On Feb. 4, 2016, as employees left work to enjoy their weekends, the central bank of Bangladesh began firing off dozens of transfer orders to the Federal Reserve Bank of New York, asking to remove money from its accounts -- almost $1 billion.
It was a heist. The robbers hadn't walked in with guns or tunneled into a vault to get the money. They'd hijacked the bank's computer systems to access an international financial network, SWIFT, which shunts around billions of dollars a day. The invisible thieves made off with $81 million before officials halted the geyser of cash.
The attack's audacity, and the weaknesses it exposed, stunned bankers and financial regulators. Months later, cybersecurity researchers concluded that it was yet another notch in the belt of one of the most destructive hacker collectives on the internet, the "Lazarus Group," accused of previously being behind the devastating 2014 Sony Pictures Entertainment hack and other attacks -- and accused of working for North Korea.
Now, the Lazarus Group has been tentatively linked to another audacious attack for cash, raising the question of whether North Korea has started sticking up internet users while carrying out its very public standoff with the United States.
Hundreds of thousands of computers have been hijacked in the last week by a virus called "WannaCry," which freezes files on computers and demands a ransom for their release. It's called ransomware, and it's a new spin on old-fashioned stickups: Pay up with bitcoin, the digital currency, or lose the files forever.
WannaCry spread to at least 150 nations over the last weekend, including the U.S., shutting down hospitals in Britain and hijacking terminal screens at train stations in Germany, probably causing billions of dollars in damage. The virus was initially notable because it was an adaptation of a cybertool for hacking Windows that had been developed by, and then stolen from, the U.S. National Security Agency.
But as analysts and investigators began picking apart WannaCry for forensic clues -- the digital equivalent of dusting for prints -- a cybersecurity researcher at Google named Neel Mehta found something in an older version of the virus. It was just a few lines of code, but it has appeared only in one other known place: hacking tools created by the Lazarus Group. Word spread rapidly among researchers.
The connection to the Lazarus Group so far is only tentative, researchers caution, suggesting that it's possible the code was inserted as a "false flag" to throw off investigators. Officials in Europe and the U.S., still in the beginning stages of their investigations, have not named the Lazarus Group or North Korea as a suspect.
But "with a group like Lazarus, where we have a long history," said Eric Chien, a technical director at the Mountain View, Calif.-based internet security firm Symantec, "I would suspect that within a couple of weeks we should be able to rule them in or rule them out."
The hacker group was identified and given a name in a collaborative investigation published in February 2016 called "Operation Blockbuster," which was undertaken by several cybersecurity companies seeking to examine the perpetrators of the 2014 Sony hack.