BB reserve heist: Nearly $1b could have been stolen


The Bangladesh Bank (BB) lost a whopping USD 81 million from its foreign exchange reserve to unidentified hackers on 4 February 2016. The theft was initially kept under wraps for 24 days.

After it came to light, the government on 15 March formed a three-member committee, headed by former BB governor Mohammed Farashuddin, to investigate the incident.

The committee delved into the incident and submitted an exhaustive report on 30 May. At the same time, a case was filed at Motijheel police station, and the Criminal Investigation Department (CID) was later entrusted with its investigation.

Beyond the border, the United States’ (US) Federal Bureau of Investigation (FBI) also conducted a separate investigation. Their findings were mentioned in a criminal case filed with a US district court in California in 2018.

All investigations revealed detailed information about the money heist.


Recently, a Hollywood documentary titled "Billion Dollar Heist," released on 14 August, has provided a comprehensive insight into the incident. It expounds on the meticulous planning of the cyber robbery and presents some fresh details.

The documentary has repeatedly asserted that the heist was not a spur-of-the-moment attempt, but the culmination of over a year of planning. The heist took place on the night of 4 February, but the hackers had infiltrated the network of Bangladesh Bank long before.

Long planning

According to the FBI, the hackers had been targeting various banks in Bangladesh since 7 October 2014. They used four email accounts to breach the central bank’s security protocols and access the forex reserves.

The documentary revealed that a certain Razal Alam emailed a job application to 36 BB officials in January 2015, with malware in a zip attachment disguised as a curriculum vitae (CV).

Three officials clicked on the CV and unknowingly activated the malware, paving the way for hackers to infiltrate the bank’s network.
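The attachment described above, a zip file posing as a CV, is the kind of thing a mail gateway can triage before anyone clicks. The following is an added illustration, not code from Bangladesh Bank, the FBI or the documentary; the member names, suffix lists and in-memory archives are constructed for the example. It flags executable members, the document-then-executable double extension, encrypted members that cannot be inspected, and a Windows PE header hiding behind a harmless-looking name.

```python
"""Attachment triage for a mail gateway: flag zip 'CVs' that carry executables.

Added illustration, not code from Bangladesh Bank, the FBI or the documentary.
The suffix lists, file names and zip contents below are constructed for the example.
"""
from __future__ import annotations

import io
import zipfile

# Suffixes that should never arrive inside a job-application attachment (constructed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".ps1", ".lnk", ".hta")
# "Document" suffixes attackers put before the real one, as in cv.pdf.exe (constructed list).
DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".rtf", ".txt")
# First two bytes of a Windows PE image ("MZ"), checked regardless of the file name.
PE_MAGIC = b"MZ"
# Bit 0 of the zip general-purpose flags marks an encrypted member.
ENCRYPTED_FLAG = 0x1


def triage_zip(data: bytes) -> list[str]:
    """Return the reasons to quarantine the archive; an empty list means no finding."""
    findings: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with archive:
        for info in archive.infolist():
            name = info.filename
            lower = name.lower()
            is_executable_name = lower.endswith(EXECUTABLE_SUFFIXES)
            if is_executable_name:
                findings.append(f"{name}: executable member")
                # Strip the last suffix; if what remains ends in .pdf/.doc/... it is a disguise.
                stem = lower.rsplit(".", 1)[0]
                if stem.endswith(DOCUMENT_SUFFIXES):
                    findings.append(f"{name}: double extension disguises executable as a document")
            if info.flag_bits & ENCRYPTED_FLAG:
                findings.append(f"{name}: encrypted member (content cannot be scanned)")
                continue
            # Peek at the magic bytes even when the name looks harmless.
            with archive.open(info) as member:
                head = member.read(len(PE_MAGIC))
            if head == PE_MAGIC and not is_executable_name:
                findings.append(f"{name}: PE header behind a non-executable name")
    return findings


def build_sample(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory zip as a test fixture; this is not a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample({"cv.pdf": b"%PDF-1.4 constructed sample"})
    disguised = build_sample({"cv.pdf.exe": b"MZ\x90\x00 constructed stub, not a real binary"})
    print("benign:", triage_zip(benign) or "clean")
    print("disguised:", triage_zip(disguised))
```

Each finding is a reason string rather than a bare boolean so the gateway can log why a message was held; the PE-header check catches the case where the sender renames the executable to a document suffix outright and relies on the recipient's client to run it anyway.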

The plot took a more sinister turn in the Philippines. A Chinese national opened four bank accounts with Rizal Commercial Banking Corporation (RCBC) in Manila in May 2015. The hackers remained silent for the following nine months, but maintained undetected access to all computers connected to the BB network for a full year.

However, cracking into the SWIFT (Society for Worldwide Interbank Financial Telecommunications) terminal was not as easy as infiltrating the BB network. It took exactly one year, and the hackers eventually succeeded on 29 January 2016.

There are numerous computers connected to the BB network, but only a few are used for transactions. The hackers monitored the transaction process for one year. They cracked into the SWIFT terminal on 29 January but waited for five more days for the right time on 4 February.


How the heist unfolded

4 February 2016 presented the much-sought opportunity. As evening fell, the BB official in charge switched off the SWIFT terminal. Three hours later, the hackers entered the terminal and sent 35 requests to the Federal Reserve Bank in New York to release a total of USD 951 million. This was unusual, as Bangladesh's requests are generally for USD 300,000 to 500,000.

It was a fine morning in New York when the Federal Reserve noticed the requests. Fund transfers require an intermediary bank, and the hackers had not followed that protocol in their requests, so the Federal Reserve operator considered them incomplete and turned them down.

Later, the hackers made the necessary corrections and managed to resend 34 of the requests error-free. In the remaining request, Deutsche Bank of Germany was named as the intermediary bank, with a foundation in Sri Lanka as the destination. The hackers misspelled the Sri Lankan foundation's name, prompting Deutsche Bank to halt the transaction.

The other 34 requests were granted, and USD 81 million was transferred to Manila in the Philippines against four of them. Immediately after the deposit, the hackers set about erasing all traces of their activity.

The hackers were aware that transaction details are usually printed out in banks. To counter this, they systematically prevented the printers from producing any output.

The remaining 30 transaction requests were being processed, but the hackers exited the computer system at 3:59 pm, presuming that the Federal Reserve’s operations for the day had ended.


Scope to rob more money

The documentary showed that the hackers had the opportunity to steal USD 951 million in total. However, the Federal Reserve halted the remaining 30 transfer requests for other reasons.

One of the RCBC branches was located on Jupiter Street in the Philippines. Two years earlier, Greek businessman Dimitris Cambis and his company, Jupiter Seaways, had come under US sanctions over his financial links with Iran.

Ironically, the hackers used RCBC's Jupiter Street branch to transfer the remaining funds. The Federal Reserve's computer system flagged the name "Jupiter" and halted the fund transfer process.

In further developments, the Federal Reserve analysed the requests and sent a message to the Bangladesh Bank to verify the transactions’ authenticity. But the hackers had already left the system. The entire sum could have been stolen if the hackers had waited for another hour.

Their total presence within the SWIFT terminal spanned 7 hours and 24 minutes. The documentary noted that a little more patience would have earned the hackers the remaining funds.
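The article describes four automated or semi-automated controls on the Federal Reserve side: requests without an intermediary bank were rejected as incomplete; a watchlist match on the word "Jupiter" held the remaining transfers; the batch was far outside Bangladesh Bank's usual USD 300,000 to 500,000 pattern; and the messages left the terminal after the desk had closed for the evening. The following is an added reconstruction of such screening, not the Federal Reserve's, SWIFT's or Bangladesh Bank's software; the field names, the business-hours window, the batch limit, the watchlist and the sample messages are constructed.

```python
"""Outbound payment screening, reconstructing the checks the article describes.

Added illustration; not the Federal Reserve's, SWIFT's or Bangladesh Bank's software.
The field names, business-hours window, batch limit, watchlist and sample messages
are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class PaymentRequest:
    ref: str
    amount_usd: float
    beneficiary: str
    beneficiary_bank: str             # bank name and address exactly as written in the message
    intermediary_bank: Optional[str]  # correspondent bank; the article notes it is required
    sent_hour_local: int              # hour (0-23) at which the message left the sending terminal


# Sender baseline (article: typical BB requests are USD 300,000 to 500,000).
TYPICAL_MIN_USD = 300_000
TYPICAL_MAX_USD = 500_000
# Operating window of the sending desk (constructed; the terminal was switched off in the evening).
OPERATING_HOURS = range(9, 18)
# Sanctions-derived watchlist terms; "jupiter" is the one the article describes.
WATCHLIST_TERMS = ("jupiter",)
# Requests per session above which the whole batch is held for review (constructed).
MAX_BATCH = 10


def screen(req: PaymentRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'reject', 'hold' or 'release'."""
    if not req.intermediary_bank:
        # Incomplete routing: the message cannot be executed as written, so it is bounced.
        return "reject", ["no intermediary bank specified"]
    reasons: list[str] = []
    # Plain substring screening, as the article describes: it matched the street name
    # "Jupiter" in the branch address, not only the sanctioned company.
    for text in (req.beneficiary, req.beneficiary_bank, req.intermediary_bank):
        for term in WATCHLIST_TERMS:
            if term in text.lower():
                reasons.append(f"watchlist term '{term}' in '{text}'")
    if not TYPICAL_MIN_USD <= req.amount_usd <= TYPICAL_MAX_USD:
        reasons.append(f"USD {req.amount_usd:,.0f} outside typical range")
    if req.sent_hour_local not in OPERATING_HOURS:
        reasons.append(f"sent at {req.sent_hour_local:02d}:00, outside operating hours")
    return ("hold", reasons) if reasons else ("release", [])


def screen_batch(reqs: list[PaymentRequest]) -> dict[str, tuple[str, list[str]]]:
    """Screen one session's requests; an oversized batch holds every releasable item too."""
    results = {r.ref: screen(r) for r in reqs}
    if len(reqs) > MAX_BATCH:
        note = f"{len(reqs)} requests in one session exceeds {MAX_BATCH}"
        for ref, (decision, reasons) in results.items():
            if decision == "release":
                results[ref] = ("hold", [note])
            elif decision == "hold":
                reasons.append(note)
    return results


SAMPLE_BATCH = [  # constructed messages for the walk-through
    PaymentRequest("R01", 400_000, "Routine supplier", "Bank A, Singapore", "Bank B, New York", 11),
    PaymentRequest("R02", 20_000_000, "Beneficiary X", "Bank C, Manila", None, 21),
    PaymentRequest("R03", 30_000_000, "Beneficiary Y",
                   "RCBC, Jupiter Street, Makati", "Deutsche Bank, Frankfurt", 21),
]

if __name__ == "__main__":
    for ref, (decision, reasons) in screen_batch(SAMPLE_BATCH).items():
        print(ref, decision, "; ".join(reasons))
```

A held request goes back to the sender for confirmation, which is exactly the verification message the Federal Reserve sent to Dhaka; the article's point is that the control only works if someone at the sending bank is still there to answer it. The human check that stopped the Sri Lankan transfer, a correspondent bank noticing a misspelled beneficiary, is outside what this code models.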


How the heist came to light

Once the printers at Bangladesh Bank were restored, they printed out the 30 messages from the Federal Reserve asking for verification of the transactions. Officials sensed that something significant had happened. They couldn't immediately contact the Fed. They found a representative of the SWIFT system, but he did not halt the transactions as requested.

Reaching the office on 6 February, a deputy governor realised that a substantial sum of money had already been sent to Manila. It was followed by desperate attempts to intercept the funds, but they were hindered by the coincidental holiday for the Chinese New Year, spanning four days at a stretch from Friday to Monday. No officials responded to the repeated messages from Dhaka to halt the transactions.

This meticulous synchronisation allowed the hackers to execute their plan without any hassle. Misha Glenny, narrator of the documentary, said, “It was really a brilliant plan. The whole plan was executed with great intelligence.”

The Philippines and casinos

There is no mechanism to monitor casinos and transactions associated with gambling in the Philippines. Taking advantage of this, representatives of the hackers withdrew USD 22 million in the local currency and took it to a casino named Solar.

The money was first converted to casino chips for gambling. Later, they gambled among themselves and converted the chips back to USD to take abroad. It was a classic example of money laundering. Their unusually lengthy gambling sessions went unnoticed, as such activity seemed normal during the Chinese New Year.

The holiday ended on 9 February, and the Bangladesh Bank was still trying to halt the transactions involving the remaining USD 59 million in RCBC.

However, their repeated messages went unanswered, as RCBC had received a flurry of messages during the holidays. Its staff eventually noticed the message only after the manager had approved the transaction. The remaining money also went to the casino's coffers.

Updates

Of the total amount, USD 66.4 million remains unrecovered. The central bank filed a case with the United States Federal Court in 2020, seeking restitution of the stolen money. The Philippine government also filed a case in a local court over the reserve heist.

Later, Philippine authorities recovered USD 15 million from a casino owner and handed it over to Bangladesh.

In Bangladesh, the CID is still looking into the incident and has had the investigation period extended 73 times. Recently, a Dhaka court set 20 September as the deadline to submit the probe report.

Regarding the documentary, Bangladesh Bank spokesperson Mejbaul Haque said a case was filed with the US court over the reserve heist and it is still underway.

When approached for comment, the then BB governor, Atiur Rahman, through his office, said he was not interested in discussing the issue.

*This story first appeared in the print version of Prothom Alo and has been rewritten in English by Misbahul Haque