In 2016 North Korean hackers planned a $1bn raid on Bangladesh's national bank and came within an inch of success - it was only by a fluke that all but $81m of the transfers were halted, report Geoff White and Jean H Lee. But how did one of the world's poorest and most isolated countries train a team of elite cyber-criminals?
It all started with a malfunctioning printer. It's just part of modern life, and so when it happened to staff at Bangladesh Bank they thought the same thing most of us do: another day, another tech headache. It didn't seem like a big deal.
But this wasn't just any printer, and it wasn't just any bank.
Bangladesh Bank is the country's central bank, responsible for overseeing the precious currency reserves of a country where millions live in poverty.
And the printer played a pivotal role. It was located inside a highly secure room on the 10th floor of the bank's main office in Dhaka, the capital. Its job was to print out records of the multi-million-dollar transfers flowing in and out of the bank.
When staff found it wasn't working, at 08:45 on Friday 5 February 2016, "we assumed it was a common problem just like any other day," duty manager Zubair Bin Huda later told police. "Such glitches had happened before."
In fact, this was the first indication that Bangladesh Bank was in a lot of trouble. Hackers had broken into its computer networks, and at that very moment were carrying out the most audacious cyber-attack ever attempted. Their goal: to steal a billion dollars.
To spirit the money away, the gang behind the heist would use fake bank accounts, charities, casinos and a wide network of accomplices.
But who were these hackers and where were they from?
According to investigators the digital fingerprints point in just one direction: to the government of North Korea.
That North Korea would be the prime suspect in a case of cyber-crime might to some be a surprise. It's one of the world's poorest countries, and largely disconnected from the global community - technologically, economically, and in almost every other way.
And yet, according to the FBI, the audacious Bangladesh Bank hack was the culmination of years of methodical preparation by a shadowy team of hackers and middlemen across Asia, operating with the support of the North Korean regime.
In the cyber-security industry the North Korean hackers are known as the Lazarus Group, a reference to a biblical figure who came back from the dead; experts who tackled the group's computer viruses found they were equally resilient.
Little is known about the group, though the FBI has painted a detailed portrait of one suspect: Park Jin-hyok, who also has gone by the names Pak Jin-hek and Park Kwang-jin.
It describes him as a computer programmer who graduated from one of the country's top universities and went to work for a North Korean company, Chosun Expo, in the Chinese port city of Dalian, creating online gaming and gambling programs for clients around the world.
While in Dalian, he set up an email address, created a CV, and used social media to build a network of contacts. Cyber-footprints put him in Dalian as early as 2002 and off and on until 2013 or 2014, when his internet activity appears to come from the North Korean capital, Pyongyang, according to an FBI investigator's affidavit.
The agency has released a photo plucked from a 2011 email sent by a Chosun Expo manager introducing Park to an outside client. It shows a clean-cut Korean man in his late 20s or early 30s, dressed in a pin-striped black shirt and chocolate-brown suit. Nothing out of the ordinary, at first glance, apart from a drained look on his face.
But the FBI says that while he worked as a programmer by day, he was a hacker by night.
In June 2018, US authorities charged Park with one count of conspiracy to commit computer fraud and abuse, and one count of conspiracy to commit wire fraud (fraud involving mail, or electronic communication) between September 2014 and August 2017. He faces up to 20 years in prison if he is ever tracked down. (He returned from China to North Korea four years before the charges were filed.)
But Park, if that is his real name, didn't become a hacker for the state overnight. He is one of thousands of young North Koreans who have been cultivated from childhood to become cyber-warriors - talented mathematicians as young as 12 taken from their schools and sent to the capital, where they are given intensive tuition from morning till night.
Short presentational grey line
When the bank's staff rebooted the printer, they got some very worrying news. Spilling out of it were urgent messages from the Federal Reserve Bank in New York - the "Fed" - where Bangladesh keeps a US-dollar account. The Fed had received instructions, apparently from Bangladesh Bank, to drain the entire account - close to a billion dollars.
The Bangladeshis tried to contact the Fed for clarification, but thanks to the hackers' very careful timing, they couldn't get through.
The hack started at around 20:00 Bangladesh time on Thursday 4 February. But in New York it was Thursday morning, giving the Fed plenty of time to (unwittingly) carry out the hackers' wishes while Bangladesh was asleep.
The next day, Friday, was the start of the Bangladeshi weekend, which runs from Friday to Saturday. So the bank's HQ in Dhaka was beginning two days off. And when the Bangladeshis began to uncover the theft on Saturday, it was already the weekend in New York.
"So you see the elegance of the attack," says US-based cyber-security expert Rakesh Asthana. "The date of Thursday night has a very defined purpose. On Friday New York is working, and Bangladesh Bank is off. By the time Bangladesh Bank comes back on line, the Federal Reserve Bank is off. So it delayed the whole discovery by almost three days."
And the hackers had another trick up their sleeve to buy even more time. Once they had transferred the money out of the Fed, they needed to send it somewhere. So they wired it to accounts they'd set up in Manila, the capital of the Philippines. And in 2016, Monday 8 February was the first day of the Lunar New Year, a national holiday across Asia.
By exploiting time differences between Bangladesh, New York and the Philippines, the hackers had engineered a clear five-day run to get the money away.
They had had plenty of time to plan all of this, because it turns out the Lazarus Group had been lurking inside Bangladesh Bank's computer systems for a year.
In January 2015, an innocuous-looking email had been sent to several Bangladesh Bank employees. It came from a job seeker calling himself Rasel Ahlam. His polite enquiry included an invitation to download his CV and cover letter from a website. In reality, Rasel did not exist - he was simply a cover name being used by the Lazarus Group, according to FBI investigators. At least one person inside the bank fell for the trick, downloaded the documents, and got infected with the viruses hidden inside.
Once inside the bank's systems, Lazarus Group began stealthily hopping from computer to computer, working their way towards the digital vaults and the billions of dollars they contained.
And then they stopped.
Why did the hackers only steal the money a whole year after the initial phishing email arrived at the bank? Why risk being discovered while hiding inside the bank's systems all that time? Because, it seems, they needed the time to line up their escape routes for the money.
Jupiter Street is a busy thoroughfare in Manila. Next to an eco-hotel and a dental surgery is a branch of RCBC, one of the country's largest banks. In May 2015, a few months after the hackers accessed Bangladesh Bank's systems, four accounts were set up here by the hackers' accomplices. In hindsight, there were some suspicious signs: the driver's licences used to set up the accounts were fakes, and the applicants all claimed to have exactly the same job title and salary, despite working at different companies. But no-one seemed to notice. For months the accounts sat dormant with their initial $500 deposit untouched while the hackers worked on other aspects of the plan.
By February 2016, having successfully hacked into Bangladesh Bank and created conduits for the money, the Lazarus Group was ready.
But they still had one final hurdle to clear - the printer on the 10th floor. Bangladesh Bank had created a paper back-up system to record all transfers made from its accounts. This record of transactions risked exposing the hackers' work instantly. And so they hacked into the software controlling it and took it out of action.
With their tracks covered, at 20:36 on Thursday 4 February 2016, the hackers began making their transfers - 35 in all, totalling $951m, almost the entire contents of Bangladesh Bank's New York Fed account. The thieves were on their way to a massive payday - but just as in a Hollywood heist movie, a single, tiny detail would catch them out.
As Bangladesh Bank discovered the missing money over the course of that weekend, they struggled to work out what had happened. The bank's governor knew Rakesh Asthana and his company, World Informatix, and called him in for help. At this point, Asthana says, the governor still thought he could claw back the stolen money. As a result, he kept the hack secret - not just from the public, but even from his own government.
Meanwhile, Asthana was discovering just how deep the hack went. He found out the thieves had gained access to a key part of Bangladesh Bank's systems, called Swift. It's the system used by thousands of banks around the world to co-ordinate transfers of large sums between themselves. The hackers didn't exploit a vulnerability in Swift - they didn't need to - so as far as Swift's software was concerned the hackers looked like genuine bank employees.
It soon became clear to Bangladesh Bank's officials that the transactions couldn't just be reversed. Some money had already arrived in the Philippines, where the authorities told them they would need a court order to start the process to reclaim it. Court orders are public documents, and so when Bangladesh Bank finally filed its case in late February, the story went public and exploded worldwide.
The consequences for the bank's governor were almost instant. "He was asked to resign," says Asthana. "I never saw him again."
US Congresswoman Carolyn Maloney remembers clearly where she was when she first heard about the raid on Bangladesh Bank. "I was leaving Congress and going to the airport and reading about the heist, and it was fascinating, shocking - a terrifying incident, probably one of the most terrifying that I've ever seen for financial markets."
As a member of the congressional Committee on Financial Services, Maloney saw the bigger picture: with Swift underpinning so many billions of dollars of global trade, a hack like this could fatally undermine confidence in the system.
She was particularly concerned by the involvement of the Federal Reserve Bank. "They were the New York Fed, which usually is so careful. How in the world did these transfers happen?"
Maloney contacted the Fed, and staff explained to her that most of the transfers had in fact been prevented - thanks to a tiny, coincidental detail.
The RCBC bank branch in Manila to which the hackers tried to transfer $951m was in Jupiter Street. There are hundreds of banks in Manila that the hackers could have used, but they chose this one - and the decision cost them hundreds of millions of dollars.
"The transactions… were held up at the Fed because the address used in one of the orders included the word 'Jupiter', which is also the name of a sanctioned Iranian shipping vessel," says Carolyn Maloney.
Just the mention of the word "Jupiter" was enough to set alarm bells ringing in the Fed's automated computer systems. The payments were reviewed, and most were stopped. But not all. Five transactions, worth $101m, crossed this hurdle.
Of that, $20m was transferred to a Sri Lankan charity called the Shalika Foundation, which had been lined up by the hackers' accomplices as one conduit for the stolen money. (Its founder, Shalika Perera, says she believed the money was a legitimate donation.) But here again, a tiny detail derailed the hackers' plans. The transfer was made to the "Shalika Fundation". An eagle-eyed bank employee spotted the spelling mistake and the transaction was reversed.
And so $81m got through. Not what the hackers were aiming for, but the lost money was still a huge blow for Bangladesh, a country where one in five people lives below the poverty line.
By the time Bangladesh Bank began its efforts to claw the money back, the hackers had already taken steps to make sure it stayed beyond reach.
On Friday 5 February, the four accounts set up the previous year at the RCBC branch in Jupiter Street suddenly sprang to life.
The money was transferred between accounts, sent to a currency exchange firm, swapped into local currency and re-deposited at the bank. Some of it was withdrawn in cash. For experts in money laundering, this behaviour makes perfect sense.
"You have to make all of that criminally derived money look clean and look like it has been derived from legitimate sources in order to protect whatever you do with the money afterwards," says Moyara Ruehsen, director of the Financial Crime Management Programme at the Middlebury Institute of International Studies in Monterey, California. "You want to make the money trail as muddy and obscure as possible."
Even so, it was still possible for investigators to trace the path of the money. To make it completely untrackable it had to leave the banking system.
The Solaire sits on the waterfront in Manila, a gleaming white palace of hedonism, home to a hotel, a huge theatre, high-end shops and - its most famous attraction - a sprawling casino floor. Manila has become a big draw for gamblers from mainland China, where the pastime is illegal, and the Solaire is "one of the most elegant casino floors in Asia", according to Mohammed Cohen, editor-at-large of Inside Asian Gaming Magazine. "It's really beautifully designed, comparable to anything in south-east Asia. It has roughly 400 gaming tables and about 2,000 slot machines."
It was here in Manila's glitzy casino scene that the Bangladesh Bank thieves mounted the next stage of their money laundering operation. Of the $81m that washed through the RCBC bank, $50m was deposited in accounts at the Solaire and another casino, the Midas. (What happened to the other $31m? According to a Philippines Senate Committee set up to investigate, it was paid to a Chinese man called Xu Weikang, who's believed to have left town on a private jet and never been heard of since.)
The idea of using casinos was to break the chain of traceability. Once the stolen money had been converted into casino chips, gambled over the tables, and changed back into cash, it would be almost impossible for investigators to trace it.
But what about the risks? Aren't the thieves in danger of losing the loot across the casino tables? Not at all.
Firstly, instead of playing in the public parts of the casino, the thieves booked private rooms and filled them with accomplices who would play at the tables; this gave them control over how the money was gambled. Secondly, they used the stolen money to play Baccarat - a wildly popular game in Asia, but also a very simple one. There are only three outcomes on which to bet, and a relatively experienced player can recoup 90% or more of their stake (an excellent outcome for money launderers, who often get a far smaller return). The criminals could now launder the stolen funds and look forward to a healthy return - but to do so would take careful management of the players and their bets, and that took time. For weeks, the gamblers sat inside Manila's casinos, washing the money.
Bangladesh Bank, meanwhile, was catching up. Its officials had visited Manila and identified the money trail. But when it came to the casinos, they hit a brick wall. At that time, the Philippines gambling houses were not covered by money laundering regulations. So far as the casinos were concerned, the cash had been deposited by legitimate gamblers, who had every right to fritter it away over the tables. (The Solaire casino says it had no idea it was dealing with stolen funds, and is co-operating with the authorities. The Midas did not respond to requests for comment.)
The bank's officials managed to recover $16m of the stolen money from one of the men who organised the gambling jaunts at the Midas casino, called Kim Wong. He was charged, but the charges were later dropped. The rest of the money, however - $34m - was leaching away. Its next stop, according to investigators, would take it one step closer to North Korea.
Macau is an enclave of China, similar in constitution to Hong Kong. Like the Philippines, it's a hotspot for gambling and home to some of the world's most prestigious casinos. The country also has long-established links to North Korea. It was here that North Korean officials were in the early 2000s caught laundering counterfeit $100 notes of extremely high quality - so-called "Superdollars" - which US authorities claim were printed in North Korea. The local bank they laundered them through was eventually placed on a US sanctions list thanks to its connections with the Pyongyang regime.-BBC