A billion dollars is an absurd amount of money—it’s hard for humans to wrap their heads around the significance of that many zeros. But a lot of people would be willing to do some pretty bad things to get their hands on that kind of cash.
In the 2016 heist of Bangladesh Bank, the country’s central bank, a billion dollars was at stake. However, there were no guns, no balaclavas, no getaway drivers, and no bags with dollar signs emblazoned on the side—none of the tropes that make an exhilarating heist film.
Instead, it was one of the boldest hacks of all time.
How do you steal a billion dollars?
It started with an expert team backed by nation-state-level resources. They had intimate knowledge of the SWIFT banking network, elite malware-development skills, the financial wizardry needed to launder the money, and a host of other skills.
In 2015, a year before the heist, a number of bank accounts were set up in the Philippines under fake names. You can’t just steal that kind of money, drop it into your personal account and hope for the best. You need to plan an elaborate money-laundering scheme before the heist even begins so that you can quickly make the cash disappear before the authorities have a chance to stop it.
The next step was planting malware on Bangladesh Bank’s systems. According to a report from BAE Systems, the attackers created custom malware capable of initiating unauthorized SWIFT messages, the standardized interbank messages used to instruct money transfers. The malware could also cover its tracks: Bangladesh Bank normally prints receipts of SWIFT transfers, and the malware was able to doctor those receipts to hide the fraudulent transactions.
The heist began on Feb 4, 2016. The malware made a series of fraudulent requests asking the Federal Reserve Bank of New York to transfer a total of around $1 billion out of Bangladesh Bank’s account. It forged the receipts in Bangladesh Bank’s headquarters, allowing the transfers to go undetected by staff.
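The receipt doctoring described above worked because the bank’s only record of what had been sent was a record the malware could rewrite. The check below is an added illustration, not code from the article or from any bank or SWIFT software, of the two controls that close that gap: reconciling the local receipts against the counterparty’s independent confirmation of what was actually executed, and hash-chaining the local log at write time so that later edits or deletions are detectable. All transfer references, beneficiaries and amounts are constructed sample values.

```python
"""Reconciliation and tamper-evidence checks for an outbound transfer log.

Two independent records are compared:
  * local receipts     - what the bank's own systems say was sent (malware can rewrite these)
  * counterparty report - what the correspondent bank confirms it actually executed

Constructed sample data; no real transactions or accounts are represented.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    ref: str          # message reference
    beneficiary: str  # receiving account label
    amount: int       # whole currency units


def canonical(t: Transfer) -> str:
    """Stable serialisation so the same transfer always hashes identically."""
    return json.dumps({"ref": t.ref, "beneficiary": t.beneficiary, "amount": t.amount},
                      sort_keys=True)


def chain_hashes(entries: List[Transfer]) -> List[str]:
    """Hash-chain the log: each digest covers the entry and the previous digest,
    so editing or deleting one entry changes every digest after it."""
    prev = "0" * 64
    digests = []
    for t in entries:
        prev = hashlib.sha256((prev + canonical(t)).encode()).hexdigest()
        digests.append(prev)
    return digests


def first_tampered_index(entries: List[Transfer], digests_at_write_time: List[str]) -> int:
    """Recompute the chain over the log as it exists now and compare it with the
    digests recorded (and stored off-host) when each entry was written.
    Returns the index of the first entry that no longer matches, or -1 if intact."""
    recomputed = chain_hashes(entries)
    for i in range(max(len(recomputed), len(digests_at_write_time))):
        if i >= len(recomputed) or i >= len(digests_at_write_time):
            return i  # one side is shorter: entries were appended or deleted
        if recomputed[i] != digests_at_write_time[i]:
            return i
    return -1


# (kind, reference, amount per local receipts, amount per counterparty report)
Finding = Tuple[str, str, Optional[int], Optional[int]]


def reconcile(local_receipts: List[Transfer], counterparty_report: List[Transfer]) -> List[Finding]:
    """Flag transfers the counterparty executed that the local receipts omit or
    misstate, and local receipts for transfers the counterparty never executed."""
    local = {t.ref: t for t in local_receipts}
    remote = {t.ref: t for t in counterparty_report}
    findings: List[Finding] = []
    for ref, r in remote.items():
        l = local.get(ref)
        if l is None:
            findings.append(("MISSING_LOCALLY", ref, None, r.amount))
        elif (l.amount, l.beneficiary) != (r.amount, r.beneficiary):
            findings.append(("MISMATCH", ref, l.amount, r.amount))
    for ref, l in local.items():
        if ref not in remote:
            findings.append(("NOT_EXECUTED", ref, l.amount, None))
    return sorted(findings, key=lambda f: (f[0], f[1]))


# Constructed sample: what actually went out over the wire, as the
# correspondent bank later confirms it executed.
SENT_MESSAGES = [
    Transfer("TX-001", "Supplier A", 250_000),
    Transfer("TX-002", "Supplier B", 120_000),
    Transfer("TX-003", "Unknown account", 5_000_000),  # injected by the malware
    Transfer("TX-004", "Unknown account", 900_000),    # injected by the malware
]
# Digests computed as each entry was written and shipped to a separate system.
DIGESTS_AT_WRITE_TIME = chain_hashes(SENT_MESSAGES)

# Constructed sample: the doctored local receipts, with TX-003 deleted and
# TX-004 rewritten to look like an unremarkable supplier payment.
DOCTORED_RECEIPTS = [
    Transfer("TX-001", "Supplier A", 250_000),
    Transfer("TX-002", "Supplier B", 120_000),
    Transfer("TX-004", "Supplier C", 10_000),
]

if __name__ == "__main__":
    for finding in reconcile(DOCTORED_RECEIPTS, SENT_MESSAGES):
        print("reconciliation:", finding)
    print("first tampered log index:", first_tampered_index(DOCTORED_RECEIPTS, DIGESTS_AT_WRITE_TIME))
```

The two checks catch different things. Hash chaining only detects edits made after an entry was written; messages the malware injects through the legitimate path are chained like any other and look intact. Reconciliation against the counterparty’s own report catches those, because the counterparty’s record is not on the compromised host, which is why the confirmation has to arrive over a channel the bank’s local systems cannot alter.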
However, a spelling mistake caused many of the transfers to be held up for review. Only a handful were approved, with $20 million sent to Sri Lanka and $81 million going to the accounts in the Philippines.
One of the most cunning aspects of the attack was the timing. The Federal Reserve Bank of New York began receiving the fraudulent transfer requests on a Thursday, but it was already the weekend in Bangladesh, which follows a different workweek. By the time Bangladesh Bank reopened on Sunday, it was the weekend in New York. On Monday, it was Chinese New Year in the Philippines, where most of the cash had been sent. This gave the attackers four days in which mostly skeleton crews were watching over the transfers, giving them a greater chance of slipping the cash through.
While the cash sent to Sri Lanka was eventually recovered, most of the money sent to the Philippines was converted into pesos and then laundered through the country’s casinos. Once it had been gambled, most of it could no longer be traced.
The attack fell well short of the $1 billion that was requested, but had it not been for the spelling error, Bangladesh Bank could have faced a far more severe outcome. Even so, the tens of millions that went unrecovered were a tremendous payday for the attackers and a huge loss for the Bangladeshis.
Who did it?
While it’s hard to give a definite answer, signs point toward North Korean involvement. The attack was sophisticated, indicating that it likely had nation-state backing. There also appear to be links between the Bangladesh Bank hack and the 2014 attack on Sony, which was also attributed to North Korea. It’s always possible that another hacking group used specific tools and techniques in an attempt to frame North Korea for the crime, but this seems less likely.
Defending your organization from such a capable and well-resourced group is a huge challenge. They can develop custom tools, have a wide range of skills, and even have the money to bribe insiders to help them gain the footholds they need.
One of the few saving graces is that these attacks are relatively rare and expensive to launch, so they tend to be aimed only at high-value targets. Such organizations must take their security seriously and allocate sufficient resources to defend their assets. If they don’t recognize that such sophisticated attacks are possible, they could be next.