How NY Fed fumbled over Bangladesh Bank cyber-heist
Jupiter. That single word, by a stroke of luck, helped stop the Federal Reserve Bank of New York from paying nearly $1 billion to the cyber-criminals behind a notorious bank heist earlier this year, according to sources familiar with the incident. When hackers broke into the computers of Bangladesh's central bank in February and sent fake payment orders, the Fed was tricked into paying out $101 million. But the losses could have been much higher had the name Jupiter not formed part of the address of a Philippines bank where the hackers sought to send hundreds of millions of dollars more. By chance, Jupiter was also the name of an oil tanker and a shipping company under United States' sanctions against Iran. That sanctions listing triggered concerns at the New York Fed and spurred it to scrutinise the fake payment orders more closely, a Reuters examination of the incident has found.
It was a "total fluke" that the New York Fed did not pay out the $951 million requested by the hackers, said a person familiar with the Fed's handling of the matter. There is no suggestion the oil tanker or shipping company was involved in the heist.
The Reuters examination has also found that the payment orders sent by the hackers were exceptional in several ways. They were incorrectly formatted at first; they were mainly to individuals; and they were very different from the usual run of payment requests from Bangladesh Bank. Yet it was the word Jupiter that set the loudest alarm bells ringing at the New York Fed. Even then it appeared to react slowly. By the time the fraud was discovered, the New York branch of the U.S. central bank had approved five of the payments. It took $101 million from Bangladesh Bank and paid it to accounts in Sri Lanka and the Philippines - including $81 million to four accounts in the names of individuals. Most of that $81 million remains lost.
It was among the most audacious cyber-heists ever to emerge - shining a light on worrying weaknesses in the global financial system and on a little-known corner of the U.S. Federal Reserve: its Central Bank and International Account Services unit (CBIAS), which one former employee described as a "bank within a bank." Interviews with investigators, lawyers and current and former central bank officials in several countries, as well as a Reuters review of payment messages, emails and other documents, show disarray and bungling at all the financial institutions involved. But most striking is the inertia and clumsiness at the New York Fed, the most powerful of the U.S. central bank's 12 regional units and a mainstay of global finance.
The heist revealed that the New York Fed lacked a system for spotting potential fraud in real time - even though such systems are used elsewhere - instead relying at times on checking payments after they were made, usually for problems such as violating U.S. sanctions.
Months of bitter finger-pointing over who is to blame for the fiasco have damaged the sensitive diplomacy of correspondent banking, where big Western institutions are entrusted with safeguarding the treasures of smaller economies.