Bangladesh has learned a valuable lesson over the past two months: Do. Not. Trust. The. New. York. Fed.
On a quiet Friday morning in early February, a series of instructions using authenticated SWIFT codes was sent to 33 Liberty allegedly from the Bangladesh central bank requesting the transfer of nearly $1 billion from the country’s FX reserves.
Now, the first thing that should jump out at you there is that Friday is a weekend in Bangladesh, a fact which probably should have set off alarm bells. But alas, it didn’t and by the time the hackers who sent the transfer instructions screwed the pooch by spelling “foundation” wrong in one of the requests, more than $80 million was sent to the Philippines where it landed in four accounts and eventually ended up transferred to at least two casinos and one unidentified man “of Chinese origin” who has since been named as a Weikang Xu. For those who might have missed the story, here are our three previous accounts of what is truly a Hollywood-esque plot line:
- Plot Thickens In New York Fed Heist As $30 Million In Cash Said Delivered To Mystery Chinese Man
- The Incredible Story Of How Hackers Stole $100 Million From The New York Fed
- Chinese Hackers Break Into NY Fed, Steal $100 Million From Bangladesh Central Bank
You’re reminded that the stolen funds ended up in the Jupiter Street, Makati City, branch of Rizal Commercial Banking Corp where the branch manager is one Maia Santos Deguito. Here she is:
According to testimony from a Rizal executive heard at a Senate hearing in the Philippines late last week, some $427,000 in cash was withdrawn from one of four accounts that received the illicit funds. That money was promptly deposited - into the back of Deguito’s car.
"On February 5 - the day when RCBC said $22 million was put into [the accounts] - Deguito's assistant, Angela Torres, requested P20 million from the bank's cash center, which was delivered by armored car," PhilStar reports. "The teller then put the money in a box, which was brought to Deguito's office. The branch messenger, a certain Jovy Morales, then looked for a paper bag to put the money in and then brought it to the branch manager's car."
Deguito then ignored a direct order from the Bangladesh central bank and the Rizal head office to freeze the accounts. “Instead, she moved the money to a foreign-currency account opened Feb. 5 under the name of Centurytex Trading, a local brokerage firm owned by businessman William Go,” WSJ writes. “$15 million of the stolen money on Feb. 5 was remitted from the account to a local money-transfer company called Philrem [and] then, about another $66 million was transferred to Philrem on Feb. 9.” From there, it found its way to the casinos and to Weikang. Here's a diagram from FT:
Mr. Go is apparently innocent, according to a private investigation conducted by Truth Verifier Systems Inc, which says the accounts were forged. However, Torres (Deguito's assistant) insists that Go picked up cash in a "Lexus SUV" and that he signed the withdrawal slip personally.
Go is now suing both Torres and Deguito.
Apparently, the hackers used malware to infiltrate the central bank's computers and monitor daily activity. “They were counting on the likelihood that there wouldn’t be any direct communication between the banks over the weekend,” an official who spoke to WSJ said. And they were correct. As we documented earlier this week, Bangladesh was unable to contact the New York Fed on Saturday and Sunday.
Bangladesh hired FireEye to investigate the incident. According to what Bloomberg describes as an "interim report," the hackers "sought to cover their tracks by deleting computer logs as they went [and] before making transfers they sneaked through the network, inserting software that would allow re-entry."
The report allegedly describes the operation as something that would normally be the purview of nation-state hackers. "Malware was specifically designed for a targeted attack on Bangladesh Bank to operate on SWIFT Alliance Access servers," Bloomberg quotes the report as saying. "The security breach of the SWIFT environment is part of a much larger breach that is currently under investigation."
Suspect log-ins at the Bangladesh central bank began on January 24 and ran through at least February 6, two days after the illicit transfers. The report, Bloomberg says, indicates that the "hackers have already hit other FireEye clients, though it’s unclear if those include other central banks."
Meanwhile, Bangladesh's finance minister AMA Muhith told the Bengali-language daily Prothom Alo that this was 100% an inside job involving officials at the central bank. He later claimed the daily published off-the-record comments without his permission. “It has come to light through this interview that I cannot always remain alert because of my age,” he said. Muhith has called the central bank "very incompetent" for its handling of the incident.
"Bangladesh, including its government institutions and its banking system, is notoriously corrupt and prone to bank frauds, and neither the Bangladeshis nor the Fed have ruled out the possibility the hackers were assisted by someone on the inside," FT wrote this week. "But there is so far no evidence of an insider, nor do cyber security experts think such a person would have been essential for a crime that could have been committed from outside by sophisticated criminal hackers from eastern Europe or elsewhere."
Bangladesh at least in part blames the Fed. “Since they have asked for your opinion, they should have waited for that,” one official told FT, referencing the fact that the Fed asked for clarification on some of the transactions but ok'd them before getting a response. "They could have been patient," the same official said.
"[The Fed] cannot avoid their responsibility in any way," Muhith says.
We imagine the well-meaning FinMin may be surprised at what the NY Fed can and can't do.
As indicated by the diagram shown above, there's no telling where the money went after the casinos. “It was Chinese new year,” Bloomberry's Silverio Benny Tan said. “So the expectation was for more play, so it was not unusual.” As we mentioned on Wednesday, casinos are not subject to the Philippines' anti-money-laundering laws (because who would think of laundering money through a casino).
But don't worry, the culprits will soon be ferreted out. How do we know? Because Bangladesh has enlisted the help of the FBI. "We sought the FBI's assistance when a group of FBI met with me for investigating the central bank heist last month," Interior Minister Asaduzzaman Khan told Reuters.
What seems likely here is that this is part of something far larger and it could very well be that none of the people along the paper trail (Deguito, Go, whoever was or wasn't involved at the Bangladesh Bank, etc.) actually knows who is ultimately pulling the strings. The fact that the total request was for nearly $1 billion suggests that whoever is at the end of the rabbit hole here either, i) has their sights set far higher than $80 million, or ii) swung for the fences to ensure they at least got to first base. If it's the former, then we may see more inadvertent experiments with helicopter money in the very near future - and on a much larger scale.
Now if only physical cash were banned, then the "culprits" wouldn't be able to launder their illicit proceeds. Hey, wait a minute...