Research

Uploaded by

Motti Zachariah

Case Study

Case Name: Cosmos Bank Cyber Attack


Date: August 11-13, 2018
Suspected Group: International Cybercrime Syndicate
Victim: Cosmos Cooperative Bank, Pune, Maharashtra, India
Agencies Involved: Pune Police Cyber Cell, Interpol, Global Banking Authorities

Highlights
1. Date of Attack: August 11 and August 13, 2018
2. Amount Stolen: ₹94.42 crore
3. Method: Malware attack on ATM switch servers
4. Geographical Reach: Fraudulent ATM withdrawals in 28 countries
5. Key Attack Elements: Cloned debit cards, SWIFT network exploitation
6. Global Cooperation: Assistance from Interpol and international law
enforcement
7. Arrests: Multiple local and international mules apprehended
8. Evidence Gathered: ATM transaction logs, cloned card data, CCTV footage,
malware analysis

Introduction
Two days of cyberattacks were launched against Cosmos Bank in August 2018.
Unauthorized withdrawals from ATMs located in 28 different countries were made
possible by an attack on the bank's ATM switch server.
The attackers also transferred money to a Hong Kong account by abusing the SWIFT system.
The hackers were able to pilfer ₹94.42 crore from the bank by using malware and
counterfeit debit cards.
The evidence used in the inquiry included CCTV footage, transaction logs, and
forensic analysis of the malware employed in the attack. (1) (2) (3)

Interpretation and Analysis
The Cosmos Bank cyberattack was a well-planned and intricate robbery involving
numerous layers of technological manipulation. By breaching the bank's ATM
switch server, the cybercriminals managed to evade established security measures
and approve fraudulent transactions worldwide. The attackers' deep knowledge of
ATM networks and international payment systems is demonstrated by the
widespread usage of counterfeit debit cards for cash withdrawals. Moreover, the
sophisticated character of the attack is demonstrated by the breach of the SWIFT
network for a global money transfer. The weaknesses in financial systems are
highlighted by this example, especially in cooperative banks with weaker
cybersecurity safeguards. (1) (3)

Points of View
1. System Weaknesses: The attack exploited the insufficient security of the ATM
switch server.
2. Global Coordination: The widespread fraudulent transactions across multiple
countries point to a well-organized international syndicate.
3. Delayed Detection: The attack went undetected for a significant period,
allowing numerous fraudulent transactions to occur before the breach was
discovered.
4. Technological Expertise: The malware used was sophisticated and likely
originated from a well-known cybercriminal group.
5. Need for International Collaboration: The involvement of Interpol and other
global authorities highlights the importance of international cooperation in
tackling cybercrime.

Relevant Sections Under the IT Act, 2000 (Amended 2008) (4)


1. Section 43 – Penalty and Compensation for Damage to Computer Systems
   o This section imposes liability for unauthorized access, causing damage
     or disruption to a computer system. The malware attack on the ATM
     switch server falls under this provision, leading to compensation and
     penalties.
2. Section 66 – Computer-Related Offenses (Hacking)
   o The unauthorized access, manipulation of data, and hacking into the
     bank's systems to approve fraudulent transactions could be prosecuted
     under this section.
3. Section 66C – Identity Theft
   o The attackers cloned debit cards by stealing sensitive information,
     which is classified as identity theft under this section.
4. Section 66D – Cheating by Personation Using Computer Resources
   o The use of cloned debit cards (impersonating genuine account holders)
     to withdraw money from ATMs worldwide is covered under this
     section.
5. Section 66F – Cyber Terrorism
   o In some instances, if the attack had the intent to threaten the unity,
     integrity, or security of India, it could be construed as cyber terrorism
     under this section. However, this would depend on the intent behind
     the attack.
6. Section 67C – Preservation and Retention of Information by Intermediaries
   o If Cosmos Bank failed to adequately preserve and retain crucial
     transaction logs and data in compliance with legal requirements, they
     could be penalized under this section.

Relevant Sections Under the Bharatiya Nyaya Sanhita (BNS), 2023 (5)
1. Section 302 (Theft)
   o Equivalent to Section 379 of IPC. The unauthorized withdrawal of
     ₹94.42 crore from ATMs constitutes theft under BNS. The act of taking
     the bank's money without consent would be classified as theft.
2. Section 309 (Dishonest Misappropriation of Property)
   o Equivalent to Section 403 of IPC. The cybercriminals wrongfully
     misappropriated the bank's funds, which falls under dishonest
     misappropriation.
3. Section 316 (Cheating and Dishonestly Inducing Delivery of Property)
   o Equivalent to Section 420 of IPC. This section applies to fraudulent
     transactions conducted by the hackers through the use of cloned debit
     cards, deceiving the bank's systems into approving illegitimate
     withdrawals.
4. Section 324 (Forgery)
   o Equivalent to Section 465 of IPC. Forging electronic records, such as
     creating counterfeit debit cards or manipulating the bank's digital
     transaction records, would be categorized as forgery.
5. Section 326 (Forgery for the Purpose of Cheating)
   o Equivalent to Section 468 of IPC. The attackers forged debit cards and
     electronic transaction records with the intent to deceive the bank and
     commit financial fraud.
6. Section 329 (Using a Forged Document as Genuine)
   o Equivalent to Section 471 of IPC. This section applies to the use of
     cloned debit cards (forged instruments) to carry out transactions as if
     they were genuine.
7. Section 511 (Criminal Conspiracy)
   o Equivalent to Section 120B of IPC. Since the cyberattack was a
     coordinated effort involving multiple individuals across various
     countries, the attackers could be charged with conspiracy under this
     section.

Discussion
Important pieces of evidence in this case are the ATM transaction logs, which
traced the illegal transactions, and CCTV footage from the ATMs, which showed the
cash mules in action. Malware analysis demonstrated that the hackers processed
unlawful transactions by evading the bank's fundamental systems. Examination of
duplicate debit card information led to the discovery of the data breach, and
several people involved in the cash-out procedure were arrested as a result. SWIFT
transaction records added a further element of complexity to the attack by
revealing the transfer of ₹14 crore to an account located in Hong Kong. (1) (2)

Conclusion
The cyberattack on Cosmos Bank serves as a reminder of the growing risks that
financial institutions confront, particularly with regard to cybersecurity. It emphasizes
the significance of real-time fraud detection systems and the requirement for
extensive, multi-layered security systems in banking operations. The identification
and apprehension of the involved offenders were made possible by the cooperation of
Interpol, international financial agencies, and Indian law enforcement. However, this
example highlights the global scope of cybercrime and the difficulties in preventing such
sophisticated operations.

References
1. (Cosmos Bank Malware Attack: Pune Court Convicts 11 Accused | Pune News -
The Indian Express, n.d.)
2. (How Rs 94 Crore Online Fraud Was Carried out in Pune’s Cosmos Bank -
Banking & Finance News | The Financial Express, n.d.)
3. (Cosmos Bank Hit by Cyber Hack, Loses Rs 94 Crore in 2 Days | Pune News -
Times of India, n.d.)
4. https://www.mha.gov.in/sites/default/files/250883_english_01042024.pdf
5. https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf
