Bangladesh Bank robbery

The Federal Reserve Bank of New York Building

The Bangladesh Bank robbery, also known colloquially as the Bangladesh Bank cyber heist,[1] was a theft that took place in February 2016. Thirty-five fraudulent instructions were issued by security hackers via the SWIFT network to illegally transfer close to US$1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank, the central bank of Bangladesh. Five of the thirty-five fraudulent instructions were successful in transferring US$101 million, with US$81 million traced to the Philippines and US$20 million to Sri Lanka. The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to US$850 million, due to suspicions raised by a misspelled instruction.[2] As of 2018, only around US$18 million of the US$81 million transferred to the Philippines has been recovered,[3] and all the money transferred to Sri Lanka has since been recovered. Most of the money transferred to the Philippines went to four personal accounts, held by single individuals, and not to companies or corporations.

Background

[edit]

Like many other national banks, Bangladesh Bank, the central bank of Bangladesh, maintains an account with the Federal Reserve Bank of New York to deposit, maintain, and transfer foreign currency reserve of Bangladesh. The foreign currency reserve of Bangladesh, a growing economy, often reaches multiple billions of US dollars. As of September 2020, Bangladesh has a foreign currency reserve of US$39 billion.[4] The Society for Worldwide Interbank Financial Telecommunication (SWIFT) network is used to communicate with the bank holding the foreign exchange account in order to withdraw, transfer, or deposit the currency.

The 2016 cyber-attack on the Bangladesh Bank was not the first attack of its kind. In 2013, the Sonali Bank of Bangladesh was also successfully targeted by hackers who were able to remove US$250,000.

In both cases, the perpetrators were suspected to have been aided by insiders within the targeted banks, who assisted in taking advantage of weaknesses in the banks' access to the SWIFT global payment network.[5][6]

Events

[edit]
Bangladesh Bank Building in Motijheel commercial area, Dhaka

Capitalizing on weaknesses in the security of the Bangladesh central bank, including the possible involvement of some of its employees,[7] perpetrators attempted to steal US$951 million from the Bangladesh Bank's account with the Federal Reserve Bank of New York. The theft happened sometime between 4–5 February 2016, when Bangladesh Bank's offices were closed for the weekend.

The perpetrators managed to compromise Bangladesh Bank's computer network, observe how transfers are done, and gain access to the bank's credentials for payment transfers. They used these credentials to authorise about three dozen requests to the Federal Reserve Bank of New York. These requests were made to transfer funds to accounts in the Philippines and Sri Lanka.

Thirty transactions worth US$851 million were flagged by the banking system for staff review, but five requests were granted; US$20 million to Sri Lanka (later recovered),[8][9] and US$81 million lost to the Philippines, entering the Southeast Asian country's banking system on 5 February 2016. This money was laundered through casinos and some later transferred to Hong Kong.

According to a report published in The Straits Times, investigators suspected that the criminals used the Dridex malware for the attack.[10]

Funds diverted to the Philippines

[edit]

The money transferred to the Philippines was deposited in five separate accounts with the Rizal Commercial Banking Corporation (RCBC); the accounts were later found to be under fictitious identities. The funds were then transferred to a foreign exchange broker to be converted to Philippine pesos, returned to the RCBC and consolidated in an account of a Chinese-Filipino businessman;[11][9] the conversion was made from 5 to 13 February 2016.[12] It was also found that the four U.S. dollar accounts involved were opened at the RCBC as early as 15 May 2015, remaining untouched until 4 February 2016, the date the transfer from the Federal Reserve Bank of New York was made.[12]

On 8 February 2016, during the Chinese New Year, Bangladesh Bank informed RCBC through SWIFT to stop the payment, refund the funds, and to "freeze and put the funds on hold" if the funds had already been transferred. Chinese New Year is a non-working holiday in the Philippines and a SWIFT message from Bangladesh Bank containing similar information was received by RCBC only a day later. By this time, a withdrawal amounting to about US$58.15 million had already been processed by RCBC's Jupiter Street (in Makati City) branch.[12]

On 16 February, the Governor of Bangladesh Bank requested Bangko Sentral ng Pilipinas' assistance in the recovery of its US$81 million funds, saying that the SWIFT payment instructions issued in favor of RCBC on 4 February 2016, were fraudulent.[12]

Attempted fund diversion to Sri Lanka

[edit]

The US$20 million transfer to Sri Lanka was intended by hackers to be sent to the Shalika Foundation, a Sri Lanka-based private limited company. The hackers misspelled "Foundation" in their request to transfer the funds, spelling the word as "Fundation". This spelling error gained suspicion from Deutsche Bank, a routing bank which put a halt to the transaction in question after seeking clarifications from Bangladesh Bank.[8][13][14]

Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting the transaction as too big for a country like Sri Lanka. Pan Asia Bank was the one which referred the anomalous transaction to Deutsche Bank. The Sri Lankan funds have been recovered by Bangladesh Bank.[8]

Investigation

[edit]

Bangladesh

[edit]

Initially, Bangladesh Bank was uncertain if its system had been compromised. The governor of the central bank engaged World Informatix Cyber Security, a US-based firm, to lead the security incident response, vulnerability assessment and remediation. World Informatix Cyber Security brought in the forensic investigation company Mandiant, for the investigation. These investigators found "footprints" and malware of hackers, which suggested that the system had been breached. The investigators also said that the hackers were based outside Bangladesh. An internal investigation has been launched by Bangladesh Bank regarding the case.[8]

The Bangladesh Bank's forensic investigation found out that malware was installed within the bank's system sometime in January 2016, and gathered information on the bank's operational procedures for international payments and fund transfers.[12]

The investigation also looked into an unsolved 2013 hacking incident at the Sonali Bank, wherein US$250,000 was stolen by still unidentified hackers. According to reports, just as in the 2016 central bank hack, the theft also used fraudulent fund transfers using the SWIFT global payment network. The incident was treated by Bangladeshi police authorities as a cold-case until the suspiciously similar 2016 Bangladesh central bank robbery.[15]

The Philippines

[edit]

The Philippines' National Bureau of Investigation (NBI) launched a probe and looked into a Chinese-Filipino who allegedly played a key role in the money laundering of the illicit funds. The NBI is coordinating with relevant government agencies including the country's Anti-Money Laundering Council (AMLC). The AMLC started its investigation on 19 February 2016, of bank accounts linked to a junket operator.[12] AMLC has filed a money laundering complaint before the Department of Justice against a RCBC branch manager and five unknown persons with fictitious names in connection with the case.[16]

A Philippine Senate hearing was held on 15 March 2016, led by Senator Teofisto Guingona III, head of the Blue Ribbon Committee and Congressional Oversight Committee on the Anti-Money Laundering Act.[17] A closed-door hearing was later held on 17 March.[18] Philippine Amusement and Gaming Corporation (PAGCOR) has also launched its own investigation.[8] On 12 August 2016, RCBC was reported to have paid half of the Ph₱ 1 billion penalty imposed by the Filipino central bank (BSP).[19] Prior to that, the bank reorganized its board of directors by increasing the number of independent directors from four to seven.[20]

On 10 January 2019, Maia Santos Deguito, a former manager at RCBC, was convicted on 8 counts of money laundering and sentenced to 4 to 7 years imprisonment for each count at a Makati City Regional Trial Court.[21] On 12 March 2019, RCBC sued Bangladesh Bank for embarking "on a massive ploy and scheme to extort money from plaintiff RCBC by resorting to public defamation, harassment and threats geared towards destroying RCBC's good name, reputation, and image."[22]

On 6 February 2023, the First Division of the Court of Appeals dismissed Deguito's appeal and upheld the Makati City Regional Trial Court's conviction in 2019.[23]

In the February 29, 2024 judgment on the Bangladesh Bank robbery, the New York Supreme Court dismissed 3 causes of action—conversion, aiding and abetting conversion, and conspiracy to commit conversion—against Rizal Commercial Banking Corporation and defendants Ismael Reyes, Brigitte Capiña, Romualdo Agarrado and Nestor Pineda for lack of personal jurisdiction. It however allowed the Bangladesh Bank case concerning the $81-million cyberheist to proceed on other grounds including the return of money received.[24]

United States

[edit]

FireEye's Mandiant forensics division and World Informatix Cyber Security, both US-based companies, investigated the hacking case. According to investigators, the perpetrators' familiarity with the internal procedures of Bangladesh Bank was probably gained by spying on its workers. The US Federal Bureau of Investigation (FBI) reported that agents have found evidence pointing to at least one bank employee acting as an accomplice. The FBI also alleged that there is evidence that points to several more people as possibly assisting hackers in navigating the Bangladesh Bank's computer system.[25] The government of Bangladesh has considered suing the Federal Reserve Bank of New York in order to recover the stolen funds.[8]

FBI suspicion of North Korea

[edit]

Federal prosecutors in the United States have revealed possible links between the government of North Korea and the theft.[26] According to this report, U.S. prosecutors suspected that the theft was perpetrated by criminals backed by the government of North Korea. The report also said that to be included in the charges are "alleged Chinese middlemen", who facilitated the transfer of the funds after it had been diverted to the Philippines.[27]

Some security companies, including Symantec Corp and BAE Systems, claimed that the North Korea-based Lazarus Group, one of the world's most active state-sponsored hacking collectives, were probably behind the attack. They cite similarities between the methods used in the Bangladesh heist and those in other cases, such as the hack of Sony Pictures Entertainment in 2014, which U.S. officials also attributed to North Korea. Cybersecurity experts say Lazarus Group was also behind the WannaCry ransomware attack in May 2017 that infected hundreds of thousands of computers around the world.[28]

The Cybersecurity and Infrastructure Security Agency published an alert "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks", which attributed the Bank of Bangladesh hack in 2016 to BeagleBoyz. The agency claimed that BeagleBoyz is a threat actor group under the North Korean government's Reconnaissance General Bureau, and have been active since 2014.[29]

US National Security Agency Deputy Director Richard Ledgett was also quoted as saying that, "If that linkage from the Sony actors to the Bangladeshi bank actors is accurate—that means that a nation state is robbing banks."[30]

The U.S. has charged a North Korean computer programmer, Park Jin Hyok,[31] with hacking the Bangladesh Bank, alleging this was carried out on behalf of the regime in Pyongyang. The same programmer has also been charged in connection with the WannaCry 2.0 virus and the 2014 Sony Pictures attack.[32]

Other attacks

[edit]

Computer security researchers have linked the theft to as many as eleven other attacks, and alleged that North Korea had a role in the attacks, which, if true, would be the first known incident of a state actor using cyberattacks to steal funds.[33][34]

Response from linked organizations

[edit]
Atiur Rahman, Governor of Bangladesh Bank who resigned from his post in response to the case.

The Rizal Commercial Banking Corporation (RCBC) said it did not tolerate the illicit activity in the RCBC branch involved in the case. Lorenzo V. Tan, RCBC's president, said that the bank cooperated with the Anti-Money Laundering Council and the Bangko Sentral ng Pilipinas regarding the matter.[35] Tan's legal counsel has asked the RCBC Jupiter Street branch manager to explain the alleged fake bank account that was used in the money laundering scam.[36]

The RCBC's board committee also launched a separate probe into the bank's involvement in the money laundering scam. RCBC president Lorenzo V. Tan filed an indefinite leave of absence to give way to the investigation by the authorities on the case.[37][38] On 6 May 2016, despite being cleared of any wrongdoing by the bank's internal investigation, Tan resigned as President of RCBC to "take full moral responsibility" for the incident.[39][40] Helen Yuchengco-Dee, daughter of RCBC founder Alfonso Yuchengco, will take over the bank's operations. The bank also apologised to the public for its involvement in the robbery.

Bangladesh Bank chief, governor Atiur Rahman, resigned from his post amid the investigation of the central bank robbery and subsequent laundering of the money by the RCBC staff in the Philippines. He submitted his resignation letter to Prime Minister Sheikh Hasina on 15 March 2016. Before the resignation was made public, Rahman stated that he would resign for the sake of his country.[41] After his resignation, Rahman defended himself by claiming that he had foreseen cyber security vulnerabilities one year ago and had hired an American cyber security firm to bolster the firewall, network and overall cyber security of the bank. However, he blamed bureaucratic hurdles for preventing the security firm from starting its operations in Bangladesh until after the cyber heist.[42]

On 5 August 2016, the Bangko Sentral ng Pilipinas approved a ₱1 billion (US$52.92 million) fine against RCBC for its non-compliance with banking laws and regulations in connection with the bank robbery. This is the largest monetary fine ever approved by BSP against any institution. RCBC stated that the bank would comply with the BSP's decision and pay the imposed fine.[43]

The Bangladesh Bank continued its efforts to retrieve the stolen money and had only recovered about US$15 million, mostly from a gaming junket operator based in Metro Manila. In February 2019, the Federal Reserve pledged it would help Bangladesh Bank recover the money and SWIFT has also decided to help the central bank rebuild its infrastructure. The Bangladeshi central bank also believed that RCBC was complicit with the robbery filing a legal case in U.S. District Court for the Southern District of New York regarding the case in early 2019 accusing the Philippine bank of "massive conspiracy". In response, RCBC filed a lawsuit accusing Bangladesh Bank of defamation believing that Bangladesh Bank's claims are baseless.[44]

In 2020, the Bangladesh Bank filed a case in the New York Supreme Court against RCBC over multiple causes of action. Three of these causes of action were dismissed on 29 February 2024. In June of the same year, the New York Court of Appeals rejected RCBC's petition to have the case heard in a different court.[45]

Aftermath

[edit]

The case threatened to reinstate the Philippines to the Financial Action Task Force on Money Laundering blacklist of countries that made insufficient efforts against money laundering.[46] Attention was given to a potential weakness of Philippine authorities' efforts against money laundering after lawmakers in 2012 managed to exclude casinos from the roster of organizations required to report to the Anti-Money Laundering Council regarding suspicious transactions.

The case also highlighted the threat of cyber attacks to both government and private institutions by cyber criminals using real bank authorisation codes to make orders look genuine. Swift created the Swift CSP (customer security programme) as a response. SWIFT has advised banks using the SWIFT system to strengthen their cyber security posture and ensure they are following SWIFT security guidelines known as CSCF (customer security compliance framework).[47]

[edit]

See also

[edit]

References

[edit]
  1. ^ "The great Bangladesh cyber heist shows truth is stranger than fiction". Dhaka Tribune. 12 March 2016. Retrieved 25 May 2018.
  2. ^ Schram, Jamie (22 March 2016). "Congresswoman wants probe of 'brazen' $81M theft from New York Fed". New York Post.
  3. ^ Cabalza, Dexter. "Ex-RCBC branch manager free on bail". Philippine Daily Inquirer.
  4. ^ "Bangladesh forex reserves hit record high over $39 billion". New Age. Retrieved 18 September 2020.
  5. ^ Das, Krishna; Paul, Ruma (25 May 2016). "Exclusive: Bangladesh probes 2013 hack for links to central bank heist". Reuters. Retrieved 26 August 2016.
  6. ^ "Bangladesh probes 2013 hack for links to Swift-linked central bank heist". Reuters. 25 May 2016. Retrieved 26 August 2016.
  7. ^ Finkle, Jim; Miglani, Sanjeev (10 May 2016). "SWIFT rejects Bangladeshi claims in cyber heist, police stand firm". Reuters.
  8. ^ a b c d e f Quadir, Serajul (11 March 2016). "Spelling mistake stops hackers stealing $1 billion in Bangladesh bank heist". The Independent. Retrieved 13 March 2016.
  9. ^ a b Byron, Rejaul Karim (10 March 2016). "Hackers' bid to steal $870m more from Bangladesh central bank foiled". Asia News Network. The Daily Star. Archived from the original on 12 March 2016. Retrieved 11 March 2016.
  10. ^ "Dridex malware linked to Bangladesh heist". Straits Times. Singapore Press Holdings Ltd. Co. Bloomberg. Retrieved 1 February 2017.
  11. ^ Ager, Maila (3 March 2016). "Senate to probe $100-M laundering via PH, says Osmeña". Philippine Daily Inquirer. Retrieved 11 March 2016.
  12. ^ a b c d e f Byron, Rejaul Karim; Rahman, Md Fazlur (11 March 2016). "Hackers bugged Bangladesh Bank system in Jan". Asia News Network. The Daily Star. Archived from the original on 12 March 2016. Retrieved 13 March 2016.
  13. ^ Aneez, Shihar (31 March 2016). "Sri Lankan in Bangladesh cyber heist says she was set up by friend". Reuters.
  14. ^ "Story behind Shalika Foundation". Ceylon Today. Archived from the original on 19 August 2016.
  15. ^ "Bangladesh probes 2013 hack for links to Swift-linked central bank heist". CNBC. 26 May 2016.
  16. ^ "RCBC manager, others face anti-money laundering complaint". Rappler. 5 March 2016. Retrieved 5 March 2016.
  17. ^ Pasion, Patty (15 March 2016). "RCBC manager invokes right vs self-incrimination at Senate probe". Rappler. Retrieved 20 March 2016.
  18. ^ Yap, Cecilia; Calonzo, Andreo (17 March 2016). "Printer error foiled billion-dollar bank heist". Sydney Morning Herald. Retrieved 20 March 2016.
  19. ^ Rada, Julito. "RCBC pays half of P1-b penalty". Archived from the original on 22 January 2018. Retrieved 19 August 2016.
  20. ^ "RCBC reorganizes board after Bangladesh Bank heist scandal". Rappler.
  21. ^ "Ex-RCBC manager Deguito found guilty of money laundering". ABS-CBN News. 10 January 2019.
  22. ^ "Philippines' RCBC sues 'vicious' Bangladesh Bank over heist claim". Reuters. 12 March 2019.
  23. ^ "CA upholds Maia Deguito's money laundering conviction over Bangladesh bank heist". ABS-CBN News. 19 April 2023.
  24. ^ Camus, Miguel (2 March 2024). "RCBC mulls over appeal of NY decision on Bangladesh cyberheist". Philippine Daily Inquirer. Retrieved 2 March 2024.
  25. ^ "FBI suspects inside job in Bangladesh bank heist".
  26. ^ Corkery, Michael; Goldstein, Matthew (22 March 2017). "North Korea Said to Be Target of Inquiry Over $81 Million Cyberheist (Published 2017)". The New York Times.
  27. ^ "U.S. may accuse North Korea in Bangladesh cyber heist: WSJ". Reuters. 22 March 2017.
  28. ^ "A Baccarat Binge Helped Launder the World's Biggest Cyberheist". Bloomberg Markets. 3 August 2017.
  29. ^ "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks | CISA". us-cert.cisa.gov.
  30. ^ Groll, Elias. "NSA Official Suggests North Korea Was Culprit in Bangladesh Bank Heist". Foreign Policy.
  31. ^ "FBI Most Wanted". FBI Most Wanted.
  32. ^ "US charges North Korean in Bangladesh Central Bank Hack". ABS-CBN News.
  33. ^ Shen, Lucinda (27 May 2016). "North Korea Has Been Linked to the SWIFT Bank Hacks". Fortune. Retrieved 28 May 2016.
  34. ^ Agcaoili, Lawrence (10 March 2016). "RCBC denies alleged money laundering". The Philippine Star. Retrieved 11 March 2016.
  35. ^ "Explain 'fake account,' RCBC chief tells branch manager". ABS-CBN News. 13 March 2016. Retrieved 13 March 2016.
  36. ^ Dumlao-Abadilla, Doris (23 March 2016). "RCBC chief goes on leave amid US$ 81 million dirty money probe". Philippine Daily Inquirer. Retrieved 24 March 2016.
  37. ^ Agcaoili, Lawrence (23 March 2016). "RCBC president goes on leave". The Philippine Star. Retrieved 24 March 2016.
  38. ^ "RCBC Prexy resigns after board clears him of wrongdoing". Manila Bulletin.
  39. ^ "Tan cleared of wrong doing, resigns to take full moral responsibility". Archived from the original on 1 August 2016. Retrieved 3 August 2016.
  40. ^ "Bangladesh central bank governor quits over $81m heist". The Daily Star/Asia News Network. 15 March 2016. Retrieved 11 May 2016.
  41. ^ Bahree, Megha (22 June 2016). "Former Bangladesh Bank Chief Blames Global System for Theft". The New York Times. New York Times. Archived from the original on 25 June 2016. Retrieved 27 October 2018.
  42. ^ "Bangko Sentral slaps P1-B fine on RCBC for stolen Bangladesh Bank fund". GMA News.
  43. ^ "Philippines' RCBC Sues Bangladesh Central Bank over 'Vicious' Cyber Heist Claims". Insurance Journal. Reuters. 13 March 2019. Retrieved 13 March 2019.
  44. ^ Adonis, Meg J. (15 June 2024). "NY Court denies RCBC plea to change trial venue of cyberheist case". Inquirer.net. Retrieved 12 July 2024.
  45. ^ Remitio, Rex (3 March 2016). "Sen. Osmeña: PH may suffer if money laundering is proven". CNN Philippines. Archived from the original on 10 March 2016. Retrieved 11 March 2016.
  46. ^ Tweed, David; Devnath, Arun (10 March 2016). "$1 Billion Plot to Rob Fed Accounts Leads to Manila Casinos". Bloomberg. Retrieved 11 March 2016.
  47. ^ "'Billion Dollar Heist' Review: How to Rob a Bank, Digitally". 17 August 2023. Retrieved 19 August 2023.
[edit]