Someone using official codes stole $100 million from Bangladesh’s account at the New York Fed over a recent weekend. Authorities in four countries are still piecing together what happened.
The breach funneled $81 million from the country’s account at the New York Federal Reserve to personal bank accounts in the Philippines. Another $20 million was directed to a bank in Sri Lanka.
In scenes that would be right at home in Hollywood, the unknown criminals sent 35 transfer requests through the Swift interbank messaging system, a Bangladesh Bank official and an official of the Ministry of Finance have said. Whoever made the requests had the necessary codes to authorize Swift transfers and put in the payment requests on a weekend, the officials said.
The incident has led to recriminations, with Bangladesh’s finance minister accusing the Fed of irregularities, and questions being raised about the quality of security in the South Asian country. In an early sign of fallout from the breach, Bangladesh’s central-bank governor, Atiur Rahman, resigned Tuesday.
Mr. Rahman had come under fire from senior ministers who said he didn’t tell the government about the theft fast enough. Although the theft took place Feb. 5, Bangladesh Bank, the central bank, didn’t make a public announcement until last week. The country’s finance minister, Abul Maal Abdul Muhith, said he learned of the heist from news reports.
On Tuesday, Mr. Rahman, who had been the governor of Bangladesh Bank for nearly seven years, said he was taking moral responsibility for the loss of the money. Two deputy governors of Bangladesh Bank were relieved of their duties, Mr. Muhith said. He didn’t clarify why they were removed. The officials couldn’t be reached for comment Tuesday.
The Fed declined to comment Tuesday. It has said it is working with Bangladesh to investigate the incident and said none of its systems were compromised.
Interviews with several officials at Bangladesh’s Finance Ministry and its central bank depict a well-planned international caper spanning at least four countries.
The breach began on a quiet Friday last month, when a series of payment instructions arrived at the New York Fed seeking the transfer of nearly $1 billion out of the Bangladeshi account.
The transfer requests, which the Fed says were fully authenticated with the correct bank codes, asked to move the money to private accounts in the Philippines and Sri Lanka and appeared to come from the Bangladeshi central bank’s servers in the capital, Dhaka.
But Friday is the weekend in Bangladesh and the central bank’s offices were closed. By the time officials at Bangladesh Bank returned to work, five requests moving about $100 million had gone through. Further transfers totaling roughly $850 million were blocked after the Fed raised a money-laundering alert, a spokesman for Bangladesh Bank said. The fact that the money was being wired to personal bank accounts in the Philippines rang alarm bells.
The $81 million that did leave the bank for the Philippines ended up in the account of a local businessman before making its way to at least two local casinos, the executive director of the country’s Anti-Money Laundering Council, a government task force, said at a hearing at the Philippine Senate on Tuesday.
Julia Bacay-Abad, executive director of the Anti-Money Laundering Council, said the money had apparently been used to buy gambling chips. The council’s investigation ended at the casino’s doors, however. Gambling facilities aren’t covered by the Philippines’ Anti-Money Laundering Law.
“Manila has returned only $68,000 of the money which was left in the bank accounts,” said a Bangladesh Bank official close to the investigation. “Whoever planned it had thought well ahead.”
The $20 million transferred to Sri Lanka went to the account of a newly formed nongovernmental organization, according to the officials in Dhaka. The Sri Lankan bank handling the account reported the unusual transaction to the country’s central bank under that country’s money-laundering laws, and authorities reversed the transfer.
Swift uses a multilayered process to authenticate the financial institutions that send one another millions of messages each day. A spokeswoman said the messaging system’s core services hadn’t been affected, and said Swift was working with Bangladesh Bank “to resolve an internal operational issue at the central bank.”
Cybersecurity experts say the theft of money from the New York Fed shows the vulnerability of emerging economies like Bangladesh, where the rapid growth of the banking system has outpaced regulations and security systems.
Bangladesh’s foreign-currency reserves touched a record $28 billion in February. Nearly a third of those are held in liquid form in bank accounts at the Fed and the Bank of England, according to Bangladesh Bank officials. (WSJ)