Nine years ago, on 4 February, one of the largest cyber heists in history took place. The Bangladesh Bank heist was a meticulously planned attack that exposed how vulnerable global banking security was.
Unknown hackers infiltrated the Bangladesh Bank's (BB) systems and, on 4 February 2016, attempted to steal nearly $1 billion from its account at the Federal Reserve Bank of New York. A combination of technical errors and last-minute interventions stopped most of the transfers, but the attackers still succeeded in moving $81 million, most of which was laundered through Philippine casinos.
The breach: months of preparation
The hackers had infiltrated the Bangladesh Bank's systems months before executing the heist. The breach can be traced back to August 2015, when the bank connected its Real-Time Gross Settlement (RTGS) system to the SWIFT network without a proper cybersecurity assessment. This connection allowed the attackers to install malware on the system, giving them access to credentials and transaction details.
By January 2016, the hackers had compromised the login credentials of two BB officials. Malware installed on 19-20 January captured keystrokes and login details, enabling the attackers to take full control of the bank's SWIFT operations.
Executing the heist
On 4 February 2016, a day before the weekend in Bangladesh, the hackers used stolen SWIFT credentials to send 35 fraudulent transfer requests to the New York Federal Reserve, totalling $951 million. The money was to be routed to accounts in the Philippines and Sri Lanka.
While the NY Fed flagged many of these transactions as suspicious, five of them were processed, releasing $101 million:
- $81 million was sent to accounts at the Rizal Commercial Banking Corporation (RCBC) in Manila, Philippines.
- $20 million was directed to a bank in Sri Lanka, but this transfer was flagged and reversed because of a spelling error in the recipient's name: "Foundation" had been misspelt as "Fundation."
Laundering the stolen money
The stolen $81 million that reached the Philippines was quickly withdrawn and laundered through Manila's casinos, taking advantage of the fact that casinos were at the time exempt from the country's anti-money laundering law. The money was moved through multiple bank accounts, converted into chips, and later cashed out, making it nearly impossible to trace.
Delayed response and exposure
Bangladesh Bank officials did not immediately detect the breach. By the time they had retrieved the relevant SWIFT messages in mid-March 2016, the funds had already vanished. Governor Atiur Rahman chose to keep the incident secret, fearing that publicity would hinder recovery efforts.
Before that, on 29 February 2016, the Philippine newspaper Inquirer had published a story on the stolen funds, forcing the Bangladesh Bank to acknowledge the theft publicly. The scandal quickly became international news, leading to high-level investigations in Bangladesh, the Philippines, and the United States.
Key failures and security lapses
The official probe report, led by former BB Governor Mohammed Farashuddin, identified several security lapses:
- Weak cybersecurity: The bank's SWIFT system was linked to local networks without sufficient security controls.
- Lack of monitoring: No real-time tracking of outgoing transactions was in place, so a burst of unusual transfer requests raised no alarm as it happened.
- Delayed response: BB officials took too long to detect and react to the breach.
- Failure of the Federal Reserve: The NY Fed approved and processed some of the transactions despite red flags.
- Role of RCBC: The Philippine bank ignored stop-payment requests from Bangladesh Bank and facilitated the laundering.
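The "lack of monitoring" finding is the one a security engineer can act on directly. The following is an added example, not code from the probe report or from Bangladesh Bank, of what per-instruction real-time checks on outgoing payment orders look like: a first-time beneficiary, an amount above a single-transfer limit, a rolling 24-hour outflow that exceeds a window limit, and submission outside business hours or on the eve of the local weekend (Thursday in Bangladesh, as the article notes). The record layout, the threshold values and the sample instruction stream are all constructed for this example and are not taken from the heist or from any real bank.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


# Hypothetical record: one outgoing payment instruction as it leaves the
# bank's messaging gateway. Field names are assumptions for this example.
@dataclass
class PaymentInstruction:
    ref: str
    submitted: datetime          # local time at the ordering institution
    beneficiary_account: str
    beneficiary_bank: str
    amount_usd: float


@dataclass
class Alert:
    ref: str
    reason: str


# Tunable thresholds; the values are assumed, not from the page or any bank.
SINGLE_TRANSFER_LIMIT = 10_000_000.0
WINDOW_LIMIT = 50_000_000.0
WINDOW = timedelta(hours=24)
BUSINESS_HOURS = (9, 17)        # instructions expected between 09:00 and 17:00
WEEKEND_EVE = {3}               # Thursday: Bangladesh's weekend is Friday-Saturday


class RealTimeMonitor:
    """Evaluate each instruction as it is submitted, not in an end-of-day batch."""

    def __init__(self, known_beneficiaries):
        self.known = set(known_beneficiaries)
        self.recent: List[PaymentInstruction] = []

    def check(self, p: PaymentInstruction) -> List[Alert]:
        alerts: List[Alert] = []
        # 1. First-time beneficiary: this account has never been paid before.
        if p.beneficiary_account not in self.known:
            alerts.append(Alert(p.ref, "first-time beneficiary"))
        # 2. Single amount above the per-transfer limit.
        if p.amount_usd > SINGLE_TRANSFER_LIMIT:
            alerts.append(Alert(p.ref, "amount above single-transfer limit"))
        # 3. Rolling-window aggregate: several mid-sized transfers add up.
        cutoff = p.submitted - WINDOW
        self.recent = [q for q in self.recent if q.submitted >= cutoff]
        self.recent.append(p)
        total = sum(q.amount_usd for q in self.recent)
        if total > WINDOW_LIMIT:
            alerts.append(Alert(p.ref, f"24h outflow {total:,.0f} above window limit"))
        # 4. Timing: outside business hours, or on the eve of the local weekend
        #    when a reversal request would not be acted on for days.
        hour = p.submitted.hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            alerts.append(Alert(p.ref, "submitted outside business hours"))
        if p.submitted.weekday() in WEEKEND_EVE:
            alerts.append(Alert(p.ref, "submitted on eve of local weekend"))
        return alerts


def run_demo() -> Dict[str, List[str]]:
    """Run a constructed instruction stream; returns alert reasons per reference."""
    monitor = RealTimeMonitor(known_beneficiaries=["ACC-KNOWN-1"])
    # Constructed sample: one routine payment on Wednesday during office hours,
    # then three large payments to unknown accounts on Thursday evening.
    stream = [
        PaymentInstruction("LEGIT-001", datetime(2016, 2, 3, 11, 0), "ACC-KNOWN-1", "BANK-A", 2_000_000),
        PaymentInstruction("FRD-001", datetime(2016, 2, 4, 20, 5), "ACC-NEW-1", "BANK-B", 30_000_000),
        PaymentInstruction("FRD-002", datetime(2016, 2, 4, 20, 7), "ACC-NEW-2", "BANK-B", 25_000_000),
        PaymentInstruction("FRD-003", datetime(2016, 2, 4, 20, 9), "ACC-NEW-3", "BANK-C", 20_000_000),
    ]
    return {p.ref: [a.reason for a in monitor.check(p)] for p in stream}


if __name__ == "__main__":
    for ref, reasons in run_demo().items():
        print(ref, reasons or "no alerts")
```

In the sample run the routine Wednesday payment raises nothing, the first evening transfer trips four rules at once, and the second and third also push the 24-hour outflow past the window limit. Each rule on its own is crude; the point is that they fire while the instruction can still be held, rather than after the weekend when the funds have already left the correspondent account.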
North Korean connection
Cybersecurity firm FireEye Mandiant linked the attack to North Korean hackers, citing similarities with previous attacks, including the Sony Pictures hack in 2014. North Korean state-sponsored hackers had reportedly spent years infiltrating various financial institutions worldwide, targeting SWIFT banking networks.
Legal and diplomatic fallout
Bangladesh Bank filed a lawsuit against RCBC in a New York court, accusing it of facilitating the theft. The Philippines imposed fines on RCBC, and Maia Santos-Deguito, the branch manager who processed the transactions, was convicted of money laundering.
Despite these efforts, only about $15 million of the stolen funds has been recovered, leaving roughly $66 million still unaccounted for.
Recommendations made by the Farashuddin report
The Farashuddin report made 70 recommendations to prevent such incidents, including:
- Stronger cybersecurity measures for SWIFT transactions.
- Improved monitoring and auditing of transactions.
- Stricter anti-money laundering laws in financial hubs.
- Greater coordination between central banks and financial regulators.
The Bangladesh Bank reserve heist remains one of the most sophisticated cybercrimes ever recorded. Despite extensive investigations, the perpetrators were never officially caught, and most of the stolen money was never recovered.