More than $4.5mn of tens of millions recently stolen from Bangladesh and funnelled into Philippine casinos was recovered yesterday, as a lawmaker in Manila said almost half the haul could still be salvaged.
On February 5, unidentified hackers shifted $81mn from the Bangladesh central bank’s account with the US Federal Reserve to a nondescript bank in Manila, and then to the casinos where the trail went cold.
Representatives for casino agent Kim Wong, who is under criminal investigation after a portion of the stolen money was traced to his account, surrendered $4.63mn in cash to the Philippine central bank on Thursday.
“He kept his promise to return the money,” Wong’s lawyer Innocencio Ferrer said in a statement.
Wong testified at a marathon parliament hearing Tuesday that two high-rollers from Beijing and Macau shifted the $81mn to dollar accounts in Manila’s Rizal Commercial Banking Corp (RCBC).
Wong said he did not know the money was stolen from Bangladesh and that he merely helped the two men — who are also his casino clients — open bank accounts.
He offered to return the money, which he said remained in his account in Solaire, one of the Philippine capital’s gleaming billion-dollar casinos.
Earlier yesterday, Filipino senator Ralph Recto said as much as $34mn — almost half of the sum stolen — could be recovered from two casinos and a foreign exchange brokerage based on testimonies from the hearing.
By Recto’s own calculations, this would include $17mn that Wong claimed was still with exchange brokerage Philrem and $10mn from a destitute casino in the north.
There was also $5.5mn that Wong picked up from the house of Philrem’s owner and a further $2.3mn in the Solaire casino account of the Macau man who allegedly brought the $81mn to the Philippines.
“Our law enforcement agencies must act swiftly to recover any portion of the loot that is still within Philippine soil,” Recto said in a statement.
“It is very important to recover as much of the money and return it to Bangladesh. The money was stolen from a poor country,” he added.
The brazen heist highlighted how the Philippine’s banking loopholes and anti-money laundering laws have made the impoverished and corruption-weary Southeast Asian nation a dirty money destination.
Philippine law exempts casino transactions from scrutiny by the country’s anti-money laundering council without a case filed in court.
The senate is scheduled to resume its investigation next week.
l The unprecedented heist of $81mn from the US account of Bangladesh’s central bank is the latest among increasingly large thefts by criminals who have leveraged the speed and anonymity of hacking to revolutionise burgling banks.
Hundreds of millions of dollars, and perhaps much more, have been stolen from banks and financial services companies in recent years because of this alliance of traditional and digital criminals, with many victims not reporting the thefts for fear of reputational damage.
Typically, security and cyber-crime experts say, hackers break into the computer systems of financial institutions and make, or incite others to make, fraudulent transactions to pliant accounts. Organised crime then uses techniques developed over decades to launder the money, giving the alliance much higher rewards than a hold-up or bank vault robbery, with much less risk.
“The Internet has made it easier for criminals to get inside banks,” said Shane Shook, an independent security consultant. “Criminals are moving away from consumer-targeted attacks to much more substantial bank hacks because it takes less effort to get more money.”
Last year, researchers at Russian security software maker Kaspersky Lab publicised the activities of the prolific Carbanak gang, which it says hacked into banks, then ordered fraudulent money transfers and also forced ATMs to spit out cash. Kaspersky estimates the group hit as many as 100 banks, with losses averaging from $2.5mn to $10mn per heist.
A Turkish computer hacker pleaded guilty in a US court in March to one of the most astonishing crimes in this category: “Cashing crews” pulled $40mn out of automated teller machines in 24 countries over a 10-hour period. The 2013 heist was accomplished with the precision of a Hollywood drama, thanks to hackers who breached financial networks, then inflated balances on prepaid debit cards.
In another case, Russian banks lost more than $25mn over the past six months to a hacker group infecting their computers using tainted phishing emails, according to Russian security firm Group IB.
The malware gave the hackers access to the bank’s inner network, allowing them to craft seemingly authentic transfer requests via networks including the same SWIFT messaging system used in the Bangladesh Bank attack.
“It (the malware) provides remote access to the attacker. Then the attacker manually orders fraudulent transfers over SWIFT or other payment systems,” said Dmitry Volkov, head of cyber intelligence for Group IB.
“The fact is that most of the breaches that happen don’t get reported,” said Bryce Boland, chief Asia Pacific security officer of computer security company FireEye.
One senior banking security executive, who declined to be identified because he was not authorised to speak to the media, said he had worked on three cases of cyber thefts that his bank clients had not reported to regulatory authorities. He said the largest involved about $20mn.
In many jurisdictions, banks and financial services companies were not required to report breaches unless there’s a material impact, Boland said. The definition is left vague enough so that many are not reported at all.
Boland said that while 20% of his banking customers had been targeted in the second half of last year, FireEye had also found cases of financial services companies not realising they had been breached, in one case leaving the attackers inside their computers for five years.