Lazarus Group's Attempt to Steal $ 1 billion from the Central Bank of Bangladesh

In 2016, North Korean hackers from the Lazarus Group launched an attack on the national bank of Bangladesh to steal $ 1 billion and found themselves on the brink of success. It was only by sheer luck that all transfers, except for the $ 81 million transaction, were stopped.

According to the BBC, the incident began with a malfunction of an office printer, which played a decisive role in the attack. The device was located in a secure room on the 10th floor of the bank's headquarters in Dhaka, the country's capital. His task was to print the records of the multimillion-dollar transfers entering and leaving the bank.

Bank employees rebooted the printer and received very disturbing news. The device printed urgent messages from the Federal Reserve System (FED) of New York, where Bangladesh holds a US dollar account. The FED received instructions from the Central Bank of Bangladesh to empty the entire account - about a billion dollars.

Bank employees tried to ask the FED for clarification, but, thanks to the very careful calculation of the hackers, they failed. The hacking started around 8:00 pm Bangladeshi time on Thursday, February 4th. But it was Thursday morning in New York, which gave the FED plenty of time to follow the hackers' orders while the Bangladesh Central Bank employees slept.

The next day, Friday, the weekend began in Bangladesh - from Friday to Saturday. And when Bangladesh began investigating the theft on Saturday, New York was already having its weekend. To buy even more time, the hackers transferred money from the FED to accounts in Manila, the capital of the Philippines. And in 2016, Monday 8 February was the first day of Lunar New Year, a national holiday in Asia. Using the time difference between Bangladesh, New York, and the Philippines, the hackers devised an accurate five-day attack.

The Lazarus Group has been hiding in the bank's systems for a year. In January 2015, a seemingly innocuous e-mail from a job seeker named Russel Ahlam was sent to several Bangladesh bank employees inviting them to download Ahlam's resume and cover letter from the website. At least one bank employee fell for the trick, downloaded documents and installed malware on the system. Once on the bank's network, the Lazarus Group began to quietly navigate the network towards digital vaults and billions of dollars. Soon, hackers gained access to a key part of the Bangladesh National Bank's system - Swift.

It soon became clear to bank officials that some of the money had already arrived in accounts in the Philippines, where authorities demanded a court order to effect a refund. However, the FED has managed to prevent most of the criminals' transfers. The RCBC branch in Manila, where the hackers tried to transfer $ 951 million, was located on Jupiter Street.

“The transactions were rejected by the FED because the address used by the hackers contained the word Jupiter, which is also the name of a sanctioned Iranian shipping vessel,” the experts explained.

The mere mention of the word Jupiter was enough to trigger an alarm in FED automated computer systems. Payments have been revised and most of them have been stopped. However, five transactions worth $ 101 million were verified.

Of this, $ 20 million was transferred to the Shalika Foundation, a charitable organization in Sri Lanka, which the hackers' accomplices used as one of the channels for the removal of the stolen money. For the next phase of the money laundering operation, the thieves used the Solaire Hotel in Manila. Of the $ 81 million in cash, $ 50 million was deposited in accounts at Solaire and Midas casinos. Once the stolen money has been converted into casino chips, played at the tables and exchanged back for cash, it will be nearly impossible for investigators to trace it. For several weeks, players sat in Manila casinos and laundered money. The bank's employees managed to return only $ 16 million of the stolen money from one of the organizers of gambling at the Midas casino.

As money stolen from the Central Bank of Bangladesh was laundered through the Philippines, numerous links began to emerge with the Macao Special Administrative Region of China. Some of the men who organized Solaire gambling have been traced back to Macau. The two companies that booked private gambling rooms were also based in Macau. Investigators believe that most of the stolen money went to this small Chinese territory and then was redirected to North Korea.