RCBC faces lawsuit over $81-M bank heist

Agence France Presse

Posted at Feb 07 2018 09:05 PM | Updated as of Feb 08 2018 01:40 AM

DHAKA - Bangladesh's central bank will file a lawsuit in New York against a Philippine bank over the world's largest cyber heist, its finance minister said Wednesday.

Unidentified hackers stole $81 million in February 2016 from the Bangladesh central bank's account with the US Federal Reserve in New York.

The money was transferred to a Manila branch of the Rizal Commercial Banking Corp (RCBC), then quickly withdrawn and laundered through local casinos.

With only a small amount of the stolen money recovered and frustration growing in Dhaka, Bangladesh's Finance Minister A.M.A Muhith said last year he wanted to "wipe out" RCBC. 

On Wednesday, he said Bangladesh Bank lawyers were discussing the case in New York and may file a joint lawsuit against the RCBC with the US Federal Reserve.

"It will be (filed) in New York. Fed may be a party," he told reporters in Dhaka.

The deputy central bank governor Razee Hassan told AFP the case would be filed in April.

"They (RCBC) are the main accused," he said.

"Rizal Commercial Banking Corporation (RCBC) and its various officials are involved in money heist from Bangladesh Bank's reserve account and the bank is liable in this regard," Hassan said in a written statement.

The Philippines in 2016 imposed a record $21 million fine on RCBC after investigating its role in the audacious cyber heist.

Philippine authorities have also filed money-laundering charges against the RCBC branch manager. 

The bank has rejected the allegations and last year accused Bangladesh's central bank of a "massive cover-up".

The hackers bombarded the US Federal Reserve with dozens of transfer requests, attempting to steal a further $850 million.

But the bank's security systems and typing errors in some requests prevented the full theft.

The hack took place on a Friday, when Bangladesh Bank is closed. The Federal Reserve Bank in New York is closed on Saturday and Sunday, slowing the response.

The US reserve bank, which manages the Bangladesh Bank reserve account, has denied its own systems were breached.

SCAPEGOAT

In December 2017, RCBC demanded that the Bangladesh central bank release the results of its internal probe on the heist.

RCBC cited BB’s refusal to release investigation results as suspicious, after the New York Fed and the Philippine government asked for the findings, RCBC’s head of legal affairs Atty. George Dela Cuesta said in a statement. 

“For as long as BB refuses to cooperate with global efforts to find out what happened, this suspicion will linger,” he said. 

“RCBC asks Bangladesh Bank to stop making RCBC its scapegoat,” he added.

BB's demands for RCBC to return the amount was deemed “factually and legally baseless,” Dela Cuesta added. 

"If it was stolen by your own people, why ask us? We are actually a victim of BB's negligence,” he said.

Instead of releasing the result, the BB has been coming out with empty sound bites like "wiping out RCBC" which, coming from a Bangladeshi finance minister, was "extremely irresponsible," RCBC said.

At least five reports including SWIFT, FireEye, a cyber security outfit, the Bangladesh finance minister, a government-appointed panel, and a Bangladeshi expert all pointed out to a conclusion that a “malicious insider” would have made the heist possible, RCBC said.

RCBC urged BB to clarify inquiries pertaining to the heist including the report that BB had no firewall to protect its system and used second-hand $10 switches, making itself vulnerable to hackers. In January, the hackers also did trial runs but apparently BB did nothing to protect its system.

"Bangladesh police investigated some BB people but only for negligence. Up to now, we do not know if anybody has been taken to court," Dela Cuesta said.

The BB belatedly requested the funds to be frozen using ordinary email message, and not a Code Red message that banks use to raise an alarm. 

"This resulted in their message being bunched with thousands of ordinary messages RCBC receives from all other banks all over the world each day. Had they sent a Code Red, we would have caught it," RCBC said, adding that BB did not reach out to RCBC in any other way.