A select team of hackers groomed from an early age. An email. A malfunctioning printer. A spelling mistake. And the might of a hermit nation.
These were the key ingredients of the story behind one of the most audacious bank heists in history.
By now it is common knowledge that the planned $1 billion heist on Bangladesh Bank, the country’s central bank, was conceived in the heart of North Korea. Now more details have emerged from the murky underbelly of the cybercrime world. And they are as gripping as one would expect from a Hollywood thriller.
North Korean hackers had plotted the $1 billion heist on Bangladesh’s central bank in 2016, and they would have succeeded if not for some strange twists of fate. While the hackers had dreamt of a billion, they came away with a tidy $81 million. And it wasn’t planned in a day. According to a BBC report which quotes the US-based Federal Bureau of Investigation, the scheme was years in the making.
The first clue: a malfunctioning printer
At 8:45am on Friday, 5 February, 2016, staff at Bangladesh Bank noticed that a printer in a secure room on the 10th floor of the bank’s main office in the capital wasn’t working properly.
“We assumed it was a common problem just like any other day,” a BBC report quotes duty manager Zubair Bin Huda telling police after the incident.
At the time, the malfunction was put down to a technical glitch.
But the malfunction was meticulously planned. It was the first sign of trouble, a sign that hackers had gained access to the bank’s computer networks and were launching a cyber attack on a scale that had never been seen before.
It was to be a billion-dollar heist, the blueprint of which was drawn up in one of the poorest countries in the world: North Korea.
The man behind the plan
According to the FBI, the hack had been planned over years and for its execution the hacking team would employ bogus bank accounts, charities, casinos, and a large network of helpers operating across Asia.
The key suspect was one Park Jin-hyok. A computer programmer who went to work for a North Korean corporation, Chosun Expo, in the Chinese port city of Dalian, Park was said to be designing gaming and gambling applications for clients all over the world.
An FBI investigation found that Park was in Dalian as early as 2002 and around 2014 his online activity seemed to come from Pyongyang, North Korea’s capital.
Between September 2014 and August 2017, US officials charged Park with one count of conspiracy to commit computer fraud and abuse, as well as one count of conspiracy to commit wire fraud (fraud involving mail or electronic communication), the BBC reported.
He returned to North Korea from China four years before the allegations were filed.
But Park’s foray into hacking did not come overnight. In fact, he is one of thousands of young North Koreans who have been groomed since childhood to become cyber-warriors: one-time maths prodigies taken out of school and given intensive education from morning to night.
But having the best hackers wasn’t enough. The whole plan hinged on timing.
The hacking group, now known as the Lazarus Group, had been inside Bangladesh Bank’s computer systems for a year, so they had plenty of time to arrange everything.
Their entry into the bank’s computer systems began with a single email, sent by a decoy job seeker named Rasel Ahlam.
Rasel’s email included a link to a website from which to download his CV and cover letter.
While it is not clear exactly what happened, it is believed that at least one recipient of the email in Bangladesh Bank fell for the phishing scam. Once they opened the email, their computer was infected with the virus. Soon the bank’s entire network was being infiltrated.
But why did the hackers then wait for a year before making their move? The lull before the attack was also by design.
An elegant attack
The printer in Bangladesh Bank was rebooted. Upon restarting, it immediately began printing urgent messages from the Federal Reserve Bank of New York, the “Fed”, where Bangladesh maintains a US-dollar account.
The Fed had reportedly received instructions from Bangladesh Bank to empty the whole account.
As Bangladeshi officials scrambled to contact the Fed, they were thwarted by the hackers’ timing.
The hack began at about 10pm Bangladesh time on Thursday, 4 February.
The Bangladeshi weekend, which runs from Friday to Saturday, began the next day.
This meant that while Bangladesh Bank officials were off work, the money had already started moving. By the time Bangladesh Bank discovered the heist, New York had already gone into its weekend.
“You can see the elegance of the attack,” Rakesh Asthana, a cyber-security expert based in the United States, told the BBC. “The Thursday night date has a specific purpose. On Friday, New York is open for business, while Bangladesh Bank is closed. The Federal Reserve Bank will be offline by the time Bangladesh Bank reopens. As a result, the entire finding was delayed by over three days.”
The hackers had also accounted for another holiday in another country, which would play a role in the heist.
They sent the money to accounts they’d set up in Manila, the Philippines’ capital. And in 2016, the first day of the Lunar New Year, a national holiday in Asia, was Monday, February 8.
With this, the hackers had carved out a five-day window in which to move the money, by exploiting the time differences between the countries involved.
What’s in a name?
Back in Manila, at a branch of RCBC, four accounts were set up by the hackers’ accomplices, a few months after the Lazarus Group had gained access to Bangladesh Bank’s systems.
Each account was opened using fake driving licences and $500 initial deposits.
With everything in place, the group was ready to execute their long con. One thing remained in their way: the printer.
To record all transfers made from Bangladesh Bank’s accounts, the bank had devised a paper backup system. If that log had printed the transfers as they happened, the plan would have been exposed. Hence the need to take control of the printer and disable it.
Once that was done, the hack began at 20:36 on Thursday, 4 February, 2016, with transfer requests totalling $951 million.
Officials at Bangladesh Bank realised that the transactions could not simply be reversed. Some of the funds had already reached the Philippines, where authorities informed them that they would need a court order to begin the reclaim procedure.
Because court orders are public papers, when Bangladesh Bank filed its case in late February, the story became widely known and exploded around the world, the BBC reported.
But there was a saving grace: a spelling mistake.
A total of $20 million was transferred to the Shalika Foundation in Sri Lanka, which had been set up by the hackers’ associates as a conduit for the stolen funds. However, the hackers transferred the money to “Shalika Fundation.”
The spelling error meant the transaction was reversed.
The second oversight was using the RCBC bank branch located on Jupiter Street.
These transactions were stopped at the Fed because one of the orders’ addresses contained the word ‘Jupiter,’ which was also the name of a sanctioned Iranian transport vessel.
The term ‘Jupiter’ put the Fed on alert. The payments were scrutinised and most of them were halted.
As a result, only $81 million was approved.
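The two accidents that saved most of the money, a beneficiary name that did not match the account on file and a watchlisted word in a free-text address field, are exactly the checks a payment-screening layer is meant to perform deliberately. The following is an added illustration, not code from the article or from any of the banks involved: a toy screener that normalises names before comparing them against a registry and tokenises free-text fields against a watchlist. The account numbers, the registry, the watchlist contents and the sample orders are all constructed for the example; the only real-world element is that the word “Jupiter” is taken from the article.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List, Tuple
import re

# Constructed watchlist of terms that must not appear in payment free-text fields.
# The article notes that the Fed held orders because "Jupiter" matched a sanctioned vessel.
WATCHLIST_TERMS = {"jupiter"}

# Constructed registry mapping beneficiary account numbers (placeholders) to the
# account-holder name on file; a real bank would query its core banking system.
ACCOUNT_REGISTRY = {
    "LK-0001": "Shalika Foundation",
    "PH-0002": "Example Trading Corp",
}


@dataclass(frozen=True)
class PaymentOrder:
    order_id: str
    amount_usd: float
    beneficiary_account: str
    beneficiary_name: str
    beneficiary_address: str


def normalise(text: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so that cosmetic
    differences neither mask nor fake a name match."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", text.lower())
    return " ".join(cleaned.split())


def name_similarity(a: str, b: str) -> float:
    """Similarity in 0.0..1.0; a high value on a mismatch points to a typo rather
    than a wholly different payee, which is useful triage information for the analyst."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def screen_order(order: PaymentOrder,
                 registry: Dict[str, str] = ACCOUNT_REGISTRY,
                 watchlist=WATCHLIST_TERMS) -> List[str]:
    """Return the list of hold reasons for one order; an empty list means release."""
    flags: List[str] = []

    # Check 1: the beneficiary name must match the name registered for the account.
    registered = registry.get(order.beneficiary_account)
    if registered is None:
        flags.append("unknown-account")
    elif normalise(order.beneficiary_name) != normalise(registered):
        similarity = name_similarity(order.beneficiary_name, registered)
        flags.append(f"name-mismatch:{similarity:.2f}")

    # Check 2: tokenise every free-text field and intersect with the watchlist.
    free_text = f"{order.beneficiary_name} {order.beneficiary_address}".lower()
    hits = set(re.findall(r"[a-z0-9]+", free_text)) & watchlist
    if hits:
        flags.append("watchlist:" + ",".join(sorted(hits)))

    return flags


def screen_batch(orders: List[PaymentOrder]) -> Dict[str, Tuple[str, List[str]]]:
    """Screen a batch and return {order_id: (decision, flags)}; any flag holds the order."""
    results: Dict[str, Tuple[str, List[str]]] = {}
    for order in orders:
        flags = screen_order(order)
        results[order.order_id] = ("hold" if flags else "release", flags)
    return results


# Constructed sample orders; amounts and addresses are illustrative only.
SAMPLE_ORDERS = [
    PaymentOrder("ORD-1", 20_000_000.0, "LK-0001", "Shalika Fundation", "Colombo, Sri Lanka"),
    PaymentOrder("ORD-2", 30_000_000.0, "PH-0002", "Example Trading Corp", "Jupiter Street, Makati, Manila"),
    PaymentOrder("ORD-3", 1_000.0, "PH-0002", "Example Trading Corp", "Sample Avenue, Makati, Manila"),
    PaymentOrder("ORD-4", 500.0, "XX-9999", "Nobody Known", "Anywhere"),
]

if __name__ == "__main__":
    for order_id, (decision, flags) in screen_batch(SAMPLE_ORDERS).items():
        print(f"{order_id}: {decision} {flags}")
```

Two design points are worth noting. The name check is an exact comparison after normalisation, with the similarity score attached only as context: a 0.97 score on the “Fundation” order tells an analyst it is probably a typo, but the order is still held rather than auto-corrected, because a near-miss name is also what a fraudster substituting a look-alike payee produces. The watchlist check tokenises all free-text fields, not just a dedicated “beneficiary” field, since the word that stopped the real transfers sat in a street address.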
By the time Bangladesh Bank attempted to reclaim the funds, the hackers had already taken steps to ensure that the money remained out of reach.
The four accounts created the previous year at the RCBC branch shuffled the funds between themselves before routing them to a currency exchange firm. There, the money was exchanged for local currency and re-deposited, with some of the cash withdrawn.
“You have to make all of that criminally derived money look clean and look like it came from legitimate sources in order to protect whatever you do with the money later,” Moyara Ruehsen, director of the Middlebury Institute of International Studies’ Financial Crime Management Program in Monterey, California, told the BBC. “You want to muddy and conceal the money trail as much as possible.”
Of a gambling paradise
The next stage of the heist was cleaning the money. For this, the hackers chose Manila’s casino scene.
A total of $50 million was deposited in accounts at the Solaire and another casino, the Midas, out of the $81 million that passed through the RCBC bank.
The remaining $31 million was supposedly paid to a Chinese man named Xu Weikang, who, according to a Philippines Senate Committee set up to investigate the matter, has not been seen or heard of since.
The use of casinos made it impossible to track the money, for two reasons.
First, the robbers reserved private rooms and filled them with accomplices who would play at the tables, giving them complete control over how the money was spent.
Second, they used the stolen money to play baccarat, a game with only two possible outcomes.
By then Bangladesh Bank officials had begun to trace the money and regain some of it. With the casinos, though, little could be done, as money-laundering laws did not apply to gaming establishments in the Philippines at the time.
Officials from the bank, however, were able to retrieve $16 million of the stolen funds from Kim Wong, one of the men who organised the gambling trips to the Midas casino. He was arrested, but the charges were dropped afterwards.
The remainder of the stolen funds was believed to have been in Macau, a Chinese enclave with close ties to North Korea.
Kim Jong-il had included cyber in the country’s policy early on, founding the Korea Computer Centre in 1990.
When Kim Jong-un, Kim Jong-il’s third son, came to power, he launched a campaign to paint himself as a champion of science and technology.
To this day, the regime dispatches its most brilliant computer programmers abroad, mostly to China, to train as cyber-warriors.
Hundreds of young men are thought to reside and work in Chinese outposts managed by North Korea.
“They are extremely efficient at covering their tracks, but they leave crumbs, evidence behind, just like any other criminal,” Kyung-jin Kim, a former FBI Korea chief who now works as a private investigator in Seoul, told the BBC.