DHAKA (Reuters) – Some Bangladesh central bank officials deliberately exposed its computer systems and enabled hackers to steal $81 million from its account at the Federal Reserve Bank of New York in February, a top police investigator in Dhaka told Reuters on Monday.
The comments by Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department, are the first sign that investigators have got a firm lead in one of the world’s biggest cyber heists, which had prompted months of international finger-pointing. Arrests are soon likely, he said.
On Thursday, the head of a Bangladesh government panel that investigated the heist said five bank officials were guilty of negligence but that they were only unwitting accomplices.
Alam told Reuters his investigations had discovered that some bank officials had knowingly created vulnerabilities in the bank’s connection to the SWIFT global messaging and payments system.
“Bangladesh Bank’s SWIFT network was made insecure by some bank employees in connivance with some foreign people,” he said. “They knew what they were doing.”
He declined to name the suspects or say how many there were.
Alam said investigators were now trying to find out how the mid-ranking officials were connected to the hackers and whether they benefited financially from the heist. Asked if the officials would be arrested, he said: “We are very close to it.”
The apparent momentum comes after months of trading blame among Bangladesh Bank, the New York Fed, SWIFT, and a Philippine lender that received much of the stolen funds before they disappeared. The heist prompted an international probe headed by the U.S. Federal Bureau of Investigation.
Separately SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, told Reuters its messaging system has been targeted in a “meaningful” number of other attacks this year using a similar approach as the Bangladesh incident.
Bangladesh Bank spokesman Subhankar Saha declined to comment on Alam’s comments. A New York Fed spokeswoman also declined comment.
Another investigator in Dhaka, who declined to be named, said more than 100 Bangladesh Bank employees had been interviewed in connection with the heist, and some were barred from leaving the country.
In early February, the hackers used the SWIFT network to send fake orders requesting the transfer of nearly $1 billion from Bangladesh Bank’s account at the New York Fed.
Many of the transfer orders were blocked or reversed but, after a series of oversights and miscommunications, the New York Fed ultimately sent $81 million to four fake accounts in a branch of Rizal Commercial Banking Corp (RCBC) in the Philippines. Most of the funds then disappeared into Manila’s loosely regulated casino industry.
(By Ruma Paul; Additional reporting and writing by Krishna N. Das and Jonathan Spicer; Editing by Raju Gopalakrishnan and Phil Berlowitz)