In 2016, a group of hackers almost pulled off one of the biggest bank cyber heists in history: they were aiming to steal nearly a billion dollars from the Bangladesh Central Bank. Their plan involved deep knowledge and a strategy to exploit the global financial systems. They were moments away from success when an unassuming typo ruined the operation.
Imagine this – cybercriminals operating from behind a veil, manipulating international banking systems and transferring money around the world without raising a suspicious eyebrow. The hackers were quite confident in their plan, which was working out just as it should have. But then, there was a red flag. Alarms of suspicion went off, not because of an advanced security system, but due to a mere spelling mistake. This is the astonishing true story of how the world’s costliest typo saved almost a billion dollars from falling into the wrong hands.
The Target: Bangladesh Bank and the SWIFT Network
The heist happened at Bangladesh Bank in Dhaka, Bangladesh, the country’s central bank. Like some central banks, Bangladesh Bank maintains large foreign currency reserves, mostly US dollars held in accounts overseas for international trade and payments.
A substantial portion of these reserves was deposited at the Federal Reserve Bank of New York.
International bank-to-bank money transfers depend on the SWIFT system. Within that system, trillions of dollars in transactions zoom across a sort of digital highway, dependent on correct codes and names to make sure that money ends up at the intended destination. Basically, SWIFT is highly reliable and secure.
The Infiltration: A Patient and Skilled Cyberattack
By early 2016, trouble was brewing. Unknown to Bangladesh Bank, patient and skilled criminals had found a crack in their wall. This was no smash-and-grab. It was a slow, methodical cyber-break-in. Hackers managed to infiltrate Bangladesh Bank’s computer systems, likely through malware delivered via a phishing email or an infected website.
Once inside, they monitored the bank’s network for several weeks, watching staff habits, understanding how SWIFT transfer requests were formatted, and noting key loopholes. They aimed to identify the ideal time for the attack.
The Perfect Window: Exploiting Time Zones
The hackers found a critical timing loophole: Bangladesh’s weekend falls on Friday and Saturday, while the US weekend falls on Saturday and Sunday. Their plan was to conduct the theft on Thursday, meaning that by the time the offices at Bangladesh Bank shut down for the weekend, New York would still be operating due to the time difference. This was the most strategic timing because it ensured that the fraudulent transfer requests went to the New York Fed while Bangladesh Bank’s offices in Dhaka were dark and empty. No one back home would see the alerts in real time, thus providing the perfect window of opportunity for the hackers.
The Scheme: Almost a Billion Dollars in Transit
They didn’t send just one or two requests; they went big. Nearly three dozen transfer requests were lined up, one after the other. In total, if all of them succeeded, the hackers stood to drain about $951 million from Bangladesh Bank’s New York Fed account, virtually all the money available. This was an all-or-nothing scheme.
They opened accounts abroad as “getaway vehicles” into which the money would be moved, specifically accounts in the Philippines and Sri Lanka. In the Philippines, four bank accounts were set up at a local bank called RCBC, or Rizal Commercial Banking Corporation. These were opened several months in advance through phony identities and sat unused until the big payout.
There was also to be a transfer to Sri Lanka, directed at an organization called the “Shalika Foundation.” On paper, this seemed to be a charitable foundation that would receive a generous donation of $20 million. In fact, this organization was more likely to have been a front; it turned out subsequently that no registered NGO by the name of Shalika Foundation existed in Sri Lanka.
Everything was in place.
The Fatal Flaw: One Wrong Letter
Just as Bangladesh Bank staff were leaving work for the weekend on the night of February 4, 2016, hackers made their move. They started sending their fraudulent SWIFT instructions to the Federal Reserve Bank of New York. In the silent, empty halls of Bangladesh Bank, these requests went unnoticed. The hackers had even tampered with the bank’s printers to delay the hard copy printouts of transfer orders, buying them more time.
Money began flowing out. In New York, the Fed started processing the requests, believing them to be legitimate instructions. Millions of dollars poured into the Philippine accounts: $20 million, $30 million, $50 million, climbing to a total of about $101 million in a matter of hours.
But as these requests kept coming in, some bankers and systems on the other side of the world began to raise their eyebrows, given that the volume of the transactions coming from Bangladesh Bank was very unusual. Many of them were going to private entities rather than banks.
Then came the critical moment. Of the many transfer orders, one ordered a $20 million payment to the “Shalika Foundation” in Sri Lanka. This one little transaction would turn out to be the hackers’ undoing.
In writing that specific directive, the hackers had committed a small but fatal error: they had misspelled the recipient’s name. Where it should have read “Foundation,” they had instead typed “Fandation.” It may have been a slip of the finger, a hasty typing job, or simply inexperience with English orthography. Whatever the case, “Shalika Fandation” didn’t look quite right.
The Alarm: How a Typo Tripped the Wire
At Deutsche Bank, an intermediary bank helping route the money to Sri Lanka, an officer spotted the odd spelling: “Fandation.” It screamed “suspicious.” Deutsche Bank didn’t just shrug and process it; they paused. They reached out to Bangladesh Bank for clarification: “Hey, is this beneficiary name correct? We have ‘Shalika Fandation.’ Is that right?”
Remember, it was the weekend in Bangladesh, and offices were closed, so no one was answering in a timely manner. The hackers had counted on this silence, but in this case, it worked against them. Now the request was in limbo, awaiting confirmation.
Because of that typo, the red flag from Deutsche Bank meant that the $20 million did not immediately go through; in fact, it got stopped cold before it reached the phony foundation. The typo had tripped the wire.
This unusual pause and query from Deutsche Bank likely made the Federal Reserve in New York even more suspicious about all the other transfers flowing out. On top of that, by this time, a number of the hackers’ transfer requests, totaling around $850 million, had been flagged and held back by the Fed for manual review due to the sheer volume and unusual destinations.
The Aftermath: A Global Financial Shake-Up
The following week, when the bank’s officials saw the messages and the printer spat out the records, panic hit. They got Deutsche Bank’s message about “Shalika Fandation” and immediately knew something was wrong. There was no Shalika Foundation authorized to receive any money. The bank immediately informed the authorities and sent out urgent messages to stop payment on all of the suspicious transfers.
Due to that single misspelling, the major transfers were stopped in time. The typo had saved about $850 million from vanishing. It’s pretty incredible: if those hackers had typed “Foundation” correctly, that $20 million might have slipped through without question, just like the other payments to the Philippines. If that one transfer hadn’t raised the alarm, it’s possible that the rest of the $850M of pending transfers could have been sent. In other words, a single letter prevented further destruction.
The $20 million meant for Sri Lanka was recovered fully because that transfer had been stopped in time. Still, tens of millions from the Philippine transfers remained missing. Roughly $15 million was eventually returned to Bangladesh, but a large chunk of the $81 million remains unrecovered, having disappeared into the shadows of the international financial system.
The Governor of Bangladesh Bank came under intense criticism and finally resigned. The bank brought in cyber forensic teams, which found malware left by the hackers, hinting that an organized group, possibly a state-sponsored one like the Lazarus Group linked to North Korea, was behind the attack.
The incident was a vivid illustration of how even a central bank with billions in reserves could fall prey to an ingenious attack. Banks all over the world took this as a warning, doubling security and urging more verification of unusual transfer requests.
Conclusion
The Bangladesh Bank heist is the tale of an attack that was foiled by a single misspelling. This cyberattack almost saw close to a billion dollars vanish into the digital ether, but it was thwarted by human attentiveness.
This serves as a reminder that in our digitized world, the tiniest detail can make the difference between outcomes. While the hackers invested time in planning every minute detail, one typo turned victory into defeat.









