Printer error triggered Bangladesh race to halt cyber heist

[DHAKA] A printer error first tipped off Bangladesh's central bank to one of the biggest cyber heists in recent history, according to a complaint filed to police that provided new details on the attempted theft of nearly US$1 billion.

Zubair Bin Huda, a joint director of Bangladesh Bank, found the printer tray empty when he looked on the morning of Feb 5 for confirmations of Swift financial transactions that are normally printed automatically overnight.

He then tried and failed to print out the messages manually from the Swift system, according to his complaint to police, the first step needed to start an official investigation.

"We thought it was a common problem just like any other day," Mr Huda said in the complaint.

Because it was a Friday - a weekend in Muslim-majority Bangladesh - Mr Huda left the office around 11.15 am and asked his colleagues to help fix the problem. It took them more than 24 hours before they could manually print the receipts, which revealed dozens of questionable transactions that sent the bank racing to stop cash from leaving its account with the Federal Reserve Bank of New York to the Philippines, Sri Lanka and beyond.

The case has prompted central banks around the globe to examine cyber security measures. It has also led to the resignation of Bangladesh's central bank governor and put money laundering in the Philippines under scrutiny.

FILE IS MISSING

Proloy Kumar Saha, an inspector of Motijheel Police Station where the complaint was filed, confirmed the details and said it was being transferred to the Criminal Investigation Department. Mr Huda is not a suspect in the case and didn't accuse anyone of wrongdoing in the document, known as a First Information Report. He didn't respond to multiple phone calls.

On Saturday, Feb 6, Mr Huda noticed that the software on the terminal connecting to the Swift system wasn't responding. When an attempt was made to restart the terminal, a message flashed: "A file is missing or changed," according to the complaint.

By 12.30 pm, Mr Huda and his team had managed to get the terminal started. While the automatic printing system still didn't work, they managed to print them manually.

What they found surprised them: The receipts show the Federal Reserve Bank of New York sent back queries to Bangladesh Bank against 46 payment orders in different messages, according to the complaint.  

WEEKEND PHONE CALLS

"At our end, we did not find any debit confirmation in our system against those payment orders," Mr Huda said. 

Sensing a much bigger problem than a computer glitch, Bangladesh Bank contacted Swift to help them analyse the transactions.

It also e-mailed and faxed the Federal Reserve Bank of New York, where it kept an account, with a stop order for all unauthorised payments until further notice, Mr Huda told police. 

Over Saturday and Sunday, Bangladesh Bank failed to reach officials in New York by phone. But by that time it was also a weekend in the US, and nobody was available.

By Monday, Feb 8, the central bank's connection to the Swift system was back up and running. Bank officials then discovered that four unauthorised Swift messages were sent indicating that US$101 million was transferred to the Philippines and Sri Lanka.

FRANTIC MESSAGES

Bangladesh Bank then frantically sent stop payment orders via the SWIFT system to the Federal Reserve Bank of New York, Rizal Commercial Banking Corp, Bank of New York Mellon, Citigroup Inc, Wells Fargo & Co and Pan Asian Banking Corp in Sri Lanka.  

Mr Huda said in the complaint that US$81 million was sent to Rizal Bank via four messages and US$20 million was sent to Pan Asia Banking via one message - all from the Federal Reserve Bank of New York. Another US$850 million in transactions were halted.

On request from Bangladesh Bank, Pan Asia Banking canceled the payment of US$20 million to its beneficiary and routed the funds back to Bangladesh's account with the Fed in New York. But the US$81 million that entered the Philippine banking system was credited to beneficiary accounts with Rizal Bank and eventually withdrawn.

The US$20 million transfer to Pan Asia Banking raised alarms because of its size and a typo in the beneficiary's name, according to Nalaka Wijayawardana, deputy general manager of marketing at the bank. Pan Asia Banking then remitted the funds back to Bangladesh Bank's account in New York via Deutsche Bank around Feb 17, he said.

PHILIPPINE SUSPECT

"We cannot divulge the beneficiary due to confidentiality policy, but we will support any investigation," Mr Wijayawardana said.

Most of the US$81 million in the Philippines is missing. Maia Santos Deguito, the manager at Rizal Bank's branch in the Philippine financial district accused of allowing the withdrawal of the funds, invoked her right against self-incrimination in a hearing on Tuesday.

The Philippine anti-money laundering agency said Ms Deguito allowed the funds to be withdrawn on Feb 5 and 9 despite requests from Bangladesh to stop the transfers. Only US$68,305 of the funds remained when Rizal Bank put the accounts on hold, according to the complaint.

SWIFT RESPONSE

Ms Deguito's lawyer, Ferdinand Topacio, who was with her at the hearing, declined to comment, saying he hasn't seen a copy of the complaint.

Swift said it was working with Bangladesh "to resolve an internal operational issue at the central bank," according to a statement last week. "Swift's core messaging services were not impacted by the issue and continued to work as normal."

A Citigroup spokesman in Hong Kong had no immediate comment. Amy Chang, a spokeswoman at Deutsche Bank, declined to comment. Calls and e-mails to BNY Mellon and Wells Fargo weren't immediately returned.

MALWARE INSTALLED

Malicious software code, known as malware, had been introduced into Bangladesh Bank's systems in January without the knowledge of the bank's information systems staff, according to an official familiar with the Bangladesh Bank investigation. The hackers struck the systems on Feb 4, said the official, who asked not to be named because he's not authorised to speak about the probe.

Atiur Rahman resigned as Bangladesh's central bank governor on Tuesday, saying he took moral responsibility after failing to immediately inform the Finance Ministry of the theft. He denied any wrongdoing, and said he had notified intelligence agencies of the crime. Two of his deputies were also removed.

Mohammed Farashuddin, former governor of Bangladesh Bank, will lead a three-member team to investigate the heist, Bangladesh's Finance Ministry says in a notice on Tuesday. It will investigate how the funds where stolen, who received the cash and why the central bank waited to inform the government. They will have to submit an interim report in 30 days and a full report in 75 days, it said.

BLOOMBERG