It became known as one of the world’s biggest cyber-heists in banking history, and last Friday the central bank of Bangladesh filed a federal lawsuit in the US District Court for the Southern District of New York, accusing a Filipino bank, its top brass and others of facilitating the theft of US$81 million from its account at the Federal Reserve Bank of New York.
The move was another step in a legal battle to recover the full amount – $101 million – which was stolen from Bangladesh’s central bank’s reserves three years ago. Hackers stole the $101 million from Bangladesh Bank’s (BB) foreign reserves account with the New York Federal Reserve. Only $20 million of the stolen money was returned by a Sri Lankan bank because the name of the recipient was wrong.
Last Thursday, a team of lawyers filed a case against the Rizal Commercial Banking Corporation (RCBC) of the Philippines, claiming in the complaint that the Manila-based bank helped North Korean hackers steal $81 million.
In September last year, the US Justice Department charged a North Korean man, Park Jin Hyok, with computer fraud, saying he was part of a government-sponsored team, known as the Lazarus Group, which were behind the hack of Sony Pictures, the Bangladesh Bank theft and global ransom attacks.
Ajmalul Hossain, the Bangladesh Bank’s counsel, told Asia Times the bank had accused RCBC and several others, including some top executives, of involvement in a “massive” and “intricately planned” multi-year conspiracy to steal $81 million of its money.
Hossain said much of the money disappeared in the Philippines’ casino industry. It was funneled through a series of complicated account transfers. The Philippines has so far returned $15 million after an order from a regional Philippine court in November 2016, while $66 million is yet to be recovered.
“The legal battle that we started will likely continue for the next three years. We hope to recover the full money by that time,” Hossain said.
Also on Thursday last week when the Bangladesh Bank filed its case, RCBC hired the US law firm Quinn Emanuel for its defense against the lawsuit, the Daily Inquirer of the Philippines reported.
The RCBC’s lead attorney on the case, Tai-Heng Cheng, said Bangladesh’s legal attempt to recover the full money was “nothing more than a thinly veiled PR campaign disguised as a lawsuit.” He added that if the Bangladesh Bank was “serious about recovering the money, they would have pursued their claims three years ago and not waited until days before the statute of limitations (expired).”
Hossain, however, returned fire. “It takes meticulous preparations to file a case like this. Besides, we needed to collect a lot of internal reports and probe reports. We wanted to be fully prepared rather than make haste.”
No update on probe
While Bangladesh launches a legal battle against the Manila-based bank in a New York court, there has been no update on its internal probe run by the country’s Criminal Investigation Department (CID).
After the heist, the Bangladesh Bank started an internal probe through a committee headed by former central bank governor Mohammed Farashuddin. The investigation by the committee found that a handful of negligent and careless bank officials inadvertently helped facilitate the heist by hackers.
“They were negligent, careless and indirect accomplices,” Farashuddin told news agency Reuters, adding that the hackers had exploited vulnerabilities in the bank’s information security defenses. “The committee came to the conclusion that the heist was essentially committed by external elements.”
Later Bangladesh Bank filed a case about the theft in Motijheel Police Station in the country’s capital Dhaka. The CID was put in charge of investigating the case filed under the country’s Money Laundering Prevention Act and the ICT Act, or Information and Communication Technology Act. The CID, however, failed to submit a report to the court for the 25th time since the case was filed, Asia Times discovered. The CID was recently asked to submit its report to the court by February 10.
When asked why there had been no update on the CID report, Bangladesh Bank Governor Fazle Kabir said: “You are asking the question in the wrong place. We have provided all sorts of help to the CID in their investigation.”
Rayhan Uddin Khan, an additional CID superintendent and the investigating officer in the bank-heist case, said they had already submitted a preliminary forensic report to the Anti-Money Laundering Council of the Philippines in July last year. The council could use the report to determine the RCBC’s role in the heist, he said.
Khan added that the CID would need to conduct further investigations to prepare a final and conclusive report.
The Philippines takes action
On January 10 this year in Manila, a Philippine court found Maia Deguito, who managed RCBC’s Makati City branch, guilty of eight counts of money laundering tied to the Bangladesh Bank heist. The court sentenced her to varying prison terms ranging from 32 years to 56 years and fined her $109 million.
In August 2016, after conducting its own investigation into the heist, the central bank of the Philippines – Bangko Sentral ng Pilipinas (BSP) – slammed RCBC, which it oversees, with a record fine of 1 billion pesos ($21.3 million). In a statement, BSP said the penalty represented “the largest amount ever approved as part of its supervisory enforcement actions on a BSP-supervised financial institution.”
The heist happened when hackers attacked the reserves of Bangladesh’s central bank and siphoned off $101 million. The bank’s money was kept in the New York Federal Reserve. The hackers had access to the SWIFT codes used by Bangladesh Bank employees and used them to send more than three dozen fraudulent money transfer requests to the NY Fed on February 4, 2016. They then requested the bank to transfer millions of dollars of the Bangladesh Bank funds to bank accounts in Sri Lanka, the Philippines and other parts of Asia.
The hackers were successful in getting $81 million transferred to RCBC in the Philippines through four different transfer requests and an additional $20 million to Pan Asia Banking in a single request.
Fortunately, Bangladesh Bank was able to stop $850 million in 30 transactions before the money disappeared. According to central bank officials, the Federal Reserve did not complete an additional 30 transfers ordered by the cyber hackers who, by some means, placed malicious software into the Bangladesh central bank’s computer systems.
If the transfer orders had been carried out, Bangladesh would have lost a further $951 million. Somewhat unsurprisingly, the cyber-crime took the then-governor of Bangladesh Bank, Atiur Rahman, by complete surprise. “It was like a terrorist attack, into the central bank,” he said. “I couldn’t believe it … because nothing like that … ever happened,” he said.