An unsuspecting CV under the name of Rasak Alam found its way into the inboxes of 36 employees of Bangladesh’s central bank. Remarkably, three of them accessed the email and its attached PDF, unknowingly triggering a catastrophic compromise of Bangladesh’s entire financial reserve.
In a short span, a staggering $101 million was siphoned away by hackers. The documentary “Billion Dollar Heist” recounts this event, one of the biggest cybercrimes, and unveils a narrative of organised crime, negligence, and the fragile underpinnings of the worldwide financial framework.
The documentary’s title choice, “Billion Dollar Heist,” is aptly emblematic of the hackers’ initial demand of $956 million spread across 36 transactions. However, due to serendipitous circumstances and some typographical errors, these cybercriminals could only lay their hands on $81 million.
“Billion Dollar Heist” is directed by Daniel Gordon, who relies on a panel of cyber security experts to walk viewers through the operation. It commences on 6 February 2016, the day the cyber-attack was discovered. An employee investigating a printer malfunction inadvertently discovers that the printer is the one responsible for generating transaction records from the Swift system – the global platform Bangladesh Bank uses to manage its funds held at the Federal Reserve in New York. The previous night, 34 transactions had been requested in the name of Bangladesh Bank, of which 4 were approved, funnelling $81 million to a Philippine bank and $20 million to Sri Lanka.
The heist’s execution mirrors a typical movie plot: a group of expert hackers, each fulfilling a specific role, devises a meticulous strategy. The previously mentioned CV serves as the initial step, a tactic termed “social engineering”: the attackers need an avenue for their malware to get in, much like constructing a pathway for a bug, and here the counterfeit CV was that conduit. According to the experts in the documentary, 36 employees received the email carrying the CV and three of them opened the attached PDF. The malware had swiftly found its nesting place.
Thereafter, the hackers embarked on the digging process – locating the requisite data and the specific computer linked to the Federal Reserve via Swift. This phase was where they were most exposed: they spent nearly a year moving from one computer to another in search of the target machine, and they could well have been detected had the cyber security measures been up to the mark. This faulty security was itself a key reason for targeting the central bank of Bangladesh. The bank’s susceptibility was amplified by its interconnected IT network, built on inexpensive $10 switches, which let the hackers move between desktops unhindered and without leaving traces.
The hackers’ eureka moment arrived on 29 February 2016, when they finally pinpointed the computer interacting with the Swift banking system. They shrewdly chose the weekend of Chinese New Year, which fell on the following Monday. They had done their homework: Friday was the weekend in Muslim-majority Bangladesh, New York would be closed on Saturday and Sunday, and Monday would be a holiday for the employees of RCBC Bank in Manila, where, before the heist, the corrupt branch manager had opened four fraudulent bank accounts in the name of Chinese officials. It was a perfect four-day window: every party involved was in a different time zone, and even if the transactions were discovered midway, there was no effective way to stop the process or reach anyone involved.
At 8:34 pm Bangladesh time on a Thursday, the hackers breached the Swift system. The initial attempt to transfer $22 million via the Federal Reserve was marred by formatting errors and rejected. They filed another request with proper formatting, and after 4 hours they had done it: $22 million had been transferred to RCBC Bank in Manila. Further requests followed at hourly intervals, but in most cases spelling errors, naming issues and documentation mismatches prevented them from extracting everything they wanted. Meanwhile, all transaction printing devices had been disabled, erasing the transaction trail.
Before dawn on Saturday, a total of $101 million had been illicitly obtained, $84 million of it directed to RCBC Bank, whose branch manager was also involved in the heist. As Saturday dawned, Bangladesh Bank employees discovered the printer malfunction and called in a technician. Once the issue was rectified, transaction records began printing automatically, revealing the overnight transactions. Perplexity turned into realisation as the puzzle unravelled piece by piece.
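The account above shows three warning signs that a bank's monitoring could have acted on before the money left: payment instructions issued late on a Thursday night and into the Friday weekend, a burst of large instructions at hourly intervals, and a printer that had silently stopped producing the paper confirmations that every instruction should generate. The following script is an added example, not code from the documentary or from any bank or Swift software; it runs three such checks over a constructed set of outbound payment records and a constructed list of printed confirmations. The business-hours window, the weekend days, the burst threshold and the 15-minute confirmation grace period are assumed policy values chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta


@dataclass
class Instruction:
    """One outbound payment instruction as the sending bank logged it."""
    ref: str
    sent_at: datetime        # local time at the sending bank
    amount_usd: float
    beneficiary: str


@dataclass(frozen=True)
class Policy:
    """Assumed monitoring policy; every value here is an illustrative assumption."""
    business_start: time = time(9, 0)
    business_end: time = time(17, 0)
    weekend_days: frozenset = frozenset({4, 5})   # Friday=4, Saturday=5 (assumed weekend)
    holidays: frozenset = field(default_factory=frozenset)  # set of date objects
    burst_window: timedelta = timedelta(hours=4)  # instructions this close together ...
    burst_count: int = 4                          # ... in at least this number form a burst
    ack_grace: timedelta = timedelta(minutes=15)  # printed confirmation expected within this


def outside_business_hours(ins: Instruction, policy: Policy) -> bool:
    """True if the instruction was issued on a weekend, a holiday, or outside office hours."""
    d = ins.sent_at
    return (d.weekday() in policy.weekend_days
            or d.date() in policy.holidays
            or not (policy.business_start <= d.time() < policy.business_end))


def burst_refs(instructions: list, policy: Policy) -> set:
    """Refs of every instruction inside any sliding window holding >= burst_count instructions."""
    ordered = sorted(instructions, key=lambda i: i.sent_at)
    flagged = set()
    for idx, start in enumerate(ordered):
        window = [x for x in ordered[idx:] if x.sent_at - start.sent_at <= policy.burst_window]
        if len(window) >= policy.burst_count:
            flagged.update(x.ref for x in window)
    return flagged


def unacknowledged(instructions: list, printed_refs: set, now: datetime, policy: Policy) -> set:
    """Refs whose paper confirmation never appeared after the grace period: the audit channel is broken."""
    return {i.ref for i in instructions
            if i.ref not in printed_refs and now - i.sent_at > policy.ack_grace}


def review(instructions: list, printed_refs: set, now: datetime, policy: Policy) -> dict:
    """Map each suspicious ref to its sorted list of reasons: 'after-hours', 'burst', 'unprinted'."""
    bursts = burst_refs(instructions, policy)
    unprinted = unacknowledged(instructions, printed_refs, now, policy)
    alerts = {}
    for ins in instructions:
        reasons = []
        if outside_business_hours(ins, policy):
            reasons.append("after-hours")
        if ins.ref in bursts:
            reasons.append("burst")
        if ins.ref in unprinted:
            reasons.append("unprinted")
        if reasons:
            alerts[ins.ref] = reasons
    return alerts


# Constructed sample data: one legitimate weekday transfer, then a Thursday-night
# instruction followed by an hourly series into the Friday weekend. Amounts and refs are made up.
SAMPLE_INSTRUCTIONS = [
    Instruction("PAY006", datetime(2016, 2, 3, 10, 15), 1_500_000, "CORRESPONDENT-A"),
    Instruction("PAY001", datetime(2016, 2, 4, 20, 34), 22_000_000, "BENEFICIARY-X"),
    Instruction("PAY002", datetime(2016, 2, 5, 0, 40), 22_000_000, "BENEFICIARY-X"),
    Instruction("PAY003", datetime(2016, 2, 5, 1, 40), 30_000_000, "BENEFICIARY-X"),
    Instruction("PAY004", datetime(2016, 2, 5, 2, 40), 20_000_000, "BENEFICIARY-Y"),
    Instruction("PAY005", datetime(2016, 2, 5, 3, 40), 7_000_000, "BENEFICIARY-X"),
]
PRINTED_REFS = {"PAY006"}                      # only the weekday transfer ever printed
REVIEW_TIME = datetime(2016, 2, 6, 8, 0)       # Saturday morning, when the review runs
POLICY = Policy()


def run_sample() -> dict:
    """Run the review over the constructed sample and return the alert map."""
    return review(SAMPLE_INSTRUCTIONS, PRINTED_REFS, REVIEW_TIME, POLICY)


if __name__ == "__main__":
    for ref, reasons in sorted(run_sample().items()):
        print(f"{ref}: {', '.join(reasons)}")
```

The point of the third check is that a missing confirmation is itself an alert, not merely a printer fault to be fixed later: an audit channel that goes quiet while instructions are still being sent should stop the flow until someone has reconciled what was sent against what was confirmed.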
Monday brought more revelations: Bangladesh Bank scrutinised 8 hours of CCTV footage and conducted an internal audit. Simultaneously, the Manila bank converted dollars to pesos, with the branch manager directly handling the cash transfer. The funds were destined for a VIP casino lounge, where they were laundered over two days through fixed blackjack games and poker tables.
By the time Bangladesh Bank grasped the gravity of the situation, the money had vanished, the culprits remained concealed, and the sole conviction was of the tainted branch manager, Maia Santos Deguito. She faced multiple counts of money laundering and received sentences ranging from 4 to 7 years on each count. In a surprising turn, RCBC counter-sued Bangladesh Bank on 12 March 2019, alleging extortion, defamation, harassment, and threat-based schemes, although the case was later dropped.
The documentary experts attribute the hack to the “Lazarus” hacking group, purportedly operating on behalf of nations grappling with economic sanctions and embargoes. This group’s distinct coding patterns were also detected in the 2014 cyber-attack on Sony Pictures Entertainment, indicating their involvement.
The documentary’s message is clear: the audacious robbery exposes vulnerabilities in supposedly secure global financial systems. Cyber warfare now reigns supreme, with countries like Bangladesh, lacking expertise and resources, enduring daily cyber threats. From local banks to national central banks, vulnerable servers underpin every facet of the financial apparatus. Bangladesh was targeted due to its susceptibility, and this trend shows no signs of abating. The world must address these matters robustly, as delicate handling is inadequate. Collaborative efforts by global institutions are imperative, extending vital resources to partners to fortify their security.
The writer, Nazmul Haque, is an Edge Associate at TBS and a graduate of the National Institute of Textile Engineering and Research (NITER). You can contact him at [email protected]