How millions from the Bangladesh Bank heist disappeared

The cyber bank robbery

How millions from the Bangladesh Bank heist disappeared

When the Federal Reserve Bank of New York cleared five transactions made by the Bangladesh Bank hackers, the money went in two directions. On Thursday, Feb. 4, the Fed's system sent $20 million to Sri Lanka and $81 million to the Philippines.

The Sri Lankan transaction contained a small but crucial error: The money was being sent to a bank account in the name of a nonprofit foundation, but the electronic message spelled it "fundation." That prompted Deutsche Bank, an intermediary in the transaction, and a Sri Lankan bank to contact Bangladesh Bank, which led to the payment being canceled and the money returned.

That Thursday, over the space of a few minutes, the New York Fed also cleared four transactions to accounts with Rizal Commercial Banking Corp (RCBC) in the Philippines - for $6 million, $30 million, $20 million and $25 million. Each account was in the name of an individual, according to RCBC lawyer Maria Cecilla Estavillo, who testified at a Philippine Senate committee examining the heist. All the names were false.

The accounts were at a branch of RCBC in Jupiter Street, on the edge of Manila's business district. According to testimony by Estavillo and bank officials, $22.7 million was withdrawn from one of the RCBC accounts during the afternoon of Friday, Feb 5. But the rest of the money stayed in RCBC.

Over that weekend Bangladesh Bank was struggling to understand what had happened and to cancel the hackers' fraudulent payment requests; meanwhile, the Fed had raised concerns over some of the requests but did little more.

Late on Monday, according to Bangladesh Bank sources and the Philippine senate testimony, Bangladesh Bank sent messages via the SWIFT bank messaging system to RCBC asking it to freeze the money that had arrived in the four individuals' accounts. It was a holiday in the Philippines for Chinese New Year celebrations.

The following morning nearly $58 million was moved out of those accounts. That evening, RCBC told Bangladesh Bank that it had frozen the four suspect accounts - but that only $68,305 was left in them.

RCBC officials told the Senate committee that the SWIFT messages from Bangladesh Bank had been wrongly formatted and were not marked as urgent, so they had gone into a large pile of unread messages for almost the whole day. Staff had only got to them in the evening, RCBC said.

Under Philippine banking laws, the stolen funds could not be frozen until a criminal case was lodged, even though they were still in the banking system. And over the next few days, most of the $81 million disappeared into the country's casino industry, which is exempted from anti-money laundering laws. Though $18 million was recovered, otherwise the trail went cold.

At the Senate hearing, bank officials pinned the blame for the disappearance of the money on the manager of the Jupiter Street branch, accusing her of allowing accounts to be opened under false names. The manager, who was sacked in March, said she had acted on instructions from senior officials and was being made a scapegoat. RCBC and the branch manager declined to comment.

Last month, in an annual report given to shareholders, RCBC said it had begun instituting reforms to prevent such events from happening again.

(Additional reporting by Sanjeev Miglani, Serajul Quadir and Ruma Paul in Dhaka, Karen Lema and Manny Mogao in Manila and Shihar Aneez in Colombo, Tom Bergin in London and Jim Finkle in Boston. Editing By Richard Woods and Raju Gopalakrishnan)

Bangladesh Probe Blames Swift for Cyber Heist