Spelling mistake cost hackers $870mn in cyber heist on Bangladesh central bank

Bangladesh's central bank suffered total damage of over $80 million in a cyber heist last month, but was lucky to keep hold of $870 million more after a spelling mistake suspended a money transfer requested by hackers, according to bank officials.

The theft took place on February 5, when the Federal Reserve Bank of New York received dozens of payment instructions. The inquiries seemed to come from the Central Bank of Bangladesh and ordered money transfers to a number of accounts based in Sri Lanka and the Philippines. Only it wasn’t the central bank that had sent the instructions, but rather a gang of hackers set on stealing hundreds of millions of dollars.

The criminals, allegedly in possession of the bank’s credentials, managed to get four transactions channeled offshore before the fifth, destined for Sri Lanka’s non-government Shalika Foundation, was blocked by the Feds. The reason? It was addressing a ‘fandation,’ instead of ‘foundation.’

The hackers still got away with a total of $81 million, bank officials said.

The Bangladesh central bank was not able to immediately react to suspicious transfer activity since it wasn’t a working day in the country, media report.

“We have recovered the money that went to Sri Lanka and are working with anti-money-laundering authorities in the Philippines to recover the rest of the funds,” bank spokesman Subhankar Saha was quoted by the Wall Street Journal as saying.

However, it is still possible that the Bangladeshi government will sue the Federal Reserve for not stopping the transactions at the very beginning. "We kept money with the Federal Reserve Bank and irregularities must be with the people who handle the funds there. It can’t be that they don’t have any responsibility," Finance Minister Abul Maal Abdul Muhith said.

Bangladesh’s World Informatix and US-based FireEye Inc. have been hired to provide assistance in the investigation, Reuters cites sources familiar with the case. Preliminary investigations show there is no Shalika Foundation NGO registered in Sri Lanka.

The stolen money was first transferred to foreign exchange dealers, then to casinos, where it was converted to casino chips, and then from chips into cash that eventually landed in Hong Kong accounts, local outlet the Inquirer reports.

“All told, these transactions comprise the largest documented case of money laundering ever uncovered in the country by regulators,” the report reads.