The Bangladesh Bank Cyber Heist: One of the Largest Bank Robberies in History

You may be used to seeing stories about robbing money from a vault in movies or TV series like The Bank Job, Money Heist, and The Vault. However, such incidents happen not only on screen but also in reality. You might even be surprised to know that if the “Bangladesh Bank Cyber Heist” had been executed successfully in 2016, it would have been the largest bank robbery in the world. In this heist, the hackers initially targeted $1 billion. In the end, they were able to get away with only $81 million, which is still undoubtedly the world’s largest bank heist in modern history. More interestingly, without first taking proper steps to recover the robbed money, Bangladesh Bank hired a US-based IT firm to erase all traces of the incident. If such an incident had taken place in New York, London, Singapore, or Dubai rather than in Bangladesh, Hollywood would have made a blockbuster movie about it.

According to a BBC report, the hackers’ initial plan was to steal $1 billion from Bangladesh Bank’s reserve. Their plan failed and they managed to steal only $81 million, but in a developing country like Bangladesh, where one-third of the total population still lives on less than $2 a day, $81 million is a tremendously large amount. According to a report in Prothom Alo, the then governor of Bangladesh Bank wanted to cover up this significant theft. On the other hand, according to a report in the Daily Star, a five-year investigation by the CID identified 40 people from six countries who actively participated in the theft. The matter came up in the world media when Bangladesh Bank filed a case in a Philippine court for the return of the stolen money. While the domestic media was still unaware of it, the international press started featuring the theft of Bangladesh Bank’s reserves.

Like many other countries’ central banks, Bangladesh Bank has an account with the Federal Reserve Bank of New York in the USA. Usually, a country’s reserve money is kept in such an account for additional security and for handling international transactions. The Federal Reserve Bank keeps the reserves of Bangladesh, in dollars and gold, in its vaults. The method used for money transactions on this account is called SWIFT, a military-level secure system. Globally, this network handles on average 35 million financial transactions per day. To conduct all its transactions, Bangladesh Bank uses an 8 or 11 digit SWIFT code. SWIFT primarily transmits payment orders from one account to another rather than sending or receiving the money itself. Unfortunately, despite such tight security, a group of hackers successfully breached the system in 2016.

How the SWIFT System Works

Although the incident occurred in 2016, the hackers had been planning and preparing for a very long time. The whole story started with a malicious e-mail. In January 2015, an unknown person using the name Russell Ahlam sent a job application by email to the authorities of Bangladesh Bank, with a CV and a cover letter attached. But it was not a regular job application: malware was attached to the file, which later helped the hackers get into the central bank’s computer system. Investigators found that three people fell for the trick and downloaded the attached file. After a while, the malware started installing itself on the computer system of the Central Bank of Bangladesh. Although the hackers were now inside the computer system for the first time, at this stage they did nothing beyond gaining access.

The hacker team used bank accounts in the Philippines to transfer the money. It was logical for them to open accounts in the Philippines because the loopholes in its banking privacy rules make it very easy to conduct illegal activities such as money laundering and terrorist funding. The hackers opened four fake accounts, which they used to move the looted money. To open the accounts, a casino owner in the Philippine capital Manila used his former friend Maia Deguito, manager of the Jupiter Street branch of Rizal Commercial Banking Corporation (RCBC), who unknowingly got involved in the world’s biggest bank robbery. According to Reuters, the four accounts were opened with only $500 and stayed dormant for nine months.

The hacker team exploited the time differences between Bangladesh, New York, and the Philippines, together with the weekend gaps, to draw up the blueprint of the complete robbery; they took five days to execute the whole plan.

Now let’s move to Bangladesh Bank in 2016. On the 10th floor of Bangladesh Bank, in a highly secured room, there is a printer that played a pivotal role in the heist. It is hooked up to the SWIFT system and set to print real-time records of multi-billion-dollar transactions. According to an Al Jazeera documentary, on February 4, 2016, the printer started showing a technical glitch in the last minutes of working hours. The bank director noticed that the printer tray was empty, which made him a little anxious. Bangladesh Bank staff noticed that some of the printer’s software files on the bank’s computer were missing or altered. The printer often had various technical glitches, so the bank director did not worry and shut it down. But this glitch was the first sign that Bangladesh Bank’s billion dollars were in danger. The hackers had intentionally deleted all confirmation messages from the SWIFT database, which crashed the program that drives the automatic printer.

Bangladesh Bank was closed the next day, as Friday is a weekly holiday. The weekly holiday in Bangladesh is Friday and Saturday, while in the USA it is Saturday and Sunday. As a result, the Bangladesh Bank authorities only learned that their banking system had been hacked three days later.

While Bangladesh was asleep, it was still morning in New York, and that was when the hackers carried out this notorious cyber heist. They entered the SWIFT system and created 35 payment requests with a total amount of about $1 billion. Fortunately, 30 of the payment orders were sent to manual review by the Federal Reserve Bank’s automated system in New York.

The authorities noticed that the payment orders were huge and, most crucially, that they were made out not to organizations but to personal accounts. The large amounts raised several red flags, so the authorities tried to contact Bangladesh Bank, but they got no response because it was the weekend in Bangladesh. For that reason, the Federal Reserve Bank decided to hold transactions worth $870 million. The hackers made a few silly mistakes in their plan, but luck also played a significant role in this bank robbery. One payment order involved a bank account at the Jupiter Street branch in the Philippines, and that name happened to match an oil tanker named Jupiter that had previously violated US sanctions against Iran. The tanker had nothing to do with the bank robbery, but the Federal Reserve Bank stopped transactions worth millions of dollars because of the similar name. Bangladesh Bank survived a major disaster thanks to this coincidence. However, the hackers still managed to steal a large amount of money.
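The red flags described above (individual beneficiaries, a watchlist keyword in an address, submission during the originator's weekend, an unusually large batch) can be expressed as a hold-for-review screen. This is an added illustration, not code from the article or from any bank; the field names, thresholds, keyword list and sample orders are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Every value here is constructed for illustration, not taken from case records.
WATCHLIST_TERMS = {"JUPITER"}                  # assumed sanctions-list keyword
ORIGINATOR_TZ = timezone(timedelta(hours=6))   # Bangladesh Standard Time
ORIGINATOR_WEEKEND = {4, 5}                    # Friday, Saturday (Monday is 0)
BATCH_LIMIT_USD = 100_000_000                  # assumed ceiling for one batch

@dataclass
class PaymentOrder:
    ref: str
    amount_usd: int
    beneficiary_type: str        # "individual" or "institution"
    beneficiary_address: str
    submitted_utc: datetime

def screen(order, batch_total):
    """Return the reasons an order should be held for manual review."""
    reasons = []
    tokens = set(order.beneficiary_address.upper().replace(",", " ").split())
    # Whole-word matching still yields coincidental hits (a street vs. a ship).
    if tokens & WATCHLIST_TERMS:
        reasons.append("watchlist-term")
    if order.beneficiary_type == "individual":
        reasons.append("individual-beneficiary")
    local = order.submitted_utc.astimezone(ORIGINATOR_TZ)
    if local.weekday() in ORIGINATOR_WEEKEND or not 9 <= local.hour < 17:
        reasons.append("outside-originator-hours")
    if batch_total > BATCH_LIMIT_USD:
        reasons.append("batch-over-limit")
    return reasons

def screen_batch(orders):
    total = sum(o.amount_usd for o in orders)
    return {o.ref: screen(o, total) for o in orders}

SAMPLE_ORDERS = [  # constructed sample input
    PaymentOrder("A1", 25_000_000, "individual", "Jupiter Street Branch, Manila",
                 datetime(2016, 2, 4, 15, 0, tzinfo=timezone.utc)),
    PaymentOrder("A2", 5_000_000, "institution", "Main Road, Colombo",
                 datetime(2016, 2, 2, 5, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for ref, reasons in screen_batch(SAMPLE_ORDERS).items():
        print(ref, "HOLD" if reasons else "RELEASE", reasons)
```

A non-empty result means hold and call back the originator through a separate channel, not reject: the keyword rule fires on coincidences as readily as on real matches.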

Meanwhile, they wired $20 million from the Philippine bank account to Sri Lanka’s Pan Asia Bank in the name of the Shalika Foundation. Pan Asia Bank’s staff were shocked to see that Bangladesh Bank had authorized $20 million for a small NGO. That looked suspicious to them, and they referred it to Deutsche Bank, a German-based routing bank. Deutsche Bank found a silly spelling mistake, blocked the transaction, and sent a notice to Bangladesh Bank seeking clarification. The hackers had misspelled Shalika Foundation. It was later found that this account was also fake. Bangladesh Bank was later able to recover the entire $20 million sent to Sri Lanka.

On Sunday morning, when the employees returned to the office, they rebooted the machine within the first hour of the working day. When urgent messages and massive payment records started coming out of the printer, panic ensued inside the bank. The Bangladesh Bank authorities urgently tried to get in touch to stop the transactions. However, Bangladesh Bank did not receive any response from the Federal Reserve Bank of New York, as it was the weekly holiday in the USA. That was part of the hackers’ plan from the start: it added a few extra hours in which to wire the money from the Bangladesh Bank account to the Philippine bank accounts.

Let’s get back to Manila, Philippines, 3516 km away from Bangladesh. On Monday, 8th February, the hacker group deposited $81 million into the four RCBC bank accounts opened in 2015. It was the Lunar New Year, a huge national holiday for the Chinese. Bangladesh Bank tried to send messages to block the transactions, but the Philippines was in a festive mood and, because of the national holiday, that was not possible.

The hackers were thoroughly professional con artists; they were aware of the difficulties of communication between Bangladesh, the Philippines, and the USA. They also had in-depth knowledge of the Philippines’ money laundering act: they knew that it does not cover casinos, and they strategically used that loophole. After that, the Federal Reserve Bank transferred $81 million from Bangladesh Bank’s account to Kim Wong’s four accounts. Later, they split all the money through a remittance company called Philrem. Then, according to an Al Jazeera report, they converted the money into hard cash within ten days by sending it to a Philippine casino called Solaire in Manila.

When the Bangladesh Bank authorities took the initiative to bring the looted money back from the Philippines, it was not an easy task at all. Because of the Philippines’ bank secrecy act, they were not able to trace the cash flow. They did not even get Kim Wong’s and Philrem’s bank statements. According to Senate inquiries, Switzerland, Lebanon, and the Philippines maintain the world’s strictest banking secrecy. If the proper documents had been provided to the investigators, Bangladesh would not have had to lose $81 million.

Al Jazeera’s documentary shows that the Philippine Senate officially announced that $15 million had been recovered. The Anti-Money Laundering Council of the Philippines confirmed that Philrem still holds $17 million, but the company denies all the allegations. And $50 million landed directly on the desks of the casino and gambling junkets. Bangladesh has never been able to get the remaining money. The Bangladesh authorities made a proper plan to catch the true culprits, those who opened the fake accounts at RCBC to wire the stolen money. But before getting caught, they made their way to Macau.

According to the BBC podcast, the FBI team in Los Angeles found that the embedded computer code was in the Korean language and that the IP addresses matched North Korean IP addresses. The FBI investigation came up with an interesting fact: the hacker group called Lazarus had hacked Sony Pictures in 2014 using the same email address and social media profiles. The group is patronized by the North Korean government, and a man named Park Jin Hyok leads it. North Korea denies all the allegations and blames the United States for defamation. It was not the first time North Korea had committed such a heinous crime. In 2016, North Korea tried to steal millions of dollars from Taiwan’s Far Eastern International Bank using the SWIFT payment system. In the same year, the group took control of the computer systems of a Russian bank.

According to a BBC report, in 2018 Park was charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit wire fraud. As a result, he was given a sentence of 20 years of imprisonment. He is one of the few talents North Korea has cultivated since childhood to become a cyber warrior.

After this incident, the Bangladesh Bank governor had to resign from his position, as he had not informed the finance minister about the gigantic cyber heist. Bangladesh Bank hired a private IT firm to erase all traces of the massive theft. The governor at that time and other high-ranking officials knew what was happening inside the bank but stayed silent during the whole investigation. When the CID inquiry team took the matter into their hands, they found the former governor and senior officials equally responsible for removing the theft data.

The cyber heist of Bangladesh Bank was a warning to the whole world. In the future, robbers won’t need to break into a bank’s vault to steal money. To prevent such crimes, banks need to keep up with advanced technology and security systems.