Typo trips the alarm in $101M cyber bank heist

Kara Scannell and Victor Mallet
Typo prevents a $101M cyber bank heist
Typo prevents a $101M cyber bank heist

A $101 million cyber heist has left central bank officials from Bangladesh to New York arguing over what may be one of the largest and most audacious bank raids in history.

Hackers allegedly breached the Bangladesh central bank's security system and then masqueraded as Bangladeshi officials to submit a series of requests for the New York Federal Reserve to transfer large tranches of money from its account there.

Bangladesh Bank told the Financial Times last night that a total of $101 million was wrongly transmitted, of which $20 million went to a Sri Lankan bank. It was this last payment that raised suspicions over the authenticity of the transfers.

"The Sri Lankan bank did not disburse it immediately and we could recover the full amount. The remaining $81m was transmitted to a few accounts of a Philippine bank," the central bank said. Anti-money laundering authorities in the Philippines were co-operating with Bangladesh and had already frozen the relevant bank accounts, it added.

More from

Health care sector warned against hack attacks
One in four companies hit by cyber attack
How companies are hit by email scams

An experienced cyber expert, who had worked at the World Bank and is currently employed as an "IT governance specialist" on a Bangladesh Bank project, was investigating the case with his forensic team, the central bank said. "We have confidence the stolen funds will be recovered in full."

Central banks are ripe targets for criminal groups given the potential windfall they can make if just one of their attempts succeeds.

While the money may ultimately be recovered there is a growing dispute over who is to blame for allowing the transfers.

Abul Maal Abdul Muhith, Bangladesh's finance minister, told reporters in Dhaka this week that his government was considering filing a case against the New York Fed and that he was also surprised by the failure of his own country's central bank to report the crime.

He said that the Fed officials "cannot avoid their responsibility in any way", and added that he first learned of the scam from press reports. "Bangladesh Bank authorities did not inform [us] of the matter," he said.

A spokesperson for the NY Fed said, however, that its systems were not hacked and the transfers were made after it followed protocol.

Bangladesh central bank says U.S. account hacked; Fed denies breach

"To date, there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised."

The Fed spokesperson added, "The payment instructions in question were fully authenticated by the SWIFT messaging system in accordance with standard authentication protocols. The Fed has been working with the central bank since the incident occurred, and will continue to provide assistance as appropriate."

Other transfers were reportedly attempted, but were ultimately stopped before $1bn could be stolen from the account.

Bangladesh banking officials told Reuters that the cyber criminals were ultimately stopped when they made a spelling mistake in one of their transfer instructions. The hackers misspelled the name of a Sri Lankan non-governmental organisation, writing "foundation" as "fandation". That prompted a routing bank to query the transaction and led to the crime being stopped, Reuters reported.

Criminal organisations have made a business of "spoofing" email accounts and impersonating individuals, company executives and others into transferring money offshore. Cyber criminals have targeted the US financial sector in the past.

JPMorgan Chase was hacked in 2014 and last year US authorities announced charges against several individuals who were allegedly involved in a securities fraud scheme. US prosecutors have also charged a UK citizen for hacking into the Federal Reserve and stealing sensitive personal information and other US government agencies. Those charges are still pending.