Case Studies: Historical Grid
Bangladesh Bank SWIFT Heist (2016)
Lazarus Group Steals $81 Million via SWIFT Credential Theft, Forged Transfers, and Custom Banking Malware
In February 2016, Lazarus Group deployed keylogger malware inside Bangladesh Bank to steal SWIFT credentials, then issued 35 fraudulent transfer requests — five succeeded, moving $81 million to casinos in the Philippines. Mandiant investigators recovered custom malware that interfaced directly with SWIFT Alliance Access software, and the FBI identified evidence of an insider accomplice. The heist established financial sector forensics as a discipline requiring SWIFT audit log reconstruction and cross-border transaction tracing.
Ashley Madison Breach (2015)
The Impact Team Wipes Its Tracks and Vanishes: 37 Million Records, PGP-Signed Leaks, No Identified Suspects
In July 2015, the Impact Team compromised extramarital dating site Ashley Madison, stealing records on 37 million users and releasing 9.7 GB publicly in August with PGP-signed authenticity. Forensic investigation found attackers escalated to administrator level and wiped logs that would have contained their indicators of compromise, rendering attribution impossible. Despite FBI and RCMP investigation, no suspects were ever identified — a landmark study in attacker log-wiping tradecraft and the limits of log-dependent forensics.
Silk Road Investigation (2013)
Dread Pirate Roberts Unmasked: Live RAM Capture and Bitcoin Forensics Bring Down the Dark Web's First Empire
In October 2013, FBI agents arrested Ross Ulbricht in a San Francisco library with his laptop open and unlocked — capturing running processes, active Silk Road admin sessions, and credentials in live RAM before any encryption could engage. Bitcoin blockchain analysis then linked $13.4 million in transaction proceeds to Ulbricht's real-world identity through wallet clustering. The case established live system forensics and on-chain attribution as foundational DFIR disciplines for dark web investigations.
Careto / The Mask APT (2007–2014)
Seven Years Undetected: Kaspersky Uncovers a Multi-Platform Nation-State Operation Spanning 31 Countries
Discovered by Kaspersky Lab in 2014, The Mask (Careto) had operated undetected since 2007 — targeting government institutions, embassies, energy companies, and research organizations across 31 countries. The platform ran simultaneously on Windows, macOS, and Linux with rootkit and bootkit persistence modules. Forensic attribution required multi-platform malware analysis, C2 traffic correlation, and registry artifact reconstruction, establishing the investigative playbook for nation-state multi-platform APTs.