A group of daring masters of deception hacked into Bangladesh's central bank and used stolen credentials to transfer $81 million from the country's account at the New York Federal Reserve to the Philippines, then disappeared with the loot.
The heist occurred over a month ago but wasn't disclosed until last week. On Tuesday, Bangladesh Bank Governor Atiur Rahman resigned amid ever-expanding fallout from the theft. The federal reserve here has denied any responsibility, saying that the security breach happened on the South Asian nation's end.
The purse could have been much bigger—the thieves had initiated transfer requests for $950 million—had someone not misspelled a word in one request, causing intermediary Deutsche Bank to call Bangladesh to make sure the money movement was legit.
The heist was set in motion over a weekend in early February, when Bangladesh Bank was closed. Hackers breached the bank's systems and stole payment transfer logins, then used the information to send nearly three dozen transfer requests to the Federal Reserve Bank of New York, seeking to send the nearly $1 billion to various entities in the Philippines and Sri Lanka.
We're not clear on how one withdraws $81 million from a bank of this size, but it probably helps when the security cameras are disabled. (Google Maps)
Four of those requests went through, all to the Philippines, but a fifth, seeking $20 million for a Sri Lankan nonprofit called the Shalika Foundation, was flagged because whoever filled out the form misspelled "foundation" as "fandation." (Reuters reports that there is no Shalika Foundation registered in Sri Lanka.) The Federal Reserve, meanwhile, said that it flagged the transfers for Bangladesh due to the unusual number of transfers to private organizations, but apparently not in time to stop the haul from flowing out of a bank branch in the Philippines.
The money was consolidated into one account at the Philippines' RCBC bank, and on February 9th, four people went to a branch in Makati City, just outside of Manila, and withdrew the whole $81 million. Conveniently, as a bank official told the Philippine senate on Monday, the bank's camera's were "not functioning" at the time. Subsequent investigation revealed that the bank accounts had been opened using fake driver's licenses, and visits to the employers and addresses listed on the account documents showed those were also bogus.
From there, the money made its way to a money changer, who sent $30 million in dollars and Philippine pesos to a Chinese man who runs junkets for big-money casino patrons, $29 million to an account of a nearby casino resort called Solaire, and $21 million to the account of a Philippine gambling company called Eastern Hawaii Leisure co. A spokesperson for Solaire's parent company told Reuters that the $29 million was transferred at the request of the junket operator, Weikang Xu, and exchanged for chips.
Teofisto Guingona, head of the Philippines Senate anti-corruption committee said they have hit a wall at the casinos.
"The paper trail ends there. That is the problem," he told the newswire service. "Right now we are at a dead end."
Presumably Xu has been a hard guy to track down.
The head of the money-changing company that helped convert the ill-gotten lucre to cash apologized and said she would give the commission for the job, the equivalent of $226,356, to Bangladesh.
An anti-money-laundering agency in the Philippines told the Philippine Senate it has frozen 44 accounts in connection with the investigation. Silicon Valley tech companies are consulting on the probe.