North Korean Lazarus hackers attempted a $1 billion heist on Bangladesh’s central bank and its people in 2016 and came within an inch of success – all but $81 million of the transactions were stopped by a fluke. But how could one of the world’s poorest and most isolated nations develop an elite squad of cybercriminals?
1) THE FAULTY PRINTER
Bangladesh, February 7, 2016. The director of the Bangladesh Central Bank took the elevator to the 9th level and went to the accounting and budgeting department’s back office, the most restricted area of the tower. It all began with a faulty printer. Printer trouble is simply a part of modern-day life, so when it happened, Bangladesh Bank employees thought: another day, another technical problem. It didn’t seem like a big issue. But this wasn’t an ordinary printer, and this wasn’t an ordinary bank.
Bangladesh Bank is the country’s central bank, in charge of the country’s valuable currency reserves. And the printer played a critical role in all of this. It was kept in a high-security room on the 10th floor of the bank’s main headquarters in Dhaka, Bangladesh’s capital. Its job was to print records of the multi-million-dollar transactions that came and went via the bank.
The printer was linked to the bank’s software and was meant to run around the clock, 24/7, printing out the bank’s transaction reports in real time. However, because of a technical issue the printer tray was still empty at 08:45 on Friday, February 5, 2016. “We thought it was a regular problem just like every other day,” duty manager Zubair Bin Huda later told authorities. “Such glitches had previously occurred.”
2) UNKNOWN TRANSACTIONS WORTH 1 BILLION DOLLARS
They managed to get the printer working, and the queued transaction reports began to emerge one by one. Something wasn’t right: there were far more statements than expected.
When they looked more closely they discovered 35 suspicious payment requests for insanely vast amounts of money, allegedly moved from Bangladesh Bank’s own account to several other accounts in other countries.
Surely no one at the bank had approved them, and the SWIFT security system in place was unbreakable. The scale of the problem dawned on the director as he sifted through the suspicious transfer requests: the transactions totaled almost a billion US dollars.
3) THE START OF THE CRIME
This happened in February 2016, but the events leading up to it began nine months earlier.
May 2015, the Philippines. Jupiter Street in Manila is a busy street. Four accounts were opened here by the hackers’ associates a few months before they gained access to Bangladesh Bank’s systems. There were several warning signs: the driver’s licenses used to open the accounts were fake, and the applicants all claimed to have the same job title and income while working for separate businesses. However, no one appeared to notice. While the hackers worked on other parts of the scheme the accounts sat inactive for months, their original $500 deposits undisturbed.
Now, back to Bangladesh, which is becoming one of the fastest-growing economies in the world. Its central bank sits in the financial district of Dhaka, a chaotic capital of almost 20 million people. Despite its rapid development, it is a country that could not afford to lose a billion dollars of public money.
4) HOW THE ROBBERS GOT INTO THE SYSTEM
A seemingly harmless email was sent to numerous Bangladesh Bank employees in January 2015. It came from a job applicant going by the name Rasel Ahlam. His polite inquiry included a link to a website where they could download his CV and cover letter. According to FBI investigators, Rasel did not exist; he was merely a cover name used by the Lazarus Group. At least one bank employee fell for the trick, downloaded the documents and became infected with the viruses they contained. Once inside the bank’s network, the Lazarus Group quietly jumped from computer to computer, working their way toward the digital vaults and the billions of dollars they held.
That’s precisely what they did, and from then on it was just a matter of time. A month later, on a Thursday, the bank was closing for the weekend, which in Muslim-majority nations like Bangladesh falls on Friday and Saturday rather than Saturday and Sunday.
5) BREAKING THE UNBREAKABLE SWIFT
The intruders entered the system once more, for the final time: this was what everything had been building toward. Being inside the network was one thing; manipulating international money transfers was another matter entirely.
As you may be aware, SWIFT is a worldwide payment network that lets banks transmit financial transactions safely and dependably, using military-grade security that is designed to be unbreakable. To be clear, SWIFT does not move real money itself; it carries trusted payment instructions between accounts, and the banks act on those instructions.
This is the accepted practice in international banking, and it is one of the reasons why bank hackers usually prefer to steal the login credentials of individual account holders rather than attack the banks themselves. But that wasn’t the case here, at least not for this gang.
The institution was their target. Using the bank’s legitimate SWIFT credentials, obtained via the virus, they were able to operate the SWIFT computers as if they were genuine bank personnel. Yes, SWIFT is safe and secure in and of itself. Still, each bank that uses it is responsible for its own cyber security.
If that security is insufficient, as it is in many poor countries, SWIFT can be turned against them. That is precisely what was happening here. Thirty-five fake transfer requests totaling $951 million were submitted to the Federal Reserve Bank of New York through SWIFT.
6) THE ROBBERS’ MASTERCLASS IN PLANNING
But why New York? Because Bangladesh Bank holds an account there with billions of dollars in foreign settlement deposits. The requests sent from Bangladesh asked for money to be transferred from New York to various accounts set up across Asia. I’ll come back to those.
For the hackers, that was it: in and out in a matter of hours. The next day, Friday, New York City, one of the world’s most important financial centers. Bangladesh’s so-called payment orders were processed by the Federal Reserve Bank of New York.
The Fed, known for its security, had no reason to halt the transactions, since SWIFT instructions are legitimate and trusted. So, unaware of the scam, it began processing the requests. Meanwhile, on Sunday morning, the Bangladesh Bank workers back from the weekend were still trying to fix their printer.
7) THE PROCESS OF TRANSFERRING FUNDS
In Sri Lanka, $20 million was transferred from the Federal Reserve Bank of New York to the Shalika Foundation’s account at Pan Asia Bank. Of course, this was only one of 35 transfers heading to Asia. In Bangladesh, the employees had finally gotten the printer to work and were going through the transfer requests.
Panic erupted as they discovered that 35 payment orders totaling almost one billion dollars had been issued. They immediately tried to submit a stop-payment order to the New York Fed. Still, it was a Sunday, and no one was available to respond. It would almost certainly be too late by the time the New York staff returned on Monday. Little did they know, they had caught a lucky break: the automatic system in New York had flagged 30 of the transactions for manual review.
By pure coincidence, one of the words on the SWIFT orders happened to match the name of a shipping firm that had been banned for violating US sanctions on Iran. This would prove disastrous for the hackers: transfers totaling $870 million were now held. When the team examined the situation more closely, they found further red flags: the unusually large number of payment instructions, and the significant transfers to private companies rather than banks.
At this point they had to seek clarification from Bangladesh, and once they learned of the stop-payment order, the transactions were cancelled. For those 30 orders, the game was up.
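The Fed’s automated review described above, as an added example that is not part of the original article: a simplified screening pass over a batch of payment orders that flags a keyword matching a sanctioned name, an unusually large batch, and big transfers to non-bank beneficiaries. The sanctions token, the order records, the amounts and the thresholds are all constructed for illustration.

```python
"""Added example (not from the article): a screening pass modelled on the red flags
in the text. Names, amounts, thresholds and the sanctions token are constructed."""
import re
from dataclasses import dataclass, field

@dataclass
class PaymentOrder:
    ref: str
    amount_usd: int
    beneficiary: str
    beneficiary_is_bank: bool
    free_text: str          # address / remittance details as transmitted

@dataclass
class ScreeningResult:
    batch_flags: list = field(default_factory=list)
    order_flags: dict = field(default_factory=dict)   # ref -> list of reasons

# Constructed placeholder token standing in for a sanctioned party's name.
SANCTIONED_TOKENS = {"EXAMPLECO"}
LARGE_NON_BANK_USD = 10_000_000   # threshold for a "significant" transfer

def tokens(text):
    """Upper-case word tokens, so 'ExampleCo Road' matches 'EXAMPLECO'."""
    return set(re.findall(r"[A-Z0-9]+", text.upper()))

def screen_batch(orders, typical_daily_orders):
    """Flag each order for manual review; batch_flags describe the batch as a whole."""
    result = ScreeningResult(order_flags={o.ref: [] for o in orders})
    # Red flag 1: far more instructions than this sender normally issues.
    if len(orders) > 3 * typical_daily_orders:
        result.batch_flags.append("unusual_batch_volume")
    for o in orders:
        words = tokens(o.beneficiary + " " + o.free_text)
        # Red flag 2: any word in the order matches a sanctioned name token
        # (a coincidental hit on a street name fires too, as in the text).
        hits = sorted(SANCTIONED_TOKENS & words)
        if hits:
            result.order_flags[o.ref].append("sanctions_keyword:" + ",".join(hits))
        # Red flag 3: a large amount going to a private party rather than a bank.
        if not o.beneficiary_is_bank and o.amount_usd >= LARGE_NON_BANK_USD:
            result.order_flags[o.ref].append("large_transfer_to_non_bank")
    return result

def orders_to_hold(result):
    """Refs that should be held pending confirmation from the sending bank."""
    return sorted(ref for ref, reasons in result.order_flags.items() if reasons)

# Constructed sample batch (not real transaction data).
SAMPLE_BATCH = [
    PaymentOrder("ORD-01", 20_000_000, "Green Leaf Charity", False, "Colombo"),
    PaymentOrder("ORD-02", 30_000_000, "ExampleCo Holdings", False, "Manila"),
    PaymentOrder("ORD-03", 150_000, "Northern Correspondent Bank", True, "Settlement"),
    PaymentOrder("ORD-04", 5_000_000, "Sunrise Imports", False, "ExampleCo Road, Manila"),
]

if __name__ == "__main__":
    res = screen_batch(SAMPLE_BATCH, typical_daily_orders=1)
    print(res.batch_flags, orders_to_hold(res), sep="\n")
```

Only ORD-03 clears the per-order checks; the batch itself is also flagged because four orders exceed three times the sender’s usual daily volume.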
8) THE REMAINING MONEY
Yes, the hackers would never see the $870 million from those 30 transactions, but there were still five more: the remaining $101 million, which the Fed’s automatic system had missed.
What happened to these five? Sri Lanka received the first transfer. As previously stated, $20 million was sent to a Pan Asia Bank account through Deutsche Bank, which served as the routing bank. The intended recipient was the Shalika Foundation.
This was supposedly a Sri Lankan non-profit. Now, an observant Pan Asia Bank employee noticed something odd: $20 million was a huge sum for such a small NGO.
The employee sent the transaction back to Deutsche Bank for review. So, in Frankfurt, Germany, the payment order was examined just as it had been in New York, and here too there were red flags.
Such as this one: the order misspelled “foundation” as “fandation”. The suspicions were quickly confirmed, and unsurprisingly the “Shalika Fandation” turned out to be a fake. The funds were sent back to Bangladesh Bank’s New York account. That left four transactions, worth $81 million in total.
9) DID THE ROBBERS GET THIS MONEY?
We can take these four together, since they all went to the same country, and not only to the same bank but to the same branch: RCBC Bank’s Jupiter Street branch in the Philippines, just outside Manila. The four accounts had been dormant for nine months, with just $500 left in them.
Then came an unexpected inflow of $81 million. Such a sudden burst of activity should have triggered an alert at RCBC; for whatever reason, it flew under the radar. The accounts were later found to be in fake names. The funds were withdrawn immediately and laundered through casinos.
The Bangladesh Bank robbers carried out the next step of their money-laundering scheme in Manila’s glittering casino scene. Of the $81 million that reached RCBC, $50 million was placed in accounts at the Solaire and at another casino, the Midas. (What happened to the remaining $31 million? According to a committee set up to investigate, it was paid to a Chinese man named Xu Weikang, who is said to have left town on a private aircraft and has not been seen or heard from since.)
10) MAKING THE MONEY LOOK LEGITIMATE
The goal of using casinos was to break the chain of evidence. It would be almost impossible for investigators to track stolen money once it had been turned into casino chips, gambled, and changed back into cash. But what about the risks? Couldn’t the robbers simply lose their riches at the tables? No, not at all.
First, the robbers reserved private rooms and filled them with accomplices who would play at the tables, giving them control over how the money was spent. Second, they used the stolen money to play baccarat, a hugely popular and very simple game in Asia. There are just three outcomes to bet on, and a reasonably skilled player can recover 90% or more of their stake (an excellent return for money launderers, who often get far less). The thieves could now launder the stolen money and expect a good recovery, but doing so required careful management of the players and their bets, which took time. The gamblers stayed inside Manila’s casinos for weeks, washing the money.
Meanwhile, Bangladesh Bank was catching up. Its officers had travelled to Manila and discovered the money trail. When it came to the casinos, though, they ran into a brick wall. At the time, gaming establishments in the Philippines were not subject to money-laundering laws. In the eyes of the casinos, the money had been placed by legitimate players who had every right to spend it on the tables. (The Solaire casino says it had no idea it was dealing with stolen money and is helping police.) Officials from the bank were able to retrieve $16 million of the stolen funds from Kim Wong, one of the individuals who organized the gambling trips at the Midas casino. He was arrested and charged, but the accusations were later dismissed. The remaining $34 million, though, had vanished. According to investigators, its next trip would bring it one step closer to North Korea.
Electronic funds transfers had been turned into physical, untraceable cash. Bangladesh Bank had tried to halt the transactions, but time was simply not on its side. RCBC Bank did not receive the stop order on the expected Monday because it was Chinese New Year.
11) LAZARUS’ FOOLPROOF PLAN
“You can see the beauty of the attack,” says Rakesh Asthana, a cyber-security specialist based in the United States. “The Thursday night date has a specific function. On Friday, New York is open, but Bangladesh Bank is closed. The Federal Reserve Bank will be down by the time Bangladesh Bank reopens. As a result, the whole finding was delayed by almost three days.”
And the hackers had another trick in the works to buy even more time. Once the money was out of the Fed, they needed somewhere to send it, so they wired it to the accounts they had set up in Manila, the Philippines’ capital. In 2016, the first day of the Lunar New Year, a national holiday across much of Asia, fell on Monday, February 8.
By exploiting the time differences between Bangladesh, New York and the Philippines, the hackers had created a clear five-day run to get the money away. They had had plenty of time to arrange everything, since the Lazarus Group had been hiding inside Bangladesh Bank’s computer systems for over a year.
They entered the system on Thursday evening, when the bank had closed at the start of the Bangladeshi weekend. On Friday, the New York Fed tries to clarify the requests with Bangladesh, but no one is there. On Sunday, Bangladesh employees return from the weekend, but they cannot reach New York because it is now the weekend in the United States.
On Monday the Fed finally receives instructions to halt the transfers, but they do not reach the Philippines, where it is Chinese New Year. Only on Tuesday, five days after the theft, do RCBC employees learn of the illegal transactions. By then it is too late.
12) THE MIDDLEMEN FOR THE LAZARUS GROUP
Now, two Chinese men, Ding and Gao, have been identified as the people behind the bogus RCBC accounts in the Philippines. They turned out to be little more than middlemen. They were, nevertheless, an essential element of the operation, and detectives believed that interrogating them would lead to the real culprits.
Unfortunately, before Bangladeshi police could arrest them they left the country on flights to Macau, a Chinese special administrative region where they could no longer be traced. So from the other four transactions the hackers netted $81 million.
Not quite the original amount, but enough, by some measures, to be called the single largest bank robbery in history. Despite the attackers’ best attempts to wipe evidence from the bank’s computers, cybersecurity specialists were able to examine the virus. They found similarities between the methods and tools used in the Bangladesh Bank robbery and those of numerous other cyber attacks on financial institutions worldwide.
13) WHAT ROLE DID NORTH KOREA PLAY IN THIS?
This meant that one gang was most likely responsible for a series of attacks around the world. Lazarus was the name given to this group. But there was more to it. As experts dug further, looking through server records from previous attacks, they discovered something even more surprising: an IP address that connected Lazarus to a particular nation state.
For a brief moment, the attackers had failed to cover their tracks. The data showed that the attack servers had been accessed from a North Korean IP address at least once, and Korean-language text was also found encoded in the malware. It is essential to remember that North Korea may have been framed, with the attackers leaving behind seemingly strong evidence in order to mislead investigators.
North Korea, predictably, denied any involvement. However, it was clear that this organization was aggressively targeting recognized opponents of the state. Now, in terms of Lazarus’ financial exploits, as with the Bangladesh incident the attacks were just the beginning. They had to make sure the money reached the right place, and they did it by having the stolen money transferred via locations like Macau, which is known to be North Korea’s financial point of contact with the rest of the world.
14) HOW WILL THEY SPEND THIS MONEY?
We know that is where the Bangladesh money ended up, thanks to the two Chinese middlemen. It would not have been difficult to transfer the funds straight to Pyongyang from there. The proceeds would most likely have been used to further the nuclear program, fund the lifestyles of the privileged, and prop up the economy.
All of this may account for a significant portion of the country’s current GDP. If all of this is true, and North Korea is really behind these attacks, the worldwide implications would be enormous, especially in light of recent events, because this would be the first known instance of a nation state robbing a bank.
From there, anything is possible: weapons systems, civilian bank accounts, or even YouTube users who have created material the regime finds objectionable.
15) THE MAN BEHIND THE LARGEST BANK HEIST IN THE WORLD
North Korea’s state hackers are known in the cyber-security industry as the Lazarus Group, a name specialists chose after the biblical figure who rose from the dead. Little is known about the gang, but the FBI has drawn a comprehensive picture of one suspect: Park Jin-hyok, also known as Pak Jin-hek and Park Kwang-jin.
He is a computer programmer who graduated from one of the country’s top colleges before working for a North Korean regime company, Chosun Expo, in the Chinese city of Dalian, developing online gaming for customers all over the globe. His cyber-footprints place him in Dalian as early as 2002 and on and off until 2013 or 2014, when his online activity appears to originate in Pyongyang, North Korea’s capital.
The agency has released a photograph taken from an email sent by a Chosun Expo manager in 2011 introducing Park to an outside customer. It shows a well-dressed Korean man in his late twenties or early thirties wearing a pin-striped black shirt and a chocolate-brown suit. At first sight he looks unremarkable, except for a drained expression on his face.
However, the FBI claims that although he worked as a programmer during the day, he was a hacker at night. US officials charged Park with conspiracy to commit computer fraud and abuse, and wire fraud (fraud using mail or electronic communication), for activity between September 2014 and August 2017. If he is ever caught, he faces up to 20 years in jail. (He returned to North Korea from China four years before the charges were brought.)
But Park, assuming that is his real name, did not become a state hacker overnight. He is one of hundreds of young North Koreans groomed from childhood to become cyber-warriors: brilliant mathematicians as young as 12 who are removed from their schools and brought to the capital for specialized training.
16) HOW NORTH KOREA MAKES CYBER WARRIORS
Nonetheless, North Korea appears to have created some of the world’s most dangerous and talented hackers. Understanding how and why North Korea has developed superior cyber-warfare units requires a study of the Kim dynasty, which has governed North Korea since its establishment as a modern country in 1948.
Students use the North Korean intranet in the Grand People’s Study House in Pyongyang.
The government sends its most skilled computer programmers overseas, mainly to China, to train as cyber-warriors. There they discover how the rest of the world uses computers and the internet to shop, gamble, network and entertain itself. According to specialists, it is there that they are turned from mathematical geniuses into hackers.
Hundreds of these young men are said to be living and working at North Korean-run outposts in China. “They are very good at hiding their tracks, but like any other criminal, they leave crumbs, proof behind,” says Kyung-jin Kim, a former FBI Korea head who now works as a private investigator in Seoul. “We can also trace their IP addresses back to their location.”