In February 2016, the financial world was rocked by a cyber heist of unprecedented scale. Hackers, believed to be state-sponsored actors from North Korea, infiltrated the Bangladesh Bank’s computer systems and attempted to steal a staggering $1 billion USD from its reserves held in the Federal Reserve Bank of New York. This meticulously planned attack, dubbed the “Bangladesh Bank Heist,” exposed critical vulnerabilities in the SWIFT international payment system and served as a stark wake-up call to the ever-growing threat of cybercrime targeting financial institutions.

 

A Breach of Trust: The Attack Unfolds

 

The attackers, believed to be a group operating under the umbrella of North Korea’s Lazarus Group, launched a multi-pronged attack that exploited a combination of human error and technological shortcomings. The initial phase involved phishing emails, crafted to appear legitimate and originating from a known organization. These emails contained malicious attachments that, when opened by unsuspecting bank employees, installed malware on the bank’s network.

 

This malware, likely custom-designed for the attack, provided the attackers with a foothold within the bank’s system. Once established, they moved laterally, escalating privileges and gaining access to critical infrastructure, including the bank’s SWIFT credentials.

 

SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is a secure messaging system used by financial institutions around the world to send and receive payment instructions. These instructions, conveyed through standardized messages, ensure the smooth flow of money across borders. Access to SWIFT credentials essentially grants the power to manipulate these messages, potentially enabling fraudulent transfers.

Orchestrating the Heist: A Symphony of Fraud

 

Armed with stolen credentials, the attackers embarked on the next phase – the fraudulent transfer of funds. Over a period of several days, they used the SWIFT network to issue a series of payment orders, attempting to siphon off nearly $1 billion from the Bangladesh Bank’s account at the Federal Reserve Bank of New York.

 

These transfer orders, masquerading as legitimate transactions, were directed towards various beneficiary accounts in different countries. However, a seemingly innocuous typographical error in one of the beneficiary names proved to be a crucial turning point. The name “Rural Development Fund” in Sri Lanka was misspelled as “Rual Development Fund,” raising red flags at the receiving bank. This single error alerted officials at the Federal Reserve Bank of New York, prompting them to scrutinize the remaining transfer requests.

 

Immediate Action and International Scramble

 

The Federal Reserve Bank of New York, upon discovering the attempted heist, quickly contacted the Bangladesh Bank and halted most of the fraudulent transfers. However, due to the time difference and the decentralized nature of the SWIFT network, some of the transfers slipped through.

 

Approximately $81 million was transferred to fictitious accounts in the Philippines, while another $20 million was mistakenly sent to a legitimate bank account in Sri Lanka. These funds, however, were quickly withdrawn and laundered through a complex web of shell companies and financial institutions, making recovery extremely difficult.

 

The Aftermath: A Complex Investigation and Lingering Questions

 

The Bangladesh Bank heist triggered a global investigation involving Bangladesh, the United States, the Philippines, and Sri Lanka. Cybersecurity experts and forensic investigators delved into the attack, piecing together the hacker’s tactics and the vulnerabilities exploited. This investigation revealed a series of concerning shortcomings on multiple fronts.

 

The Bangladesh Bank was found to have inadequate cybersecurity measures in place. The bank lacked robust network segmentation, firewalls, and intrusion detection systems – critical defenses that could have prevented the initial malware infection and alerted officials to suspicious activity. Additionally, internal controls related to SWIFT transactions were deemed lax, allowing the attackers to manipulate messages without proper authorization checks.

 

The SWIFT network itself also came under scrutiny. While SWIFT implemented security measures to authenticate users and verify messages, the Bangladesh Bank heist exposed weaknesses in its overall protocol. The reliance on simple two-factor authentication and the lack of robust anomaly detection systems allowed the hackers to operate undetected for a period of time.

 

The Long Road to Recovery

 

Bangladesh launched a multifaceted response to recover the stolen funds. Working with the Philippines and Sri Lanka, legal battles were fought to freeze suspect accounts and recover any remaining laundered money. However, the success of these efforts was limited. The Philippines managed to recover a small portion of the stolen funds, while Sri Lanka ultimately returned the full $20 million that was mistakenly deposited. Unfortunately, a significant portion of the stolen money vanished through a labyrinth of shell companies and fraudulent transactions, leaving Bangladesh with a billion-dollar loss.

 

A Documentary Spotlight: Billion Dollar Heist

 

The Bangladesh Bank heist, a story of audacious cybercrime and international intrigue, captured the attention of filmmaker Daniel Goldfarb. In 2023, his documentary “Billion Dollar Heist” premiered, providing an in-depth look at the attack, its aftermath, and the ongoing investigation. The film features interviews with key figures involved in the case