When the words “bank heist” come up, pictures of cowboys with bandannas over their faces recklessly holding up a financial institution may spring to mind, or even the iconic image of Bonnie and Clyde with their guns and classic car. There’s certainly a glamorous, romantically rebellious element to the notion of heists and bank robbers, and the outlaws involved in these crimes have long captured our attention. The anarchic idea of someone living outside the law, escaping the clutches of the authorities and amassing a huge fortune has made for some great stories and legendary movies, with an element of idolization and fascination directed towards these criminals.
These days, bank heists have progressed far beyond the put-’em-up guerrilla attacks, and are now carried out online by advanced tech-whiz hackers and digital criminals who steal identities and break into secure systems, from some
In February 2016, $951 million in fraudulent transfers was requested from Bangladesh Bank, the country’s central bank. Of the attempted $951 million, the hackers successfully issued five transactions worth $101 million. The money was withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York. The money was sent to Sri Lanka and the Philippines, and twenty million was traced to Sri Lanka. Experts now think that North Korea was the final destination.
Where the attackers went wrong is that they misspelled “Foundation” in their fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) transfer request, spelling the word incorrectly as “Fundation”. This error drew scrutiny from a routing bank, which held the transaction in question and sought verification from Bangladesh Bank. Sri Lanka-based Pan Asia Bank took notice of the transaction because a transaction of that size is very rare for Sri Lanka. $81 million was transferred to the Philippines, of which only about $18 million was recovered. The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to $850 million, at the request of Bangladesh Bank.
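The two checks that held the transfers described above, a suspicious word in the beneficiary details and a destination unusual for the account, written up as an added payment-screening example; this is not code from the original post, and the vocabulary, account history and transfer requests are constructed for illustration.

```python
import re
from collections import Counter
# Words expected to be spelled correctly in institutional beneficiary names
# (assumed vocabulary; a real screening list would be far larger).
EXPECTED_WORDS = {"foundation", "trust", "bank", "limited", "corporation", "company"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,   # deletion, insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]

def near_misspellings(name: str, vocab=EXPECTED_WORDS) -> list:
    """(word, intended) pairs for words one edit away from a vocabulary word."""
    hits = []
    for word in re.findall(r"[a-z]+", name.lower()):
        if word in vocab or len(word) < 5:
            continue
        match = next((g for g in vocab if edit_distance(word, g) == 1), None)
        if match:
            hits.append((word, match))
    return hits

def unusual_destination(country: str, history: Counter, min_share=0.02) -> bool:
    """True if the destination is absent from, or rare in, prior history."""
    total = sum(history.values())
    return total == 0 or history[country] / total < min_share

def screen(transfer: dict, history: Counter) -> list:
    """Human-readable reasons to hold a transfer for manual verification."""
    reasons = [f"beneficiary name: '{w}' looks like '{g}'"
               for w, g in near_misspellings(transfer["beneficiary"])]
    if unusual_destination(transfer["country"], history):
        reasons.append(f"destination {transfer['country']} is unusual for this account")
    return reasons

# Constructed prior destinations and sample requests (fictional, not the real messages).
HISTORY = Counter({"US": 40, "GB": 12, "JP": 5})
REQUESTS = [{"ref": "TX-001", "beneficiary": "Example Fundation", "country": "LK"},
            {"ref": "TX-002", "beneficiary": "Example Trading Company", "country": "GB"},
            {"ref": "TX-003", "beneficiary": "Sample Holdings Limited", "country": "PH"}]

def held_transfers(requests=REQUESTS, history=HISTORY) -> dict:
    """Map each flagged reference to its hold reasons; unflagged ones pass."""
    return {t["ref"]: r for t in requests if (r := screen(t, history))}
```

Running `held_transfers()` holds TX-001 for both reasons and TX-003 for its destination only, while TX-002 passes; a production system would feed the held references to a human verifier rather than rejecting them outright.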
The bank of Bangladesh was definitely hacked; it was compromised about two weeks before the theft. Whether an insider assisted the attackers is unclear. BCB may have been negligent in its cyber security posture. The hack did originate outside of Bangladesh, as reported by FireEye’s Mandiant division, which performed a forensic investigation. FireEye didn’t identify the hacker group and simply described them as “FIN threat actors”, FIN standing for Financial. Furthermore, FireEye did say that the same group is responsible for other recent financial hacks, based on digital footprints left behind. Malware that captures credentials via MS Office macros was used for the attack; the credentials were then used to execute SWIFT transfers.
The hack was thought to have originated in China because a Chinese national was tied to the crime and the laundered money eventually went to Hong Kong. However, as new evidence arises it seems likely that North Korea was behind the attack. The North Korean hacker group known as Lazarus executed the hack. There is no proof that the New York bank was hacked as well as BCB; the hackers only needed access to BCB to perform the SWIFT transfers.
the probability of the heist succeeding, the launderers involved would have sought out the cooperation of, or at least felt comfortable working with, the Rizal Commercial Banking Corporation (RCBC), casinos (Solaire and Eastern Hawaii Leisure) and the exchanger Philrem. RCBC is at the top of the list since Maia Santos-Deguito, the manager, and other management of RCBC’s branch on Jupiter Street in Makati are accused of forging a client’s signature for P20mil and managed the four fraudulent accounts used in the heist. Furthermore, the thieves would have wanted to be confident that the branch would have enough cash in its vault that day to handle the disbursement, or they would have risked a catastrophic delay. This same logic applies to the exchanger Philrem as well. I would be curious what the normal day-to-day operating cash on hand is for these institutions.
and BCB computer forensic reports may hold more key information on the hack but are not publicly available. It is not uncommon for black hats to stay out of the money trail. Sometimes hackers will get paid a set fee upfront, or once they compromise systems or information they sell it to a third party. In this instance it appears to be a commissioned job by an advanced persistent threat (APT).
In closing, simple common sense and someone saying “wait, something doesn’t look right” is what changed a one-billion-dollar heist into an eighty-million-dollar one. The degree to which speed and timing come into play with electronic transfers stands in deep contrast to hours of loading gold, jewels and cash onto trucks. The most manual part of this heist was exchanging gambling chips at the casino. Imagine what heists may look like 10 years from now; gone are the days of the Wells Fargo stagecoach.