Representatives of Cosmos Bank, India's second-largest cooperative bank, revealed this week that hackers breached the bank's servers over the weekend and stole over 940 million rupees ($13.5 million) across three days.

The incident is still under investigation, and the exact date of the intrusion is unknown, but the bank said yesterday that hackers stole money from its accounts in three waves, across three days.

How the hack unfolded

According to the bank and local media, the first two thefts occurred on Saturday, August 11. Hackers withdrew 805 million rupees ($11.4 million) in 14,849 ATM transactions across 28 countries.

The first stage included 12,000 ATM withdrawals via the VISA card system for 780 million rupees ($11 million), with the vast transactions taking place mainly overseas.

A second stage of the attack took place two hours later when hackers also withdrew an additional 25 million rupees ($400,000) via 2,849 ATM transactions via the Rupay debit card system at ATM locations across India.

Cosmos Bank said it detected these suspicious withdrawals while they were taking place and intervened to stop the attack and secure its system.

But hackers remained in the bank's network, and on Monday, August 13, they initiated a third theft by using the bank's SWIFT inter-banking system to send three transactions to a bank account in Hong Kong for another 139 million rupees ($2 million).

Attack traced to Canada, according to first statements

The bank reported the hacks to authorities and disclosed the incidents to the general public in a press conference on Tuesday.

Cosmos Bank said no money was taken from customer accounts, and all losses will be supported by the bank, according to international banking standards.

The bank said it's still investigating the technical details of the attack but revealed that hackers used something called a "proxy switch" to funnel fraudulent payment approvals to the bank's network.

Current evidence suggests the attack came from Canada, but it's highly likely that this was just a relay point attackers used to mask their real location.

There has been a flurry of hacks of banks and financial institutions in the past years, from both nation-state actors and Eastern European hackers. With so many groups active, it's hard to point the finger at a specific threat actor so early in the investigation.