When the words “bank heist” come up, pictures of cowboys with bandannas over their faces recklessly holding up a financial institution may spring to mind, or even the iconic image of Bonnie and Clyde with their guns and classic car. There’s certainly a glamorous, romantically rebellious element to the notion of heists and bank robbers, and the outlaws involved in these crimes have long captured our attention. The anarchical idea of someone living outside the law, escaping the clutches of the authorities and amassing a huge fortune has made for some great stories and legendary movies, with an element of idolization and fascination directed towards these criminals.

These days, bank heists have progressed far beyond the put-’em-up guerilla attacks, and are now carried out online by advanced tech-whiz hackers and digital criminals who steal identities and break into secure systems from some remote headquarters.

In February 2016, instructions to steal US$951 million from Bangladesh Bank, the central bank of Bangladesh, were issued via the SWIFT network.
The hackers successfully issued five transactions, worth $101 million, which were withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York. The money was sent to Sri Lanka and the Philippines.

$20 million was traced to Sri Lanka. The hackers misspelled “Foundation” in their request to transfer the funds, spelling the word as “Fundation”. This spelling error raised suspicion at a routing bank, which held the transaction in question and sought verification from the Bangladesh Bank. Sri Lanka-based Pan Asia Bank initially took notice of the transaction because such a transaction is very rare for a country like Sri Lanka.

$81 million went to the Philippines (about $18 million was recovered).

The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to $850 million, at the request of Bangladesh Bank.
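The two signals that stopped part of the theft described above, a misspelled beneficiary name and a payment that was unusual for its destination, are exactly the kind of checks an outbound payment screen can apply before a transfer leaves the bank. The following Python is an added example written for this article; it is not code from Bangladesh Bank, any correspondent bank, or SWIFT. The beneficiary list, the per-country payment history and the payment instructions are constructed sample data, and the 10x-median threshold is an assumed tuning value.

```python
from dataclasses import dataclass
from statistics import median

# Constructed sample data: names and figures are illustrative, not real counterparties.
KNOWN_BENEFICIARIES = {
    "shalika foundation",
    "eastern hawaii leisure",
}

# Constructed per-country history of past outbound payment amounts in USD.
HISTORY_USD = {
    "LK": [40_000, 75_000, 120_000, 60_000],
    "PH": [200_000, 350_000, 500_000],
}


@dataclass
class Payment:
    ref: str
    beneficiary: str
    country: str      # ISO 3166 alpha-2 of the receiving bank
    amount_usd: float


def edit_distance(a, b):
    """Levenshtein distance via a small dynamic-programming table (names are short)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def near_miss(name, known, max_distance=2):
    """Return a known beneficiary that is close to but not equal to `name`, else None.

    An exact match is a normal payment; a near miss ("Fundation" vs "Foundation")
    is what a reviewer should be asked to look at.
    """
    norm = " ".join(name.lower().split())
    if norm in known:
        return None
    for k in known:
        if edit_distance(norm, k) <= max_distance:
            return k
    return None


def screen(payment, known=KNOWN_BENEFICIARIES, history=HISTORY_USD, ratio=10):
    """Return the list of reasons to hold a payment; an empty list means release."""
    reasons = []
    hit = near_miss(payment.beneficiary, known)
    if hit:
        reasons.append(
            f"{payment.ref}: beneficiary '{payment.beneficiary}' is a near miss of known '{hit}'")
    past = history.get(payment.country)
    if not past:
        reasons.append(f"{payment.ref}: no payment history for country {payment.country}")
    elif payment.amount_usd > ratio * median(past):
        reasons.append(
            f"{payment.ref}: amount {payment.amount_usd:,.0f} exceeds {ratio}x median for {payment.country}")
    return reasons


def should_hold(payment):
    """Hold for manual verification if any screening rule fired."""
    return bool(screen(payment))


if __name__ == "__main__":
    # Constructed instructions modelled on the pattern in the article, not the real messages.
    batch = [
        Payment("TX-1", "Shalika Fundation", "LK", 20_000_000),
        Payment("TX-2", "Eastern Hawaii Leisure", "PH", 300_000),
        Payment("TX-3", "Some Trading Co", "US", 1_000),
    ]
    for p in batch:
        print(p.ref, "HOLD" if should_hold(p) else "release", screen(p))
```

The screen deliberately reports every rule that fired rather than stopping at the first, so the reviewer who receives the hold sees both the name anomaly and the amount anomaly together; a single weak signal is easy to wave through, two independent ones are not.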
Bangladesh Bank was definitely hacked; it was compromised about two weeks before the theft. Whether an insider assisted the attackers is unclear. BCB may have been negligent in its cyber security posture.
The hack did originate outside of Bangladesh, as reported by FireEye’s Mandiant division, which performed a forensic investigation. FireEye didn’t identify the hacker group and simply described them as “FIN threat actors”, FIN standing for Financial. FireEye did say, however, that the same group is responsible for other recent financial hacks, based on digital footprints left behind.
Malware called Dridex was used for the attack; it captures credentials via MS Office macros. The credentials were then used to execute SWIFT transfers. The hack may have originated in China, given that a Chinese national was tied to the crime and that the laundered money eventually went to Hong Kong. I don’t believe that the New York bank was hacked, since the hackers already had access to BCB, and access to both banks was not required to perform the fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) transfers.
It wouldn’t be worth the effort or risk for the FIN threat actors to attack the BNY when they already had essentially one billion at their fingertips. To increase the probability of the heist succeeding, the launderers involved would have sought out cooperation from, or at least felt comfortable working with, Rizal Commercial Banking Corporation (RCBC), the casinos (Solaire and Eastern Hawaii Leisure) and the exchanger Philrem. RCBC is at the top of the list since Maia Santos-Deguito, manager of RCBC’s branch on Jupiter Street in Makati, along with other management there, looks pretty guilty: she is accused of forging Go’s signature for P20mil and managed the four fraudulent accounts used in the heist.
Furthermore, the thieves would have wanted to be confident that the branch would have enough cash in its vault that day to handle the disbursement, or they would have risked a catastrophic delay. The same logic applies to the exchanger Philrem. I would be curious what the normal day-to-day operating cash on hand is for these institutions. The FireEye and BCB computer forensic reports may hold more key information on the hack. If the hackers knew what they were doing, covered their tracks, and have already left the network, it is very unlikely that there will be attribution. It is not uncommon for black hats to stay out of the money trail. Sometimes hackers get paid a set fee upfront, or once they compromise systems or information they sell it to a third party.
I do not know if that’s the case here, but it is a possibility. Hackers prefer to use e-currency like bitcoin for untraceable, anonymous money laundering, and the fact that they chose to do it the old-fashioned way lends weight to my theory. If the hackers themselves had been involved in the money laundering, they would have at least in part used bitcoin and other e-currencies to acquire some of the money. In closing, simple common sense and someone saying “wait, something doesn’t look right” is what changed a 1-billion heist into just 80 million. How much speed and timing come into play with electronic transfers is in deep contrast to hours of loading gold, jewels and cash onto trucks. The most manual part of this heist was exchanging gambling chips at the casino.
Imagine what heists may look like 10 years from now; gone are the days of the Wells Fargo stagecoach.