This week, the BBC published an investigative report detailing how, in 2016, North Korean hackers planned a $1 billion raid on Bangladesh’s national bank and almost entirely succeeded. The cyber heist that came to be known as the Bangladesh Bank robbery showed how hackers navigated the global banking system, using administrative loopholes to execute a well-planned attack that transferred millions of dollars. It was one of the world’s biggest cyber heists.
The Bangladesh Bank robbery: How the heist happened
The BBC investigation says that the attack happened between February 4 and 7, 2016. The timing was carefully planned to take advantage of the time difference between Dhaka and New York City, the working hours in both cities, and the fact that the weekend falls on different days in the two places.
The hackers, whom American investigative agencies believe are linked to North Korea, used fraudulent orders on the SWIFT payments system in an attempt to steal US$951 million, almost the entire balance of Bangladesh’s central bank account. That account was held at the Federal Reserve Bank in New York; of the sum ordered, the hackers successfully moved $81 million to accounts at Manila-based Rizal Commercial Banking Corporation.
So how did the hackers actually infiltrate Bangladesh Bank’s systems?
The BBC report points to an ordinary office printer located inside a “highly secure room on the 10th floor of the bank’s main office in Dhaka” that was reportedly malfunctioning. This printer was used specifically to print the bank’s transaction records, covering transfers worth millions of dollars. On February 5, 2016, bank staff found that the printer wasn’t working but assumed it was a technical glitch, one that occurred fairly often.
The BBC report says that investigations later revealed that this malfunctioning printer was the first indication that the hackers had broken into Bangladesh Bank’s computer systems to steal US$1 billion. “When the bank’s staff rebooted the printer, they got some very worrying news. Spilling out of it were urgent messages from the Federal Reserve Bank in New York – the “Fed” – where Bangladesh keeps a US-dollar account. The Fed had received instructions, apparently from Bangladesh Bank, to drain the entire account – close to a billion dollars,” the BBC report says.
The bank staff immediately tried contacting the Federal Reserve Bank in New York for more information but couldn’t get through. The timing explains why: when the hackers started their work on February 4 at around 20:00 hours Bangladesh time, it was morning in New York City. The next day, February 5, was a Friday, the report says, the start of the weekend in Bangladesh, when Bangladesh Bank’s headquarters in Dhaka is officially closed. By the time the hack was discovered in Dhaka, the weekend had already begun in New York City and offices there were closed.
The detailed planning of the hack was evident when investigations revealed that the hackers intentionally chose that specific week in February 2016 to execute it. That weekend also happened to be the start of the Lunar New Year in East and Southeast Asia. So, on Monday, February 8, when the money was transferred to banks in Manila, it coincided with the start of a major national holiday there.
“By exploiting time differences between Bangladesh, New York and the Philippines, the hackers had engineered a clear five-day run to get the money away,” the BBC report explains.
The report also delved into how the hackers had managed to access the printer in Bangladesh Bank’s secure room. That happened almost a year before the actual hack, the report says. “They had had plenty of time to plan all of this, because it turns out the Lazarus Group had been lurking inside Bangladesh Bank’s computer systems for a year.”
“In January 2015, an innocuous-looking email had been sent to several Bangladesh Bank employees. It came from a job seeker calling himself Rasel Ahlam. His polite enquiry included an invitation to download his CV and cover letter from a website. In reality, Rasel did not exist – he was simply a cover name being used by the Lazarus Group, according to FBI investigators,” the report says.
“At least one person inside the bank fell for the trick, downloaded the documents, and got infected with the viruses hidden inside. Once inside the bank’s systems, the Lazarus Group began stealthily hopping from computer to computer, working their way towards the digital vaults and the billions of dollars they contained.”
The actual draining of the accounts happened only a year later, the report says, because the hackers were lining up the next stages, planning how to remove the money in such a way that it would not be possible to retrieve it.
The BBC investigation attempted to piece together the sequence of events after the money was wired to the Manila banks and just before it was withdrawn. “The RCBC Bank branch in Manila to which the hackers tried to transfer $951m was in Jupiter Street. There are hundreds of banks in Manila that the hackers could have used, but they chose this one — and the decision cost them hundreds of millions of dollars,” the BBC investigation says.
“The transactions…were held up at the Fed because the address used in one of the orders included the word ‘Jupiter’, which is also the name of a sanctioned Iranian shipping vessel.”
This triggered an automatic review of the payment transfers, which were stopped because of the sanctions in force. But the BBC investigation explains that not all transfers were stopped: “Five transactions, worth $101m, crossed this hurdle.” The $101 million that the hackers would have had access to was no small amount, even if it fell far short of what they had originally planned.
As the investigation explains, of the $101 million, “$20m was transferred to a Sri Lankan charity called the Shalika Foundation, which had been lined up by the hackers’ accomplices as one conduit for the stolen money.” But this transfer was also stopped because the hackers had inadvertently made a spelling error, writing Foundation as Fundation, when filling out the Sri Lankan charity’s name. That meant the hackers successfully transferred only $81 million.
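The two controls that caught part of the transfer, a sanctions filter matching the word “Jupiter” in an address field and a receiving-bank check that the beneficiary name matched the account holder, can be modelled in a few lines. This is an added example written for this explainer, not the Fed’s, RCBC’s or any bank’s actual screening code; the watch-list term, account register, account numbers, holder names and amounts are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative data: a hypothetical watch-list term and account
# register, not the real 2016 SWIFT messages or any bank's filter rules.
SANCTIONS_TERMS = {"jupiter"}
REGISTERED_BENEFICIARIES = {          # account -> registered holder name
    "LK-0001": "Shalika Foundation",
    "PH-1001": "Account Holder A",    # placeholder names
    "PH-1002": "Account Holder B",
}

@dataclass
class Order:
    order_id: str
    amount_usd: int
    beneficiary_account: str
    beneficiary_name: str
    beneficiary_address: str

def _tokens(text):
    """Lower-case the text and split it into a set of alphanumeric tokens."""
    return set(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())

def screen_order(order):
    """Return (status, reason). Step 1 models the correspondent bank's sanctions
    filter, which screens every free-text field, so a street name that matches a
    sanctioned vessel holds the order. Step 2 models the receiving bank's check
    that the stated beneficiary matches the registered account holder."""
    hits = _tokens(order.beneficiary_name + " " + order.beneficiary_address) & SANCTIONS_TERMS
    if hits:
        return "HELD", f"sanctions term {sorted(hits)} found in order fields"
    registered = REGISTERED_BENEFICIARIES.get(order.beneficiary_account)
    if registered is None or _tokens(registered) != _tokens(order.beneficiary_name):
        return "HELD", f"beneficiary {order.beneficiary_name!r} does not match account holder {registered!r}"
    return "RELEASED", "no screening hit"

def released_total(orders):
    """Sum of the amounts that pass both checks."""
    return sum(o.amount_usd for o in orders if screen_order(o)[0] == "RELEASED")

# Constructed sample orders echoing the report: one held on 'Jupiter', one on
# the misspelt 'Fundation', one released. Amounts are illustrative.
SAMPLE_ORDERS = [
    Order("ORD-1", 30_000_000, "PH-1001", "Account Holder A", "Jupiter Street, Makati, Manila"),
    Order("ORD-2", 20_000_000, "LK-0001", "Shalika Fundation", "Colombo, Sri Lanka"),
    Order("ORD-3", 81_000_000, "PH-1002", "Account Holder B", "Makati, Manila"),
]
```

Because the name check compares token sets, word order is ignored but a single misspelt word is enough to hold the order, which is the behaviour the report describes.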
Bangladesh Bank’s attempts at retrieval
Even before the BBC investigation, by 2019, investigating agencies had confirmed that the money was withdrawn from the Manila banks, after which it disappeared into the casino industry in the Philippines. The report delves into the complex money-laundering process the hackers used to break the chain of traceability, with Manila’s casinos as the destination.
“The idea of using casinos was to break the chain of traceability. Once the stolen money had been converted into casino chips, gambled over the tables, and changed back into cash, it would be almost impossible for investigators to trace it,” the report says.
Within hours of the money being stolen, Bangladesh Bank had realised that a massive heist had taken place and began taking steps to retrieve the funds, a process that was going to be very challenging.
They managed to trace the money to Manila’s casinos and recovered $16 million from one man, the BBC report says. But the remaining $34 million was disappearing quickly. Investigators found that much of it was sent to Macau, another gambling hotspot, from where it was transferred to North Korea. They also found that most of the hackers involved in the cyber heist, and in other similar actions that the US regards as cyber crimes, were based in Chinese border towns near the China-North Korea border.
Retrieving the money
In 2018, the FBI filed a criminal complaint charging Park Jin Hyok, a North Korean citizen, “for his involvement in a conspiracy to conduct multiple destructive cyberattacks around the world resulting in damage to massive amounts of computer hardware, and the extensive loss of data, money and other resource”, according to public documents published by the US Department of Justice.
The complaint accused Park of working for the North Korean government and of engaging in “malicious activities” that “include the creation of the malware used in the 2017 WannaCry 2.0 global ransomware attack; the 2016 theft of $81 million from Bangladesh Bank; the 2014 attack on Sony Pictures Entertainment (SPE); and numerous other attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.”
At that time, the First Assistant United States Attorney Tracy Wilkison, had said that “the complaint charges members of this North Korean-based conspiracy with being responsible for cyberattacks that caused unprecedented economic damage and disruption to businesses in the United States and around the globe.”
In 2019, Bangladesh filed a lawsuit in a US court against the Rizal Commercial Banking Corp (RCBC) over the Philippine bank’s alleged role in the heist. RCBC filed a countersuit against Bangladesh Bank, claiming that its reputation had come under a sustained “vicious and public attack” by the bank, and sought at least $1.9 million in damages. The New York Federal Reserve pledged to help Bangladesh retrieve the money, but that process is ongoing with little progress.
Days after the heist, Bangladesh’s then finance minister A.M.A. Muhith asked Atiur Rahman, the governor of Bangladesh Bank on whose watch the heist had occurred, to resign. The cyber heist had hugely embarrassed the Bangladesh government.
Bangladesh and North Korea maintain bilateral relations, and North Korea has an embassy in Dhaka. Bangladesh’s embassy in China represents the country in both Beijing and Pyongyang.