requirements for co-operative banks.
2022-2024: Long tail of investigation; some funds traced through cryptocurrency mixing services; substantial recovery did not occur. Cosmos Bank operations continue despite reputational impact.
Ongoing: The attack remains under investigation; specific Lazarus operators remain at large in North Korea.
Technical analysis — payment-switch interception in Indian banking
The Cosmos Bank attack relied on a specific architectural pattern in Indian co-operative banking that defenders should understand. Indian co-operative banks typically operate as smaller institutions with their own core banking systems but rely on shared infrastructure for ATM operations and inter-bank settlement. The “payment switch” is the system that intermediates between ATM transactions and the core banking system: when a customer withdraws cash at an ATM, the ATM transmits an authorisation request through the payment switch to the core banking system; the core banking system verifies the account balance and approves; the payment switch authorises the ATM to dispense cash.
The Cosmos attack inserted malware at the payment-switch layer that intercepted outbound requests to the core banking system, generated affirmative authorisation responses, and forwarded those responses to ATMs — bypassing actual balance verification. From the core banking system’s perspective, the transactions never occurred at the time of withdrawal; from the ATM network’s perspective, the withdrawals were authorised. The mismatch was discovered during end-of-day reconciliation, when the core banking system’s records did not match the ATM network’s records.
For Indian banking, this attack class targets co-operative and smaller commercial banks because their payment-switch infrastructure is often less sophisticated than that of tier-1 commercial banks. RBI has progressively tightened requirements, but the structural risk remains for institutions that have not modernised. The same pattern was observed in subsequent attacks (City Union Bank 2018, others undisclosed), suggesting the technique remains active in the Lazarus playbook.
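The switch-versus-core mismatch described above, as an added example that is not Cosmos Bank's, RBI's or any vendor's code: a toy model of the authorisation flow in which the core banking system is the only authority on balances, and a reconciliation check that flags every approval the switch sent to an ATM without a matching core debit. Account numbers, balances and transactions are constructed; `CoreBanking`, `PaymentSwitch`, `reconcile` and `run_scenario` are names chosen here for illustration.

```python
# Added example (not Cosmos Bank's or any vendor's code): a toy model of the
# ATM payment-switch flow and the reconciliation check that catches a switch
# issuing approvals the core banking system never posted. Accounts, balances
# and transactions below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class CoreBanking:
    """Holds the real balances; the only system allowed to debit an account."""
    balances: dict
    debits: list = field(default_factory=list)   # (txn_id, account, amount) actually posted

    def authorise(self, txn_id, account, amount):
        if self.balances.get(account, 0) >= amount:
            self.balances[account] -= amount
            self.debits.append((txn_id, account, amount))
            return True
        return False


@dataclass
class PaymentSwitch:
    """Sits between ATMs and the core; records every approval it sends to an ATM."""
    core: CoreBanking
    tampered: bool = False
    approvals: list = field(default_factory=list)

    def handle(self, txn_id, account, amount):
        if self.tampered:
            approved = True          # approval fabricated at the switch; core never consulted
        else:
            approved = self.core.authorise(txn_id, account, amount)
        if approved:
            self.approvals.append((txn_id, account, amount))
        return approved


def reconcile(switch, core):
    """Approvals the switch issued for which the core holds no debit.
    Run after every approval (continuous), not only at end of day."""
    posted = set(core.debits)
    return [a for a in switch.approvals if a not in posted]


def run_scenario(tampered):
    """Replay three constructed withdrawals; return (mismatches, final balances)."""
    core = CoreBanking({"ACC-1": 5000, "ACC-2": 1000})
    switch = PaymentSwitch(core, tampered=tampered)
    for txn in [("T1", "ACC-1", 2000), ("T2", "ACC-2", 3000), ("T3", "ACC-9", 2500)]:
        switch.handle(*txn)
    return reconcile(switch, core), dict(core.balances)


if __name__ == "__main__":
    print("honest switch:  ", run_scenario(False))
    print("tampered switch:", run_scenario(True))
```

With the honest switch only T1 is approved and the ledgers agree; with the tampered switch all three are approved, the core balances never move, and the first mismatch is visible as soon as T1 is approved rather than at end-of-day.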
The SWIFT manipulation — how Cosmos sent ₹13.92 crore to Hong Kong
Separately from the ATM cash-out, attackers used Cosmos Bank’s SWIFT credentials to initiate a fraudulent MT103 transfer to ALM Trading Limited at Hang Seng Bank Hong Kong. The technique is similar to the Bangladesh Bank Heist (2016): attackers had compromised the operator-level credentials for SWIFT terminal access; they generated SWIFT messages outside business hours when scrutiny was lower; they masked the transactions in audit logs to delay detection.
Why Hong Kong: ALM Trading Limited was almost certainly a shell company set up specifically to receive the funds and facilitate further laundering. Hong Kong banking offers operational flexibility for shell companies that some other jurisdictions do not, though Hong Kong authorities have since tightened monitoring.
SWIFT-side response: SWIFT (the global financial messaging cooperative) has progressively strengthened security requirements for member institutions since the Bangladesh Bank Heist. The “Customer Security Programme” (CSP) mandates security controls that, if implemented, would make Cosmos-type attacks more difficult. Cosmos Bank’s implementation maturity at the time of the attack was reportedly below CSP expectations; subsequent enforcement has tightened.
Recovery: SWIFT transfer recall is theoretically possible but requires rapid response from both sender and receiver banks. Cosmos Bank reported being able to recover some but not all of the ₹13.92 crore; specific recovery percentages are not public.
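Added example, not from the original post and not SWIFT's or Cosmos Bank's code: two member-side controls against the three behaviours listed above (off-hours message creation, a new beneficiary, and a message scrubbed from the terminal's audit log). It assumes the bank can obtain an independent network-side record of what was actually sent and compare it with its own terminal audit log; message records, beneficiary names, amounts and the 9:00-18:00 business window are constructed, and `review_outbound` and `sample_findings` are names chosen here.

```python
# Added example (not Cosmos Bank's or SWIFT's code): member-side checks over
# constructed outbound payment records. "network_record" stands in for an
# independent confirmation of what left the bank; "local_audit" is the
# terminal's own log, which an intruder with operator access may have edited.
from datetime import datetime, time

BUSINESS_HOURS = (time(9, 0), time(18, 0))   # constructed; tune to the bank's treasury desk


def outside_business_hours(sent_at):
    """True on weekends or outside the configured working window."""
    start, end = BUSINESS_HOURS
    return sent_at.weekday() >= 5 or not (start <= sent_at.time() <= end)


def review_outbound(network_record, local_audit, known_beneficiaries, limit_inr):
    """Return {ref: [findings]} for messages needing human confirmation,
    ideally before release and otherwise before the recall window closes."""
    audited = {m["ref"] for m in local_audit}
    findings = {}
    for msg in network_record:
        issues = []
        if msg["ref"] not in audited:
            issues.append("sent on network but absent from local audit log")
        if outside_business_hours(msg["sent_at"]):
            issues.append("created outside business hours")
        if msg["beneficiary"] not in known_beneficiaries:
            issues.append("first payment to this beneficiary")
        if msg["amount_inr"] > limit_inr:
            issues.append("amount above single-message limit")
        if issues:
            findings[msg["ref"]] = issues
    return findings


def sample_findings():
    """Constructed data: one routine supplier payment and one off-hours,
    large, first-time transfer whose audit entry has been removed."""
    known = {"ACME SUPPLIES LTD"}
    network = [
        {"ref": "REF001", "sent_at": datetime(2018, 8, 10, 11, 30),
         "beneficiary": "ACME SUPPLIES LTD", "amount_inr": 2_500_000},
        {"ref": "REF002", "sent_at": datetime(2018, 8, 13, 21, 40),
         "beneficiary": "NEWCO TRADING LTD", "amount_inr": 139_200_000},
    ]
    local = [network[0]]              # REF002 is missing from the terminal log
    return review_outbound(network, local, known, limit_inr=50_000_000)


if __name__ == "__main__":
    for ref, issues in sample_findings().items():
        print(ref, "->", "; ".join(issues))
```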
India's response — RBI cybersecurity framework strengthening
The Cosmos Bank attack triggered specific Indian regulatory responses.
(1) RBI cybersecurity framework expansion. The RBI cybersecurity framework for banks (originally 2016) was strengthened through circulars in 2018-2019 specifically addressing payment-system security, SWIFT controls, and incident reporting.
(2) Co-operative bank scrutiny. RBI increased supervisory attention to co-operative banks’ cybersecurity posture; subsequent inspections specifically tested payment-switch and SWIFT controls.
(3) Sectoral CERT engagement. RBI established the Reserve Bank Information Technology Pvt Ltd (ReBIT) cybersecurity unit; sectoral threat-intelligence sharing with banks improved.
(4) Mandatory incident reporting. Bank cybersecurity incidents must be reported to RBI within prescribed timelines; CERT-In separately requires 6-hour reporting under the April 2022 Directions.
(5) IDRBT engagement. The Institute for Development and Research in Banking Technology, RBI’s research arm, expanded cybersecurity research and capacity-building programs for Indian banks.
(6) Cyber insurance evolution. The Indian cyber insurance market grew significantly post-Cosmos; products tailored to bank-specific risks emerged.
The structural reality: implementation across 100+ Indian co-operative banks remains uneven. Tier-1 commercial banks (HDFC, ICICI, SBI, Axis, Kotak, IndusInd) have substantially stronger postures than smaller institutions. The Cosmos pattern remains a viable attack class for less-mature targets.
Lessons learned — five durable takeaways
(1) Patient adversaries are the dominant threat for high-value targets. Cosmos Bank was reconnaissance-mapped for months before the active fraud window. Defensive postures must assume that sophisticated attackers will be present in the network well before they act, and detection should focus on the long-dwell behaviour rather than the brief execution window.
(2) Payment-switch infrastructure is critical. Indian banks must treat payment-switch and SWIFT terminals as crown-jewel infrastructure with appropriate access controls, monitoring, and integrity verification.
(3) Reconciliation is a security control. End-of-day reconciliation discovered the Cosmos fraud after it had completed. Continuous transaction monitoring with anomaly detection would have detected the cash-out earlier and limited losses.
(4) International cooperation has limits. Despite multi-agency international cooperation, substantive funds recovery did not occur. Recovery from Lazarus-class attacks is not the realistic outcome; prevention is.
(5) The co-operative banking sector needs sustained attention. India’s co-operative banking sector serves substantial customer populations but operates with thinner cybersecurity resources than commercial banking. Sectoral capacity-building remains necessary.
India context — banking cybersecurity in 2025-2026
The Indian banking cybersecurity landscape has materially strengthened since 2018 but uneven distribution of capability persists. Tier-1 commercial banks have invested heavily in cybersecurity: 24×7 SOC operations, MDR partnerships with global firms, dedicated CISO offices reporting to executive leadership, mature incident response capabilities. Tier-2 and 3 commercial banks are progressively maturing but lag the largest institutions. Co-operative banks remain the structural concern; resource constraints limit cybersecurity investment despite RBI pressure. UPI infrastructure represents a different scale of risk concentration — NPCI’s payment infrastructure handles tens of billions of transactions monthly with mature security operations, but the customer-facing layer (apps, KYC, fraud) is variable across PSPs and banks. 2025-2026 trajectory: continued RBI strengthening of cybersecurity expectations; gradual co-operative-banking sector maturation; emerging concerns about UPI-payment fraud at the consumer-protection layer; increasing regulatory expectation that banks demonstrate rather than just claim security maturity. The Cosmos Bank incident remains the foundational case study for Indian banking cybersecurity discourse.
What every Indian bank cybersecurity team should review
A 90-day program for banking cybersecurity leadership.
Month 1 — Critical infrastructure audit. Inventory payment-switch, SWIFT, core banking, and ATM-network management infrastructure. For each: who has admin access, what authentication controls apply, what monitoring and logging exist, what segmentation is in place. Close any gaps where access is too broad or monitoring is too thin.
Month 2 — Adversary-focused testing. Engage a red team / pen-test specifically targeting payment-switch and SWIFT-equivalent infrastructure. Use Lazarus / BeagleBoyz TTPs as the threat model. Identify and close specific gaps.
Month 3 — Reconciliation and detection. Move from end-of-day to continuous transaction monitoring. Implement anomaly detection on transaction patterns, geographies, and volumes. Run a tabletop exercise simulating a coordinated international cash-out.
The cumulative effect over a year: a bank significantly more difficult to compromise than Cosmos Bank was in 2018.
Wider implications — Lazarus continues, defenders adapt
The Cosmos Bank attack is one chapter in an ongoing campaign. Lazarus / BeagleBoyz continues to operate against Indian and other Asian financial institutions. Subsequent attacks observed: City Union Bank India (Feb 2018, attempted SWIFT-based theft of $2M, partially recovered), multiple cryptocurrency exchange hacks (WazirX 2024, Bybit 2025, others), continuing FASTCash-style operations against banks in multiple countries. Defensive evolution: SWIFT CSP enforcement, payment-switch monitoring tools (Diebold Nixdorf, Tidel, others) with anti-fraud capabilities, real-time transaction-pattern analysis, and improved international cooperation. The honest assessment: defensive maturity has improved meaningfully but Lazarus operations continue. The attack class is not solved; it has become harder. Indian banks that have not modernised remain at significant risk. Tier-1 banks face residual but reduced risk. Co-operative banks face the highest residual risk. The Cosmos incident will continue to be cited in Indian banking cybersecurity for the rest of the decade as the canonical example of nation-state-grade attack against Indian financial infrastructure.
FAQ
Did Cosmos Bank customers lose money?
Not directly. The fraudulent ATM withdrawals and SWIFT transfer drew from bank reserves, not specific customer accounts. Cosmos Bank absorbed the losses (with some recovery via insurance and partial fund recall). Customer accounts were not directly debited.
Was anyone arrested?
Multiple low-level money mules were arrested in India and other countries in the months following. The actual operators (assessed as Lazarus / North Korean) have not been arrested; US indictments against named Lazarus members remain open but not extraditable.
Could this attack work against a major Indian bank today?
Less easily than against Cosmos Bank in 2018, but not impossible. Tier-1 commercial banks have substantially hardened payment-switch and SWIFT controls; tier-2/3 banks and co-operatives remain at higher risk. The attack class is not eliminated.
What is the relationship between Cosmos and Bangladesh Bank Heist?
Same threat actor (Lazarus Group), similar ultimate techniques (SWIFT manipulation), but Cosmos added the ATM cash-out element. The two events are part of the same multi-year Lazarus banking campaign.
How can a co-operative bank afford comprehensive cybersecurity?
It is genuinely difficult given typical co-operative bank IT budgets. Practical priorities: MFA on all admin and SWIFT access; payment-switch integrity monitoring (vendors offer this); engagement with IDRBT for shared cybersecurity capabilities; cyber insurance with policy support. Sectoral capacity-building (RBI, IDRBT, NPCI) is the structural answer.
Did SWIFT itself fail in this attack?
No — SWIFT infrastructure operated correctly. The compromise was at Cosmos Bank’s SWIFT-terminal credentials and operator-side controls. SWIFT has since strengthened CSP requirements specifically to harden member-bank-side controls.
📰 Note: This analysis is compiled from public reporting (Reuters, Bloomberg, court filings, threat-intel firm publications) and is intended for security education. Some technical details remain disputed in ongoing legal proceedings; we have attributed claims where the source is established and noted where matters remain contested.