When North Korean hackers almost pulled off a billion-dollar heist from Bangladesh Bank
On February 5, 2016, around 8:30 PM, a printer on the 10th floor of the Bangladesh Bank started malfunctioning. When the staff discovered the malfunction at 8:45 PM, they thought it was just another IT hiccup. Glitches had happened before and the staff didn't think about it too much. However, when the printer was rebooted, it began printing messages from the Federal Reserve Bank in New York, where Bangladesh keeps a US-dollar account, saying that the Fed received instructions, apparently from Bangladesh Bank, to drain the entire account - close to a billion dollars.
It was the first sign of a compromised system that led hackers to attempt a daring billion-dollar heist from the Bangladesh Bank. The hackers ultimately made off with USD 81 million and the heist became known as The Lazarus heist, the most audacious cyber-attack ever attempted.
Two years later, the FBI traced the heist back to a group of North Korean hackers who went by the name of The Lazarus Group. And the story of the heist and the investigation comes alive now in a report by Geoff White and Jean H Lee of the BBC.
According to the BBC report, the Bangladesh Bank hack was a project that took years of planning and methodical preparation by a team of hackers trained under the direct patronage of the government of North Korea and middlemen across Asia.
The Lazarus Group had been lurking inside Bangladesh Bank's computer systems for a year before the heist. In January 2015, several Bangladesh Bank employees received a job application from one Rasel Ahlam. The application email invited the employees to download a CV and cover letter from a website. The identity of Rasel was only a ruse created by the Lazarus Group. Some employee from the inside of the bank fell for the hoax, downloaded the documents and infected the system with the virus that the email contained. This allowed the hackers to enter the bank's computers and they began to work their way through the digital vaults with a massive amount of cash in holding.
In May 2015, a few months after the hackers accessed Bangladesh Bank's systems, four accounts were set up in a branch of RCRC, one of the Philippines largest banks by the hackers' accomplices. This bank was situated next to an eco-hotel and a dental surgery in Jupiter Street, a busy thoroughfare in Manila. There were indications of suspicious activities: the driver's licences used to set up the accounts were fakes, and the applicants all claimed to have the same job title and salary, despite working at different companies, but they went unnoticed. For months the accounts were idle with their initial $500 deposit untouched while the hackers worked on other aspects of the plan.
The hackers waited for a year after the initial phishing email arrived at the bank and risked being discovered while hiding inside the bank's systems all that time to line up their escape routes for the money.
Thursday, February 4, 2016, was when the big day started for the hackers. It was Thursday morning in New York. The Fed was left with plenty of time to carry out the hackers' intentions while Bangladesh went into its weekend the following day, which extends from Friday through Saturday. The bank's Dhaka headquarters were shut down for two days, and when Bangladesh Bank authorities discovered the theft on Saturday, New York went into its weekend. This loophole resulting from the time difference delayed the discovery for almost three days.
After the initiation and transfer of money out of the Fed, the hackers transmitted it to accounts they had set up in Manila, the Philippines' capital. In 2016, the first day of the Lunar New Year, a national holiday in Asia, was Monday, February 8th. They took advantage of the timing to the fullest and devised a five-day plan to get the money out.
After having successfully hacked into Bangladesh Bank and creating conduits for the money began the next phase of the plan. There was still one obstacle- the printer on the 10th floor. Bangladesh Bank had created a paper backup system to record all transfers made from its accounts. This record of transactions risked exposing the hackers' work instantly. And so they hacked into the software controlling it and took it out of action. With their traces hidden, the hackers began making their transactions at 08:36 PM on Thursday, February 4, 2016, totalling $951 million, practically the entire contents of Bangladesh Bank's New York Fed account.
As Bangladesh Bank discovered the missing money throughout that weekend, the officials struggled to work out what had happened. The Governor of the bank asked for US-based cyber-security expert Rakesh Asthana and his company World Informatix's assistance. Asthana was instantly at it and started discovering just how deep the hack went. He found out the thieves had gained access to a key part of Bangladesh Bank's systems, called Swift. It's the system used by thousands of banks around the world to coordinate transfers of large sums between themselves. The hackers didn't need to exploit the loopholes in this system, as far as Swift's software was concerned the hackers looked like genuine bank employees.
It soon became clear to Bangladesh Bank's officials that the transactions couldn't just be reversed. Some money had already arrived in the Philippines, where the authorities told them they would need a court order to start the process to reclaim it. Court orders are public documents, and so when Bangladesh Bank finally filed its case in late February, the story that was kept confidential went public.
The RCBC bank branch in Manila to which the hackers tried to transfer USD 951 million was in Jupiter Street. There are hundreds of banks in Manila that the hackers could have used, but they chose this one - and the decision cost them hundreds of millions of dollars.
"Jupiter" set alarm bells ringing in the Fed's automated computer systems. The payments were reviewed, and most were stopped. There were five transactions worth USD 101 million. Of that, USD 20 million was transferred to a Sri Lankan charity called the Shalika Foundation, which had been lined up by the hackers' accomplices as one conduit for the stolen money. The founder, Shalika Perera, said that she believed the money was a legitimate donation. But a tiny detail that derailed the hackers' plans made it come to light. The transfer was made to the "Shalika Foundation", which came to the notice of an eagle-eyed bank employee, who spotted the spelling mistake and the transaction was reversed. However, USD 81 million still got through. By the time Bangladesh Bank began its efforts to claw the money back, the hackers had already taken steps to make sure it stayed beyond reach.
On Friday, February 5, the four accounts set up the previous year at the RCBC branch in Jupiter Street suddenly became active. The money was transferred between accounts, sent to a currency exchange firm, swapped into local currency and re-deposited at the bank. Some of it was withdrawn in cash.
The burglars initiated the next stage of their money-laundering operation on the casino floor of the Solaire, one of Asia's most exquisite casino floors and a popular destination for mainland Chinese gamblers. $50 million was deposited in accounts at the Solaire and another casino, the Midas, out of the $81 million that passed through the RCBC bank. The remaining $31 million was handed to a Chinese man named Xu Weikang, who is thought to have departed town on a private plane and has not been seen since, according to a Philippines Senate Committee set up to investigate. The purpose of employing casinos was to break the traceability chain. It would be nearly impossible for authorities to track the stolen money once it had been transformed into casino chips, bet on the tables, and then changed back into cash.
The team was thorough in securing the money as well. Instead of gambling in the casino's public areas, the thieves reserved private rooms and filled them with accomplices who would play at the tables, giving them complete control over how the money was spent. They also played Baccarat, a popular game in Asia, with the stolen funds. There are only two possibilities in this game, and a relatively experienced player can recoup 90% or more of their stake, which is considered an outstanding conclusion for money launderers, who often get a much lower return. The gamblers waited inside Manila's casinos for weeks, washing their money.
In the meantime, Bangladesh Bank was catching up. Bank authorities travelled to Manila to track down the money trail. When it came to the casinos, though, things became more tricky. At the time, money laundering legislation did not apply to gaming establishments in the Philippines. The money had been deposited by legitimate gamblers who had every right to spend it at the tables, which made it almost impossible to track the laundered money.
As money stolen from Bangladesh Bank was laundered through the Philippines, multiple connections to Macau, a Chinese enclave akin to Hong Kong that is known for gambling and home to some of the world's most prominent casinos, began to surface. Several of the men behind the Solaire gaming excursions were traced back to Macau.
Officials from the Bangladesh Bank were able to retrieve USD16 million of the stolen funds from Kim Wong, one of the guys who organized the gambling trips at the Midas casino. He was arrested, but the charges were dropped afterwards. The remaining USD 34 million, on the other hand, was evaporating. According to investigators, its next destination would bring it closer to North Korea.
Similar hacks have been carried out since the heist in 2016. In May 2017, the WannaCry ransomware outbreak scrambled victims' files and charged them a ransom of several hundred dollars to retrieve their data, paid using the virtual currency Bitcoin. The National Health Service in the United Kingdom was particularly hard struck; emergency rooms were impacted, and important cancer visits had to be rescheduled.
As detectives from the UK's National Crime Agency began working with the FBI on the investigation, they discovered remarkable parallels between the viruses used to breach Bangladesh Bank, and the FBI subsequently added this attack to Park Jin-hyok's accusations. According to the FBI's allegations, North Korea's cyber army had now embraced cryptocurrency, which largely bypasses the traditional banking system and could therefore avoid costly overheads, such as pay-offs to middlemen.
As of now, Bangladesh Bank is trying to recover the rest of the stolen money to this day. The estimates are around USD 65 million. The Bank has taken legal action against dozens of people and institutions, including the RCBC bank, which denies the allegation of breaching rules.