Baccarat binge helped launder the world’s biggest cyberheist
Updated: 04 Aug 2017, 02:52 PM IST
Here is how hackers stole $81 million in the world's biggest cyberheist from Bangladesh central bank through bogus instructions
Paris/Shanghai: For someone supposed to be laundering millions of dollars in stolen funds, with investigators from three countries scrambling to track the money, Ding Zhize was a surprisingly unhurried man. He’d brought a dozen or so high rollers from China to play in the glitzy VIP room in Metro Manila’s Solaire casino. The game was baccarat. It was late February 2016—still high season for Asian casinos, thanks to the Lunar New Year holiday—and Ding had been here for days. As red-shirted dealers laid down hand after hand, gamblers smoked Double Happiness cigarettes and helped themselves to an endless supply of mineral water, lemon tea, and Hennessy XO cognac. The chips they played in a steady stream were valid only in that room. The most valuable ones were rectangular plaques worth $20,000.
Ding, his partner, Gao Shuhua, and the gamblers in tow were probably betting on both the house’s hand and the players’ hands, trying to strike a balance between gains and losses. After all, the important thing for anyone looking to launder money through a casino isn’t to win. It’s to exchange millions of dollars for chips you can swap for cool, untraceable cash at the end of the night.
It wasn’t the first time the Chinese duo of Ding and Gao had managed a transaction like this. Running illegal gambling operations, including recruiting people for foreign gaming junkets, was their main business, according to previously unreported court documents in China obtained by Bloomberg Markets as well as interviews with family members and former business partners. By the time Ding, Gao, and their players had their casino accounts frozen in March 2016, they’d managed to make tens of millions of dollars disappear, according to a Philippine Senate committee that investigated the theft.
The money was part of the largest cyberheist in history. In early February, $81 million had been stolen from Bangladesh’s central bank by hackers who issued bogus instructions via Swift, the global interbank payment system, according to reports by the Philippine Senate committee, the Federal Reserve Bank of New York, and the Bangladesh ministry of finance. The cyberthieves messaged the New York Fed, where Bangladesh Bank had funds on deposit, directing it to send funds to a handful of bank accounts mostly in the Philippines set up using fake names.
Just a few days after the theft, Bangladesh Bank officials asked their Philippine counterparts for help. Yet the gamblers were allowed to play on for weeks, according to reports by the casino’s parent company, Bloomberry Resorts Corp., and the Philippine Senate Committee on Accountability of Public Officers and Investigations. Even after the remaining funds were frozen, no charges were filed against Ding, Gao, or the players with them, so Philippine police didn’t make any arrests, says Sergio Osmeña III, a former senator who last year was a member of the inquiry panel. “They waited until it was too late,” he says.
What Ding and Gao did with the loot remains unknown. That’s the point, of course: You want to conceal the money’s criminal origins and then stir it into the rivers of legitimate cash that course around the world every day: $60-odd million here, a few million there. It adds up. PricewaterhouseCoopers LLP says money laundering may total $2 trillion a year worldwide—an amount roughly equivalent to the market for online shopping.
Like the money, Ding and Gao left the Philippines without a trace. (Osmeña says customs authorities have no record of the duo’s departure.) Gone too, it seemed, was any chance that Bangladesh, the Philippines, or the US would find the funds.
But if Ding and Gao thought they’d gotten away scot-free, they were mistaken. The story didn’t end in the floral-scented VIP room of the Solaire. It just moved on—to China and then maybe even North Korea, home to Lazarus, one of the world’s most active state-sponsored hacking collectives.
As big as it was, the heist could have been a lot bigger. The hackers originally intended to funnel $951 million of Bangladesh Bank’s money into phony accounts, according to various investigations. Via Swift, they fired off a series of messages to the New York Fed to do just that. The theft of the full amount was only averted because, after the initial payments had been made, several transactions were flagged “for sanction compliance review,” according to a 14 April 2016 letter from the Fed to US Representative Carolyn Maloney, a New York Democrat. (In the wake of the Bangladesh theft, Swift took measures to prevent such intrusions. “We are fully committed to helping customers in the fight against cyber-attacks,” Patrick Kerkels, the Swift general counsel, said in an emailed response to questions. Swift’s security program, he said, “has demonstrably helped to detect and even prevent successful frauds.”)
Since then, Philippine authorities have recovered almost a fifth of the stolen money and returned it to Bangladesh, but most of the rest, after flowing through a series of accounts, a money-transfer company, and into local casinos, disappeared into the muggy Manila air.
Some or all of it may have found its way to North Korea. The FBI is examining the totalitarian state’s link to the hack, according to two officials with direct knowledge of the investigation.
In addition, security companies, including Symantec Corp. and BAE Systems Plc, say Lazarus hackers working for the rogue state were probably behind the attack. They cite similarities between the methods used in the Bangladesh attack and those in other cases, such as the hack of Sony Pictures Entertainment Inc. in 2014, which US officials attributed to North Korea. Cybersecurity experts say Lazarus was also behind the WannaCry ransomware attack in May that infected hundreds of thousands of computers around the world.
All but cut off from the world and hamstrung by sanctions imposed by the United Nations, the US, South Korea, and Japan, North Korea needs convertible currencies to finance imports, among other things. It uses a shifting array of agents, shipping companies, and brokers to bring in illicit cash, says Juan Zarate, a former deputy US national security adviser and author of Treasury’s War: The Unleashing of a New Era of Financial Warfare.
Stealing money from a central bank would be another way of doing it. “It’s a clear fact that these menacing groups are continuously preparing or attempting attacks on the financial sector,” South Korea’s government-funded Financial Security Institute said about Lazarus and related hacking rings in July. What’s required in the case of a theft like the one from Bangladesh Bank is a mix of hacking wizardry to divert the money and some old-school laundering to clean it and cover the trail. Ding and Gao were certainly not specialists in the former, according to descriptions of them in court records and from family members and acquaintances. Gao’s wife, Yan Wenli, says he’s computer illiterate. Ding is such a tech novice, he needed help setting up a WeChat account he used to post selfies while out on hikes, says a former business partner, who declined to be named.
Walk along the zig-zag lanes of Chendai, a Chinese town on the Taiwan Strait, and you’ll see a lot of Dings on business signs. They’re a prominent family, part of a Muslim community that settled along this stretch of the coast centuries ago when the region was the main port of entry for foreign traders. While some of the Ding clan built business empires here—manufacturing athletic shoes, for instance—Ding Zhize made a name for himself 600 kilometers (373 miles) down the coast in Macau’s casinos.
Now 45, Ding set up an investment company in 2007 as Macau was becoming the world’s biggest gambling center by revenue. Neighbours and a former business partner say he also arranged for gamblers from mainland China to go on casino trips, which would be illegal under Chinese law. In addition, these people say, Ding specialized in arranging off-table bets, private wagers from anonymous gamblers using bookmakers. These often dwarf bets by gamblers physically present at casinos, according to a paper published in the British Journal of Criminology in February.
While it’s unclear exactly how much Ding earned from his operations, his spending soared. By 2008 he’d invested $1 million in a real estate company near his hometown and hired Asian pop stars to promote a spa there called Bali. Ding and his wife eventually shut down those businesses. Afterward, they bought a Macau high-rise now valued at $1 million. About a half-hour drive from there, the couple owns a four-story mansion surrounded by a koi pond, bonsai trees, and at least seven security cameras. The lot alone is worth $5 million, local real estate agents estimate. The Dings’ wealth can also be measured by what they’ve lost. A police report itemizes more than $600,000 in items stolen in a burglary at their home a few years ago, including two Swiss watches, HK$200,000 ($25,600) in cash, and a kilo of gold.
Gao, a buzz-cut 53-year-old, is from a dusty Beijing suburb that supplies the capital with watermelons and pears. He’s one of the richest men in town, people in his neighbourhood say. From there, he ran an illegal casino as far back as 2004, according to Chinese police reports and court documents. That summer, according to an account in Chinese court documents, thugs working for Gao beat up a group of men whom they mistook for another gang that had robbed them. The victims turned out to include cops, and Gao found himself serving an 18-month prison sentence.
Upon his release in 2006, Gao apparently travelled to Macau and the Philippines, where he’d invested as much as $2 million in businesses that ran casino VIP rooms, according to court records. One of those companies was Eastern Hawaii Leisure Co., which would wind up with more than a quarter of the stolen funds from Bangladesh, according to the Philippine Senate report. When Chinese authorities arrested Gao again in 2012, they found he ran one of the biggest gambling networks in the country—one that spanned 29 provinces and had made him more than $8 million. He was sentenced to an additional four years in prison, according to a copy of the verdict obtained by Bloomberg Markets.
Gao appealed the sentence, and a court cut it by a year, suggesting in its ruling that he’d assisted the police investigation in some unspecified way. He was officially released on medical parole in 2015, court documents show. It’s not clear how much time Gao spent in prison, because corporate records in Macau show him forming a company there in 2014.
Ding and Gao’s familiarity with Macau would have been useful to North Korean hackers, says Steve Vickers, a former head of the Hong Kong Police Force’s Criminal Intelligence Bureau who now runs an eponymous risk consulting company. That, he says, is because Macau was traditionally one of the few locations where the Pyongyang government has managed to maintain covert bank accounts and interact with the global financial system. (Priscilla Fong, a spokeswoman for Macau’s Financial Intelligence Office, declined to comment on this case or to respond to questions about the region’s links to North Korea.)
About 90% of North Korea’s trade is with China, and Chinese junket operators are well equipped to use the formal banking sector and informal financial networks created by the Chinese traders and small businessmen who’ve crisscrossed the world for 1,000 years, says Andrew Klebanow, a senior partner at Global Market Advisors LLC in Las Vegas. “These networks evolved and continue to this day, allowing money to move into and out of China,” he says. Often money doesn’t even need to cross borders, Klebanow says. As with other informal networks, a deposit in the Philippines might be credited to an account in Macau or China, even though the money stays in Manila.
Months before Ding, Gao, and their baccarat players showed up in Manila, several bank accounts that would later receive the Bangladeshi funds appeared on the books at the Jupiter Street branch of Rizal Commercial Banking Corp. in Metro Manila, according to testimony at the Senate hearings. At the hearings, Kim Wong, president of Eastern Hawaii Leisure, which operates a number of VIP rooms in Manila-area casinos, including the Solaire, testified that he’d set up the RCBC accounts along with Ding’s business partner, Gao, and the Jupiter branch manager at the time, Maia Deguito.
For her part, Deguito said she’d been acting on instructions from RCBC bosses. That assertion netted her a libel claim by Lorenzo Tan, the former chief executive officer of RCBC, who also sued Deguito’s lawyer. “Based on our investigation, Ms. Deguito acted alone with the help of some of her co-workers and subordinates at the Jupiter Branch which she headed,” RCBC said in an emailed statement. “Her actions were inimical to her job and against RCBC’s policies, which resulted in her termination and the filing of cases against her.” The bank said it’s confident the Philippine Department of Justice investigation will find that senior executives had no knowledge of Deguito’s actions.
According to the Senate committee report, Ding, Gao, and Deguito ginned up the accounts using fake names, fake addresses, and fake declarations that Deguito had met the account holders in person and confirmed their identities. Assuming the Senate report got the facts right—there was contradictory testimony—the stage was set for laundering what the hackers hoped would be almost $1 billion. “If you have a bank employee who is in connivance with creating these nonexistent people in the first place, it’s easy to launder,” says Vencent Salido, head of investigations at the Philippine government’s Anti-Money Laundering Council, which is leading the local investigation into the theft.
All the accounts created at the RCBC branch lay dormant until Friday, Feb. 5, 2016. The Swift attack began the day before, the last day of the workweek in Bangladesh. Sums ranging from $6,000,039.12 to $30,000,039.12 went zipping from the New York Fed through Citibank, Wells Fargo, and the Bank of New York-Mellon to a series of accounts at the branch, which sits below a bridal shop. Some even passed through the account of a real person who later told the Senate panel that his signature had been forged. After four such transfers (and a fifth to an account in Sri Lanka), the Fed stopped the routing, triggering a manual review that in turn ended up blocking any transactions beyond the $81 million that had already flowed through the system.
The following Monday was Chinese New Year. Banks in the Philippines were closed, so four stop-payment requests from Bangladesh Bank to RCBC went unheeded. The next morning, almost all the money in the four fake accounts was transferred through a variety of accounts, obscuring, at least initially, the money’s provenance. It then went on to a payment company called Philrem Service Corp. At about 7:45pm on Tuesday, after getting a call from the Anti-Money Laundering Council, RCBC finally placed a hold on the remaining funds: $68,305.
Of the money transferred out of RCBC, about $29 million was wired by Philrem to Bloomberry Resorts and credited to Ding, mainly for gambling at the Solaire VIP room; $21 million was wired to Eastern Hawaii Leisure and used primarily in the VIP rooms of other casinos. An additional $31 million, according to testimony from Philrem Chairman Michael Bautista, was delivered in cash to Wong, Eastern Hawaii’s president, mostly through an intermediary named Xu Weikang, who was working for Ding and Gao. In his Senate testimony, Wong disputed the amount. He claimed that Philrem had kept about $17 million, and only $13.5 million had been delivered in cash. Bautista, who’s also the subject of a complaint by the Anti-Money Laundering Council, has repeatedly denied keeping the cash. His lawyer, Howard Calleja, didn’t respond to multiple requests for comment. When reached by Bloomberg Markets, Xu, a debt-ridden businessman from Zhejiang, China, said he was a victim of identity theft. Silverio Benny Tan, Bloomberry’s lawyer, declined to comment on the matter, citing a court case over funds the casino froze from Ding’s group.
In an interview last year with Philippine Dragon Media Network, a Chinese-language website, Wong said Gao and Ding had tricked him. He said Gao, a business partner of his since 2007, told him the money had come from a land sale to the Chinese government to make way for a new airport in Beijing. Wong said Gao introduced him to Ding, who claimed he got the money by selling shares in Macau casinos, which he intended to invest in the Philippines. Wong declined to be interviewed for this article.
For her part, Deguito, the fired bank manager who claimed she’d been acting on instructions from RCBC bosses, said she hadn’t meant to do anything wrong. Her lawyer, Ferdinand Topacio, declines to comment on the details of his client’s actions or statement. He notes there are three criminal cases pending against Deguito in Philippine courts that include allegations of anti-money-laundering violations, perjury, and falsification of documents. Referring to varying accounts of what happened from Deguito, Wong, and Bautista, Osmeña, the former senator, says, “I couldn’t take seriously what they were all saying.”
The FBI and the Bangladeshi government have recently turned their attention to pursuing the Chinese connection in the case, Topacio says. He met twice with FBI agents between May and July. At those meetings, he says, the agents pressed for details about Ding and Gao, as well as about ethnic Chinese doing business in the Philippines such as Wong. Topacio says FBI agents and Bangladeshi law enforcement officials told him the usual path would have taken the laundered funds from the Philippines to Macau and from there, directly or indirectly, to North Korea. While the officials didn’t give any indication that they’d been able to track the funds, they did say their suspicions were backed by the fact that the money was sent to middlemen—Ding and Gao—with direct connections to Macau.
Philippine authorities are still investigating Ding and Gao as well as all aspects of the case, says Salido of the Anti-Money Laundering Council. In April, the country’s justice department indicted Deguito and the owners of Philrem but dropped the case against Wong, citing a lack of evidence, Salido says. Wong has returned $15 million to the authorities, which was then transferred back to Bangladesh Bank.
What galls Salido, among other things, he says, is that he never did manage to interview the elusive Ding and Gao.
Chinese authorities apparently had better luck. Ding’s former business partner says police from Xiamen, a city near Ding’s hometown, arrested him in March 2017. In Chendai, standing next to a Lexus sedan, Ding’s sister-in-law, who declined to give her name, confirmed the arrest but refused to say more. (The Xiamen City Public Security Bureau declined to comment for this article.)
It does appear that, for whatever reason, Ding’s finances have suffered. In May 2015 he and his brother, Ding Xiaoming, registered an investment company called Ninin, the same name Ding had used for a series of entities in Hong Kong, Macau, and mainland China. Held under Xiaoming’s name, the company was supposed to have 100 million yuan ($15 million) in registered capital. If Ninin was expecting an influx of money, it never arrived. Xiaoming dissolved it in July, corporate registry records show.
As for Gao, his wife says the whole affair has brought nothing but grief. Gao, a devoted gambler, had met Ding at a card table, Yan says. She wouldn’t say when or where. “He knew too many people,” she says. The family compound includes an L-shaped house, parcels of farmland, and a carved stone pagoda set in a big garden five miles north of that planned Beijing airport. Sitting inside, Yan vehemently slaps down all the speculation about her husband. “He has never opened any account or received the money in question,” she says, between drags on her cigarette.
In August 2016, Yan says, police, again from Xiamen, came to the compound and took Gao away to a detention center in Ding’s home region. When she asked what she could do to get him out, one of the cops said, “Don’t bother calling a lawyer.”
Katz is the legal enforcement team leader for Europe. Fan writes about China from Shanghai. With assistance from Simon Lee, Daniela Wei, Rachel Chang, Michael Riley, Peter Martin, and Norman P. Aquino. Bloomberg