The $81 Million Warning That Never Stopped: Cybersecurity Threats in South Asia and Bangladesh's Digital Defense Challenge

In February 2016, a group of hackers spent a weekend sending fraudulent transfer instructions through the SWIFT interbank messaging system from Bangladesh Bank's account at the Federal Reserve Bank of New York. By the time anyone noticed what was happening, $81 million had been routed to fictitious accounts in the Philippines — laundered through casinos and dispersed before local banking regulators could act. The attackers had spent over a year planning the operation, beginning their reconnaissance of Bangladesh Bank's systems in October 2014. They had embedded malware via spear-phishing emails, learned the bank's internal procedures by spying on its workers, and exploited the fact that the central bank did not have the most basic security controls — including physical firewalls that cost less than $10 to buy — protecting systems connected to the global financial network.

The operation, later attributed with high confidence to North Korea's Lazarus Group (Bureau 121), was the largest cyber bank heist in history. It was also, in retrospect, a warning that Bangladesh's digital infrastructure was operating at a level of exposure fundamentally inconsistent with the country's growing economic weight and digital ambitions. Nearly a decade later, that warning has produced significant institutional responses — and significant remaining gaps.

The Threat Landscape: What Bangladesh Is Actually Facing

Bangladesh's cybersecurity challenge in 2025 is not hypothetical. BGD e-GOV CIRT's threat landscape reports document an attack environment that is active, diverse, and escalating. In 2024, industrial and financial sector organizations reported being targeted by ransomware. Web defacement attacks and exploitation of web application vulnerabilities resulted in data breaches and data exfiltration. Phishing and Business Email Compromise (BEC) schemes continue to be prevalent — globally, over $55 billion was lost to BEC scams between 2013 and 2023, and Bangladesh's financial and government sectors are consistently targeted.

Bangladesh Cyber Security Intelligence (BCSI)'s Financial Threat Assessment 2024 presents a stark picture of the banking sector specifically. Most banks in Bangladesh, according to BCSI's analysis, are at high risk of cyberattacks. The systemic weaknesses identified include: IT staff holding certifications with limited practical value against advanced threats; a severe shortage of genuinely skilled cybersecurity professionals; widespread use of outdated vulnerability scanning tools, in some cases unauthorized or cracked software; and a corruption dynamic in which cybersecurity contracts are awarded based on personal relationships rather than capability. The talent gap leads to overreliance on automated tools and basic frameworks that are inadequate against sophisticated attackers.

Bangladesh has 132 million internet users as of 2025, according to the Bangladesh Telecommunication Regulatory Commission — one of the largest digital populations in South Asia. The rapid digitization of government services through e-governance initiatives has expanded the attack surface dramatically. The same national portal serving 60 million citizens monthly, the same e-filing systems connecting thousands of government offices, the same Oracle Sovereign Cloud deployment that represents genuine infrastructure modernization — all of these simultaneously represent targets that did not exist a decade ago.

State-sponsored threat actors are the most sophisticated concern. North Korea's Lazarus Group has pivoted substantially toward cryptocurrency theft since the Bangladesh Bank heist, with Chainalysis reporting $2 billion in cryptocurrency theft by North Korean actors in 2025 alone and an all-time total of $6.75 billion. But state-sponsored groups from multiple countries — China, Iran, Russia — are active across South Asia, targeting telecommunications, energy, financial systems, and government networks. France's national cybersecurity agency ANSSI has documented Chinese state-affiliated actors specifically targeting home and office routers as persistent access points. The threat is not coming from individual criminals operating opportunistically. It is coming from well-resourced, patient adversaries conducting long-term reconnaissance campaigns.

The Institutional Response: What Bangladesh Has Built

Bangladesh's institutional cybersecurity architecture has developed substantially since 2016, though it remains incomplete against the scale of current threats.

BGD e-GOV CIRT — the Bangladesh e-Government Computer Incident Response Team, operating under the Bangladesh Computer Council — functions as the national CERT. It is responsible for receiving, reviewing, and responding to security incidents, conducting threat research, providing guidance on vulnerabilities, and coordinating with government agencies, Critical Information Infrastructure operators, financial organizations, law enforcement, academia, and international partners. Bangladesh participates in APCERT (Asia Pacific Computer Emergency Response Team) cooperation frameworks, which provide access to regional threat intelligence sharing. BGD e-GOV CIRT publishes annual threat landscape reports and periodic situational alerts — a practice the National Cyber Security Index recognizes as meeting international standards for public threat communication.

The legislative framework has undergone significant revision. Bangladesh's Digital Security Act of 2018 was criticized internationally — and by domestic civil society — for provisions that effectively criminalized legitimate journalism and political speech. It was replaced by the Cyber Security Act 2023, which retained many of the same controversial provisions. The interim government took a more decisive step in May 2025, enacting the Cyber Security Ordinance 2025. The new ordinance focuses explicitly on cybercrime and Critical Information Infrastructure protection, removing nine provisions from the predecessor legislation that dealt with expression-related offenses rather than genuine security threats. The Ordinance also establishes a supply chain risk management requirement for CII operators — requiring them to identify and manage cybersecurity risks associated with vendors and service providers.

The National Security Operation Centre (NSOC) operates alongside BGD e-GOV CIRT for real-time cyber monitoring and threat detection. Bangladesh's Cybersecurity Strategy 2021-2025 established a framework for strategic coordination across these bodies. The country scores 75% on cyber threat analysis and awareness raising in the National Cyber Security Index — an above-average result for its development tier, reflecting genuine investment in public-facing threat communication infrastructure.

The Critical Gaps: Where Bangladesh Remains Exposed

Despite these advances, the gap between Bangladesh's cybersecurity ambition and its operational capability is large. Security experts interviewed by The Daily Star in mid-2025 identified several structural weaknesses that remain unaddressed.

The most acute is human capacity. Bangladesh does not have enough cybersecurity professionals with genuine advanced skills. Certifications are widespread; real threat-hunting, incident response, and reverse engineering expertise is scarce. The Bangladesh University of Professionals offers a Master's in Cyber Security, and BUET has cybersecurity programming, but the pipeline from education to operational capability has not kept pace with the expansion of digital infrastructure. Meanwhile, the private sector competes aggressively for the same limited pool of qualified professionals, drawing talent away from government agencies and CERT functions that are less able to offer competitive compensation.

Threat intelligence sharing remains underdeveloped. Public-private partnership frameworks exist on paper — BGD e-GOV CIRT's coordination mandate, the BUILD platform, cybersecurity forums — but trust issues limit the open sharing of threat intelligence between government and private sector. Private sector expertise remains underutilized in the national defense posture. Financial institutions, which face the most sophisticated and financially motivated attackers, operate in relative isolation from the government's threat intelligence infrastructure.

Critical Information Infrastructure protection is formally mandated by the Cyber Security Ordinance 2025, but the operational implementation of CII security standards across Bangladesh's most important sectors — banking, telecommunications, energy, transportation, healthcare — is inconsistent. The Bangladesh Bank heist remains the most dramatic demonstration of what inadequate CII security looks like in practice: nearly $1 billion attempted, $81 million successfully transferred, by attackers who had spent 16 months quietly inside the bank's systems before executing their final move. The lesson — that patient, sophisticated attackers can live undetected inside critical systems for extended periods — requires active threat hunting capabilities that most Bangladeshi institutions have not yet built.

Outdated systems are a systemic vulnerability. Analysts cite the lack of modern threat intelligence platforms and widespread use of legacy technology across both government and private sector as persistent weaknesses. Bangladesh's rapid e-governance expansion has in some cases layered new digital services onto old infrastructure that was never designed with security in mind, creating complex attack surfaces that are difficult to monitor and defend comprehensively.

The South Asian Dimension: Why Regional Cooperation Matters

Cyberattacks do not respect borders. The Bangladesh Bank heist demonstrated this with particular clarity: the attackers operated from North Korea, exploited systems in Bangladesh, routed funds through the United States Federal Reserve, and laundered proceeds through financial institutions in the Philippines and Sri Lanka. Effective response required coordination across multiple jurisdictions — and the post-incident investigation and legal proceedings stretched across a decade, involving the New York Supreme Court and multiple national regulatory bodies.

South Asia's cybersecurity cooperation infrastructure has not kept pace with the regional threat environment. India, Pakistan, Bangladesh, and Sri Lanka each maintain national CERTs and operate national cybersecurity frameworks — but cross-border threat intelligence sharing remains limited by political tensions, competitive dynamics, and the absence of formal bilateral cybersecurity agreements comparable to those that exist in more mature regional security communities like Europe.

This gap matters in practical terms. State-sponsored threat actors targeting South Asian financial and government systems operate across the region with a level of coordination that far exceeds anything in the region's defensive infrastructure. Chinese-affiliated actors targeting router infrastructure, North Korean groups targeting financial systems, Iranian-linked actors targeting organizations in sensitive sectors — these threat actors do not confine themselves to one country's networks, and the intelligence about their tactics, techniques, and procedures flows imperfectly between the national CERTs that are supposed to defend against them.

Bangladesh's APCERT participation provides a partial remedy, connecting it to regional threat intelligence through the Asia-Pacific framework. But bilateral deepening of cybersecurity cooperation with India — which shares a threat environment, a geographic position, and a set of critical infrastructure dependencies that create common vulnerabilities — would yield asymmetric gains for both countries. The political obstacles to this cooperation are real. The security case for it is overwhelming.

Building the Defense Bangladesh Needs

What would genuine cybersecurity resilience look like for Bangladesh by 2030? The policy, institutional, and technical requirements are identifiable even if the political will to implement them is uneven.

Human capital development is the long-lead-time investment without which everything else is insufficient. Bangladesh needs a genuine pipeline of advanced cybersecurity professionals — not certification holders, but professionals capable of offensive security research, threat intelligence analysis, incident response at scale, and the kind of deep technical understanding of adversary tradecraft that allows defenders to anticipate rather than react. BUET's potential as a regional center for cybersecurity research and talent development is recognized in Bangladesh's AI policy documents. Realizing that potential requires dedicated investment, competitive compensation structures for government roles, and international partnerships that bring world-class expertise into the domestic ecosystem.

The Cyber Security Ordinance 2025's CII provisions need operational teeth. Mandating supply chain risk management for CII operators is meaningful only if there is a credible audit and enforcement mechanism behind it. Bangladesh's NSOC and BGD e-GOV CIRT need the resources, authority, and technical capability to conduct genuine assessments of whether critical infrastructure operators are meeting the standards the ordinance requires — not merely receiving attestations of compliance.

Threat intelligence sharing needs institutional design that overcomes the trust barrier. The model that has worked in more mature markets is sector-specific Information Sharing and Analysis Centers (ISACs) — closed, trusted communities where participants in the same industry share threat intelligence with legal protections against the shared information being used against them competitively or regulatorily. A Bangladesh Financial Sector ISAC, formally constituted with BGD e-GOV CIRT as a participant alongside the major banks and financial institutions, would create the kind of trust infrastructure that currently prevents the private sector's threat knowledge from reaching the national defense posture.

The Bangladesh Bank heist happened in 2016. The attackers began planning in 2014. They are still operating — now focused on cryptocurrency rather than SWIFT, having pivoted to softer targets after the security community patched the specific vulnerability they exploited. The lesson is not that Bangladesh has been left behind. The lesson is that sophisticated adversaries adapt continuously, and defense requires the same continuous adaptation. Nine years after the heist, Bangladesh has built real institutional cybersecurity capacity. The question for 2026 and beyond is whether that capacity can grow at the pace the threat demands.

win-tk.org is a wintk publication. This article was produced by our editorial team for informational and analytical purposes.