Ep 3. The Bangladesh Bank Heist – Anatomy of a Billion Dollar Cyber Robbery
The untold story behind the $81 million cyber theft from Bangladesh’s central bank.

It wasn’t just about stealing money. It was a message: your systems, your sovereignty, your trust — are all vulnerable.
— The Exploit Files
Full Transcript
The full, unfiltered story as heard in this episode.
February 2016. Imagine the quiet hum of servers in a central bank. Then silence, but it’s a deceptive silence because hundreds of millions of dollars are just vanishing, not grabbed from vaults, but siphoned through the network.
Yeah, this is the real story of the Bangladesh bank cyber heist. It’s uh almost unbelievable when you first hear it.
It really is. Nearly a billion dollars targeted. Over a hundred million successfully stolen.
And the target wasn’t some, you know, commercial bank focused on profit. It was the Central Bank of Bangladesh. They hold the country’s reserves. We’re talking about money vital to a nation where, well, where poverty is a major issue. The stakes were just incredibly high.
Absolutely. And the very first hint that something was terribly wrong, it sounds like something out of an office comedy.
It does, doesn’t it? A printer. Just a malfunctioning printer on the fritz.
A printer jam. But that little glitch, that was the first thread pulled, revealing this enormous, audacious digital robbery. So, in this deep dive, we’re gonna unpack exactly how this happened, how did they pull it off, who do investigators think was behind it, and what was the fallout. It’s a journey into, well, the darker side of online crime and high finance.
It really is. And the story starts months before the actual theft, back in late 2015, around November.
The preparation phase.
Exactly. This wasn’t impulsive. The attackers started with spear phishing emails. These weren’t your typical Nigerian prince scams, you know. These are tailored, right? They look legitimate.
Highly tailored. Designed to look like internal bank communications, maybe referencing real projects, real people. Very convincing. The goal was simple: get just one person inside the bank to click on a malicious attachment or link.
And someone did.
Someone did. At least one employee clicked. And that click, that was the open door. It likely installed the first piece of malware, like setting up a beachhead inside the bank’s network.
Okay, so they’re in. What happens next? They don’t just grab the money then.
No, no, they were patient. They moved laterally, meaning they explored the network from that initial entry point, quietly mapping things out, looking for their main target: the bank’s SWIFT system.
SWIFT, that’s the backbone of international money transfers, isn’t it?
It is. The Society for Worldwide Interbank Financial Telecommunication. Basically, it’s a secure messaging network banks use to send instructions for transferring funds across borders. Billions flow through it daily.
So, if you control a bank’s SWIFT connection,
you can tell other banks to send money and it looks like a legitimate instruction from the originating bank. Crucially, they weren’t hacking the central SWIFT network itself. They were compromising Bangladesh Bank’s specific terminal, their connection to SWIFT.
Right. Like stealing the keys to the messaging system, not breaking the whole system.
Precisely. They installed more malware, things like RATs, remote access Trojans, which let them control computers remotely, and keyloggers to capture passwords and credentials. They burrowed deep.
And they were watching, learning.
Oh, absolutely. By January 2016, they knew the bank’s internal processes. When did large transactions usually happen? What were the approval workflows? They learned the rhythm of the bank. Digital spies, essentially,
just waiting.
Waiting for the right moment. And that moment came on February 4th, 2016. They logged into Bangladesh Bank’s SWIFT terminals.
And the timing was key here, wasn’t it?
Deliberate. It was the start of the weekend in Bangladesh, Thursday night bleeding into Friday morning. Fewer staff monitoring systems in Dhaka. But in New York, where the Fed is, it was still the business day.
Clever. Exploiting the time difference.
Extremely. So overnight, Bangladesh time, their malware went to work preparing these fraudulent payment orders. 35 of them.
Aiming for how much again?
Nearly a billion dollars, just shy of it. It’s staggering.
Unbelievable.
Then on February 5th, those orders were fired off through SWIFT, sent to the Federal Reserve Bank of New York. That’s where Bangladesh Bank kept a large chunk of its foreign reserves, something like $20 billion.
And the Fed, they processed some of these.
They did. Despite the huge sums and, well, maybe some unusual patterns if you looked closely, five transfers were approved. Five out of the 35.
How much got through?
$101 million in total. $81 million was routed to accounts in the Philippines. Another $20 million was sent towards Sri Lanka.
Okay, hold on. How does a central bank not notice $100 million walking out the door, even with the weekend timing?
Ah, well, this is where the attackers showed real sophistication beyond just getting access. They actively covered their tracks inside Bangladesh Bank’s systems. Remember that broken printer?
Yeah, the initial glitch.
That wasn’t an accident. The attackers deliberately disabled the specific printer that would have printed confirmations of these outgoing SWIFT messages. Standard procedure would involve matching those printouts. No printouts, no immediate red flag.
Wow. So, they disabled the physical check.
And the digital one too, to an extent. They used malware to actually alter the SWIFT software running on the bank’s local terminals. It essentially hid the records of those fraudulent transactions from routine internal checks.
A ghost in the machine, literally erasing its own footprints in real time.
You could say that. So, for a little while, the bank was blind to the outgoing transfers. But you know that silent printer, it was still nagging people.
Right. So, February 5th, Friday in Bangladesh, people come in to work, the printer’s still not working. Just an IT ticket at first, maybe.
Probably frustrating, but maybe not panic-inducing initially, but it dragged on. By Saturday, February 6th, it was clear something more serious was wrong with the SWIFT connection itself. They couldn’t just reboot the printer.
So, they started digging deeper.
They had to start manually searching through the SWIFT system messages. Imagine wading through all that data, looking for anomalies. It would have been slow, painstaking work.
And when did the horrifying truth emerge?
It really crystallized on Monday, February 8th. That’s when they definitively found the fraudulent transfers, days after the money had already been wired out by the New York Fed.
Days late.
Oh man.
They immediately contacted the New York Fed, sent urgent messages: stop all payments we sent on February 4th. But it was too late for most of it. The $101 million was already well on its way.
So where did it go? Let’s follow the money. The $81 million to the Philippines first.
Right. This chunk landed in four separate personal accounts at a bank called RCBC, Rizal Commercial Banking Corporation.
Personal accounts, for $81 million? That sounds suspicious in itself.
It absolutely should have been. And what’s more telling is that these accounts weren’t active business accounts. They were opened months earlier under false names with just tiny initial deposits. They were basically sleeper accounts, activated specifically for this operation.
Set up well in advance.
Waiting.
Exactly. Clear pre-planning. And the money didn’t sit there. It was moved out fast, consolidated and transferred to a company called Philrem Service Corporation, which deals in remittances and foreign exchange.
Okay, so from the bank to a remittance company, then where?
Then it plunges into the casino world. Philrem moved the funds and they were used to buy casino chips, primarily at the Solaire Resort and Casino and the Midas Hotel and Casino in Manila. High roller chips.
Casinos. Why casinos? Is that a common way to launder money?
It can be. Yeah. Especially in jurisdictions where maybe the anti-money-laundering regulations for casinos aren’t as tight as for banks. You buy chips with the dirty money. You gamble a bit, maybe just minimally to make it look legitimate, and then you cash the chips out.
And suddenly the money looks like winnings. Cleaned.
That’s the idea. It creates a break in the money trail, makes it harder to trace back to the original crime. At that time, Philippine law had loopholes regarding casinos and anti-money-laundering rules, which the attackers clearly exploited.
A known vulnerability, then. Yeah.
Who were the names that surfaced in this Philippine connection?
Several key figures got pulled into the investigation. There was Maia Santos-Deguito. She was the manager of the RCBC branch where the fake accounts were opened. She was later convicted for money laundering. Then a businessman named William Go, whose name was apparently forged to open one of the accounts. He denied involvement. There was also Kim Wong, a casino junket operator who eventually returned millions, claiming he thought the money was a legitimate investment but later learned it was stolen. And another name, Wang Shu, a Chinese gambler or agent who allegedly took a large chunk out in cash.
A real cast of characters.
Yeah,
a very messy trail.
Extremely messy. Designed to be messy to obscure the final destination of the funds, which largely seemed to be outside the Philippines, possibly China or Hong Kong.
Okay, that’s the $81 million. What about the other $20 million sent to Sri Lanka? You said that was different.
It was. That transfer actually got stopped. It hit a, well, a very fortunate snag for Bangladesh Bank.
What happened?
A typo. Simple as that. The money was intended for an entity called the Shalika Foundation, but whoever typed the instruction misspelled “foundation.”
Seriously? How did they spell it?
Reports vary slightly. Either “Fandation” or “Fundation.” Close, but not quite right. That misspelling raised a red flag at Deutsche Bank, which was acting as a routing bank, an intermediary in the transfer process. They saw this huge amount going to a “Shalika Fandation” and paused it. They sent a query back to Bangladesh Bank asking for clarification.
A multi-million dollar typo save.
Pretty much. Around the same time, Pan Asia Bank in Sri Lanka, the intended recipient bank, also thought the transfer looked suspicious. Just the sheer size of it, going to a relatively unknown foundation. This combination of the typo and the local bank’s suspicion stopped the $20 million in its tracks.
So, that money was recovered.
Yes. Thankfully for Bangladesh Bank, that $20 million was eventually returned.
The Shalika Foundation, who was behind that? Was it a real entity?
It was a registered private company run by a woman named Shalika Perera. When questioned, her initial story was quite elaborate. She claimed the money was a legitimate payment from JICA, the Japan International Cooperation Agency, for development projects.
Did that check out?
Not at all. JICA quickly came out and publicly stated they had absolutely no connection to this transaction or the Shalika Foundation. Her story crumbled pretty fast.
So, what was really going on there?
The Sri Lankan police investigation suggested she knew the money was coming and had apparently instructed her bank to transfer large portions to her personal account and an associate’s account as soon as it cleared. Despite her claims of innocence, the cover story completely fell apart.
Incredible. Okay, so the money trails are complex, partly successful, partly foiled by chance. What about the investigations back at the banks? What’s happening in Bangladesh?
Well, initially there was uncertainty. Was it an internal job? Was it external? They brought in outside help, cyber security firms, notably World Informatix and Mandiant, a big name in cyber forensics.
What did Mandiant find?
They found the digital breadcrumbs: malware samples, hacker tools left behind, evidence of remote access. The footprints pointed definitively to an external attack originating from outside Bangladesh. But that didn’t completely erase suspicion about potential inside help. An internal investigation was also launched.
Right. The question of an accomplice lingered. And in the Philippines, with $81 million washing through their system?
Oh, that became a huge public issue. The Philippine Senate launched very high-profile public hearings in March 2016. It was quite dramatic, trying to untangle how the money moved through RCBC and the casinos.
putting the system under a microscope.
Absolutely. PAGCOR, the gaming regulator, also investigated the casinos’ role. RCBC, the bank, faced serious heat. They were slapped with a massive fine by the Bangko Sentral ng Pilipinas, the central bank there: a billion pesos for failing to comply with banking laws.
A billion pesos, that’s significant.
It was at the time the largest penalty imposed on a financial institution in the Philippines. They paid half of it fairly quickly and had a major board reorganization, and, as mentioned, the branch manager Maia Santos-Deguito eventually faced criminal conviction.
So there were consequences at least within the Philippines.
Yes. Though the legal wrangling continued. RCBC actually sued Bangladesh Bank for defamation in New York later on, claiming its reputation was unfairly damaged. Some parts of that suit were dismissed, but the core legal fight over liability has dragged on for years.
Fascinating. Now, the investigation didn’t stop there, did it? The US got involved and the focus shifted dramatically.
It did. The FBI started digging and their findings pointed in two key directions. One, they reinforced the suspicion of at least one insider at Bangladesh Bank possibly helping the attackers.
Okay.
But the much bigger development was the link they started building to North Korea. US federal prosecutors began pointing fingers directly at the North Korean government.
a nation state accused of essentially bank robbery on a massive digital scale. What evidence did they have?
It came from multiple angles. Cyber security firms like Symantec and BAE Systems analyzed the code, the malware, the techniques used in the Bangladesh Bank heist. They found strong similarities, overlaps in code, infrastructure and tactics, to other major cyber attacks.
Like which ones?
Most notably, the devastating hack of Sony Pictures in 2014, and the WannaCry ransomware attack that caused chaos globally in 2017. These were attacks widely attributed to a group known as Lazarus.
Lazarus Group, believed to be state-sponsored by North Korea. Right.
That’s the consensus in the security community and among intelligence agencies, yes. CISA, the US cyber security agency, put out an alert specifically linking this type of bank theft, which they called FASTCash, to a North Korean group they dubbed BeagleBoyz, operating under the Reconnaissance General Bureau, North Korea’s main intelligence agency.
BeagleBoyz sounds almost playful for such serious activity.
The names can be deceptive. An NSA official even stated quite plainly that it looked like a nation state was robbing banks. It wasn’t subtle.
Did it go beyond attribution? Were there actual charges?
Yes. The US Department of Justice took the significant step of indicting a North Korean individual, a computer programmer named Park Jin Hyok.
Indicted for this specific heist.
For this heist, yes, but also explicitly linking him to the Sony Pictures hack and the WannaCry ransomware. The indictment painted him as part of this state-sponsored conspiracy involved in multiple major cyber intrusions and thefts. They suggested this was part of a pattern, potentially linking North Korea to as many as 11 similar attacks worldwide.
So the picture becomes one of a state using cyber crime almost as foreign policy or at least as a revenue stream.
That’s certainly the implication. Yeah. Using sophisticated hacking skills not just for espionage but for outright theft on a global scale. It’s chilling.
Absolutely. How did SWIFT itself, the network at the center of this, respond? They must have been deeply concerned.
Oh, extremely. This shook confidence. SWIFT reacted by launching what they called the Customer Security Programme, or CSP.
What did that involve?
It basically forced member banks to tighten up their own security. SWIFT couldn’t secure every single bank’s connection point. So they mandated a set of security controls, the Customer Security Controls Framework, or CSCF, that all banks using their network had to implement. And attest to it, too. It was about raising the baseline security across the entire ecosystem.
A necessary step it sounds like.
Definitely. The heist also shone a harsh light, as we discussed, on those anti-money-laundering weaknesses, particularly regarding casinos in places like the Philippines, which clearly needed addressing.
What about the aftermath for Bangladesh Bank itself besides the internal turmoil?
Well, they’re still trying to get the rest of the stolen money back. They’ve recovered small amounts here and there, but the bulk of the $81 million remains lost. The Federal Reserve and SWIFT have pledged to help, but it’s a difficult, ongoing process.
and the legal fights continue.
Yes, particularly the battles with RCBC in the US courts. Politically, the fallout in Bangladesh was immediate. The governor of the central bank, Atiur Rahman, resigned just weeks after the heist became public. Two deputy governors were fired. The finance minister even publicly criticized the New York Fed for not catching the suspicious transactions earlier and considered suing them, though that didn’t ultimately happen.
A huge blow, institutionally and reputationally.
Massive. And the story itself has had a lasting impact. There was a documentary in 2023, Billion Dollar Heist, which really laid out the intricate details for a wider audience.
So stepping back: a single phishing email opens the floodgates. Sophisticated malware bypasses controls, manipulates a global financial network. Millions are laundered through casinos, disappearing into the ether. And the prime suspect, a nation state.
It’s quite a narrative. It highlights just how vulnerable our interconnected systems can be. You had ordinary bank employees targeted, legitimate businesses used as conduits, all part of this incredibly complex plan.
And the sheer audacity of targeting a central bank’s reserves.
It showed a new dimension, perhaps. Not just espionage, not just disruptive attacks like WannaCry, but state-level actors potentially engaging in massive theft for, presumably, national funding. It demonstrated a kind of asymmetric capability: a country, maybe lacking in traditional economic power, using cyber tools to strike at the heart of global finance.
It really makes you think, doesn’t it? Yeah.
This wasn’t just theft. It feels like a turning point.
What does an event like this signal about, say, digital sovereignty when digital thieves can ignore borders so easily?
That’s a huge question. And what about the safety of these critical financial networks we all rely on? If a nation state decides to weaponize these capabilities, are we prepared? The Bangladesh bank heist might just be a stark warning of what’s possible, a glimpse into a future where cyber conflict and cyber crime increasingly blur. It’s a reality we’re still grappling with.
Sources
These are the most relevant and trustworthy sources used in the creation of this episode:
Bangladesh Bank robbery – Wikipedia
Detailed overview of the 2016 cyber heist, including technical execution, financial impact, and attribution.
How the New York Fed fumbled over the Bangladesh Bank cyber-heist – Reuters
Investigative report revealing how the U.S. Federal Reserve handled the fraudulent SWIFT transactions.
That Insane, $81M Bangladesh Bank Heist? Here’s What We Know – WIRED
Explains how the attack was carried out and the weaknesses exploited in the bank’s network.
U.S. says Bangladesh Bank heist was ‘state-sponsored’ – Reuters
Report covering U.S. government statements linking the attack to a nation-state actor.
Billion Dollar Heist – Wikipedia
Entry on the 2023 documentary film about the Bangladesh Bank cyberattack and its global implications.
Lazarus Group – Wikipedia
Background on the North Korean-linked hacking group allegedly responsible for the attack.
2015–2016 SWIFT banking hack – Wikipedia
Contextualizes the heist within a broader set of SWIFT-related cyberattacks in the same timeframe.
U.S. Department of Justice: North Korean Hacker Indicted – Justice.gov
Official U.S. indictment of Park Jin Hyok for his role in the attack, among other incidents.
Bangladesh Bank Heist – Mandiant Threat Intelligence
Technical forensic analysis linking the malware and tactics to known North Korean actors.
SWIFT response to Bangladesh incident – swift.com
Official statement and changes implemented by SWIFT following the attack.
Symantec: Tools Linked to Lazarus Group Used in Heist – symantec.com
Malware analysis connecting reused code from previous Lazarus campaigns to the Bangladesh incident.