More than a year after a mysterious group of hackers infiltrated the SWIFT system for interbank payments and stole $100 million from the Central Bank of Bangladesh’s custody account at the New York Fed, Filipino authorities have been unable to recover $81 million that seemingly disappeared into the Manila air.
After being transferred to four accounts set up with fake credentials at the Jupiter Street Makati City, branch of Rizal Commercial Banking Corp (RCBC) in the Philippines, the money eventually found its way to an FX broker called Philrem, which split $50 million between two casinos and the remaining $31 million was delivered to a “Weikang Xu” in cash.
Not much is known about what happened to the $31 million after it was moved to Manila. But after receiving unreleased documents from the Philippines Senate investigation, Bloomberg has published the most comprehensive account to date explaining how two casino junket operators helped launder $50 million in the VIP rooms of Manila’s casinos by betting on games of Baccarat.
According to Bloomberg’s anonymous sources, North Korea and its “elite” hacking squad “the Lazarus Group” are believed to be behind what was the largest cyberheist in history.
The two men were Chinese nationals Ding Shizue and Gao Shuhua, who ran a business bringing high-roller clients to casino VIP rooms in Manila and Macau. Once the money was transferred into accounts at the two casinos, the two men led a group of “gamblers” whose only job was to make bets, declare their winnings, and take the newly laundered money away in a briefcase. According to the Filipino Senate report cited by Bloomberg, the men were allowed to play on for weeks even after Bangladeshi authorities had asked their counterparts in Manila for help. All the money was withdrawn before authorities could make a single arrest.
“Just a few days after the theft, Bangladesh Bank officials asked their Philippine counterparts for help. Yet the gamblers were allowed to play on for weeks, according to reports by the casino’s parent company, Bloomberry Resorts Corp., and the Philippine Senate Committee on Accountability of Public Officers and Investigations.
Even after the remaining funds were frozen, no charges were filed against Ding, Gao, or the players with them, so Philippine police didn’t make any arrests, says Sergio Osmeña III, a former senator who last year was a member of the inquiry panel. “They waited until it was too late,” he says.”
What happened next is a mystery. The Senate investigators were unable to trace the cash; and Ding and Gao reportedly left the Philippines without a trace, though Gao was later arrested by Chinese authorities.
“What Ding and Gao did with the loot remains unknown. That’s the point, of course: You want to conceal the money’s criminal origins and then stir it into the rivers of legitimate cash that course around the world every day: $60-odd million here, a few million there. It adds up. PricewaterhouseCoopers LLP says money laundering may total $2 trillion a year worldwide—an amount roughly equivalent to the market for online shopping.
Like the money, Ding and Gao left the Philippines without a trace. (Osmeña says customs authorities have no record of the duo’s departure.) Gone too, it seemed, was any chance that Bangladesh, the Philippines, or the U.S. would find the funds.”
Authorities believe the money is probably sitting in the North Korean central bank. Because the North conducts 90% of its trade with China, it frequently suffers from shortages of hard currency. US intelligence agencies believe it occasionally dabbles in cybercrime to help pad its reserves.
“Some or all of it may have found its way to North Korea. The FBI is examining the totalitarian state’s link to the hack, according to two officials with direct knowledge of the investigation.”
One plausible scenario is that Ding and Gao somehow traveled undetected to Macau and deposited the cash in accounts secretly controlled by the North Korean government.
“Ding and Gao’s familiarity with Macau would have been useful to North Korean hackers, says Steve Vickers, a former head of the Hong Kong Police Force’s Criminal Intelligence Bureau who now runs an eponymous risk consulting company. That, he says, is because Macau was traditionally one of the few locations where the Pyongyang government has managed to maintain covert bank accounts and interact with the global financial system. (Priscilla Fong, a spokeswoman for Macau’s Financial Intelligence Office, declined to comment on this case or to respond to questions about the region’s links to North Korea.)”
The documents reviewed by Bloomberg revealed that the perpetrators began planning for the cyberheist months in advance.
“Months before Ding, Gao, and their baccarat players showed up in Manila, several bank accounts that would later receive the Bangladeshi funds appeared on the books at the Jupiter Street branch of Rizal Commercial Banking Corp. in MetroManila, according to testimony at the Senate hearings. At the hearings, Kim Wong, president of Eastern Hawaii Leisure, which operates a number of VIP rooms in Manila-area casinos, including the Solaire, testified that he’d set up the RCBC accounts along with Ding’s business partner, Gao, and the Jupiter branch manager at the time, Maia Deguito.”
"According to the Senate committee report, Ding, Gao, and Deguito ginned up the accounts using fake names, fake addresses, and fake declarations that Deguito had met the account holders in person and confirmed their identities. Assuming the Senate report got the facts right - there was contradictory testimony - the stage was set for laundering what the hackers hoped would be almost $1 billion. “If you have a bank employee who is in connivance with creating these nonexistent people in the first place, it’s easy to launder,” says Vencent Salido, head of investigations at the Philippine government’s Anti-Money Laundering Council, which is leading the local investigation into the theft.”
Maia Deguito, the branch manager responsible for opening the accounts, says she was instructed to do so by her superiors. Her superiors, in turn, have sued her for defamation and accused her of willfully opening fraudulent accounts.
“For her part, Deguito said she’d been acting on instructions from RCBC bosses. That assertion netted her a libel claim by Lorenzo Tan, the former chief executive officer of RCBC, who also sued Deguito’s lawyer. “Based on our investigation, Ms. Deguito acted alone with the help of some of her co-workers and subordinates at the Jupiter Branch which she headed,” RCBC said in an emailed statement. “Her actions were inimical to her job and against RCBC’s policies, which resulted in her termination and the filing of cases against her.” The bank said it’s confident the Philippine Department of Justice investigation will find that senior executives had no knowledge of Deguito’s actions.”
The Philippines investigation into Ding and Gao is ongoing, and authorities in the US and elsewhere are investigating a “China connection” as well. Meanwhile, the Philippines justice department has indicted Deguito and the owners of FX broker Philrem for their involvement, but dropped the case against another individual who says he was tricked into helping Ding and Gao move some of the stolen funds.
But now that more than a year has passed, and the evidence trail has probably gone cold, finding definitive proof to substantiate the claims about North Korea’s involvement is unlikely – even if the operation was supervised by Kim Jong Un himself.