In 2016, hackers from North Korea almost succeeded in stealing $1 billion from Bangladesh’s central bank – but $81 million of the transactions were stopped by a fluke. How did North Korea, one of the world’s poorest and most isolated nations, develop an elite group of cybercriminals?
1. THE FAULTY PRINTER
Bangladesh, Feb 7, 2016. The director of the Bangladesh Central Bank stepped into the elevator on the 9th floor and went up to the accounting and budgeting department’s back office, the most restricted area of the tower. The problem began with a faulty printer. To the Bangladesh Bank employees it was simply another day, another technical problem. However, this was no ordinary printer, and no ordinary bank.
The Bangladesh Bank manages the country’s foreign exchange reserves. The printer played a critical role in all of this. It was kept on the 10th floor of the bank’s main headquarters in Dhaka, Bangladesh’s capital, in a high-security room. Its duty was to keep records of multi-million-dollar transactions that passed through the bank.
The automatic printer is linked to the bank’s software and prints out the bank’s transaction reports in real time, 24 hours a day. At 08:45 on Friday, February 5, 2016, the printer tray stood empty because of a technical issue. Zubair Bin Huda, the duty manager, later told authorities, “We thought it was just another day like every other. Such glitches have occurred previously.”
2. UNKNOWN TRANSACTIONS WORTH $1 BILLION
Once the printer was restarted, the backlog of transaction reports began to print one by one.
When the staff looked closer, they discovered 35 suspicious payment requests for enormous sums. The money was alleged to have moved from Bangladesh Bank’s own account to several accounts in other countries.
No one at their bank could have approved these payments, and the SWIFT security system was believed to be unbreakable. As the director sifted through the suspicious transfer requests, the scale of the problem became apparent: over a billion dollars was involved.
3. THE START OF THE CRIME
The incident occurred in February 2016, although the events leading up to it began nine months earlier.
May 2015, Jupiter Street, a busy street in Manila, Philippines. A few months before the hackers gained access to Bangladesh Bank’s systems, their associates opened four accounts here. A number of warning signs were present: the driver’s licenses used to open the accounts were fake, and although the applicants claimed to work for separate businesses, they all gave the same job title and income. The accounts then sat dormant for months while the hackers worked on other parts of the scheme. The original $500 deposits were left untouched.
Bangladesh is now one of the fastest-growing economies in the world. Bangladesh’s central bank was located in the chaotic capital city of Dhaka, home to almost 20 million people. Despite its rapid development, it could not afford to lose a billion dollars of public funds.
4. HOW THE ROBBERS GOT INTO THE SYSTEM
In January 2015, numerous Bangladesh Bank employees received a harmless-looking email. It came from a job applicant named Rasel Ahlam. In his polite inquiry, he included a link to a website where they could download his CV and cover letter. According to FBI investigators, Rasel did not exist: the name was a cover used by the Lazarus Group. At least one bank employee fell for the scam, downloaded the documents, and infected their computer with the malware they contained. From there, the Lazarus Group quietly hopped from computer to computer across the bank’s networks, working their way towards the digital vaults and the billions of dollars they held.
On a Thursday a month later, the bank closed for the weekend, which in Muslim-majority nations like Bangladesh falls on Friday and Saturday rather than Saturday and Sunday.
5. THE ROBBERS’ MASTERCLASS IN PLANNING
Why is New York so special? Bangladesh Bank holds billions of dollars in foreign settlement deposits in an account there. The payment orders instructed that money be transferred from New York to various accounts that had been set up in Asia.
In New York City the following day, Friday, Bangladesh’s payment orders were handled by the Federal Reserve Bank of New York.
The Fed, known for its security, had no grounds to halt the transactions, since SWIFT instructions are legitimate and trusted. Unaware of the scam, its staff began processing the requests. On Sunday morning, Bangladesh Bank workers returned from the weekend and set about fixing their printer problem.
6. THE PROCESS OF TRANSFERRING FUNDS
The Federal Reserve Bank of New York transferred $20 million to the Shalika Foundation’s account at Pan Asia Bank in Sri Lanka. It was one of the 35 transfers to Asia. By then the employees in Bangladesh had finally got the printer working and were working through the transfer requests.
When they discovered that 35 payment orders totaling almost one billion dollars had been issued, panic broke out. They immediately sent a stop-payment order to the New York Fed. However, it was a Sunday, so nobody was available, and by the time the New York staff returned on Monday it would most likely be too late. A lucky break came their way: the automatic system in New York had marked 30 of the transactions for manual review.
One of the words on the SWIFT order happened to match the name of a shipping company that had been banned for violating US sanctions against Iran. Transfers totaling $870 million were now on hold. On closer inspection, the review team discovered numerous red flags.
There were an unusually large number of payment instructions, and significant transfers were going to private companies instead of banks. Bangladesh had to be contacted for clarification at this point. Once the Fed learned about the stop-payment order, the transactions were stopped. The game was up.
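To make the Fed’s screening concrete, here is an added example (not the Fed’s, SWIFT’s or the article’s own code) in Python: a batch screen that applies the three red flags described above, a coarse word-level sanctions match, a burst of orders, and large transfers to non-bank beneficiaries, to constructed sample orders. The sanctions entry, the thresholds and the orders are all placeholders.

```python
import re
from dataclasses import dataclass

# Constructed placeholder sanctions entry; a real screen uses official lists.
SANCTIONED_NAMES = ["ACME STAR SHIPPING"]
# Generic words that would match almost every order and are therefore ignored.
GENERIC_WORDS = {"CO", "LTD", "INC", "BANK", "STREET", "ST", "THE", "OF", "AND"}
LARGE_AMOUNT_USD = 10_000_000   # assumed review threshold for this account
BURST_LIMIT = 10                # assumed: more orders than this in one batch is unusual


@dataclass
class PaymentOrder:
    ref: str
    amount_usd: float
    beneficiary: str
    address: str
    beneficiary_is_bank: bool


def words(text):
    """Uppercase word tokens of a free-text field, minus the generic words."""
    return set(re.findall(r"[A-Z0-9]+", text.upper())) - GENERIC_WORDS


def screen_batch(orders):
    """Return {ref: [reasons]} for every order that should go to manual review."""
    flagged = {}
    burst = len(orders) > BURST_LIMIT
    for o in orders:
        reasons = []
        if burst:
            reasons.append("unusually many orders in one batch")
        if o.amount_usd >= LARGE_AMOUNT_USD and not o.beneficiary_is_bank:
            reasons.append("large transfer to a non-bank beneficiary")
        # Coarse on purpose: any distinctive word in the beneficiary name or
        # address that also appears in a sanctioned name is a hit. That is the
        # kind of check that catches a street name as well as a company name.
        hits = words(o.beneficiary + " " + o.address)
        for name in SANCTIONED_NAMES:
            common = hits & words(name)
            if common:
                reasons.append("word(s) %s match sanctioned name %r" % (sorted(common), name))
        if reasons:
            flagged[o.ref] = reasons
    return flagged


# Constructed sample batch: one non-bank order whose street name collides with the list.
SAMPLE_BATCH = [
    PaymentOrder("TX1", 20_000_000, "Example Foundation", "12 Acme Street, Manila", False),
    PaymentOrder("TX2", 6_000_000, "Some Bank Ltd", "Financial District, Colombo", True),
]
```

The word-level match trades precision for recall: it produces false positives, which is exactly why an innocent street name could halt a batch of fraudulent orders.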
7. THE REMAINING MONEY
The hackers would never see the $870 million. But five transactions, worth $101 million, had been missed by the Fed’s automated system.
Where did these five go? The first transfer went to Sri Lanka. The $20 million was sent to Pan Asia Bank through Deutsche Bank, which acted as the routing bank, with the Shalika Foundation as the intended recipient.
The organization was supposed to be a Sri Lankan non-profit. An observant employee at Pan Asia Bank noticed something odd: $20 million was a huge sum for such a small NGO.
The employee sent the transaction back to Deutsche Bank in Frankfurt, Germany, for review. There the payment order was evaluated in the same way as in New York, and it showed the same kind of red flags.
In this case, the order misspelled “foundation” as “fandation”. Once these suspicions were checked, it was no surprise that the Shalika Fandation turned out to be a forgery. The funds were transferred back to Bangladesh Bank’s New York account. That left four transactions, totaling $81 million.
8. DID THE ROBBERS GET THIS MONEY?
There is less to say about these four, since they were all sent to the same country, the same bank, and even the same branch: the Jupiter Street branch of RCBC Bank in the Philippines, just outside Manila. These were the four accounts that had sat inactive for nine months with just $500 in each.
An unexpected $81 million inflow into dormant accounts should have triggered a warning at RCBC. However, it flew under the radar. The accounts were later found to be fake, and the funds were then laundered through casinos.
In Manila’s glittering casino scene, the Bangladesh Bank robbers carried out the next step of their money-laundering scheme. Of the $81 million received by RCBC, $50 million was placed in accounts at the Solaire and Midas casinos. A committee set up to investigate found that $31 million was paid to Xu Weikang, a Chinese man who left town on a private aircraft and has not been seen or heard from since.
9. THE PROCESS OF LAUNDERING THE MONEY
Casinos were used to disrupt the chain of evidence. Investigators would have a hard time finding stolen money after it had been turned into casino chips, bet on, and then turned back into cash. But what about the risks? Is it not possible that the robbers would lose their wealth at the casino tables? Certainly not.
- Robbers reserved private rooms and filled them with accomplices who played at the tables, giving them control over how the money was spent.
- They also used the stolen money to play Baccarat, a hugely popular game in Asia.
- There are only three outcomes to choose from. A skilled player may recover 90% or more of their investment.
- The thieves could now launder the stolen money and expect to make a healthy recovery, but this required careful manipulation of the players and their bets, which took time.
- The gamblers stayed in Manila’s casinos for weeks, washing their money.
In the meantime, Bangladesh Bank was catching up. Its officers had been to Manila and found the trail of money. However, they ran into a brick wall when it came to casinos. Gambling establishments in the Philippines were not subject to money laundering laws at the time. Casinos believed the money had been placed by legitimate players.
The bank was able to recover $16 million of the stolen funds from Kim Wong, one of the individuals who organized the gambling excursions at the Midas casino. His charges were later dropped. However, the remainder of the money – $34 million – had disappeared. Investigators say its next stop could bring it closer to North Korea.
Physical, untraceable cash was created from electronic funds transfers. The Bangladesh Bank attempted to stop the transactions. Unfortunately, time was not on their side. Since it was Chinese New Year, RCBC Bank did not receive the stop order on the expected Monday.
10. LAZARUS’ FOOLPROOF PLAN
“You can see the beauty of the attack,” says Rakesh Asthana, a cyber-security specialist based in the United States. “The Thursday night date has a specific function. On Friday, New York is open, but Bangladesh Bank is closed. The Federal Reserve Bank will be down by the time Bangladesh Bank reopens. As a result, the whole finding was delayed by almost three days.”
The hackers had another plan in mind to buy even more time. Once the money had been transferred out of the Fed, it needed to be sent somewhere. They wired money to accounts they had established in Manila, the capital of the Philippines. In 2016, the first day of the Lunar New Year, a national holiday in Asia, was Monday, February 8.
By taking advantage of time differences between Bangladesh, New York, and the Philippines, the hackers had created a five-day run to steal the money. Since the Lazarus Group had been hiding within Bangladesh Bank’s computer systems for over a year, they had plenty of time to arrange everything.
11. THE MIDDLEMEN FOR THE LAZARUS GROUP
Two Chinese men, Ding and Gao, have since been identified as the people behind the bogus RCBC accounts in the Philippines. In reality, they were little more than middlemen. Nevertheless, they were an important part of the operation, and detectives believed that interrogating them would lead to the real culprits.
Before the Bangladeshi police could arrest them, they boarded a plane for Macau and fled the country. There, they could no longer be tracked. Through the other four transactions, the hackers had made off with $81 million.
It was not the full amount, but enough, by some measures, to be called the largest bank robbery in history. Although the attackers attempted to wipe evidence from the bank’s computers, cybersecurity specialists were able to examine the malware. Cyber attacks on financial institutions around the world have used methods and tools similar to those seen in the Bangladesh Bank robbery.
12. WHAT ROLE DID NORTH KOREA PLAY IN THIS?
In the end, one gang was most likely responsible for a series of worldwide attacks. Its name was Lazarus. Further investigation, looking through server records from previous attacks, revealed something even more surprising: Lazarus could be connected to a specific country via an IP address.
For a moment, the attackers had failed to hide their tracks. The data showed that the attack servers had been accessed at least once from a North Korean IP address, and the code also contained Korean. It is worth remembering that North Korea could have been framed: the attackers may have left such evidence behind deliberately to mislead investigators.
North Korea denied any involvement. However, it was clear that this group targeted recognized opponents of the state aggressively. Now, in terms of Lazarus’ financial exploits, as with the Bangladesh incident, the assaults were just the beginning. The money had to be delivered to the correct address. The stolen money was transferred through Macau, which is known as North Korea’s financial hub with the rest of the world.
13. THE MAN BEHIND THE LARGEST BANK HEIST IN THE WORLD
Cyber security experts refer to North Korea’s state hackers as the Lazarus Group. Like the biblical character who rose from the dead, their malware keeps returning to attack the system. One suspect has been identified by the FBI: Park Jin-hook, also known as Pak Jin-hek and Park Kwang-jin.
His cyber-footprints place him in Dalian as early as 2002 and on and off until 2013 or 2014, when his online activity seems to originate in Pyongyang, the capital of North Korea. He received training at one of the country’s top colleges before working for the North Korean regime at Chosun Expo in Dalian.
Chosun Expo has revealed a photo taken from an email received by a manager in 2011 presenting Park to an outside customer. The picture shows a well-dressed Korean man in his late twenties or early thirties wearing a pin-striped black shirt and a chocolate-brown suit. Except for a drained expression on his face, he seems as expected.
Even though he worked as a programmer during the day, the FBI claims he was a hacker at night. US officials charged Park in September 2014 and August 2017 with conspiracy to commit computer fraud and abuse and wire fraud (fraud via mail or electronic communication). He faces a sentence of up to 20 years in prison if he is ever caught. (He returned to North Korea from China four years before the charges were brought.)
Park, assuming that is his real name, did not become a state hacker overnight. He is one of hundreds of young North Koreans who have been groomed since childhood, from as young as 12, to become cyber-warriors: brilliant mathematicians who are removed from their schools and brought to the capital for specialised training.
14. HOW NORTH KOREA MAKES CYBER WARRIORS
North Korea has produced some of the world’s most dangerous and talented hackers. In order to understand how and why North Korea has developed superior cyber-warfare units, one must examine the Kim dynasty, which has ruled North Korea since 1948.
The government therefore sends its most skilled computer programmers overseas, mainly to China, because they cannot be fully trained as cyber-warriors on North Korea’s closed intranet. There they learn how the rest of the world uses computers and the internet to make purchases, to gamble, to network, and to have fun. Specialists say that it is there that they are transformed from mathematical geniuses into hackers.
Hundreds of these young men are reportedly working at North Korean outposts in China. “They are very skilled at hiding their tracks, but like any criminal, they leave crumbs behind,” says Kyung-jin Kim, a former FBI Korea official who now works as a private investigator in Seoul. “We can also trace their IP addresses to their location.”