The Incredible Story Of How Hackers Stole $100 Million From The New York Fed
The story of the theft of $100 million from the Bangladesh central bank - by way of the New York Federal Reserve - is getting more fascinating by the day.
As we reported previously, on February 5, Bill Dudley's New York Fed was allegedly “penetrated” when “hackers” (of supposed Chinese origin) stole $100 million from accounts belonging to the Bangladesh central bank. The money was then channeled to the Philippines where it was sold on the black market and funneled to “local casinos” (to quote AFP). After the casino laundering, it was sent back to the same black market FX broker who promptly moved it to “overseas accounts within days.”
That was the fund flow in a nutshell.
As we explained, the whole situation was quite embarrassing for the NY Fed, because what happened is that someone in the Philippines requested $100 million through SWIFT from Bangladesh's FX reserves, and the Fed complied, without any alarm bells going off at the NY Fed's middle or back office.
"Some 250 central banks, governments, and other institutions have foreign accounts at the New York Fed, which is near the centre of the global financial system," Reuters notes. "The accounts hold mostly U.S. Treasuries and agency debt, and requests for funds arrive and are authenticated by a so-called SWIFT network that connects banks."
Well, as it turns out, Bangladesh doesn't agree that the Fed isn't ultimately culpable. "We kept money with the Federal Reserve Bank and irregularities must be with the people who handle the funds there," Finance Minister Abul Maal Abdul Muhith said on Wednesday. “It can’t be that they don’t have any responsibility," he said, incredulous.
Actually, Muhith, the New York Fed under former Goldmanite Bill Dudley taking zero responsibility for enabling domestic and global crime is precisely what it excels at.
Commuters pass by the front of the Bangladesh central bank building in Dhaka March 8, 2016.
* * *
But what really happened?
As it turns out there is much more to the story, and as Bloomberg reports today now that this incredible story is finally making the mainstream, there is everything from casinos, to money laundering and ultimately a scheme to steal $1 billion from the Bangladeshi central bank. In fact, the story is shaping up to be "one of the biggest documented cases of potential money laundering in the Philippines. It risks setting back the Southeast Asian nation’s efforts to stamp out the use of the country to clean cash, and tarnishing the legacy of President Benigno Aquino as elections loom in May."
And yes, it does appear that hackers managed to bypass the Fed's firewall:
“Even as banks continue to harden their defenses against such sabotage, hackers too have upped their game to breach servers by utilizing both technical skills and rogue elements within the financial institutions,” said Sameer Patil, an associate fellow at Gateway House in Mumbai who specializes in terrorism and national security.
* * *
The story begins in Bangladesh, a country of about 170 million people that’s recently found itself with record foreign reserves thanks to a low wage-fueled export boom and inward remittances. Some of those reserves were held in an account at the Federal Reserve Bank of New York.
Finance Minister Abul Maal Abdul Muhith this week accused the Fed of “irregularities” that led to the unauthorized transfer of $100 million from the account. The Bangladesh central bank said the funds had been stolen by hackers and that some had been traced to the Philippines.
As reported previously, a Bangladesh central bank official who is part of a panel investigating the disappearance of the funds said Wednesday that a separate transfer of $870 million had been blocked by the Fed, something the Fed refused to comment on. It does not, however, explain why $100 million was released.
Essentially the dispute is about whether the Fed went through the right procedure when it received transfer orders.
Naturally, the Fed's story is that it did nothing wrong. Bloomberg writes that according to a Fed spokeswoman, instructions to make the payments from the central bank’s account followed protocol and were authenticated by the SWIFT codes system. There were no signs the Fed’s systems were hacked, she said.
The problem is that the counterparty on the other side of the SWIFT order was not who the Fed thought, and what should have set off red lights is that the recipients was not the government of the Philippines but three casinos!
On the other hand, Bangladesh is quite - understandably - furious: a local official said the Fed should’ve checked the payment orders with the central bank to ensure they were authentic, even if they used the correct SWIFT codes. The official also said there are plans to take legal action against the Fed to retrieve missing funds.
Aquino spokesman Sonny Coloma said he had no information on reports that funds from the Bangladesh central bank reached the Philippines. The case is being handled by the AMLC, an independent body, Coloma said. Bangko Sentral ng Pilipinas Governor Amando Tetangco, who heads the AMLC, did not reply to mobile-phone messages seeking comment.
If at this point flashing light bulbs are going off above the heads of some of our more industrious readers, we can understand why: after all if a fake SWIFT money order is all it takes to have the Fed send you $100 million dollars then...
* * *
Separately, a Reuters report digs into the details of the SWIFT wire requests: it notes that the hackers breached Bangladesh Bank's systems and stole its credentials for payment transfers, two senior officials at the bank said. They then bombarded the Federal Reserve Bank of New York with nearly three dozen requests to move money from the Bangladesh Bank's account there to entities in the Philippines and Sri Lanka, entities which as will be revealed shortly were... casinos.
Four requests to transfer a total of about $81 million to the Philippines went through, but a fifth, for $20 million, to a Sri Lankan non-profit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation.
Hackers misspelled "foundation" in the NGO's name as "fandation", prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction, one of the officials said.
There is no NGO under the name of Shalika Foundation in the list of registered Sri Lankan non-profits. Reuters could not immediately find contact information for the organization.
Luckily, the Fed stopped some of the $1 billion in total requested funds. The unusually high number of payment instructions and the transfer requests to private entities - as opposed to other banks - raised suspicions at the Fed, which also alerted the Bangladeshis, the officials said. The details of how the hacking came to light and was stopped before it did more damage have not been previously reported. Bangladesh Bank has billions of dollars in a current account with the Fed, which it uses for international settlements.
The transactions that were stopped totaled $850-$870 million, one of the officials said. At least$80 million made it through without a glitch.
* * *
Meanwhile, back in the Philippines, the gaming regulator said it is investigating reports that as much as $100 million in suspicious funds were remitted to the bank accounts of three casinos it didn’t identify.
The Philippine Daily Inquirer has led reporting on the theft. It wrote last month that cash may have entered the Philippines via the Jupiter Street, Makati City, branch of Rizal Commercial Banking Corp. The money was converted into pesos and deposited in the account of an unidentified Chinese-Filipino businessman who runs a business flying high net worth gamblers to the Philippines.
The funds were used to buy casino chips or pay for losses at venues including Bloomberry Resorts Corp.’s Solaire Resort & Casino and Melco Crown Philippines Resort Corp.’s City of Dreams Manila, according to the paper. There was no suggestion in the report the banks or casinos named were complicit with any improper movement of funds.
In other words, the Fed was funding gamblers, only these were located in Philippine casinos, not in the financial district. Ironically, that's precisely what the Fed does, only it normally operates with gamblers operating out of Manhattan's financial district.
Bloomberry Resorts investor relations director Leo Venezuela and City of Dreams Manila Vice President Charisse Chuidian didn’t reply to calls and phone messages.
And then, once the "gamblers" were done having their fun laundering freshly received Fed money, they moved the cash offshore: funds were later dispatched into accounts outside the Philippines, the paper said, including to Hong Kong. The Hong Kong Monetary Authority declined to comment, as did the Hong Kong police. The Inquirer separately reported the head of the Rizal branch where the transactions occurred had made a statement that top bank officials were aware of the transactions “at every stage."
Were the banks in on this unprecedented theft? Probably, although it will be nearly impossible to prove.
Rizal’s shareholders “are fully committed to comply with all banking laws and regulations, in particular those on money laundering,” Vice Chairman Cesar E.A. Virata said in a statement Wednesday. In a separate statement, the bank’s Chief Executive Officer Lorenzo Tan condemned “any insinuations that the top management of the bank knew of and tolerated alleged money laundering activities in one branch.”
* * *
The exact amount stolen from Bangladesh is still not exactly clear, as is what happens next in the dispute with the Fed.
While Muhith said the Fed was responsible for at least $100 million, another Bangladeshi central bank official who asked not to be identified said $20 million of a $101 million total had been recovered from an account held in Sri Lanka, leaving $81 million unaccounted for. That figure matches the amount Rizal’s Virata said the bank was investigating.
What we would like to know, is whether this is merely the Fed's way of testing its level of preparedness for the moment it has to wire helicopter money around the globe, in lieu of using drone delivery of cash, especially if cash has been banned previously as so many "famous economists" demand, clearly unaware that cash has to be present when in the last ditch step to boost inflation, the Fed has no choice but to hand out physical money to every willing recipient.
For a few lucky recipients in the Philippines, it already worked out.
- advertisements -