With the help of Federal Reserve Bank of New York, Bangladesh on February 1 launched a legal battle to recover the full amount stolen from its central bank’s reserve in what is known as the biggest cyber heist in the history. The move came nearly three years after hackers stole $81 million from a Bangladesh bank account with the NY Fed.
On that day, a lawyer team from the country’s central bank filed a case in New York’s southern district court against the Rizal Commercial Banking Corporation (RCBC) of the Philippines. Incidentally, on the same day, RCBC had hired the US law firm of Quinn Emanuel for its defense against the Bangladesh lawsuit.
This legal battle will likely to continue for the next three years, as was informed by the Ajmalul Hossain QC, Bangladesh Bank’s counsel. “We hope to recover the full money by that time,” he informed.
Bangladesh Bank accused RCBC and several others, including some top executives, of involvement in a ‘massive’ and ‘intricately planned’ multi-year conspiracy to steal its money worth $81 million, he said.
Philippine has so far returned $15 million following an order of a regional Philippine court in November 2016 while the rest $66 million still remained to be recovered.
About the cost of the legal proceedings, QC informed, as of now, Bangladesh has spent Tk 3 crore in this case. “Legal cost is usually measured in hourly basis—how many man-hours you need to carry on the legal proceedings.”
When asked whether the BB has taken “too much time” in filing the case since the cyber heist had happened two years ago, QC replied, “It takes meticulous preparation to file a case like this. Besides, we needed to collect a lot of internal reports and probe reports. We wanted to be fully prepared rather than making haste,” he said.
About the cost of the legal proceedings, QC informed, as of now, Bangladesh has spent Tk 3 crore in this case. “Legal cost usually measures in hourly basis—how many man-hours you need to carry on the legal proceedings.”
“Besdides, cost is not an issue here. The case is filed after getting nod from the highest authority. It’s matter of national prestige,” he said.
The RCBC’s lead attorney in the case, Tai-Heng Cheng, a partner at the firm’s New York office, meanwhile told the Daily Inquirer: “This is nothing more than a thinly veiled PR (public relations) campaign disguised as a lawsuit. Based on what we have heard, this suit is completely baseless. If BB was serious about recovering the money, they would have pursued their claims three years ago and not wait until days before the statute of limitations. Not only are the allegations false, they don’t have the right to file here since none of the defendants are in the US.”
The Bangladesh Bank heist
In what is known as the biggest bank robberies of recent times, the BB heist took place when hackers attacked the reserve of the central bank of Bangladesh and siphoned off $101 million. The money of Bangladesh’s central bank was kept in the Federal Reserve Bank of New York.
The unidentified hackers had access to the SWIFT codes of Bangladesh Central Bank employees and used them to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York on February 4, 2016. Then they requested the bank to transfer millions of dollars of the Bangladesh Bank’s funds to bank accounts in Sri Lanka, Philippines and other parts of Asia.
The hackers were successful in getting $81 million transferred to Rizal Commercial Banking Corporation in the Philippines through four different transfer requests and an additional $20 million to Pan Asia Banking in a single request. The $81 million was deposited into four accounts at a Rizal branch in Manila on the fourth of February.
Fortunately, Bangladesh Bank was able to stop $850 million in 30 transactions before it was too late. According to Bangladesh Bank officials, the Fed in New York did not complete the additional 30 transfers ordered by the cyber hackers who by some means placed malicious software known as malware into the Bangladesh central bank’s computer systems.
In case the transfer orders were carried out by the Federal Reserve Bank of New York, Bangladesh would have lost a further $951million. The cyber crime took the then-governor of Bangladesh Bank, Atiur Rahman by utter surprise. “It was like a terrorist attack, into the central bank,” he said. “I couldn’t believe it … because nothing like that … ever happened.”
Quite astonishingly, the Bangladesh Bank found out about the heist due to a printer error. Every time a fund transfer request is made, the bank’s SWIFT system is configured to automatically print out a record. The printer works round the clock for 24 hours so when the bank officials arrive each morning, they can check the tray for transfers that were confirmed during the night.
On February 5, one director of the bank saw the printer tray was empty. The bank officials were unable to print the reports manually and discovered that the software on the terminal that connects to the SWIFT network specified that a critical system file was missing or had been altered with.
After the bank officials were able to get the software working the next day, they restarted the printer and found dozens of suspicious records of transactions. The Fed bank in New York had sent queries to Bangladesh Bank as they were unsure about dozens of the transfer orders, but no one in Bangladesh had responded yet.
The Bangladesh Bank officials were startled and desperately tried to find out if the transfers were completed. Their records system confirmed that no fund was debited to their account yet and they gave orders to stop the transfer orders that were pending. They made contact with SWIFT and New York Fed, but no one responded as it was weekend in New York. It wasn’t until Monday that bank officials in Bangladesh finally came to know that four of the transactions amounting to $101 million were in fact completed.
Immediately after the attack, the then Bangladesh Finance Minister Abul Maal Abdul Muhith blamed the NY Fed for failing to block the transaction outright.
Both the Fed and SWIFT quickly countered, however, that the transfer request had been made using valid credentials, and ultimately blamed poor information security controls at Bangladesh Bank for having failed to prevent hackers from remotely accessing the bank’s systems and deploying malware. But subsequent interviews with current and former bank officials suggested that “inertia and clumsiness” at the New York Fed didn’t help.
SWIFT launched a program aimed at ensuring that all SWIFT-using institutions maintain minimum information security policies and procedures, and it threatened to publicly name and shame any that failed to do so, which could, in effect, lead to some institutions being blacklisted from using the SWIFT messaging system. In addition, SWIFT warned that Bangladesh Bank was not the only institution to be targeted and said related attack campaigns were continuing.
The aftermath of the cyber-heist in Bangladesh
Following the incident, BB started a probe through a probe committee headed by the former BB governor Former Mohammed Farashuddin. The internal investigation into the February theft of $81 million from the central bank of Bangladesh reportedly found that a handful of negligent and careless bank officials inadvertently helped facilitate the heist by outside hackers.
Mohammed Farashuddin said that the government-appointed panel investigating the heist blamed, in part, the five low-level and mid-level officials.
“They were negligent, careless and indirect accomplices,” he told Reuters, adding that attackers had exploited vulnerabilities in the bank’s information security defenses. “The committee came to the conclusion that the heist was essentially committed by external elements.”
Meanwhile, the central bank had initiated a case with Motijheel Police Station in February, 2016 after the hacking incident. The CID was given the charge of investigating the case filed under the Money Laundering Prevention Act and the ICT Act. The police investigating the cyber heist, however, failed to submit a report to the court for the 25th time since the case was filed.
The CID recently been asked to submit its probe report on the case to the court by February 10. Metropolitan Magistrate Sadbir Yeasir Ahsan Chowdhury passed the order after the investigation officer of the case failed to submit the probe report.
What happened in Philippines?
Meanwhile, In August 2016m, after conducting its own investigation into the heist, the central bank of the Philippines, Bangko Sentral ng Pilipinas, slammed RCBC, which it oversees, with a record fine of 1 billion pesos – equivalent to $21.3 million. In a statement, BSP said that the penalty represented “the largest amount ever approved as part of its supervisory enforcement actions on a BSP-supervised financial institution.”
At the same time, BSP noted that RCBC was already taking steps “to strengthen its anti-money laundering and counter-terrorist financing risk management system and governance culture.”
Also, following an investigation by the Philippines Department of Justice, Makati City Regional Trial Court (RTC) last year convicted ex-RCBC manager Maia Deguito of money laundering over the heist and sentenced her to 4 to 7 years in prison for each of the 8 counts of money laundering. She was also ordered to pay $109 million in penalties.
Deguito is a defendant in the lawsuit filed by Bangladesh. The case is just the beginning of a long journey ahead through the American court. It appears that the lawsuit will take a long time to settle. A Bangladesh Bank official says it will take at least three years to reach the resolution of the case.
The probe definitively revealed that funds stolen from Bangladesh’s central bank were converted to Philippine pesos and distributed to junket operators and casinos. The money was deposited to foreign currency accounts of RCBC, which passed it on to Philrem Service Corporation for conversion and distribution. In 2017, the Philippines Department of Justice cleared Philrem executives, leaving Deguito to face the charges.