Case Study: The Cosmos Bank Heist – India’s Major Cyberattack on a Banking Institution
Introduction
In August 2018, Cosmos Bank, a 112-year-old cooperative bank headquartered in Pune, India,
suffered one of the largest cyberattacks in the country’s history. The attack resulted in the theft of
₹94 crores (approximately $13 million) through fraudulent international transactions and ATM
withdrawals. This heist exposed critical vulnerabilities in banking security infrastructure and served
as a wake-up call for financial institutions across India and the world.
Background of Cosmos Bank
Cosmos Bank is one of India’s oldest and largest cooperative banks, offering a wide range of banking
services, including savings and deposit accounts, loans, and international fund transfers. The bank
uses the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system for secure
cross-border transactions, a system widely adopted by banks globally. At the time of the attack,
Cosmos Bank had more than 140 branches in India.
The Heist: Timeline and Execution
The cyberattack on Cosmos Bank was carried out over two days, August 11 and August 13, 2018, in
two main phases:
1. Phase 1: ATM Cash-out Attack (August 11, 2018)
Hackers gained unauthorized access to Cosmos Bank’s internal systems, specifically targeting
the SWIFT network and the bank’s ATM server. They infected the bank’s systems with
malware, allowing them to bypass normal security protocols. The malware enabled hackers
to approve transactions without requiring authorization from the core banking system (CBS).
- Cloning Debit Cards: The attackers created thousands of cloned debit cards,
replicating genuine cards issued by Cosmos Bank.
- Global Withdrawals: The cloned cards were used to withdraw money from ATMs
in 28 countries, including the United States, Canada, Hong Kong, and India. Around
₹78 crore was withdrawn in approximately 15,000 transactions worldwide in a span
of a few hours.
2. Phase 2: SWIFT Transaction Manipulation (August 13, 2018)
Two days after the ATM cash-out, the hackers launched a second attack. This time, they
targeted the bank’s SWIFT system, which facilitates international money transfers.
- They transferred an additional ₹13.92 crore (around $2 million) to a Hong Kong-based
bank account, using a fake SWIFT instruction that appeared legitimate.
Modus Operandi
Malware Insertion: The hackers inserted malware into the bank’s servers, enabling them to
manipulate and bypass the security layers in both the ATM switching system and the SWIFT
messaging system. This malware created false approvals for unauthorized transactions.
Card Cloning: The malware also allowed the hackers to clone thousands of debit cards by
compromising customer data stored on the bank’s servers. These cloned cards were used for
withdrawals at ATMs worldwide.
Coordinated ATM Cash-outs: The attack was highly organized, with hackers coordinating
cash withdrawals from thousands of ATMs globally, all within a short time frame to avoid
detection.
Discovery and Response
The Cosmos Bank heist was discovered after suspicious activities were detected in the bank's systems
and large sums of money were withdrawn internationally. Upon realizing the magnitude of the
attack, Cosmos Bank immediately reported the incident to the Reserve Bank of India (RBI) and local
law enforcement.
Shutdown of Servers: As a defensive measure, Cosmos Bank temporarily shut down its
internet banking services and card payment systems to prevent further fraudulent
transactions.
Involvement of Law Enforcement: The case was handed over to the Maharashtra Cyber
Police and the Economic Offences Wing (EOW). The Indian Computer Emergency Response
Team (CERT-In) and INTERPOL were also involved in investigating the cyberattack due to its
international scope.
Impact of the Heist
Financial Loss: A total of ₹94 crore was siphoned off, causing significant financial losses to
Cosmos Bank. Despite recovering a portion of the stolen funds, the bank's reputation was
severely damaged.
Reputation and Trust: The breach in security raised concerns among customers and
stakeholders regarding the bank’s cybersecurity measures, potentially damaging trust in
cooperative banks in general.
Regulatory Scrutiny: The attack prompted regulators like the Reserve Bank of India (RBI) to
strengthen cybersecurity guidelines for banks, especially cooperative banks that were seen
as particularly vulnerable to cyber threats.
Analysis of Security Flaws
The Cosmos Bank heist exploited several key vulnerabilities:
1. Weak Malware Detection: The bank’s systems failed to detect the sophisticated malware
inserted by hackers, which compromised both the ATM server and the SWIFT system.
2. Lack of Real-time Monitoring: Real-time monitoring of ATM transactions and
international transfers was insufficient. The volume and frequency of transactions should
have triggered alerts much earlier.
3. Inadequate Authentication: The core banking system (CBS) was bypassed in approving the
transactions, indicating a lack of robust authentication mechanisms within the network
infrastructure.
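The monitoring and authentication gaps listed above can be made concrete with a small detection routine. The following is an added example, not code from the case study or from Cosmos Bank: it runs three checks over a constructed set of ATM authorization records (per-card velocity, per-card country spread, a bank-wide burst) and separately flags any authorization the switch approved without a confirming core banking system (CBS) decision. The record layout, field names and thresholds are assumptions chosen for illustration.

```python
# Added example (not from the case study): alerting logic that a high-velocity,
# multi-country cash-out and switch-side approvals lacking CBS confirmation
# should trigger. Record layout and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (card_id, UTC time, country, amount in INR, cbs_confirmed)
SAMPLE_AUTHS = [
    ("CARD-001", "2018-08-11T10:00:00", "IN", 10000, True),
    ("CARD-002", "2018-08-11T10:01:00", "US", 20000, False),
    ("CARD-002", "2018-08-11T10:03:00", "CA", 20000, False),
    ("CARD-002", "2018-08-11T10:05:00", "HK", 20000, False),
    ("CARD-002", "2018-08-11T10:06:00", "US", 20000, False),
    ("CARD-003", "2018-08-11T10:02:00", "HK", 20000, False),
    ("CARD-003", "2018-08-11T10:04:00", "US", 20000, False),
    ("CARD-003", "2018-08-11T10:05:00", "IN", 20000, False),
    ("CARD-003", "2018-08-11T10:07:00", "CA", 20000, False),
]

WINDOW = timedelta(hours=1)  # sliding window for all velocity checks
MAX_PER_CARD = 3             # withdrawals per card per window before alerting
MAX_COUNTRIES = 2            # distinct countries per card per window
BANK_BURST = 8               # total withdrawals per window across the bank

def detect(auths):
    """Return a sorted list of (rule, subject) alerts; each fires at most once."""
    alerts = set()
    per_card = defaultdict(list)
    all_events = []
    for card, ts, country, amount, cbs_ok in auths:
        t = datetime.fromisoformat(ts)
        if not cbs_ok:  # switch approved without a CBS decision: never acceptable
            alerts.add(("no_cbs_confirmation", card))
        per_card[card].append((t, country))
        all_events.append(t)
    for card, events in per_card.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # window anchored at each event
            in_win = [c for t, c in events[i:] if t - start <= WINDOW]
            if len(in_win) > MAX_PER_CARD:
                alerts.add(("card_velocity", card))
            if len(set(in_win)) > MAX_COUNTRIES:
                alerts.add(("multi_country", card))
    all_events.sort()
    for i, start in enumerate(all_events):  # bank-wide burst regardless of card
        if sum(1 for t in all_events[i:] if t - start <= WINDOW) > BANK_BURST:
            alerts.add(("bank_wide_burst", "ALL"))
    return sorted(alerts)
```

Run on the sample, `detect(SAMPLE_AUTHS)` raises seven alerts: a bank-wide burst, and velocity, multi-country and missing-CBS alerts for each of the two cloned cards, while the single CBS-confirmed domestic withdrawal on CARD-001 stays silent.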
Lessons Learned
The Cosmos Bank attack underscored several key lessons for financial institutions:
1. Enhanced Cybersecurity Protocols: Banks must implement more robust, multi-layered
security systems, including real-time monitoring of all transactions, advanced malware
detection, and encryption for sensitive data.
2. Regular Security Audits: Frequent security audits and penetration testing should be
conducted to identify and fix vulnerabilities in banking systems.
3. Employee Training: Bank employees need to be trained on cybersecurity best practices to
avoid falling victim to phishing schemes or inadvertently enabling malware installation.
4. Collaboration with Law Enforcement: In case of such attacks, quick reporting and
collaboration with law enforcement agencies, both local and international, are crucial for
damage control and recovery of stolen assets.
Conclusion
The Cosmos Bank heist remains one of the largest and most sophisticated cyberattacks in Indian
banking history. The incident highlighted critical flaws in cybersecurity practices within banking
institutions and served as a stark reminder that even established financial institutions are vulnerable
to advanced cyber threats. Moving forward, banks must invest heavily in cybersecurity infrastructure
to prevent future attacks, while also adhering to stringent regulatory guidelines to protect customer
assets and data.