Billion Dollar Heist: How a cybercrime organization rattled the global financial system

NAZMUL HAQUE PARTHIB
6 min read · Oct 12, 2023

One day a CV in the name of Rasak Alam was sent to 36 employees working at the Central Bank of Bangladesh, of whom 3 opened the email and the PDF. Little did they know that they had just compromised the whole financial reserve of Bangladesh, and that not long after, the hacking of 101 million dollars would take place. A story of organized crime, negligence and the vulnerability of the global financial system is told in the documentary Billion Dollar Heist.

Let’s start with the name. It is called the “Billion Dollar Heist” because the hackers initially requested a total sum of 956 million in over 36 transactions, but due to random luck and some misspellings they could only get away with 81 million. The documentary starts on the day of the hacking, February 6th 2016, when an employee checked to see why the printer was not working, the same printer that printed out transactions automatically whenever any Swift transaction happened (Swift is a global system that Bangladesh Bank uses to manage funds with the Federal Reserve in New York).

The previous night, 34 transactions had been made in the name of Bangladesh Bank, of which 4 were approved, and 81 million dollars were transferred to a bank in Manila, Philippines, and another 20 million was transferred to Sri Lanka. The entire heist was just like your typical movie: a group of expert hackers, each experienced in their required role, planned a detailed roadmap. The CV mentioned earlier was the first step. The approach used to get the malware onto the Bangladesh Bank computers is known as “Social Engineering”. It is called this because, for the bug to be installed, a person has to take some action that creates a pathway for the bug to enter, and this fake CV was just right.

Experts in the documentary estimate that more than 36 employees got the email containing the CV and 3 people opened the PDF. And that was it: the bug instantly found a home. After that, the digging process commenced. “Digging” refers to finding the right computer and locating the data necessary for the hack; in this case there was only one computer that communicated with the Federal Reserve using Swift. This is where the hackers were most vulnerable. It took them almost a full year, jumping from one desktop to another, just to locate the main computer. Throughout this process it was highly possible for them to have been detected, if only the cyber security measures had been up to the mark.

A key reason for targeting the central bank of Bangladesh was this faulty security system. It was revealed that the IT system was interconnected by cheap 10 dollar switches (a switch is a hub-like device that connects all computers over a wired network), which made it very easy for the hackers to jump from one desktop to another without leaving any trace. The eureka moment for the hackers happened on February 29th 2016: they had finally found the computer that used the Swift banking system. They very cleverly chose a special weekend, that of Chinese New Year, which fell on the following Monday. They did their homework. They knew Friday was the weekend for Muslim-majority Bangladesh, New York would be unavailable on Saturday and Sunday, and Monday would be a holiday for the employees of RCBC Bank in Manila, where prior to the heist 4 fraudulent bank accounts in the name of Chinese officials had been opened by the corrupt branch manager.

It was a perfect four day holiday in which all the parties involved were working in different time zones, so even if the transactions were discovered midway, there was no effective way to stop the process and communicate with anyone involved. At 8:34 pm Bangladesh time on Thursday, the hackers logged in to the Swift system. It took them about 2 hours to file the first transaction of 22 million dollars to the Federal Reserve. But they faced a challenge: they had not properly formatted the banking documents, and the Fed rejected their request. They filed another request with proper formatting and after 4 hours they had done it: 22 million dollars had been transferred to RCBC Bank in Manila. A whole range of requests were made at hourly intervals, but in most cases spelling errors, random naming issues and documentation mismatches meant they were not able to extract everything they wanted. They also left no trail of these transactions, as they had jammed any other printing device that would normally print the transactions. Before Saturday morning, they had hacked a total sum of 101 million dollars, of which 84 million went to RCBC Bank in Manila alone, where the branch manager was also in on the heist.

As Saturday morning approached, the employees of Bangladesh Bank saw that the printers were not working and brought in a technician to solve the issue. Just as the printer was fixed, all the transactions of the previous night started to print out automatically. At first sight the employee was baffled, not knowing what these transactions were and how they could have occurred over the weekend; then, piece by piece, it became obvious. Bangladesh Bank desperately tried to contact RCBC Bank in Manila and Swift in New York. Swift immediately froze all accounts linked to Bangladesh Bank, but RCBC didn’t respond; as it happened, all the employees there were celebrating a three day weekend. On Monday, as Bangladesh Bank was still trying to piece together how the money was stolen by rewatching 8 hours of CCTV footage and conducting an internal audit, the bank in Manila was busy converting the dollars into pesos, and the branch manager herself loaded the cash, in boxes, into her car. The money was headed to a VIP lounge in a casino in Manila, where millionaires from China would obviously come to spend their money gambling on the Chinese New Year.

A group of gamblers were set to wash this money, and over 2 days all of the hacked money was dealt over a fixed game of blackjack and laundered over the poker table. By the time Bangladesh Bank learned of the heist, there was nothing to do. The money was untraceable and the criminals could never be identified. The only person held accountable was the corrupt branch manager, Maia Santos Deguito, who was convicted on 8 counts of money laundering and sentenced to 4 to 7 years imprisonment for each count at a Makati City Regional Trial Court. On 12 March 2019, RCBC in turn sued Bangladesh Bank for embarking “on a massive plot and scheme to extort money from plaintiff RCBC by resorting to public defamation, harassment and threats geared towards destroying RCBC’s good name, reputation, and image.” The case was later dropped.

The experts in the documentary blame the hacking group “Lazarus”. They allege that such crime organizations work on behalf of nation states that mainly cannot function due to economic sanctions and embargoes. The same patterns of code could be identified in the cyber attack on Sony Pictures Entertainment back in 2014, and this leads the experts to believe that the same group was responsible for this heist.

The message of the documentary was clear: it portrayed this whole robbery as a slap in the face of every global financial institution that prides itself on its security. Global criminal warfare has fully shifted to cyberspace, which leaves countries like Bangladesh, which have poor expertise and resources, susceptible to cybercrime on a daily basis. From the local banks all the way to the central bank of Bangladesh, every system runs on vulnerable servers.

The key reason for targeting a country like Bangladesh was this vulnerability, and this will probably not stop here; we have seen cases like this in the global financial market too. The only reason the hackers did not steal more was faulty paperwork and misspellings, nothing else. The world today cannot rely on the tender handling of such sensitive matters. It is high time the global institutions provided the necessary resources to their less fortunate partners, such as ourselves, in order to ensure their own security.
