A spelling mistake in a digital bank transfer prevented hackers from getting away with a $1 billion heist involving the central bank of Bangladesh and the New York Federal Reserve last month.
According to anonymous senior officials at the financial institution, the Bangladeshi central bank’s computer systems were successfully breached and the hackers managed to steal its credentials for payment transfers between Feb. 4 and Feb. 5. They then spammed the Federal Reserve Bank of New York with nearly three dozen requests for large transfers from the Bangladeshi bank’s account to overseas accounts located in the Philippines and Sri Lanka.
Yet, a small typo they made in a digital transfer request prevented them from stealing almost $1 billion, Reuters reports.
“Four requests to transfer a total of about $81 million to the Philippines went through, but a fifth, for $20 million, to a Sri Lankan non-profit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation.”
One of the hackers had written “fandation” instead of “foundation” on one of the transfer requests. The typo, plus the size and frequency of the transfers to outside entities, raised red flags at the routing bank, Deutsche Bank. Deutsche Bank promptly alerted the Bangladeshi bank, which stopped the transfer.
“The Sri Lankan bank did not disburse it immediately, and we could recover the full amount,” an official from the central bank told the Financial Times.
The unknown attackers still managed to get away with the initial request of $81 million from the Federal Reserve, making it one of the largest bank heists in history. However, the subsequent requests of between $850 million and $870 million were stopped.
To make this incident even more bizarre, there is no NGO named “Shalika Foundation” on the list of registered non-profits operating in Sri Lanka. Reuters was not able to obtain any contact information for the supposed organization, which is apparently entirely fictitious.
This attempted digital bank heist only reinforces the growing threat of cyber crime around the world. Though not all cyber crimes are as dramatic as this one, Reuters noted this is far from the first incident of this type.
“Last year, Russian computer security company Kaspersky Lab said a multinational gang of cyber criminals had stolen as much as $1 billion from as many as 100 financial institutions around the world in about two years.”
The Bangladesh Central Bank told the Wall Street Journal on Tuesday, March 8, that “some” of the stolen money has been recovered, though those responsible are unlikely to be found. The hackers are suspected to live outside Bangladesh and to have had deep knowledge of the internal workings of the Bangladeshi institution, possibly gained by spying on bank workers for information. The bank is working with anti-laundering organizations and authorities in the Philippines to try to recover the rest.
Meanwhile, the Federal Reserve may face serious consequences for this incident. The Bangladesh Bank has several billions of dollars in an account with the Fed that it uses for international settlements. Newser reported that Bangladesh’s Finance Minister Abul Maal Abdul Muhith blames the Fed and is considering suing it for not ending the transactions sooner.
“We kept money with the Federal Reserve Bank and irregularities must be with the people who handle the funds there,” Muhith told Bloomberg. “It can’t be that they don’t have any responsibility.”
A representative from the Fed denied the accusation, telling The Washington Post that the payment instructions were fully authenticated using standard methods, and that furthermore “there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question.” The spokesperson added, “The Fed has been working with the central bank since the incident occurred and will continue to provide assistance as appropriate.”
Deutsche Bank has declined to comment on the incident.