
Unraveling the Mystery of the Bangladesh Bank Robbery: An Intriguing Cyber Odyssey

Behind the Lines of Code: The Story of the Biggest Bank Robbery in the Digital Age.

By diego michel | Published 7 months ago | 13 min read


First, who are the Lazarus Group?

The Lazarus Group (also known by other names such as Guardians of Peace or Whois) is a hacking group made up of an unknown number of individuals directed by the North Korean government. Although little is known about the Lazarus Group, Western researchers have attributed numerous cyberattacks to it between 2010 and 2021. Originally a criminal group, it is now designated as an advanced persistent threat by Western governments and security firms because of the deliberate nature and wide range of methods it uses when conducting operations against targeted entities; to non-Western observers it remains a valuable, highly skilled and respected asset. Names given by cybersecurity organizations include Hidden Cobra (used by the U.S. Department of Homeland Security to refer to malicious cyberactivity by the North Korean government in general).

The Lazarus Group has strong ties to North Korea. The U.S. Federal Bureau of Investigation claims that the Lazarus Group is a North Korean "state-sponsored hacking organization". According to North Korean defector Kim Kuk-song, the unit is known internally in North Korea as Liaison Office 414. North Korea benefits from conducting cyber operations because it can present an asymmetric threat with a small group of operators, especially to South Korea.

What is SWIFT?

SWIFT (legally, S.W.I.F.T. SC) is the acronym for the Society for Worldwide Interbank Financial Telecommunication.

It is an international cooperative society under Belgian law, owned by some 3,500 member financial institutions as shareholders, which operates an international network for financial messaging between banks and other financial institutions. It is, however, overseen by a board consisting of the central banks of the Group of Ten (Belgium (lead overseer), Canada, France, Germany, Italy, Japan, the Netherlands, Sweden, Switzerland, the United Kingdom and the United States) and the European Central Bank.

How did it all start?

At 8:45 in the morning on Friday, Feb. 5, 2016, Zubair Bin Huda, a director at Bangladesh’s central bank, entered the 30-story, concrete-and-glass headquarters in Dhaka. Bin Huda, slim and soft-spoken, with a thin black mustache and beard, rode an elevator to the ninth floor and eventually walked into the back office of the Accounts and Budgeting Department’s “dealing room,” the most restricted area of the building, accessible to only a handful of employees.

Until about a decade ago, Bangladesh’s central bank was stuck in the analog age: Staff members sent international payment instructions via a teleprinter, an electromechanical typewriter that sent and received messages over standard phone lines and other channels. But since a new bank governor took over in 2009, the institution had gone digital. Its international transfer orders are now dispatched via Swift, the Brussels-based electronic network used by 11,000 financial institutions in more than 200 countries and territories. Inside a 12-foot-by-8-foot glass-walled chamber, under the scrutiny of closed-circuit security cameras, staff members log into Swift and dispatch the payment orders with encrypted communications. With a few keystrokes, a complex process is set in motion that sends millions of dollars zipping across continents.

Bin Huda was the duty manager that morning, which meant he was tasked with scrutinizing printouts of transfer confirmations, routine queries and other Swift messages that had come in overnight. Friday is a bank holiday in Bangladesh, but a dedicated printer still generated hard copies of digital transfer messages. A few dozen would usually come in over the course of a day, but that morning Bin Huda didn’t see any on the printer. He assumed it was a technical glitch and decided to deal with it on Saturday.

At 9 o’clock the next morning, he returned to the office. This time, he found that the Swift software — the program that launches the messaging service — wasn’t functioning, either. Each time he tried to open it, a disconcerting error message appeared: A file is missing or changed. He and his colleagues huddled over the dedicated Swift computer, following directions on the monitor on how to get the software running again. Shortly after noon, he was able to retrieve three messages from the Federal Reserve Bank of New York and to print them out one by one. The New York Fed is, in effect, the gatekeeper of much of world banking, and hosts accounts for 250 central banks and governments with deposits of about $3 trillion. A Fed employee had written to Bangladesh, asking for clarification about 46 payment instructions received over the past 24 hours. The Fed had never seen orders like that or a total so large from the bank — nearly $1 billion.

It had to be a mistake, Bin Huda thought. Bangladesh Bank, as the central bank is known, never sent payment instructions on weekends, and even during business hours, it rarely sent more than two or three to the Fed in a day. He scrolled through the message file in search of more information. Where was the money headed? The one debit statement he could find was corrupted and unreadable. Desperate to stop the transactions from moving forward, but unsure where to turn, Bin Huda emailed a Swift case manager at the organization’s Brussels headquarters. He told bank officials that he had reported a “big accident” in the Swift system. He tried to reach the Fed in New York by telephone, but the bank was shut down for the weekend. Bin Huda emailed and faxed a demand to the Fed to stop processing all payments, including all those mentioned in the queries. Hoping that someone would get the message, Bin Huda then shut down his computer and went home to enjoy his weekend with his family.

How the bank could have been attacked

Bin Huda was in the middle of the most daring bank robbery ever attempted using Swift. And it would prove to be the most severe breach yet of a system designed to be unbreachable. Swift’s transmission process — by which money moves through the dispatching of encrypted messages to multiple operating centers and then on to the receivers — has become the standard in the banking world, flawlessly processing more than three billion payment orders a year. It uses “military grade” security systems, says Adrian Nish, the head of Threat Intelligence for BAE Systems, a cybersecurity firm in Britain that investigated the attack on Bangladesh Bank. Swift (the acronym stands for the Society for Worldwide Interbank Financial Telecommunication, a cooperative founded in 1973 and owned by its member banks) recommends that its institutions use multifactor authentication to log on and that they segregate the Swift server from the rest of their internal network.

Even for skilled and dedicated hackers, the most viable path to penetrating Swift runs through the member banks, which operate the software that lets them log into the Swift system — providing “the technical handshake that opens the secure pipe,” as one cybersecurity expert put it to me. During the past three years, a rash of smaller incidents has shown the vulnerabilities in the system, as cyberthieves broke into the computer networks of banks in Ecuador, Taiwan, Vietnam, Poland, India and Russia to send out phony payment instructions via the Swift network. Alert bank officials were able to call back some fake payments, but millions of dollars were lost. “A lot of institutions in emerging markets don’t have the same security controls that more mature banks have,” says Patrick Neighorn of FireEye, a U.S. cybersecurity firm. “In some the passwords aren’t centrally managed, or they don’t know what all the devices connecting to their network are.”

The Bangladesh job, though, was an order of magnitude more sophisticated. The hackers’ approach was masterly in its foresight and complexity, and the malware they used, or variations of it, later turned up in several of the other bank breaches. The intruders most likely entered the bank’s computer network through a single vulnerable terminal, using a contaminated website or email attachment, and planted malware that gave them total control, even a view of the screens they were manipulating. There, hiding in plain sight, they waited for months to gain an understanding of the bank’s business operations. They harvested employee passwords and worked their way to the most tightly guarded corner of the network: the Swift server. Despite Swift’s warnings, the bank had not segregated its Swift server from the rest of the computer network. “It takes a huge amount of skill to understand the target systems and to be able to subvert them the way they did,” says Nish of BAE Systems.

In contrast to off-the-shelf tools that have been used in many recent attacks — such as the “SQL injection code” deployed in 2015 to break into the database of TalkTalk, a British telecommunications firm, and access the bank information and personal details of more than 20,000 subscribers — the malware that the thieves devised was “a custom code, built for attacks on banks and configured for a specific bank,” Nish says. And because it was written from scratch, it was unfamiliar to existing virus-protection programs. After the hackers sent their counterfeit payment orders via the secure Swift messaging network, they completely erased their footprints by deleting those orders from the bank’s Swift database, wiping out the evidence from the printer statements and updating the balances in the bank’s New York Fed account to make it appear that no money had been debited. In effect, Nish says, “the thieves figured out how to make themselves disappear.”
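The cover-up described above works because every record the attackers touched (the local Swift database, the printed confirmations, the displayed Fed balance) lived on, or was produced by, hosts they controlled. The check that survives that is reconciliation against a record they could not reach: the correspondent's own account statement, obtained out of band, compared with the local outbound log, with the bank's normal sending pattern applied to what was actually executed. The script below is an added example written for this article, not code from Bangladesh Bank, BAE Systems or Swift; the message references, amounts, counterparty names and the two-or-three-a-day and no-weekend policy thresholds are constructed from figures quoted in the text.

```python
"""Reconcile an out-of-band correspondent statement against the local SWIFT log.

Added example (not from the article or any bank's software). All references,
amounts and names below are constructed; MT103 field numbers are mentioned
only to show which real field each attribute would come from.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

BANK_WEEKEND = (4, 5)   # Friday and Saturday: the bank never sent instructions then
DAILY_LIMIT = 3         # it "rarely sent more than two or three" orders a day


@dataclass(frozen=True)
class Debit:
    ref: str            # sender's reference, as in MT103 field :20: (constructed)
    value_date: date    # value date, as in field :32A:
    amount_usd: int
    beneficiary: str


# Outbound log as the (possibly tampered) local SWIFT host still shows it.
LOCAL_OUTBOUND_LOG = [
    Debit("BB2016020401", date(2016, 2, 4), 2_400_000, "Legitimate supplier A"),
    Debit("BB2016020402", date(2016, 2, 4), 1_500_000, "Legitimate supplier B"),
]

# Debits on the correspondent's statement, obtained through a separate channel
# (constructed: the two real orders plus five the local log no longer contains).
CORRESPONDENT_STATEMENT = LOCAL_OUTBOUND_LOG + [
    Debit("BB160204X01", date(2016, 2, 4), 25_000_000, "Account 1, RCBC Jupiter branch"),
    Debit("BB160204X02", date(2016, 2, 4), 30_000_000, "Account 2, RCBC Jupiter branch"),
    Debit("BB160204X03", date(2016, 2, 4), 20_000_000, "Account 3, RCBC Jupiter branch"),
    Debit("BB160204X04", date(2016, 2, 4), 6_000_000, "Account 4, RCBC Jupiter branch"),
    Debit("BB160205X05", date(2016, 2, 5), 20_000_000, "Shalika Fundation, Pan Asia Bank"),
]


def unexplained_debits(local_log, statement):
    """Debits the counterparty executed that the local log has no record of.

    An order that was deleted from (or never written to) the local database
    shows up here no matter what the compromised host reports.
    """
    known = {d.ref for d in local_log}
    return [d for d in statement if d.ref not in known]


def policy_violations(statement, daily_limit=DAILY_LIMIT, weekend=BANK_WEEKEND):
    """Apply the bank's own sending pattern to what was actually executed."""
    violations = []
    per_day = Counter(d.value_date for d in statement)
    for day, count in sorted(per_day.items()):
        if count > daily_limit:
            violations.append(("daily_volume", day.isoformat()))
    for d in statement:
        if d.value_date.weekday() in weekend:
            violations.append(("weekend_value_date", d.ref))
    return violations


def reconcile(local_log, statement):
    """Summarise what the independent record reveals about the local one."""
    missing = unexplained_debits(local_log, statement)
    return {
        "unexplained_refs": [d.ref for d in missing],
        "unexplained_total_usd": sum(d.amount_usd for d in missing),
        "violations": policy_violations(statement),
    }


if __name__ == "__main__":
    report = reconcile(LOCAL_OUTBOUND_LOG, CORRESPONDENT_STATEMENT)
    for ref in report["unexplained_refs"]:
        print(f"no local record for debit {ref}")
    print(f"unexplained total: USD {report['unexplained_total_usd']:,}")
    for rule, subject in report["violations"]:
        print(f"policy violation {rule}: {subject}")
```

The design point is where the second record comes from: if the statement is fetched through the same Swift host that was compromised, the attackers can alter it too, which is exactly what the doctored Fed balance achieved. A statement received over a separate channel (a different host, a phone confirmation, a file from the correspondent) is what gives the comparison its value, and a nightly run on that data would have surfaced the five unexplained debits before the weekend.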


Magnitude of the theft

It was only a few strokes of good luck that kept the heist from being far worse. On Thursday, Feb. 4 — the day before Bin Huda noticed that the Swift software had crashed — five payment orders went through without triggering an alarm: a $20 million deposit for the Shalika Foundation, an agricultural NGO in Sri Lanka that had an account at Pan Asia Bank, and four for individual accounts at the Jupiter branch of Rizal Commercial Banking Corporation near Manila. They didn’t clear instantaneously: Fedwire, a Fed-run service for 5,300 clients, enables participants to transfer cash to one another in seconds, but neither of those banks was a member of Fedwire. So the Fed instead began steering the payments to several “correspondent banks” — typically, large commercial institutions that serve as intermediaries between the Fed and smaller banks that aren’t part of its network. In this case, Deutsche Bank had a financial relationship with the bank in Sri Lanka; and the Bank of New York Mellon, Citibank and Wells Fargo dealt regularly with R.C.B.C. When these banks’ automated systems also failed to pick up anything suspicious, the orders were processed.

But the next 30 payment orders, totaling $850 million, were held up by a fortunate coincidence. Representative Carolyn B. Maloney, a senior member of the House Financial Services Committee, says that the automated system flagged the word “Jupiter,” the name of the R.C.B.C. bank branch to which the Swift order was addressed, because it happened to match the name of a totally different business on a sanctions list: Jupiter Seaways Shipping, an Athens-based firm that was blackballed for evading sanctions against Iran. When Fed compliance officers took a close look at the orders, other irregularities became apparent. According to the former Philippine senator Sergio Osmeña III, who later examined the transactions as part of his nation’s investigation into the heist, the payments bore the addresses of the same four account holders in the R.C.B.C. Jupiter branch. “If it hadn’t been for the quick action of someone at the central bank in New York, an additional $900 million would have been lost,” Maloney says.
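Two controls stopped the remaining $850 million: a coarse sanctions screen that matched a single word of the beneficiary bank's address, and a human who then noticed the same account holders recurring across the batch. The script below is an added example written for this article, not the Fed's screening engine or any vendor's product; it shows both checks as automated rules on a constructed batch of orders. The sanctions list holds the one name quoted in the text plus an obviously labelled placeholder, and the account numbers, names and amounts are made up.

```python
"""Token-level sanctions screening plus repeated-beneficiary detection.

Added example (not from the article or any screening product). The list,
orders and account identifiers are constructed; a real deployment loads
the OFAC, EU and UN lists and feeds hits into manual review.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentOrder:
    ref: str
    amount_usd: int
    beneficiary_account: str
    beneficiary_name: str
    beneficiary_bank: str   # free-text bank and branch, as in MT103 field :57:


# Constructed list: the entry named in the article plus a placeholder.
SANCTIONS_LIST = [
    "Jupiter Seaways Shipping",
    "Placeholder Blocked Entity",
]

# Words so common in bank addresses that matching on them would hold everything.
GENERIC = {"bank", "branch", "shipping", "trading", "company", "co",
           "ltd", "inc", "corp", "corporation", "the"}


def tokens(text):
    """Distinctive lower-case words of a free-text field."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower())
            if len(t) >= 4 and t not in GENERIC}


# Map each distinctive word of each list entry back to the entry it came from.
SANCTIONED_TOKENS = {tok: name for name in SANCTIONS_LIST for tok in tokens(name)}


def sanctions_hits(order):
    """(token, list entry) pairs shared between the order's free text and the list.

    Deliberately coarse, as the real screen was: a false positive costs a
    manual review, a false negative costs the money.
    """
    fields = f"{order.beneficiary_name} {order.beneficiary_bank}"
    return sorted((tok, SANCTIONED_TOKENS[tok])
                  for tok in tokens(fields) if tok in SANCTIONED_TOKENS)


def repeated_accounts(orders, min_count=2):
    """Beneficiary accounts that recur within one batch of outgoing orders."""
    counts = Counter(o.beneficiary_account for o in orders)
    return {acct for acct, n in counts.items() if n >= min_count}


def screen_batch(orders):
    """Hold every order with a sanctions hit or a recurring beneficiary.

    Returns {ref: [reasons]} for the held orders only.
    """
    repeats = repeated_accounts(orders)
    held = {}
    for o in orders:
        reasons = [f"sanctions:{entry}" for _, entry in sanctions_hits(o)]
        if o.beneficiary_account in repeats:
            reasons.append(f"repeated_account:{o.beneficiary_account}")
        if reasons:
            held[o.ref] = reasons
    return held


# Constructed batch: four orders to one branch, one account used twice,
# and one unrelated legitimate payment that must pass.
BATCH = [
    PaymentOrder("BB160204X01", 25_000_000, "PH-ACCT-0001", "Account holder one",
                 "RCBC Jupiter Street Branch, Makati City"),
    PaymentOrder("BB160204X02", 30_000_000, "PH-ACCT-0002", "Account holder two",
                 "RCBC Jupiter Street Branch, Makati City"),
    PaymentOrder("BB160204X03", 6_000_000, "PH-ACCT-0003", "Account holder three",
                 "RCBC Jupiter Street Branch, Makati City"),
    PaymentOrder("BB160204X04", 20_000_000, "PH-ACCT-0001", "Account holder one",
                 "RCBC Jupiter Street Branch, Makati City"),
    PaymentOrder("BB160204L05", 2_400_000, "XX-ACCT-9001", "Legitimate supplier",
                 "Some Correspondent Bank, Frankfurt"),
]

if __name__ == "__main__":
    for ref, reasons in screen_batch(BATCH).items():
        print(f"HOLD {ref}: {', '.join(reasons)}")
```

The word-level match is what produced the lucky "Jupiter" hit in the real case, and the same coarseness is why such screens generate review queues; the repeated-account rule is the automated form of what Senator Osmeña's investigators later saw by eye. Either rule alone would have held at least some of the 30 orders; together they hold everything addressed to the branch and leave the unrelated payment untouched.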

Then one of the first five transactions — those that had initially cleared — ran aground, too. An alert clerk at the small bank in Sri Lanka noticed something that the global players had not: The payment was unusually large for such a small NGO. The clerk held the $20 million order and went to Deutsche Bank for clarification. Deutsche Bank took a closer look and discovered that the word “Foundation” had been misspelled. Suspicious, Deutsche Bank contacted Bangladesh Bank, which sent a stop-payment order.

This left four payments, totaling $81 million, that went through — an enormous bank job by any metric (by contrast, the most recent large-scale cyberheist, when hackers hit India’s City Union Bank in February 2018, reaped about $1.5 million) and an enormous blow to the global financial system. “What struck me the most was that this action struck at trust in the international banking system,” Representative Maloney says. “And if you can’t trust international banking, then international commerce could grind to a halt.”

Yet when it came to the Bangladesh heist, transferring the cash was only the first part of the scheme. It was one thing to use malicious software to tunnel into the bank’s Swift network and send out dozens of phony transfer orders to banks around the world. It was quite another to turn that digital cash into real money and then make it disappear.

Who's to Blame?

Aside from the hackers themselves? Bangladesh Bank blames the Federal Reserve Bank of New York for allowing the money transfers to go through instead of waiting for confirmation from Bangladesh. The New York Fed counters that it contacted the bank to question and verify dozens of suspicious transfers and never got a response. New York Fed officials said that workers followed the correct procedures in approving the five money transfers that went through and blocking 30 others.

Bangladesh Bank says the Fed bank should have blocked all money transfers until it got a response on the ones it deemed suspicious.

Relationship with other cyber thefts

Who had the expertise and the audacity to carry out such a heist? Weeks after the crime, Bangladesh Bank hired FireEye, the U.S. cybersecurity firm, to investigate. FireEye signed a nondisclosure agreement with the bank and has declined to discuss specifics, but some of the bank’s findings have leaked out, and other cybersecurity firms have drawn their own conclusions from publicly available evidence.

The analysts compared some of the tools used with those employed in two other notorious cyberattacks: the November 2014 hack of Sony Pictures, when a group calling itself the Guardians of Peace released embarrassing emails and salaries and wiped out many of Sony’s servers; and “Dark Seoul,” a March 2013 hack that disabled internet servers at three South Korean banks and froze computers at two South Korean broadcasters. (The base code, Nish says, was also the same one used in the WannaCry ransomware attack in May 2017, in which hackers paralyzed more than 200,000 computers around the world and demanded Bitcoin payments to unfreeze them.) All these operations, the experts concluded, bore the markings of what the security firms called the Lazarus Group — a shadowy organization that U.S. intelligence experts say is most likely affiliated with North Korea. Harsh economic sanctions have left the dictatorship struggling with nationwide food shortages and inching ever closer to a nuclear confrontation. At an Aspen Institute panel last March, the National Security Agency deputy director Richard Ledgett mentioned the findings of the cybersecurity firms and said that they could indicate a new level of North Korean criminality. “If that linkage is true, that means a nation-state is robbing banks,” he said. “That’s a big deal; it’s different.”

The New York Times has reported that North Korea is believed to maintain a network of about 1,700 computer hackers around the world, aided by 5,000 trainers, supervisors and other support staff. Many operations are aimed at harvesting intelligence from South Korea; others, as in the case of Sony, are intended to avenge slights, and others to reap financial gain. North Korean hackers have become especially adept at targeting the weak links in the financial system: banks in developing nations, especially those in Southeast Asia. “They are easy prey,” says Vitaly Kamluk of Kaspersky Lab, which found Korean-language coding embedded in some Lazarus Group malware and claims it definitively linked the Lazarus Group to North Korea, through an I.P. address that the group briefly used during a wave of attacks in Europe and Central America in 2017. “These central banks often cannot afford good security, good software, or hire a proper specialist to configure their network,” Kamluk says. “They are low-hanging fruit.”

Although gambling is strictly prohibited inside the country, North Korean leadership has a well-documented interest in the casino industry. The country has been suspected of running online casinos and, according to news reports, has been seeking $20 million from foreign investors to launch a luxury liner and casino that would cruise to Vladivostok and ports in Southeast Asia.

Since the heist, Philippine authorities have managed to recover about one-fifth of the missing money for Bangladesh Bank. Wong turned over $15 million, and the Bautistas, suspected by the Senate of walking away with $17 million but still denying wrongdoing, offered to pay $200,000, but the Bangladeshis rejected the money. The rest is probably gone for good. Gone, too, are the shadowy casino-junket operators from mainland China, Ding and Gao, who in February apparently boarded charter flights from Manila to Macau. A former Portuguese colony, Macau has long been an important financial conduit between North Korea and the outside world.
