Bangladesh's Binary Challenge: Connectivity Boom Meets Cybersecurity Crisis
As Bangladesh rapidly digitalises, it faces escalating cybersecurity threats despite efforts to bolster national cyber resilience. Rampant cybercrimes targeting institutions and citizens underscore the urgency of addressing digital vulnerabilities.
Bangladesh's digital transformation is accelerating. As of early 2023, well over a third of the population was online, approximately 77 million people. At least a quarter of all Bangladeshis, some 45 million people (most of them male), are also regular social media users. And while the rapid penetration of digital devices, social networks and technological systems is stimulating positive changes to governance, commerce and civic action, it also has a dark side. Rising digital dependencies are generating cyber threats and vulnerabilities, what SecDev describes as “digital harms”.
Despite extensive investments in cybersecurity, Bangladesh faces mounting risks from foreign and domestic threat actors
Bangladesh’s national authorities take cybersecurity seriously. Building on a National ICT Policy released in 2009 and a Digital Security Act in 2018, the public authorities established a National Cybersecurity Strategy in 2021. Along with a Cyber Tribunal and a Computer Security Incident Response Team (BGD e-GOV CIRT), the national authorities also stood up a Cyber Police Center (CPC) in 2017 with as many as 600 personnel focused on cyber investigations and digital forensics as well as social media monitoring. Notwithstanding concerns about uneven enforcement, the International Telecommunication Union (ITU) described Bangladesh’s cybersecurity preparedness as a “positive outlier” among least developed countries. The country ranked 53 out of 182 in the 2020 Global Cybersecurity Index.
Despite Bangladesh’s extensive investments in cybersecurity, the country faces mounting risks from foreign and domestic threat actors. In many cases, state institutions themselves are targeted. In late June 2023, for example, independent researchers discovered that the private information of at least 50 million citizens was exposed due to a leaky National Identification (NID) database. Although the BGD e-GOV CIRT was alerted and the government shut down the site, it is unclear how much data was illegally retrieved. Meanwhile, fraudulent websites and phishing campaigns proliferated during the pandemic, with the national COVID-19 vaccination site suffering repeated attacks. In March, hackers demanded $5 million in ransom from Biman Bangladesh while holding 100 gigabytes of non-public data hostage. A rapid analysis by SecDev has also revealed that multiple critical infrastructure websites lack rudimentary cybersecurity features like SSL encryption (they are served over http instead of https). No surprise, then, that despite international accolades, the BGD e-GOV CIRT describes Bangladesh as “one of the most vulnerable countries in cyberspace”.
Bangladesh’s military, law enforcement agencies and critical infrastructure are also routinely targeted by cyber threats. For example, email service domains connected to the Bangladesh navy, air force and army as well as police agencies are regularly subjected to phishing attempts. In August 2021, the BGD e-GOV CIRT issued a nationwide cyber alert after observing several Distributed Denial of Service (DDoS) attacks targeting mission-critical infrastructures across the country (Bangladesh ranks sixth in the APAC region for DDoS attacks). Since 2021, national authorities have documented close to 15,000 IP addresses from Bangladesh identified as compromised by malware, possibly indicative of ransomware attack strategies.
Among the most commonly attacked entities in Bangladesh are banks and financial institutions. In some cases, technicians associated with the SWIFT network themselves are believed to have introduced vulnerabilities into banking software. A Bangladesh Institute of Bank Management (BIBM) report from 2020 noted that over 52 percent of all banks faced “grave risks” of cyber compromise. There are signs that foreign actors are involved, as was the case in 2016 when North Korean hackers used malware in an attempt to steal close to USD 1 billion from the central bank (and made off with $63 million). And in 2019, three local private banks in Bangladesh were victims of hackers who stole around USD 3 million from cash machines in Cyprus, Russia and Ukraine using cloned credit cards.
Cybercrimes target Bangladeshi citizens and not just public and private institutions
Cybercrimes are not just targeting public and private institutions; they are also homing in on Bangladeshi citizens. SecDev’s digital harms monitoring system revealed that Bangladeshi citizens, especially women and girls, are victims of cybercrimes. Drawing on publicly available data between 2019 and 2023, SecDev identified over 300 cases of cybercrimes. In more than one-third of these cases women and girls were victims of social media-enabled sexual exploitation, online harassment and blackmailing, or “sextortion”. In SecDev’s taxonomy of digital harms, these incidents are considered ‘cyber-enabled offenses’ and include crimes committed using digital technologies for personal or financial gain or harm. Virtually all the cases involved the involuntary sharing of private images of victims online. In some cases, perpetrators raped victims and later uploaded photos and videos, with at least 10 victims subsequently committing suicide. Comparatively low levels of digital awareness and hygiene are making a bad problem potentially much worse.
Online scamming is a common digital harm identified by SecDev. A total of 53 people were arrested in 24 scamming incidents in 2022 alone, including for fraudulent e-commerce practices. Throughout 2021-2022, the e-commerce sector in Bangladesh also registered large-scale scams, including on popular sites (e.g. Evaly and E-Orange). At least $34 million worth of “advance payments” by customers and merchants on the Evaly platform in the first few months of 2023 could not be traced. In spite of increased measures to improve awareness and prevent scamming, increasing digitalization invariably opens up new possibilities for cybercrime involving mobile-based money transfer and payment services. SecDev has likewise uncovered evidence of online immigration scams targeting would-be migrants.
Online gambling is another phenomenon generating widespread digital harm. The gradual penetration of the internet has expanded access to betting sites and online casinos, many of them operated from outside Bangladesh. Gambling is illegal in Bangladesh even if the legality of online gambling is blurred. Nevertheless, it is aggressively targeted by law enforcement agencies in Bangladesh. SecDev identified 18 incidents (4 percent of total) that led to the arrest of over 70 individuals. In at least one case, online gambling led to a reported suicide. According to news reports, many youth are becoming addicted to online gambling, which has also contributed to debt-related crime as well as self-harm.
Violent extremist groups are also increasingly turning to cybercrime
Beyond financial losses, the human costs of digital harms are profound. For example, hackers have reportedly infiltrated Facebook accounts and extorted ex-partners. When victims fail to pay up, perpetrators publish intimate and compromising photos and videos. One Bangladeshi individual was recently exposed in international sextortion and child pornography enterprises. Police also busted a sexploitation gang selling illegal videos to 400,000 subscribers using Telegram groups. According to the Bangladesh National Woman Lawyer Association, an average of 11 women commit suicide annually due to cybercrime. The Police Cyber Support for Women (PSCW) unit, responsible for handling cybercrimes targeting women, receives over 13,000 complaints annually.
SecDev has also detected the spread of online violent extremist propaganda and radicalization. While ostensibly “criminal”, it is also increasingly normalized. Notwithstanding a decline of incidents of terrorist activity in the country, online content seeking to radicalize Bangladeshis has accelerated. Violent extremist groups are also themselves heavily involved in spamming and hacking websites and social media profiles of secular activists and commentators. Many seek to disable content deemed un-Islamic using various techniques including coordinated reporting, false copyright claims, as well as conventional hacking tools.
SecDev has identified several Facebook groups with thousands of members involving al Qaeda sympathizers. Sympathetic channels and influencers urge readers to target social media accounts and websites considered to be unfaithful to Islamic Shariah. For example, on July 11, 2023, the An-Nusrah Islamic Cyber Squad attacked and removed content from the Facebook page of Asad Noor, a secular activist. On the same day, they threatened Asif Mohiuddin, another activist who was attacked by AQIS-affiliated terrorists in 2013 but survived. Both Asad Noor and Asif Mohiuddin had to flee the country and are currently living abroad. The Facebook group also claimed that they had previously taken down websites from the United States, France and Israel. SecDev has likewise exposed cybersecurity and hacking tutorials published by violent extremist groups to train online fighters. While they have refrained from large-scale cyber attacks, this does not discount mounting threats in the future.
SecDev is a next-generation consultancy firm working at the intersection of geopolitical, digital, urban, energy and cyber risk. Our mission is to deliver high-quality, data-driven advice and solutions powered by seamlessly integrated human and artificial intelligence. Our global network and ability to see ahead of the curve earn us the trust of global leaders in business, government, and intergovernmental organizations. We foster transformative change and create enduring value for a better, more secure future.