As money laundering scams go, the Bangladesh Bank heist wasn't that sophisticated

Every fraud is preceded by an information compromise, and the Bangladesh Bank heist demonstrated the power of a cyber attack once a perimeter is breached. It’s unlikely to have been the first or last incident of its kind; a successful cyber attack that compromises a major user of a piece of market infrastructure like the SWIFT system enables fraud on a massive scale.

 

As one of the few organisations that defends financial institutions and other businesses against cyber attack and financial crime, BAE Systems understands the nature of this dual threat.

 

 

Our Threat Intelligence team uncovered malware samples on the internet, and linked it to the attack, in the process uncovered several of the techniques used by the attackers. But there’s still the matter of the $81 million that got away. From a financial crime perspective, I’m looking at a laundering process that could have been a lot more hidden from view than it was.

 

The gang behind the heist was able to send money to the Philippines and Sri Lanka, and this is interesting from the perspective that there are other jurisdictions where the money could have even more easily disappeared almost without trace. People with the right skills and organisation could have moved the money between a dozen countries within an hour of it leaving New York, leaving freeze and asset forfeiture orders struggling to keep up.

 

The trail can go cold at the point where money reaches casinos and hotels and is turned into currency or chips a small physical asset is harder to trace. But up to this point there is a clear audit trail with some of these funds, and other funds of their beneficial owners, already subject to freeze and forfeiture order.

 

A transfer of $10m into a casino account would trigger an alert for investigation in most jurisdictions, but that’s not yet a legal requirement in the Philippines. This was hardly the perfect crime, and neither was it the perfect, anonymous, getaway: the people and institutions involved in this process, unwittingly or otherwise, now have their names aired in public.

 

Criminals don’t respect the borders that financial organisations draw between fraud and cyber security; in fact, they exploit them. There is much that is novel in this case, but it’s clear the perpetrators had not figured out how to make the heist run seamlessly. We should see this event as a warning shot to every institution to check and ensure its borders – internal and external - are properly defended against both cyber and financial crime.