When the words “bank heist” come up, pictures of cowboys with bandannas over their faces recklessly holding up a financial institution may spring to mind, or even the iconic image of Bonnie and Clyde with their guns and classic car. There’s certainly a glamorous, romantically rebellious element to the notion of heists and bank robbers, and the outlaws involved in these crimes have long captured our attention. The anarchic idea of someone living outside the law, escaping the clutches of the authorities and amassing a huge fortune has made for some great stories and legendary movies, with an element of idolization and fascination directed towards these criminals.
These days, bank heists have progressed far beyond the put-’em-up guerrilla attacks, and are now carried out online by advanced tech-whiz hackers and digital criminals who steal identities and break into secure systems, from some
In February 2016, hackers requested US$951 million in fraudulent transfers from Bangladesh Bank, the central bank of Bangladesh. Of the attempted $951 million, the hackers successfully issued five transactions worth $101 million. The money was withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York and sent to Sri Lanka and the Philippines; $20 million was traced to Sri Lanka.
The hackers misspelled “Foundation” in their SWIFT request to transfer the money, spelling the word incorrectly as “Fundation”. This error drew scrutiny from a routing bank, which held the transaction in question and sought verification from Bangladesh Bank. Sri Lanka-based Pan Asia Bank took notice of the transaction because a transaction of that kind is very rare for Sri Lanka. $81 million was transferred to the Philippines, of which only about $18 million was recovered. The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to $850 million, at the request of Bangladesh Bank.
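The two things that actually stopped most of the transfers above were ordinary screening observations: a destination that was unusual for the originating account, and a beneficiary name that was a near-miss of a real one. The following Python is an added illustration, not code from the original post or from any bank or from SWIFT: it runs a toy screening pass over constructed transfer records (the history, payee names, countries and amounts are all made up for the example) and holds for manual verification any transfer whose destination country is rarely seen for the account or whose beneficiary name is within a small edit distance of a known payee word without matching it exactly.

```python
# Added example (not part of the original post): a toy transfer-screening pass
# modelled on the two checks that caught the fraudulent transfers described
# above. All records, names and amounts below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Transfer:
    ref: str
    amount_usd: float
    dest_country: str
    beneficiary: str


# Constructed history: the originating account's past destinations and payees.
HISTORY = [
    Transfer("H1", 2_000_000.0, "US", "Example Treasury Foundation"),
    Transfer("H2", 500_000.0, "GB", "Example Treasury Foundation"),
    Transfer("H3", 750_000.0, "US", "Northern Trade Corp"),
    Transfer("H4", 120_000.0, "DE", "Northern Trade Corp"),
    Transfer("H5", 900_000.0, "US", "Example Treasury Foundation"),
]

# Constructed batch under review: one routine payment, one to a rarely used
# country with a misspelled payee, one to a rarely used country and a new payee.
INCOMING = [
    Transfer("T1", 300_000.0, "US", "Northern Trade Corp"),
    Transfer("T2", 20_000_000.0, "LK", "Harbour Relief Fundation"),
    Transfer("T3", 81_000_000.0, "PH", "Jupiter Street Holdings"),
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss(name: str, known: Set[str], max_dist: int = 2) -> Optional[str]:
    """Return the known payee word this name almost (but not exactly) matches.

    Comparison is word by word so that a single mangled word ('Fundation') is
    caught even when the rest of the beneficiary name is new. Exact matches and
    short words are ignored to keep false positives down.
    """
    if name in known:
        return None
    known_words = {w.lower() for k in known for w in k.split()}
    for word in name.split():
        w = word.lower()
        if w in known_words or len(w) < 6:
            continue
        for kw in known_words:
            if 0 < edit_distance(w, kw) <= max_dist:
                return kw
    return None


def screen(batch: List[Transfer], history: List[Transfer],
           min_seen: int = 2, max_dist: int = 2) -> Dict[str, List[str]]:
    """Return {ref: [reasons]} for transfers that should be held for verification."""
    country_counts = Counter(t.dest_country for t in history)
    known_payees = {t.beneficiary for t in history}
    held: Dict[str, List[str]] = {}
    for t in batch:
        reasons = []
        seen = country_counts[t.dest_country]
        if seen < min_seen:
            reasons.append(f"destination {t.dest_country} seen only {seen} time(s) before")
        hit = near_miss(t.beneficiary, known_payees, max_dist)
        if hit:
            reasons.append(f"beneficiary '{t.beneficiary}' is a near-miss of known word '{hit}'")
        elif t.beneficiary not in known_payees:
            reasons.append("beneficiary never paid from this account before")
        if reasons:
            held[t.ref] = reasons
    return held


if __name__ == "__main__":
    for ref, reasons in screen(INCOMING, HISTORY).items():
        print(ref, "HELD:", "; ".join(reasons))
```

On the constructed batch, T1 passes, while T2 and T3 are held; T2 is flagged both for its rarely seen destination and for "Fundation" sitting one edit away from "Foundation". The thresholds (`min_seen`, `max_dist`) are assumptions for the example; a real screening rule would be tuned against the account's actual history.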
Bangladesh Bank was definitely hacked; it was compromised about two weeks before the theft. Whether an insider assisted the attackers is unclear. BCB may have been negligent in its cyber security posture. The hack did originate outside of Bangladesh, as reported by FireEye’s Mandiant division, which performed a forensic investigation. FireEye did not identify the hacker group and simply described them as “FIN threat actors”, FIN standing for Financial. FireEye did say that the same group is responsible for other recent financial hacks, based on digital footprints left behind. The malware used in the attack captured credentials via MS Office macros; those credentials were then used to execute SWIFT transfers.
The hack may have originated in China, because a Chinese national was tied to the crime and the laundered money eventually went to Hong Kong. I don’t believe that the New York bank was hacked, since the hackers already had access to BCB, and access to both banks was not required to perform the fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) transfers. It wouldn’t be worth the effort/risk for the FIN threat actors to attack the BNY when they already had essentially one billion at their fingertips.
the probability of the heist succeeding, the launderers involved would have sought out cooperation with, or at least felt comfortable working with, the Rizal Commercial Banking Corporation (RCBC), the casinos (Solaire and Eastern Hawaii Leisure) and the exchanger Philrem. RCBC is at the top of the list, since Maia Santos-Deguito, manager of RCBC’s branch on Jupiter Street in Makati, and other branch management look pretty guilty: she is accused of forging Go’s signature for P20mil and managed the four fraudulent accounts used in the heist. Furthermore, the thieves would have wanted to be confident that the branch would have enough cash in its vault that day to handle the disbursement, or they would have risked a catastrophic delay. The same logic applies to the exchanger Philrem. I would be curious what the normal day-to-day operating cash on hand is for these institutions.
and BCB computer forensic reports may hold more key information on the hack. If the hackers knew what they were doing, covered their tracks, and have already left the network, it is very unlikely that there will be attribution. It is not uncommon for black hats to stay out of the money trail. Sometimes hackers are paid a set fee up front, or once they compromise systems/information they sell it to a third party. I do not know if that’s the case, but it is a possibility. Hackers prefer to use e-commerce currency like bitcoin for untraceable, anonymous money laundering, and since they chose to do it the old-fashioned way, that lends support to my theory. If the hackers themselves were involved in the money laundering, they would have at least in part used bitcoin and other e-currencies to acquire some of the money.
In closing, simple common sense and someone saying “wait, something doesn’t look right” is what changed a $1 billion heist into just $80 million. The importance of speed and timing in electronic transfers stands in deep contrast to hours spent loading gold, jewels and cash onto trucks. The most manual part of this heist was exchanging gambling chips at the casino. Imagine what heists may look like 10 years from now; gone are the days of the Wells