The Bangladesh Bank robbery, also known colloquially as the Bangladesh Bank heist, took place in February 2016, when instructions to steal US$951 million from Bangladesh Bank, the central bank of Bangladesh, were issued via the SWIFT network. Five transactions issued by hackers, worth $101 million and withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York, succeeded, with $20 million traced to Sri Lanka (since recovered) and $81 million to the Philippines (about $18 million recovered). The New York Fed blocked the remaining thirty transactions, amounting to $850 million, at the request of Bangladesh Bank. It was identified later that Dridex malware was used for the attack.
The 2016 cyber-attack on the Bangladesh Central bank was not the first attack of its kind. In this "cyber heist", thieves tried to illegally transfer US$951 million to several fictitious bank accounts around the world. In 2013, the Sonali Bank of Bangladesh was also successfully targeted by hackers who were able to cart away US$250,000. In 2015, two other hacking attempts were recorded, a $12 million theft from Banco del Austro in Ecuador in January and an attack on Vietnam's Tien Phong Bank in December that was not successful. In all these cases, the perpetrators are suspected to have been aided by insiders within the targeted banks, who assisted in taking advantage of weaknesses within the SWIFT global payment network.
Capitalizing on weaknesses in the security of the Bangladesh Central Bank, including the possible involvement of some of its employees, perpetrators attempted to steal $951 million from the Bangladesh central bank's account with the Federal Reserve Bank of New York sometime between February 4–5 when Bangladesh Bank's offices were closed. The perpetrators managed to compromise Bangladesh Bank's computer network, observe how transfers are done, and gain access to the bank's credentials for payment transfers. They used these credentials to authorise about three dozen requests to the Federal Reserve Bank of New York to transfer funds from the account Bangladesh Bank held there to accounts in Sri Lanka and the Philippines.
Thirty transactions worth $851 million were flagged by the banking system for staff review, but five requests were granted; $20 million to Sri Lanka (later recovered), and $81 million lost to the Philippines, entering the Southeast Asian country's banking system on February 5, 2016. This money was laundered through casinos and some later transferred to Hong Kong.
The $20 million transfer to Sri Lanka was intended by hackers to be sent to the Shalika Foundation, a Sri Lanka-based private limited company. The hackers misspelled "Foundation" in their request to transfer the funds, spelling the word as "Fundation". This spelling error gained suspicion from Deutsche Bank, a routing bank which put a halt to the transaction in question after seeking clarifications from Bangladesh Bank.
Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting the transaction as too big for a country like Sri Lanka. Pan Asia Bank was the one which referred the anomalous transaction to Deutsche Bank. The Sri Lankan funds have been recovered by Bangladesh Bank.
The money transferred to the Philippines was deposited in five separate accounts with the Rizal Commercial Banking Corporation (RCBC); the accounts were later found to be under fictitious identities. The funds were then transferred to a foreign exchange broker to be converted to Philippine pesos, returned to the RCBC and consolidated in an account of a Chinese-Filipino businessman; the conversion was made from February 5 to 13, 2016. It was also found that the four U.S. dollar accounts involved were opened at the RCBC as early as May 15, 2015, remaining untouched until February 4, 2016, the date the transfer from the Federal Reserve Bank of New York was made.
On February 8, 2016, during the Chinese New Year, Bangladesh Bank through SWIFT informed RCBC to stop the payment, refund the funds, and to "freeze and put the funds on hold" if the funds had already been transferred. Chinese New Year is a non-working holiday in the Philippines and a SWIFT message from Bangladesh Bank containing similar information was received by RCBC only a day later. By this time, a withdrawal amounting to about $58.15 million had already been processed by RCBC's Jupiter Street (in Makati City) branch.
On February 16, the Governor of Bangladesh Bank requested Bangko Sentral ng Pilipinas' assistance in the recovery of its $81 million funds, saying that the SWIFT payment instructions issued in favor of RCBC on February 4, 2016 were fraudulent.
Initially, Bangladesh Bank was uncertain if its system had been compromised. The governor of the central bank engaged World Informatix Cyber Security, a US based firm, to lead the security incident response, vulnerability assessment and remediation. World Informatix Cyber Security brought in the leading forensic investigation company Mandiant, a FireEye company, for the investigation. These cyber security experts found "footprints" and malware of hackers, which suggested that the system had been breached. The investigators also said that the hackers were based outside Bangladesh. An internal investigation has been launched by Bangladesh Bank regarding the case.
The Bangladesh Bank's forensic investigation found out that malware was installed within the bank's system sometime in January 2016, and gathered information on the bank's operational procedures for international payments and fund transfers.
The investigation also looked into an unsolved 2013 hacking incident at the Sonali Bank, wherein US$250,000 was stolen by still unidentified hackers. According to reports, just as in the 2016 Central Bank hack, the theft also used fraudulent fund transfers using the SWIFT International Payment Network. The incident was treated by Bangladeshi police authorities as a cold-case until the suspiciously similar 2016 Bangladesh Central Bank robbery.
The Philippines' National Bureau of Investigation (NBI) launched a probe and looked into a Chinese-Filipino who allegedly played a key role in the money laundering of the illicit funds. The NBI is coordinating with relevant government agencies including the country's Anti-Money Laundering Council (AMLC). The AMLC started its investigation on February 19, 2016 of bank accounts linked to a junket operator. AMLC has filed a money laundering complaint before the Department of Justice against a RCBC branch manager and five unknown persons with fictitious names in connection with the case.
A Philippine Senate hearing was held on March 15, 2016, led by Senator Teofisto Guingona III, head of the Blue Ribbon Committee and Congressional Oversight Committee on the Anti-Money Laundering Act. A closed-door hearing was later held on March 17. Philippine Amusement and Gaming Corporation (PAGCOR) has also launched its own investigation. On August 12, 2016, RCBC was reported to have paid half of the P1 billion penalty imposed by the Central Bank of the Philippines. Prior to that, the bank reorganized its board of directors by increasing the number of independent directors to 7 from the previous 4.
FireEye's Mandiant forensics division and World Informatix Cyber Security, both US-based companies, are investigating the hacking case. According to investigators, the perpetrators' familiarity with the internal procedures of Bangladesh Bank was probably gained by spying on its workers. In a separate report, the US Federal Bureau of Investigation (FBI) says that Agents have found evidence pointing to at least one bank employee acting as an accomplice, with evidence pointing to several more people as possibly assisting hackers in navigate the Bangladesh Bank’s computer system. The government of Bangladesh is considering suing the Federal Reserve Bank of New York in a bid to recover the stolen funds.
Federal prosecutors in the United States have revealed possible links between the government of North Korea and the theft. U.S. prosecutors are reportedly at work building potential cases that would accuse North Korea of directing the theft of $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York. The report also said that to be included in the charges are "alleged Chinese middlemen," who facilitated the transfer of the funds after it had been diverted to the Philippines.
Some security companies, including Symantec Corp. and BAE Systems Plc, say that the North Korea-based Lazarus, one of the world’s most active state-sponsored hacking collectives, were probably behind the attack. They cite similarities between the methods used in the Bangladesh heist and those in other cases, such as the hack of Sony Pictures Entertainment Inc. in 2014, which U.S. officials also attributed to North Korea. Cybersecurity experts say Lazarus was also behind the WannaCry ransomware attack in May that infected hundreds of thousands of computers around the world.
Some or all of the stolen funds may eventually have found its way to North Korea. The FBI is examining the totalitarian state’s link to the hack, according to two officials with direct knowledge of the investigation.
US National Security Agency Deputy Director Rick Ledgett was also quoted as saying that, “If that linkage from the Sony actors to the Bangladeshi bank actors is accurate — that means that a nation state is robbing banks."
Computer security researchers have linked the theft to as many as eleven other attacks, and alleged that North Korea had a role in the attacks, which, if true, would be the first known incident of a state actor using cyberattacks to steal funds.
The Rizal Commercial Banking Corporation said it did not tolerate the illicit activity in the RCBC branch involved in the case. Lorenzo V. Tan, RCBC's president, said that the bank cooperated with the Anti-Money Laundering Council and the Bangko Sentral ng Pilipinas regarding the matter. Tan's legal counsel has asked the RCBC Jupiter Street branch manager to explain the alleged fake bank account that was used in the money laundering scam.
The RCBC's board committee also launched a separate probe into the bank's involvement in the money laundering scam. RCBC president Lorenzo V. Tan filed an indefinite leave of absence to give way to the investigation by the authorities on the case. On May 6, 2016, despite being cleared of any wrongdoing by the bank's internal investigation, Tan resigned as President of RCBC to "take full moral responsibility" for the incident. Helen Yuchengco-Dee, daughter of RCBC founder Alfonso Yuchengco, will take over the bank's operations. The bank also apologized to the public for its involvement in the robbery.
Bangladesh Bank chief governor Atiur Rahman resigned from his post amid the current investigation of the robbery and money laundering. He submitted his resignation letter to Prime Minister Sheikh Hasina on March 15, 2016. Before the resignation was made public, Rahman stated that he would resign for the sake of his country.
On August 5, 2016, the Bangko Sentral ng Pilipinas approved a ₱1 billion (~US$52.92 million) fine against RCBC for its non-compliance with banking laws and regulations in connection with the bank robbery. This is the largest monetary fine ever approved by BSP against any institution. RCBC stated that the bank will comply with the BSP's decision, and will pay the imposed fine.
The incident shows the risks that banks connected to the SWIFT system are exposed to as a result of the security vulnerabilities of other member banks. By breaching the Bangladesh Central Bank's security firewalls, hackers were able to hack the system and transfer the funds through the established global banking networks almost undetected. The failure of the Bangladeshi government to build adequate safeguards for its financial system became the starting point for a global, multi-million money laundering scheme whose effect was felt beyond the country's borders.
The case threatens the reinstatement of the Philippines to the blacklist, by the Financial Action Task Force on Money Laundering, of countries making insufficient efforts against money laundering. Attention was given to a potential weakness of Philippine authorities' efforts against money laundering after lawmakers in 2012 managed to exclude casinos from the roster of organizations required to report to the Anti-Money Laundering Council regarding suspicious transactions.
The case also highlights the threat of cyber attacks to both government and private institutions by cyber criminals using real bank codes to make orders look genuine. SWIFT has advised banks using the SWIFT Alliance Access system to strengthen their cyber security posture and ensure they are following SWIFT security guidelines. Bangladesh is reportedly the 20th most cyber-attacked country, according to a cyber threat map developed by Kaspersky Lab, which runs in real time.