- Preliminary industry tallies show the breach disrupted correspondent services at 120+ banks across 38 countries, delaying cross-border payments for up to 48 hours.
- Security teams say attackers exploited credential theft and a supply-chain update mechanism; investigators flag compromised transaction-routing between clearing houses and correspondent banks.
- Regulators in the US, UK, EU and Singapore have issued coordinated advisories and ordered accelerated incident reporting; several banks temporarily suspended certain SWIFT message types.
- Immediate remediation centers on isolating affected nodes, rotating keys and replay-protecting payment rails; industry leaders warn systemic exposure persists until full key and software integrity checks complete.
What happened: a rare, coordinated hit on cross-border plumbing
Late on March 26, multiple international banks began reporting unexplained failures in correspondent payment chains: automated reconciliations stalled, MT103 and MT202 messages were rejected or delayed, and settlement windows slipped. By the morning of March 27, an industry notice circulated among global clearing houses describing “widespread message routing anomalies tied to credential misuse and unauthorized update signatures.”
The pattern — simultaneous failures across unrelated institutions — pointed investigators to a common upstream dependency rather than an isolated bank compromise. Sources in several affected banks, speaking on condition of anonymity, told our reporters that attackers had targeted software update mechanisms used by third-party routing and reconciliation vendors.
Immediate impact: payments delayed, rails throttled, customers inconvenienced
For corporate treasuries and retail customers, the effect was tangible and fast. Treasury teams reported blocked outgoing transfers; importers said funds didn’t arrive at correspondent banks within agreed terms. Smaller banks that rely heavily on a handful of correspondent partners experienced the longest delays.
Industry operations desks estimate that more than 350,000 cross-border payment instructions were queued or reprocessed in the first 24 hours, with average settlement delays rising from under an hour to as much as 36–48 hours for some corridors. Several clearing houses extended their settlement windows to prevent forced auto-debits that could cascade into liquidity squeezes.
Who’s affected — a regional breakdown
No single region escaped. Early reporting by correspondent banks and central bank advisories suggests uneven but widespread disruption.
| Region | Banks affected (est.) | Avg. payment delay | Regulatory action |
|---|---|---|---|
| Europe | 45 | 24–36 hrs | BoE advisory; increased incident reporting |
| North America | 20 | 12–24 hrs | FBI cyber task forces coordinating, OCC notices |
| Asia-Pacific | 30 | 24–48 hrs | Monetary Authority advisories in Singapore and Hong Kong |
| Middle East & Africa | 15 | 18–36 hrs | Targeted outreach by regional central banks |
| Latin America | 10 | 12–24 hrs | Local regulators issued contingency guidance |
How investigators say the attackers worked
Sources with direct knowledge of the forensic process say the intrusion combined credential theft, a signed update pushed through a third-party vendor, and lateral movement inside payment-routing environments. The attack did not rely on an obvious mass malware outbreak; instead, attackers targeted trust relationships that banks maintain with gateway providers and correspondent nodes.
“This is an attack on trust, not just on machines,” said a senior incident responder who has been briefed by multiple banks and asked to remain unnamed. “When the supply chain you depend on signs an update that you trust, you don’t have an easy way to distinguish a legitimate update from one crafted by an adversary with stolen signing keys.”
Investigators are also studying whether the attackers manipulated message metadata to trigger automated exception handling, a tactic that can produce cascading delays as systems attempt to reconcile impossible account states.
Regulatory and industry response
Regulators moved quickly. The U.S. Treasury’s cyber coordinator convened a call with major correspondent banks and key clearing houses within hours. The Bank for International Settlements and SWIFT issued technical advisories urging institutions to:
- Isolate suspicious nodes immediately, disable non-essential update channels and apply manual verification for any signed changes.
- Rotate and revalidate cryptographic keys used for message signing and routing.
- Increase logging and forward logs to coordinated forensic teams for cross-institution analysis.
Several large banks temporarily disabled automated inbound MT103 processing for certain correspondent chains and placed affected transaction queues into manual review to stop automated misrouting.
Why correspondent banking remains a target
Correspondent banking is the set of relationships that lets banks without direct local presence move money globally. A handful of nodes — large correspondent banks and gateways — process the majority of routing for many corridors. That concentration creates chokepoints: compromise a widely used connector and you affect dozens or hundreds of downstream banks.
Payment rails are efficient but brittle. They depend on synchronized software stacks, trusted signing keys and tight uptime SLAs. An attacker who can alter a signed update or impersonate a vendor poses a much bigger threat than one who simply steals a single workstation’s credentials.
Technical mitigations banks are racing to apply
Security teams list a short, urgent checklist they say must be completed before normal operations resume at scale:
- Rotate all message-signing keys and reissue certificates from clean, audited key-generation environments.
- Perform binary and checksum verification on all routing software; if any unsigned changes are found, rebuild the node from known-good images.
- Quarantine third-party updater channels and require multi-party authorization for any future update rollouts.
- Run transaction-replay and reconciliation routines with extended hold times to verify end-to-end integrity before clearing.
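The first three items on that checklist, and the "manual verification for any signed changes" and key rotation the regulators' advisory calls for, come down to one gate on the updater channel: a release is installed only if it is signed by a vendor key that is still current, carries a quorum of independent approvals, and delivers exactly the bytes its signed manifest describes. The Go program below is an added example written for this article, not code from any bank, vendor or clearing house; the manifest format, the key IDs (`vendor-2025`, `vendor-2026`), the approver names and the Ed25519 choice are all assumptions made here, and every key and file in it is generated or constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Manifest maps file name -> SHA-256 hex. Its shape is this example's own assumption.
type Manifest map[string]string

// Canonical is the byte string the vendor and every approver sign; encoding/json
// writes map keys in sorted order, so it is deterministic for a given manifest.
func (m Manifest) Canonical() []byte {
	b, _ := json.Marshal(m)
	return b
}

// Policy is what the bank trusts right now: current vendor keys, key IDs retired by rotation, approvers, quorum.
type Policy struct {
	VendorKeys   map[string]ed25519.PublicKey
	RevokedKeys  map[string]bool
	Approvers    map[string]ed25519.PublicKey
	MinApprovals int
}

type Release struct {
	Manifest    Manifest
	VendorKeyID string
	VendorSig   []byte
	Approvals   map[string][]byte // approver ID -> signature over Canonical()
	Payload     map[string][]byte // file name -> bytes actually delivered
}

func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Verify returns nil only if the key is current, the signature verifies, the quorum is met and the files match.
func Verify(p Policy, r Release) error {
	pub := p.VendorKeys[r.VendorKeyID]
	if pub == nil || p.RevokedKeys[r.VendorKeyID] {
		return fmt.Errorf("vendor key %q unknown or rotated out", r.VendorKeyID)
	}
	canon := r.Manifest.Canonical()
	if !ed25519.Verify(pub, canon, r.VendorSig) {
		return fmt.Errorf("vendor signature does not verify")
	}
	valid := 0 // approvers whose signature verifies; map keys keep them distinct
	for id, sig := range r.Approvals {
		if k := p.Approvers[id]; k != nil && ed25519.Verify(k, canon, sig) {
			valid++
		}
	}
	if valid < p.MinApprovals {
		return fmt.Errorf("%d valid approvals, quorum is %d", valid, p.MinApprovals)
	}
	if len(r.Payload) != len(r.Manifest) {
		return fmt.Errorf("payload has %d files, signed manifest lists %d", len(r.Payload), len(r.Manifest))
	}
	for name, data := range r.Payload { // covers altered bytes and files the manifest never listed
		if want, ok := r.Manifest[name]; !ok || digest(data) != want {
			return fmt.Errorf("%q unsigned or altered: rebuild the node from a known-good image", name)
		}
	}
	return nil
}

// Scenario runs Verify over four constructed releases (keys generated here, no real vendor data).
func Scenario() (clean, tampered, retiredKey, fewApprovals error) {
	vendPub, vendPriv, _ := ed25519.GenerateKey(rand.Reader)
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)
	bin := []byte("constructed routing binary 2.4.1")
	m := Manifest{"router.bin": digest(bin)}
	canon := m.Canonical()
	pol := Policy{
		VendorKeys:   map[string]ed25519.PublicKey{"vendor-2026": vendPub, "vendor-2025": oldPub},
		RevokedKeys:  map[string]bool{"vendor-2025": true}, // retired when keys were rotated
		Approvers:    map[string]ed25519.PublicKey{"ops-a": aPub, "ops-b": bPub},
		MinApprovals: 2,
	}
	good := Release{Manifest: m, VendorKeyID: "vendor-2026", VendorSig: ed25519.Sign(vendPriv, canon),
		Approvals: map[string][]byte{"ops-a": ed25519.Sign(aPriv, canon), "ops-b": ed25519.Sign(bPriv, canon)},
		Payload:   map[string][]byte{"router.bin": bin}}
	clean = Verify(pol, good)
	bad := good // same signatures, different bytes on the wire
	bad.Payload = map[string][]byte{"router.bin": []byte("constructed routing binary 2.4.1 (altered)")}
	tampered = Verify(pol, bad)
	old := good // correctly signed, but with the key that rotation retired
	old.VendorKeyID, old.VendorSig = "vendor-2025", ed25519.Sign(oldPriv, canon)
	retiredKey = Verify(pol, old)
	short := good // only one of the two required approvers signed
	short.Approvals = map[string][]byte{"ops-a": good.Approvals["ops-a"]}
	fewApprovals = Verify(pol, short)
	return
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `<nil>` for the clean release and a reason for each of the three rejections. Two design points matter for the scenario the article describes: the retired key is still listed under `VendorKeys` yet is refused because it appears in `RevokedKeys`, which is what "rotate and revalidate" has to mean in practice (an adversary holding a stolen signing key can still produce valid signatures, so trust must be withdrawn by policy, not by the signature check); and the file comparison iterates over what was delivered, not over the manifest, so an extra file slipped into the payload is rejected as an unsigned change rather than silently installed.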
What banks and corporates should expect next
Expect more disruption in the near term. Full restoration will require both technical fixes and confidence-building: banks need independent attestations that update channels and signing keys are uncompromised. That validation can take several days for the largest correspondent processors and longer for banks that rely on nested vendor stacks.
For corporate treasurers, the immediate actions are simple but painful: adjust payment timings, prioritize critical supplier payments, and prepare for manual reconciliation that may increase operational costs. Several large multinational treasuries have already shifted liquidity buffers to local clearing windows to avoid failed cross-border legs.
Meanwhile, law enforcement and international cybersecurity task forces are tracing the origin of the signed artifacts and the credential theft. Attribution will take time; past incidents of this complexity have pointed to organized, well-resourced groups that blend criminal and state-level tradecraft.
The most significant figure available now: preliminary industry tallies suggest the breach disrupted correspondent services at 120+ banks across 38 countries, and payment instruction backlogs surged to an estimated 350,000 messages in the first 24 hours — a scale that turned a software-integrity failure into a global liquidity and operational event.
