The 2016 cyber-attack on the Bangladesh Central bank was not the first attack of its kind. In this cyber heist, thieves tried to illegally transfer US$951 million to several fictitious bank accounts around the world. In 2013, the Sonali Bank of Bangladesh was also successfully targeted by hackers who were able to cart away US$250,000. In 2015, two other hacking attempts were recorded, a $12 million theft from Banco del Austro in Ecuador in January and an attack on Vietnam's Tien Phong Bank in December that was not successful. In all these cases, the perpetrators are suspected to have been aided by insiders within the targeted banks, who assisted in taking advantage of weaknesses within the SWIFT global payment network.
In 2012, the Philippines loosened restrictions on its gambling industry despite opposition from the Catholic Church. After the country's gambling industry benefited from Chinese paramount leader Xi Jinping's campaign against corruption, which drove gamblers further south of Macau, its casinos lobbied against a 2012 amendment by the Philippine Senate of the 2001 Anti-Money Laundering Act that required them to report suspicious transactions. Senate President Juan Ponce Enrile had lobbied for the inclusion of casinos in the scope of the law. At that time, big casino firms in the Philippines such as the City of Dreams had not yet been established.
Capitalizing on weaknesses in the security of the Bangladesh Central Bank, including the possible involvement of some of its employees, perpetrators attempted to steal $951 million from the Bangladesh central bank's account with the Federal Reserve Bank of New York sometime between February 4–5 when Bangladesh Bank's offices were closed. The perpetrators managed to compromise Bangladesh Bank's computer network, observe how transfers are done, and gain access to the bank's credentials for payment transfers. They used these credentials to authorise about three dozen requests to the Federal Reserve Bank of New York to transfer funds from the account Bangladesh Bank held there to accounts in Sri Lanka and the Philippines.
Thirty transactions worth $851 million were flagged by the banking system for staff review, but five requests were granted; $20 million to Sri Lanka (later recovered), and $81 million lost to the Philippines, entering the Southeast Asian country's banking system on February 5, 2016. This money was laundered through casinos and some later transferred to Hong Kong.
The $20 million transfer to Sri Lanka was intended by hackers to be sent to the Shalika Foundation, a Sri Lanka-based private limited company. The hackers misspelled "Foundation" in their request to transfer the funds, spelling the word as "Fundation". This spelling error gained suspicion from Deutsche Bank, a routing bank which put a halt to the transaction in question after seeking clarifications from Bangladesh Bank.
Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting the transaction as too big for a country like Sri Lanka. Pan Asia Bank was the one which referred the anomalous transaction to Deutsche Bank. The Sri Lankan funds have been recovered by Bangladesh Bank.
The money transferred to the Philippines was deposited in five separate accounts with the Rizal Commercial Banking Corporation (RCBC); the accounts were later found to be under fictitious identities. The funds were then transferred to a foreign exchange broker to be converted to Philippine pesos, returned to the RCBC and consolidated in an account of a Chinese-Filipino businessman; the conversion was made from February 5 to 13, 2016. It was also found that the four U.S. dollar accounts involved were opened at the RCBC as early as May 15, 2015, remaining untouched until February 4, 2016, the date the transfer from the Federal Reserve Bank of New York was made.
In February 8, 2016, during the Chinese New Year, Bangladesh Bank through SWIFT informed RCBC to stop the payment, refund the funds, and to "freeze and put the funds on hold" if the funds had already been transferred. Chinese New Year is a non-working holiday in the Philippines and a SWIFT message from Bangladesh Bank containing similar information was received by RCBC only a day later. By this time, a withdrawal amounting to about $58.15 million had already been processed by RCBC's Jupiter Street (in Makati City) branch.
On February 16, the Governor of Bangladesh Bank requested Bangko Sentral ng Pilipinas' assistance in the recovery of its $81 million funds, saying that the SWIFT payment instructions issued in favor of RCBC on February 4, 2016 were fraudulent.
Initially, Bangladesh Bank was uncertain if its system had been compromised. The governor of the central bank engaged World Informatix Cyber Security, a US based firm, to lead the security incident response, vulnerability assessment and remediation. World Informatix Cyber Security brought in the leading forensic investigation company Mandiant, a FireEye company, for the investigation. These cyber security experts found "footprints" and malware of hackers, which suggested that the system had been breached. The investigators also said that the hackers were based outside Bangladesh. An internal investigation has been launched by Bangladesh Bank regarding the case.
The Bangladesh Bank's forensic investigation found out that malware was installed within the bank's system sometime in January 2016, and gathered information on the bank's operational procedures for international payments and fund transfers.
The investigation also looked into an unsolved 2013 hacking incident at the Sonali Bank, wherein US$250,000 was stolen by still unidentified hackers. According to reports, just as in the 2016 Central Bank hack, the theft also used fraudulent fund transfers using the SWIFT International Payment Network. The incident was treated by Bangladeshi police authorities as a cold-case until the suspiciously similar 2016 Bangladesh Central Bank heist.
The Philippines' National Bureau of Investigation (NBI) launched a probe and looked into a Chinese-Filipino who allegedly played a key role in the money laundering of the illicit funds. The NBI is coordinating with relevant government agencies including the country's Anti-Money Laundering Council (AMLC). The AMLC started its investigation on February 19, 2016 of bank accounts linked to a junket operator. AMLC has filed a money laundering complaint before the Department of Justice against a RCBC branch manager and five unknown persons with fictitious names in connection with the case.
A Philippine Senate hearing was held on March 15, 2016, led by Senator Teofisto Guingona III, head of the Blue Ribbon Committee and Congressional Oversight Committee on the Anti-Money Laundering Act. A closed-door hearing was later held on March 17. Philippine Amusement and Gaming Corporation (PAGCOR) has also launched its own investigation. In August 12, 2016, RCBC was reported to have paid half of the P1 billion penalty imposed by the Central Bank of the Philippines. Prior to that, the bank reorganized its board of directors by increasing the number of independent directors to 7 from the previous 4.
FireEye's Mandiant forensics division and World Informatix Cyber Security, both US-based companies, are investigating the hacking case. According to investigators, the perpetrators' familiarity with the internal procedures of Bangladesh Bank was probably gained by spying on its workers. In a separate report, the US Federal Bureau of Investigation (FBI) says that Agents have found evidence pointing to at least one bank employee acting as an accomplice, with evidence pointing to several more people as possibly assisting hackers in navigate the Bangladesh Bank’s computer system. The government of Bangladesh is considering suing the Federal Reserve Bank of New York in a bid to recover the stolen funds.
Computer security researchers have linked the theft to as many as eleven other attacks, and alleged that North Korea had a role in the attacks, which, if true, would be the first known incident of a state actor using cyberattacks to steal funds.
The Rizal Commercial Banking Corporation said it did not tolerate the illicit activity in the RCBC branch involved in the case. Lorenzo V. Tan, RCBC's president, said that the bank cooperated with the Anti-Money Laundering Council and the Bangko Sentral ng Pilipinas regarding the matter. Tan's legal counsel has asked the RCBC Jupiter Street branch manager to explain the alleged fake bank account that was used in the money laundering scam.
The RCBC's board committee also launched a separate probe into the bank's involvement in the money laundering scam. RCBC president Lorenzo V. Tan filed an indefinite leave of absence to give way to the investigation by the authorities on the case. On May 6, 2016, despite being cleared of any wrongdoing by the bank's internal investigation, Tan resigned as President of RCBC to "take full moral responsibility" for the incident. Helen Yuchengco-Dee, daughter of RCBC founder Alfonso Yuchengco, will take over the bank's operations. The bank also apologized to the public for its involvement in the heist.
Bangladesh Bank chief governor Atiur Rahman resigned from his post amid the current investigation of the heist and money laundering. He submitted his resignation letter to Prime Minister Sheikh Hasina on March 15, 2016. Before the resignation was made public, Rahman stated that he would resign for the sake of his country.
On August 5, 2016, the Bangko Sentral ng Pilipinas approved a ₱1 billion (~US$52.92 million) fine against RCBC for its non-compliance with banking laws and regulations in connection with the bank heist. This is the largest monetary fine ever approved by BSP against any institution. RCBC stated that the bank will comply with the BSP's decision, and will pay the imposed fine.
The incident shows the risks that banks connected to the SWIFT system are exposed to as a result of the security vulnerabilities of other member banks. By breaching the Bangladesh Central Bank's security firewalls, hackers were able to hack the system and transfer the funds through the established global banking networks almost undetected. The failure of the Bangladeshi government to build adequate safeguards for its financial system became the starting point for a global, multi-million money laundering scheme whose effect was felt beyond the country's borders.
The case threatens the reinstatement of the Philippines to the blacklist, by the Financial Action Task Force on Money Laundering, of countries making insufficient efforts against money laundering. Attention was given to a potential weakness of Philippine authorities' efforts against money laundering after lawmakers in 2012 managed to exclude casinos from the roster of organizations required to report to the Anti-Money Laundering Council regarding suspicious transactions.
The case also highlights the threat of cyber attacks to both government and private institutions by cyber criminals using real bank codes to make orders look genuine. SWIFT has advised banks using the SWIFT Alliance Access system to strengthen their cyber security posture and ensure they are following SWIFT security guidelines. Bangladesh is reportedly the 20th most cyber-attacked country, according to a cyber threat map developed by Kaspersky Lab, which runs in real time.