The Digital Bank Heist: Part 1
The joke above reminded me of the Bangladesh Bank heist which was described in this excellent DarkNet Diary podcast. We’ve heard of million-dollar heists in so many Hollywood movies. That’s a lot, but when you go for digital robbery, the sky’s the limit. The amount they tried to rob from the Bangladesh Bank? A billion dollars. No typos, that’s indeed a billion dollars.
You’d rightly be asking the question the podcast asks: “Who would have a billion dollars lying around for someone to grab?” National banks, that’s who (the equivalents of RBI). That’s why the hackers picked the Bangladesh Bank as their target: “The plan was to hack into the Bangladesh Bank and transfer out as much money as they could before anyone could catch them.”
How did they get into the bank’s network? Good old phishing emails (yes, the ones we are warned not to click on) got them in. From that one computer, the hackers hopped around the bank’s network, learning its layout, how money was moved, and so on. Banks use a system called SWIFT to transfer money, and the hackers soon found the machine that could issue SWIFT transfers.
Most of the reserves of the Bangladesh Bank were with the New York Fed. So that’s where the billion dollars lay. Of course, attempting to transfer a billion dollars in one shot was risky: “A big transfer like that might require additional authorization or something. Why put all your eggs in one basket? If that one-billion-dollar transfer fails, then everything fails. The hackers decided to break up the theft into many smaller transfers.”
The hackers decided to split it into 36 different transfers.
The “prep work” to create accounts to receive these electronic transfers had been completed a year in advance. This was a long, patiently executed heist. The time they chose to strike was pure (evil) genius. They picked a long weekend, both in Bangladesh (source) and the Philippines (destination). Why did this matter? It reduced the odds that anyone would be present at both the sending and the receiving bank, should anyone get suspicious and call to confirm. In addition: “Three time zones, here; you’ve got Bangladesh Bank which is the bank that’s been hacked into where the money’s gonna be transferred from, you’ve got where the actual money is which is New York, which is obviously a different time zone, and you’ve got where the money is going which is the Philippines which is yet another time zone. What they did was played these three time zones to their advantage.”
But things didn’t go to plan. The New York Fed started the transfers. One of the early ones went to a Sri Lankan charity, but the spelling of its name was wrong. It caught someone’s attention, which set off questions at the New York end. But Friday was a holiday in Bangladesh and nobody responded. The New York Fed stopped all further transfers. By then, however, 81 million dollars had already been transferred.
Surely there’d be some checks in Bangladesh to notice huge transfers? Indeed there were. A printer was set to print the transactions as they happened (why paper? Because digital logs can be erased). And an employee was supposed to look at the printouts immediately. But the hackers were a step ahead: “The thieves hacked the printer to make it print blank pages of transaction records.”
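As an added illustration (my own code, not from the post or the podcast), here are the three defensive checks the story implies, run over a constructed batch of outbound payment instructions: a structuring check that sums individually sub-threshold transfers from one account within a short window, a reconciliation of what was sent against the out-of-band printed record, and a check for instructions sent on the originating bank’s holiday. All account names, references, amounts, dates and the holiday are made up.

```python
from datetime import datetime, timedelta

# Constructed sample of outbound payment instructions; refs, accounts,
# amounts, dates and the holiday are all invented for this illustration.
SAMPLE_TXNS = [
    {"ref": "T01", "sent": "2020-01-03T22:10", "orig": "ACCT-A", "benef": "PH-1", "amount": 20_000_000},
    {"ref": "T02", "sent": "2020-01-03T22:15", "orig": "ACCT-A", "benef": "PH-2", "amount": 25_000_000},
    {"ref": "T03", "sent": "2020-01-03T22:20", "orig": "ACCT-A", "benef": "LK-1", "amount": 20_000_000},
    {"ref": "T04", "sent": "2020-01-03T22:30", "orig": "ACCT-A", "benef": "PH-3", "amount": 30_000_000},
    {"ref": "T05", "sent": "2020-01-02T09:00", "orig": "ACCT-B", "benef": "DE-1", "amount": 5_000_000},
]
PRINTED_REFS = {"T05"}          # what the paper log actually shows (the rest came out blank)
ORIG_HOLIDAYS = {"2020-01-03"}  # a Friday holiday at the originating bank

def flag_structuring(txns, per_tx_limit, window_minutes, agg_limit):
    """Return originators whose individually sub-limit transfers, summed over any
    sliding window of `window_minutes`, exceed agg_limit (the 'split it up' pattern)."""
    window = timedelta(minutes=window_minutes)
    by_orig = {}
    for t in txns:
        if t["amount"] < per_tx_limit:  # large ones already need extra authorization
            by_orig.setdefault(t["orig"], []).append((datetime.fromisoformat(t["sent"]), t["amount"]))
    flagged = set()
    for orig, items in by_orig.items():
        items.sort()
        start, total = 0, 0
        for when, amount in items:
            total += amount
            while when - items[start][0] > window:  # drop entries that fell out of the window
                total -= items[start][1]
                start += 1
            if total > agg_limit:
                flagged.add(orig)
                break
    return flagged

def reconcile_print_log(txns, printed_refs):
    """Refs that were sent but never appeared on the out-of-band printed record."""
    return [t["ref"] for t in txns if t["ref"] not in printed_refs]

def flag_holiday_sends(txns, holidays):
    """Refs sent on a day when nobody at the originating bank is expected to review them."""
    return [t["ref"] for t in txns if t["sent"][:10] in holidays]

if __name__ == "__main__":
    print("structuring:", flag_structuring(SAMPLE_TXNS, 50_000_000, 60, 50_000_000))
    print("missing from print log:", reconcile_print_log(SAMPLE_TXNS, PRINTED_REFS))
    print("sent on holiday:", flag_holiday_sends(SAMPLE_TXNS, ORIG_HOLIDAYS))
```

Each check on its own is weak (the window and limits are tunable guesses); the point is that the paper log, the aggregate, and the calendar are independent signals, so defeating one does not silence the others.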
As I said, $81 million had already been stolen before the US side stopped the transfers. But how does one take that much money out of the Philippines (and other) banks for good? Won’t it leave an electronic trail? And how do you launder it quickly? All that and more in the next blog.