This week, the BBC published an investigative report detailing how, in 2016, North Korean hackers planned a $1 billion raid on Bangladesh’s national bank and very nearly succeeded. The cyber heist that came to be known as the Bangladesh Bank robbery showed how hackers navigated the global banking system, using administrative loopholes to execute a well-planned attack and transfer millions of dollars. It was one of the world’s biggest cyber heists.
The BBC investigation says the attack took place between February 4 and 7, 2016. The timing was carefully planned to take advantage of the time difference between Dhaka and New York City, the working hours in both cities, and the fact that the weekend falls on different days in the two places, with the heist timed to land on it.
The hackers, whom American investigative agencies believe are linked to North Korea, used fraudulent orders on the SWIFT payments system to try to move US$951 million, almost all the money in the account, out of Bangladesh’s central bank account at the Federal Reserve Bank in New York. They succeeded in stealing $81 million, which was transferred to accounts at the Manila-based Rizal Commercial Banking Corporation.
The BBC report points to an ordinary office printer located inside a “highly secure room on the 10th floor of the bank’s main office in Dhaka” that was reportedly malfunctioning. This printer was specifically used to print the bank’s transaction records, covering transfers worth millions of dollars. On February 5, 2016, bank staff found that the printer wasn’t working but assumed it was a technical glitch, one that occurred fairly often.
The BBC report says investigations later revealed that this malfunctioning printer was the first indication that the hackers had broken into Bangladesh Bank’s computer systems to steal US$1 billion. “When the bank’s staff rebooted the printer, they got some very worrying news. Spilling out of it were urgent messages from the Federal Reserve Bank in New York – the ‘Fed’ – where Bangladesh keeps a US-dollar account. The Fed had received instructions, apparently from Bangladesh Bank, to drain the entire account – close to a billion dollars,” the BBC report says.
The bank staff immediately tried contacting the Federal Reserve Bank in New York for more information but couldn’t get through. When the hackers started their work on February 4 at around 20:00 Bangladesh time, it was still morning in New York City. The next day, February 5, was a Friday, the report says, the start of the weekend in Bangladesh, when Bangladesh Bank’s headquarters in Dhaka is officially closed. By the time the hack was discovered in Dhaka, the weekend had also begun in New York City and offices there were closed.
The detailed planning of the hack was evident when investigations revealed that the hackers had intentionally chosen that specific week in February 2016. That weekend also happened to be the start of the Lunar New Year in East and Southeast Asia. So on Monday, February 8, when the money was transferred to banks in Manila, it coincided with the start of a major national holiday there.
“By exploiting time differences between Bangladesh, New York and the Philippines, the hackers had engineered a clear five-day run to get the money away,” the BBC report explains.
The report also delved into how the hackers had managed to access the printer in Bangladesh Bank’s secure room. That happened almost a year before the actual hack, the report says. “They had had plenty of time to plan all of this, because it turns out the Lazarus Group had been lurking inside Bangladesh Bank’s computer systems for a year.”
“In January 2015, an innocuous-looking email had been sent to several Bangladesh Bank employees. It came from a job seeker calling himself Rasel Ahlam. His polite enquiry included an invitation to download his CV and cover letter from a website. In reality, Rasel did not exist – he was simply a cover name being used by the Lazarus Group, according to FBI investigators,” the report says.
“At least one person inside the bank fell for the trick, downloaded the documents, and got infected with the viruses hidden inside. Once inside the bank’s systems, the Lazarus Group began stealthily hopping from computer to computer, working their way towards the digital vaults and the billions of dollars they contained.”
The actual draining of the accounts happened only a year later, the report says, because the hackers were lining up the next stages, planning how to move the money out in such a way that it could not be retrieved.
The BBC investigation attempted to piece together the sequence of events after the money was wired to the Manila banks and before it was withdrawn. “The RCBC Bank branch in Manila to which the hackers tried to transfer $951m was in Jupiter Street. There are hundreds of banks in Manila that the hackers could have used, but they chose this one — and the decision cost them hundreds of millions of dollars,” the BBC investigation says.
“The transactions…were held up at the Fed because the address used in one of the orders included the word ‘Jupiter’, which is also the name of a sanctioned Iranian shipping vessel.”
This triggered an automatic review of the payment transfers, which were stopped under the sanctions rules. But the BBC investigation explains that not all transfers were stopped: “Five transactions, worth $101m, crossed this hurdle.” The hackers would then have had access to the entire $101 million, hardly a small amount, even if it was not what they had originally planned.
As the investigation explains, of the $101 million, “$20m was transferred to a Sri Lankan charity called the Shalika Foundation, which had been lined up by the hackers’ accomplices as one conduit for the stolen money.” But this transfer was also stopped because the hackers had inadvertently made a spelling error, writing Foundation as Fundation when filling out the Sri Lankan charity’s name. That meant the hackers only successfully managed to transfer $81 million.
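The two controls that stopped money in the passages above, the sanctions screen that held the orders mentioning “Jupiter” and the check that stopped the “Fundation” transfer, can be sketched as a small payment-screening routine. The Python below is an added illustration, not code from the BBC report, from Bangladesh Bank or from any bank’s actual screening system. The watch list, the beneficiary registry, the account ids and the payment orders are all constructed for the example, and the Fundation case is modelled as a name-on-file mismatch rule, which is an assumption: the article says the spelling error stopped the transfer but does not describe the mechanism.

```python
import re
from dataclasses import dataclass, field

# Constructed watch list of names that must trigger a hold when they appear
# in a payment's free-text fields. Hypothetical entries, not a real sanctions list.
WATCH_LIST = ["JUPITER", "EXAMPLE VESSEL"]

# Constructed beneficiary registry: destination account -> legal name on file.
BENEFICIARY_REGISTRY = {
    "LK-CHARITY-001": "SHALIKA FOUNDATION",
    "PH-ACCT-0001": "EXAMPLE HOLDINGS INC",
}


@dataclass
class PaymentOrder:
    order_id: str
    amount_usd: int
    beneficiary_account: str
    beneficiary_name: str
    beneficiary_address: str


@dataclass
class ScreeningResult:
    order_id: str
    status: str                      # "RELEASE" or "HOLD"
    reasons: list = field(default_factory=list)


def normalize(text):
    """Upper-case and collapse punctuation so 'Jupiter St.' and 'JUPITER ST' compare equal."""
    return " ".join(re.findall(r"[A-Z0-9]+", text.upper()))


def watch_list_hits(text):
    """Return the watch-list entries that appear as whole words in the text."""
    norm = normalize(text)
    return [e for e in WATCH_LIST if re.search(rf"\b{re.escape(e)}\b", norm)]


def screen_order(order):
    reasons = []
    # Rule 1: a watch-list name anywhere in the beneficiary name or address holds
    # the payment for manual review, even when the match is only a street name.
    hits = watch_list_hits(f"{order.beneficiary_name} {order.beneficiary_address}")
    if hits:
        reasons.append("watch-list match: " + ", ".join(hits))
    # Rule 2 (assumed control): the beneficiary name on the order must match the
    # name on file for the destination account; an unknown account is held too.
    expected = BENEFICIARY_REGISTRY.get(order.beneficiary_account)
    got = normalize(order.beneficiary_name)
    if expected is None:
        reasons.append("beneficiary account not on file")
    elif got != expected:
        reasons.append(f"beneficiary name mismatch: got '{got}', expected '{expected}'")
    return ScreeningResult(order.order_id, "HOLD" if reasons else "RELEASE", reasons)


def screen_batch(orders):
    return [screen_order(o) for o in orders]


def released_total(orders):
    """Sum of the amounts that would leave the account after screening."""
    return sum(o.amount_usd for o in orders if screen_order(o).status == "RELEASE")


# Constructed sample batch; amounts, accounts and addresses are illustrative only.
SAMPLE_ORDERS = [
    PaymentOrder("ORD-1", 30_000_000, "PH-ACCT-0001", "Example Holdings Inc", "1 Jupiter St., Makati"),
    PaymentOrder("ORD-2", 20_000_000, "LK-CHARITY-001", "Shalika Fundation", "Colombo"),
    PaymentOrder("ORD-3", 5_000_000, "PH-ACCT-0001", "Example Holdings Inc", "Makati"),
]

if __name__ == "__main__":
    for r in screen_batch(SAMPLE_ORDERS):
        print(r.order_id, r.status, "; ".join(r.reasons))
    print("released:", released_total(SAMPLE_ORDERS))
```

Run as a script, it holds the first order on the watch-list hit and the second on the name mismatch, and releases only the third. The point of the first rule is that a screening filter matches on text, not intent: a street name that collides with a listed name is enough to hold a payment, which is exactly the kind of coarse control that stopped most of the $951 million.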
Even before the BBC investigation, by 2019, investigating agencies had confirmed that the money was withdrawn from the Manila banks and then disappeared into the casino industry in the Philippines. The report delves into the complex money-laundering process the hackers used to break the chain of traceability, with Manila’s casinos as its destination.
“The idea of using casinos was to break the chain of traceability. Once the stolen money had been converted into casino chips, gambled over the tables, and changed back into cash, it would be almost impossible for investigators to trace it,” the report says.
Within hours of the money being stolen, Bangladesh Bank realised that a massive heist had taken place and began taking steps to retrieve it, a process that was going to be very challenging.
Investigators traced the money to Manila’s casinos and recovered $16 million from one man, the BBC report says. But the remaining $34 million was still disappearing quickly. Investigators found that much of the remaining money was sent to Macau, another gambling hotspot, from where it was transferred to North Korea. They also found that most of the hackers involved in the cyber heist and in other similar actions the US regards as cyber crimes were based in Chinese towns near the North Korean border.
In 2018, the FBI filed a criminal complaint charging Park Jin Hyok, a North Korean citizen, “for his involvement in a conspiracy to conduct multiple destructive cyberattacks around the world resulting in damage to massive amounts of computer hardware, and the extensive loss of data, money and other resource”, according to public documents published by the US Department of Justice.
The complaint accused Park of working for the North Korean government and of engaging in “malicious activities” that “include the creation of the malware used in the 2017 WannaCry 2.0 global ransomware attack; the 2016 theft of $81 million from Bangladesh Bank; the 2014 attack on Sony Pictures Entertainment (SPE); and numerous other attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.”
At that time, First Assistant United States Attorney Tracy Wilkison said that “the complaint charges members of this North Korean-based conspiracy with being responsible for cyberattacks that caused unprecedented economic damage and disruption to businesses in the United States and around the globe.”
In 2019, Bangladesh filed a lawsuit in a US court against the Rizal Commercial Banking Corp (RCBC) over the Philippine bank’s alleged role in the biggest cyber heist. RCBC counter-filed a lawsuit against Bangladesh Bank claiming that its reputation had come under a sustained “vicious and public attack” by the bank, and sought at least $1.9 million in damages. The New York Federal Reserve pledged to help Bangladesh retrieve the money, but that process is ongoing with little progress.
Days after the heist, Bangladesh’s then finance minister A.M.A. Muhith asked Atiur Rahman, the governor of Bangladesh Bank on whose watch the heist had occurred, to resign. The cyber heist had hugely embarrassed the Bangladesh government.
Bangladesh and North Korea maintain bilateral relations, and North Korea has an embassy in Dhaka. Bangladesh’s embassy in China represents the country in both Beijing and Pyongyang.