Hackers Steal $101M From Central Bank

The story behind the massive $101 million hack that hit Bangladesh’s central bank last week just got even juicier.

It turns out those funds were stolen from Bangladesh’s account at the New York Fed through the use of official government codes. This has left officials across four countries digging for answers, and one top bank chief has turned in his resignation.

The details of the breach that have been reported indicate that $81 million was taken from the New York Fed and stashed in a personal bank account in the Philippines. The remaining $20 million was routed to a Sri Lanka bank. Details released by a Bangladesh Bank official and an official of the Ministry of Finance say that unknown cybercriminals were involved in 35 transfer requests sent through the interbank SWIFT messaging system in February, using the codes to gain access to the funds. SWIFT uses a multilayered authentication process for financial institutions, which send and receive millions of messages among one another each day.

The government officials said whoever was responsible had the SWIFT transfer codes necessary to put in the request for payments during a weekend. As a result, Bangladesh’s finance minister has posed questions about the country’s security standards for its banking officials. He also questioned the Fed’s ability to detect an incident as irregular as this occurring over the weekend.

As a result of this massive attack, Prime Minister Sheikh Hasina’s spokesman Ihsanul Karim said he has accepted Bangladesh Bank Governor Atiur Rahman’s resignation. Rahman claims to have made the decision on his own.

“I submitted my resignation to Prime Minister Sheikh Hasina … tears rolled out from her two eyes,” he said, according to The New York Times. He was quoted earlier in the week saying: “If my resignation is better for the Bangladesh Bank, I have no hesitation.”

He also shared his thoughts on leaving the post, commenting: “Such cyber attacks are happening across the world. We have to be careful, very careful. It’s like an earthquake, when it will come, very difficult to predict. We are new in facing such attacks. We lack experience.”

He also said before his resignation that he implemented some fixes to the loopholes that were in the system in order to ensure the country was safe from the same incident occurring again.

The Fed announced it is working with Bangladesh to investigate the matter, but did confirm that its security systems have not been compromised. No one from the New York Fed has publicly commented on the matter, nor would anyone comment on whether an event like this had occurred before.

The news of this breach officially broke late last Friday after the New York Fed was alerted to a series of payment instructions for a $1 billion transfer from the Bangladeshi account. That amount, of course, set off red flags. Those requests also asked to send funds into private accounts in the Philippines and Sri Lanka, and the Fed believes they also came from the Bangladeshi central bank’s servers in the country’s capital.

Because the bank was closed by then, the hacker was able to move around $100 million through the account, but the other $850 million was blocked as it set off a money laundering alert from the Fed. This was, of course, because the money was being requested for transfer into personal accounts, and to the Philippines, no less.

But then again, there was also the typo.

Officials told Reuters late last week that the spelling mistake put a stop to the online bank transfer. While the above-mentioned four requests, which totaled nearly $81 million, were successfully transferred to entities in the Philippines, a typo held up a fifth request for a transfer of $20 million to a Sri Lankan nonprofit organization.

And that’s what stopped what could have been a billion-dollar hack.

The misspelling of “foundation” as “fandation” raised a red flag for routing bank Deutsche Bank, causing it to reach out to the Bangladesh central bank for clarification and then stop the transaction.

The bank also confirmed that it has since recovered some of the money stolen and continues to work with anti-money laundering authorities in the Philippines. Officials estimate that the value of the attempted transactions that were actually stopped totaled anywhere between $850 million and $870 million.

Bangladesh’s Finance Ministry officials have pegged this incident as an international cyber heist that has impacted four countries.