Bangladesh Sues Philippine Bank, Staff Over $81M Cyber Heist

By John Bechtel, Roni Toldanes, Kamran Reza Chowdhury, Karl Romano and Luis Liwanag

Philippine bankers conspired with North Korean hackers to steal U.S. $81 million from Bangladesh’s central bank in a daring cyber heist that spanned the globe three years ago, Bangladeshi government officials allege in a lawsuit filed in New York.

The Rizal Commercial Banking Corp. (RCBC) of the Philippines along with eight of its officers conspired with casino operators, Chinese citizens and the hackers to rob Bangladesh Bank funds kept in an account at the U.S. Federal Reserve Bank in New York, according to the suit filed late Thursday (Washington time).

The lawsuit over the February 2016 heist, whose tentacles stretched from the American financial capital to South and Southeast Asia, does not name any North Koreans but includes 25 “John Does” who may have been involved in money laundering as defendants.

“This litigation involves a massive, multi-year conspiracy to carry out one of the largest bank heists in modern history right here in New York City,” according to the 103-page complaint filed at the U.S. District Court in the Southern District of New York. “The conspiracy was seamless, with every complicated step plotted out in advance.”

The suit said “the conspirators included North Korean hackers” who had infiltrated the computers of Sony Pictures Entertainment, in California in 2014.

“Just like they did with Sony and tried to do with other banks, the North Korean hackers broke into Bangladesh Bank’s computer system,” the suit said, using the official name for the Bangladesh central bank.

“Before the North Korean hackers executed their fraudulent transfer of funds from the bank’s New York Fed account, they first used the same or similar tools and techniques to accomplish the well-publicized attack on Sony,” the lawsuit said.

And, to pull off the bank heist, “the North Korean hackers aligned with co-conspirators in the Philippines, most importantly, RCBC. … The conspirators used RCBC’s New York City correspondent accounts to receive the fraudulent transfers from the New York Fed,” it said.

A Bangladeshi official said U.S. officials cooperated in filing the lawsuit.

“As the money was stolen from the Federal Reserve Bank office in New York, we had to file the case in New York,” Abu Hena Mohd. Razee Hassan, chief of a Bangladeshi government financial intelligence unit tied to the central bank, told BenarNews. “We have signed an agreement with the Federal Reserve Bank for suing the RCBC and other people involved in the hacking.”

Bangladesh Bank seeks the return of the $81 million along with court costs and other unspecified damages.

The New York Fed and Bangladesh Bank officials issued a joint statement Friday afternoon.

“To further the recovery effort, the New York Fed and Bangladesh Bank have entered into a Resolution and Assistance Agreement where the New York Fed will provide technical assistance to Bangladesh Bank in its litigation against those who were complicit in the fraud to recover the stolen funds,” the statement said.

“That technical assistance includes, among other things, the New York Fed and Bangladesh Bank meeting jointly with the relevant agencies or parties in the Philippines to strongly encourage them to assist in the recovery of stolen funds.”

Bangladesh Bank conducts about 85 percent of its international transactions through the New York Fed. The lawsuit noted the Fed’s importance internationally.

“[T]he defendants struck at the heart of the global financial system by forming and carrying out a conspiracy and criminal enterprise that reached into the United States and robbed assets of the plaintiff that had been located in New York for decades and attacked the New York Fed, the very hub of the United States’ participation in financial markets and community,” the court document said.

Heist details

On Feb. 4, 2016, thieves hacked into the central bank’s computers and placed payment orders through its account at the New York Federal Reserve Bank, using an exclusive SWIFT code that allowed international wire transfers between banks. Slightly more than $81 million (6.77 billion taka) was sent to the RCBC in the Philippines while another $20 million (1.6 billion taka) went to a bank in Sri Lanka but was returned.

A spelling error cost the thieves millions more, according to Bangladeshi bank officials. The thieves had placed 35 payment orders in an attempt to steal up to $1 billion (83.6 billion taka). The world learned about the theft more than three weeks later, through a Philippine newspaper report on Feb. 29.

The lawsuit alleged that a conspiracy hatched over several months among the North Koreans, Philippine bankers and others to hack into the Federal Bank and to set up fake accounts to transfer the money. Ultimately, the money was laundered through Asian casinos and gambling junkets.

Kam Sin Wong (also known as Kim Wong) was among those tied to casinos named in the lawsuit. He returned a little less than $10 million (837.6 million taka) to the Philippines Anti-Money Laundering Council in March and April 2016.

In Dhaka, a Bangladesh Criminal Investigation Department (CID) official, who requested anonymity, said officials in the Philippines and other countries had not cooperated adequately with Bangladeshi authorities in investigating the robbery.

“Getting information from other countries is time consuming and difficult to some extent. But we have been in touch with the authorities of other countries. We get some evidence from the FBI,” he said. “We will try to finish the investigation soon so we can file a criminal case against the offenders.”

‘A virtual fireworks show of red flags’

The bank cyber heist occurred on a Thursday night (Bangladesh time) when the hackers placed payment orders to the fake accounts, the lawsuit alleges. The timing was important because the weekend in Bangladesh falls on Friday and Saturday, so the bank would be closed and the theft would go unnoticed.

The Bangladesh Bank alleges that the money ended up in four fictitious RCBC accounts, which had been opened nine months earlier with deposits of $500 each, and had no transactions prior to the theft. The first account received $6 million, the second $30 million, the third almost $20 million and the fourth $25 million. Within four days, all the money disappeared into other accounts.

A fifth account had been set up and was to receive $170 million but those payment orders did not go through.

The lawsuit alleged that RCBC had admitted that all accounts were fake and the bank and its senior personnel had full control of them.

“The details of the opening of these fictitious accounts and their operations set off a virtual fireworks show of red flags and alarms that would have warned the newest of banks, much less an experienced bank like RCBC with over five decades of operations, that the accounts involved serious improprieties, as any such bank with anti-money laundering and the related ‘Know Your Client’ procedures would have flagged,” the lawsuit said.

“But RCBC wasn’t looking for red flags. It was working with its co-conspirators.”

Earlier this month, Maia Santos Deguito, a former RCBC branch manager, was sentenced to up to 56 years and ordered to pay a fine of $109 million (9.1 billion taka) following her conviction on eight counts of money laundering. Deguito, the first person convicted of charges linked to the Bangladeshi cyber heist, was being used as a scapegoat by the Philippine judicial system, her lawyer said.

None of the other seven bankers named in the lawsuit have been charged. One defendant, former president and CEO Lorenzo V. Tan, resigned in May 2016.

Sharp rebuttal from RCBC

On Friday, RCBC’s lead attorney challenged the lawsuit, claiming the Bangladesh Bank should be liable for its errors and lapses in security protocols.

“RCBC had nothing to do with the theft of the funds and has cooperated fully with every investigation into the matter,” attorney Tai-Heng Cheng said. “This suit is nothing more than a blatant attempt by Bangladesh Bank to shift blame and cover up their own liability.”

“If the Bank of Bangladesh was serious about recovering the money, they would have pursued their claims three years ago and not wait until days before the statute of limitations,” Cheng added, stressing that the Bangladesh Bank was simply trying to shift the blame away from itself.

“We believe it is telling that they have concealed information from their own investigation and despite admitting their own culpability, continue to try to blame others,” he said.

Meanwhile, Mohammed Farashuddin, a former central bank governor and head of the Bangladesh government’s civil investigation on the cyber heist, welcomed the lawsuit.

“In my report I suggested filing lawsuit against the RCBC who are primarily responsible for the heist. The central bank of the Philippines has fined the RCBC for their proven complicity with the heist,” Farashuddin said. “Also, the RCBC manager was jailed.”

“The RCBC in no way can shrug off its responsibilities,” Farashuddin said.