Bangladesh’s central bank has said it is withholding findings of investigations into the cyber theft of $81 million from its account at the Federal Reserve Bank of New York to avoid tipping off the “foreign perpetrators” of the hack.
Bangladesh Bank lawyer Ajmalul Hossain was responding to comments by Rizal Commercial Banking Corp (RCBC) in the Philippines – through which the stolen money was routed before disappearing into Manila’s casino industry – that the central bank in Dhaka was wary of releasing reports that could implicate its own officials.
More than six months have passed since hackers broke into the Bangladesh central bank’s computer systems in one of the biggest-ever cyber heists.
Most of the $81 million stolen is still missing and the culprits have not been identified, but Bangladesh Bank has held RCBC accountable for the loss. It has said it may sue RCBC if other efforts to recover the money are unsuccessful.
“Bangladesh Bank knows enough about what happened from the internal and external reports so far obtained by it and others,” the central bank’s lawyer Hossain told Reuters late on Saturday.
“This truth is being deliberately withheld from the public domain so as not to allow the foreign perpetrators of the hacking to have knowledge of the investigations.”
RCBC has questioned Bangladesh Bank’s June decision not to extend a contract with U.S. cyber security firm FireEye to investigate the February theft, saying the recovery of the money could be “imperilled” if someone within the central bank was found responsible for the heist.
The initial FireEye report submitted to Bangladesh Bank in March and seen by Reuters had blamed a sophisticated third party for the attack and had identified around 35 “compromised” Bangladesh Bank assets. As many as six types of malware were used to infect Bangladesh Bank computer systems.
A Bangladesh government-appointed panel said in May that Bangladesh Bank officials may have been involved in the brazen theft, but its report has also yet to be released.
“That’s why I think a report is not forthcoming,” Maria Celia Estavillo, RCBC’s legal and regulatory affairs head, told Reuters. “They should finish their investigation, they should find out what happened in Bangladesh, they should find out who is liable there, they should give a copy of that to the Philippines government. And if they are confident of the strength of their case, they should file a case in court.”
The central bank of the Philippines last week fined RCBC a record 1 billion pesos ($21 million) in connection with the heist.
RCBC had expected the fine because of some lapses within the bank, Estavillo said, but blamed a couple of rogue employees for letting the money go out of the bank despite stop-payment instructions from Bangladesh Bank. She said internal investigations by the bank showed nobody from its head office was complicit. Bangladesh Bank said RCBC had “corporate knowledge” of the money laundering.