How do you cram a million banknotes into the back of a Lexus family car? For one bank branch manager, the solution was simple: she loaded the cash into boxes, and she made several trips.
A career woman in her early 40s, Maia Deguito’s job at the Rizal bank near Manila airport in the Philippines depended on keeping her customers happy, however extravagant their demands.
So when four Chinese clients opened new accounts, she did everything she could to accommodate them. That included driving boxes of Filipino pesos totalling $22 million to a nearby casino where security guards used wheelbarrows to cart the cash inside.
Little did she know that she was taking part in an astonishing billion dollar heist, the biggest bank job of all time, in which cyber thieves had all but emptied the coffers of a national lender. How is that possible? If you thought that a bank’s defences against attacks like these were as sturdy as their vault walls, then think again. Institutions the world over are vulnerable to State-sponsored cyber-crime, not least in the UK, as we have seen this week, when two hacks of almost unimaginable severity were reported in the Daily Mail.
In one, the name of every Northern Ireland police officer was published in a data breach, putting thousands of families in danger.
In the other, believed to be orchestrated by Russia, more than 40 million names and addresses on the UK electoral register were open to access by hackers for 14 months.
Sadly, this doesn’t surprise me. I have been investigating the rise of organised cyber crime for decades and wrote McMafia: Seriously Organised Crime – upon which the BBC based the eponymous underworld drama – and I fear that co-ordinated attacks of this kind pose the same existential threat to humanity at large as pandemics, weapons of mass destruction and climate change.
Criminals who can hack into police files might also shut down electricity grids, disrupt satellite systems, infect hundreds of millions of computers with viruses or bring down the mobile phone network.
The billion dollar attack on the bank, in which branch manager Maia Deguito played a minor but crucial role, occurred in Bangladesh, though its tentacles had spread to the Philippines, Germany and the U.S.
It combined ingenuity, phenomenal patience, methodical computer skills, cunning psychology and a surprising element of human clumsiness. It was an almost perfect plan that, but for one astonishing coincidence and one piece of sheer carelessness, could have netted the thieves ten times more money.
I tell the story of the Billion Dollar Heist in a new documentary, also featuring many of those involved in the investigation.
It begins with one email, a prospective job application in 2015 from a man calling himself Rasul Alam, sent with a CV to three dozen employees at the Bangladesh Central Bank.
Despite the bank’s protocol that staff should never click on an attachment unless they were certain it was safe, at least three people did take a look at the Alam resume.
Bangladesh Central Bank, located in the Motijheel financial district of Dhaka, the capital city of Bangladesh, lost a billion dollars in the complex money laundering scheme
That’s all it took. Embedded in that apparently innocuous file was an invisible piece of malware, or invasive code, that gave the hackers a window into the bank’s internal computer network.
None of the three employees who opened the attachment was remotely high-ranking. But their desktop machines had access to sections of other computers, which had access to others, and so on. The malware hopped from one hard drive to another like a flu virus spreading throughout an office building.
Because the hackers could now reach into infected machines, they were able to tweak the malware as it travelled, to upgrade its powers. And they were also able to wipe all traces of the code off the machines they left behind, to minimise the chances that a security sweep would ever spot the attack.
The most common form of commercial virus is ransomware. It locks up files and won’t release them until a fee is paid. But this was not ransomware. The hackers had a much more lucrative goal: the SWIFT system.
SWIFT is the messaging platform that banks use to communicate with each other, a sort of WhatsApp for finance. On January 29, 2016, the gang cracked it open.
Now they had the capability to make transactions – to send money from the bank’s own reserves into accounts of their own that were ready and waiting for transfers. But the thieves did not act at once. They waited five days, timing their move for maximum effect.
When they struck late on February 4, it was a Thursday, the last day of the working week in Bangladesh. Friday is a holy day in Islam. Late that afternoon, an employee logged off and three hours later, at 8.36pm when the building was deserted, a thief logged on.
In the next few hours, the hackers made 35 separate wire transactions from that terminal, totalling $951 million (worth, with inflation, £949m today).
And a few hours after that, the Federal Reserve Bank in New York opened for business on Friday morning and saw the 35 transactions – totalling almost the entire holdings of the Bangladesh bank. The hackers were attempting to clean out the whole nation.
One transaction was passed to Deutsche Bank to be actioned. The rest went to the Philippines. And here the hackers ran into two obstacles. One was unforeseeable, a completely random coincidence that set alarm bells ringing. The other was a plain blunder – a spelling mistake.
The order going via Germany was for $20 million to the Shalika Foundation in Sri Lanka. But ‘foundation’ was misspelled – as ‘fandation’. That struck a Deutsche Bank employee as fishy, and the transaction was held… one of the most expensive spelling mistakes in history.
Meanwhile, four transactions went through to Maia Deguito’s bank on Jupiter Street near Manila airport. After she had dropped $22 million at the Solaire Casino, five minutes’ drive away, her four mystery Chinese clients arrived and collected the money in casino chips, before heading for the tables where they played against each other. This was the beginning of the Chinese New Year, when it isn’t unusual for high rollers to bet colossal sums on the turn of a single card.
Observers noticed something unusual: the men didn’t seem to care whether they won or lost. They were losing towering stacks of chips in every game to each other, without any show of excitement. The games appeared to be little more than a ritual, though an expensive one, since the casino took about 2 per cent of the total stakes: around $440,000 (£345,000).
After a little while, the four collected their chips and took them back to the cashiers, who returned their cash – this time in U.S. dollars. The men loaded it into suitcases, and headed for the airport where they boarded a private jet, never to be seen again.
Meanwhile, the Jupiter Street address of Maia Deguito’s bank was flagged by the Fed as suspicious. Once again, it wasn’t the amount of money involved that triggered an alert: in an unrelated case two years earlier, a shipping company called Jupiter Seaways had been put on the banking watchlist because it was suspected of breaching U.S. sanctions against Iran. The company, owned by a Greek magnate, purchased eight oil tankers with money that, American intelligence agents believed, could be traced back to the regime in Tehran.
That was enough to delay the remaining 30 transactions the thieves had made, while officials at the Fed ensured there was no breach of sanctions involved. This couldn’t be done by a computer – it had to be signed off by a human being. And when staff in New York looked at those 30 outstanding transfers, they finally noticed what huge sums were involved.
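The two controls that held up these transfers were a watchlist match on a beneficiary address and, once a human looked, the sheer size of the sums. The screening routine below is an added illustration of how such checks are typically layered, written for this article and not the logic of the Fed, Deutsche Bank or SWIFT. The watchlist token, the vocabulary of expected beneficiary words, the thresholds and the sample batch are all constructed; it goes a little beyond the article by also holding an entire batch whose total is abnormal for one originator, which is the check the story suggests was missing until a person read the printouts.

```python
"""Toy payment-instruction screening: watchlist hit, large value,
unexpected beneficiary spelling, and abnormal batch total.
All parameters and sample data are constructed for this example."""
import re
from dataclasses import dataclass, field


@dataclass
class Transfer:
    ref: str
    amount_usd: int
    beneficiary: str
    address: str
    flags: list = field(default_factory=list)


# Constructed control parameters; real thresholds live in each bank's own policy.
WATCHLIST_TOKENS = {"jupiter"}      # stands in for a listing such as Jupiter Seaways
LARGE_VALUE_USD = 10_000_000        # any single payment at or above this needs sign-off
DAILY_OUTFLOW_USD = 100_000_000     # hold the whole batch if one originator exceeds this
# Constructed vocabulary of words expected in beneficiary names at this institution.
KNOWN_WORDS = {"shalika", "foundation", "acme", "trading", "ltd", "holdings", "corp"}


def tokenize(text):
    """Lower-case alphabetic tokens; punctuation and digits are ignored."""
    return re.findall(r"[a-z]+", text.lower())


def screen_transfer(t):
    """Return a copy of t with review flags attached; no flags means straight-through."""
    out = Transfer(t.ref, t.amount_usd, t.beneficiary, t.address, list(t.flags))
    if any(tok in WATCHLIST_TOKENS for tok in tokenize(out.address)):
        out.flags.append("WATCHLIST_ADDRESS")
    if out.amount_usd >= LARGE_VALUE_USD:
        out.flags.append("LARGE_VALUE")
    # A word never seen in a beneficiary name (e.g. 'fandation') is routed to a human.
    unknown = [w for w in tokenize(out.beneficiary) if w not in KNOWN_WORDS]
    if unknown:
        out.flags.append("UNKNOWN_BENEFICIARY_WORDS:" + ",".join(unknown))
    return out


def screen_batch(transfers):
    """Screen one originator's batch; returns (held, passed) lists of Transfer."""
    screened = [screen_transfer(t) for t in transfers]
    total = sum(t.amount_usd for t in screened)
    if total >= DAILY_OUTFLOW_USD:
        # Individually small payments can still add up to an abnormal outflow.
        for t in screened:
            t.flags.append("BATCH_TOTAL_EXCEEDS_DAILY_LIMIT")
    held = [t for t in screened if t.flags]
    passed = [t for t in screened if not t.flags]
    return held, passed


# Constructed sample batch loosely modelled on the article's description.
SAMPLE = [
    Transfer("T1", 20_000_000, "Shalika Fandation", "Colombo, Sri Lanka"),
    Transfer("T2", 6_000_000, "Acme Trading Ltd", "Jupiter Street, Makati, Philippines"),
    Transfer("T3", 500_000, "Holdings Corp", "Singapore"),
]

if __name__ == "__main__":
    held, passed = screen_batch(SAMPLE)
    for t in held:
        print(f"HELD   {t.ref} {t.amount_usd:>12,} {t.flags}")
    for t in passed:
        print(f"PASSED {t.ref} {t.amount_usd:>12,}")
```

In the sample, T1 is held twice over (the misspelled beneficiary and the $20 million value), T2 is held on the address token alone even though its amount is unremarkable, and T3 passes. The batch check is the one a printer outage cannot defeat, because it runs on the messages themselves rather than on whether anyone happened to read them.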
They contacted the Bangladesh bank to ask for confirmation… and by then, the hackers had logged off to avoid detection. It was Saturday morning in the capital Dhaka and staff were about to arrive for work.
When they did, they should have noticed immediately that $81m was missing, and that puzzled Fed bankers in New York were making enquiries about another $860m.
But the hackers had played a simple trick. They had knocked a vital printer out of action. The custom with all international transfers was to have the system automatically print out the requests… and if the printer wasn’t working, the staff wouldn’t see the transactions.
It was Sunday morning before an engineer rebooted the printer, and out scrolled dozens of requests from the Fed, amounting to almost all the country’s currency reserves. That caused frantic panic, since no one in New York was available to cancel their transfers.
By Tuesday, the banks could communicate freely and so put a stop to the $900 million of transfers. But the delay had given the thieves enough time to make off with the $81 million, which is thought to have been funnelled through Filipino banks.
In the Bangladeshi capital Dhaka, the governor of the bank was so aghast at the breach that he didn’t dare warn the government. Instead, he contacted a friend in the U.S., an expert in banking computer fraud, and begged him to fly over to solve the crisis.
At first, the assumption was that this must be an inside job. Rogue employees had either robbed their own bank, or had allowed hackers into the building. Only after the investigators had watched 18 hours of CCTV footage did they believe the impossible: the crooks were inside the bank’s computers.
To date, only one person has ever been prosecuted: Maia Deguito. In April this year, her appeal was rejected against eight convictions for money laundering. The court in Manila dismissed her plea that gangsters had threatened to kill her family if she didn’t comply.
Her 2019 sentence was upheld: four to seven years on each charge, meaning she will spend between 32 and 56 years in prison… with a $109 million fine. She might not be freed until 2075.
How willing she really was to commit crime, and how much coercion she endured, is impossible to know. What’s certain is that Deguito’s part was tiny, compared to the scale of the scam.
The attack was eventually traced back to an organised crime gang dubbed the Lazarus Group. They were responsible for attacks on the White House, on the South Korean government and on Sony Pictures in Hollywood, where documents including salacious emails between A-list stars were stolen in 2014.
The Lazarus Group is not a bunch of mavericks. It is highly trained and hugely well resourced. Most cyber security experts believe the gang is backed by North Korea, though Russia, China and Iran also have State hacking programmes.
In a world where every social system relies on computers – not just banking but energy, communications, transport, food supplies and everything else – the chaos that hackers can create is unlimited.
In the UK, Europe and America, there is a dearth of cyber security engineers: the U.S. estimates it lacks about 40 per cent of the talent it needs to defend itself. And with the emergence of artificial intelligence, the dangers become even more urgent.
Already, A.I. programmes that write malware, such as WormGPT, are available on the dark web. As these become more sophisticated, we will see viruses that are effectively invisible, able to hide their traces as they burrow through networks.
This kind of software is not vulnerable to the kind of human error that both made the Bangladesh bank heist possible and prevented it from being even more catastrophic.
Artificial intelligence doesn’t make spelling mistakes or leave out crucial information on transaction requests. Meanwhile, human beings continue to click on files out of curiosity, and unleash viruses in their workplace.
It’s an increasingly unequal battle. And the consequences for us if we lose are unimaginable.
- Misha Glenny is an expert on global organised crime and cybersecurity, and the author of McMafia. Billion Dollar Heist is available to rent and own on digital platforms.