Bangladesh’s central bank is forming a special team to investigate the theft of U.S. $101 million from one of its overseas accounts – the largest bank heist in the country’s history – a top official said Friday.
The Bangladesh Bank (BB) has appointed Rakesh Astana, managing director and CEO of World Informatix, a U.S.-based cybersecurity firm to lead the investigation, A.F.M. Asaduzzaman, a general manager at the bank, told BenarNews.
The team headed by Astana, a former World Bank official who has worked on previous projects with the Bangladeshi central bank, “will find out whether there are any faults in the bank’s cyber system, who stole the money and how to get the money back,” Asaduzzaman said.
“They will also build up a firewall to protect the future banking system,” he added.
Such a heist could not have succeeded without some kind of “collusion” between the cyber thieves and insiders at the central bank, former BB Gov. Mohammed Farashuddin told BenarNews.
“What I can simply say that it is not possible without the help of the internal people. They had collusion with the thieves,” Farashuddin said.
He pointed to information obtained about a closed-circuit television camera being switched off in the office of the unit that manages foreign currency “when the authorization for the payments was issued to the Federal Reserve Bank,” Farashuddin added during an interview Friday.
A day earlier, the central bank’s executive director confirmed that more than $100 million had been stolen from an account with the Federal Reserve Bank of New York through an unauthorized international money transfer.
BB Executive Director Subhankar Saha also confirmed a report that hackers had intended to steal close to U.S. $1 billion in total, but an attempted wire transfer of U.S. $870 million was blocked.
“The American bank contacted us as to whether we asked for such a big payment. And we told them that we had not ordered it,” Saha told reporters in Dhaka.
For its part, the New York Fed said it was assisting Bangladesh’s central bank in figuring out how the money was stolen.
“To date, there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised,” a New York Fed spokesperson told BenarNews in an email earlier this week.
“The payment instructions in question were fully authenticated by the SWIFT messaging system in accordance with standard authentication protocols.”
SWIFT code leaked?
According to officials at the central bank who spoke on condition of anonymity, the hackers tried to steal up to U.S. $1 billion held in the account at the New York Fed. They were able to steal U.S. $101 million by falsifying international money transfer orders.
The $101 million was stolen on Feb. 4, with $81 million sent out in four tranches to the RCBC bank in the Philippines, while the remaining $20 million went in one tranche to a bank in Sri Lanka, the unnamed officials told BenarNews.
However, the discovery of a spelling mistake in the transfer order destined for Sri Lanka aroused the suspicion of central bank officials when they got a call from a foreign bank seeking verification of specific information.
That led to BB officials blocking thieves’ later attempts to steal another $870 million through 35 other unauthorized transfers, the officials said.
The transfers appeared to have been authorized through genuine payment orders placed by the central bank. The orders were arranged in a way that the bank usually does, using SWIFT codes and other confidential information, so that central bank and New York Fed officials would not suspected them as fake, the officials told BenarNews.
The typo that led to the theft being discovered was the misspelling of a Sri Lankan NGO’s name to which the transfer of $20 million was made. The hackers had misspelled the word “foundation” in the NGO’s English name.
According to Bangladeshi banking expert Mamunur Rashid, the money transfers could only have been executed using the central bank’s genuine SWIFT code.
“When you enter my SWIFT code, the system would assume that I am Mamunur Rashid accessing the system. But we have to see whether the Bangladesh Bank system allows someone to access the system from the outside,” Rashid, the former head of Citibank in Bangladesh, told BenarNews, suggesting that someone may have leaked information about the unique code that is used for transfers between banks.
Jesmin Papri in Dhaka contributed to this report.