Risk & Compliance

Bangladesh Bank Sues Over $101M Cyber Heist

The bank alleges a Philippine institution conspired with North Korean hackers to make fraudulent transfers from its account at the New York Fed.
Matthew HellerFebruary 5, 2019
Bangladesh Bank Sues Over $101M Cyber Heist

Bangladesh’s central bank has sued a Philippine bank over a massive cyber heist, claiming Rizal Commercial Banking Corp. facilitated the $101 million theft and the laundering of stolen funds through casinos in the Philippines.

Bangladesh Bank said in a lawsuit filed in New York that Rizal employees conspired with the North Korean hackers who made fraudulent transfers from Bangladesh Bank’s account at the Federal Reserve Bank of New York in February 2016 after breaking into its computer network.

Rizal “established and allowed the use of the numerous bank accounts necessary to the laundering and theft of the funds,” serving as the critical “bridge” between the New York Fed account and the Philippine casinos where stolen funds were laundered, the complaint said.

According to the suit, the “massive, multi-level conspiracy to carry out one of the largest bank heists in modern history” involved “multiple individuals up to the highest levels of RCBC.”

An attorney for RCBC said the suit was “nothing more than a political stunt” through which the Bangladesh bank was trying to shift the blame for its information security failings. Investigators have said the hackers broke into the bank’s computers and took control of credentials that were used to log into the SWIFT payment platform.

But the New York Fed said in a statement that it was “aligned in the pursuit of recovering the funds and directing litigation against those who were complicit in or benefited from the fraud.”

In August 2016, the central bank of the Philippines hit RCBC with a record fine of 1 billion pesos — at the time, equivalent to $21.3 million — after conducting its own investigation of the heist.

Bangladesh Bank said RCBC’s correspondent bank accounts in New York received the fraudulent transfers from the New York Fed via the Fed’s Fedwire system. From there, the money was quickly moved to “fictitious U.S. dollar accounts in the Philippines, which RCBC [had] created nearly a year earlier to receive the stolen funds from New York,” the suit said.

According to Bangladesh Bank, senior RCBC personnel had “full authority and control” over the fictitious accounts.