
2016 Bangladesh Bank heist

In February 2016, instructions to steal US$951 million from Bangladesh Bank, the central bank
of Bangladesh, were issued via the SWIFT network. Five transactions issued by the hackers, worth
$101 million and withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of
New York, succeeded, with $20 million traced to Sri Lanka (since recovered) and $81 million to
the Philippines. The Federal Reserve Bank of New York blocked the remaining thirty transactions,
amounting to $850 million, at the request of Bangladesh Bank.

Background
The 2016 cyber-attack on the Bangladesh central bank, in which thieves tried to illegally transfer
US$1 billion to several fictitious bank accounts around the world, was not the first of its
kind. In 2013, the Sonali Bank of Bangladesh was also successfully targeted by hackers, who
were able to cart away US$250,000. In 2015, two other hacking attempts were recorded: a $12
million theft from Banco del Austro in Ecuador in January, and an attack on Vietnam's Tien
Phong Bank in December that was not successful. In all these cases, the perpetrators are
suspected to have been aided by insiders within the targeted banks, who helped them take
advantage of weaknesses in how the banks connected to the SWIFT global payment network.
In 2012, the Philippines loosened restrictions on its gambling industry despite opposition from
the Catholic Church. After the country's gambling industry benefited from Chinese paramount
leader Xi Jinping's campaign against corruption, which drove gamblers further south of Macau,
its casinos lobbied against a 2012 amendment by the Philippine Senate to the 2001 Anti-Money
Laundering Act that would have required them to report suspicious transactions. Senate President
Juan Ponce Enrile had lobbied for the inclusion of casinos in the scope of the law. At that time,
big casino firms in the Philippines such as City of Dreams had not yet been established.

Events
Capitalizing on weaknesses in the security of the Bangladesh central bank, including the
possible involvement of some of its employees, the perpetrators attempted to steal $951 million from
the bank's account with the Federal Reserve Bank of New York sometime
between February 4 and 5, 2016, while Bangladesh Bank's offices were closed. The perpetrators managed
to compromise Bangladesh Bank's computer network, observe how transfers are done, and gain
access to the bank's credentials for payment transfers. They used these credentials to authorise
about three dozen requests to the Federal Reserve Bank of New York to transfer funds from the
account Bangladesh Bank held there to accounts in Sri Lanka and the Philippines.
Thirty transactions worth $851 million were flagged by the banking system for staff review, but
five requests were granted: $20 million to Sri Lanka (later recovered) and $81 million lost to the
Philippines, entering the Southeast Asian country's banking system on February 5, 2016. This
money was laundered through casinos, and some of it was later transferred to Hong Kong.

Attempted fund diversion to Sri Lanka


The $20 million transfer to Sri Lanka was intended by the hackers to be sent to the Shalika
Foundation, a Sri Lanka-based private limited company. The hackers misspelled "Foundation" in
their request to transfer the funds, spelling the word as "Fundation". This spelling error raised
suspicion at Deutsche Bank, a routing bank, which halted the transaction in question
after seeking clarification from Bangladesh Bank.
Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting
that the transaction was too big for a country like Sri Lanka. Pan Asia Bank was the one that referred
the anomalous transaction to Deutsche Bank. The Sri Lankan funds have been recovered by
Bangladesh Bank.

Funds diverted to the Philippines


The money transferred to the Philippines was deposited in five separate accounts with the Rizal
Commercial Banking Corporation (RCBC); the accounts were later found to be under fictitious
identities. The funds were then transferred to a foreign exchange broker to be converted to
Philippine pesos, returned to RCBC and consolidated in an account of a Chinese-Filipino
businessman; the conversion was made from February 5 to 13, 2016. It was also found that the
four U.S. dollar accounts involved had been opened at RCBC as early as May 15, 2015,
remaining untouched until February 4, 2016, the date the transfer from the Federal Reserve Bank
of New York was made.
On February 8, 2016, during the Chinese New Year, Bangladesh Bank through SWIFT informed
RCBC to stop the payment, refund the funds, and to "freeze and put the funds on hold" if the
funds had already been transferred. Chinese New Year is a non-working holiday in the
Philippines, and a SWIFT message from Bangladesh Bank containing similar information was
received by RCBC only a day later. By this time, withdrawals amounting to about $58.15
million had already been processed by RCBC's Jupiter Street branch (in Makati City).
On February 16, the Governor of Bangladesh Bank requested Bangko Sentral ng Pilipinas'
assistance in the recovery of its $81 million funds, saying that the SWIFT payment instructions
issued in favor of RCBC on February 4, 2016 were fraudulent.

Investigation
Bangladesh
Initially, Bangladesh Bank was uncertain whether its system had been compromised. The governor of
the central bank engaged World Informatix Cyber Security, a US-based firm, to lead the security
incident response, vulnerability assessment and remediation. World Informatix Cyber Security
brought in the forensic investigation company Mandiant, a FireEye company, for the
investigation. These cyber security experts found "footprints" and malware left by the hackers, which
indicated that the system had been breached. The investigators also said that the hackers were
based outside Bangladesh. An internal investigation was launched by Bangladesh Bank
regarding the case.
Bangladesh Bank's forensic investigation found that malware had been installed within the
bank's system sometime in January 2016, and had gathered information on the bank's operational
procedures for international payments and fund transfers.

The investigation also looked into an unsolved 2013 hacking incident at the Sonali Bank,
wherein US$250,000 was stolen by still unidentified hackers. According to reports, just as in the
2016 Central Bank hack, the theft also used fraudulent fund transfers using the Swift
International Payment Network. The incident was treated by Bangladeshi police authorities as a
cold-case until the suspiciously similar 2016 Bangladesh Central Bank heist.

Philippines
The Philippines' National Bureau of Investigation (NBI) launched a probe and looked into a
Chinese-Filipino who allegedly played a key role in the money laundering of the illicit funds.
The NBI is coordinating with relevant government agencies including the country's Anti-Money
Laundering Council (AMLC). The AMLC started its investigation on February 19, 2016 of bank
accounts linked to a junket operator. AMLC has filed a money laundering complaint before
the Department of Justice against a RCBC branch manager and five unknown persons with
fictitious names in connection with the case.
A Philippine Senate hearing was held on March 15, 2016, led by Senator Teofisto Guingona III,
head of the Blue Ribbon Committee and Congressional Oversight Committee on the Anti-Money
Laundering Act. A closed-door hearing was later held on March 17. Philippine Amusement and
Gaming Corporation (PAGCOR) has also launched its own investigation.

United States
FireEye's Mandiant forensics division and World Informatix Cyber Security, both US-based
companies, are investigating the hacking case. According to investigators, the perpetrators'
familiarity with the internal procedures of Bangladesh Bank was probably gained by spying on
its workers. In a separate report, the US Federal Bureau of Investigation (FBI) says that its agents
have found evidence pointing to at least one bank employee acting as an accomplice, with
further evidence pointing to several more people as possibly assisting the hackers in navigating
Bangladesh Bank's computer system. The government of Bangladesh is considering suing the
Federal Reserve Bank of New York in a bid to recover the stolen funds.

Other attacks
Computer security researchers have linked the theft to as many as eleven other attacks, and
alleged that North Korea had a role in the attacks, which, if true, would be the first known
incident of a state actor using cyber-attacks to steal funds.

Response from linked organizations


The Rizal Commercial Banking Corporation said it did not tolerate the illicit activity in the
RCBC branch involved in the case. Lorenzo V. Tan, RCBC's president, said that the bank
cooperated with the Anti-Money Laundering Council and the Bangko Sentral ng Pilipinas
regarding the matter. Tan's legal counsel has asked the RCBC Jupiter Street branch manager to
explain the alleged fake bank account that was used in the money laundering scam.
The RCBC's board committee also launched a separate probe into the bank's involvement in the
money laundering scam. RCBC president Lorenzo V. Tan filed an indefinite leave of absence to
give way to the investigation by the authorities on the case. On May 6, 2016, despite being
cleared of any wrongdoing by the bank's internal investigation, Tan resigned as President of
RCBC to "take full moral responsibility" for the incident. Helen Yuchengco-Dee, daughter of
RCBC founder Alfonso Yuchengco, will take over the bank's operations. The bank also
apologized to the public for its involvement in the heist.
Bangladesh Bank Governor Atiur Rahman resigned from his post amid the ongoing
investigation of the heist and money laundering. He submitted his resignation letter to Prime
Minister Sheikh Hasina on March 15, 2016. Before the resignation was made public, Rahman
stated that he would resign for the sake of his country.
On August 5, 2016, the Bangko Sentral ng Pilipinas approved a PhP1 billion (~US$52.92
million) fine against RCBC for its non-compliance with banking laws and regulations in
connection with the bank heist. This is the largest monetary fine ever approved by BSP against
any institution. RCBC stated that the bank will comply with the BSP's decision, and will pay the
imposed fine.

Ramifications

The incident shows the risks to which banks connected to the SWIFT system are exposed as a
result of the security weaknesses of other member banks. By breaching the Bangladesh
central bank's security perimeter, the hackers were able to issue transfer orders over the
established global banking networks almost undetected. The failure of the
Bangladeshi government to build adequate safeguards for its financial system became the
starting point for a global, multi-million-dollar money laundering scheme whose effects were felt beyond
the country's borders.
The case threatens the reinstatement of the Philippines to the blacklist, kept by the Financial Action
Task Force on Money Laundering, of countries making insufficient efforts against money
laundering. Attention was drawn to a potential weakness in Philippine authorities' efforts against
money laundering after lawmakers in 2012 managed to exclude casinos from the roster of
organizations required to report suspicious transactions to the Anti-Money Laundering Council.
The case also highlights the threat of cyber-attacks to both government and private institutions
by cyber criminals using real bank codes to make orders look genuine. SWIFT has advised banks
using the SWIFT Alliance Access system to strengthen their cyber security posture and ensure
they are following SWIFT security guidelines. Bangladesh is reportedly the 20th most
cyber-attacked country, according to a real-time cyber-threat map developed by Kaspersky Lab.

Anatomy

The suspected perpetrators of the $100 million heist of Bangladesh Bank funds deposited at the
Federal Reserve Bank of New York this February opened dollar-denominated accounts last May.

And then they sat and waited.


For what? A long weekend.
On May 15, 2015, Enrico Teodoro Vasquez, Alfred Santos Vergara, Michael Francisco Cruz and
Jessie Christopher Lagrosas opened US dollar bank accounts at Rizal Commercial Banking
Corporation (RCBC), a Philippine bank.

The accounts remained untouched until February 4, 2016, the Philippine Daily Inquirer (PDI)
reports.
The fraudulent transfer orders were timed for February 4 this year, a Thursday, so that the next
day Bangladesh Bank would be closed for the weekend.
Saturday is a common weekend day for Bangladesh and the Philippines, Sunday is a weekend day
in the Philippines, and Monday, February 8, fell on Chinese New Year, a non-working holiday in the Philippines.
It mostly went according to plan.
"The perpetrators of the robbery certainly had deep knowledge of [Bangladesh Bank's] internal
workings, likely gained by spying on bank workers," Reuters quoted security experts as saying.
They managed to steal payment transfer credentials, which were used to order transfers out of a
New York Fed account held by Bangladesh Bank, Reuters reports.

The heist
On February 4, a Thursday, $81m from the account of Bangladesh Bank at the New York Fed
was ordered to be transferred to the four RCBC accounts: $30m was transferred to Lagrosas,
$19.99m to Vergara, $25m to Vasquez and $6m to Cruz.
The funds were credited to the accounts via straight-through processing after the transactions passed
internal validation criteria. The funds were cleared through US-based correspondent banks
Citibank, The Bank of New York Mellon and Wells Fargo.
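The details reported above and in the preceding sections (beneficiary accounts opened in May 2015 and left dormant until the day of the transfer, a batch of very large payments released the day before a long closure on both sides, and a beneficiary name misspelled as "Fundation") are exactly the signals a rule-based screening step can act on before straight-through processing releases a payment. The following is an added illustrative example written for this page; it is not the validation logic actually run by Bangladesh Bank, the New York Fed, the correspondent banks, RCBC or SWIFT. The thresholds, the known-payee list, the holiday calendar and the sample instructions are constructed assumptions, with amounts, dates and names taken from the public reporting quoted on this page.

```python
"""Rule-based screening of outbound payment instructions (illustrative).

Added example, not any bank's or SWIFT's real validation code.  Reference
data (payee list, calendars, thresholds) are assumptions for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta
from difflib import SequenceMatcher
from typing import Optional


@dataclass
class Instruction:
    ref: str
    sent: datetime                 # when the originator's system emitted it
    amount_usd: float
    beneficiary_name: str
    beneficiary_account: str
    account_opened: date
    last_activity: Optional[date]  # None: no movement since the account was opened


# Assumed reference data; a real deployment would draw on the bank's payee history.
KNOWN_BENEFICIARIES = {"Shalika Foundation", "Japan International Cooperation Agency"}
ORIGINATOR_WEEKEND = {4, 5}            # Friday, Saturday (Bangladesh)
RECIPIENT_WEEKEND = {5, 6}             # Saturday, Sunday (Philippines)
RECIPIENT_HOLIDAYS = {date(2016, 2, 8)}  # Chinese New Year 2016 (assumed calendar)
DORMANT_DAYS = 180                     # assumed threshold
LARGE_SINGLE_USD = 10_000_000          # assumed threshold
LARGE_BATCH_USD = 50_000_000           # assumed threshold
NAME_SIMILARITY = 0.8                  # assumed near-miss cut-off


def closure_days_after(sent: date) -> int:
    """Consecutive days after `sent` on which at least one side is closed.

    A long run means neither party can answer a recall request promptly."""
    n = 0
    d = sent + timedelta(days=1)
    while (d.weekday() in ORIGINATOR_WEEKEND or d.weekday() in RECIPIENT_WEEKEND
           or d in RECIPIENT_HOLIDAYS):
        n += 1
        d += timedelta(days=1)
    return n


def near_miss(name: str) -> Optional[str]:
    """Return the known payee this name almost, but not exactly, matches.

    An exact match is a known payee; an unrelated name is merely unknown; a
    near miss ("Fundation" for "Foundation") is the suspicious case."""
    if name in KNOWN_BENEFICIARIES:
        return None
    best = max(KNOWN_BENEFICIARIES,
               key=lambda k: SequenceMatcher(None, name.lower(), k.lower()).ratio())
    ratio = SequenceMatcher(None, name.lower(), best.lower()).ratio()
    return best if ratio >= NAME_SIMILARITY else None


def screen(batch: list[Instruction]) -> dict[str, list[str]]:
    """Return flags per instruction ref plus batch-level flags under 'batch'."""
    flags: dict[str, list[str]] = {"batch": []}
    total = sum(i.amount_usd for i in batch)
    if total > LARGE_BATCH_USD:
        flags["batch"].append(f"batch total {total:,.0f} USD exceeds {LARGE_BATCH_USD:,}")
    closed = closure_days_after(batch[0].sent.date()) if batch else 0
    if closed >= 3:
        flags["batch"].append(f"{closed} consecutive non-working days follow the send date")
    for i in batch:
        f: list[str] = []
        if i.amount_usd > LARGE_SINGLE_USD:
            f.append("large single payment")
        idle_since = i.last_activity or i.account_opened
        idle = (i.sent.date() - idle_since).days
        if idle >= DORMANT_DAYS:
            f.append(f"dormant beneficiary account: first movement in {idle} days")
        k = near_miss(i.beneficiary_name)
        if k:
            f.append(f"beneficiary name is a near miss for known payee '{k}'")
        flags[i.ref] = f
    return flags


def constructed_batch() -> list[Instruction]:
    """Constructed sample batch modelled on the reported instructions."""
    sent = datetime(2016, 2, 4, 16, 0)
    return [
        Instruction("TX1", sent, 30_000_000, "Jessie Christopher Lagrosas",
                    "PH-0001", date(2015, 5, 15), None),
        Instruction("TX2", sent, 20_000_000, "Shalika Fundation",
                    "LK-0001", date(2014, 3, 1), date(2016, 1, 20)),
        Instruction("TX3", sent, 500_000, "Japan International Cooperation Agency",
                    "JP-0001", date(2010, 6, 1), date(2016, 1, 28)),
    ]


if __name__ == "__main__":
    for ref, fl in screen(constructed_batch()).items():
        print(ref, fl or "clean")
```

Run as-is, the batch is flagged for its total and for the four non-working days that follow February 4 (Bangladesh's Friday, the shared Saturday, the Philippine Sunday and the Chinese New Year holiday), TX1 for its size and for being the first movement on an account dormant for 265 days, TX2 for its size and the "Fundation" near miss, while the routine TX3 passes clean. Each rule is deliberately cheap; the point is that none of them needs the message signature to be invalid, which matters because a stolen credential produces perfectly valid messages.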

The same day, Lagrosas withdrew $22.73m and deposited it in the US dollar account of William
Go DBA Centurytex Trading, an account which was opened that day, PDI reports.
Between February 5 and 13, remittance company Philrem remitted the funds, now converted into
Philippine pesos, to the bank accounts of Chinese national Weikang Xu, Eastern Hawaii Leisure
Co and Bloomberry Hotels Inc (Solaire Resorts).
By the time Dhaka sent off frantic messages to halt the transaction, there was nobody in the
office in Manila to respond.
On February 9, RCBC received a Swift message from BB requesting that payment be stopped and
the accounts be frozen for investigation. But withdrawals from the accounts totalling $58.15m
had already been processed by RCBC.
Some $15.2m was deposited in the account of Philrem, $42.93m in Go's dollar account and
another $20m in Philrem, PDI reports.
On February 16, BB Governor Atiur Rahman sought the assistance of Philippine counterpart,
Governor Amando Tetangco Jr of Bangko Sentral ng Pilipinas, PDI reports.
Three days later, the Philippines Anti-Money Laundering Council (AMLC) began a probe of
bank accounts relating to Weikang Xu (believed to be a junket operator), Eastern Hawaii Leisure
Co and Solaire Resorts.
The Philippine Daily Inquirer broke the story of a possible $100m digital bank robbery of BB
funds on February 29.
The next day, the Court of Appeals in the Philippines, acting on an urgent petition from the
AMLC, ordered four Philippine banks (RCBC, East West Bank, Banco de Oro and Philippine
National Bank) to freeze for six months the bank accounts of Michael Francisco Cruz, Jessie
Christopher Lagrosas, Alfred Santos Vergara, Enrico Teodoro Vasquez, William So Go,
Centurytex Trading, Kam Sin Wong (aka Kim Wong) and all related accounts.
Over a month after the fraudulent transfer was made, BB issued a press statement saying its
Financial Intelligence Unit had been working with the AMLC to retrieve the money.
Finance Minister Muhith said he had been unaware of the lost funds.

In the end, the fraudsters successfully got their hands on $81m and pulled off one of the biggest
bank heists in history.

Spelling mistake
About $20m was retrieved from Sri Lanka, Bangladesh Bank Executive Director Subhankar
Saha recently said.
But a Reuters report filed yesterday suggests the Sri Lankan story could have a twist to it.
One fraudulent bank transfer instruction, for $20m to be sent to a Sri
Lankan non-profit organisation, was held up because the hackers misspelled the name of the
NGO.
The full name of the non-profit could not be learned.
But one of the officials said the hackers misspelled "foundation" in the NGO's name as
"fandation", prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh
central bank, which stopped the transaction.
The Reuters report said the recovered amount referred to by BB officials was the halted payment.
The resulting halt in transfers covered funds worth between $850m and $870m, one of the officials said.
Approximately $81m was successfully transferred to the Philippines and has still not been
retrieved.
The scale of the crime and the involvement of so many business entities in the scam has so
alarmed the financial services industry that the Philippine Senate is scheduled to hold a public
hearing on the matter on March 14.

Deep knowledge
The fraudulent transfer orders made by the electronic swindlers who looted $81m of Bangladesh
Bank money show that the fraudsters evidently did their homework.

Every one of the false payment instructions was made in the name of big-ticket Bangladeshi
development projects, the PDI reported.
For example, one transaction for $25m was supposedly ordered by Bangladesh Bank on behalf
of the government's Kanchpur, Meghna and Gumti 2nd Bridges Construction Project.
The amount was remitted to the account of Vasquez purportedly for the payment of a loan
from the Japan International Cooperation Agency (Jica).
A payment of $30m to Lagrosas, an IT professional, likewise under a Jica loan, was
supposedly ordered on behalf of the Dhaka Mass Rapid Transit Development Project.
A $6m payment order on behalf of an IPFF project cell was supposedly to pay for Cruz's
consultancy fees.
Another payment worth $19m was supposedly from the Bheramara Combined Cycle Power Plant
Development Project with Vergara as beneficiary, citing engineering consulting fees.
It remains to be seen how the fraudulent orders slipped past the US financial system.
The transactions involved the New York Fed, where BB is an account holder, and US
correspondent banks Citibank, The Bank of New York Mellon and Wells Fargo Bank.
A minor tit for tat between the New York Fed and BB ensued, with Finance Minister AMA
Muhith saying on March 8 that a case would be filed against the Federal Reserve, a day after the
US institution denied its systems had been breached.
The Fed said it followed normal procedures when responding to requests that appeared to be
from Bangladesh Bank, which were made and authenticated over Swift, Reuters reported.
Belgian-based Swift, a member-owned cooperative that banks use for account transfer requests
and other secure messages, declined to comment on specifics of the case, the report added.
Security experts said the cyber criminals had to gather information about Bangladesh Bank's
transfer order procedures so that their actions would go unnoticed.
They had to have stolen credentials for processing transfers and probably spied on BB staff to
get a deep understanding of the central bank's operations, according to experts in banking fraud.

Kayvan Alikhani, a senior director with security firm RSA, told Reuters that in addition to user
names and passwords for accessing Swift, the hackers likely needed to obtain cryptographic keys
that authenticated the senders.
Such certificates can be copied and used by impostors if they are not properly secured, he said.
And this is not the first time such a crime has been attempted.
In a round of robberies disclosed last year, a group dubbed the Carbanak gang hacked into a
number of banks around the world, seized control of computers that access Swift, then ordered
fraudulent transfers.
The genius of the attacker in the Carbanak case is taking the time to learn directly from the
victim and thus bypass fraud prevention measures through sheer mimicry, Juan Guerrero, a
researcher with Kaspersky Lab which studied the campaign, told Reuters.

How Bangladesh Bank's account with the New York Federal Reserve was compromised

Malware was installed on Bangladesh Bank's computers, according to The Hacker News.
Any transfer from the bank requires a confirmation, but the hackers, still unknown, were able to
park large sums of money in multiple fake accounts in the Philippines and Sri Lanka.
The thieves succeeded in moving more than $80 million in several transfers; a lucky spelling
error stopped a further $20 million, and the remaining roughly $850 million was blocked.
Security researchers from FireEye's Mandiant have been assisting investigators in Dhaka in the
wake of the worst cyber-attack faced by Bangladesh.
The detectives believe malware was installed in Bangladesh Bank's computer system
several weeks prior to the attack, and that the hackers watched how money is transferred from its
account at the Fed, reports Reuters.
The nature of the malware is still unknown, but the malicious software likely included spying
programs that let the group learn how money was processed, sent and received.
It could have been a Remote Access Trojan (RAT) or similar spyware that allowed the thieves
remote access to the bank's computers.
Investigators also suspect that the hackers might have used a zero-day vulnerability in the system,
a flaw within software that remains unknown to the vendor until it is exploited.
The hackers then stole credentials used by Bangladesh Bank for the SWIFT messaging system,
which banks use to communicate with each other.
Society for Worldwide Interbank Financial Telecommunications or SWIFT is a highly secure
messaging network that uses a standardised system of codes to transmit information and
instructions between financial institutions.
"SWIFT and the Central Bank of Bangladesh are working together to resolve an internal
operational issue at the central bank," Belgium-based SWIFT said in a statement on Mar 11.
"SWIFT's core messaging services were not impacted by the issue and continued to work as
normal."
Those investigating the incident said a sample of the malware will soon be handed to security
researchers to see if it is truly advanced or if the Bangladesh Banks system was not strong
enough to prevent the attack.
The Federal Reserve continues to deny its system was breached while the Bangladesh Bank said
it discovered weaknesses that could take years to repair.

REPORT
The investigation team, headed by former Bangladesh bank governor Mohammed Farashuddin,
had hinted at the involvement of bank insiders in its report.

It was handed in to Muhith on May 30. The minister at the time had said that he would be able to
make public the contents of the report after going through it.
On Monday, he told reporters at his ministry, "They have finalized the report. Action is also
being taken according to that. In a few days' time, I shall release the report."
In an audacious bank heist using information technology, hackers tried to swindle $1 billion
belonging to Bangladesh from the Federal Reserve Bank of New York using forged commands
through Swift Messaging system.
The hackers siphoned off $81 million to an account in the Philippines using five messages.
Another $20 million were moved to Sri Lanka through another command.
Though the Sri Lankan transfer was stopped successfully, the Philippines transfer was successful
and after conversion into the local currency, the money made its way to gambling dens, making it
impossible to be recovered.
People in Bangladesh learned about the largest cyber heist in the world through reports
published in a Filipino newspaper a month after the incident.
Atiur Rahman had to quit the position of governor of Bangladesh Bank after drawing flak for
keeping the theft under wraps. It was followed by a major overhaul of the top brass of
Bangladesh Bank.
On Mar 25, the government appointed a three member probe team headed by former governor of
Bangladesh Bank Mohammed Farashuddin.
The committee has been entrusted to look into various angles related to the theft including
tracing the ones at whose behest the forged messages to transfer the funds were sent, to ascertain
the logic behind keeping the incident under wraps for up to a month by Bangladesh Bank

authorities, to see if the personnel of the bank were negligent in their duty and other vital areas.
The interim report was submitted to the minister on Apr 20 and the final report was handed in on
May 30.
Having received the report just ahead of the budget for the 2016-17 fiscal, the finance minister
expressed confidence that he could make the report public within the next 15 to 20 days.
After submitting the report Committee head Farashuddin said that the committee had deviated
slightly from their initial stand declaring that no bank employee was involved in the incident.
Neither the Finance Minister nor Farashuddin divulged details as to who was involved in the
theft or what punitive actions would be taken.
Replying to queries from journalists, Farashuddin merely said, "SWIFT cannot evade
responsibility. Whether SWIFT is mainly responsible or not is mentioned in the report. However,
our future problems can be solved only in collaboration with Swift."
He also said that the report contains an assessment of how much money could be recovered from
the theft.
"We have given a much optimistic picture," Farashuddin said.
