The Billion Dollar Bank Job
Source: New York Times Magazine
By Joshua Hammer
At 8:45 in the morning on Friday, Feb. 5, 2016, Zubair Bin Huda, a director at Bangladesh’s central bank, entered the 30-story, concrete-and-glass headquarters in Dhaka. Bin Huda, slim and soft-spoken, with a thin black mustache and beard, rode an elevator to the ninth floor and eventually walked into the back office of the Accounts and Budgeting Department’s “dealing room,” the most restricted area of the building, accessible to only a handful of employees.
Until about a decade ago, Bangladesh’s central bank was stuck in the analog age: Staff members sent international payment instructions via a teleprinter, an electromechanical typewriter that sent and received messages over standard phone lines and other channels. But since a new bank governor took over in 2009, the institution had gone digital. Its international transfer orders are now dispatched via Swift, the Brussels-based electronic network used by 11,000 financial institutions in more than 200 countries and territories. Inside a 12-foot-by-8-foot glass-walled chamber, under the scrutiny of closed-circuit security cameras, staff members log into Swift and dispatch the payment orders with encrypted communications. With a few keystrokes, a complex process is set in motion that sends millions of dollars zipping across continents.
Bin Huda was the duty manager that morning, which meant he was tasked with scrutinizing printouts of transfer confirmations, routine queries and other Swift messages that had come in overnight. Friday is a bank holiday in Bangladesh, but a dedicated printer still generated hard copies of digital transfer messages. A few dozen would usually come in over the course of a day, but that morning Bin Huda didn’t see any on the printer. He assumed it was a technical glitch and decided to deal with it on Saturday.
At 9 o’clock the next morning, he returned to the office. This time, he found that the Swift software — the program that launches the messaging service — wasn’t functioning, either. Each time he tried to open it, a disconcerting error message appeared: A file is missing or changed. He and his colleagues huddled over the dedicated Swift computer, following directions on the monitor on how to get the software running again. Shortly after noon, he was able to retrieve three messages from the Federal Reserve Bank of New York and to print them out one by one. The New York Fed is, in effect, the gatekeeper of much of world banking, and hosts accounts for 250 central banks and governments with deposits of about $3 trillion. A Fed employee had written to Bangladesh, asking for clarification about 46 payment instructions received over the past 24 hours. The Fed had never seen orders like that or a total so large from the bank — nearly $1 billion.
It had to be a mistake, Bin Huda thought. Bangladesh Bank, as the central bank is known, never sent payment instructions on weekends, and even during business hours, it rarely sent more than two or three to the Fed in a day. He scrolled through the message file in search of more information. Where was the money headed? The one debit statement he could find was corrupted and unreadable. Desperate to stop the transactions from moving forward, but unsure where to turn, Bin Huda emailed a Swift case manager at the organization’s Brussels headquarters. He told bank officials that he had reported a “big accident” in the Swift system. He tried to reach the Fed in New York by telephone, but the bank was shut down for the weekend. Bin Huda emailed and faxed a demand to the Fed to stop processing all payments, including all those mentioned in the queries. Hoping that someone would get the message, Bin Huda then shut down his computer and went home to enjoy his weekend with his family.
ALTHOUGH NO ONE KNEW THIS YET, Bin Huda was in the middle of the most daring bank robbery ever attempted using Swift. And it would prove to be the most severe breach yet of a system designed to be unbreachable. Swift’s transmission process — by which money moves through the dispatching of encrypted messages to multiple operating centers and then on to the receivers — has become the standard in the banking world, flawlessly processing more than three billion payment orders a year. It uses “military grade” security systems, says Adrian Nish, the head of Threat Intelligence for BAE Systems, a cybersecurity firm in Britain that investigated the attack on Bangladesh Bank. Swift (the acronym stands for the Society for Worldwide Interbank Financial Telecommunication, a cooperative founded in 1973 and owned by its member banks) recommends that its institutions use multifactor authentication to log on and that they segregate the Swift server from the rest of their internal network.
Even for skilled and dedicated hackers, the most viable path to penetrating Swift runs through the member banks, which operate the software that lets them log into the Swift system — providing “the technical handshake that opens the secure pipe,” as one cybersecurity expert put it to me. During the past three years, a rash of smaller incidents has shown the vulnerabilities in the system, as cyberthieves broke into the computer networks of banks in Ecuador, Taiwan, Vietnam, Poland, India and Russia to send out phony payment instructions via the Swift network. Alert bank officials were able to call back some fake payments, but millions of dollars were lost. “A lot of institutions in emerging markets don’t have the same security controls that more mature banks have,” says Patrick Neighorn of FireEye, a U.S. cybersecurity firm. “In some the passwords aren’t centrally managed, or they didn’t know what all the devices connecting their network are.”
The Bangladesh job, though, was an order of magnitude more sophisticated. The hackers’ approach was masterly in its foresight and complexity, and the malware they used, or variations of it, later turned up in several of the other bank breaches. The intruders most likely entered the bank’s computer network through a single vulnerable terminal, using a contaminated website or email attachment, and planted malware that gave them total control, even a view of the screens they were manipulating. There, hiding in plain sight, they waited for months to gain an understanding of the bank’s business operations. They harvested employee passwords and worked their way to the most tightly guarded corner of the network: the Swift server. Despite Swift’s warnings, the bank had not segregated its Swift server from the rest of the computer network. “It takes a huge amount of skill to understand the target systems and to be able to subvert them the way they did,” says Nish of BAE Systems.
In contrast to off-the-shelf tools that have been used in many recent attacks — such as the “SQL injection code” deployed in 2015 to break into the database of TalkTalk, a British telecommunications firm, and access the bank information and personal details of more than 20,000 subscribers — the malware that the thieves devised was “a custom code, built for attacks on banks and configured for a specific bank,” Nish says. And because it was written from scratch, it was unfamiliar to existing virus-protection programs. After the hackers sent their counterfeit payment orders via the secure Swift messaging network, they completely erased their footprints by deleting those orders from the bank’s Swift database, wiping out the evidence from the printer statements and updating the balances in the bank’s New York Fed account to make it appear that no money had been debited. In effect, Nish says, “the thieves figured out how to make themselves disappear.”
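The defensive lesson of the cover-up just described, as an added illustration that is not the bank's, BAE Systems' or FireEye's code: once an intruder can rewrite the Swift host's own database, its confirmation printouts and its view of the Fed balance, a check that consults only those records sees nothing, so detection has to reconcile a record the Swift host cannot touch against them and compare traffic with the bank's own baseline (the article's "never on weekends, rarely more than two or three a day"). The append-only outbound log, the record layouts and the sample orders are assumptions constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Bangladesh's weekend is Friday and Saturday (the article notes Friday is a bank holiday).
WEEKEND_DAYS = {4, 5}          # datetime.weekday(): Monday=0 ... Friday=4, Saturday=5
MAX_PER_DAY = 3                # "rarely sent more than two or three to the Fed in a day"


@dataclass(frozen=True)
class Instruction:
    ref: str                   # message reference (constructed values below)
    sent_at: datetime          # local (Dhaka) time the order was released
    beneficiary: str
    amount_usd: int


def reconcile(outbound_log, swift_db, printed_acks):
    """Cross-check three records of the same payment traffic.

    outbound_log : instructions captured by an append-only log kept off the
                   Swift host (an assumed control, not one the article says
                   the bank had)
    swift_db     : instructions as the Swift host's own database shows them
    printed_acks : message refs for which a confirmation printout exists

    Returns (category, ref) findings; an empty list means the records agree.
    """
    log_refs = {i.ref for i in outbound_log}
    db_refs = {i.ref for i in swift_db}
    ack_refs = set(printed_acks)
    findings = []
    # Released per the independent log but gone from the Swift DB: the
    # post-send deletion the article describes.
    findings += [("missing_from_swift_db", r) for r in sorted(log_refs - db_refs)]
    # Released but never confirmed on paper: suppressed printer output.
    findings += [("no_printed_confirmation", r) for r in sorted(log_refs - ack_refs)]
    # Known to the Swift DB but never seen by the independent log: a message
    # injected on the Swift host rather than through the normal workflow.
    findings += [("unlogged_in_outbound_record", r) for r in sorted(db_refs - log_refs)]
    return findings


def baseline_anomalies(instructions):
    """Flag orders that break the operating pattern the article states."""
    findings = []
    per_day = Counter(i.sent_at.date() for i in instructions)
    for i in sorted(instructions, key=lambda x: x.sent_at):
        if i.sent_at.weekday() in WEEKEND_DAYS:
            findings.append(("sent_on_weekend", i.ref))
        if per_day[i.sent_at.date()] > MAX_PER_DAY:
            findings.append(("daily_volume_exceeded", i.ref))
    return findings


# Constructed sample: two routine Thursday orders plus four released in the
# early hours of Friday, Feb. 5, 2016 (Dhaka time) and then erased from the DB.
ROUTINE = [
    Instruction("REF-0001", datetime(2016, 2, 4, 10, 15), "Correspondent A", 2_000_000),
    Instruction("REF-0002", datetime(2016, 2, 4, 14, 40), "Correspondent B", 750_000),
]
SUSPECT = [
    Instruction("REF-0003", datetime(2016, 2, 5, 1, 5), "Beneficiary X", 20_000_000),
    Instruction("REF-0004", datetime(2016, 2, 5, 1, 9), "Beneficiary Y", 25_000_000),
    Instruction("REF-0005", datetime(2016, 2, 5, 1, 12), "Beneficiary Z", 30_000_000),
    Instruction("REF-0006", datetime(2016, 2, 5, 1, 20), "Beneficiary W", 6_000_000),
]
OUTBOUND_LOG = ROUTINE + SUSPECT
SWIFT_DB = list(ROUTINE)                       # suspect orders deleted from the host
PRINTED_ACKS = ["REF-0001", "REF-0002"]        # the printer produced nothing on Friday


def run_checks():
    """Combined findings for the sample data; 16 entries for the sample above."""
    return reconcile(OUTBOUND_LOG, SWIFT_DB, PRINTED_ACKS) + baseline_anomalies(OUTBOUND_LOG)


if __name__ == "__main__":
    for category, ref in run_checks():
        print(f"{category:30} {ref}")
```

The point of the three-way comparison is that each record would have to be tampered with consistently, and the off-host log is the one the attacker's foothold on the Swift terminal does not reach.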
The hackers also succeeded in turning one of Swift’s defining features — its global reach — into a vulnerability. After months of lurking in the system, they planned their attack for a moment when the banks were unable to communicate effectively. Beginning on Thursday afternoon, New York time, when the Fed had received a total of 70 fraudulent payment orders to four bank accounts in the Philippines and one in Sri Lanka, totaling $1 billion, Bangladesh Bank was closed for the weekend. On Sunday, when the bank reopened and discovered the error, it was unable to reach the Fed. Bin Huda sent a stop-payment order to the Philippines central bank, which was closed for the Chinese New Year. “There was no hotline between the Bangladesh Bank and the Fed in New York,” says Atiur Rahman, the governor of Bangladesh Bank at the time of the heist. “Essentially, I think this was a flaw of the global payment system.”
Late on Monday afternoon, Dhaka time, as the Fed was opening for business, Bangladesh Bank asked officials in New York to block the money transfer to the Philippines but was told it was too late and that the money was with the recipient banks. On Tuesday morning, more than four days after the theft, Rahman finally reached his Philippine counterpart via a landline from his office and begged him to intervene. The Philippine bank governor asked him to file a written complaint, a Bangladesh Bank official says, and to send it through the diplomatic pouch. Rahman says he was told to keep the matter quiet until it was fully clear what happened.
In early March, according to a bank official, an elite police unit was given permission to inspect the back office. Investigators seized passports to see if anyone had traveled to the Philippines, slapped one employee with a travel ban and questioned the others for hours. Rahman resigned a few days later.
ULTIMATELY, IT WAS only a few strokes of good luck that kept the heist from being far worse. On Thursday, Feb. 4 — the day before Bin Huda noticed that the Swift software had crashed — five payment orders went through without triggering an alarm: a $20 million deposit for the Shalika Foundation, an agricultural NGO in Sri Lanka that had an account at Pan Asia Bank, and four for individual accounts at the Jupiter branch of Rizal Commercial Banking Corporation near Manila. They didn’t clear instantaneously: Fedwire, a Fed-run service for 5,300 clients, enables participants to transfer cash to one another in seconds, but neither of those banks was a member of Fedwire. So the Fed instead began steering the payments to several “correspondent banks” — typically, large commercial institutions that serve as intermediaries between the Fed and smaller banks that aren’t part of its network. In this case, Deutsche Bank had a financial relationship with the bank in Sri Lanka; and the Bank of New York Mellon, Citibank and Wells Fargo dealt regularly with R.C.B.C. When these banks’ automated systems also failed to pick up anything suspicious, the orders were processed.
But the next 30 payment orders, totaling $850 million, were held up by a fortunate coincidence. Representative Carolyn B. Maloney, a senior member of the House Financial Services Committee, says that the automated system flagged the word “Jupiter,” the name of the R.C.B.C. bank branch to which the Swift order was addressed, because it happened to match the name of a totally different business on a sanctions list: Jupiter Seaways Shipping, an Athens-based firm that was blackballed for evading sanctions against Iran. When Fed compliance officers took a close look at the orders, other irregularities became apparent. According to the former Philippine senator Sergio Osmeña III, who later examined the transactions as part of his nation’s investigation into the heist, the payments bore the addresses of the same four account holders in the R.C.B.C. Jupiter branch. “If it hadn’t been for the quick action of someone at the central bank in New York, an additional $900 million would have been lost,” Maloney says.
Then one of the first five transactions — those that had initially cleared — ran aground, too. An alert clerk at the small bank in Sri Lanka noticed something that the global players had not: The payment was unusually large for such a small NGO. The clerk held the $20 million order and went to Deutsche Bank for clarification. Deutsche Bank took a closer look and discovered that the word “Foundation” had been misspelled. Suspicious, Deutsche Bank contacted Bangladesh Bank, which sent a stop-payment order.
This left four payments, totaling $81 million, that went through — an enormous bank job by any metric (by contrast, the most recent large-scale cyberheist, when hackers hit India’s City Union Bank in February 2018, reaped about $1.5 million) and an enormous blow to the global financial system. “What struck me the most was that this action struck at trust in the international banking system,” Representative Maloney says. “And if you can’t trust international banking, then international commerce could grind to a halt.”
Yet when it came to the Bangladesh heist, transferring the cash was only the first part of the scheme. It was one thing to use malicious software to tunnel into the bank’s Swift network and send out dozens of phony transfer orders to banks around the world. It was quite another to turn that digital cash into real money and then make it disappear.
PHILIPPINE AUTHORITIES HAVE focused on Maia Santos-Deguito, a career banker in her early 40s, as the linchpin of the heist’s second phase. At the time of the transfers, she was working as the manager of the Rizal Commercial Banking Corporation’s Jupiter branch. Santos-Deguito worked at several smaller banks before earning her prized position at R.C.B.C., a branch that primarily serves the residents of Bel-Air Village, an affluent neighborhood of tree-shaded residential streets and busy commercial boulevards lined with yoga salons, boutiques and expensive cafes.
In May 2015, nine months before Bin Huda of Bangladesh Bank was baffled by the Swift breakdown, Santos-Deguito met with a longtime client, Kam Sin (Kim) Wong, according to her lawyer. A Hong Kong-born restaurateur and president of Eastern Hawaii Leisure Company, Wong ran “casino junkets” in Manila and northern Luzon, bringing in Chinese high rollers on charter flights, operating V.I.P. rooms in casinos, providing them chips on credit and then taking a cut of the house profit. Wong had experience moving money in and out of an industry where it was nearly impossible to keep track of it. The U.S. State Department’s 2017 International Narcotics Control Strategy Report described the Philippines as a “major” money-laundering site, noting that “criminal groups use the Philippine banking system, commercial enterprises and particularly casinos to transfer drug and other illicit proceeds from the Philippines to offshore accounts.”
In 2001, the Philippines passed an Anti-Money Laundering Act, and by 2016 the Legislature had amended it three times to evade a blacklist designation by the Financial Action Task Force, an international watchdog. But Juan Ponce Enrile, a powerful ex-secretary of national defense, used his position as Senate president to persuade his colleagues to shield casinos from the law — keeping their operations secret and their customers anonymous. In the mid-1990s, Enrile started the Cagayan Economic Zone, a free port near northern Luzon that has attracted casinos and reportedly become a money-laundering hub. The secrecy seems to have been very good for business. In 2016 Bloomberry Resorts, one of the region’s biggest casino operators, posted a net income of $46 million. Melco Crown Philippines Resorts, the operator of City of Dreams Manila, another major gambling resort, had the best-performing casino stock in the world in 2017. “There are no controls, none whatsoever,” Osmeña told me.
According to Santos-Deguito’s attorney, Wong introduced her to a few Filipino associates and asked her to open accounts for them at the Jupiter branch. R.C.B.C. colleagues claimed at a Senate hearing that these “clients” never existed, and they accused Santos-Deguito of using forged signatures and a driver’s-license photo from a former colleague to manufacture their identities. Santos-Deguito’s attorney maintains that his client is innocent and says that she trusted Wong. The prospect of lining up wealthy new clients was enticing for her. It was a potential win for her employer, R.C.B.C., as well. Santos-Deguito kept the accounts open — and nearly empty — for eight months. Then on Friday morning, Feb. 5, 2016, they suddenly became active.
That morning, R.C.B.C. headquarters received Swift instructions from its correspondent banks in the United States to transfer the $81 million into the accounts. Santos-Deguito had already vouched for the integrity of her clients, and she again confirmed that they were legitimate. A colleague at the Jupiter branch testified at the Senate hearings that, on the same day the cash arrived, he watched Santos-Deguito stuff $400,000 into a paper bag and carry it to her car. A three-day weekend, including the Chinese New Year, followed. Then on the morning of Tuesday, Feb. 9, Santos-Deguito arrived at her storefront branch office in Bel-Air Village and began moving the $81 million out of the accounts.
By that point, at the R.C.B.C. headquarters in downtown Manila, employees in the payments department were working through a backlog of nearly 800 Swift messages that had accumulated during the holiday weekend. Among them was a stop-payment order marked “urgent” from Bangladesh Bank. The message went unread until 11 a.m. — by which time Santos-Deguito was in the midst of transferring the $81 million into a fifth account, and from there to a remittance firm called PhilRem, owned by a married couple, Michael and Salud Bautista. Santos-Deguito, who claims she was just following her clients’ orders, finished transferring the funds by 11:30 a.m. The Bautistas converted at least $61 million into Philippine pesos — more than three billion of them.
Around 7:30 that evening, a courier from PhilRem testified, he picked up a suitcase, a traveling bag and a shoulder bag at the company’s office. The luggage was stuffed with 90 million pesos, worth $1.8 million, and $500,000 in U.S. cash. The courier placed the cash into the back of a van, and with a company driver, his uncle, at the wheel, set out for the Bloomberry-owned Solaire Resort and Casino. There, at the lobby entrance, the pair dragged out the luggage and placed it onto a casino trolley. The courier wheeled the money across the lobby, past rows of digital slot machines and a section of tables for Sabong, a card game based on Philippine-style cockfighting. He took an elevator at the far end of the lobby to the second-floor V.I.P. room, where, he testified, Kim Wong, Salud Bautista and one of Wong’s associates were waiting.
The Bautistas claimed in Senate testimony that this delivery was the first of many that their firm would make: It delivered $30 million in cash to Wong’s associate and wired $29 million to the Solaire Casino and another $21 million to Wong’s company, Eastern Hawaii. (Through their lawyers, Wong and the Bautistas declined to comment; they have maintained their innocence.) In his Senate testimony, Wong claimed that he received only $13.5 million and that the Bautistas pocketed the rest. Two of Wong’s fellow gambling promoters, Gao Shuhua and Ding Zhize, also received large amounts of cash.
In the V.I.P. room at Solaire, a plush lounge with butterscotch carpets, brass chandeliers and about a dozen round baccarat tables, junket players crowded around in a haze of cigarette smoke, drinking Chinese tea and fruit juice while placing their bets. The minimum bet at the table was 10,000 Philippine pesos, or roughly $200 in U.S. cash, and millions of pesos could move into the house or into the player’s pockets in a single evening. At the end of each night, during a spree that seems to have lasted a week or more, the gamblers turned their chips back into untraceable cash. Their names remained unregistered, their winnings unreported: It was, Philippine officials say, the ultimate money-laundering operation. “All we know is that the cash was delivered to certain gamblers at the casinos,” Osmeña says, “and then, after that, the gamblers weren’t here anymore, and the money was gone.”
WHO HAD THE expertise and the audacity to carry out such a heist? Weeks after the crime, Bangladesh Bank hired FireEye, the U.S. cybersecurity firm, to investigate. FireEye signed a nondisclosure agreement with the bank and has declined to discuss specifics, but some of the bank’s findings have leaked out, and other cybersecurity firms have drawn their own conclusions from publicly available evidence.
The analysts compared some of the tools used with those employed in two other notorious cyberattacks: the November 2014 hack of Sony Pictures, when a group calling itself the Guardians of Peace released embarrassing emails and salaries and wiped out many of Sony’s servers; and “Dark Seoul,” a March 2013 hack that disabled internet servers at three South Korean banks and froze computers at two South Korean broadcasters. (The base code, Nish says, was also the same one used in the WannaCry ransomware attack in May 2017, in which hackers paralyzed more than 200,000 computers around the world and demanded Bitcoin payments to unfreeze them.) All these operations, the experts concluded, bore the markings of what the security firms called the Lazarus Group — a shadowy organization that U.S. intelligence experts say is most likely affiliated with North Korea. Harsh economic sanctions have left the dictatorship struggling with nationwide food shortages and inching ever closer to a nuclear confrontation. At an Aspen Institute panel last March, the National Security Agency deputy director Richard Ledgett mentioned the findings of the cybersecurity firms and said that they could indicate a new level of North Korean criminality. “If that linkage is true, that means a nation-state is robbing banks,” he said. “That’s a big deal; it’s different.”
The New York Times has reported that North Korea is believed to maintain a network of about 1,700 computer hackers around the world, aided by 5,000 trainers, supervisors and other support staff. Many operations are aimed at harvesting intelligence from South Korea; others, as in the case of Sony, are intended to avenge slights, and still others to reap financial gain. North Korean hackers have become especially adept at targeting the weak links in the financial system: banks in developing nations, especially those in Southeast Asia. “They are easy prey,” says Vitaly Kamluk of Kaspersky Lab, which found Korean-language coding embedded in some Lazarus Group malware and claims it definitively linked the Lazarus Group to North Korea, through an I.P. address that the group briefly used during a wave of attacks in Europe and Central America in 2017. “These central banks often cannot afford good security, good software, or hire a proper specialist to configure their network,” Kamluk says. “They are low-hanging fruit.”
Although gambling is strictly prohibited inside the country, North Korean leadership has a well-documented interest in the casino industry. The country has been suspected of running online casinos and, according to news reports, has been seeking $20 million from foreign investors to launch a luxury liner and casino that would cruise to Vladivostok and ports in Southeast Asia.
Since the heist, Philippine authorities have managed to recover about one-fifth of the missing money for Bangladesh Bank. Wong turned over $15 million, and the Bautistas, suspected by the Senate of walking away with $17 million but still denying wrongdoing, offered to pay $200,000, but the Bangladeshis rejected the money. The rest is probably gone for good. Gone, too, are the shadowy casino-junket operators from mainland China, Ding and Gao, who in February apparently boarded charter flights from Manila to Macau. A former Portuguese colony, Macau has long been an important financial conduit between North Korea and the outside world.
Bangladesh Bank is still trying to recoup as much as it can. In February, its deputy governor announced that the bank was filing a lawsuit against R.C.B.C., charging that its employees had doubts about the Swift payment instructions but executed the orders anyway. R.C.B.C., which has been fined a record one billion pesos by the Philippine central bank over the incident, threatened a countersuit against Bangladesh Bank for defamation. One bank that did authorize the payments, Wells Fargo, just reached an out-of-court settlement with Ecuador’s Banco del Austro, which had filed a lawsuit seeking to hold the bank responsible for approving the transfer of $12 million from its account in a 2015 cyberheist. The undisclosed settlement could give a boost to Bangladesh Bank’s attempts to recover its losses.
In the United States, thanks to Representative Maloney’s prodding, the Fed has instituted a 24/7 hotline to deal with such emergencies. And in the Philippines, the Senate hearings about the crime prompted Congress to impose the first set of transparency rules on the casinos, requiring that every bet over five million pesos, or $100,000, be reported to the Anti-Money Laundering Council. But there was no indication, Osmeña told me, “that anything had changed.” Indeed, Gabriel Lingan, the head of marketing and business development at the Cagayan Economic Zone Authority, which oversees the Eastern Hawaii Casino and Resort in Santa Ana, said that nearly a year after the law was passed, the exact policies regarding when and how casinos will file reports were still being negotiated. “We are still working on the details,” he said.
Of the many people believed to be involved in the Bangladesh Bank heist, only one faces charges: Maia Santos-Deguito, who was indicted on multiple counts of money laundering and faces a possible 14-year prison term. Kim Wong, the Bautistas and others suspected of helping Santos-Deguito have all walked away. “Santos-Deguito was guilty, and PhilRem was guilty, and to a certain extent Kim Wong was guilty,” Osmeña said one day at his home as servants prepared lunch in his palm-filled garden. “The Department of Justice is very crooked, very crooked, and you would do us a favor if you would point that out,” he went on. “It’s a joke, I’m frustrated by it all, but what can I do?”
Officials assume that once the junketeers stepped off the plane in Macau, it would have been easy for them to send the money, via wire or courier, to Pyongyang. But the junket operators’ precise ties to North Korea — or the exact route taken by the cash from Macau — remain a mystery. “We never got to find out who was really behind it,” Osmeña told me, shaking his head in frustration. “And what the ultimate destination is, we don’t know.”