The Digital Bank Heist: Part 1


The joke above reminded me of the Bangladesh Bank heist which was described in this excellent DarkNet Diary podcast. We’ve heard of million-dollar heists in so many Hollywood movies. That’s a lot, but when you go for digital robbery, the sky’s the limit. The amount they tried to rob from the Bangladesh Bank? A billion dollars. No typos, that’s indeed a billion dollars.

 

You’d rightly be asking the question the podcast asks:

“Who would have a billion dollars lying around for someone to grab?”

National banks, that’s who (the equivalents of RBI). That’s why the hackers picked the Bangladesh Bank as their target:

“The plan was to hack into the Bangladesh Bank and transfer out as much money as they could before anyone could catch them.”

 

How did they get into the bank’s network? Good old phishing mails (yes, the ones we are warned not to click on) got them in. From that one computer, the hackers hopped around the bank’s network, familiarizing themselves with details of the network, how to move money etc. Banks use a system called SWIFT to transfer money. The hackers soon found the system that could do SWIFT transfers.

 

Most of the reserves of the Bangladesh Bank were with the New York Fed. So that’s where the billion dollars lay. Of course, attempting to transfer a billion dollars at one shot was risky:

“A big transfer like that might require additional authorization or something.  Why put all your eggs in one basket?  If that one-billion-dollar transfer fails, then everything fails.  The hackers decided to break up the theft into many smaller transfers.”

The hackers decided to split it into 36 different transfers.

 

The “prep work” to create accounts to receive these electronic transfers was completed. A year in advance. This was a long, patiently done heist. The time they chose to strike was pure (evil) genius. They picked a long weekend, both in Bangladesh (source) and the Philippines (destination). Why did this matter? It reduced the odds that anyone would be present at both ends of the sender-receiver banks, should anyone get suspicious and call to confirm. In addition:

“Three time zones, here; you’ve got Bangladesh Bank which is the bank that’s been hacked into where the money’s gonna be transferred from, you’ve got where the actual money is which is New York, which is obviously a different time zone, and you’ve got where the money is going which is the Philippines which is yet another time zone. What they did was played these three time zones to their advantage.”

 

But things didn’t go to plan. The New York Fed started the transfers. One of the early ones went to a Sri Lankan charity, but the spelling was wrong. It caught someone’s attention, which set off questions in the New York branch. But Friday was a holiday in Bangladesh and nobody responded. The New York Fed stopped all further transfers. But by then, 81 million dollars had already been transferred.

 

Surely there’d be some checks in Bangladesh to notice huge transfers? Indeed there were. A printer was set to print the transactions as they happened (why paper? Because digital logs can be erased). And an employee was supposed to look at the printouts immediately. But the hackers were a step ahead:

“The thieves hacked the printer to make it print blank pages of transaction records.”

 

As I said, $81 million had already been stolen before the US side stopped the transfers. But how does one take that much money out of the Philippines (and other) banks for good? Won’t it leave an electronic trail? And how do you launder it quickly? All that and more in the next blog.

Comments

Post a Comment

Popular posts from this blog

Student of the Year

Image
As a toddler, my daughter loved Alia Bhatt’s songs, esp. the ones from Student of the Year . (That movie did have many good songs and well-choreographed dances). Fast forward to present day, when she is 12 yo. She rarely watches Hindi movies now, but one of the few ones she likes of late, Raja aur Rani ki Prem Kahani has, yes, Alia Bhatt.   If I had any hopes that there was anything to be read in the name of her toddler-time favorite ( Student of the Year ), they have been dashed. Our conversations come exam time are perfectly captured by this photo and its caption: In fact, the pic below captures how she and I look at her answer sheets – me intently, she with an expression of “It’s over, so why are you even looking at it?”   Of late, we pull her leg and tell her that she isn’t showing any signs of academic prowess, she’d better find a rich guy to marry. Some time later, she showed us this meme on the Internet: “Me No Study, Me No Care Me Go Marry Millionaire If He Die
Read more

Animal Senses #7: Touch and Remote Touch

Instinctively, we think touch is based on contact. Not entirely true, explains Ed Yong in Immense World – there’s a more important aspect than contact: “These incredible feats are possible through movement. If you rest a fingertip upon a surface, you can get only a limited idea of its features. But as soon you’re allowed to move, everything changes. Hardness becomes apparent with a press. Textures resolve at a stroke.” As you run your fingers over a surface, they hit the tiny peaks and troughs and set off vibrations in the mechanoreceptors at their tips.   At the tip of its snout, the star-nosed mole has many pairs of hairless appendages. It uses them to touch things around itself. Alive or dead? Food or ignore? It does these movements at an insane speed. In the time it takes to blink our eyes, the star-nosed mole can probe, identify and swallow its food. “Light may be the fastest thing in the universe, but light sensors have their limits, and the star-nosed mole’s sense of
Read more

The Retort of the "Luxury Person"

Image
Coming up with biting and witty retorts. It’s something we dream of, but rarely manage to pull off. Worse, the more we stew over the offending remark, the more likely we are to come up with that dream retort, as Calvin ruefully points out: During our last holiday at the Taj Resort, seeing my wife carrying towels to our poolside chairs, one of the kids there mistook her for a member of the staff and asked for a towel. When my wife narrated this to us, I did not imagine that my 8 yo daughter would come up with her own retort. But a day later, my daughter recapped the incident, an incident that didn’t even involve her in the first place , and said, “You know what I’d have told that kid who asked for the towel?”. And without waiting for an answer, she told us anyway: “I don’t work here. I too am a luxury person who is living at this resort. Go get your own towel.” We were highly amused by the phrase she had coined: “luxury person”. It certainly captures the kind of holid
Read more