In the financial world, Bangladesh Bank (BB) cyber heist, happened in February, 2016 is considered as a landmark event; for all the wrong reasons though.
Never had been in the history of financial transactions— be it digital or manual—robbers have attempted stealing a billion USD; in case of BB heist, they did and successfully amassed $81 million. The robbers—hackers to be precise— stole that $81 million via an account with the New York Federal Reserve AKA Fed which holds the accounts of some 250 foreign central banks and governments.
A hacking group called Lazarus that is believed to have connections to North Korea has been linked to the Bangladesh cyber heist and some U.S. officials said earlier this year that prosecutors were building a case against Pyongyang.
The fund was wired to four accounts with false names at a Manila branch of the Philippines’s Rizal Commercial Banking Corp (RCBC) before vanishing. Most of the money was later laundered through Philippine casinos.
About $15 million recovered from a gaming junket operator has so far been returned to Bangladesh, but the country is yet to recover $66.37 million.
The $15 million that Bangladesh has been able to recover is part of $35 million that Manila casino boss Kim Wong had told a Philippines Senate inquiry he received from two Chinese gamblers without knowing it was stolen.
Reuters reported on December 8 that BB has recently asked the Fed to join a lawsuit it plans to file against the RCBC for its role in one of the world’s biggest cyber-heists.
Besides, BB wants SWIFT— the Belgium-based cooperative of 3,000 organizations that maintains a messaging platform used by banks, mostly in Europe, to transfer money across borders—to be a joint petitioner of the civil suit.
According to the agency report, the Fed as well as the SWIFT authority is yet to respond formally, but there is no indication it would join the suit.
RCBC has already been fined a record one billion pesos ($19.54 million), about one fifth of its profit in 2016, by the Philippine central bank for its failure to prevent the movement of the stolen money through its bank.
In November, 2016, RCBC however said, it is not liable to compensate Bangladesh for the bank heist money deposited in its accounts and instead blamed the central bank in Dhaka for being “negligent.”
A BB spokesperson meanwhile said “halt payment” instructions were sent to RCBC both by Bangladesh Bank and the Federal Reserve Bank of New York but that RCBC did not comply.
MUHIT’S COMMENT AND RCBC’S BACKLASH
Finance Minister Abul Maal A. Muhith, known for delivering impromptu comments in front of media, said on December 9 that “We want to wipe out Rizal bank from the world.”
Muhit was responding to questions from reporters about the Reuters story. He said, “The Bangladesh Bank has taken a decision (on filing a suit). They will let me know. We haven’t so far taken any steps as the Philippines government was taking care of it (investigating the heist).”
“But it seems Rizal bank has been playing delinquent,” he said.
In response, RCBC on December 12 accused BB of covering-up its faults in the cyberheist, responding to Muhit’s remark to “wipe out” the Philippine lender, as reported by The Manila Times.
In a statement the RCBC claimed the theft was an inside job and that Bangladesh was attempting to redirect attention by maligning the Yuchengco-owned bank.
RCBC, which insists that it was also a victim, was slapped with a P1-billion fine last year by the Bangko Sentral ng Pilipinas for failing to comply with banking laws and regulations.
RCBC called Muhit’s statement “extremely irresponsible” and said Bangladesh should be compelled to disclose findings that would be crucial in the global fight against cybercrime.
“At least from five reports — SWIFT; FireEye, an international cyber security outfit; Bangladesh’s own finance minister; its government-appointed panel; and a Bangladeshi expert — point to a conclusion that somebody inside BB (Bangladesh Bank) would have made the heist possible,” RCBC said.
It also claimed that Bangladesh Bank had no firewall to protect its system and used second-hand $10 switches, making the bank vulnerable to hackers. Hackers conducted trial runs in January last year but apparently the monetary authority did nothing to protect its system, RCBC added.
The lender added that based on reports, Bangladesh Bank had terminated its contract with FireEye. The Bangladeshi expert also disappeared.
“Bangladesh police investigated some BB people but only for negligence. Up to now, we do not know if anybody has been taken to court,” RCBC said.
“BB should stop making RCBC its scapegoat. RCBC has revealed everything it legally could to the Senate and to the Bangko Sentral ng Pilipinas; BB, however, has concealed everything it could. The contrast is telling,” it added.
On the issue that Bangladesh Bank wants RCBC to return the missing money, the lender replied: “If it was stolen by your own people, why ask us? We are actually a victim of BB’s negligence.”
RCBC said it received the funds in good faith because the transactions were cleared and authenticated by the New York Fed and SWIFT, whose secure communications system is used by banks all over the world. Three global banks — Citibank, New York Mellon and Wells Fargo — remitted the funds to RCBC.
“These organizations are among the most sophisticated in the world and their remittances are accepted as a matter of course”,” it said. RCBC said Bangladesh Bank belatedly requested that the funds be frozen via an ordinary email, not the Code Red message banks use to raise an alarm.
“This resulted in their message being bunched with thousands of ordinary messages RCBC receives from all other banks all over the world each day. Had they sent a Code Red, we would have caught it,” RCBC said, adding that Bangladesh Bank did not reach out in any other way. ■