More Trouble For SWIFT: The Ecuadorian Cyberheist That Left $9M Lost In Hong Kong

Stealing $12 million is harder than one might think. Even if one gets the money, what do you do with it? It is not exactly an inconspicuous amount to have with no explanation.

The cybercriminals that hacked $12 million out of an Ecuadorian bank in 2015 came up with a solution for that problem: routing the funds through 23 companies registered in Hong Kong. Firms that seem to have existed for no other reason than to be a home for the stolen funds.

That information comes care of a lawsuit filed early last year by Ecuador’s Banco del Austro (BDA) in Hong Kong against the web of companies that received or handled more than $9 million in stolen funds, bank records submitted to the territory’s Court of First Instance show. According to BDA, the shell firms have been “unjustly enriched.”

Also, it wants its money back.

For those wondering about the last $3 million, that apparently went to Dubai and beyond, according to U.S.-based court papers.

So, how did the thieves manage to get $9 million of the stolen $12 million to Hong Kong?

Stop us if you’ve heard this one before — the thieves allegedly used the SWIFT global messaging system to move the funds. Yes, it is a similar trick to the one that moved $81 million out of Bangladesh Bank in February.

In the Ecuadorian heist, based on authenticated SWIFT messages, Wells Fargo was induced to move the funds ($9.139 million) into the Hong Kong accounts of four companies at HSBC and Hang Seng Bank. From there, around $3.1 million was routed to 19 “second layer” bank accounts.

Despite the recent troubles — and the fact that it looks like it is becoming every international hacker’s favorite new toy — SWIFT maintains that its core messaging system has never been breached.

BDA declined to speak with Reuters about the Hong Kong case. It also had no comment on the litigation in the United States against Wells Fargo.