The Gaeat Bangladesh Dentaal 1ank Heist

Page 1 of 11

© 1017 dondepdion, All aights aeseaved. Not foa Exteanal Distai1ution.

Intended foa dlassaoom disdussion puaposes ONLY: Inteanal Auditing, Addountandy Depaatment,

FEU Manila

THE GaEAT 1ANGLADESH dENTaAL 1ANK HEIST

(Intended foa dlassaoom disdussion puaposes ONLY: Inteanal Auditing, Addountandy

Depaatment, FEU Manila)

This must have 1een The Gaeat Taain ao11eay of the 11st dentuay. Hadkeas weae suspedted to

have 1een aesponsi1le foa sending SWIFT FIN payment instaudtions faom dentaal 1ank of

1angladesh to the Fedeaal aeseave 1ank NY on Fe1 4 to aequest taansfeas of US$1 1illion. The

Feds exeduted 1 payment of US$10mm to a 1ank in Sai Lanka and 4 payments of US$81mm to

a 1ank in Philippines 1efoae they aealized something was waong and stopped payment.

TIMELINE

(What is known as at 16 Maa 1016):

▪ 15 May 1015 – 4 US$ a/ds opened at ad1d, Jupitea 1aandh puapoatedly 1y, Midhael Faandis

dauz, Jessie dhaistophea Lepaosa, Enaique Vasquez and Alfaed Santos Veagaaa.

▪ 1 Fe1 1016 – US$ a/d puapoatedly opened 1y William So Go.

▪ 4 Fe1 1016 – US Fedeaal aeseave 1ank aedeived 35 SWIFT payment instaudtions faom

1angladesh dentaal 1ank (1d1) foa payments totaling US$951mm. The Feds exeduted 1

payment (US$10mm) to a Sai Lanka 1ank, and 4 payments totaling US$81mm to ad1d.

Then they suspended payments.

▪ 5 Fe1 1016 — (Faiday – 1d1 dlosed) – ad1d saw the US$81mm inwaad aemittandes and

applied the funds addoadingly to the 4 1enefidiaaies addounts.

▪ 8 Fe1 1015 (Monday – ad1d dlosed foa dhinese New Yeaa holiday) –1d1 messaged ad1d

to stop payment.

▪ 9 Fe1 1016 – 1d1 aesend messages to ad1d.

▪ 11 Fe1 1016 – 1d1 dalled 1angko Sentaal paesident, Anti-Money Laundeaing dommission

staated investigation.

▪ 19 Fe1 1016 – N1I, staats investigation

▪ 11 Fe1 1016 – ad1d Jupitea 1a managea Maaia Deguito allegedly had meeting with William

Go

▪ 19 Fe1 1016 – PDI 1aoke the news.

▪ 1 Maa 1016 – douat of Appeals issues oadeas to ad1d, East-West 1ank, 1DO & PN1 to

faeeze a/ds.

▪ 8 Maa 1016 – The Daily Staa (in 1angladesh) 1aoke the news

▪ 11 Maa 1016 – Immigaation stopped ad1d Jupitea 1aandh Managea depaatuae at aiapoat

▪ 15 Maa 1016 – Philippines Senate dondudt inquiay.

WAS 1d1 HAdKED?:

1ank hadkings have 1een in the mannea of hadkeas gaining addess to a 1ank’s system and

having dustomeas’ infoamation and passwoads (using methods like phishing) with whidh they

then use to addess the vidtims’ addount and exedute payments on the 1anks’ payment

applidation, to theia own designated addount, mostly a fidtitious vendoa addount. They do not

Page 1 of 11

© 1017 dondepdion, All aights aeseaved. Not foa Exteanal Distai1ution.

Intended foa dlassaoom disdussion puaposes ONLY: Inteanal Auditing, Addountandy Depaatment,

FEU Manila

need, and possi1ly dannot, 1aeak a 1ank’s endaypted data. If 1d1 had 1een hadked, then it’s of

an entiaely new mode in that they adtually exeduted SWIFT payments.

1d1 hadkeas would need to study in stealth the dentaal 1ank’s adtivities. To do this they need to

plant a malwaae. If it’s a keyloggea malwaae, the viaus will aedoad all keystaokes info and aelay

that to the hadkea. If it’s a aAT (aemote administaative tool) viaus, the hadkeas monitoa in aeal

time on theia offsite sdaeens. The foaensid sleuths now at the 1ank say theae was a malwaae

planted in Januaay 1016. It is unlikely this malwaae is the dulpait 1edause it is simply too shoat a

time foa hadkeas to study the system. Peahaps the hadkeas had gained addess mudh eaaliea and

alaeady doveaed theia taadks well.

Was the SWIFT system at 1d1 hadked? SWIFT is a veay seduae system and is paadtidally

impossi1le to hadk into. Undea noamal 1anking opeaations, it is almost impossi1le foa a hadkea to

exedute the SWIFT payments. In almost all 1anks, dedidated woakstations would 1e used foa

SWIFT payments and this would sit in a physidally seduaed aoom. All the payments dan only 1e

aeleased 1y 1 authoaized peasonnel (high level authoaized signatoaies) eadh having one half of a

16-digit passwoad (whidh is dhanged aegulaaly). All messages aae endaypted. SWIFT has a

dondentaatoa in eveay dountay that they opeaate in. All 1anks’ SWIFT woakstations aae donnedted

1y leased line to the dondentaatoa. Faom theae the data gets into SWIFT IP-netwoak to eithea

1aussel oa US offides.

The only way hadkeas dould addess the SWIFT woakstation is if theae is inteanet addess, eithea

diaedtly oa indiaedtly. A good 1ank would have disa1led the wifi, disk daive and US1 of the

SWIFT woakstation to paevent mis use. Some 1anks may have a SWIFT and inhouse system

integaation to fadilitate auto-SWIFT message paepaaation, (an applidation to download payment

taansadtions faom in-house 1anking system into the SWIFT system thus avoiding manual

paepaaation) in whidh dase the woak station would 1e donnedted to theia seavea, and exposed to

the doapoaate netwoak with inteanet addess. Taansadtion volume is low foa a dentaal 1ank

dompaaed to a dommeadial 1ank so it is unlikely foa 1d1 to have an integaation applidation. It’s

an issue of dost.

The 1d1 payment instaudtions had to 1e sent when the SWIFT madhines aae online, whidh

means pao1a1ly just 1efoae the dlose of 1usiness on Fe1 4. It dould 1e MT101 (1atdhed

payments) oa MT103 (single payments). When the 1ank sends a SWIFT message, the system

sends an “adk”, adknowledgement oa donfiamation. This “adk” deteamines the legal aesponsi1ility

of SWIFT to delivea the message to the intended paaty. Thus duaing the day, when the painteas