Audience. Senior leadership at African central banks and financial authorities - Governors, Deputy Governors, Heads of Information Security, Heads of Banking Operations and Payment Systems, Heads of Banking Supervision, and the regulators responsible for systemic stability.
Methodology. This report draws exclusively on publicly available primary sources: US-CERT alerts, US Department of Justice indictments, World Bank research, Group-IB threat intelligence, SABRIC public statements, central banks' own disclosures, and reputable media coverage. Every quantitative claim carries a numbered citation linking to the underlying source. Anecdotal, unconfirmed, or proprietary-intelligence material has been deliberately excluded. The data window is 2014 through May 2026.
What is not covered. Undisclosed or non-public incidents; incidents at sub-Saharan institutions that have not been confirmed in primary sources; threat-actor capabilities that are not on the public record; vendor-specific findings outside SWIFT, RTGS, and well-documented platform CVEs.
Disclosure. LockDown IT is a Cloudflare Enterprise Services Partner for Sub-Saharan Africa. Section 07 of this report describes Cloudflare products and their applicability to central-bank protection; that section is informed by the commercial relationship and should be read as such. The threat analysis in Sections 01–05 and the Recommendations in Section 06 are vendor-neutral and would apply identically to any qualified protective-services stack.
Engagement & contact. LockDown IT helps protect some of the largest central banks in Africa by blocking attackers upstream on the public internet - before traffic ever reaches the institution's IT infrastructure. To arrange a Cloudflare briefing or a 30-day product trial, email [email protected] or call +27 11 024 5696.
Version. Volume 02 · Published 18 May 2026.
Central banks are the apex institutions of national financial systems. They settle interbank payments, hold foreign reserves, supervise commercial banks, and increasingly issue digital currency. That role makes them the highest-value target on any country's threat surface - and, in the African context, a target that nation-state actors, organised criminal groups, and hacktivist collectives have all credibly attacked in the last decade. The 2016 Bangladesh Bank cyber heist demonstrated globally what is achievable: USD 81 million extracted via fraudulent SWIFT instructions, with attempted transfers totalling nearly USD 1 billion. [1] US authorities have publicly attributed that attack, and a wider campaign of bank thefts in Africa and Asia, to the North Korean state-aligned group known as APT38 / BeagleBoyz. [2]
African central banks face the same global threat environment as their peers, but with additional regional pressure points. The Bank of Zambia publicly disclosed a Hive ransomware incident in May 2022 - and notably refused to negotiate. [3] Three months later, in August 2022, the South African Reserve Bank (SARB) was the subject of an intrusion attempt that was flagged to South African authorities by the US FBI; SARB has stated there was no operational impact, while South Africa's Finance Minister publicly characterised the event as a hack. [16] In December 2023 the Central Bank of Lesotho confirmed a cybersecurity incident that forced it to suspend systems and delay payments, with the IMF subsequently citing it as a case of national-payment-system disruption from a single cyber event. [13] In January 2024 Banco Nacional de Angola (BNA) - the Angolan central bank - confirmed a cyberattack on its infrastructure; the BNA reported minimal impact, while independent reporting alleged a ransomware incident that paralysed the country's Real-Time Payments System (SPTR) for more than 24 hours. [14] In 2024 the Bank of Uganda disclosed that an offshore threat actor referred to in public reporting as “Waste” stole approximately UGX 62 billion (~USD 16.8 million) from the central bank. [15] Between 2018 and 2022 the threat actor tracked as OPERA1ER conducted more than 30 successful attacks against banks, financial-services providers, and telecommunications companies across Francophone Africa, stealing at least USD 11 million with assessed total damage of USD 30–50 million. [4] US-CERT's "FASTCash" alert documented tens of millions of US dollars stolen from financial-services firms in Africa and Asia via payment-switch compromise. [5] Beyond direct theft, hacktivist DDoS campaigns - including the October 2019 SABRIC-reported attacks on multiple African banks timed to coincide with payday [6] - have repeatedly disrupted public-facing services.
A serious cyber incident at a central bank is unlike one at any other institution. The direct cost is unbounded - tens to hundreds of millions of dollars in a single SWIFT-based theft. The reputational cost extends to confidence in the national currency, the credibility of monetary policy, and the country's standing in international correspondent banking relationships. World Bank research records the case of a USD 3.2 million theft from a South African bank that ultimately cost the institution over USD 58 million in investigation and mitigation - an 18× multiplier between loss and total impact. [7] The conclusion is unavoidable: for an institution at this level of systemic importance, prevention is the only economically rational posture.
The Scale of the Threat
Central banks and financial authorities sit at the top of every national threat model. Nation-state heist groups, organised cybercrime, hacktivist DDoS collectives, and commodity ransomware operators have all credibly attacked African financial institutions in the last decade.
Group-IB attributed 30+ successful attacks on banks, financial-services providers, and telecommunications companies in Côte d'Ivoire, Mali, Burkina Faso, Benin, Cameroon, Gabon, Niger, Nigeria, Senegal, Sierra Leone, Togo, and Uganda to a single criminal threat cluster. At least USD 11 million stolen; assessed total damage USD 30–50 million.
Source: Group-IB / Quartz Africa, 2022 [4]

- USD 81M: Stolen from Bangladesh Bank via SWIFT, Feb 2016 [1]
- USD 100M+: Attributed to APT38 across bank thefts in Africa & Asia [2]
- USD 11M: OPERA1ER theft across Francophone Africa, 2018–2022 [4]
- 12: African countries targeted by OPERA1ER [4]
Central banks combine three characteristics that attract the most capable adversaries: very large monetary flows, an unmatched concentration of macroeconomic intelligence value, and an institutional reluctance to disclose incidents that could undermine confidence in the currency or in the supervisory function. The result is an attractive target with deliberately limited public reporting - meaning that the publicly documented record of incidents almost certainly undercounts actual activity.
African central banks face the global threat environment with two structural pressure points. First, the SWIFT messaging network - through which central banks settle interbank, correspondent, and reserve-management transactions - is the single most lucrative target on the planet for state-aligned heist groups, and the post-Bangladesh SWIFT Customer Security Programme (CSP) compliance posture is uneven across the continent. Second, the supplier ecosystem for core banking, RTGS, and SWIFT interface software (Alliance Access and similar) is concentrated in a small number of international vendors, meaning that a vulnerability disclosed in one product can expose multiple central banks simultaneously.
Beyond direct theft, two other vectors recur. Ransomware: the Bank of Zambia confirmed a Hive ransomware incident in May 2022 - the bureau de change monitoring system and the public website were affected, core systems were segregated and preserved, and the institution publicly refused to negotiate. [3] Hacktivist and ransom DDoS: in October 2019 the South African Banking Risk and Information Centre (SABRIC) reported a coordinated DDoS campaign against multiple African banks' public-facing assets, accompanied by ransom demands and timed to coincide with payday for maximum disruption. [6]
- USD 245M: Financial-sector losses across Kenya, Rwanda, Uganda, Tanzania, Zambia since 2011 [8]
- 18×: Multiplier between direct theft and total impact (SA bank case, World Bank) [7]
- USD 4B/yr: Estimated annual cyber-loss exposure across Africa [4]
Overview: APT38 - also tracked as BeagleBoyz under the US-CERT "Hidden Cobra" umbrella, and overlapping with the wider Lazarus Group - is a North Korean state-aligned threat group operating under the country's Reconnaissance General Bureau. Active since at least 2014, the group is uniquely focused on the theft of money from financial institutions, with US authorities and private threat intelligence attributing more than USD 100 million in confirmed thefts and several billion in attempted thefts to its operations against banks in Asia and Africa. [2] US federal prosecutors named operative Park Jin Hyok in connection with the 2016 Bangladesh Bank heist; the indictment was the first publicly acknowledged case of a state using cyberattacks for financial gain.
Key characteristics: APT38 spends an average of 155 days inside a victim network before executing the theft, mapping payment systems and operational procedures with extreme care. Initial access is typically achieved via spear-phishing against bank staff. Once inside, the group pivots to the institution's SWIFT interface (often the Alliance Access software), then manipulates printer settings and transaction logs to delay detection of fraudulent messages. The US-CERT "FASTCash" campaign extended this playbook to payment-switch servers, enabling cash-out fraud against banks in Africa and Asia totalling tens of millions of dollars. [5]
- Active since: At least 2014
- Origin: North Korea (DPRK)
- Aliases: BeagleBoyz, Hidden Cobra, Lazarus subgroup
- Focus: SWIFT & payment-switch theft
- Dwell time: ~155 days average
- Africa activity: FASTCash & bank theft, multi-country
- Confirmed theft: USD 100M+ (Africa & Asia)
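The APT38 profile above notes that the group edits bank-side transaction logs and printer output so that fraudulent messages go unnoticed for as long as possible. A log that the attacker controls cannot detect this; a record the attacker does not control can. The example below, added for this report and not code from any source cited here, reconciles the bank's own outbound instruction log against an independent confirmation feed from the correspondent bank and flags entries that were deleted or edited locally. The pipe-separated line format, the `TRN` references, the amounts and the `BANKxxXX` counterparty codes are constructed placeholders, not real message formats or BICs.

```python
"""Reconcile the bank-side record of outgoing payment instructions against an
independent confirmation feed from the correspondent bank.

Added example for this report; it is not code from any source cited here.
The line format and all references, amounts and BIC-like codes below are
constructed placeholders, not real messages."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Instruction:
    ref: str          # transaction reference
    amount: int       # minor units (cents), to avoid float rounding
    currency: str
    beneficiary: str  # placeholder counterparty code


def parse_feed(text):
    """Parse the constructed pipe-separated feed: ref|amount|ccy|beneficiary per line."""
    records = {}
    for line in text.strip().splitlines():
        ref, amount, ccy, beneficiary = (f.strip() for f in line.split("|"))
        if ref in records:
            raise ValueError(f"duplicate reference {ref}")
        records[ref] = Instruction(ref, int(amount), ccy, beneficiary)
    return records


def reconcile(local, confirmed):
    """Compare the local outbound log with what the correspondent actually executed.

    MISSING_LOCALLY: executed by the correspondent but absent from the local log
                     (the signature of a suppressed or deleted local entry).
    MISMATCH:        present in both but with a different amount, currency or
                     beneficiary (the signature of an edited local entry).
    UNCONFIRMED:     logged locally but not (yet) confirmed; usually timing,
                     but worth a follow-up if it persists.
    """
    findings = []
    for ref in sorted(confirmed):
        conf = confirmed[ref]
        loc = local.get(ref)
        if loc is None:
            findings.append(("MISSING_LOCALLY", ref, conf))
        elif (loc.amount, loc.currency, loc.beneficiary) != (
            conf.amount, conf.currency, conf.beneficiary
        ):
            findings.append(("MISMATCH", ref, conf))
    for ref in sorted(local.keys() - confirmed.keys()):
        findings.append(("UNCONFIRMED", ref, local[ref]))
    return findings


# Constructed sample data. The local log has been tampered with: TRN0003's
# amount was edited and TRN0004 was deleted entirely.
LOCAL_OUTBOUND_LOG = """
TRN0001 | 250000000 | USD | BANKAAXX
TRN0002 | 120000000 | USD | BANKBBXX
TRN0003 |  80000000 | EUR | BANKCCXX
TRN0005 |   5000000 | USD | BANKDDXX
"""

CORRESPONDENT_CONFIRMATIONS = """
TRN0001 |  250000000 | USD | BANKAAXX
TRN0002 |  120000000 | USD | BANKBBXX
TRN0003 |   80500000 | EUR | BANKCCXX
TRN0004 | 2000000000 | USD | BANKEEXX
"""


def run_reconciliation():
    """Run the constructed scenario and return the list of findings."""
    return reconcile(parse_feed(LOCAL_OUTBOUND_LOG),
                     parse_feed(CORRESPONDENT_CONFIRMATIONS))


if __name__ == "__main__":
    for kind, ref, rec in run_reconciliation():
        print(f"{kind:16} {ref} {rec.amount / 100:,.2f} {rec.currency} -> {rec.beneficiary}")
```

The value of the check lies entirely in the independence of the second record: the confirmation feed must arrive over a channel and onto a host that the operator terminals and the SWIFT interface server cannot write to, and the comparison should run on a schedule that is shorter than the settlement window, so that a suppressed entry is noticed while recall is still possible.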
Overview: OPERA1ER is the threat designation Group-IB assigned to a sustained organised-crime cluster that, between 2018 and 2022, conducted more than 30 successful attacks against banks, financial-services providers, and telecommunications companies in Francophone Africa. Targeted countries include Côte d'Ivoire, Mali, Burkina Faso, Benin, Cameroon, Gabon, Niger, Nigeria, Senegal, Sierra Leone, Togo, and Uganda - with limited activity also recorded in Argentina, Bangladesh, and Paraguay. At least USD 11 million was directly stolen; assessed total damage is in the USD 30–50 million range. [4]
Key characteristics: The group is notable for the opposite of advanced tradecraft: it relies almost entirely on off-the-shelf, dark-web-available, and red-team tooling - Metasploit, Cobalt Strike, Mimikatz - combined with high-quality French-language spear-phishing. In at least two known incidents, the group reached the SWIFT Alliance Access interface inside victim banks (SWIFT itself was not compromised). The lesson is uncomfortable: defending against APT38 requires nation-state-grade tradecraft; defending against OPERA1ER requires baseline security hygiene that many regional banks did not have.
- Active: 2018–2022 (publicly tracked)
- Origin: French-speaking, criminal
- Sector focus: Banks, FSPs, telecoms
- Successful attacks: 30+ across 12 countries
- Geographic focus: Francophone West & Central Africa
- Initial access: French-language spear-phishing
- Tooling: Cobalt Strike, Metasploit, Mimikatz
Overview: Hive was a ransomware-as-a-service operation first observed in 2021, responsible for hundreds of victims worldwide before its infrastructure was disrupted by an FBI-led international operation in January 2023. The most prominent African central-bank incident publicly linked to Hive is the May 2022 attack on the Bank of Zambia, in which the bureau de change monitoring system and the public website were disrupted. The Bank of Zambia confirmed the incident publicly, declined to negotiate, and retained data integrity for its core systems. [3]
Key characteristics: Hive operated a classic double-extortion model - encryption of victim data combined with the threat of public leak via a Tor-based site. Affiliates gained access via phishing, exploitation of internet-facing services, and credentials purchased from initial access brokers. The Bank of Zambia case is instructive for two reasons: first, that network segmentation between public-facing systems and core monetary operations preserved the institution's primary mission during the attack; and second, that publicly declining to negotiate - rather than quietly paying - has become a defensible posture for central banks. The Hive brand is gone, but the affiliates, tooling, and tactics live on under successor operations.
- Active: 2021–Jan 2023 (Hive brand)
- Disrupted: FBI / international operation, Jan 2023
- Model: RaaS, double extortion
- Affiliate model: Open recruitment, criminal forums
- Africa activity: Bank of Zambia (May 2022)
- Outcome: Ransom refused, systems restored
- Successor risk: Affiliates active under new brands
How Central Banks Are Being Attacked
Six attack categories account for almost every documented incident against central banks and their commercial-bank supervisees - SWIFT and payment-system fraud, ransomware, hacktivist DDoS, vendor & supply-chain compromise, insider abuse, and state-sponsored espionage. They are frequently combined.
Central banks and the commercial banks they supervise face six primary attack categories. A motivated adversary - particularly a state-aligned heist group - will typically combine several of them in a single operation.
SWIFT itself has not been compromised in any publicly documented incident. What has been compromised, repeatedly, is the bank-side environment in which SWIFT interface software (Alliance Access and equivalents) operates. The pattern was established by the February 2016 Bangladesh Bank heist: phishing → long-dwell network reconnaissance → theft of operator credentials → submission of fraudulent SWIFT messages, with printer logs and operator terminals manipulated to delay detection. [1] US-CERT's "FASTCash" alert extended the playbook to ISO 8583-based payment switches, enabling cash-out fraud against banks in Africa and Asia totalling tens of millions of dollars. [5] The post-Bangladesh SWIFT Customer Security Programme (CSP) and its Customer Security Controls Framework (CSCF) are the baseline expectation for any SWIFT-connected institution; CSP compliance attestation is now mandatory and audited.
Ransomware against a central bank is, on the face of it, less catastrophic than a SWIFT heist - but it remains highly damaging. The Bank of Zambia's May 2022 Hive incident is the publicly documented African precedent: the bureau de change monitoring system and the public website were disrupted, the institution declined to negotiate, and the Bank of Zambia's ICT leadership publicly stated that core systems had been segregated and preserved. [3] The institution's posture - transparent disclosure, refusal to pay, public confirmation that core operations were not affected - has become a useful template for African central-bank peers.
Public-facing services - the bank's website, citizen-facing exchange-rate or licence portals, supervised commercial bank lookup - are the most predictable DDoS targets at any central bank. In October 2019 the South African Banking Risk and Information Centre (SABRIC) reported a coordinated DDoS campaign against multiple African banks' public-facing assets, accompanied by ransom demands and timed to coincide with payday for maximum disruption. [6] Hacktivist motivation is just as potent as financial motivation: in October 2020, during the #EndSARS protests, a hacktivist group targeted the website of the Central Bank of Nigeria with DDoS attacks as part of a wider campaign against the Nigerian government - the apex bank swept into a political campaign of which it was not itself the target. [18] The same continent-scale capability was demonstrated by Anonymous Sudan in July 2023, when a single campaign took 10 Kenyan universities, seven hospitals, M-Pesa, and the eCitizen platform offline simultaneously - an unambiguous proof that any African public institution with a civilian profile is a viable target.
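The campaigns above share one property: the volume arrives from many sources at once, so a per-source rate limit on an on-premises appliance sees nothing unusual while the aggregate overwhelms the service. The example below, added for this report and not code from any source cited here, runs over a constructed web access log (RFC 5737 documentation addresses), buckets requests into fixed windows, and flags a window whose volume exceeds a multiple of the median window even though no single source crosses the per-source limit. The window length, surge factor and per-source limit are assumptions chosen for the illustration.

```python
"""Flag a volumetric surge in web access logs that a per-source rate limit
would miss.

Added example for this report; not code from any source cited here. The log
lines are constructed (RFC 5737 documentation addresses); the window and
thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def build_sample_log():
    """Constructed access log: 60 s of normal traffic (one request per second
    from eight legitimate sources), then a 10 s surge in which 20 sources each
    send 10 requests (200 in total)."""
    base = datetime(2019, 10, 25, 6, 0, tzinfo=timezone.utc)
    lines = []
    for s in range(60):
        ts = (base + timedelta(seconds=s)).isoformat()
        lines.append(f"{ts} 198.51.100.{s % 8 + 1} GET /exchange-rates 200")
    for s in range(10):
        ts = (base + timedelta(seconds=60 + s)).isoformat()
        for i in range(20):
            lines.append(f"{ts} 203.0.113.{i + 1} GET / 200")
    return lines


def parse_line(line):
    """Constructed format: '<iso-timestamp> <source-ip> <method> <path> <status>'."""
    ts, src, _method, _path, _status = line.split()
    return datetime.fromisoformat(ts), src


def analyse(lines, window_s=10, surge_factor=5, per_source_limit=50):
    """Bucket requests into fixed windows of window_s seconds. Flag windows whose
    total exceeds surge_factor x the median window (volumetric view) and any
    single source that exceeds per_source_limit within a window (appliance view)."""
    events = [parse_line(line) for line in lines]
    t0 = min(ts for ts, _ in events)
    per_window = Counter()
    per_window_source = defaultdict(Counter)
    for ts, src in events:
        w = int((ts - t0).total_seconds() // window_s)
        per_window[w] += 1
        per_window_source[w][src] += 1

    counts = [per_window[w] for w in range(max(per_window) + 1)]
    baseline = median(counts)
    surge_windows = [w for w, c in enumerate(counts) if c > surge_factor * baseline]
    per_source_flagged = sorted(
        (w, src, n)
        for w, sources in per_window_source.items()
        for src, n in sources.items()
        if n > per_source_limit
    )
    # The busiest single source in each surge window shows how little any one
    # address contributes to a distributed surge.
    top_talker = {w: per_window_source[w].most_common(1)[0] for w in surge_windows}
    return {
        "window_counts": counts,
        "baseline": baseline,
        "surge_windows": surge_windows,
        "per_source_flagged": per_source_flagged,
        "top_talker_in_surge": top_talker,
    }


if __name__ == "__main__":
    report = analyse(build_sample_log())
    print("requests per window:", report["window_counts"])
    print("surge windows:", report["surge_windows"])
    print("sources over per-source limit:", report["per_source_flagged"])
    print("busiest source in surge:", report["top_talker_in_surge"])
```

On the constructed data the surge window carries twenty times the baseline volume, yet no source exceeds the per-source limit and the busiest address contributed only ten requests. That is the shape of the campaigns described above, and it is why the Key Lesson in the SABRIC and Central Bank of Nigeria case studies points to always-on mitigation at a global edge rather than to appliance capacity sized for normal traffic.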
The supplier ecosystem for core banking, RTGS, and SWIFT interface software is concentrated. A vulnerability disclosed in any one product can simultaneously expose multiple central banks and dozens of commercial-bank supervisees. The same is true of regulatory technology providers, KYC/AML platforms, and the firms that operate national payment switches. Recent reporting on Nigerian and South African financial-sector incidents has highlighted the role of unpatched, internet-exposed software at platforms close to public finance - including services linked to government payments. [9] A robust vendor-risk programme is no longer optional: it is a SWIFT CSP requirement and a Basel operational-resilience principle.
The Bangladesh Bank investigation implicated five bank officials for negligence and for creating the conditions in which the attack succeeded. Earlier, in 2013, the Sonali Bank of Bangladesh had also been successfully attacked in a manner that suggested insider assistance. [1] Central banks operate small, highly privileged operations teams with access to instruments of unique national significance - SWIFT terminals, RTGS consoles, reserve-management dealing desks, banknote-issuance systems. Zero Trust per-request access verification, separation of duties, dual control on outgoing transactions, and continuous monitoring of privileged sessions are the controls that limit both insider-driven and credential-compromise-driven incidents.
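Two of the controls named above, separation of duties and dual control on outgoing transactions, together with the tamper-resistant logging that the Bangladesh Bank case study calls for, can be expressed compactly in code. The example below is added for this report and is not code from any source cited here: a maker/checker release gate in which the operator who keys an instruction can never approve it, high-value instructions need two distinct checkers, and every approval and release is written to a hash-chained audit log whose integrity can be verified. The high-value threshold, the role names and the instruction fields are constructed assumptions; the real control design follows the institution's own policy and its SWIFT CSP attestation scope.

```python
"""Maker/checker release gate for outgoing payment instructions, with a
hash-chained audit log.

Added example for this report; not code from any source cited here. The
threshold, roles and identifiers are constructed assumptions."""
import hashlib
import json
from dataclasses import dataclass, field


class ControlViolation(Exception):
    """Raised when a release would bypass separation of duties or dual control."""


@dataclass
class PaymentInstruction:
    ref: str
    amount: int          # minor units (cents)
    currency: str
    beneficiary: str     # placeholder counterparty code
    created_by: str      # the maker: the operator who keyed the instruction
    approvals: list = field(default_factory=list)


class ReleaseGate:
    GENESIS = "0" * 64   # chain anchor for the first audit entry

    def __init__(self, high_value_threshold):
        # Instructions at or above this amount need two checkers, not one.
        self.high_value_threshold = high_value_threshold
        self.audit_log = []   # each entry carries the hash of the previous one

    def _record(self, event):
        prev = self.audit_log[-1]["hash"] if self.audit_log else self.GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.audit_log.append({"prev": prev, "event": event, "hash": digest})

    def approve(self, instr, checker):
        # Separation of duties: the maker never checks their own instruction,
        # and one person cannot count twice.
        if checker == instr.created_by:
            raise ControlViolation(f"{checker} cannot approve own instruction {instr.ref}")
        if checker in instr.approvals:
            raise ControlViolation(f"{checker} already approved {instr.ref}")
        instr.approvals.append(checker)
        self._record({"type": "approve", "ref": instr.ref, "by": checker})

    def required_approvals(self, instr):
        return 2 if instr.amount >= self.high_value_threshold else 1

    def release(self, instr):
        # Dual control: nothing leaves without the required number of checkers.
        needed = self.required_approvals(instr)
        if len(instr.approvals) < needed:
            raise ControlViolation(
                f"{instr.ref} has {len(instr.approvals)} approval(s), needs {needed}")
        self._record({"type": "release", "ref": instr.ref, "amount": instr.amount,
                      "currency": instr.currency, "beneficiary": instr.beneficiary,
                      "maker": instr.created_by, "checkers": list(instr.approvals)})
        return True

    def verify_audit_log(self):
        """Return None if the chain is intact, else the index of the first entry
        whose content or link no longer matches its recorded hash."""
        prev = self.GENESIS
        for i, entry in enumerate(self.audit_log):
            body = json.dumps(entry["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return i
            prev = entry["hash"]
        return None


if __name__ == "__main__":
    gate = ReleaseGate(high_value_threshold=100_000_000)
    p = PaymentInstruction("TRN0100", 250_000_000, "USD", "BANKAAXX", created_by="maker1")
    gate.approve(p, "checker1")
    gate.approve(p, "checker2")
    print("released:", gate.release(p), "chain intact:", gate.verify_audit_log() is None)
```

The hash chain only proves that nothing was altered after the fact if the latest hash is regularly copied somewhere the operations environment cannot write to, such as a write-once store held by internal audit; otherwise an attacker with host access can simply rebuild the chain. Equally, the maker and checker identities have to come from an authentication system the operator terminals do not control, which is what ties this control back to the phishing-resistant MFA and privileged-session monitoring recommended elsewhere in this report.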
Beyond direct theft, foreign intelligence services have clear interest in central-bank intelligence: pre-publication monetary-policy decisions, foreign-reserve composition, supervisory findings on systemically important commercial banks, and stress-test results. Espionage operations are by design quieter than financial-heist operations, and rarely surface publicly - but the threat is unambiguous and motivates the dual posture of "preventing theft AND preventing exfiltration of policy-sensitive data" that mature central banks now adopt.
Central Banks & Financial Institutions Under Attack
Eleven publicly reported incidents - the global precedent that re-shaped central-bank security, plus ten cases directly in or adjacent to African central banks and financial institutions.
The eleven incidents below are drawn from publicly available reporting from US-CERT, the US Department of Justice, the World Bank, Group-IB, SABRIC, the IMF, and central banks' own disclosures. They are presented to give leadership a concrete picture of the patterns to defend against - not to single out any one institution.
Documented cyber incidents against African central banks and major financial institutions are not regionally concentrated. They span Francophone West and Central Africa (OPERA1ER), West Africa (Nigeria), East Africa (Kenya, Uganda), Southern Africa (Zambia, South Africa, Lesotho), the south-western Atlantic seaboard (Angola), and the Indian Ocean islands (Seychelles) - and historically extend to the Bangladesh precedent that reshaped every SWIFT-connected institution on the continent.
- 2016 · Bangladesh Bank - SWIFT Heist (USD 81M stolen). USD 81 million extracted via fraudulent SWIFT instructions; attempted theft of nearly USD 1 billion. US authorities attributed the operation to North Korea's APT38 / BeagleBoyz. The incident catalysed the SWIFT Customer Security Programme. [1][2]
- 2018 · National Bank of Kenya (USD 261K+ stolen). Internal-network compromise leading to fraudulent payment instructions. KSh 29 million (~USD 261K) confirmed stolen, with anecdotal reporting suggesting losses closer to KSh 340 million (~USD 3M). [10]
- 2018–22 · OPERA1ER - Francophone Africa Campaign (USD 11M+ stolen, USD 30–50M total impact). 30+ successful attacks on banks, financial-services providers, and telecoms across Côte d'Ivoire, Mali, Burkina Faso, Benin, Cameroon, Gabon, Niger, Nigeria, Senegal, Sierra Leone, Togo, Uganda. SWIFT Alliance Access interface reached in two known incidents. [4]
- 2019 · SABRIC-Reported DDoS Campaign (multi-bank public services down). Coordinated DDoS against multiple African banks' public-facing assets, accompanied by ransom demands, timed to coincide with payday for maximum disruption. [6]
- 2020 · Development Bank of Seychelles - Calix Ransomware (ransomware at a central-bank-affiliated entity). The Calix ransomware strain infected the Development Bank of Seychelles - a development-finance institution part-owned by, and a branch of, the Seychelles' central banking apparatus - in one of the few publicly documented ransomware incidents to reach a central-bank-affiliated entity on the continent. [17]
- 2020 · Central Bank of Nigeria - Hacktivist DDoS (CBN site public services hit). During the #EndSARS anti-police-brutality protests, a hacktivist group targeted the website of the Central Bank of Nigeria with DDoS attacks as part of a wider campaign against the Nigerian government - a clear example of how an apex bank's public-facing services can be swept into politically or ideologically motivated campaigns of which it is not itself the target. [18]
- 2022 · Bank of Zambia - Hive Ransomware (ransom refused). Bureau de change monitoring system and public website disrupted. Core monetary systems segregated and preserved; only test data lost. Institution publicly declined to negotiate; affected services restored. [3]
- 2022 · South African Reserve Bank - FBI-Flagged Intrusion (no impact disclosed by SARB). South Africa's Finance Minister publicly stated on 12 August 2022 that the SARB had been hacked and that the US FBI alerted the South African Hawks before the local security cluster had detected anything. SARB has stated there was no operational impact on its systems. [16]
- 2023 · Central Bank of Lesotho - National Payment System Disrupted (NPS down ~8–11 days). A cybersecurity incident on 11 December 2023 forced the Central Bank of Lesotho to suspend systems; the national payment system was disrupted, blocking domestic interbank transactions for several days. The IMF later cited it as a case of payment-system disruption from a single cyber event. Interbank transfers restored 19 December; full payment-services restoration declared 22 December. [13]
- 2024 · Banco Nacional de Angola (BNA) - Confirmed Cyberattack (SPTR ~24h paralysed, alleged). The BNA confirmed a cybersecurity incident on 6 January 2024 and stated it had been mitigated “without significant impacts on infrastructure and data”. Independent reporting (Maka Angola) characterised the event as ransomware and alleged that Angola's Real-Time Payments System (SPTR) was paralysed for more than 24 hours. The BNA governor had previously stated the bank registers approximately 350 cyberattack attempts per day. [14]
- 2024 · Bank of Uganda - UGX 62B Theft (“Waste”) (~USD 16.8M stolen, partial recovery). Public reporting attributes a theft of approximately UGX 62 billion (~USD 16.8 million) from the Bank of Uganda to an offshore threat actor referred to as “Waste”. Disclosure followed parliamentary scrutiny. A portion of the funds was reportedly recovered; full attribution and the technical means of access remain under investigation. [15]
Bangladesh Bank, February 2016
A USD 81 million heist by fraudulent SWIFT instructions - with an attempted USD 951 million - from the Bangladesh Bank's account at the Federal Reserve Bank of New York. The incident catalysed the SWIFT Customer Security Programme. The Governor resigned.
| Field | Detail |
| --- | --- |
| Attack Type | Phishing → long-dwell reconnaissance → fraudulent SWIFT messages [1][2] |
| Impact | Attackers attempted to extract USD 951 million via 35 fraudulent SWIFT instructions sent from Bangladesh Bank's terminal to its Federal Reserve Bank of New York account. Five transactions cleared, totalling USD 101 million - of which USD 20 million was recovered from Sri Lanka and ~USD 15 million from the Philippines. The remaining ~USD 66 million has not been recovered. The thirty other instructions were blocked thanks to a misspelled instruction. US authorities have publicly attributed the attack to North Korea's APT38 / BeagleBoyz. The governor of Bangladesh Bank resigned. |
| Key Lesson | The bank-side environment of SWIFT (interface software, operator terminals, printer infrastructure) is the target, not SWIFT itself. Network segregation between SWIFT operations and the general bank network, multi-person approval on outgoing instructions, and tamper-resistant logging are the controls that prevent a Bangladesh-pattern incident. SWIFT's Customer Security Programme (CSP) codifies these requirements. |

CASE STUDY | Zambia | May 2022 | Severity 3/5
Bank of Zambia - Hive Ransomware (Refused)

| Field | Detail |
| --- | --- |
| Attack Type | Hive ransomware-as-a-service; encryption of Network-Attached Storage [3] |
| Impact | The Bank of Zambia confirmed in a 13 May 2022 press statement that it had experienced a partial disruption to IT applications on 9 May. The bureau de change monitoring system and the public website were affected. Hive ransomware actors encrypted a Network-Attached Storage device and demanded a ransom. The Bank's ICT Director publicly confirmed that core systems had been segregated and preserved, that only test data was lost, and that the institution would not negotiate. Affected services were fully restored. |
| Key Lesson | Network segmentation between public-facing services and core monetary-operations infrastructure preserved the institution's primary mission throughout the incident. Public, transparent disclosure - combined with a stated refusal to negotiate - is now a viable and defensible posture for African central banks. It also denies the criminal economy the financial signal that ransomware against central banks is profitable. |

CASE STUDY | Francophone Africa | 2018–2022 | Severity 4/5
OPERA1ER - Sustained Multi-Country Cybercrime Campaign

| Field | Detail |
| --- | --- |
| Attack Type | Spear-phishing → off-the-shelf tooling → SWIFT-interface access in commercial banks [4] |
| Impact | Group-IB attributed 30+ successful attacks against banks, financial-services providers, and telecommunications companies in 12 African countries - Côte d'Ivoire, Mali, Burkina Faso, Benin, Cameroon, Gabon, Niger, Nigeria, Senegal, Sierra Leone, Togo, Uganda - to a single organised-crime cluster. At least USD 11 million directly stolen; assessed total damage USD 30–50 million. In at least two incidents, the group reached the SWIFT Alliance Access interface inside victim banks (SWIFT itself was not compromised). |
| Key Lesson | OPERA1ER's tooling was not advanced - Metasploit, Cobalt Strike, Mimikatz, and high-quality French-language spear-phishing. The campaign succeeded because baseline security hygiene at many regional banks was missing: phishing-resistant MFA, network segmentation, EDR on critical hosts, and prompt detection of commodity tradecraft. The implication for central banks: supervision must include the security posture of supervised institutions, not just their financial soundness. |

CASE STUDY | Kenya | January 2018 | Severity 3/5
National Bank of Kenya - Internal Network Compromise

| Field | Detail |
| --- | --- |
| Attack Type | Internal-network compromise → fraudulent payment instructions [10] |
| Impact | According to public reporting compiled in the World Bank's "Cyber Threats to the Financial Sector in Africa", an organised criminal group stole approximately KSh 29 million (~USD 261,000) from the National Bank of Kenya in January 2018, with anecdotal reporting suggesting the actual sum may have been closer to KSh 340 million (~USD 3 million). The bank cited a compromise of its internal network as the underlying cause. [10] |
| Key Lesson | An attacker who reaches the internal network of a bank can issue fraudulent instructions in ways that the bank's outbound controls were not designed to catch. The remedy is Zero Trust per-request access control for every internal system, prompt detection of lateral movement, and dual control on outgoing financial instructions - controls that apply equally to commercial banks under central-bank supervision and to the central bank's own operations. |

CASE STUDY | Coordinated DDoS | Multi-Country | October 2019 | Severity 3/5
SABRIC-Reported DDoS Campaign Against African Banks

| Field | Detail |
| --- | --- |
| Attack Type | Coordinated ransom DDoS, payday-timed [6] |
| Impact | In October 2019 the South African Banking Risk and Information Centre (SABRIC) reported a series of DDoS attacks against multiple African banks' public-facing assets. The attacks were accompanied by a ransom note demanding payment to stop the attacks, and were timed to coincide with payday to cause maximum disruption. The campaign coincided with a separate ransomware attack against the City of Johannesburg's network, which shut down all electronic services, including bill-payment mechanisms, during the same month-end window. |
| Key Lesson | The public-facing services of a central bank or commercial bank - website, citizen portal, supervised-bank lookup - are the most predictable DDoS targets. Always-on volumetric DDoS protection at a global edge, paired with sector-coordinated threat sharing (the SABRIC role), materially raises the cost of mounting credible campaigns against the regional banking community. |

CASE STUDY | Seychelles | September 2020 | Severity 3/5
Development Bank of Seychelles - Calix Ransomware

| Field | Detail |
| --- | --- |
| Attack Type | Ransomware against a central-bank-affiliated development-finance institution [17] |
| Impact | In September 2020 the Calix ransomware strain infected the Development Bank of Seychelles (DBS), as documented in the World Bank's "Cyber Threats to the Financial Sector in Africa" (March 2022). The DBS is a development-finance institution in which the Government of Seychelles and the Central Bank of Seychelles hold ownership stakes, placing the incident among the small number of publicly documented ransomware events to reach a central-bank-affiliated entity on the continent. It is a concrete demonstration that ransomware operators do not distinguish between commercial and public-sector financial institutions when an exposed attack surface presents itself. |
| Key Lesson | A central bank's risk perimeter extends beyond the apex institution itself to the development banks, deposit-insurance bodies, and state-owned financial entities within its ambit - any of which can become the soft entry point. The control implication is uniform baseline hygiene across the whole central-banking family: enforced patch SLAs, segmented backups tested for ransomware recovery, and edge-level filtering of inbound exploitation traffic for every affiliated entity, not only the central bank's core. |

CASE STUDY | Nigeria | October 2020 | Severity 2/5
Central Bank of Nigeria - Hacktivist DDoS (#EndSARS)

| Field | Detail |
| --- | --- |
| Attack Type | Ideologically motivated (hacktivist) DDoS against the apex bank's public web presence [18] |
| Impact | In October 2020, during the #EndSARS protests against police brutality, a hacktivist group targeted the website of the Central Bank of Nigeria (CBN) with DDoS attacks, as documented in the World Bank's "Cyber Threats to the Financial Sector in Africa". The action formed part of a wider campaign against Nigerian government institutions rather than a financially motivated attack on the bank specifically. The episode illustrates how a central bank's public-facing services can be swept into broader political or ideological campaigns of which it is not the primary target - and how, during periods of civil unrest, the apex bank's digital presence becomes a symbolic target. |
| Key Lesson | A central bank cannot choose when it becomes a target. Politically driven DDoS surges arrive without warning, often correlated with domestic events entirely outside the bank's control. Always-on, automatically scaling DDoS mitigation at a global edge - rather than appliance-based capacity sized to normal traffic - is the only posture that absorbs an unpredictable hacktivist surge without taking the bank's citizen-facing services offline at the moment public scrutiny is highest. |

CASE STUDY | South Africa | August 2022 | SEVERITY 3/5
South African Reserve Bank - FBI-Flagged Intrusion Attempt

| Attack Type | Intrusion attempt against the apex bank - characterisation publicly disputed [16] |
| Impact | On 12 August 2022 the South African Reserve Bank (SARB) was the subject of an intrusion event that South Africa's Finance Minister Enoch Godongwana publicly described as a hack - stating that the US Federal Bureau of Investigation (FBI) had notified South African law enforcement (the Hawks) of the activity before the country's own security cluster detected it. SARB has consistently stated, in subsequent press responses, that the attempted breach had “no impact on the SARB's systems or operations.” The episode is documented in coverage from Bloomberg, IOL/Cape Argus, News24, BusinessTech, Moneyweb, TechCentral, and TRT Afrika. SARB had not previously disclosed the incident publicly; it had been reported to the National Treasury and security agencies. |
| Key Lesson | Even where a central bank assesses that an intrusion attempt had no operational impact, the institutional fact that a foreign intelligence service detected the activity before the national security cluster did is itself a finding. The control implication: continuous, telemetry-rich monitoring of east-west traffic, identity activity, and outbound DNS, plus formal information-sharing with peer central banks, SWIFT ISAC, and national CSIRTs - so the central bank is rarely the last party to know. |

CASE STUDY | Lesotho | December 2023 | SEVERITY 4/5
Central Bank of Lesotho - National Payment System Disruption

| Attack Type | Cybersecurity incident → precautionary system suspension → national payment system frozen [13] |
| Impact | On 11 December 2023 the Central Bank of Lesotho (CBL) disclosed a cybersecurity incident affecting several of its systems. The bank suspended affected systems to prevent further infiltration; consequently, payments across the national payment system - on which all domestic interbank transactions depend - were delayed. The CBL stated that no financial or other loss was incurred. Interbank transfers were restored on 19 December (eight days later); the CBL declared full payment-services restoration on 22 December 2023. The April 2024 IMF Global Financial Stability Report cites the Lesotho incident as a real-world example of how a single cyber event can disrupt the national payment system of a country. |
| Key Lesson | The Lesotho incident demonstrates that a containment-driven suspension of central-bank systems is, in itself, a national-scale disruption - even where no funds are stolen. The implication is that resilience planning must include rehearsed manual interbank settlement procedures, pre-agreed industry coordination protocols (the Bankers Association of Lesotho played a critical role here), and tested recovery time objectives for the national payment system as a whole, not just for individual applications. |

CASE STUDY | Angola | January 2024 | SEVERITY 3/5
Banco Nacional de Angola (BNA) - Confirmed Cyberattack, Disputed Severity

| Attack Type | BNA: cybersecurity incident, mitigated. Independent reporting: ransomware against core payment infrastructure [14] |
| Impact | The Banco Nacional de Angola (BNA), the Angolan central bank, confirmed on 16 January 2024 that it had recorded a cybersecurity incident on 6 January 2024, mitigated by the institution's cybersecurity controls “without significant impacts on its infrastructure and data” (BNA statement, Lusa news agency, 16 January 2024). Independent Angolan publication Maka Angola - run by investigative journalist Rafael Marques - reported the event as a ransomware incident dated 8 January and alleged that Angola's Real-Time Payments System (SPTR), which handles interbank operations across the country (including State financial operations in kwanzas), was paralysed for more than 24 hours, and that SPTR is interconnected with the BNA's Integrated Markets and Asset Management System (SIGMA). Coverage in The Record (Recorded Future) and SC Media notes that several smaller Angolan banks have previously appeared on the leak site of the now-defunct ALPHV/BlackCat ransomware operation. BNA Governor José de Lima Massano had stated in May 2023 that the bank registers approximately 350 cyberattack attempts per day. No threat actor has publicly claimed responsibility for the 6 January incident; no monetary loss has been disclosed. |
| Key Lesson | The BNA case illustrates a recurring central-bank communications challenge: the institution's own statement and independent reporting diverge on severity, and that gap erodes trust. The control implication is twofold: first, pre-prepared disclosure templates and pre-agreed thresholds for what is communicated, when, and by whom; second - and more important - technical telemetry detailed enough that the central bank can credibly characterise the blast radius (which systems, for how long, with what data) within hours, not weeks. |

CASE STUDY | Uganda | 2024 | SEVERITY 4/5
Bank of Uganda - UGX 62B Theft (“Waste”)

| Attack Type | Offshore-actor theft from the central bank - under parliamentary investigation [15] |
| Impact | Public reporting in 2024 attributed the theft of approximately UGX 62 billion (~USD 16.8 million) from the Bank of Uganda's accounts to an offshore threat actor referred to in coverage as “Waste”. Disclosure of the loss followed parliamentary scrutiny in Uganda; a portion of the funds was reportedly recovered, with the balance unrecovered. The technical means of access - whether SWIFT-environment compromise, treasury-system fraud, or a separate vector - and full attribution remain subject to ongoing investigation in publicly available reporting. Uganda is also one of the twelve countries on the OPERA1ER target list documented by Group-IB. |
| Key Lesson | The Uganda case is the most recent illustration that direct theft from a central bank's own accounts remains possible - not just theft from accounts the central bank holds on behalf of commercial banks. Dual control on outbound instructions, segregation of treasury and payment infrastructure, behavioural anomaly detection on financial-instruction patterns, and rehearsed claw-back procedures with correspondent banks (which materially affected recovery in the Bangladesh case) are the controls that bound a Uganda-pattern loss. |
The Cost of Inaction
Direct theft, remediation, monetary-policy credibility, correspondent-banking standing, regulatory consequence - for a central bank, every layer of cost compounds the next.
World Bank research records a USD 3.2 million theft from a South African bank that ultimately required over USD 58 million in investigation and mitigation - an 18× multiplier between direct loss and total impact. For central banks, this multiplier is amplified further by impact on currency confidence and correspondent-banking standing.
Source: World Bank, "Cyber Threats to the Financial Sector in Africa" / Cimpanu 2020 [7]
The direct loss in a successful central-bank or commercial-bank heist is open-ended. Bangladesh Bank lost USD 81 million in a single incident with an attempted theft of nearly USD 1 billion. [1] OPERA1ER's cumulative direct theft across Francophone Africa was at least USD 11 million across 30+ attacks. [4] US-CERT attributed more than USD 100 million in confirmed thefts to APT38 against banks in Africa and Asia. [2] For commercial banks under central-bank supervision, World Bank-cited Deloitte research records over USD 245 million in financial-sector losses across Kenya, Rwanda, Uganda, Tanzania, and Zambia since 2011. [8]
Recovering from a successful financial-sector incident requires forensic investigation, supplier-led system restoration, comprehensive review of every internal system, SWIFT re-certification (where the SWIFT environment was involved), and significant security re-engineering. The 18× multiplier the World Bank documented is consistent with patterns elsewhere: investigation, system replacement, control re-architecture, regulatory response, customer notification, and litigation all add cost, all at the same time.
Unique to central banks: a serious incident affects the credibility of the institution that issues the currency, sets policy rates, and supervises the banking system. The Bangladesh Bank governor resigned over the 2016 incident. The reputational halo around a central bank - the perception that it is competent, secure, and reliable - is integral to confidence in the currency and in monetary-policy transmission. That confidence, once damaged, is expensive and slow to rebuild.
Post-Bangladesh, SWIFT mandated the Customer Security Programme (CSP) and the Customer Security Controls Framework (CSCF). Compliance is now a precondition for continued SWIFT access. A serious incident - particularly one involving SWIFT-based theft - can prompt counterparty correspondent banks to reduce or withdraw relationships, with consequences that propagate across the entire national banking system. For African countries already navigating de-risking pressure from global banks, this is a material national-economic risk, not just an institutional one.
For the institutions supervised by a central bank, POPIA in South Africa, the NDPR in Nigeria, Kenya's Data Protection Act, and equivalent regional frameworks impose direct fines for breach. For the central bank itself, the reputational consequences extend beyond money: parliamentary inquiries, peer-review consequences in regional bodies (SADC, ECOWAS, the African Central Bank Governors' Forum), and the durable shift in how supervised institutions perceive the central bank's competence.
Why Traditional Defences Are Failing
Perimeter firewalls, signature-based antivirus, and on-premise scrubbing appliances remain necessary baselines - but the adversaries central banks face have moved beyond what those controls were designed to defend against.
Every central bank has firewalls, an enterprise antivirus deployment, SIEM tooling, and some form of perimeter DDoS protection. These are necessary baseline controls. They are no longer sufficient on their own, because the threat landscape and the operating reality of a modern central bank have both moved on.
A modern central bank operates across cloud platforms, third-party regulatory-technology providers, KYC and supervisory platforms, mobile workforce, hybrid data centres, and integrations with national payment switches, RTGS systems, and SWIFT. Legacy firewall-based segmentation protects a boundary that no longer corresponds to where sensitive operations actually live. Zero Trust per-request access verification is the only architecture compatible with this reality.
The 2016 Bangladesh Bank investigation found that the SWIFT terminal had been allowed to share network infrastructure with the rest of the bank, and that no firewall separated them. SWIFT CSP / CSCF now codify a stricter architecture: SWIFT-connected infrastructure must be air-gapped or network-isolated from the broader bank, operator workstations must be dedicated and hardened, and outgoing instructions must be subject to dual control. Compliance attestation is mandatory and audited - but many regional institutions are still completing CSP maturity.
Public-facing central-bank services (the institution's website, citizen portals, supervised-bank lookup, exchange-rate publication) face the same volumetric DDoS landscape as any high-profile civilian site. On-premise scrubbing appliances cannot absorb attacks of the size and complexity now routinely commissioned via DDoS-for-hire services. Defending these surfaces requires a global anycast edge with hundreds of points of presence, including the African PoPs that Cloudflare maintains in major cities across sub-Saharan Africa.
Zero-day vulnerabilities are unknown until exploited. Even when patches are issued, central-bank IT operations - constrained by change-control processes and the need to preserve supervised-system stability - cannot realistically patch all systems within the window between disclosure and active exploitation. Virtual patching at the Web Application Firewall edge bridges that gap.
The adversaries central banks face - APT38, OPERA1ER, ransomware affiliates, hacktivist DDoS collectives, sophisticated insider threats - are professional, well-resourced, and operate at industrial scale. African central-bank security teams are typically small. Expecting an in-house team of that size to detect, contain, and respond to a coordinated, multi-vector attack without an enterprise-grade global security platform is unrealistic. The practical answer is leverage: operate the team you have on top of a global network that does the heavy lifting at the edge.
Twelve Recommendations for African Central Banks
A prescriptive checklist drawn from SWIFT CSP, Basel operational-resilience principles, and the lessons of every incident catalogued in Sections 01–03. Vendor-neutral. Sequenced by impact and dependency.
The recommendations below are stated in deliberately operational language. Each maps to one or more documented incidents in this report; each corresponds to a recognised control in SWIFT CSP, Basel committee guidance, NIST CSF, or the SABRIC sector framework. They are the controls a peer institution would expect to see in place at any SWIFT-connected central bank in 2026.
01. Achieve and maintain SWIFT CSP/CSCF attestation
SWIFT Customer Security Programme attestation is mandatory and audited. Engage an independent CSP assessor at least annually; close every gap in the Customer Security Controls Framework within the publicly stated remediation window. CSP compliance is the floor, not the ceiling. [11]

02. Segregate SWIFT, RTGS, dealing, and banknote infrastructure from the general network
The 2016 Bangladesh investigation found the SWIFT terminal sharing infrastructure with the general bank network, with no firewall between them. Air-gap or strictly segment every critical operations environment. No shared print, file, or directory services with general office IT.

03. Deploy phishing-resistant MFA on every privileged workstation
FIDO2 / WebAuthn (hardware tokens, not SMS, not push) on every operator workstation with access to SWIFT, RTGS, payment switches, dealing systems, or banknote issuance. Phishing is the proximate cause of nearly every documented bank heist on the public record - this control breaks the chain.

04. Enforce dual control and multi-person approval on outbound instructions
Every outgoing SWIFT and RTGS instruction must require a second, independently credentialed approver on a separate device. Tamper-resistant logging of every action, with logs streamed off-host in real time. This is the control that catches the fraudulent message Bangladesh did not catch.

05. Adopt Zero Trust per-request access for all internal systems
Replace VPN-based implicit trust with per-request identity-and-device verification for every internal system - supervisor portals, statistical reporting, KYC platforms, dealing systems. Continuous session monitoring on privileged sessions, automatic revocation on anomaly.

06. Move public-facing services behind a global anycast edge
On-premise scrubbing appliances cannot absorb modern volumetric DDoS. The institution website, citizen portals, supervisor lookup, and statistical publishing must sit behind a global edge with always-on volumetric and application-layer protection. The SABRIC October 2019 campaign is the case in point. [6]

07. Inspect every inbound email; train every operator
AI-driven email security in front of every staff inbox, scanning for impersonation of SWIFT, peer central banks, the BIS, the Federal Reserve, and supervised commercial banks. Quarterly phishing exercises with measurable failure-rate KRIs. Mandatory remedial training for anyone who fails.

08. Run a formal vendor-risk programme for the supplier ecosystem
Continuous third-party risk assessment for every supplier with access to critical infrastructure: core banking, RTGS, SWIFT interface vendors, KYC/AML platforms, national payment-switch operators. Contractual obligation for vendor disclosure of CVEs and breaches. Alignment to SWIFT CSP and Basel operational-resilience principles.

09. Participate actively in sectoral threat-intelligence sharing
SABRIC (Southern Africa), regional CERTs, FS-ISAC, peer central-bank direct sharing, and the BIS Cyber Resilience Coordination Centre channels. The Bank of Zambia's transparent disclosure posture in 2022 is a useful precedent: shared intelligence raises the cost for every adversary on the continent. [3]

10. Define, document, and test an incident-response plan
A central-bank-specific IR playbook covering SWIFT incident, ransomware, DDoS, data exfiltration, and supplier compromise. Pre-negotiated retainer with an external IR firm. Tabletop-tested at the board level at least annually; full technical exercise at least semi-annually.

11. Report cyber risk to the board at every meeting
A defined dashboard of Key Risk Indicators reviewed at every board sitting: SWIFT CSP attestation status, mean time to patch critical vulnerabilities, phishing-test failure rate, privileged-access reviews completed, ransomware-recovery tabletop status, vendor-risk red flags. Cyber as a board agenda item, not an annexure.

12. Treat supervised-institution cyber posture as a supervisory concern
OPERA1ER's campaign demonstrated that commercial banks under central-bank supervision are part of the central bank's threat surface. Supervisory examinations should formally include cyber posture - not just financial soundness. The same applies to systemically important payment-system operators and national switches. [4]
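Recommendation 04 (dual control on outbound instructions with tamper-resistant logging) is the one control above that reduces to a small, testable mechanism, so here is an added worked example of it. This is illustrative code written for this report's readers, not part of the report itself and not any SWIFT or RTGS product; the operators, device ids, instruction reference, BIC-style string and log key are all constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key for the log chain. In a real deployment the sealing key
# (or the signing operation) lives on the separate log host or an HSM, never on
# the operator workstation, so an intruder there cannot re-seal altered entries.
LOG_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Instruction:
    ref: str              # constructed reference, not a real message id
    beneficiary_bic: str  # constructed BIC-style string
    amount: float
    currency: str


@dataclass(frozen=True)
class Operator:
    user_id: str
    device_id: str
    role: str  # "initiator" or "approver"


class TamperEvidentLog:
    """Append-only log: each entry is HMAC-tagged together with the previous
    entry's tag, so editing, deleting or reordering entries breaks the chain."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["tag"] if self.entries else "GENESIS"
        body = json.dumps(event, sort_keys=True)
        tag = hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
        self.entries.append({"event": event, "prev": prev, "tag": tag})

    def verify(self) -> bool:
        prev = "GENESIS"
        for entry in self.entries:
            body = json.dumps(entry["event"], sort_keys=True)
            expected = hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
            if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
                return False
            prev = entry["tag"]
        return True


class DualControlGateway:
    """Releases an outbound instruction only after a second, independently
    credentialed approver acting from a separate device has approved it."""

    def __init__(self, log: TamperEvidentLog) -> None:
        self.log = log
        self.pending: dict[str, tuple[Instruction, Operator]] = {}
        self.released: list[str] = []

    def initiate(self, instr: Instruction, op: Operator) -> None:
        if op.role != "initiator":
            raise PermissionError(f"{op.user_id} may not initiate instructions")
        self.pending[instr.ref] = (instr, op)
        self.log.append({"action": "initiate", "ref": instr.ref, "user": op.user_id,
                         "device": op.device_id, "amount": instr.amount,
                         "currency": instr.currency, "beneficiary": instr.beneficiary_bic})

    def approve(self, ref: str, approver: Operator) -> bool:
        """Release the instruction if the four-eyes conditions hold; otherwise
        record the refusal and leave it pending. Every outcome is logged."""
        _, initiator = self.pending[ref]
        if approver.role != "approver":
            reason = "approver role required"
        elif approver.user_id == initiator.user_id:
            reason = "initiator cannot approve own instruction"
        elif approver.device_id == initiator.device_id:
            reason = "approval must come from a separate device"
        else:
            reason = None
        self.log.append({"action": "approve", "ref": ref, "user": approver.user_id,
                         "device": approver.device_id,
                         "result": "released" if reason is None else f"refused: {reason}"})
        if reason is not None:
            return False
        del self.pending[ref]
        self.released.append(ref)
        return True


def run_demo() -> dict:
    """Exercise the gateway with constructed operators and one constructed instruction."""
    log = TamperEvidentLog()
    gw = DualControlGateway(log)
    alice = Operator("alice", "ws-01", "initiator")
    gw.initiate(Instruction("DEMO-0001", "EXAMPLEBICXXX", 250000.0, "USD"), alice)
    self_approval = gw.approve("DEMO-0001", Operator("alice", "ws-01", "approver"))
    proper = gw.approve("DEMO-0001", Operator("bob", "ws-02", "approver"))
    intact_before = log.verify()
    log.entries[0]["event"]["amount"] = 25.0  # simulate an after-the-fact edit of the record
    return {"self_approval": self_approval, "proper": proper, "released": list(gw.released),
            "log_intact_before": intact_before, "log_intact_after": log.verify()}
```

Streaming each sealed entry off-host as it is written (as the recommendation requires) is what makes the chain useful in practice: a workstation-resident attacker can delete the local copy but cannot rewrite what the log host has already received.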
Built for Scale, Available for Central Banks
Cloudflare operates one of the largest global networks in the world, with extensive edge presence across the African continent - the same infrastructure used by global tier-one banks and government agencies, available to African central banks through LockDown IT.
Cloudflare operates one of the largest global networks in the world - 330+ points of presence across more than 120 countries, processing tens of millions of HTTP requests per second and blocking billions of cyber threats every day. The same infrastructure protecting global tier-one banks, regulated financial institutions, and national governments can protect your central bank's public-facing services, supervisor portals, and citizen-touching applications.
Eleven products organised into three layers of central-bank protection. Read this with Section 06 (Recommendations) open in the other hand - the mapping is deliberate.
We block attackers upstream - on the public internet, before they ever touch the central bank's IT infrastructure.
LockDown IT helps protect some of the largest central banks in Africa. As a Cloudflare Enterprise Services Partner, we deploy Cloudflare's global network - with regional edge presence in major cities across sub-Saharan Africa - in front of the institution's external surface: public websites, citizen portals, supervised-bank lookups, RTGS gateways, SWIFT-adjacent APIs, operator email, and Zero Trust access for staff and contractors. DDoS floods, phishing, credential stuffing, vulnerability scans, and bot-driven reconnaissance are absorbed and filtered at the global edge - not at the bank's perimeter, and never inside its core systems.
A LockDown IT solutions engineer will walk your team through the Cloudflare platform mapped to your specific architecture - SWIFT-adjacent services, RTGS, public-facing portals, operator email. Or we can stand up a 30-day product trial against a non-production surface so the team can evaluate it directly.
A one-page checklist a Governor's office can complete in ten minutes. Each item maps to one of the twelve recommendations in Section 06. The goal is not a score - it is a defensible answer to the question "where are we exposed today?"
Acronyms used throughout this report. Listed alphabetically.
- APT38 / BeagleBoyz: North Korean state-aligned threat group operating under the DPRK Reconnaissance General Bureau; uniquely focused on the theft of money from financial institutions. Tracked under the US-CERT "Hidden Cobra" umbrella; overlaps the wider Lazarus Group.
- BIS: Bank for International Settlements (Basel) - the bank for central banks; operates the BIS Cyber Resilience Coordination Centre.
- CSCF: SWIFT Customer Security Controls Framework - the specific control set audited under the CSP attestation regime.
- CSP: SWIFT Customer Security Programme - post-Bangladesh framework codifying mandatory security controls for all SWIFT-connected institutions. Compliance attestation is mandatory and audited.
- DDoS: Distributed Denial of Service - an attack that floods a target with traffic from many sources to make services unavailable.
- DPRK: Democratic People's Republic of Korea (North Korea).
- ECOWAS: Economic Community of West African States.
- EDR: Endpoint Detection and Response - software running on operator workstations and servers, detecting malicious activity in real time.
- FASTCash: US-CERT designation for the North Korean campaign that compromised ISO 8583-based payment switches to enable cash-out fraud against banks in Africa and Asia.
- FIDO2 / WebAuthn: Open authentication standards for phishing-resistant multi-factor authentication, typically using hardware security keys (YubiKey, Titan).
- FS-ISAC: Financial Services Information Sharing and Analysis Center - global threat-intelligence sharing community for the financial sector.
- ISO 8583: International standard for financial-transaction card-originated messages; the message format used by most card networks and ATMs.
- KRI: Key Risk Indicator - a measurable metric reviewed by management or the board to monitor risk levels.
- KYC / AML: Know Your Customer / Anti-Money Laundering - the regulatory framework requiring financial institutions to verify customer identity and screen transactions.
- MFA: Multi-Factor Authentication - requiring more than one verification method to log in. "Phishing-resistant MFA" specifically means FIDO2 / WebAuthn, not SMS or push.
- NDPR: Nigeria Data Protection Regulation.
- OPERA1ER: Group-IB designation for the organised-crime cluster that conducted 30+ successful attacks against banks, FSPs, and telecoms across 12 African countries between 2018 and 2022.
- PoP: Point of Presence - a physical edge location in a global network. Cloudflare operates PoPs in Cape Town, Johannesburg, Durban, Nairobi, Mombasa, Lagos, Accra and 320+ other cities.
- POPIA: South Africa's Protection of Personal Information Act - the country's data-protection law.
- RaaS: Ransomware-as-a-Service - the operator model under which Hive and similar groups operate, recruiting affiliates who carry out attacks in exchange for a share of ransom proceeds.
- RTGS: Real-Time Gross Settlement - the system through which a central bank settles interbank payments individually and in real time, typically for large-value transactions.
- SABRIC: South African Banking Risk Information Centre - sector body coordinating threat intelligence and risk information across South African banks.
- SADC: Southern African Development Community.
- SIEM: Security Information and Event Management - system that aggregates and analyses log data from across IT infrastructure to detect threats.
- SWIFT: Society for Worldwide Interbank Financial Telecommunication - the global messaging network through which banks and central banks settle interbank, correspondent, and reserve-management transactions.
- WAF: Web Application Firewall - inspects HTTP/HTTPS requests to a web application and filters malicious or anomalous traffic before it reaches the origin server.
About LockDown IT
LockDown IT is a specialist Africa-based cybersecurity company and a Cloudflare Enterprise Services Partner. We design, implement, and manage enterprise cybersecurity solutions for central banks, financial authorities, commercial banks, and other institutions of systemic importance across Sub-Saharan Africa.
[email protected] | +27 11 024 5696 | www.lockdownit.co.za
About Cloudflare
Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company on a mission to help build a better internet. Cloudflare's platform protects and accelerates any internet application online, with Points of Presence throughout Africa.
© 2026 LockDown IT (Pty) Ltd. All incident data is drawn from public sources.
All statistics and incident data cited in this report are drawn from the following publicly available sources. Reference numbers correspond to citation markers in the body text.
[1] Bangladesh Bank Cyber Heist (February 2016)
USD 81 million stolen via fraudulent SWIFT instructions sent from the Bangladesh Bank terminal to its Federal Reserve Bank of New York account; attempted theft of nearly USD 1 billion. Established the global SWIFT Customer Security Programme (CSP) response.

[2] US-CERT - APT38 / BeagleBoyz / "Hidden Cobra"
US authorities and FireEye/Mandiant publicly attributed more than USD 100 million in bank thefts in Africa and Asia to the North Korean state-aligned group APT38 / BeagleBoyz. Operative Park Jin Hyok was named in US federal charges in connection with the Bangladesh Bank heist.

[3] Bank of Zambia - Hive Ransomware Incident (May 2022)
Bank of Zambia press statement, 13 May 2022, and follow-up reporting confirmed Hive ransomware affected the bureau de change monitoring system and the public website; the ICT Director confirmed core systems were segregated and preserved, and that the institution declined to negotiate.

[4] Group-IB - OPERA1ER Campaign Across Francophone Africa
Group-IB attributed 30+ successful attacks against banks, financial-services providers, and telecommunications companies in 12 African countries (2018–2022) to a single criminal cluster. USD 11M directly stolen; total damage assessed at USD 30–50M. Africa loses USD 4B/year to cyber threats.

[5] US-CERT - "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks"
US-CERT alert documenting payment-switch (ISO 8583) compromise enabling cash-out fraud against financial-services firms in Africa and Asia totalling tens of millions of dollars.

[6] SABRIC-Reported DDoS Campaign Against African Banks (October 2019)
South African Banking Risk and Information Centre reported a series of DDoS attacks against multiple African banks' public-facing assets, accompanied by ransom demands, timed to coincide with payday for maximum disruption.

[7] World Bank / Cimpanu 2020 - Theft-to-Total-Impact Multiplier
USD 3.2 million theft from a South African bank required over USD 58 million in subsequent investigation and mitigation - an 18× multiplier between direct loss and total impact.

[8] Deloitte / CIO Africa - Financial-Sector Losses in East & Southern Africa
Deloitte research cited by CIO Africa places financial-sector losses across Kenya, Rwanda, Uganda, Tanzania, and Zambia at more than USD 245 million since 2011.

[9] Ecofin Agency - Recent Nigerian and South African Financial-Sector Incidents
Recent reporting on cyber incidents involving banks, insurers, and payment services in Nigeria and South Africa; common themes include unpatched software, weak access control, and uneven incident response.

[10] National Bank of Kenya Theft (January 2018)
According to public reporting (compiled in the World Bank report), the National Bank of Kenya lost approximately KSh 29M (~USD 261K) to an internal-network compromise in January 2018, with anecdotal reporting suggesting losses closer to KSh 340M (~USD 3M).

[11] SWIFT Customer Security Programme (CSP) and Customer Security Controls Framework (CSCF)
Post-Bangladesh framework codifying mandatory security controls for all SWIFT-connected institutions, including network segregation, multi-factor authentication, and operator-environment hardening. Compliance attestation is mandatory and audited.

[12] IBM Cost of a Data Breach Report 2024
Average cost of a data breach in South Africa: R53.1 million. Financial services consistently ranks among the highest-cost sectors globally.

[13] Central Bank of Lesotho - December 2023 Cybersecurity Incident
CBL public statements (11–22 December 2023) confirming a cybersecurity incident on 11 December 2023, the precautionary suspension of systems, the temporary disruption of the national payment system, the restoration of interbank transfers on 19 December, and full restoration of payment services on 22 December. Independently reported by The Record (Recorded Future News), TechPoint Africa, Sunday World, and the e-Crime Bureau. Subsequently cited in the IMF Global Financial Stability Report (April 2024), Chapter 3, as an example of cyber-driven national-payment-system disruption.

[14] Banco Nacional de Angola (BNA) - January 2024 Cyberattack
BNA institutional statement issued to Lusa news agency on 16 January 2024 confirming a cybersecurity incident on 6 January 2024, mitigated “without significant impacts on infrastructure and data”. Independently reported by The Record (Recorded Future News), SC Media, Ver Angola, MenosFios, and BeyondMachines. Independent Angolan publication Maka Angola (Rafael Marques) characterised the event as a ransomware incident and alleged paralysis of the Real-Time Payments System (SPTR) for more than 24 hours, with SPTR interconnected to the BNA's Integrated Markets and Asset Management System (SIGMA). BNA Governor José de Lima Massano, speaking at a Luanda cybersecurity forum in May 2023, stated that the bank registers approximately 350 cyberattack attempts per day.

[15] Bank of Uganda - 2024 Theft (“Waste”)
Public reporting attributing the theft of approximately UGX 62 billion (~USD 16.8 million) from Bank of Uganda accounts to an offshore threat actor referred to as “Waste”. Disclosure followed parliamentary scrutiny in Uganda; partial recovery has been publicly reported. Full attribution and the technical vector remain subject to ongoing investigation in publicly available reporting. Source: regional reporting, 2024 (multi-source).

[16] South African Reserve Bank (SARB) - August 2022 FBI-Flagged Intrusion
On 12 August 2022 the SARB was the subject of an intrusion event that South Africa's Finance Minister, Enoch Godongwana, publicly described at an SA Local Government Association (Salga) event as a hack - stating that the US Federal Bureau of Investigation (FBI) had alerted South Africa's Hawks before the local security cluster had detected the activity. SARB has consistently stated in press responses that the attempted breach had “no impact on the SARB's systems or operations”. Coverage in Bloomberg, IOL/Cape Argus, News24, BusinessTech, Moneyweb, TechCentral, TRT Afrika, and Daily Investor.

[17] Development Bank of Seychelles - Calix Ransomware (September 2020)
As documented in the World Bank's "Cyber Threats to the Financial Sector in Africa" (March 2022, Appendix B Case Studies), the Calix ransomware strain infected the Development Bank of Seychelles, a development-finance institution affiliated with the Seychelles' central-banking apparatus (Sweny 2020). One of the few publicly documented ransomware incidents to reach a central-bank-affiliated entity in Africa.

[18] Central Bank of Nigeria - Hacktivist DDoS (#EndSARS, October 2020)
As documented in the World Bank's "Cyber Threats to the Financial Sector in Africa" (March 2022, Appendix B Case Studies), during the October 2020 #EndSARS protests a hacktivist group targeted the website of the Central Bank of Nigeria with DDoS attacks as part of a wider campaign against the Nigerian government, demonstrating how financial-service institutions can be caught up in politically or ideologically motivated campaigns (Vermeulen 2019; Olufemi 2020).