NPCI, SBI, and HDFC targeted by ransomware and DDoS in India's worst banking cyberattack year. 580 million data records exposed. State actors from North Korea and China suspected by CERT-In.
Audio version coming soon
Between January and May 2026, India's banking and payments infrastructure faced its most severe coordinated cyberattack sequence in recorded history. Three major institutions were targeted in overlapping campaigns. First, in February, the National Payments Corporation of India (NPCI) — which operates UPI, RuPay, and IMPS — faced a prolonged Distributed Denial of Service (DDoS) attack that disrupted UPI transactions for 14 hours across peak trading hours. Second, in March, the State Bank of India (SBI) disclosed a breach involving a third-party vendor's system that exposed transaction metadata for approximately 280 million accounts over a three-week window. Third, in April, HDFC Bank's corporate banking portal was hit by a ransomware attack (identified as a variant of the LockBit 4.0 strain), which encrypted backend credit systems and forced manual processing for 72 hours. CERT-In (India's national cyber response team) issued emergency advisories after each incident and opened formal investigations. The RBI's Cyber Resilience Framework, updated in January 2026, was immediately invoked to compel all scheduled commercial banks to submit incident reports within 6 hours.
India's financial digital infrastructure grew faster than its security posture. The UPI ecosystem, which processed ₹199 lakh crore worth of transactions in FY25, became one of the world's most significant real-time payment systems — and therefore one of the most attractive targets for state-sponsored and criminal hackers. Three structural factors created vulnerability. First, concentration risk: UPI routes through NPCI's central switch, creating a single-point-of-failure that no amount of redundancy has fully mitigated. Second, third-party supply chain exposure: India's major banks use dozens of fintech partners, data analytics firms, and cloud service providers — each with varying security standards. The 2022 Juspay breach (100 million card fingerprints) and the 2023 MobiKwik data leak were early warnings that went partially unheeded. Third, global state-actor escalation: following Russia's Ukraine invasion, North Korea's Lazarus Group ramped up financial institution attacks globally to fund sanctions-busted weapons programmes. India — with its large English-language banking ecosystem and relatively immature cyber defence — was identified as a soft target.
Unread picks stay on top. Fresh stories may appear as they are ready — no extra loading.
UnreadEight Google Brain engineers published 'Attention Is All You Need.' In five years it reorganized the tech industry around one architecture and gave OpenAI the building blocks for ChatGPT.
UnreadGlobal multinationals now run almost every critical function — AI research, legal ops, finance, product design — from India. The GCC industry hit $64 billion in revenue in FY25 and is on track.
UnreadA non-profit (NPCI), one API standard, and an RBI policy bet built the world's largest real-time payments rail — making even small Indian merchants deeply digital.
Lazarus Group (North Korea) — CERT-In's April 2026 technical indicators of compromise linked the HDFC ransomware strain's command-and-control infrastructure to known Lazarus Group servers, consistent with the group's global bank-targeting campaigns. APT41 (China-linked) — attributed by cybersecurity firm CloudSEK to the NPCI DDoS campaign, which used a botnet pattern previously seen in attacks on South Asian financial institutions. CERT-In (Indian Computer Emergency Response Team) under Sanjay Bahl (Director General) — coordinated all three response efforts, published indicators of compromise, and invoked emergency measures. RBI's Cyber Security Unit — mandated 6-hour incident reporting and deployed on-site teams to SBI and HDFC. Infosys BPM and TCS — the outsourced IT vendors operating backend systems for SBI and NPCI respectively; both were scrutinised for third-party security gaps. Ministry of Finance — convened an emergency task force in April 2026 following the HDFC attack to fast-track the Data Protection and Cybersecurity (Banking) Rules under the new DPDP Act.
In 2020, CERT-In had a staff of roughly 50 analysts and processed around 1.4 million cybersecurity incident reports annually. Banks reported breaches voluntarily and often delayed by weeks. The RBI's IT Framework for banks (2016) was the primary regulatory instrument — useful but outdated for the era of ransomware-as-a-service and nation-state attacks. By 2026, the picture is more robust but still inadequate for the threat. CERT-In's staff has tripled to 150+. The Digital Personal Data Protection Act (2023) mandates data breach disclosure. The RBI's Cyber Resilience Framework (January 2026) imposes 6-hour incident reporting, sector-wide threat intelligence sharing, and mandatory third-party security audits annually. However, India's National Cyber Coordination Centre (NCCC) — intended to be a real-time threat intelligence hub — remains under-resourced and lags China's equivalent (CNCERT) by a decade. The 2026 attacks happened despite all these improvements because attackers evolve faster than defenders, and India's financial sector's attack surface expanded 10x between 2019 and 2026 alongside the UPI boom.
Five structural changes are necessary to prevent recurrence at scale. First, decentralise NPCI's UPI switch architecture — the current centralised model is inherently fragile; a federated approach with multiple processing nodes reduces DDoS impact significantly. Second, mandate zero-trust architecture across all scheduled commercial banks for inter-bank API communications by 2027 — RBI has proposed but not yet enforced this. Third, fund a national threat intelligence fusion centre under the Home Ministry with dedicated staff from IB, RAW, and military intelligence to attribute and respond to state-actor attacks. Fourth, legislate minimum cybersecurity standards for fintech third parties that handle more than 1 million transaction records annually. Fifth, create a national cyber insurance pool — currently India's banking sector's cyber insurance penetration is less than 15%, meaning most breach losses fall directly on affected institutions. The cost of the 2026 attacks — in remediation, reputational damage, and regulatory fines — has been estimated at ₹4,500 crore across all three affected institutions. The cost of prevention would have been a fraction of that.
The 2026 banking cyberattacks are not just a security failure — they are a warning about the consequences of building a digital economy faster than the governance structures that protect it. India's UPI revolution is one of the world's most remarkable financial inclusion stories: 580 million Indians now transact digitally, rural merchants accept payments on smartphones, and micro-transactions of ₹1 are processed at scale. But this success created a surface area of risk that is now being exploited by state actors who understand that disrupting India's payments infrastructure is more economically damaging than any traditional military action. The long-term impact and lesson is clear: digital infrastructure is now strategic infrastructure, indistinguishable from power grids, water systems, and defence communications in its importance to national security. Nations that treat it otherwise — regulating it as a consumer service rather than a critical national asset — invite exactly the kind of attack India experienced in 2026. The shape of future conflict is hybrid: economic, informational, and digital. India's experience should accelerate not just domestic hardening but a push for international norms against state-sponsored financial cyberattacks — starting with BRICS and the G20 digital economy frameworks India championed during its 2023 presidency.
Chronology
Follow the arc from background to turning points. On mobile, swipe the cards and use the step rail below; on desktop, use the spine to jump.
Indian payment gateway Juspay confirms a data breach affecting 100 million masked card records. The incident reveals systemic gaps in fintech supply chain security that regulators fail to address comprehensively.
A massive DDoS attack on NPCI's UPI infrastructure disrupts 14 crore daily UPI transactions for 14 hours. CERT-In links the attack to APT41 botnet infrastructure. The RBI emergency protocol is invoked for the first time.
SBI discloses a breach through a third-party analytics vendor that exposed transaction metadata for approximately 280 million accounts. The breach lasted three weeks before detection. SBI becomes India's largest financial data breach.
HDFC Bank's corporate banking portal is encrypted by LockBit 4.0 ransomware, forcing 72 hours of manual credit processing. CERT-In links the attack to Lazarus Group. Government convenes emergency cybersecurity task force.
The Reserve Bank of India mandates an emergency 60-day cyber resilience audit of all 12 public sector banks and top 10 private banks, requiring third-party security assessments and zero-trust architecture roadmaps submitted by July 2026.
Step 1/5 events
Understand why it happened, how we got here, and what might come next.