Thursday 30 January 2020

What Really Happened At The Bangladesh Bank robbery (Bangladesh Bank cyber heist)

The Bangladesh Bank robbery, also known colloquially as the Bangladesh Bank cyber heist, took place in February 2016, when thirty-five fraudulent instructions were issued by security hackers via the SWIFT network to illegally transfer close to US $1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank, the central bank of Bangladesh. Five of the thirty-five fraudulent instructions were successful in transferring $101 million, with $20 million traced to Sri Lanka and $81 million to the Philippines. The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to $850 million, due to suspicions raised by a misspelled instruction. All the money transferred to Sri Lanka has since been recovered. However, as of 2018 only around $18 million of the $81 million transferred to the Philippines has been recovered. Most of the money transferred to the Philippines went to four personal accounts, held by single individuals, and not to companies or corporations. It was later suspected that Dridex malware was used for the attack.



The Federal Reserve Bank of New York shares a large portion of the blame for this cyber heist because it failed to notice warning signs early enough, due to worrying weaknesses and disarray at its Central Bank and International Account Services (CBIAS) unit. The Federal Reserve Bank of New York lacked a system for detecting possible fraud in real time, although such systems are used everywhere; instead, it relied on random checks, and only after payments were made. Usually these simple checks were for detecting United States sanctions violations and not fraud or theft. The suspicious activities of the staff at the Rizal Commercial Banking Corp (RCBC) in the Philippines cannot be ignored either, because they acted with lightning speed to launder the money out of the bank and into the gambling industry, in complete violation of the Philippines' anti-money laundering laws and in total disregard of the instructions of the central bank of the Philippines, which had ordered a freeze on the accounts. Nearly one year before the robbery, the Governor of Bangladesh Bank had foreseen cyber security vulnerabilities and had hired an American cyber security firm to bolster the firewall, network and overall cyber security of the bank. However, due to multiple bureaucratic hurdles, the security firm could not join and it only started its operations in Bangladesh after the cyber heist.

The 2016 cyber-attack on the Bangladesh central bank was not the first attack of its kind. In 2013, the Sonali Bank of Bangladesh was also successfully targeted by hackers who were able to remove US$250,000.

In both cases, the perpetrators were suspected to have been aided by insiders within the targeted banks, who assisted in taking advantage of weaknesses in the banks' access to the SWIFT global payment network.

Capitalizing on weaknesses in the security of the Bangladesh central bank, including the possible involvement of some of its employees,[10] perpetrators attempted to steal $951 million from the Bangladesh central bank's account with the Federal Reserve Bank of New York sometime between February 4–5 when Bangladesh Bank's offices were closed. The perpetrators managed to compromise Bangladesh Bank's computer network, observe how transfers are done, and gain access to the bank's credentials for payment transfers. They used these credentials to authorise about three dozen requests to the Federal Reserve Bank of New York to transfer funds from the account Bangladesh Bank held there to accounts in Sri Lanka and the Philippines.

Thirty transactions worth $851 million were flagged by the banking system for staff review, but five requests were granted: $20 million to Sri Lanka (later recovered), and $81 million lost to the Philippines, entering the Southeast Asian country's banking system on February 5, 2016. This money was laundered through casinos and some was later transferred to Hong Kong.

Attempted fund diversion to Sri Lanka

The $20 million transfer to Sri Lanka was intended by hackers to be sent to the Shalika Foundation, a Sri Lanka-based private limited company. The hackers misspelled "Foundation" in their request to transfer the funds, spelling the word as "Fundation". This spelling error aroused the suspicion of Deutsche Bank, a routing bank, which put a halt to the transaction in question after seeking clarifications from Bangladesh Bank.

Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting the transaction as too big for a country like Sri Lanka. Pan Asia Bank was the one which referred the anomalous transaction to Deutsche Bank. The Sri Lankan funds have been recovered by Bangladesh Bank.

Funds diverted to the Philippines

The money transferred to the Philippines was deposited in five separate accounts with the Rizal Commercial Banking Corporation (RCBC); the accounts were later found to be under fictitious identities. The funds were then transferred to a foreign exchange broker to be converted to Philippine pesos, returned to the RCBC and consolidated in an account of a Chinese-Filipino businessman; the conversion was made from February 5 to 13, 2016. It was also found that the four U.S. dollar accounts involved were opened at the RCBC as early as May 15, 2015, remaining untouched until February 4, 2016, the date the transfer from the Federal Reserve Bank of New York was made.

On February 8, 2016, during the Chinese New Year, Bangladesh Bank informed RCBC through SWIFT to stop the payment, refund the funds, and to "freeze and put the funds on hold" if the funds had already been transferred. Chinese New Year is a non-working holiday in the Philippines and a SWIFT message from Bangladesh Bank containing similar information was received by RCBC only a day later. By this time, a withdrawal amounting to about $58.15 million had already been processed by RCBC's Jupiter Street (in Makati City) branch.

On February 16, the Governor of Bangladesh Bank requested Bangko Sentral ng Pilipinas' assistance in the recovery of its $81 million funds, saying that the SWIFT payment instructions issued in favor of RCBC on February 4, 2016 were fraudulent.

Bangladesh

Initially, Bangladesh Bank was uncertain if its system had been compromised. The governor of the central bank engaged World Informatix Cyber Security, a US-based firm, to lead the security incident response, vulnerability assessment and remediation. World Informatix Cyber Security brought in the forensic investigation company Mandiant for the investigation. These investigators found "footprints" and malware of hackers, which suggested that the system had been breached. The investigators also said that the hackers were based outside Bangladesh. An internal investigation has been launched by Bangladesh Bank regarding the case.

The Bangladesh Bank's forensic investigation found that malware had been installed within the bank's system sometime in January 2016 and had gathered information on the bank's operational procedures for international payments and fund transfers.

The investigation also looked into an unsolved 2013 hacking incident at the Sonali Bank, wherein US$250,000 was stolen by still unidentified hackers. According to reports, just as in the 2016 central bank hack, the theft also relied on fraudulent fund transfers over the SWIFT global payment network. The incident was treated by Bangladeshi police authorities as a cold case until the suspiciously similar 2016 Bangladesh central bank robbery.

Philippines

The Philippines' National Bureau of Investigation (NBI) launched a probe and looked into a Chinese-Filipino who allegedly played a key role in the money laundering of the illicit funds. The NBI is coordinating with relevant government agencies including the country's Anti-Money Laundering Council (AMLC). The AMLC started its investigation of bank accounts linked to a junket operator on February 19, 2016. AMLC has filed a money laundering complaint before the Department of Justice against an RCBC branch manager and five unknown persons with fictitious names in connection with the case.

A Philippine Senate hearing was held on March 15, 2016, led by Senator Teofisto Guingona III, head of the Blue Ribbon Committee and Congressional Oversight Committee on the Anti-Money Laundering Act.[19] A closed-door hearing was later held on March 17. Philippine Amusement and Gaming Corporation (PAGCOR) has also launched its own investigation. On August 12, 2016, RCBC was reported to have paid half of the Ph₱1 billion penalty imposed by the Central Bank of the Philippines. Prior to that, the bank reorganized its board of directors by increasing the number of independent directors to 7 from the previous 4.

United States

FireEye's Mandiant forensics division and World Informatix Cyber Security, both US-based companies, investigated the hacking case. According to investigators, the perpetrators' familiarity with the internal procedures of Bangladesh Bank was probably gained by spying on its workers. In a separate report, the US Federal Bureau of Investigation (FBI) says that agents have found evidence pointing to at least one bank employee acting as an accomplice, with evidence pointing to several more people as possibly assisting hackers in navigating the Bangladesh Bank's computer system. The government of Bangladesh is considering suing the Federal Reserve Bank of New York in a bid to recover the stolen funds.

FBI suspicion of North Korea

Federal prosecutors in the United States have revealed possible links between the government of North Korea and the theft. U.S. prosecutors are reportedly at work building potential cases that would accuse North Korea of directing the theft of $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York. The report also said that to be included in the charges are "alleged Chinese middlemen," who facilitated the transfer of the funds after it had been diverted to the Philippines.

Some security companies, including Symantec Corp. and BAE Systems, say that the North Korea-based Lazarus Group, one of the world's most active state-sponsored hacking collectives, were probably behind the attack. They cite similarities between the methods used in the Bangladesh heist and those in other cases, such as the hack of Sony Pictures Entertainment in 2014, which U.S. officials also attributed to North Korea. Cybersecurity experts say Lazarus Group was also behind the WannaCry ransomware attack in May 2017 that infected hundreds of thousands of computers around the world.

Some or all of the stolen funds may eventually have found their way to North Korea. The FBI is examining North Korea's possible link to the hack, according to two officials with direct knowledge of the investigation.


US National Security Agency Deputy Director Richard Ledgett was also quoted as saying that, “If that linkage from the Sony actors to the Bangladeshi bank actors is accurate—that means that a nation state is robbing banks.”

The U.S. has charged a North Korean computer programmer with hacking the Bangladesh Bank, alleging this was carried out on behalf of the regime in Pyongyang. The same programmer has also been charged in connection with two other global cyber attacks: the WannaCry 2.0 virus and the 2014 Sony Pictures attack.

Other attacks

Computer security researchers have linked the theft to as many as eleven other attacks, and alleged that North Korea had a role in the attacks, which, if true, would be the first known incident of a state actor using cyberattacks to steal funds.

The Rizal Commercial Banking Corporation (RCBC) said it did not tolerate the illicit activity in the RCBC branch involved in the case. Lorenzo V. Tan, RCBC's president, said that the bank cooperated with the Anti-Money Laundering Council and the Bangko Sentral ng Pilipinas regarding the matter. Tan's legal counsel has asked the RCBC Jupiter Street branch manager to explain the alleged fake bank account that was used in the money laundering scam.

The RCBC's board committee also launched a separate probe into the bank's involvement in the money laundering scam. RCBC president Lorenzo V. Tan filed an indefinite leave of absence to give way to the investigation by the authorities on the case. On May 6, 2016, despite being cleared of any wrongdoing by the bank's internal investigation, Tan resigned as President of RCBC to "take full moral responsibility" for the incident. Helen Yuchengco-Dee, daughter of RCBC founder Alfonso Yuchengco, will take over the bank's operations. The bank also apologized to the public for its involvement in the robbery.

Bangladesh Bank chief, governor Atiur Rahman, resigned from his post amid the investigation of the central bank robbery and subsequent laundering of the money by the RCBC staff in the Philippines. He submitted his resignation letter to Prime Minister Sheikh Hasina on March 15, 2016. Before the resignation was made public, Rahman stated that he would resign for the sake of his country. After his resignation, Rahman defended himself by claiming that he had foreseen cyber security vulnerabilities one year ago and had hired an American cyber security firm to bolster the firewall, network and overall cyber security of the bank. However, he blamed bureaucratic hurdles for preventing the security firm from starting its operations in Bangladesh until after the cyber heist.

On August 5, 2016, the Bangko Sentral ng Pilipinas approved a ₱1 billion (US$52.92 million) fine against RCBC for its non-compliance with banking laws and regulations in connection with the bank robbery. This is the largest monetary fine ever approved by BSP against any institution. RCBC stated that the bank would comply with the BSP's decision and pay the imposed fine.

The Bangladesh Bank continued its efforts to retrieve the stolen money and had only recovered about $15 million, mostly from a gaming junket operator based in Metro Manila. In February 2019, the Federal Reserve pledged it would help Bangladesh Bank recover the money and SWIFT has also decided to help the central bank rebuild its infrastructure. The Bangladeshi central bank also believed that RCBC was complicit in the robbery, filing a legal case in the U.S. District Court for the Southern District of New York in early 2019 accusing the Philippine bank of "massive conspiracy". In response, RCBC filed a lawsuit accusing Bangladesh Bank of defamation, believing that Bangladesh Bank's claims are baseless.

The case threatened to reinstate the Philippines to the Financial Action Task Force on Money Laundering blacklist of countries that made insufficient efforts against money laundering. Attention was given to a potential weakness of Philippine authorities' efforts against money laundering after lawmakers in 2012 managed to exclude casinos from the roster of organizations required to report to the Anti-Money Laundering Council regarding suspicious transactions.

The case also highlighted the threat of cyber attacks to both government and private institutions by cyber criminals using real bank authorisation codes to make orders look genuine. SWIFT has advised banks using the SWIFT Alliance Access system to strengthen their cyber security posture and ensure they are following SWIFT security guidelines. Bangladesh is reportedly the 20th most cyber-attacked country, according to a cyber threat map developed by Kaspersky Lab, which runs in real time.

Being a bank robber is bad for the soul in more ways than one.

Imagine your plans are successful. How do you sleep if you believe there’s nowhere safe to stash your ill-gotten gains?

Other people’s worries, best ignored perhaps, other than as a useful plot device for novels and films.

Except that, in the case of the Philippines-based hackers who stole $100m of the Bangladesh Bank’s money from the Federal Reserve in New York last month, it turns out to be everybody’s problem.

If ever a story had international crime and globalisation running through it as a thread, this is it.

Like other central banks, Bangladesh Bank uses the Federal Reserve as part of its stewardship of Bangladesh’s $28bn foreign currency reserves.

Most of Bangladesh’s reserves can be traced to remittances sent by hard-working migrants in the Middle East and the toil of the millions of garment workers who help clothe Europe and North America, and are responsible for the bulk of the country’s export earnings.

Thanks to the Philippine Daily Inquirer breaking the story, the world knows now that $100m of Bangladesh Bank’s funds was digitally stolen from the Federal Reserve last month. And that the hackers attempted to steal a whole billion dollars, but were foiled by an elementary spelling mistake.

It all sounds like a pulp fiction that would have been rejected as implausible a year ago. But it happened.


A quartet of hackers opens accounts at a Philippines bank. Months later, they fraudulently execute transfer orders from the Bangladesh central bank’s holdings in New York to coincide with not just the usual long weekend of the combined Bangladesh and US working weeks, but also the Philippines’ special Monday closure for Chinese New Year.

This allows extra time for stolen funds to be sent to a Chinese national with casino connections and be converted into pesos and hard to trace chips.

Along the way, half a dozen global banks duly execute orders, making use where called for of the protocols set by the Society for Worldwide Interbank Financial Telecommunication (Swift) based in Belgium.

Fortuitously, one of the routing institutions, Deutsche Bank, seeks clarification of an instruction for $20m to be sent to a Sri Lankan non-profit, because the hackers misspelled “foundation” in the NGO’s name.

Alarm bells ring and Bangladesh Bank scrambles to work with its Philippines counterparts and money laundering investigators to get to the bottom of it all.

That would be a happy ending, if the stolen money turns out to be recoverable. But instead, it’s more likely to only be the start of a tangled web of inquiries and litigation. Already, there is something of a Mexican stand-off between Bangladesh, Philippines, and the US over culpability for the fraudulent transactions going through.

As the prime victim, Bangladesh Bank has a right to expect strict liability for its losses from the Federal Reserve.

But equally the Federal Reserve will want to point to possible holes in BB’s internal security measures.

Throw in the Fed’s concern about the reputational damage of having to explain to its customers (essentially all the world’s banks) how funds earned by millions of poor Bangladeshi workers, were so readily stolen, and the only happy people left in the room will be everyone’s lawyers.

It is not known yet whether there was collusion by complicit individuals which enabled the hackers to mimic BB’s security protocols and passwords, or if the gang simply used diabolical malware to steal them. Take your pick. Either way, it does not change the fact Bangladesh Bank is the victim here.

And that systems used by the world’s most secure bank were spectacularly breached.

Ah, but wait a minute, chorus a plethora of comics and commenters on newspaper websites. Hallmark and various frauds in state-owned banks were a bigger loss for Bangladeshi tax-payers, weren’t they? And didn’t leading banks bankrupt the global financial system in 2008 by gambling trillions of dollars of other people’s money on worthless derivatives?

Well yes, that’s all true. But like should be compared with like.

Bangladesh Bank’s track record on repaying multilateral debt and managing international obligations is a sound one, particularly when compared to the government’s record in controlling state-owned banks. It is self-flagellation to imply as some do, that just because Bangladesh scores poorly on Transparency International’s corruption perception index, this cyber fraud is “just another” scandal to add to the list.

It is not. It is a scarily large and almost wholly successful international robbery. The entire point of systems adopted by Bangladesh Bank, the Federal Reserve, and Swift is to prevent theft, and in this case they were short-circuited.

Little light will be shed by pointing to the crony capitalism and corruption which underlay the many scandals that have plagued Bangladesh state-owned banks. Or for that matter similar dynamics at play in the lobbying that prevents US politicians from fixing the system that gave impunity to reckless Wall Street bankers. Not to mention (but I will) prolonged attempts by successive British governments to suppress reports on corruption allegations in the $40 billion plus Al-Yamamah oil for arms deal with Saudi Arabia in 1984. All these things matter. Venality knows no boundary. But, none of this makes it easier to steal from the Federal Reserve.  If it did, the Fed would be successfully robbed every day.

Of course, this sorry tale makes it imperative that Bangladesh Bank and the Federal Reserve do more to make security procedures as secure as they are meant to be. But let’s not overlook the human interest in the story of the Bangladesh cyber-heist. The greed of the cunning individuals involved does not need elaborate theories to be explained. It is the sheer size of the hackers’ ambitions that intrigues and appalls in equal measure.

To appreciate the scale of their theft, take a look at this week’s sentencing in London of the career criminals found guilty of last year’s Hatton Garden jewellery vault raid, which prosecutors called the biggest burglary in English legal history.

As an analogue “hole in the wall job,” carried out over last year’s Easter public holiday by a gang of senior citizens, the oldest of whom was 75 -- it inevitably fascinated tabloids. It even earned a compliment from the sentencing judge for standing “in a class of its own” in terms of planning and organisation.

Not surprisingly, movie producers and Sir Michael Caine have already expressed interest in filming the story. What leaps out most though, is that this raid involved “only” 14 million pounds worth of jewellery, cash, and gold.

Surely an attempted billion dollar robbery, from the Federal Reserve no less, must throw up similar interest from Hollywood? After all, the story is almost tailor-made for US film companies looking to appeal to expanding markets in Asia.

Maybe. But geeks at desks sounds a harder sell than Cockney pensioners “doing one last break-in,” so it would need something of the Mission Impossible to be visually appealing.

I had to ask a colleague for the name of the pre-millennial Sean Connery vehicle about a heist at the Petronas Towers which this chain of thought inevitably led to. All I could remember about Entrapment was Catherine Zeta-Jones limboing around some laser beams for some forgotten but presumably plot germane reason.

After some discussion, we both agreed the cast of international organisations, locations, and casinos involved in the Bangladesh cyber heist, means an Ocean’s Eleven-type scenario is definitely on the cards. It even has room for a role for Sir Michael at the location of his choice.

One day perhaps, an expatriate migrant worker in a desert kingdom whose remittances to Bangladesh found their way via New York to a casino in East Asia, will see a film on a plane about the cyber heist story. And the old Fleet Street cliché will pop up in every viewer’s mind.

You couldn’t make it up.
