The great Bangladesh cyber heist shows truth is stranger than fiction
(From March 2016)
Being a bank robber is bad for the soul in more ways than one.
Imagine your plans are successful. How do you sleep if you believe there’s nowhere safe to stash your ill-gotten gains?
Other people’s worries, best ignored perhaps, other than as a useful plot device for novels and films.
Except that, in the case of the Philippines-based hackers who stole $100m of the Bangladesh Bank’s money from the Federal Reserve in New York last month, it turns out to be everybody’s problem.
If ever a story had international crime and globalisation running through it as a thread, this is it.
Like other central banks, Bangladesh Bank uses the Federal Reserve as part of its stewardship of Bangladesh’s $28bn foreign currency reserves.
Most of Bangladesh’s reserves can be traced to remittances sent by hard-working migrants in the Middle East and the toil of the millions of garment workers who help clothe Europe and North America, and are responsible for the bulk of the country’s export earnings.
Thanks to the Philippine Daily Inquirer breaking the story, the world knows now that $100m of Bangladesh Bank’s funds was digitally stolen from the Federal Reserve last month. And that the hackers attempted to steal a whole billion dollars, but were foiled by an elementary spelling mistake.
It all sounds like a pulp fiction that would have been rejected as implausible a year ago. But it happened.
A quartet of hackers opens accounts at a Philippines bank. Months later, they fraudulently execute transfer orders from the Bangladesh central bank’s holdings in New York to coincide with not just the usual long weekend of the combined Bangladesh and US working weeks, but also the Philippines’ special Monday closure for Chinese New Year.
This allows extra time for stolen funds to be sent to a Chinese national with casino connections and be converted into pesos and hard to trace chips.
Along the way, half a dozen global banks duly execute orders, making use where called for of the protocols set by the Society for Worldwide Interbank Financial Telecommunication (Swift) based in Belgium.
Fortuitously, one of the routing institutions, Deutsche Bank, seeks clarification of an instruction for $20m to be sent to a Sri Lankan non-profit, because the hackers misspelled “foundation” in the NGO’s name.
Alarm bells ring and Bangladesh Bank scrambles to work with its Philippines counterparts and money laundering investigators to get to the bottom of it all.
That would be a happy ending, if the stolen money turns out to be recoverable. But instead, it’s more likely to only be the start of a tangled web of inquiries and litigation. Already, there is something of a Mexican stand-off between Bangladesh, Philippines, and the US over culpability for the fraudulent transactions going through.
As the prime victim, Bangladesh Bank has a right to expect strict liability for its losses from the Federal Reserve.
But equally the Federal Reserve will want to point to possible holes in BB’s internal security measures.
Throw in the Fed’s concern about the reputational damage of having to explain to its customers (essentially all the world’s banks) how funds earned by millions of poor Bangladeshi workers, were so readily stolen, and the only happy people left in the room will be everyone’s lawyers.
It is not known yet whether there was collusion by complicit individuals which enabled the hackers to mimic BB’s security protocols and passwords, or if the gang simply used diabolical malware to steal them. Take your pick. Either way, it does not change the fact Bangladesh Bank is the victim here.
And that systems used by the world’s most secure bank were spectacularly breached.
Ah, but wait a minute, chorus a plethora of comics and commenters on newspaper websites. Hallmark and various frauds in state-owned banks were a bigger loss for Bangladeshi tax-payers, weren’t they? And didn’t leading banks bankrupt the global financial system in 2008 by gambling trillions of dollars of other people’s money on worthless derivatives?
Well yes, that’s all true. But like should be compared with like.
Bangladesh Bank’s track record on repaying multilateral debt and managing international obligations is a sound one, particularly when compared to the government’s record in controlling state-owned banks. It is self-flagellation to imply as some do, that just because Bangladesh scores poorly on Transparency International’s corruption perception index, this cyber fraud is “just another” scandal to add to the list.
It is not. It is a scarily large and almost wholly successful international robbery. The entire point of systems adopted by Bangladesh Bank, the Federal Reserve, and Swift is to prevent theft, and in this case they were short-circuited.
Little light will be shed by pointing to the crony capitalism and corruption which underlay the many scandals that have plagued Bangladesh state-owned banks. Or for that matter similar dynamics at play in the lobbying that prevents US politicians from fixing the system that gave impunity to reckless Wall Street bankers. Not to mention (but I will) prolonged attempts by successive British governments to suppress reports on corruption allegations in the $40 billion plus Al-Yamamah oil for arms deal with Saudi Arabia in 1984. All these things matter. Venality knows no boundary. But, none of this makes it easier to steal from the Federal Reserve. If it did, the Fed would be successfully robbed every day.
Of course, this sorry tale makes it imperative that Bangladesh Bank and the Federal Reserve do more to make security procedures as secure as they are meant to be. But let’s not overlook the human interest in the story of the Bangladesh cyber-heist. The greed of the cunning individuals involved does not need elaborate theories to be explained. It is the sheer size of the hackers’ ambitions that intrigues and appalls in equal measure.
To appreciate the scale of their theft, take a look at this week’s sentencing in London of the career criminals found guilty of last year’s Hatton Garden jewellery vault raid, which prosecutors called the biggest burglary in English legal history.
As an analogue “hole in the wall job,” carried out over last year’s Easter public holiday by a gang of senior citizens, the oldest of whom was 75 — it inevitably fascinated tabloids. It even earned a compliment from the sentencing judge for standing “in a class of its own” in terms of planning and organisation.
Not surprisingly, movie producers and Sir Michael Caine have already expressed interest in filming the story. What leaps out most though, is that this raid involved “only” 14 million pounds worth of jewellery, cash, and gold.
Surely an attempted billion dollar robbery, from the Federal Reserve no less, must throw up similar interest from Hollywood? After all, the story is almost tailor-made for US film companies looking to appeal to expanding markets in Asia.
Maybe. But geeks at desks sounds a harder sell then Cockney pensioners “doing one last break-in,” so it would need something of the Mission Impossible to be visually appealing.
I had to ask a colleague for the name of the pre-millennial Sean Connery vehicle about a heist at the Petronas Towers which this chain of thought inevitably led to. All I could remember about Entrapment was Catherine Zeta-Jones limboing around some laser beams for some forgotten but presumably plot germane reason.
After some discussion, we both agreed the cast of international organisations, locations, and casinos involved in the Bangladesh cyber heist, means an Ocean’s Eleven-type scenario is definitely on the cards. It even has room for a role for Sir Michael at the location of his choice.
One day perhaps, an expatriate migrant worker in a desert kingdom whose remittances to Bangladesh found their way via New York to a casino in East Asia, will see a film on a plane about the cyber heist story. And the old Fleet Street cliché will pop up in every viewer’s mind.
You couldn’t make it up.
(Published 12 March 2016 Dhaka Tribune)