By Michael Raffety
For everyone who does online banking the Bangladesh bank heist may give pause for worry. The bank robbery was reported in February to be an attempt by hackers to steal $1 billion by calling on the New York Federal Reserve Bank to transfer that sum from Bangladesh’s account at the NY Fed.
The thieves were using proper codes for the Bangladesh Central Bank’s Swift account. Swift is the Society for Worldwide Interbank Financial Telecommunication. Begun in 1973 to serve 239 banks, Swift now has 11,000 banks and other users in more than 200 countries who sent more than 25 million messages a day on average in April, according to the May 21 Wall Street Journal.
The amount of money and the volume of requests startled the New York Fed enough that it only released $81 million, which transferred to accounts in the Philippines and another $20 million to a bank in Sri Lanka. The Sri Lanka bank reported the transaction to its central bank and the transfer was reversed. One of the four Philippine banks was considerably more corrupt, with the bank manager bagging up $427,000 in cash and sending it off in a car to a foreign currency account held by a Chinese businessman. The full $81 million wound up in his account, but investigators said somebody forged that account.
Where did the $81 million go? A Philippine casino got $29 million and $21 million went to an international overseas junket operator who brings high rollers to casinos. Another Chinese junketeer got $30 million. So far that leaves about $1 million unaccounted for.
The Bangladesh central banker resigned. The Bangladesh central bank hired American cyber investigator Fire Eye. One of the junket operators reimbursed Bangladesh $4.63 million.
This information was gleaned from several Wall Street Journal articles beginning shortly after the Feb. 5 Bangladesh heist. A New York Times article run May 1 in the Sac Bee was more colorful, though short on factual details, saying, “The thieves in Bangladesh may have spent months lurking inside the central bank’s computers.
“It is the digital version of the heist depicted in the movie ‘Ocean’s Eleven,’ said Adrian Nish, head of the cyber threat intelligence team at BAE Systems, a defense and security company.”
The NYT article concluded by saying the New York Fed transferred the $81 million to the Philippines, “not knowing that someone somewhere, had stolen the credentials of the Bangladesh Bank and installed malware to cover his or her tracks.”
The writer must have watched too many cowboy movies where someone “covered their tracks” by wiping them out with a leafy tree branch.
Despite the NYT’s claim of spending months lurking inside the Bangladesh computer, the FBI, in a May 11 Wall Street Journal story, tagged the theft as partly an inside job. Investigators found evidence pointing to at least one bank employee as an accomplice.
“The evidence suggests a handful of others may have assisted hackers in navigating Bangladesh Bank’s computer system, the people said,” the WSJ wrote.
“The hacking of the Bangladesh Bank system in early February showed a surprising level of understanding of the institution’s inner workings, the people familiar with the investigation said,” WSJ reporters wrote, quoting “people familiar with the FBI investigation.
So, the plot thickens. Not only that, it gets stickier. The hacker bank thieves stole from a second central bank, as noted by the New York Times in a May 13 Sac Bee article. By May 17 a small item in the Wall Street Journal quoting a Reuters story identified the second bank as Vietnam’s Tien Phong Bank, suffering a $1.13 million Swift transfer order. The Vietnam bank identified it as a fraudulent transfer and halted the transfer requests, “the central bank official said.”
But a May 20 detailed WSJ story identified the Vietnam bank hack attempt as having happened in December 2015. That same story identified Swift account losses by an Ecuador Bank in January 2015. Swift officials are unhappy with Ecuador bank for not notifying them of the cyber theft through the bank’s Swift account. It only came to light because the Ecuadorean bank is suing Wells Fargo over the loss — $12 million over 10 days, with most of it going to Hong Kong, $1.5 million to Los Angeles and $1 million to Dubai. Wells Fargo is asking the suit to be thrown out. Banco del Austro recovered $2.8 million and has started legal proceedings in Hong Kong.
My prediction is once the investigators identify the Bangladesh accomplices, they’ll sweat them to identify the hackers.