Almost three years ago to the day, the central bank of Bangladesh fell victim to one of the largest cyber heists in history. The bank was taken for over $100 million USD by hackers, who transferred the money from an account at the Federal Reserve Bank of New York to personal accounts in the Philippines and Sri Lanka. The bulk of the money ($81 million) went to the Philippines and passed through the Rizal Commercial Banking Corp (RCBC), which failed to detect and stop the transactions to five accounts opened with fictitious identities.
RCBC is based in Manila, and was used as the staging point for withdrawal of most of the stolen funds prior to being laundered through casinos in the country. RCBC asserts that the cyber heist was perpetrated by someone inside of Bangladesh Bank; the Philippine central bank has already disagreed with this view, fining RCBC the equivalent of $20 million USD in 2016. Former RCBC branch manager Maia Deguito was found guilty of money laundering in connection to the case in 2016 and was sentenced to at least two years in jail.
The record-setting cyber heist
United States prosecutors believe that state-sponsored hackers from North Korea were behind the cyber heist, with assistance from Chinese middlemen located in the Philippines who laundered the money through the casinos and transferred it to Hong Kong. The as-yet unidentified hackers were most likely members of the notorious Lazarus Group, the outfit behind the WannaCry ransomware attacks in 2017.
The bank heist could have ended up being 10 times as large if not for the omission of a single letter. The thieves attempted to steal $1 billion in total, spread across 35 transfer requests. The bulk of these were halted by the Federal Reserve Bank of New York before they could be executed; the hackers attempted to send most of the money to the fictitious “Shalika Foundation” in Sri Lanka, but their misspelling of it as “Fundation” caused most of the transfers to that country to be automatically flagged. Nevertheless, the amount of money that did make it through was still enough to make this the biggest cyber heist in history at the time.
The timing of the attack is likely the reason why the perpetrators got away with the $81 million that was sent to the Philippines. The initial detection of the hack by Bangladesh Bank came during the Chinese New Year, which is a bank holiday in the Philippines. RCBC thus did not begin to respond to warning signs until the following day, giving the cyber heist numerous extra hours of time to unfold.
After an investigation involving cyber security firms and government agencies from the three countries involved, it was determined that the perpetrators had most likely recruited accomplices at RCBC and spied on Bangladesh Bank workers to set up the scheme. At some point in January of 2016 they gained access to Bangladesh Bank systems and installed malware that was used in the cyber heist, including a couple of programs that North Korean hackers had been known to use in the past.
The lawsuit was initiated by Bangladesh on January 30 in the US District Court for the Southern District of New York. It seems like a strong case, as Bangladesh Bank has a written agreement to receive technical assistance from the Federal Reserve Bank of New York. RCBC’s defense that the “inside job” originated from Bangladesh Bank staff is tough to square with the fact that former RCBC staff have been convicted of money laundering in the case. In addition to the branch manager who has already been sentenced, a former treasurer and five lower-level staff members are also facing charges in the Philippines.
However, investigations in the wake of the cyber heist also found fault with the New York Fed’s communication with Bangladesh Bank – it was deemed to be too slow as the incident was unfolding. There is also an unresolved question of how much jurisdiction New York has in the matter, as most of the steps of the cyber heist took place outside of the United States.
To date, only about $15 million of the stolen funds have been recovered from a casino VIP junket operator in Manila.
Regardless of the eventual outcome of this lawsuit, the case as a whole has highlighted important vulnerabilities in the Society for Worldwide Interbank Financial Telecommunication (SWIFT) banking system that are still being addressed.
SWIFT has been in use since the 1970s as one of the primary means by which banks transmit messages and requests to each other internationally. This hack has revealed that perhaps too much trust is being put in SWIFT member banks. Once cyber attacks are able to compromise the internal systems of members, cyber criminals have a relatively clear path to processing transfers to the international account of their choice.
This cyber heist demonstrated that the system is overly vulnerable to simply phishing an employee at a member bank and/or enlisting the help of some conspirators, meaning it is only as good as the security policy at the weakest links among the SWIFT network members. It is also only as good as the host country’s willingness to pursue and prosecute money laundering. A major weakness in the Philippines’ anti-money-laundering laws that was exploited here is the lack of a legal requirement for casinos to report suspicious financial transactions.
Security is likely to improve at the Bangladesh Bank, as SWIFT has an agreement in place with them to help rebuild and secure their infrastructure (though it is still unknown if they will assist in the lawsuit in any way). This cyber heist highlights the need for SWIFT to review both security policy for banks and compliance by their members, including related government policy and law enforcement response in member countries.