Hacker’s typo trips the alarm on billion-dollar cyber bank heist

spelling mistake

Cyber bank robbers have drained $101 million from Bangladesh’s central bank – an enormous heist as it is, but one that could have netted the crooks $1 billion if they didn’t get caught when they misspelled the name of one of the places they were trying to transfer money to.

After they slipped past the bank’s security systems, the crooks allegedly masqueraded as Bangladeshi officials to submit a series of requests for the New York Federal Reserve to transfer large sums of money from its account in the country.

Bangladesh Bank told the Financial Times that it was defrauded for a total of $101 million in bogus transfers.

The last payment request was for $20 million, with the hackers instructing Bangladesh Bank to send it to a Sri Lankan bank.

That last payment was the one that raised the red alert.

Bangladesh banking officials told Reuters that the hackers goofed, making a spelling mistake in one of their transfer instructions.

They misspelled the name of a Sri Lankan non-governmental organization named Shalika Foundation, writing “fandation” instead of “foundation.”

Four requests to transfer a total of about $81 million to the Philippines had already gone through.

But this fifth, misspelled request, for $20 million, gave a routing bank – Deutsche Bank – pause.

It reached out to Bangladesh Bank for clarification. That’s when Bangladesh Bank stopped the transfer, Reuters reported.

Bangladesh Bank told the Financial Times that it’s already gotten the $20 million payment back:

The Sri Lankan bank did not disburse it immediately and we could recover the full amount. The remaining $81m was transmitted to a few accounts of a Philippine bank.

Bank officials told Reuters that the crooks stole credentials for payment transfers when they breached Bangladesh Bank’s systems.

They used the credentials to pepper the Federal Reserve Bank of New York with almost three dozen transfer requests to move money to entities in the Philippines and Sri Lanka.

The transactions that were stopped came to a total of $850-$870 million, officials said.

The bank officials said that anti-money laundering authorities in the Philippines have frozen the relevant bank accounts there.

Bangladesh has blamed the New York Federal Reserve for getting hacked. Its finance minister, Abul Maal Abdul Muhith, told Bloomberg on Tuesday that the bank’s got to be culpable:

We kept money with the Federal Reserve Bank and irregularities must be with the people who handle the funds there.

It can’t be that they don’t have any responsibility.

He also told reporters last week that his government was considering filing a case against the New York Federal Reserve and that he was also surprised by the failure of his own country’s central bank to report the crime.

Nope, the Fed said, it wasn’t us.

Last Monday, 7 March, the New York Federal Reserve Bank tweeted that its systems hadn’t been breached and it hadn’t detected any evidence of attempts to penetrate them.

A spokeswoman for the Fed told Bloomberg that the instructions to make the payments from the account of Bangladesh’s central bank followed standard protocols and were authenticated by the SWIFT message system used by financial institutions.

She also said that the Fed has been assisting Bangladesh since the heist was revealed.

Image of Spelling mistake courtesy of Shutterstock.com