Darknet Diaries - 72: Bangladesh Bank Heist

Episode Date: August 18, 2020

A bank robbery with the objective to steal 1 billion dollars. This is the story of the largest bank robbery in history. And it was all done over a computer.

Our guest this episode was Geoff White. Learn more about him at geoffwhite.tech. Check out Geoff's new book Crime Dot Com. Affiliate link: https://www.amazon.com/gp/product/1789142857/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1789142857&linkCode=as2&tag=darknet04-20&linkId=bb5a6aa7ba980183e0ce7cee1939ea05

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet. And use promo code DARKNET25.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Transcript
Starting point is 00:00:00 I've heard a few stories of people robbing banks just to get a few hundred dollars. I heard this one story of a guy who walked into a bank. He acted like he had a gun under his jacket. He placed a note on the bank teller counter, and the note quietly said, This is a robbery. Give me some money. The teller straightened up and handed over some cash and the guy ran out. He risked it all just for a few hundred or a thousand dollars. And then there are people who rob banks with bigger goals, like they want to score a hundred
Starting point is 00:00:37 thousand dollars. To do this, you might have to hold up the whole bank, not just one teller, which causes total panic. You need to jump behind the counter and empty all the tills and maybe bring a real gun this time. It's intense and crazy. But for some people, that still isn't enough. They have even bigger bank robbery ambitions. They want to score a million dollars. And that kind of bank robbery is not easy. You have to time it just right, like just after someone makes a big deposit, or maybe you plan to knock over a few of those armored bank trucks all at once. But some people have done it, and it usually takes a lot more resources and skill to pull off a million dollar
Starting point is 00:01:16 bank robbery. But still, that's not good enough for everyone. This is a story about how a group of people with some very interesting ties tried to rob a bank for $1 billion. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Dark by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online.
Starting point is 00:02:18 Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless. And it's not a fair fight. But I realized I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately
Starting point is 00:02:43 got busy scouring the internet for my name and gave me reports on what they found. And then they Thank you. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries. Use code Darknet. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call.
Starting point is 00:03:44 I'm sure they can help. But the founder of the company, John Strand, is a teacher. And he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF cyber range, which is great for practicing your skills and showing them off to potential
Starting point is 00:04:21 employers. Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's blackhillsinfosec.com. Blackhillsinfosec.com. This is a big story. And to help tell it, I brought in Geoff White. So I'm Geoff White. I'm an investigative journalist, and I cover technology for, among others, BBC News, Channel 4 News, and my own podcast, Cybercrime Investigations.
Starting point is 00:04:56 Geoff has had his head in this case for over a year, trying to unravel, understand, and crack this case. He knows more about this case than anyone else I could find. So let's get into it. A billion dollar bank robbery. That's the goal here. But that's like impossible. Who would have a billion dollars lying around for someone to grab? A billion is a lot of money. Your average consumer bank, like your local Chase or Wells Fargo bank branch, is not going to have this much money anywhere, probably not even in their bank headquarters.
Starting point is 00:05:28 So your typical bank is out. So we have to aim higher, possibly like a Federal Reserve Bank or something, some bigger place that has a lot of money. The robbers knew that national banks would have a large amount of money like this, like a country's reserve bank. So they started looking around for what national banks might be a good target. And they chose the Bangladesh Bank. This was an interesting target to choose as far as central banks go.
Starting point is 00:05:58 Bangladesh has a growing economy and is starting to really flourish. But it's still a developing nation. And its central bank, hmm, does it have the best security? I don't know. Which might make this an easier target than a more developed nation's national bank, like the U.S. Federal Reserve Bank. So the Bangladesh Bank became the target. Which is the National Bank of Bangladesh.
Starting point is 00:06:21 It's like the Federal Reserve Bank or the Bank of England. It's, you know, it's like the country's bank. Billions of dollars of reserve currency is sitting in there. All right. So the target is set. Now, this group has a special weapon. They're pretty good hackers. So their plan isn't to bust down the door, draw their weapons and shout, everyone on the floor, give me a billion dollars. No, that's not an option here. Instead, the plan was to hack into the Bangladesh bank and transfer out as much money as they could before anyone could catch them. It starts a full year before. I think it was January 2015, the first emails started popping up inside Bangladesh Bank.
Starting point is 00:06:56 A few employees get the classic phishing email. It's a zip file. It contains a CV for somebody who looks like a job applicant. They open the zip file, have a look at the CV, or perhaps don't ever get the CV, but nonetheless, they get infected. Three people opened the email in Bangladesh Bank, and at least one of them got infected. Okay, so the hackers, or in this case, the bank robbers, infiltrate the network. Now, when they get in using a phishing email like this, they only get into one person's computer,
Starting point is 00:07:28 whoever that person was who opened the email, and that's it. They just have access to that one computer. From there, they have to try to hop around to other computers in the network. And once they get in, they use three types of malware to set up for the next part. And as far as I'm aware, one of them created the backdoor into Bangladesh Bank. Another of them created the encrypted channel
Starting point is 00:07:50 so that you could pull stuff out of that backdoor without being spotted. And the third piece of software was used to scan and navigate across the network. So they spend some time mapping out the network of the Bangladesh Bank, moving around, establishing persistence, and learning about how to transfer money around. One of the first things to do is they work out where Bangladesh Bank's got its money. So it's not all sitting in Dhaka, the capital of Bangladesh. Bangladesh Bank has a foreign currency reserve account in New York at the New York Fed. And so
Starting point is 00:08:20 there's a billion dollars sitting there. So the criminal's like, OK, there's a billion dollars. That would be good if we can get that. In order to transfer money, banks have this system called SWIFT. SWIFT is the International Bank Transfer System. There's an international bank version of that which transfers millions, billions of dollars around the world. So SWIFT is a banking network used to send payment orders between banks. There are over 11,000 members, financial institutions, in over 200 countries around the world who use Swift to send payment orders to each other.
Starting point is 00:08:51 So anyway... The thieves realize, okay, to transfer that billion dollars out of the New York Fed, we're going to have to get to the Swift software and do a series of transfers using Swift. That's exactly what they're doing. When they get into Bangladesh Bank, they're trying to navigate their way around the network and find the computer that's got Swift on it
Starting point is 00:09:10 so that they can then manipulate that computer and transfer the money out of New York and out of the New York account of Bangladesh Bank. So the thing about Swift is that it's pretty secure. It is secure. It has to be. Because it's handling this very sensitive financial communications. It's practically impossible to hack.
Starting point is 00:09:29 But, as with all computers, there is a weakness. And one of the biggest weaknesses is human error. Hackers rooted around the Bangladesh Bank Network looking for the right computer that can authorize bank transfers. And, of course, they find it. The computer authorized to make Swift transfers. Bingo. So instead of trying to hack into the Swift system, they got to the human users of the computer terminals
Starting point is 00:09:55 that ran Swift, and they watched how the users interacted with it, and they learned how to impersonate those human users, and then tricked the Swift network into thinking that they were authorized users making real transaction requests. But first, the Swift terminal. I mean, I don't know about you, if I was confronted with the Swift terminal, I would have no idea where to start. I'd probably make some mistakes.
Starting point is 00:10:19 It did not take these guys very long at all to make the transfers to transfer out the money. Hmm. This makes me think that these hackers are probably already familiar with the Swift bank system. Perhaps this was someone who had done work for Swift before or someone who hacked into a bank and did some Swift transfers already. Since they knew how to use it right away without having to sit and watch how a typical bank operator does it. It's very interesting. So they got that piece sorted, but now they needed to figure out how to hide their tracks to blend in. To do this, they obtained a bank transfer record and used them to learn what a typical large transfer would look like. They studied the bank's high dollar value transfers.
Starting point is 00:11:01 What kind of transactions were they? When were they made? And to who? They used these insights to plan their theft. They would use transactions that looked like the bank's typical large transactions to steal their billion dollars without raising suspicions. So transactions they lined up, not only did they know how to run SWIFT, but they knew what to type into SWIFT to make the transfers look legit. And they had all this almost in advance. It was almost like they knew how Swift ran. With the right keystrokes on this computer, they can move that $1 billion to another bank account, an account owned by the hackers. But hold up. Even if they now had access and a plan for making their transfer blend in, making one giant transfer to themselves
Starting point is 00:11:44 still might not be the best idea. Using this strategy might have raised a flag somewhere in the system. A big transfer like that might require additional authorization or something. And why put all your eggs in one basket? If that $1 billion transfer fails, then everything fails.
Starting point is 00:11:59 So the hackers decided to break up the theft into many smaller transfers. This is a classic money laundering technique. So in May 2015, five bank accounts were opened in the RCBC Bank on Jupiter Street in Manila, the capital of the Philippines. Each of these accounts were opened with an initial $500 deposit. These accounts sat untouched for nearly a year until the weekend of February 5th, 2016. By that point, the bank robbers had everything set up. They launched a successful spear phishing operation
Starting point is 00:12:32 on Bangladesh Bank employees, which allowed them to get access to the bank's computer network and the SWIFT terminals. And they figured out how to impersonate Bangladesh Bank's credentials on SWIFT. And now they have bank accounts set up around the world waiting to receive the stolen money. And we know about those five accounts in the Philippines and... At least one account set up in Sri Lanka. I don't know where the other accounts are. Despite efforts, I have not managed to find out.
Starting point is 00:12:59 But this was a worldwide operation. And now they're ready to roll. On February 3rd, 2016, the hackers entered the Bangladesh Bank network one more time. It was a Thursday. They waited for the bank to close that night. And as soon as it did, they made the keystrokes needed to get into the Swift terminal. See, the Bangladesh Bank actually has a lot of money in the U.S. Federal Reserve Bank. So they accessed the Bangladesh bank account in the
Starting point is 00:13:25 New York Federal Reserve Bank and started making transfers to 36 of the hackers' bank accounts all over the world. And the 36 transactions totaled $951 million. Now, the timing of this transaction was perfect. A Thursday night in Bangladesh. In classic heist movie tradition, you know, you try and pick a weekend to do your bank break-in. And what you're ideally looking for is a long weekend. You know, a bank holiday weekend, public holiday weekend, which will give you three days.
Starting point is 00:13:56 In an already really well thought out elaborate plan, the timing was a stroke of genius. Because it meant that not only are the hackers dealing with a long weekend, but they're also taking advantage of... Three time zones here. You've got Bangladesh Bank, which is the bank that's been hacked into where the money's going to be transferred from. You've got where the actual money is, which is New York, which is obviously a different time zone. And you've got where the money is going, which is the Philippines, which is yet another time zone. So what they did was play these three time zones to their advantage.
Starting point is 00:14:24 Now, besides the time zones being to their advantage, in Bangladesh, the weekend starts Thursday night. And because this was Thursday night, nobody was going to be in on the weekend to see anything suspicious happening. However, it's not the weekend in New York. It's Friday in New York, which means the funds can be transferred properly there. So by that time, a lot of the bank workers would have gone home. They know they've got a good long weekend, a weekend of two days to work with.
Starting point is 00:14:47 But of course, it's 9.36 a.m. in New York where the actual money is. So when they start issuing the commands to transfer out the money, in New York, they've got an entire day of New York working on it, knowing that the people in Bangladesh who might be keeping an eye on it or most of them aren't at work over the weekend. And there's another detail of timing that also helped them out. The attack started on Thursday, February 4th. And on that following Monday, February 8th, was the Chinese New Year,
Starting point is 00:15:13 which is a bank holiday in the Philippines, which is where those RCBC bank accounts were sitting. So you've got all of Thursday, Friday, Saturday, Sunday, and Monday with these three time zones working to your advantage. So on Friday morning in New York, the Federal Reserve receives all these swift transaction requests that look like they're coming from the Bangladesh Bank. And the New York Federal Reserve Bank proceeds to process the transactions. Money starts being sent to the hackers' bank accounts one by one. Millions here, millions there.
Starting point is 00:15:46 One of the transactions is for $20 million to one of the hackers' bank accounts in Sri Lanka. $20 million was going to go to Sri Lanka, which is a huge amount of money for the charity concerned that it was going to. So the New York Federal Reserve approves the request, and the $20 million starts making its way to the intermediary bank, which happens to be in Germany. But it gets stopped there because of a pretty basic human error.
Starting point is 00:16:09 The money was trying to be sent to the Schalika Foundation, but the transfer request spelled it as Schalika Fundation. It was missing an O. And when a human looked at this transfer, it rang some alarm bells. So the bank in Sri Lanka flagged it back to a bank in Germany that had done the transfer. They in turn transferred it back to New York and said, we think something's wrong with this. And New York, you can imagine, had some pretty hairy moments looking at these transactions and going, oh shit, something's wrong here.
Starting point is 00:16:37 So this raises the alarm. And the New York Federal Reserve is now scrambling to try to figure out what's going on. They tried calling the Bangladesh bank, but it's Friday. And Friday is a weekend in Bangladesh, so they have trouble getting through. By this point, the hack is done. They hacked into the Bangladesh bank, sent money to the New York Federal Reserve, and then told the New York Federal Reserve to send it to 36 accounts. By Friday at 3.59 a.m. local time in the Philippines, the hackers log out of the Bangladesh bank's Swift network. The malware that they had installed on the machines began deleting evidence of their crime. But hold up, you'd think that the bank's security systems would have some kind of failsafe to protect against this kind of robbery, right? There's a printer, an HP LaserJet printer, in the corner
Starting point is 00:17:18 of the office in Bangladesh Bank, and its job is partly to print out records of Swift's transactions when they're made. And so every day, including on Bangladeshi weekends, that printer is automatically printing out all the transactions that are coming in. And normally that's not that many, maybe a dozen. So the paper printouts are one safeguard. And another safeguard is that there's employees who are on duty and it's their job to scrutinize the transactions on these records. On the Friday of the hack, that employee was named Zubair, and he was a director of the bank. The hackers had a plan
Starting point is 00:17:50 for this too. Now the hackers, one of the smart things they did when they did their heist was to realize that if the printer kept going, it would immediately expose what they'd done. To deal with this failsafe, the thieves hacked the printer to make it print blank pages of transaction records. Then they installed malware on the computers running the printer that would delete evidence of the messages. So Zubair was in the office on Friday, but the printer was just printing out blank pages. He assumed it was just some technical glitch and he could deal with it on Saturday. But then on Saturday, there was an even bigger problem. When the Bangladesh Bank employees tried to log into the SWIFT terminal,
Starting point is 00:18:32 they were seeing errors and couldn't log in. When they finally were able to log into the system, they saw three messages from the New York Federal Reserve asking about the large quantity of payment instructions that they had received over the Bangladeshi weekend, which altogether totaled almost $1 billion. So at this point, on Saturday, Zubair was pretty panicked. He tried to call the New York Federal Reserve Bank. But of course, it's now Saturday where the banks are closed in the US. He starts emailing and faxing in requests to the Federal Reserve to stop all transactions and payments for this. At some point, the Bangladesh Bank employees also shut down their server
Starting point is 00:19:08 in an attempt to stop even more fraudulent transactions from executing. They then start making a series of appeals. They're obviously contacting the New York Federal Reserve to try and get the money back. I never realized this about the international banking system, but there's a lot of intermediaries. So it's not just from the New York Fed that the money goes straight to the Philippines or straight to Sri Lanka. It goes to a number of intermediary banks. So you get a sense of panic, one bank contacting another and saying,
Starting point is 00:19:31 well, hang on, what's happened here? Well, we transferred the money to you. Where's the money gone now? So you've got multiple different banks to go through. I'm going to pause for a quick break here while I add up how much money successfully got through. Stay with us. This episode is sponsored by Shopify. The new year is a great time to ask yourself, what if? When I was thinking, what if I start a podcast? My focus was on finding a catchy name, some cool stories,
Starting point is 00:19:57 and working out the best way to record. But oh, so much more goes into making a podcast than that. If you're thinking, what if I start my own business? Don't be scared off. Because with Shopify, you can make it a reality. Shopify makes it simple to create your brand, open for business and get your first sale. Get your store online easily with thousands of customizable drag and drop templates. And Shopify helps you manage your growing business. Shipping, taxes and payments are all visible from one dashboard, allowing you to focus on the important stuff. So what happens if you don't act now and someone beats you to the idea the best time to
Starting point is 00:20:28 start your new business is now. With Shopify, your first sale is closer than you think. Established in 2025. That has a nice ring to it, doesn't it? Sign up for your one dollar per month trial period at shopify.com slash darknet. Go to shopify.com slash Darknet and start selling with Shopify today. Shopify.com slash Darknet. So while 36 transactions were attempted, which totaled almost a billion dollars, only four transactions actually went through. The bank robbers successfully transferred 81 million dollars to their five RCBC bank accounts in the Philippines, which they had set up nearly a year before using fake IDs. One reason the money made it to their accounts in
Starting point is 00:21:17 the Philippines was that the transfers occurred during the Chinese New Year, so RCBC bank was closed when the Bangladesh bank tried to call up and stop the transfer. But that's not the only reason. There's some allegations that there might have been an insider at the RCBC Bank too. The timeline is pretty suspicious. On February 9th, RCBC logs into the SWIFT system and sees the stop payment messages that Bangladesh Bank has now sent them. And yet, even after seeing those stopped payments that same day, the hackers were able to completely empty their bank accounts. Huge sums of money. And once they're withdrawn...
Starting point is 00:21:52 That money was programmed to disappear. There was a whole system in place to take that money and speed it through the system so that no one could ever find it again. A large percentage of the $81 million went to a single person. From the investigation out in the Philippines, that $30 million was given to a bloke, a Chinese national, who just disappeared with it and he's never been heard of again. Perhaps this Chinese man was in on it somehow, a middleman or something,
Starting point is 00:22:18 and he required a cut of the money to do his job. But yeah, we don't know what happened to him or his money. He just vanished. But that's still $50 million for the rest. So the next part of the plan was for the hackers to make it so that this money couldn't be traced back to the bank heist. They needed to come up with a plan to launder $50 million. And to do that, they sent it directly to a casino. One's called the Midas Casino and one's called the Soler Casino. I think it was 30 million in the Soler and 20 million in the Midas. Now, it's not clear how the money got to the casino.
Starting point is 00:22:52 But from what I understand, when high rollers come into town, they don't stroll in through the front door with like a million dollars in a briefcase. No, they link up their bank account to the casino's bank account and initiate transfers to the casino that way. So my guess is that on Friday, the funds were transferred into these bank accounts in the Philippines. And then on Monday, those funds were cleared. However, Monday was a Chinese New Year, so those banks were closed. But my theory was that the hackers had prearranged with the casino to make these huge transfers on Monday. So they were done online or through the casino somehow without having to go into the bank.
Starting point is 00:23:28 But now that the money was in the casino, they couldn't just grab their money and go. They needed to gamble for a while to not look suspicious. The way it might work for you and me is we'd go and we'd say, OK, I want to bet a million dollars this weekend. And the casino would say,
Starting point is 00:23:41 OK, pay your million dollars into, you know, our account numbered X. And that way, when you go, there's a record of that transaction. You turn up at the casino and say, hey, I've got a million dollars kind of, you know, in your bank account. I'd like to bet my money now. A few Chinese men who were working with these hackers took the money from the heist, went into the casino and requested a junket. A junket is a private room for high rollers who can gamble without being bothered. Basically, you tell the casino, I want a room for a certain number of gamblers and we're going to spend $10 million here. And what's most important about this, certainly from a money launderer point of view, is the chips that are issued, the casino chips that are issued, only work in that room.
Starting point is 00:24:20 They're like branded casino chips, you know, that they only work in that room. So what that means is if you're a money launderer and you've paid, you know, your 50 million to these casinos, you hire out a room, you've got your guys in there to gamble, you know that those chips are only going to be spent and gambled in that room. So you've got a controllable situation. These guys can't wander off somewhere with your chips and spend them elsewhere. They've got to spend them in that room. And you can keep an eye on what they're spending. The other important detail about these junket rooms is that they were playing Baccarat. Baccarat is interesting because there's only two things to bet on in Baccarat. You bet on the banker or you bet on the player.
Starting point is 00:24:58 And they say that if you keep playing Baccarat over a long period of time, odds are pretty good that you'll get about 90% of your money back. So the casino will end up with 10% of your money after you play for a long period of time, which is sort of a safe way to gamble without losing too much. This will allow the hackers to gamble without causing suspicion, like they're just cashing out and laundering money.
Starting point is 00:25:19 So the hackers sat there in a private junket in the two casinos in the Philippines, gambling their loot that they just stole, just trying to buy enough time to cash out without raising suspicion. And because at this point, everyone involved, the Bangladesh Bank, the New York Federal Reserve, the RCBC, and the law enforcement agencies, they know that $81 million has been stolen.
Starting point is 00:25:41 The authorities were able to follow the money to the casino, which raises a question. If we know all this money passed through two casinos to be laundered, are the casinos responsible at all? Well, as it turns out, just days after the bank heist, Bangladesh Bank asked the Philippines authorities for help, and the authorities shut down those fake bank accounts, and they knew where the men went with the money, and they knew what casinos they were in, but the country's law enforcement let them play without making any arrests. The casinos, for their part,
Starting point is 00:26:12 had some plausible deniability. To us, this just sounds crazy. A bunch of Chinese guys turn up and bet tens of millions of dollars. If you're a casino in the Philippines, that happens a lot. So it isn't unfeasible that the casino could have looked at this and thought,
Starting point is 00:26:26 well, hey, here's some high rollers in town, you know, big spenders. It's worth pointing out that in the Philippines at that time, casinos didn't have good money laundering regulations. So it's possible that's why these casinos were targeted for this. The robbers finished their gambling, which was actually money laundering, quietly cashed out their chips, walked out of the casino and promptly left the country flying to China. In total, the hackers were able to successfully steal $81 million from the Bangladesh bank. So who exactly were these hackers?
Starting point is 00:27:01 Well, it turns out it was the North Korean government. North Korea starts getting into computer hacking from what the experts say. In about 2009, there's the creation of a thing called the Reconnaissance General Bureau, which pulls together a lot of their hacking kind of people into one unit. Security researchers dubbed this North Korean hacking group the Lazarus Group, which also is known as the Reconnaissance General Bureau or APT38. And researchers found traces of Lazarus Group on other attacks too. And it's really interesting to see a nation state getting into the game of bank robberies. Because nation state hackers don't rob banks.
Starting point is 00:27:40 They never hack for financial gains. I seriously can't find any other story of a nation-state hack where their goal was to steal money. North Korea seems to be the only one hacking for financial gains, which is so weird. But according to Geoff, this actually kind of makes sense from a geopolitical standpoint. 2013, the sanctions are passed,
Starting point is 00:28:02 restricting North Korea from bulk transfers of money, which is a response to North Korea launching missile tests that the world does not want it to do. That's 2013. It's stopped from getting access to international money. Two years later, 2015, they start hacking into Bangladesh Bank, according to the FBI. So you can see a progression where it's like, oh, we can't get any money. How are we going to do that? Oh, well, let's just try and hack our way around that. So that's where Lazarus Group and these bank robberies come in. It wasn't just Bangladesh Bank that they targeted. Lazarus Group has been tied to almost all of the world's swift attacks to date. Banks in Ecuador, Vietnam, Poland, India, Taiwan and Russia have all been hacked and had attempted bank robberies,
Starting point is 00:28:45 which can be attributed to hackers within the North Korean government being the main culprits. They've been hitting bank after bank, attempting to steal millions of dollars. All in, Geoff estimates that the Lazarus Group has tried to steal roughly $1.2 billion, but has only ended up with $122 million. And some say that this $81 million bank heist from the Bangladesh Bank was the largest bank robbery in history. And if it is North Korea, that's $1.2 billion going to a country that's under international financial sanctions.
Starting point is 00:29:22 So I've discovered, you know, for the ones I've added up, they've tried to get 1.2 billion. What they ended up with was 122 million. So roughly a tenth of what they tried to get is what they actually managed to pull out. So if Lazarus Group has stolen 122 million, that would be a significant portion of North Korea's GDP. And since it's been so successful, I see no reason why they can't continue to do this for years into the future. And typically what we've seen is the money is taken to Macau in China, which is where the money went after they cashed out on this casino. And from Macau, it can then be wired directly into North Korea because North Korea does business with companies in China. And so this transaction could easily be hidden.
Starting point is 00:30:07 So yeah, $122 million stolen. This looks like North Korea got away with it. But don't just take my word for it. The U.S. Department of Justice investigated this. A lot. The FBI wanted to know more, and spent two years tracking down who hacked the Bangladesh bank, and came to a conclusion. In late 2018, the U.S. Department of Justice gave
Starting point is 00:30:27 this announcement. We have unsealed criminal charges against a North Korean computer programmer for participating in a conspiracy that conducted sophisticated cyber attacks around the world on behalf of the North Korean government. Members of the conspiracy are responsible for some of the most damaging and most well-known cyber intrusions in history, including the cyber attack targeting Sony Pictures and the cyber heist of Bangladesh Bank. The criminal complaint unsealed today specifically charges Park Jin Hyok. But the complaint also alleges a wide-ranging conspiracy
Starting point is 00:31:04 and describes in minute detail how we were able to link the North Korean subjects, backed by their government, were responsible for these crimes. Oh, whoa. The same group did the Sony hack, too? I'm sure you've heard of this. There was this movie that Sony Pictures was producing called The Interview, a comedy with Seth Rogen and James Franco where they were to travel to North Korea to interview Kim Jong-un. The CIA would love it if you could take him out. Hmm? Take him out. Like for drinks? Like to dinner?
Starting point is 00:31:56 Take him out of the town? No, uh, take him out. You want us to kill the leader of North Korea? Yes. Well, as it turns out, North Korea did not find this funny and hacked into Sony Pictures, getting access to emails, personal information, unreleased movies, scripts, and salaries. They published all this to WikiLeaks and at the same time demanded that Sony not release The Interview.
Starting point is 00:32:17 And if that wasn't enough, they were destroying computers inside Sony using a wiper virus. Of course, this sparked a major debate over in Washington, D.C. as President Obama was trying to figure out what to do. An enemy nation just attacked an American company. If this had been a kinetic attack, like with a bomb or fire, this would certainly be an act of war. And some people were urging Obama to consider this to be the same. But someone else said, are we really going to go to war every time a company gets hacked? President Obama had this to say. We cannot have a society in which some dictator someplace can start imposing censorship here in the United States. Because if somebody is able to intimidate folks out of releasing a satirical movie,
Starting point is 00:33:03 imagine what they start doing when they see a documentary that they don't like or news reports that they don't like. Strangely enough, Trump, who was not president at the time, was interviewed on The Wendy Williams Show and was asked about this. Here's what he said. Look, I hear the movie is terrible. And if somebody did that to our president, whether you love your president or don't love your president, if they start talking about assassination, and I heard they did some really
Starting point is 00:33:31 vile things. It wasn't just like assassination. It was, yeah, really terrible, terrible things to him. Uh, you know, that's pretty bad stuff, right? So I can see both sides of it. That... that's not... I'm not even going to comment on that. Sony backed out of releasing the film, but Washington, D.C. urged them to publish it anyway to send a message that Kim Jong-un cannot suppress free speech whenever he wants. So Sony did a limited release and made the film available directly for download.
Starting point is 00:33:59 But yeah, it's fascinating to see the U.S. has enough evidence to blame the same North Korean hacker for the hack on Sony and the Bangladesh bank heist. The DOJ has an indictment for the hacker's arrest, but they'll likely never be caught because there's no way to go into North Korea and arrest him. And they probably aren't traveling anywhere anytime soon. But if the guy listed in the indictment were to travel to a country which has an extradition treaty with the U.S., the FBI would probably find out and try to arrest them. Geoff, being the curious person and good journalist he is,
Starting point is 00:34:36 decided to go to the North Korean embassy in England to get some answers. The embassy is in West London, in a suburb of West London called Ealing. And look, all the embassies, there's certain areas of London where the embassies are based, like big, posh houses, security outside, you know, the Canadian flag waves outside the Canadian embassy and so on. North Korea really does look like a semi-detached house in a suburb. And it was actually a converted family house. And so I went up. I thought, look, I tried to email them. I tried to call them. I got no
Starting point is 00:35:12 response. So I went to the embassy to knock on the door. So it's really disappointing. There's a sort of electric gate that sits across the driveway. Two very expensive Mercedes, by the way, parked in the driveway. And so the electric gate is on a sort of remote control from inside the place. And the front door of the actual embassy itself is behind that electric gate. And it was, I'll be honest with you, it wasn't unfeasible. I could have jumped the gate to get to the front door. But I just thought at that point, you know, you're kind of trespassing on the North Korean embassy. I didn't want to kind of end up in the Evening Standard as, you know, technology journalist tasered as he tries to, I don't know. There was no bell or anything to push? Not accessible on the outside. In order to get to the bell, I would have had to have jumped the gate, and jumping the gate just felt a step too far, you know. Yeah. So I sent them a letter by recorded
Starting point is 00:36:11 delivery, and I got a little confirmation back from the post office saying that my letter had been received by Mr. Kim at a particular time. Mr. Kim still hasn't got back to me to answer my questions, and I suspect I won't hear back, but worth the trip. I want to take a minute to emphasize that this $81 million was stolen because someone clicked a link on a phishing email. This goes to show that humans are still the weakest link in the network, but the other $900 million in transfers was stopped because of a human. Somebody spotted these transactions and was able to take action, which protected most of the $1 billion payload from the hackers. So yeah, while humans are the weakest link, they're also the strongest link at the same time. And a well-trained and educated employee can do
Starting point is 00:36:56 wonders for a company by protecting their systems from hackers. In 2018, the Bangladesh Bank brought a lawsuit against RCBC, the bank in the Philippines to which the money was sent, for failing to quickly put a freeze on the fraudulent accounts. They alleged there was corruption or collusion which allowed the hackers to get away with it. But RCBC responded with a defamation lawsuit. They were saying it was an inside job from the Bangladesh Bank. But check this out. In January 2019, the bank manager at RCBC was arrested and found guilty of money laundering. She was sentenced to four to seven years in prison. And as it turns out, she was the one who opened the bank accounts that the stolen money was sent to.
Starting point is 00:37:39 Now, she handles things related to customer care, and I don't know enough about the RCBC policies to know if it's normal for a bank manager to open accounts for customers. So I'm not sure how suspicious this is. But so far, she's the only one to have been arrested in connection with this bank robbery. In the meantime, the Lazarus Group continues to attack the SWIFT banking system. In October 2017, they hit the Taiwanese Far Eastern International Bank. Between January and May of 2018, they targeted Mexico's Bancomext. And in May 2018, it was the Bank of Chile. You know, it used to be governments hacked into other governments for secrets,
Starting point is 00:38:15 cyber criminal groups hacked into banks for money, you know, and hacktivist groups caused chaos, you know, to get profile. And it's just so strange to me to see a government conducting cybercrime and just out there stealing wads of money. But there it is, plain as day. And that just scares me. When you've got the kind of time and money that governments have, suddenly you're in a whole different ballgame. If those guys are getting involved in cybercrime operations, you know, we are in a whole different ballgame. That's not to say this is suddenly going to be a common thing, that governments are going to be turning to international crime sprees to fund their activities. North Korea, of course, does not follow the norm on many levels. But still,
Starting point is 00:39:00 it's pretty concerning that three years later, even though we know exactly who was behind the Bangladesh bank heist, the hackers are still at large and are continuing to attack banks all over the world and developing new attacks. In fact, North Korea is responsible for another huge cyber attack, an attack so big that it cost the world $4 billion. But that story is going to have to wait until the next episode. So join me in two weeks, will you? A big thank you to journalist Geoff White for sharing his research and insights with us. Geoff has just published a new book. It's called Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global. And I highly recommend it. Geoff is a great investigator and writer. And trust me, this book is right up your alley.
Starting point is 00:39:56 There's an affiliate link to Crime Dot Com in the show notes, so check it out. Geoff also has a pretty good podcast called Cybercrime Investigations, where he goes super in-depth on stories he investigated. I also highly recommend that podcast. This show was made by me, the gold coder, Jack Rhysider, and this episode was produced by the Sandy Surfer, Eileen Guo. The original score for this episode was done by Garrett Tiedemann, and our theme music is by the bobbling Breakmaster Cylinder. And even though cyber actors are working on new cyber pathogens to wage cyber attacks on cyber bullies who have too much cyber sex, this is Darknet Diaries.