In February of 2016 thirty five fraudulent orders were sent over the SWIFT network, a telecommunications system linking financial institutions used to exchange information on transactions, to transfer a total of US $1 billion from the Bangladesh Bank’s account with the New York Federal Reserve Bank. Thirty of those orders were stopped for review and cancelled, but five orders totaling US $101 million were completed. US $20 million was transferred to a company in Sri Lanka while US $81 million was routed to the Rizal Commercial Banking Corporation (RCBC) in the Philippines. The attack was attributed to members of North Korea’s Bureau 121, also known as Lazarus Group, Bluenoroff, APT38, and several other names.
The attackers may have begun planning the February 2016 heist in October of 2014 when, according to FireEye, the North Korean hackers first began conducting online research on banks in Bangladesh. By January 2015 attention was turned to the Bangladesh Bank and the first phishing emails were sent the next month. A series of phishing email campaigns and escalations were conducted targeting the Bangladesh Bank with malware resulting in access to the SWIFTLIVE system by January 2016, paving the way for the next month’s attack.
(Technical details of the attack are contained not only in cyber threat intelligence reporting but also in the Department of Justice’s indictment of North Korean hacker Park Jin Hyok.)
Simultaneous with the cyber campaign, actions were being taken to pave the way for the exfiltration and laundering of the stolen funds. A possibly fraudulent account was opened with the RCBC possibly in July 2014 followed by five more clearly fictitious accounts ten months later. On the day of the attack, stolen funds were routed through RCBC accounts with Wells Fargo, the Bank of New York Mellon, and Citibank before being transferred to the Philippines. The details of how the money was laundered upon arriving in the Philippines were contained in the Bangladesh Bank’s lawsuit against RCBC for their involvement in the heist.
The money, which arrived as US dollars, was rapidly transferred from the initial accounts before requests to lock the accounts by Bank of Bangladesh were received by RCBC. The funds were used to purchase Filipino Pesos to hamper tracking efforts before an RCBC branch manager, named in the complaint filed by Bangladesh Bank, finally reported a suspicious transfer on February 11th. According to the complaint, the stolen funds were then used to purchase chips in casinos, a time-proven money laundering technique.
Given the multitude of cyber-enabled money laundering techniques available, including cryptocurrencies and online game economies (which would function similarly to purchasing casino chips), the comparatively analogue manner in which the spoils of one of the largest cyber-heists to date was laundered is remarkable. An additional point of interest is the lawsuit brought by Bank of Bangladesh against RCBC for their role in the laundering operation, a case which has the potential to impact how liability could be applied to those who operate mediums used for cyber-enabled money laundering.
February 2014: First known activity by the group of DPRK hackers known as APT 38 (also called the Lazarus Group or TEMP.Hermit), the group which included Park Jin Hyok and to which most of the SWIFT system attacks has been attributed. (Source: FireEye.)
July 2014 – RCBC opens a Philippine peso account in the name of William So Go. The legitimacy of the account is questionable (it was used normally prior to the heist, though Go denies having opened the account. A fraudulent U.S. dollar account was later made under his name as a part of the heist). (Source: Bangladesh complaint.)
October 7-8, 2014 – DPRK hackers begins online reconnaissance regarding specific banks in Bangladesh. (Source: Park Jin Hyok indictment.)
January 12, 2015 – Unidentified hackers use the SWIFT system to transfer money from the Banco del Austro in Ecuador to bank accounts in Hong Kong. While the attack has not been attributed, FireEye has linked it to the DPRK and the Lazarus Group. (Source: FireEye.)
January 27, 2015 – DPRK hackers conduct online research about a specific Bangladesh Bank email address and employee (who was subsequently targeted in the Feb. 23, 2015 spear phishing attacks), along with general research about the Bangladesh Bank and bankers in Bangladesh. (Source: Park Jin Hyok indictment.)
January 29, 2015 – DPRK hackers conduct online research about cover letters and hacking-related topics such as PDF exploits and certain CVEs (Source: Park Jin Hyok indictment.)
- firstname.lastname@example.org, an email address controlled by the DPRK hackers, sent 10 messages to 16 different employees of the Bangladesh Bank, purportedly seeking employment opportunities with links to malware.
February 23, 2015 – email@example.com sent two email messages to 10 recipients at Bangladesh Bank with links to malware. (Source: Park Jin Hyok indictment.)
March 2015 – DPRK hackers moved within the Bangladesh Bank network and saved a backdoor that communicated over a custom binary protocol designed to look like TLS traffic. The malware was capable of performing file transfers, creating .zip archives, and executing certain files. (Source: Park Jin Hyok indictment.)
May 15, 2015 – Five fictitious accounts are created at Rizal Commercial Banking Corporation (RCBC) (collectively, the “fictitious accounts” and “fictitious beneficiaries”): (Source: Bangladesh complaint.)
- U.S. dollar account in the name of Michael Francisco Cruz, with a deposit of $500
- U.S. dollar account in the name of Jessie Christopher M. Lagrosas with a deposit of $500
- U.S. dollar account in the name of Alfred Santos Vergara, with a deposit of $500
- U.S. dollar account in the name of Enrico Teodoro Vasquez, with a deposit of $500
- U.S. dollar account in the name of Ralph Campo Picache, with a deposit of $500
June 24, 2015 – By this date, firstname.lastname@example.org, an email address used by the DPRK hackers, had 37 emails of personnel at the Bangladesh Bank saved in its address book. (Source: Park Jin Hyok indictment.)
August 11-12, 2015 – email@example.com, another email address used by the DPRK hackers, sends spear phishing emails to multiple banks in Bangladesh. (Source: Park Jin Hyok indictment.)
October 2015 – DPRK hackers conduct online research regarding the Bangladesh Bank and another bank in Bangladesh targeted with spear phishing attacks. (Source: Park Jin Hyok indictment.)
December 8, 2015 – RCBC opens accounts denominated in the Philippine peso for the fictitious beneficiaries (Source: Bangladesh complaint.)
- These accounts lacked initial deposits and were never used in the heist.
December 8, 2015 – A failed hacking attempt on Tien Phong Bank (TPBank) in Vietnam using the SWIFT messaging system occurs. The attack was later attributed to the DPRK. (Source: Reuters.)
January 29, 2016 – DPRK hackers engage in a number of lateral movements within the Bangladesh Bank’s system, including to the SWIFTLIVE system. (Source: Park Jin Hyok complaint).
February 4, 2016 – The Bangladesh Bank heist occurs: following the close of business of the Bangladesh Bank on Thursday (i.e., the beginning of the weekend for the bank), from 8:36pm through 10:30pm local time (9:55am to 11:30am EST), DPRK hackers send 36 fraudulent payment orders for nearly $1 billion to the New York Fed.
Only 1 order included intermediary bank routing information (a payment for $20 million routed to the “Shalika Fundation” in Sri Lanka, which was flagged). The other 34 were rejected by the New York Fed for missing this information, prompting the hackers to update and resend the instructions between 11:30pm and 1am (Feb. 5) local time (12:30pm to 2pm EST). One instruction was omitted from this second batch. (Source: Bangladesh complaint.)
February 5, 2016 –The Bangladesh Bank heist continues in Philippine local time. The DPRK hackers logged out of the SWIFT system at 3:59am, prompting malware to begin deleting files to hide evidence of the heist. (Source: Park Jin Hyok indictment.)
The New York Fed executed four of the payment orders (on Feb. 4 EST). The funds were routed to correspondent accounts held by the RCBC at Wells Fargo, the Bank of New York Mellon, and Citibank using the Fedwire system. The Fedwire system allowed for an immediate transfer from the New York Fed to the correspondent accounts, enabling RCBC to transfer the funds to the Philippines on the same business day. (Source: Bangladesh complaint.)
Between 11:30pm and 12:00pm: Kam Sin Wong (the owner of Eastern Hawaii Leisure) calls Maia Santos Deguito (the branch manager of RCBC’s Jupiter branch) to ask whether a deposit had been transferred into the Cruz account. Wong implied during the call that he had been told to expect the funds by Lorenzo Tan, the President and CEO of RCBC.
- Cruz account receives $6,000,029.12
- Lagrosas account receives $30,000,028.79
- Vergara account receives $30,000,028.79
- Vasquez account receives $19,999,990.00
- Picache account does not receive money ($170 million in fraudulent payment instructions were intended for the account, but the instructions were not executed by the New York Fed.)
2:51pm: Michael Bautista (co-owner of Philrem) initiates the process of purchasing $13,500,000 pesos from RCBC’s Treasury. Philrem’s involvement was to make it difficult to trace the source and flow of the funds, and to act as a “clearing house” for the funds. (Source: Bangladesh complaint.)
3:00pm: Deguito opens a fraudulent U.S. dollar account in the name of William So Go, doing business as Centurytex Trading; at 3:13pm, $22,735,000 is withdrawn from the Lagrosas account through a “cash withdrawal” (despite the branch not having that much cash on hand) and deposited into the Centurytex account. The Centurytex account then made two transfers of $14,200,000 and $500,000 to Philrem’s dollar account at RCBC’s Unimart branch, which subsequently made two transfers of $13,500,000 and $500,000 to its peso account. (Source: Bangladesh complaint.)
By 7:00pm: RCBC requests a delivery of 20 million pesos in cash (approximately $380,000) to be delivered to the Jupiter branch from the Makati Cash Center. The cash is then withdrawn from the Centurytex account and hand-delivered to someone identified as “William So Go.” The CCTV system at RCBC’s Jupiter Branch was not working during this time, making it impossible to identify to whom this money was actually given. (Source: Bangladesh complaint.)
6:45pm-7:04pm: A hold is briefly placed on the Centurytex account but is lifted within 45 minutes (around 7:29pm) by RCBC management. (Source: Bangladesh complaint.)
At some point on February 5, Bangladesh bank personnel shut down their server. (Source: Park Jin Hyok indictment.)
February 6, 2016 – Lazarus Group malware is intended to delete the stored records of messages on the SWIFT server; due to the server shutdown the previous day, the malware fails to execute. (Source: Park Jin Hyok indictment.)
February 7, 2016 – Someone, likely from RCBC’s Head Office, logs RCBC out of the SWIFT system. (Source: Bangladesh complaint.)
February 8, 2016 – Due to the Chinese New Year, a Philippine holiday, RCBC remained closed over a long weekend. The Bangladesh Bank sends SWIFT messages to RCBC requesting stop payments to the Vazquez, Vergara, and Lagrosas accounts and for RCBC to freeze the three accounts. (Source: Bangladesh complaint.)
February 9, 2016 – RCBC logs back into the SWIFT system and reviews the stop payment and hold messages, which RCBC claims were forwarded to the Jupiter Branch at 10:59am. Throughout the day on Feb. 9:
- $58.2 million are withdrawn from the fictitious accounts, draining them.
- $42.9 million is deposited into the Centurytex account
- $15.2 million is deposited in the Philrem account.
Also throughout the day, Bautista begins the process of converting the money into the Philippine peso. RCBC initiated a series of transactions to move portions of the money into different accounts. (Source: Bangladesh complaint.)
3:31pm: RCBC places a hold on the fictitious accounts and sends a SWIFT message to the Bangladesh Bank, withholding the fact that the money had already been transferred from the accounts. (Source: Bangladesh complaint.)
February 10, 2016 – The Bangladesh Bank sends a stop payment for the fourth fictitious account (the Cruz account). RCBC continued with the process of transferring money and converting it into Philippine pesos. (Source: Bangladesh complaint.)
- Philrem transfers approximately 500 million pesos to Wong’s Eastern Hawaii leisure account
- Wong withdraws the funds and begins a complicated series of transactions using the funds.
February 11, 2016 – By 3:14pm, all the money from the fictitious accounts had been deposited into the Philrem account. Of the $81,001,617.12 stolen, $80,880,000 made its way into Philrem’s dollar account. $80,691,772 was converted into Philippine pesos and transferred to Philrem’s peso account, and then subsequently transferred to accounts at other banks. (Source: Bangladesh complaint.)
- Philrem transfers another 500 million pesos to the Eastern Hawaii Leisure account. Collectively, these transfers account for approximately $21,052,631.58 of the original funds.
6:35pm: Deguito finally files a suspicious transaction report, which is approved by RCBC’s Anti Money Laundering Department. No further action was taken by the AML Department. (Source: Bangladesh complaint.)
From February 5-March 10, 2016 – Philrem uses stolen funds to purchase $29,000,000 worth of non-negotiable Solaire Casino chips. The chips remained in play for multiple gaming sessions for over a month. (Source: Bangladesh complaint.)
- On March 10, Solaire Casino ends all the gaming sessions traceable to the original purchase. The casino confiscates 107,250,602 pesos worth of chips, along with 1,347,069 pesos worth of cash (approximately $2 million).
From February 5-13, 2016 – Philrem delivers a total of $30,639,141.63 to Weikang Xu (a Chinese national) through cash deliveries at the Solaire casino. (Source: Bangladesh complaint.)
- 100 million pesos of this cash was allegedly deposited at the Solaire Casino, while another 300 million was deposited at the Midas Casino (run by Wong), but it is unclear whether the money was converted to chips and played.
From February 11-26, 2016 – Eastern Hawaii Leisure begins a series of withdrawals to take and launder the funds. (Source: Bangladesh complaint.)
- 550 million pesos are transferred to a junket in Midas Casino and played until March 2, 2016, at which point only 40 million pesos remained.
October 2016: DPRK hackers begin watering hole attacks on government and media sites. (Source: FireEye.)
October 2017: Lazarus Group attacks the Taiwanese Far Eastern International Bank. (Source: Bloomberg.)
January-May 2018: Lazarus Group attacks the Mexican Bancomext. (Source: Bloomberg.)
May 2018: Lazarus Group attacks the Bank of Chile, siphoning funds to accounts in Hong Kong. (Source: Reuters.)