These suspicions were soon reaffirmed, and ultimately it turned out, no surprise, that this Shalika Fandation was indeed a fake company. The money was then rerouted back to the Bangladesh Bank's New York account. Then there were four, $81 million dollars. But, we won't drag this out because these four were all sent not just to the same country, not just to the same bank, but to the same branch. The Jupiter Street branch of the RCBC Bank, just outside Manila, in the Philippines. Four accounts had laid dormant for nine months with just $500 inside, untouched.
Until a sudden cash infusion of $81 million. These sudden bursts should've triggered an alert from RCBC but for whatever reason, it slid under the radar. And, indeed, the accounts were later found to be under fictitious identities. From there, the money was quickly withdrawn and laundered through casinos. Where the electronic money transfers were converted to hard untraceable cash. The Bangladesh Bank did try to stop the transfers, but timing was just not on their side.
The stop order was not received by RCBC Bank on the expected Monday, because Monday was Chinese New Year. A non-working holiday in the Philippines. By now you're probably noticing a trend here. Every step of the way there were delays that benefited the hackers. And, this was by design. A remarkably well timed attack.
On Thursday evening they entered the system at the start of the Bangladesh weekend when the bank is closing. On Friday, the New York Fed tries to clarify the requests with Bangladesh, but no one's there. On Sunday, Bangladesh staff return from the weekend but can't get through to New York as it's now the weekend in the US.
On Monday, the Fed finally gets the orders to stop the transfers, but not the Philippines because it just so happened to be Chinese New Year there. And, only on Tuesday, five days after the heist, that RCBC staff find out about the fraudulent transfers. But, by then it was too late. Now, two Chinese men, Ding and Gao, were eventually found to be responsible for setting up the fake RCBC accounts in the Philippines. They turned out to be just middlemen.
But, they were still a crucial part of the operation. And, investigators hoped questioning them would lead to the true culprits. Unfortunately, before the Bangladesh authorities were able to apprehend them, they left the country, Boarding flights to Macau, a special administrative region of China where it was then impossible to track them. And so, with the remaining four transfers, the hackers were able to net $81 million.
Not quite the original sum, but still enough, by some metrics, to be considered the single biggest bank heist in history. Now, despite the attackers best efforts at removing evidence from the bank's systems, cybersecurity experts were still able to analyze the malware. What they found were similarities in the techniques and tools used between the Bangladesh Bank heist and many other cyber attacks on financial institutions around the world. Which means that, this one particular group had very likely been responsible for a series of global attacks. This group was dubbed Lazarus. But, there was more.
As experts dug deeper, combing through the server logs of recent attacks, they found something even more unexpected. An IP address connecting Lazarus to a particular nation state. For a brief moment they had failed to cover their tracks. And the logs had indicated that the attack servers they used had been accessed at least once from a North Korean IP address. There was also Korean language found embedded in the computer code.