This blog post tells the story of the largest bank heist to date. I presented it in talk form at the 2018 Tampa Bar Camp conference.
The story starts in the Philippines in May of 2015, where four brand new accounts were opened with the minimum deposit placed in each. These accounts will soon play a huge part in the heist, but at that point in time they are nothing out of the ordinary.
Next we jump to January 2016, when an employee at the central bank of Bangladesh inadvertently opens an email containing a malicious macro. The macro executes code that gives the hackers access to the bank's network. This starts the countdown until the hackers strike again, which takes about a month.
February 4, 2016 (Thursday - Bangladesh)
The day is nearing its end, which is the beginning of the weekend in Bangladesh. Because of Muslim prayers on Friday, the weekend is Friday/Saturday, so the full staff won't enter the bank again until Sunday. Even though the bank is closing and staff are leaving, the bank's SWIFT systems are about to be very active.
February 5, 2016 (Friday morning - New York)
Due to time zones, the end of the day in Bangladesh is roughly 7-8am in New York. This matters because Bangladesh holds money at the Federal Reserve Bank of New York. The first of the hackers' many malicious actions now begins: they send 35 transactions via the SWIFT network totaling 951 million dollars. Large sums move internationally all the time, so on its own this isn't out of the ordinary.
In the context of Bangladesh Bank it probably wasn't normal, but unfortunately nobody realized that. Fortunately, all 35 transactions were denied because the SWIFT messages lacked required information. This was a simple fix, as only the "correspondent bank" field needed to be filled out. The resubmission itself should have been another red flag: the hackers resubmitted those 35 transactions with the missing field completed at 1am Bangladesh local time, which should have alerted the New York staff that the requests were more than likely not legitimate.
Now we have a second batch of 35 transactions at the New York Fed. This time the formatting was okay, but 30 transactions were blocked for violating US sanctions.
"Today we are lifting the veil on an intricate Iranian scheme that was designed to evade international oil sanctions," said Treasury Under Secretary for Terrorism and Financial Intelligence David S. Cohen. "We will continue to expose deceptive Iranian practices, and to sanction those individuals and entities who participate in these schemes."
Sanctioned entity name: Jupiter Seaways Shipping
This was a fluke: the word "Jupiter" appeared in the SWIFT messages, which matched the sanctions screen and flagged the requests. What is very strange is what happened to the 5 remaining transactions.
- 4 sent to RCBC (Rizal Commercial Banking Corporation) in Philippines
- 1 sent to Shalika Foundation (Sri Lanka)
The 4 transactions sent to RCBC went to a branch located at "122 Jupiter St, Makati. 1209 Metro Manila, Philippines". While other transactions were denied for containing the word "Jupiter", these 4 passed the screen untouched. Either way, the New York office reached out to Bangladesh via the SWIFT network.
February 5, 2016 (Friday morning - Bangladesh)
The small staff available on a Friday before Muslim prayers enter the bank and notice that the printer responsible for printing SWIFT messages is not working. This happens occasionally, so the staff made a note to fix the printer and left. Had the printer been working, stacks of paper would have pointed to the messages about money moving. The hackers knew this and so disabled the printer through their access to the bank's systems, rendering it useless until repaired.
February 7, 2016 (Sunday morning - Bangladesh)
It is the start of the week in Bangladesh, and fixing the printer is the only worry. Employees can't process transactions if no SWIFT messages have been printed. It takes them a few hours, but they finally fix the printer and discover what is going on. The staff are horrified; they immediately begin trying to contact New York and sending "STOP" orders to the banks that received the transferred funds.
This proves useless as far as New York is concerned, because the working day on Sunday in Bangladesh is still the weekend in New York.
February 8, 2016 (Monday - Sri Lanka)
Employees show up to work in Sri Lanka and are surprised to see a transaction of 20 million dollars en route to a non-profit. An employee asks the referring bank (Deutsche Bank) to confirm the company. The hackers had spelled Foundation as "Fundation", and the resulting investigation showed that the company in question did not exist. The transaction was denied, which left only 4 of the 35 transactions remaining, roughly 81 million dollars.
February 8, 2016 (Monday - Philippines)
If you remember back to the beginning of this blog post, I mentioned 4 bank accounts opened at a small RCBC branch. You guessed it: the remaining 4 transactions funded those 4 accounts, and that was very much intentional. Bangladesh was trying to reach this bank, but it was failing because February 8, 2016 was Chinese New Year, which meant the bank was closed.
Those accounts moved 51.65 million dollars before RCBC made contact with Bangladesh the next day. At that point, under local law, the accounts could not be frozen until a criminal case was opened. Once that happened, only about 65 thousand dollars remained of the 81 million.
The hack was partially successful. Of the original 951 million dollar heist, only 80.65 million was actually stolen. The money was laundered through casinos and moved to Macau. Following the money is a blog post in itself, so I want to pause there and go back.
This hack abused or benefited from the following things.
- Close times across time zones
- Holiday times in various countries
- Multiple jurisdictions, so that local laws could be played against each other
- Hacking knowledge to disable the SWIFT confirmation printer
- Extreme planning
The 4 accounts that received the 81 million dollars were created roughly 10 months before the hack. Timing the transfers so that Chinese New Year would prevent Bangladesh from contacting the local branch made the plan even more precise. This was a carefully planned and organized hack that was kept from being perfect only by stupid mistakes like improper formatting and misspellings.
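The red flags this post points out (a bulk batch submitted outside the originating bank's business hours, resubmission of messages that were just rejected, a sanctioned name appearing in the message text, and a misspelled beneficiary name) are all things a payment screen can check before a message is released. The following is an added illustration written for this post, not code from any bank or from SWIFT: a small rule-based screen run over a constructed batch of transfer records modelled on the ones described above. The business-hours window, the batch total limit, the word list and every record are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from difflib import get_close_matches
from typing import Optional
import re

# Assumed screening parameters for this illustration (not real bank policy).
SANCTIONS_TERMS = ("jupiter",)       # the term the real screen happened to match
BUSINESS_HOURS = (9, 17)             # 09:00-17:00 at the originating bank
WEEKEND_DAYS = {4, 5}                # Friday, Saturday (datetime.weekday(): Monday=0)
BATCH_TOTAL_LIMIT_USD = 50_000_000   # assumed limit for a single batch
KNOWN_WORDS = {"foundation", "shipping", "bank", "corporation", "trading", "ltd"}


@dataclass
class Transfer:
    msg_id: str
    submitted_local: datetime        # submission time in the originating bank's zone
    amount_usd: float
    beneficiary: str
    address: str
    resubmission_of: Optional[str] = None  # id of an earlier message this repeats


def screen_transfer(t: Transfer, rejected_ids: set[str]) -> list[str]:
    """Return the list of red flags raised by a single transfer (empty if clean)."""
    reasons: list[str] = []

    # 1. Off-hours: weekend at the originating bank, or outside business hours.
    in_hours = BUSINESS_HOURS[0] <= t.submitted_local.hour < BUSINESS_HOURS[1]
    if t.submitted_local.weekday() in WEEKEND_DAYS or not in_hours:
        reasons.append("off-hours submission at originating bank")

    # 2. Sanctions term anywhere in the free text, address included.
    #    (The real screen caught the name but let the street address through.)
    haystack = f"{t.beneficiary} {t.address}".lower()
    for term in SANCTIONS_TERMS:
        if term in haystack:
            reasons.append(f"sanctions term '{term}' in beneficiary or address")

    # 3. Resubmission of a message that was rejected earlier.
    if t.resubmission_of is not None and t.resubmission_of in rejected_ids:
        reasons.append(f"resubmission of rejected message {t.resubmission_of}")

    # 4. Near-miss spelling of a common beneficiary word ("Fundation").
    for word in re.findall(r"[a-z]+", t.beneficiary.lower()):
        if word not in KNOWN_WORDS:
            close = get_close_matches(word, KNOWN_WORDS, n=1, cutoff=0.8)
            if close:
                reasons.append(f"possible misspelling '{word}' of '{close[0]}'")
    return reasons


def screen_batch(batch: list[Transfer], rejected_ids: set[str]):
    """Screen every transfer, plus batch-level checks. Returns (per_message, batch_reasons)."""
    per_message = {t.msg_id: r for t in batch if (r := screen_transfer(t, rejected_ids))}
    batch_reasons: list[str] = []
    total = sum(t.amount_usd for t in batch)
    if total > BATCH_TOTAL_LIMIT_USD:
        batch_reasons.append(f"batch total {total:,.0f} USD exceeds limit")
    return per_message, batch_reasons


# Constructed sample batch. 2016-02-05 was a Friday (weekend in Bangladesh);
# 2016-02-03 was a Wednesday. Ids, names and amounts are made up for the example.
REJECTED_IDS = {"T1-orig"}
SAMPLE_BATCH = [
    Transfer("T1", datetime(2016, 2, 5, 1, 0), 20_000_000,
             "Shalika Fundation", "Colombo, Sri Lanka", resubmission_of="T1-orig"),
    Transfer("T2", datetime(2016, 2, 5, 1, 5), 30_000_000,
             "Jupiter Seaways Shipping", "constructed address"),
    Transfer("T3", datetime(2016, 2, 5, 1, 10), 25_000_000,
             "Acme Trading", "122 Jupiter St, Makati, Metro Manila"),
    Transfer("T4", datetime(2016, 2, 3, 11, 0), 5_000,
             "Ordinary Payee Ltd", "Dhaka, Bangladesh"),
]

if __name__ == "__main__":
    flagged, batch_flags = screen_batch(SAMPLE_BATCH, REJECTED_IDS)
    for msg_id, reasons in flagged.items():
        print(msg_id, "->", "; ".join(reasons))
    print("batch ->", "; ".join(batch_flags) or "clean")
```

The point of screening the address as well as the name is the gap the post describes: four messages carried "Jupiter" in the street address and sailed through. None of these rules is sufficient alone, but an off-hours resubmission of a batch that had just been rejected is exactly the combination a reviewer should have to sign off on by hand.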
All these pieces together paint a very scary picture of the digital world and how money moves. For this incident, even two years later the story isn't over. The money is still being followed and everyone involved is blaming someone else for the hack. We might have to revisit this topic again in a few years.