Cosmos Bank Hit by ₹94.42 Crore Cyber Heist in Coordinated Global Attack
Pune-based Cosmos Bank, one of India’s oldest urban cooperative banks, fell victim to a sophisticated cyberattack on August 11 and 13, resulting in the theft of ₹94.42 crore ($13.5 million). The breach occurred just days after the FBI issued a warning about a planned global "ATM cash-out" fraud targeting financial institutions.
The attack began on August 11, when hackers compromised the bank’s ATM switch server via malware, stealing data linked to VISA and RuPay debit cards. Over 14,849 fraudulent transactions were executed, siphoning ₹80.50 crore ₹78 crore through 12,000 VISA transactions abroad and ₹2.5 crore via 2,849 RuPay transactions within India. The withdrawals, made using cloned cards, ranged from $100 to $11,000 and spanned 28 countries, with the highest single transaction recorded at ₹7.59 lakh.
On August 13, the attackers struck again, exploiting the bank’s SWIFT system to transfer ₹13.92 crore to ALM Trading Limited, an account in a Hong Kong-based bank. Cosmos Bank’s managing director, Suhas Gokhale, filed a complaint with Pune’s Chatushrungi police, who registered a case under the IT Act and other penal provisions.
Bank officials detected the fraud after VISA flagged suspicious transactions at 5 PM on August 11, prompting the bank to disable VISA and RuPay ATM services. A subsequent server inspection on August 12 confirmed the breach, while a second review on August 13 uncovered the SWIFT-based theft. The bank shut down its servers and internet banking to contain the damage.
Cosmos Bank chairman Milind Kale assured customers that depositor funds remained secure, emphasizing that the bank’s security systems were not compromised. The Reserve Bank of India (RBI) had inspected the bank’s IT infrastructure in July, and four RBI officials were later deployed to assess the breach. While cybersecurity experts suspected the involvement of international hacking groups like North Korea’s Lazarus, the bank traced the attack’s origin to Canada, though police refrained from naming a specific culprit.
The bank’s ability to recover the stolen funds remains uncertain, with Kale stating that reconciliation with VISA and RuPay would take 2–7 days, while international recovery efforts would depend on cross-border coordination. The full extent of the financial loss will only be determined after further investigations.
Visa cybersecurity rating report: https://www.rankiteo.com/company/visa
RuPay cybersecurity rating report: https://www.rankiteo.com/company/rupay
Cosmos Co-Operative Bank Ltd. cybersecurity rating report: https://www.rankiteo.com/company/cosmos-bank-pune
"id": "VISRUPCOS1780793686",
"linkid": "visa, rupay, cosmos-bank-pune",
"type": "Breach",
"date": "8/2018",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '14,849 fraudulent transactions '
'(customers with VISA/RuPay '
'debit cards)',
'industry': 'Banking and Financial Services',
'location': 'Pune, India',
'name': 'Cosmos Bank',
'type': 'Urban Cooperative Bank'}],
'attack_vector': ['Malware',
'Cloned debit cards',
'SWIFT system exploitation'],
'customer_advisories': 'Assurance that depositor funds are secure',
'data_breach': {'data_exfiltration': 'Yes (cloned cards used for withdrawals)',
'number_of_records_exposed': '14,849 fraudulent transactions',
'personally_identifiable_information': 'Debit card details',
'sensitivity_of_data': 'High (payment card information)',
'type_of_data_compromised': ['Debit card data (VISA, RuPay)',
'Transaction details']},
'date_detected': '2018-08-11T17:00:00Z',
'description': 'Pune-based Cosmos Bank, one of India’s oldest urban '
'cooperative banks, fell victim to a sophisticated cyberattack '
'on August 11 and 13, resulting in the theft of ₹94.42 crore '
'($13.5 million). The attack involved compromising the bank’s '
'ATM switch server and SWIFT system, leading to fraudulent '
'transactions across 28 countries.',
'impact': {'brand_reputation_impact': 'Significant',
'data_compromised': 'VISA and RuPay debit card data',
'financial_loss': '₹94.42 crore ($13.5 million)',
'identity_theft_risk': 'High (cloned debit cards used)',
'legal_liabilities': 'Case filed under IT Act and penal provisions',
'operational_impact': 'ATM and internet banking services disabled',
'payment_information_risk': 'High (VISA and RuPay card data '
'compromised)',
'systems_affected': ['ATM switch server',
'SWIFT system',
'Internet banking']},
'initial_access_broker': {'entry_point': 'ATM switch server via malware',
'high_value_targets': 'VISA and RuPay debit card '
'data, SWIFT system'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain',
'post_incident_analysis': {'corrective_actions': ['Server shutdown',
'Internet banking '
'disablement',
'Reconciliation with '
'payment networks'],
'root_causes': ['Malware compromise of ATM switch '
'server',
'SWIFT system exploitation']},
'references': [{'source': 'FBI Warning'},
{'source': 'Cosmos Bank Official Statements'}],
'regulatory_compliance': {'legal_actions': 'Case registered under IT Act and '
'penal provisions',
'regulations_violated': ['IT Act', 'RBI guidelines'],
'regulatory_notifications': 'RBI deployed officials '
'for assessment'},
'response': {'communication_strategy': 'Customer assurance (depositor funds '
'secure)',
'containment_measures': ['Disabled VISA and RuPay ATM services',
'Shut down servers and internet '
'banking'],
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': 'Yes (Pune Police, RBI)',
'recovery_measures': 'Reconciliation with VISA and RuPay (2-7 '
'days), international recovery efforts '
'pending',
'remediation_measures': ['Server inspection',
'SWIFT system review']},
'stakeholder_advisories': 'RBI inspection and assessment',
'threat_actor': 'International hacking group (suspected Lazarus Group)',
'title': 'Cosmos Bank Hit by ₹94.42 Crore Cyber Heist in Coordinated Global '
'Attack',
'type': ['ATM cash-out fraud', 'SWIFT system breach'],
'vulnerability_exploited': ['ATM switch server compromise',
'SWIFT system vulnerability']}