Comprehensive Analysis of Recently Exposed Attacks on Bank SWIFT Systems (original title: 关于近期曝光的针对银行SWIFT系统攻击事件综合分析)

2016-08-25 Qihoo360 Comprehensive analysis of recently exposed bank SWIFT system attacks

https://blogs.360.cn/post/%E5%85%B3%E4%BA%8E%E8%BF%91%E6%9C%9F%E6%9B%9D%E5%85%89%E7%9A%84%E9%92%88%E5%AF%B9%E9%93%B6%E8%A1%8Cswift%E7%B3%BB%E7%BB%9F%E6%94%BB%E5%87%BB%E4%BA%8B%E4%BB%B6%E7%BB%BC%E5%90%88%E5%88%86%E6%9E%90.html

The 360 analysis links the 2016 Bangladesh Bank SWIFT theft, the 2015 Tien Phong Bank incident, and the earlier Ecuadorian and Sonali Bank cases through a shared pattern: obtain access to the bank's SWIFT environment, issue fraudulent transfer instructions, then manipulate or delete records so the theft is not noticed until the funds are gone.

For Bangladesh Bank, the malware altered SWIFT Alliance Access behavior by patching the permission check in liboradb.dll, read its configuration from gpca.dat, intercepted and tampered with MT900 debit confirmations so the fraudulent debits would not surface in the bank's own records, reported operator login/logout state to its C2 server, and deleted logs, data, and its own service once the operation window closed. The analysis lists concrete operational artifacts, including the C2 address 196.202.103.174, SWIFT and Oracle paths under D:\Alliance\Access, printer-related paths, and the commands used to hijack and later restore nroff.exe. The practical consequence for defenders is that logs and printed confirmations produced on the compromised Alliance host cannot be trusted; detection and reconciliation have to rely on records the malware did not control.

The authors found a secure-delete function shared by the Bangladesh Bank and Tien Phong Bank malware and by Lazarus-associated activity such as DarkSeoul and the Sony intrusion, but explicitly caution that this single artifact is not strong enough to attribute the bank attacks to Lazarus: the code may have been publicly available, or reused deliberately as a false lead.
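The following is an added example and is not code from the 360 analysis, from BAE, or from SWIFT. It applies the artifacts named above (the C2 address 196.202.103.174, the D:\Alliance\Access install path, the liboradb.dll and nroff.exe binaries) as host and network checks over constructed data, and it reconciles MT900 debit confirmations against a ledger taken from a source the Alliance host does not control, which is the control that confirmation tampering defeats when the ledger comes from the compromised host itself. The \common\bin subdirectory, the baseline digests, the log line format, the file names nroff.exe.bak and prt.exe, and the MT900 texts are all assumptions or constructed sample data.

```python
# Added example, not code from the 360 or BAE analyses. Sweeps for the named artifacts and
# reconciles MT900 debit confirmations against an independent ledger.
from __future__ import annotations

import hashlib
import re
from decimal import Decimal

# The only network indicator the analysis names. Everything else in this file is constructed.
C2_IPS = {"196.202.103.174"}
ALLIANCE_ROOT = r"D:\Alliance\Access"          # install path named in the analysis
BIN_DIR = ALLIANCE_ROOT + r"\common\bin"        # ASSUMED subdirectory, not taken from the page


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_alliance_binaries(host_files: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """host_files: path -> bytes as found on the Alliance host; baseline: path -> known-good SHA-256.
    A changed digest matches the patched liboradb.dll; a missing binary matches nroff.exe being
    moved aside for the print hijack; an unexpected binary in the directory is the stand-in."""
    findings = []
    for path, digest in baseline.items():
        if path not in host_files:
            findings.append(f"MISSING {path}")
        elif sha256_hex(host_files[path]) != digest:
            findings.append(f"MODIFIED {path}")
    for path in host_files:
        if path not in baseline and path.lower().endswith((".exe", ".dll")):
            findings.append(f"UNEXPECTED {path}")
    return findings


# Constructed iptables-style log shape; adapt the pattern to the real firewall or proxy format.
FLOW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)")


def scan_connection_log(lines: list[str]) -> list[tuple[str, str, int]]:
    """Return (timestamp, source, destination port) for every flow to a listed C2 address."""
    hits = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m and m["dst"] in C2_IPS:
            hits.append((line.split()[0], m["src"], int(m["dpt"])))
    return hits


# Block-4 fields of an MT message: ":tag:" then text up to the next tag or the closing "-}".
MT_FIELD_RE = re.compile(r":(\d{2}[A-Z]?):(.*?)(?=\n:|\n-\}|\Z)", re.S)


def parse_mt900(text: str) -> dict:
    """Pull the fields of an MT900 debit confirmation that reconciliation needs:
    :21: related reference, :25: account, :32A: YYMMDD + currency + amount (comma decimal)."""
    fields = {tag: value.strip() for tag, value in MT_FIELD_RE.findall(text)}
    value_date = fields["32A"]
    return {"ref": fields["21"], "account": fields["25"], "date": value_date[:6],
            "ccy": value_date[6:9], "amount": Decimal(value_date[9:].replace(",", "."))}


def reconcile(confirmations: list[str], ledger: dict[str, Decimal]) -> list[str]:
    """Compare the MT900s that reached the bank with debits from a source the Alliance host does
    not control (here a constructed correspondent statement). A ledger debit with no confirmation
    means one was suppressed; a different amount means it was altered; a confirmation with no
    ledger entry is spurious."""
    confirmed = {m["ref"]: m["amount"] for m in map(parse_mt900, confirmations)}
    issues = []
    for ref, amount in ledger.items():
        if ref not in confirmed:
            issues.append(f"NO CONFIRMATION {ref} {amount}")
        elif confirmed[ref] != amount:
            issues.append(f"AMOUNT MISMATCH {ref} confirmed={confirmed[ref]} ledger={amount}")
    issues.extend(f"UNEXPECTED CONFIRMATION {ref}" for ref in confirmed.keys() - ledger.keys())
    return sorted(issues)


def demo() -> dict:
    """Run all three checks over constructed data."""
    clean_dll, clean_nroff = b"clean liboradb.dll", b"clean nroff.exe"    # stand-ins for binaries
    baseline = {BIN_DIR + r"\liboradb.dll": sha256_hex(clean_dll),
                BIN_DIR + r"\nroff.exe": sha256_hex(clean_nroff)}
    host_files = {BIN_DIR + r"\liboradb.dll": b"patched liboradb.dll",    # permission check patched
                  BIN_DIR + r"\nroff.exe.bak": clean_nroff,                # real nroff.exe moved aside
                  BIN_DIR + r"\prt.exe": b"attacker stand-in"}            # constructed name
    log = ["2016-02-04T12:14:07Z fw01 ACCEPT SRC=10.20.30.40 DST=196.202.103.174 DPT=443",
           "2016-02-04T12:15:01Z fw01 ACCEPT SRC=10.20.30.40 DST=10.20.30.5 DPT=1521"]
    confirmations = [":20:TRN001\n:21:REF-A1\n:25:123456789\n:32A:160204USD1000000,00\n-}",
                     ":20:TRN003\n:21:REF-C3\n:25:123456789\n:32A:160204USD500,00\n-}"]
    ledger = {"REF-A1": Decimal("1000000.00"), "REF-B2": Decimal("20000000.00"),
              "REF-C3": Decimal("5000000.00")}
    return {"binaries": check_alliance_binaries(host_files, baseline),
            "c2_hits": scan_connection_log(log),
            "reconciliation": reconcile(confirmations, ledger)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, *result, sep="\n  ")
```

The reconciliation step is the one that would have mattered most here: a file-integrity check only fires if a baseline exists and the host is swept, and the C2 address is only useful after it is known, but a debit that the correspondent bank reports and the Alliance host never confirms is visible on day one if the two records are compared outside the compromised system.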

Indicators of Compromise

Type   Value                              First Seen   Last Seen
URL    https://www.swift.com/insights/…   2016-08-25   2016-08-25
URL    https://ibanking.standardbank.c…   2016-08-25   2016-08-25
URL    http://bobao.360.cn/learning/de…   2016-08-25   2016-08-25
URL    https://www.newyorkfed.org/news…   2016-08-25   2016-08-25
URL    https://www.swift.com/insights/…   2016-08-25   2016-08-25
URL    https://www.swift.com/insights/…   2016-08-25   2016-08-25
URL    https://www.swift.com/insights/…   2016-08-25   2016-08-25
IPv4   196.202.103.174                    2016-04-25   2016-08-25

Only the IPv4 entry is attacker infrastructure named in the analysis (the C2 address). The URL entries are truncated reference links from the report (SWIFT, the New York Fed, Standard Bank, and 360's own bobao.360.cn post) that the indicator feed extracted alongside it; they are sources to read, not addresses to block.
