Typo spells confusion in $101m cyber bank heist
Hackers allegedly breached the Bangladesh central bank’s security system and then pretended to be Bangladeshi officials to send a series of requests for the New York Federal Reserve to transfer large tranches of money from its account there.
Bangladesh Bank told the Financial Times that a total of $101 million was “wrongly transmitted”, of which $20 million went to a Sri Lankan bank.
“The Sri Lankan bank did not disburse it immediately and we could recover the full amount. The remaining $81 million was transmitted to a few accounts of a Philippine bank,” the central bank says.
Other transfers were reportedly attempted, but were stopped before as much as $1 billion could be stolen from the account.
Bangladesh banking officials said that the cyber criminals were stopped when they made a spelling mistake in one of their transfer instructions.
The hackers misspelled the name of a Sri Lankan non-governmental organisation, writing “foundation” as “fandation”.
That prompted a routing bank to query the transaction and led to the crime being stopped.
It is understood that anti-money laundering (AML) authorities in the Philippines are co-operating with Bangladesh and had already frozen the relevant bank accounts, it adds.
A cyber expert, who had worked at the World Bank and is currently employed as an “IT governance specialist” on a Bangladesh Bank project, was investigating the case with his forensic team, the central bank says. “We have confidence the stolen funds will be recovered in full.”
The money may be recovered but the major issue at stake is over who is to blame for permitting the transfers.
Abul Maal Abdul Muhith, Bangladesh’s finance minister, told reporters in Dhaka that his government was considering filing a case against the New York Fed and that he was also surprised by the failure of his own country’s central bank to report the crime.
He says the Fed officials “cannot avoid their responsibility in any way”, and adds that he first learned of the scam from press reports. “Bangladesh Bank authorities did not inform [us] of the matter,” he says.
A spokesperson for the NY Fed says, however, that its systems were not hacked and the transfers were made after it followed protocol.
“To date, there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised.”
The Fed spokesperson adds: “The payment instructions in question were fully authenticated by the Swift messaging system in accordance with standard authentication protocols. The Fed has been working with the central bank since the incident occurred, and will continue to provide assistance as appropriate.”