In 2016, the world witnessed one of the most audacious cybercrimes in history: the Bangladesh Bank Heist. Using custom malware planted inside the bank and the bank's own SWIFT terminal, unknown attackers attempted to steal nearly $1 billion and got away with $81 million. This article tells the full story of the 2016 cyber heist and shows how a weekend holiday helped turn it into one of the largest digital bank thefts ever recorded.
In February 2016, over the Bangladeshi weekend (Friday and Saturday), staff at the Central Bank of Bangladesh were surprised to find that the printer which records international transfer messages had produced confirmations for nearly a billion dollars of transfers out of the bank's accounts. At that moment the employees did not yet realize that they were looking at one of the largest digital theft operations in history, or that their systems had been quietly occupied for about a year by one of the most capable state-linked hacking groups in the world.
The SWIFT Global System for Bank Transfers
Bangladesh is a Muslim-majority country, and its weekend falls on Friday and Saturday. During these two days only essential staff work at the Central Bank of Bangladesh, most notably those who manage transfers. SWIFT (the Society for Worldwide Interbank Financial Telecommunication) is the messaging network used by most banks in the world for international payments. It is a Belgian-based cooperative owned by its member banks, and its mission is to let banks exchange authenticated payment instructions with one another. The whole process is digital: no physical money moves, and SWIFT itself holds and transfers no funds. A SWIFT message is an instruction; the money actually moves when the receiving bank debits and credits the accounts it holds. For such instructions to be trusted, the network must authenticate who sent each message and protect it from tampering, and SWIFT's core network has a strong record of doing exactly that. As the rest of this story shows, however, the security of the network is only as good as the member banks' own systems that connect to it.
Weekend at the Central Bank
On Friday and Saturday, which are weekend holidays, all employees of the Central Bank of Bangladesh are off, except for some essential employees, most notably those responsible for managing the SWIFT system in the bank. When international transfers occur through the SWIFT system, these transfers are recorded in a digital log on the computer and are also printed via a printer located in the bank to have a printed copy of the transfer log. The SWIFT system and international transfers operate 24 hours a day.
Printer Malfunction and Transaction Mystery
On the morning of Friday, February 5, 2016, an employee went to the printer to collect the record of transfers that had occurred overnight on Thursday and found no printed pages at all. This was surprising, since it was practically impossible for no transfers to have happened during the night. Alongside the paper copy there was the digital log on the SWIFT workstation, and that log looked normal: transfers appeared to have been made during the night and nothing about them seemed suspicious. The fault appeared to be with the printer alone; it was not responding and would not work at all. Staff spent the whole of Friday trying to fix the printer, without success. As investigators later established, neither symptom was a coincidence: the attackers' malware had disabled the printing of confirmation messages and hidden the fraudulent transactions from the records kept by the bank's SWIFT software, so the one screen the staff were looking at had been doctored.
The Appearance of Unrecorded Transfers
On Saturday morning the employees tried again to get the printer running, and after several hours of attempts it suddenly came back to life. It immediately began printing the backlog of transfer messages from Thursday night through Saturday morning. The employees expected the printout to match the digital log on the computer. The shock was that among the printed transactions were 35 that did not appear in the digital log at all. Their total value came to $951 million, almost a billion dollars.
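The lesson in this episode is that a payment log kept on the same machine the attacker controls cannot be trusted, so the detection control is reconciliation against an independent record (here, the printed confirmations; in general, the correspondent bank's statement). The following is an added example, not code from the original article or from Bangladesh Bank; the pipe-separated log format, the field names and every sample line are constructed for illustration, and real SWIFT MT103 records carry many more fields.

```python
"""Reconcile a local SWIFT outgoing-message log against an independent record.

Added example. The 'REF|AMOUNT_USD|BENEFICIARY' format and the sample data
below are constructed; they are not real Bangladesh Bank records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    reference: str    # sender's transaction reference (tag 20 in an MT103)
    amount_usd: int
    beneficiary: str


# Constructed: what the (tampered) local SWIFT workstation log showed.
LOCAL_LOG = """
BBHO20160204001 | 1200000 | ACME IMPORTS LTD
BBHO20160204002 | 850000  | GLOBAL TEXTILES GMBH
BBHO20160204003 | 2300000 | NORTH ENERGY PLC
"""

# Constructed: what the independent record (printed confirmations, or the
# correspondent's statement) showed for the same period. Two messages are
# absent from the local log and one amount disagrees with it.
CONFIRMATIONS = """
BBHO20160204001 | 1200000  | ACME IMPORTS LTD
BBHO20160204002 | 8500000  | GLOBAL TEXTILES GMBH
BBHO20160204003 | 2300000  | NORTH ENERGY PLC
BBHO20160204004 | 30000000 | J DOE
BBHO20160204005 | 20000000 | R SMITH
"""


def parse_log(text):
    """Parse 'REF | AMOUNT | BENEFICIARY' lines into a dict keyed by reference."""
    payments = {}
    for line in text.strip().splitlines():
        ref, amount, beneficiary = (field.strip() for field in line.split("|"))
        payments[ref] = Payment(ref, int(amount), beneficiary)
    return payments


def reconcile(local, independent):
    """Compare two records of the same period.

    Returns (missing_locally, missing_remotely, mismatched):
      missing_locally  - confirmed by the independent record but absent from
                         the local log (the hidden transactions in this story)
      missing_remotely - in the local log but never confirmed
      mismatched       - same reference, different amount or beneficiary
    """
    missing_locally = [independent[r] for r in independent if r not in local]
    missing_remotely = [local[r] for r in local if r not in independent]
    mismatched = [
        (local[r], independent[r])
        for r in local
        if r in independent and local[r] != independent[r]
    ]
    return missing_locally, missing_remotely, mismatched


def run_example():
    """Reconcile the constructed logs and return the three discrepancy lists."""
    return reconcile(parse_log(LOCAL_LOG), parse_log(CONFIRMATIONS))


if __name__ == "__main__":
    missing_locally, missing_remotely, mismatched = run_example()
    for p in missing_locally:
        print(f"NOT IN LOCAL LOG: {p.reference} {p.amount_usd:>12,} {p.beneficiary}")
    for p in missing_remotely:
        print(f"NEVER CONFIRMED:  {p.reference} {p.amount_usd:>12,} {p.beneficiary}")
    for mine, theirs in mismatched:
        print(f"MISMATCH: {mine.reference} local={mine.amount_usd:,} confirmed={theirs.amount_usd:,}")
```

The point of the design is that the second record must come from a source the SWIFT workstation cannot write to. The printer served that role at Bangladesh Bank, which is exactly why the malware disabled it; a reconciliation job that reads the correspondent bank's own statement over a separate channel is the robust version of the same control.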
Transfer Requests to the Philippines and the US Federal Reserve
These transfer requests had been sent to the Federal Reserve Bank of New York. The Central Bank of Bangladesh holds an account there containing billions of dollars, part of the country's foreign reserves. Formal payment instructions had gone out from the bank's own SWIFT terminal asking the New York Fed to move $951 million, most of it to accounts at a bank in the Philippines and one $20 million payment to an account in Sri Lanka. The bank's employees were in a state of panic.
Attempts to Stop Transfers and Time Obstacles
Before asking who was responsible, they had to stop the damage. They quickly reviewed the requests and discovered that five payments totaling $101 million had already been executed: four to the Philippines worth $81 million and one of $20 million to Sri Lanka. The remaining 30 payments, which made up the bulk of the $951 million, were still pending. Their mission now was to save that amount and keep it from leaving their account at the New York Fed. They tried to contact the Fed, but nobody answered, because it was the weekend there. (The Sri Lankan payment was later reversed: the beneficiary's name had been misspelled "fandation" instead of "foundation", which prompted an intermediary bank to query it and return the funds.)
Communication Delays Due to International Holidays
Bangladesh Bank could not reach the New York Fed until Monday, because the Fed was closed for the weekend. The bigger problem was the $81 million that had already landed in accounts in the Philippines. They tried to contact the Philippine bank that had received the money, but got no reply: its weekend is Saturday and Sunday, and Monday, February 8, was also a holiday in the Philippines for the Chinese New Year.
Hackers' Smart Exploitation of Holiday Timing
The timing was a very clever part of the attackers' plan. They executed the theft on Thursday night, just before the Bangladeshi weekend (Friday and Saturday); they drew the funds from the bank's account at the New York Fed, which is closed on Saturday and Sunday; and they sent the money to a bank in the Philippines that was closed on Saturday, Sunday and Monday. The aim was to cut off communication between the three banks for as long as possible, giving the attackers a larger window to move the money before anyone could react.
Hacking the Central Bank of Bangladesh
Attacking the New York Fed or SWIFT's core network directly would have been far harder; both are heavily defended. The weakest link is the member banks themselves, since each bank is responsible for securing its own SWIFT terminals and the network around them. A central bank in a developing country with a limited security budget and little in-house expertise was a far more realistic target. The operation did not happen overnight: the attackers had been inside Bangladesh Bank's network since around January 2015, roughly a year before the transfers, quietly monitoring the network and studying its internal systems.
Stages of Infiltration: Social Engineering and Covert Penetration
The first step in the infiltration is known as social engineering: studying the human targets, their roles, their social behaviour and their everyday habits. Today the attacker's best tool for this is social media. The attackers gathered information on roughly 40 bank employees and then sent them emails crafted to look plausible to each recipient, posing as job applicants and carrying a CV as an attachment or link. Opening the file silently installed malware on the employee's computer.
Infiltrating Sensitive Transfer Systems
The malware then spread through the bank's network and computers entirely covertly. The employees who opened the files suspected nothing, since the files looked like ordinary résumés. In other words, the initial breach was more human than technical; the technical breach began once the malware was running on the employees' machines. It could capture screenshots, record every keystroke and let the attackers control the computer remotely. Their goal was to reach the critical machines used for international transfers.
Timing the Attack and Initiating Transfers
The network hardware at the Central Bank of Bangladesh was cheap and poorly configured. Investigators later reported that the computers connected to SWIFT sat on the same network as the rest of the bank, linked by inexpensive second-hand switches, with no firewall separating the SWIFT systems from ordinary office machines. This flat network let the attackers move from one computer to another with relative ease until they reached the workstation connected to the SWIFT network. They were careful to keep every movement covert. From a compromised employee's machine they obtained that user's credentials, and with them they could operate the SWIFT terminal as if they were bank staff.
The Strange Coincidence That Saved $850 Million
After the working day ended in Bangladesh on Thursday, the attackers remotely accessed the bank's computers and submitted 35 payment instructions through the SWIFT system to the New York Fed, asking for $951 million to be moved, mostly to the Philippines. The Fed relies on the SWIFT system for these instructions: if a correctly authenticated request arrives over the SWIFT network with all its data in order, it has no obvious reason to reject it. Yet only five payments, totaling $101 million, were executed. One of those, $20 million to Sri Lanka, was reversed because of a misspelled beneficiary name, leaving $81 million in the Philippines. The remaining 30, worth about $850 million, were held and placed under review. The reason was a strange coincidence that saved the Central Bank of Bangladesh from a far larger loss.
The Role of "Jupiter" in Halting Transfers
When the Philippine accounts were traced, they turned out to have been opened months earlier under fictitious names. The branch of the Philippine bank where they were held was located on a street named Jupiter, in Makati. By coincidence, a shipping company in another country also carried the name "Jupiter", and that company was dealing with Iran, which is under US sanctions; any company doing business with Iran can land on the US sanctions lists, and this "Jupiter" had. When the New York Fed's automated screening saw the word "Jupiter" in the address of the beneficiary bank branch, it flagged the payments and held them for manual review, even though Jupiter Street had nothing to do with the sanctioned company. Once human reviewers looked at the queue, the pattern of many large payments to private individuals stood out, and the 30 remaining instructions were stopped. Strictly speaking this was a false positive, but it is exactly what a screening hit is supposed to do: break straight-through processing and put a person in the loop.
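To make the mechanism concrete, here is an added example of token-based sanctions screening of a payment instruction. It is not the New York Fed's actual screening system and not code from the original article; the watchlist entries (including the hypothetical "JUPITER SHIPPING LINES"), the payment fields and the stop-word list are all constructed for illustration, and a real screen against the OFAC SDN list would use thousands of entries with aliases, fuzzy matching and scoring.

```python
"""Token-based sanctions screening of a payment instruction (added example).

The watchlist, payments and stop-words here are constructed for illustration.
They are not real sanctions data and not the New York Fed's screening logic.
"""
import re

# Constructed watchlist. The first entry is a hypothetical sanctioned shipping
# company whose name happens to contain the word JUPITER.
WATCHLIST = [
    {"name": "JUPITER SHIPPING LINES", "program": "IRAN"},
    {"name": "EXAMPLE TRADING CO", "program": "TEST"},
]

# Generic words that would otherwise match almost every address or name.
STOPWORDS = {"ST", "STREET", "AVE", "AVENUE", "THE", "CO", "INC", "LTD",
             "BANK", "BRANCH", "OF", "AND", "CITY"}


def tokens(text):
    """Uppercase alphanumeric tokens of length > 2, minus stop-words."""
    return {t for t in re.findall(r"[A-Z0-9]+", text.upper())
            if len(t) > 2 and t not in STOPWORDS}


def screen(payment):
    """Return every (field, token, watchlist_name) hit across the payment's fields."""
    hits = []
    for field, value in payment.items():
        for tok in sorted(tokens(value)):
            for entry in WATCHLIST:
                if tok in tokens(entry["name"]):
                    hits.append((field, tok, entry["name"]))
    return hits


def decide(payment):
    """Any hit breaks straight-through processing and queues the payment for a human."""
    return "HOLD_FOR_REVIEW" if screen(payment) else "RELEASE"


# Constructed payment whose beneficiary bank branch sits on Jupiter Street.
SUSPICIOUS_PAYMENT = {
    "ordering_institution": "BANGLADESH BANK DHAKA",
    "beneficiary_bank": "RCBC JUPITER ST BRANCH MAKATI",
    "beneficiary_name": "M ROE",
    "amount_usd": "30000000",
}

# Constructed payment to a branch on a different street: no hit.
CLEAN_PAYMENT = {
    "ordering_institution": "BANGLADESH BANK DHAKA",
    "beneficiary_bank": "RCBC AYALA AVENUE BRANCH MAKATI CITY",
    "beneficiary_name": "ACME IMPORTS LTD",
    "amount_usd": "1200000",
}

if __name__ == "__main__":
    for label, payment in (("suspicious", SUSPICIOUS_PAYMENT), ("clean", CLEAN_PAYMENT)):
        print(label, decide(payment), screen(payment))
```

The trade-off this shows is the one every screening team lives with: matching single tokens catches sanctioned names hidden in free-text address fields, at the price of false positives such as a street name. Tightening the match (whole-name only) would have released these payments automatically; the looser rule cost the Fed some manual review and saved roughly $850 million.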
Money Laundering in Philippine Casinos
Once the $81 million reached the Philippines, it still had to be laundered into clean, untraceable funds. This was a further reason for choosing the Philippines: at the time, its casinos were exempt from the country's anti-money-laundering law, so huge sums could be turned into chips and back into cash with almost no oversight. The money was moved through a remittance company to casinos and junket operators and distributed among a group of gamblers, many of them of Chinese origin. They converted the cash into casino chips, played for a while, and then cashed the chips back out, receiving different money with no link to the funds that had left the bank. Only about $15 million was eventually recovered and returned to Bangladesh; the rest was never found.
Identifying the Hacker Group: "Lazarus" and North Korea
The investigation continued for a long time and involved security agencies from Bangladesh, the United States and the Philippines. Initially nobody knew who the hackers were; the attackers had erased their tracks. But after security and forensic experts examined the bank's computers, they recovered fragments of the malware the attackers had installed and found a strong resemblance between it and the malicious code used in the 2014 attack on Sony Pictures Entertainment. That attack, the largest in Sony's history, disabled the company's networks, devices and systems and leaked internal data. The group responsible for it was called "Lazarus".
The "WannaCry" Attack and "Lazarus" Classification as Most Dangerous Hacker Group
Many Western governments, the United States foremost among them, regard the "Lazarus" group, which they attribute to North Korea, as one of the most dangerous hacking groups in the world. That reputation was not built on the Bangladesh Bank robbery or the Sony hack alone, but on the group's largest and most famous attack, "WannaCry", in 2017. This ransomware spread on its own from computer to computer through a Windows vulnerability, encrypted files and demanded a ransom in Bitcoin to restore them. Worse, its decryption was unreliable, so victims did not always get their files back even after paying. It reached more than 150 countries and infected on the order of 200,000 to 300,000 computers, hitting many sensitive organisations such as hospitals, transport authorities, railways, banks and telecommunications companies.
Consequences of the Theft and the Governor's Resignation
There were significant resignations after the theft, led by Atiur Rahman, the governor of the Central Bank of Bangladesh, along with a group of directors and officials. None of the hackers, and none of those who laundered the money, were apprehended. In the Philippines, the only person arrested and prosecuted was Maia Santos-Deguito, the bank branch manager who facilitated the withdrawal of the funds. She was convicted of money laundering in 2019 and sentenced to between four and seven years on each of eight counts, up to 56 years in total, and fined $109 million. She remains the only person prosecuted in the entire case.
The Largest Digital Heist in History
This theft remains one of the largest digital heists in history, and one of the largest bank robberies of any kind. It would have been by far the largest, by a massive margin, had all the transfers the attackers sent been approved; that it was not came down to a very strange coincidence. As the world moves further into the digital realm, we should expect even larger digital thefts in the future, and future conflicts will increasingly be fought in cyberspace as well.
Sources:
- Wikipedia – Bangladesh Bank robbery: a comprehensive overview of the 2016 heist, including the misuse of the bank's SWIFT system and the investigation outcomes.
- Reuters – How the New York Fed fumbled over the Bangladesh Bank cyber-heist: an in-depth investigation into how the Federal Reserve Bank of New York handled the attack.
- BBC – The Lazarus Heist: a feature linking the cyberattack to North Korea's Lazarus Group and exploring the geopolitical implications.
- Wired – That Insane, $81M Bangladesh Bank Heist? Here's What We Know: details how the hackers used malware and fraudulent SWIFT messages to carry out the theft.
- Darknet Diaries – Bangladesh Bank Heist episode: a podcast transcript providing a gripping narrative of the hack with technical insights.