Fraud , Governance , Incident Response

Bangladesh Bank Hackers Steal $100 Million

Attackers Reportedly Targeted $1 Billion in Bank's New York Fed Account
Bangladesh Bank Hackers Steal $100 Million

Hackers stole $100 million from the central bank of Bangladesh after apparently obtaining payment-transfer codes and moving the money overseas in what Information security experts say appears to be one of the largest bank heists in history. But the bank reportedly managed to block a further transfer of $870 million initiated by attackers.

See Also: Secrets to a Simpler Security Incident Response

Bangladesh Bank, based in Dhaka, which serves as the central bank and apex regulatory body for the country's monetary and financial system, says the missing funds were being held in an account at the Federal Reserve Bank of New York. The Bangladesh government has not confirmed the amount that was stolen or which has been recovered.

But Bangladesh Finance Minister Abul Maal Abdul Muhith says his government holds the New York Fed responsible for any unrecovered losses. "The Federal Reserve is liable for all this. Those who handle this account, they made error," he said in a statement. "What we have gathered is that the Federal Reserve had sent a message to Bangladesh Bank, saying, 'We have got an instruction of this nature from you, please confirm' [and] Bangladesh Bank replied that it was false. But the transaction had taken place before Bangladesh Bank's response reached them. So, the Federal Reserve in no way can deny its responsibility."

The New York Fed on March 7, however, denied those allegations, later noting in a March 9 statement that there is "no evidence that any Fed systems were compromised." It added that the transfers were correctly authorized. "The payment instructions in question were fully authenticated ... in accordance with standard authentication protocols."

Multiple security experts have suggested that the attackers - potentially working with insiders - studied the bank's internal working procedures and were able to steal and employ legitimate credentials for moving the money. Officials at Bangladesh Bank could not be immediately reached for comment.

Money Transferred via SWIFT

The stolen money appears to have been moved using SWIFT, a Belgium-based cooperative banking messaging platform that banks use to move money internationally. In total, 30 SWIFT requests were made on Feb. 5 using Bangladesh Bank's SWIFT code, of which five were successful, Bangladesh's Bengali-language newspaper Prothom Alo reported.

The Philippine Daily Inquirer reports that hackers appeared to have stolen $951 million in total and moved some of it to five accounts held at Rizal Commercial Banking Corporation in the Philippines via SWIFT, after which the bank released $81 million of the funds to clients. But the bank was reportedly able to halt an additional $951 million that attackers transferred into RCBC accounts after the bank received an "MT103" SWIFT alert. The bank says it's working with authorities to investigate the matter.

A SWIFT spokesman tells Information Security Media Group that his organization is aware of the investigation and its network does not appear to have been hacked. "SWIFT does not comment on individual users or messages, but has already confirmed it is in contact with the parties concerned and that there is no indication that its network has been compromised," he says.

Kayvan Alikhani, a senior director with security firm RSA, tells Reuters that to employ SWIFT, the attackers likely needed not just related usernames and passwords, but also cryptographic authentication keys, which could have been accessed and stolen in advance of the attack. "You are only as good as your weakest link when getting access to the SWIFT network and doing a transfer," he said.

Alleged Money Laundering in Philippines

To date, investigators have traced $81 million of the missing money to deposits into bank accounts at RCBC, according to a March 9 report in the Philippine Daily Inquirer. The newspaper reports that the stolen $81 million was first transferred on Feb. 5 to three U.S. banks - Bank of New York, Citibank and Wells Fargo - before being moved via international wire transfers into five RCBC accounts that had been opened a few months previously, using fake identities. It adds that the funds were then converted to Philippine pesos using the foreign exchange broker Philippine Remittances, a.k.a. Philrem, transferred back to the RCBC accounts, used to buy gaming tokens at three casinos, then re-deposited as winnings. Government officials have said that the funds were then moved to a bank account controlled by an unnamed Chinese-Filipino businessman and ultimately moved overseas, including to one or more accounts in Hong Kong.

RCBC's management team denies any knowledge of the alleged money-laundering activities. "RCBC is investigating the deposit of $81 million in its Jupiter branch and the subsequent transactions thereon," RCBC's corporate vice chairman Cesar Virata says in a statement.

"RCBC and its principal shareholders - the Yuchengco family, Cathay Life, the largest life insurance company in Taiwan, and IFC, the investment arm of the World Bank - are fully committed to comply with all banking laws and regulations, in particular those on money laundering," Virata said. "The bank has timely submitted the required reports to the AMLC [Anti-Money Laundering Council] and will cooperate with government regulators."

Meanwhile, another $20 million stolen by attackers has been recovered, Reuters reports, after hackers misspelled the name of the Sri Lankan non-profit organization - Shalika Foundation - to which they were attempting to transfer the money. The hackers reportedly typed "fandation," thus prompting one of the routing banks, Deutsche Bank, to flag the transaction for further review by Bangladesh Bank, ultimately resulting in the transfer being stopped.

More Push for Blockchains?

The scale of this heist will no doubt lead to further research into systems that might help augment or replace existing money-transfer measures, such as SWIFT, for example, by using cryptocurrency-style public ledgers - blockchains - to maintain definitive records of all transactions (see Could Blockchain Play Broader Role in Payments?).

"If you talk to bankers, they would love to get rid of some parts of the banking system, especially SWIFT," renowned cryptographer Adi Shamir said last week at the RSA Conference in San Francisco, speaking on a panel devoted to bitcoins and blockchains.

Shamir is the "S" in the RSA cryptosystem, which was the world's first practical public-key cryptosystem, and he noted that financial services firms continue to seek new ways to secure and track payments, especially internationally.

"SWIFT is responsible for a large fraction of all of the money transfers between banks," he said. "It uses fairly old technology, it charges high fees, money transfer is relatively slow. There are all kinds of reasons why banks hate SWIFT, and they would love to replace it with a mechanism that costs nothing, that leads to agreement about whether the money was moved or not."

As the details of the Bangladesh Bank heist suggest, SWIFT is not immune to being used by criminals. For example, the gang behind the notorious Carbanak - a.k.a. Anunak - campaign worked in part by infecting bank systems with malware, then used SWIFT transfers to move money out of the hacked financial services firms, after studying how the firms crafted their related messages and emulating them, according to researchers at security firm Kaspersky Lab. Carbanak has been tied to $1 billion in losses (see Sophisticated Carbanak Banking Malware Returns, With Upgrades).

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network