Hacker’s spelling mistake helped prevent $1bn heist
Bangladesh Bank and the New York Fed were targeted in major online theft
A spelling mistake in an online bank transfer instruction helped prevent a $1 billion heist last month involving the Bangladesh central bank and the New York Fed. File photograph: Getty Images
A spelling mistake in an online bank transfer instruction helped prevent a $1 billion (about €890 million) heist last month involving the Bangladesh central bank and the New York Fed, banking officials said.
Unknown hackers still managed to get away with about $80 million (€71 million), making it one of the largest known bank thefts in history.
The hackers breached Bangladesh Bank’s systems and stole its credentials for payment transfers, two senior officials at the bank said.
They then bombarded the Federal Reserve Bank of New York with nearly three dozen requests to move money from the Bangladesh Bank’s account there to entities in the Philippines and Sri Lanka, the officials said.
Four requests to transfer a total of about $81 million (about €72 million) to the Philippines went through, but a fifth, to transfer $20 million (about €18 million) to a Sri Lankan non-profit organisation, was held up because the hackers misspelled the name of the NGO.
Hackers misspelled the “foundation” in Shalika Foundation’s name as “fandation”, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction.
There is no NGO under the name of Shalika Foundation in the list of registered Sri Lankan non-profits.
At the same time, the unusually high number of payment instructions and the transfer requests to private entities - as opposed to other banks - raised suspicions at the Fed, which also alerted the Bangladesh Bank, the officials said.
The details of how the hacking came to light and was stopped before it did more damage have not been previously reported.
Bangladesh Bank has billions of dollars in a current account with the Fed, which it uses for international settlements.
The transactions that were stopped totalled $850-$870 million (about €759-€777 million), one of the officials said.
Bangladesh Bank has said it has recovered some of the money that was stolen, and is working with anti-money laundering authorities in the Philippines to try to recover the rest.
The recovered funds refer to the Sri Lanka transfer, which was stopped, one of the officials said.
The dizzying, global reach of the heist underscores the growing threat of cyber crime and how hackers can find weak links in even the most secure computer networks.
More than a month after the attack, Bangladeshi officials are scrambling to shore up security and identify weaknesses in their systems.
They said there is little hope of ever catching the hackers, and it could take months before the money is recovered, if at all.
Security experts said the perpetrators had deep knowledge of the Bangladeshi institution’s internal workings, likely gained by spying on bank workers.
The hacking of Bangladesh Bank happened sometime between February 4th-5th, during the Bangladeshi weekend, officials said.
Initially, the central bank was not sure if its system had been breached, but cyber security experts brought in to investigate found hacker “footprints” that suggested the system had been compromised, the officials said.
These experts could also tell that the attack originated from outside Bangladesh, they said.
Officials said the bank is looking into how they got into the system and an internal investigation is ongoing.