Bangladesh Central Bank Sues Philippine Bank Over $101 Million Cyberheist, Alleging Collusion with North Korean Hackers

By:
Chris Gaetano
Published Date:
Feb 6, 2019
blake-connally-373084-unsplash

The Central Bank of Bangladesh has filed suit against the Philippines-based Rizal Commercial Banking Corp. (RCBC), alleging that the financial institution actively collaborated with North Korean hackers in a $101 million cyberheist that used the U.S. Federal Reserve's SWIFT system to drain its accounts, according to CFO.com

The heist, which took place in 2016, is one of the largest bank robberies in history, and entailed thieves stealing not just from a commercial institution but an entire country. Hackers had installed malware in the Bangladeshi central bank's network to steal credentials for payment transfers. Overnight, they began sending instructions through the U.S. Federal Reserve's SWIFT system—which is used by banks, governments, and other major institutions to process international transactions—to begin transferring some $900 million to various entities and accounts in south Asia. The plot was discovered when one of the requests asked that $20 million be sent to a "fandation" in Sri Lanka. The routing bank contacted Bangladesh Bank for clarification. Realizing it was being robbed, Bangladesh Bank was able to stop that transfer, but by then $101 million had already left the country (initial estimates were $80 million), though the bank was able to prevent an additional $800 million being sent out. In the aftermath, the nation pointed fingers at the U.S. Federal Reserve, saying that the Fed allowed this to happen, but the Fed noted that it wasn't its  network that got hacked, and that the transfers followed protocol. 

Now, three years later, the Bangladesh central bank says that the heist arose from a multiyear conspiracy between North Korean hackers and RCBC, which is said to have not only stored the pilfered cash for the hackers, but also actively laundered it. The defendants used "a series of intentionally complicated account transfers and foreign exchange transactions to launder the Bank’s stolen funds," mostly involving the casino industry, according to the suit, filed in the Southern District Court of New York. 

"This highly-complicated, intricately planned heist of tens of millions of dollars from New York City only worked because of the coordination of the conspiracy and enterprise established among the Defendants, each of whom, as set out in great detail below, played their parts well," said the complaint. "Each of these Defendants profited from the theft, some quite handsomely."

The suit also alleges that the hackers are the same ones responsible for the massive data breach at Sony, and that they essentially used the exact same types of techniques on the central bank that they used on the entertainment company, calling the Sony hack a dry run for the later attack. 

The complaint says that the North Korean hackers needed "a bridge between the Bank's account in New York City and the Philippines casinos," and that RCBC was a "perfect fit," as "it had correspondent back accounts at commercial banks in New York City that would serve as intermediary accounts to receive, directly from the New York Fed, the Bank's stolen funds and then transfer them out of the United States to fictitious accounts set up at one of the RCBC branches in the Philippines, from which the stolen funds could be laundered." The suit alleges that RCBC had set up a number of fictitious accounts well in advance of the theft, which then remained dormant until the plan was ready to proceed. These accounts, says the suit, were opened at the behest of senior officers and branch management, bypassing internal procedures and controls and choosing to ignore red flags so the fake accounts could "lie in wait for months to receive the Bank's stolen funds." Each of them were associated with an entire fictitious person. Because these accounts were, by RCBC's own admission, attached to fake people, the suit said the only entity that could possibly transfer funds in and out of them were RCBC itself, whose personnel had full authority and control over them. 

The complaint alleges that when the hackers began siphoning money from Bangladesh, they transferred the money first to accounts at intermediary banks with correspondent accounts linked to RCBC (it named Wells Fargo, BNY Melon and Citibank), and then to the fake accounts that the complaint alleges RCBC set up beforehand in the Philippines. 

The suit also alleges that bank leaders were actively monitoring the fictitious accounts, waiting for the money to arrive. It said they had to work quickly before the authorities discovered the heist and froze the accounts. So, within minutes of receiving the money, the hackers began immediately transferring the cash to other accounts, some of which were opened within minutes specifically to hold the stolen funds, before transferring them again to a money transmitter called Philrem (also named in the suit). Philrem then turned the money into five managers checks that listed Philrem as the payee, and these checks were then deposited into the transfer service's other accounts at two other banks, Banco de Oro Unibank and Metropolitan Bank and Trust Company. The suit said that each of these transfers generated significant fees for the bank, allowing it to profit from the scheme. 

This all happened, said the suit, in less than an hour. But that wasn't all the money. The suit also alleges that, in addition to this extremely complicated scheme, the bank also withdrew physical cash from other fictitious accounts so that a hold wouldn't affect the defendants' ability to launder the money, and the defendants took it out in cardboard boxes. Other funds, however, were still in the bank when, as predicted, a stop order came through the system telling the bank to cease the suspicious transfers until authorities could look at them. The suit alleges that the bank lifted these orders and continued transferring the money out of the fictitious accounts. Only once they were almost completely drained did the bank finally comply with the stop order. Once all the money was in the hands of the wire service, it then transferred those funds to "casinos, individuals, and questionable businesses." 

One of the casinos is said to have turned the stolen funds into chips, which were turned into a special type of "junket chip" that was then, over the course of a month, spent on various gaming sessions until all of them had been spent, at which point the casino is alleged to have stopped all sessions involving them and confiscated the chips. Another casino simply received the money in its bank account, which was then withdrawn from the casino's owner into his own personal account and eventually redeposited into the commercial account. The suit also says that the aforementioned cardboard boxes full of cash were dropped off by Philrem representatives to the casino owners for further laundering. 

The suit also noted that RCBC was fined by the Philippine Central Bank—the largest fine in its history—for its lack of action and care on the matter. The casino owners were questioned and largely pointed fingers at each other, giving contradictory accounts to authorities. The suit said that although the particulars may vary, "there is no real dispute that these stolen funds were laundered by [the casino owners] and other defendants." 

RCBC, in response to the suit, said the matter was nothing more than a political stunt to give Bangladesh political cover for its information security failings. But the suit noted that there have already been prosecutions related to the matter, such as that of RCBC bank manager Maia Santos, who was found last month to be guilty of eight counts of money laundering. Further, the New York Federal Reserve thinks there could be more to the story, too, as it is providing technical assistance to the Bangladesh bank as part of a resolution and assistance agreement. It said that the two central banks are aligned in their pursuit of recovering funds and directing litigation against those who were complicit in or benefited from the fraud. 

Click here to see more of the latest news from the NYSSCPA.