Asia: Cyber-heist topples Bangladesh bank chief

By: Elliot Wilson

$101 million stolen by cyber-thieves; fears of an inside job.

Atiur Rahman’s downfall began in May 2015

Atiur Rahman stepped down as head of Bangladesh’s central bank on March 15, taking the fall for one of the most daring cyber heists in history. The revelation that well-organised thieves operating from the Philippines had stolen $101 million of the south Asian nation’s foreign currency reserves shocked the world. 

Yet it was the revelation that Rahman, a pugnacious economist who had run Bangladesh Bank with aplomb for seven years, had kept details of the grand theft secret for weeks, seemingly even from senior government officials, that made his position all but untenable. 

Rahman’s downfall began in May 2015, when four men quietly opened US dollar bank accounts at a branch of the Rizal Commercial Banking Corporation (RCBC), in Makati, a suburb of the Philippine capital, Manila. Hackers then appear to have broken into Bangladesh Bank, planting malware, lurking in the background and studying in detail how staffers operated, communicated and placed and fulfilled orders. 

On February 4, the four idle RCBC accounts were activated. Using the malware as a shield, the hackers cloned legitimate transactions and then placed 35 fake money transfer orders worth $951 million via Bangladesh Bank’s account with the Federal Reserve Bank of New York. 

The Fed immediately blocked 30 of the transactions worth $850 million, but five slipped through. Of the remainder, four transactions worth $81 million, officially tagged as development capital, ostensibly to be used to fund vital infrastructure in Bangladesh, including bridges, a power station and the Dhaka Metro, were transferred through the Swift system to bank accounts in the Philippines. 

From there, the cash was disbursed into the country’s lightly regulated casinos, with $50 million passing through two groups – Bloomberry Resorts and Eastern Hawaii Leisure – via a money transfer firm, Philippine Remittances. The remaining $31 million was handed in cash to an agent called Weikang Xu, who specialised in organising trips for gamblers. That capital has yet to be recovered. 

A further $20 million was wired to an unnamed Sri Lankan bank, to be deposited in a Colombo-based non-governmental organization. It was here that alarm bells began to ring. The bank noticed a simple but glaring clerical error: the misspelling of the word ‘Foundation’ as ‘Fandation’. The money order was queried and then frozen once the scale of the hack became clear, allowing that slice of the funds to be recouped. 

Bangladesh Bank was slow to react. When staff returned to the office on February 6, they found a series of messages from the New York Fed, yet it was two more days before Rahman’s team started to piece together what had happened. The scale of the hack did not become public for another three weeks, and it was another fortnight before Rahman finally submitted his resignation to Bangladeshi premier Sheikh Hasina. Two of his deputies, Nazneen Sultana and Mohammed Abul Quasem, were subsequently fired. The government moved quickly to assign a new central bank chief, appointing Fazli Kabir, a former chairman of state-run lender Sonali Bank. 

Mud slinging

Plenty of mud has been flung since the scale of the hack became clear. Officials in Dhaka were at pains to state that the heist itself did not precipitate Rahman’s departure from Bangladesh Bank. Cyber hackers have in recent years tried, in some cases successfully, to break into lenders and institutions, including JPMorgan Chase and the Federal Reserve. Central banks and commercial lenders have ramped up spending on security; that such break-ins remain relatively rare suggests that financial institutions have mostly spent wisely on IT and counsel. 

Others have been less willing to forgive. Bangladesh finance minister Abul Maal Abdul Muhith railed publicly about the “incompetent” central bank, and threatened to file a case against the New York Fed, fuming that they “cannot avoid their responsibility in any way”. 

Authorities in the Bangladeshi capital allege that the Fed originally questioned at least one of the $101 million-worth of successful transactions, yet approved them anyway, without securing a response. Dhaka itself is trying to understand how someone infiltrated the central bank, planted malware and replicated the access codes and identities of internal staff without being spotted. Some have suggested the hackers were aided and abetted by an insider. 

The fallout has stretched all the way to the Philippines. RCBC sacked Maia Santos-Deguito, manager of its Makati branch, accusing her of “falsification of commercial documents” and “violating bank policies and procedures”. Grace Poe, a frontrunner in the race to become president of the Philippines, has promised to extend money-laundering legislation to cover casinos if elected to the country’s highest office in May.

This heist was planned for months; it may be many more before the full story emerges.