Explained: How North Korean Hackers Stole $81 Million From Bangladesh Bank In 2016

This week, the BBC released an investigative report detailing how in 2016 North Korean hackers planned a billion-dollar raid on Bangladesh’s national bank and were almost entirely successful. The cyber-robbery, known as the Bangladesh Bank Heist, showed how hackers navigate the global banking system, using administrative loopholes to execute a well-planned attack aimed at transferring millions of dollars. It was one of the greatest cyberheists in the world.

The Bangladesh Bank heist: how the robbery happened

The BBC investigation indicates that the attack took place between February 4 and 7, 2016. The timing had been carefully planned to take advantage of the time difference between Dhaka and New York, of the working hours in the two cities, and of the fact that the weekend falls on different days in each, around the date of the breach.

The hackers, who U.S. investigative agencies believe to be linked to North Korea, used fraudulent orders on the SWIFT payment system in an attempt to steal $951 million, almost all of the money in the account, from the Bangladesh central bank’s account at the Federal Reserve Bank in New York. They managed to steal $81 million, which was transferred to accounts at the Manila-based Rizal Commercial Banking Corporation.

So how did hackers actually infiltrate Bangladesh Bank’s systems?

BBC reports point to an ordinary office printer located in a “highly secure room on the 10th floor of the bank’s main office in Dhaka” that is said to have malfunctioned. This printer was specifically used to print out multi-million dollar bank transaction reports. On February 5, 2016, bank staff discovered that the printer was not working but assumed it was a technical issue, which happened quite often.

The BBC report says investigations later revealed that this faulty printer was the first indication that hackers had broken into Bangladesh Bank’s computer systems to steal $1 billion. “When the bank staff restarted the printer, they received some very disturbing news. Urgent messages had come through from the Federal Reserve Bank of New York – the “Fed” – where Bangladesh maintains an account in US dollars. The Fed had received instructions, apparently from the Bangladesh Bank, to empty the entire account – nearly $1 billion,” the BBC report said.

Bank staff immediately tried to contact the Federal Reserve Bank in New York for more information, but were unable to get through. Indeed, by the time the hackers started their work on February 4 at around 8:00 p.m. Bangladesh time, it was morning in New York City. The next day, February 5, was a Friday, according to the report, the start of the weekend in Bangladesh, when the Bangladesh Bank headquarters in Dhaka were officially closed. By the time the hack was discovered in Dhaka, it was already the start of the weekend in New York, when the offices there were closed.

The detailed planning of the hack was evident when investigations revealed that the hackers had intentionally chosen that specific week in February 2016 to perform their hack. This weekend also marked the start of the Lunar New Year in East and Southeast Asia. So, on Monday February 8, when the money was transferred to banks in Manila, it coincided with the start of a big national holiday there.

“By exploiting the time differences between Bangladesh, New York and the Philippines, the hackers had designed a clear five-day race to recover the money,” the BBC report explains.

The report also looked at how the hackers managed to gain access to the printer in the secure room at Bangladesh Bank. This happened almost a year before the actual hack, according to the report. “They had plenty of time to plan all of this, as it turns out that the Lazarus group had been hiding in the computer systems of Bangladesh Bank for a year.”

“In January 2015, an apparently innocuous email was sent to several employees of the Bank of Bangladesh. It came from a job seeker calling himself Rasel Ahlam. His polite request included an invitation to download his resume and cover letter from a website. In reality, Rasel did not exist – he was simply a cover name used by the Lazarus Group, according to FBI investigators,” the report said.

“At least one person inside the bank fell into the trap, downloaded the documents and was infected with the viruses hidden inside. Once inside the bank’s systems, the Lazarus Group began to stealthily jump from computer to computer, heading for the digital safes and the billions of dollars they held.”

The actual emptying of the accounts did not take place until a year later, according to the report, as the hackers prepared the next steps, planning how to withdraw the money in such a way that it could not be recovered.

The BBC investigation attempted to piece together the sequence of events after the money was transferred to the Manila banks and just before it was withdrawn. “The RCBC Bank branch in Manila to which the hackers attempted to transfer $951 million was on Jupiter Street. There are hundreds of banks in Manila that the hackers could have used, but they chose this one – and the decision cost them hundreds of millions of dollars,” the BBC investigation says.

“Transactions… were blocked at the Fed because the address used in one of the orders included the word ‘Jupiter’, which is also the name of a sanctioned Iranian transport vessel.”

This led to an automatic review of the payment transfers, which were halted because of the sanctions in place. But the BBC investigation explains that not all transfers were automatically stopped: “Five deals, worth $101 million, cleared this hurdle.” The hackers would still have had access to the full $101 million, not a small amount, even if it was not what they had originally planned.

As the investigation explains, of the $101 million, “$20 million was transferred to a Sri Lankan charity called the Shalika Foundation, which had been lined up by the hackers’ accomplices as a channel for the stolen money”. But that transfer was also halted because the hackers inadvertently made a spelling mistake, writing “Fundation” instead of “Foundation” when filling in the name of the Sri Lankan charity. This meant that the hackers only managed to transfer $81 million.
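The two controls that stopped most of the transfers, a sanctions keyword match on the word “Jupiter” and a beneficiary name that did not match the account on file, are ordinary payment-screening checks. The following script is an added example written for this article, not code from the BBC, the Fed, RCBC or the article’s author; it shows, in simplified form, how such a screening pass treats a batch of transfer orders. The watchlist, the instruction records, the reference numbers, amounts and addresses are all constructed for illustration, and the similarity threshold is an assumed value, not one any bank is known to use.

```python
"""Added example: a simplified payment-screening pass (not the BBC's, the
Fed's or RCBC's code). Two controls are modelled:

1. A watchlist keyword check over beneficiary name and address. In the heist
   the token "Jupiter" in an address matched a sanctioned vessel's name and
   the affected transfers were held for review.
2. A beneficiary-name consistency check. "Shalika Fundation" did not match
   the account holder on file, so that transfer was stopped.

Everything below (watchlist, instructions, amounts, addresses) is constructed.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed watchlist. A real screening engine loads full sanctions lists
# (vessels, entities, individuals); one token is enough for this example.
WATCHLIST = {"jupiter"}


@dataclass
class PaymentInstruction:
    ref: str                  # constructed reference number
    amount_usd: int
    beneficiary_name: str     # name as written in the transfer order
    beneficiary_address: str  # address as written in the transfer order
    account_holder: str       # name the receiving bank holds for the account


def normalize(text: str) -> str:
    """Lower-case and keep only alphanumeric tokens separated by single spaces."""
    return " ".join(re.findall(r"[a-z0-9]+", text.lower()))


def watchlist_hits(instr: PaymentInstruction) -> list[str]:
    """Watchlist tokens found anywhere in the beneficiary name or address."""
    fields = instr.beneficiary_name + " " + instr.beneficiary_address
    return sorted(set(normalize(fields).split()) & WATCHLIST)


def name_similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1]; 1.0 means the normalized names are identical."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(instr: PaymentInstruction, near_match_threshold: float = 0.85) -> tuple[str, str]:
    """Return (decision, reason) where decision is HOLD, REJECT or CLEAR.

    The threshold is an assumed value chosen for this example.
    """
    hits = watchlist_hits(instr)
    if hits:
        # Anything touching a watchlist token goes to a human sanctions review.
        return "HOLD", f"watchlist token(s) in beneficiary fields: {', '.join(hits)}"
    sim = name_similarity(instr.beneficiary_name, instr.account_holder)
    if sim == 1.0:
        return "CLEAR", "beneficiary name matches account holder"
    if sim >= near_match_threshold:
        # A near-miss such as a one-letter typo is suspicious, not just wrong:
        # hold it for review rather than silently rejecting it.
        return "HOLD", f"near-match to account holder (similarity {sim:.2f})"
    return "REJECT", f"beneficiary does not match account holder (similarity {sim:.2f})"


def screen_batch(batch: list[PaymentInstruction]) -> dict[str, tuple[str, str]]:
    """Screen every instruction and map its reference to the decision."""
    return {instr.ref: screen(instr) for instr in batch}


# Constructed sample batch: none of these are the real transfer orders.
SAMPLE_BATCH = [
    PaymentInstruction("TX-001", 30_000_000, "Example Trading Co",
                       "12 Jupiter Street, Makati City", "Example Trading Co"),
    PaymentInstruction("TX-002", 20_000_000, "Shalika Fundation",
                       "Colombo", "Shalika Foundation"),
    PaymentInstruction("TX-003", 25_000_000, "Example Holdings Inc",
                       "Ortigas Center, Pasig", "Example Holdings Inc"),
    PaymentInstruction("TX-004", 26_000_000, "Totally Different Ltd",
                       "Cebu City", "Another Company"),
]

if __name__ == "__main__":
    for ref, (decision, reason) in screen_batch(SAMPLE_BATCH).items():
        print(f"{ref}: {decision} ({reason})")
```

Run as a script, the batch yields one hold on the address keyword, one hold on the near-match spelling, one clear and one reject. The design point is that a near-match name is routed to a human rather than being treated like any other mismatch: a single-character difference from a legitimate account name is exactly what a mule account set up in a hurry looks like.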


Bangladesh Bank Recovery Attempts

Even before the BBC’s 2019 investigation, investigative agencies had confirmed that the money was withdrawn from the Manila banks, after which it disappeared into the Philippines casino industry. The report looks at the complex money-laundering process, with Manila casinos as its destination, that the hackers used to break the chain of custody.

“The idea of using the casinos was to break the chain of custody. Once the stolen money was converted into casino chips, played on the tables and turned back into cash, it would be nearly impossible for investigators to find it,” the report said.

Within hours, the Bangladesh Bank realized that the massive theft had taken place and began taking steps to recover the money, a process that was going to be very difficult.

They were able to trace the money to the Manila casinos and recovered $16 million from a single man, according to the BBC report. But the remaining $34 million had already disappeared. Investigators found that much of the remaining money was sent to Macau, another gambling hotspot, from where it was transferred to North Korea. Investigators also found that most of the hackers involved in the cyber-heist, and in other similar operations that the United States considers cybercrimes, were based in Chinese towns near the China-Korea border.

Pursuing the money

In 2018, the FBI filed a criminal complaint accusing Park Jin Hyok, a North Korean citizen, “for his involvement in a conspiracy to carry out multiple destructive cyber attacks around the world, resulting in damage to massive amounts of computer hardware and significant loss of data, money and other resources,” according to public documents released by the US Department of Justice.

The complaint accused Park of working for the North Korean government and engaging in “malicious activity” which “includes the creation of the malware used in the WannaCry 2.0 global ransomware attack in 2017; the theft of $81 million in 2016 from the Bangladesh Bank; the 2014 attack on Sony Pictures Entertainment (SPE); and numerous other attacks or intrusions in the entertainment, financial services, defense, technology and virtual currency industries, universities and electric utilities.”

At that time, First Assistant United States Attorney Tracy Wilkison said that “the complaint accuses members of this North Korean conspiracy of being responsible for cyber attacks which have caused unprecedented economic damage and disruption to companies in the United States and around the world.”

In 2019, Bangladesh filed a lawsuit in a US court against Rizal Commercial Banking Corp (RCBC) over the Philippine bank’s alleged role in the heist. RCBC has counter-sued Bangladesh Bank, claiming that its reputation was the subject of a “vicious and public attack” backed by the bank, and is seeking at least $1.9 million in damages. The New York Federal Reserve has pledged to help Bangladesh recover the money, but the process continues with little progress.

Days after the heist, Bangladesh Finance Minister AMA Muhith asked Atiur Rahman, the governor of the Bangladesh Bank under whose leadership the heist took place, to resign. The cyber-heist had greatly embarrassed the government of Bangladesh.

Bangladesh and North Korea share bilateral relations, and North Korea has an embassy in Dhaka. The Bangladesh Embassy in China represents the country in both Beijing and Pyongyang.