Card Not Present Fraud , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Bangladesh Bank Sues to Recover Funds After Cyber Heist

New York Fed Provides Technical Assistance Aimed at Recovering Lost $81 Million

Bangladesh Bank headquarters in Dhaka (via Google Street View)

Bangladesh Bank has filed suit in New York federal court in an attempt to recover $81 million stolen via one of the biggest online bank heists in history. The New York Federal Reserve is supporting the lawsuit, including providing technical assistance. But the Philippine bank the lawsuit targets has dismissed the case as a "political stunt" designed to shift blame.

See Also: Live Webinar | Leveraging AI in Next Generation Cybersecurity

The central bank of Bangladesh's lawsuit accuses Rizal Commercial Banking Corporation in the Philippines, as well as various other organizations and dozens of individuals, with being part of a conspiracy aimed at stealing nearly $1 billion from its New York Federal Reserve account.

Attackers planted malware on Bangladesh Bank's systems, using it to issue fraudulent messages via the SWIFT inter-bank messaging system in February 2016. The attack resulted in the theft of $101 million, of which $81 million remains missing.

An investigation conducted by the U.S. Department of Justice concluded that the funds were moved to four accounts controlled by Manila-based RCBC before they were dispersed into the country's casinos. All of the accounts appeared to have been registered using fictitious names (see: Report: DOJ Sees Bangladesh Heist Tie to North Korea).

Bangladesh Bank's lawsuit

Bangladesh Bank has blamed North Korean hackers for helping to steal the money and move it abroad, including to the Philippines.

"The conspiracy was seamless, with every complicated step plotted out in advance," according to Bangladesh Bank's lawsuit, filed Thursday in the U.S. District Court for the Southern District of New York. "The hackers that broke into the bank's systems and caused the fraudulent payment instructions to be delivered to the New York Fed used malicious computer malware to access necessary servers; retrieve files and data; create files; change file names; steal credentials and login information, including to the SWIFT system; erase key files and histories; and digitally cover their tracks."

Hackers Used Fedwire

The New York Fed's Fedwire system, which is designed to instantaneously transfer large-dollar amounts, was allegedly a key part of the attackers' scheme.

"Use of the Fedwire system in New York was critical to the conspiracy, as it allowed the thieves to quickly transfer the funds to the intermediary banks," according to the lawsuit. "From there, the intermediary banks, through RCBC's correspondent accounts, quickly transferred the stolen funds out of New York City and the United States to fictitious U.S. dollar accounts in the Philippines, which RCBC created nearly a year earlier to receive the stolen funds from New York."

The New York Fed is providing technical assistance to Bangladesh Bank as part of a resolution and assistance agreement.

"This agreement demonstrates that the New York Fed and Bangladesh Bank are aligned in the pursuit of recovering the funds and directing litigation against those who were complicit in or benefited from the fraud," the organizations say in a joint statement. The agreement includes the Fed committing to "meeting jointly with the relevant agencies or parties in the Philippines to strongly encourage them to assist in the recovery of stolen funds."

But RCBC's attorney, Tai-Heng Cheng of the law firm Quinn Emanuel Urquhart & Sullivan, has dismissed the lawsuit as being "nothing more than a political stunt" via which the bank is attempting to shift the blame for its information security failings to RCBC.

"This is nothing more than a thinly veiled PR campaign disguised as a lawsuit," said the New York-based attorney, adding that the lawsuit was "completely baseless" and shouldn't be allowed to stand. "Not only are the allegations false, they don't have the right to file here since none of the defendants are in the United States."

Jurisdiction Question

Indeed, it's unclear whether the court has jurisdiction over this case or if U.S. law can be applied (see: Fighting U.S. Card Data Fraud Overseas).

The suit "emphasizes how the New York Fed and the Fedwire system fit into the hackers' scheme, and [their] importance to the United States financial system. But otherwise, much of the conduct alleged in the complaint took place overseas," Peter Jaffe, a senior associate at Washington-based law firm Freshfields Bruckhaus Deringer US LLP, tells Reuters. "The hack is alleged to have occurred between North Korea and Bangladesh; much of the subsequent money laundering occurred outside the United States."

After Heist, Regulator Fined RCBC

But the central bank of the Philippines, Bangko Sentral ng Pilipinas, or BSP, has found that RCBC was not blameless.

In August 2016, after concluding its own investigation into the heist, the central bank hit RCBC with a record fine of 1 billion pesos - at the time, equivalent to $21.3 million. It noted that the penalty represented "the largest amount ever approved as part of its supervisory enforcement actions on a BSP-supervised financial institution."

In December 2016, former Bangladesh central bank governor Mohammed Farashuddin told Reuters that a government-appointed panel investigating the heist blamed, in part, five low-level and mid-level officials at RCBC (see: Bangladesh Bank Heist Probe Finds 'Negligent' Insiders).

RCBC Bank Manager Found Guilty

On Jan. 10, a trial court in the Philippines found former RCBC bank manager Maia Santos Deguito guilty of eight counts of money laundering and fined her $109 million. She faces a prison sentence of up to 56 years.

Investigators in the Philippines had quickly focused on Deguito, who was the manager of the RCBC branch into which the stolen money was deposited, shortly after the $81 million theft came to light. She has continued to deny any wrongdoing.

But one of Deguito's former colleagues, testifying before a March 2016 Senate hearing in Manila, reported seeing her driving off in her car with 20 million pesos ($380,000) in cash, which came from one of the accounts into which the stolen bank funds were transferred, Reuters reported (see: Bangladesh Bank Attackers Hacked SWIFT Software).

Deguito's attorney, Demetrio Custodio, said his client plans to appeal.

"We were pointing out to the court that Maia could not have acted on this because her position at the bank was one of customer care and therefore she had no function that will relate to the operation of banking transactions," Custodio told Philippine news outlet ABS-CBN last month.

TINGNAN: Bahagi ng pasya ng Makati RTC 149 sa kasong money laundering laban kay dating RCBC-Jupiter branch Mgr. Maia Deguito, https://t.co/L2LPKDI3lo., kaugnay ng 2016 Bangladesh Bank cyber heist @DZMMTeleRadyo pic.twitter.com/YwR8PNMCsY — Dexter Ganibe (@dzmmRP45) January 10, 2019

"There should be more people who should be liable to this other than a very lowly bank officer who had nothing to do with operational matters," Custodio said.

Attack Exploited Fed Weaknesses

The Bangladesh Bank heist also highlighted operational weaknesses at the New York Fed, a 2016 investigation by Reuters found (see: Report: New York Fed Fumbled Cyber-Heist Response).

Notably, attackers timed their attack to occur on the evening of Feb. 4, 2016, a Thursday, which was the day before the weekend begins in Bangladesh. They also used malware that suppressed printouts of concerned messages sent by New York Fed officials after they saw suspicious transactions. When Bangladesh Bank officials spotted the activity on Saturday, Feb. 6, they attempted to contact the Fed via email, sending a message that read: "Our system has been hacked. Please stop all payment (debit) instructions immediately," according to the report.

But the New York Fed reportedly apparently didn't receive the message until the start of its workday on Monday morning, and it didn't inform Bangladesh Bank that it had alerted correspondent banks to the fraud until Monday evening, New York time.

In the wake of the attack, The New York Fed reportedly set up a 24x7 telephone hotline for the roughly 250 foreign and central banks and governments for which it holds about $3 trillion in dollar-denominated assets.