Billion-dollar bank theft foiled because a hacker couldn’t spell!

Bangladesh central bank

A spelling mistake in an online bank transfer instruction helped prevent a nearly $1 billion robbery last month involving the Bangladesh central bank and the New York Fed, banking officials said.

However, the unknown hackers still managed to get away with about $80 million, one of the largest known bank thefts in history.

According to senior officials at the bank, the hackers breached Bangladesh Bank's systems and stole its credentials for payment transfers. They then sent nearly over 30 requests the New York’s Federal Reserve Bank to move money from the Bangladesh Bank's account there to organisations in the Philippines and Sri Lanka.

Four requests to transfer a total of about $81 million to the Philippines went through, but a fifth, for $20 million, to a Sri Lankan non-profit organisation was held up because the hackers misspelled the name of the NGO, Shalika Foundation.

Instead of writing "foundation," the hackers wrote "fandation." This prompted a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction.

According to Reuters, there is no NGO under the name of Shalika Foundation in the list of registered Sri Lankan non-profits.

The unusually high number of payment instructions and the transfer requests to private entities – as opposed to other banks – helped alert staff at the Fed, which also notified the Bangladeshis, the officials said.

The details of how the hacking came to light and was stopped before it did more damage have not been previously reported. Bangladesh Bank has billions of dollars in a current account with the Fed, which it uses for international settlements.

The transactions that were stopped totalled $850-$870 million, one of the officials said.

Bangladesh Bank says it has recovered some of the money that was stolen, and is working with anti-money laundering authorities in the Philippines to try to recover the rest, Reuters reports.

More than a month after the attack, Bangladeshi officials are scrambling to trace the money, shore up security and identify weaknesses in their systems. They said there is little hope of ever catching the hackers, and it could take months before the money is recovered, if at all.

Security experts said the perpetrators had deep knowledge of the Bangladeshi institution's internal workings, likely gained by spying on bank workers.

The Bangladesh government, meanwhile, is blaming the Fed for not stopping the transactions earlier.

"The Fed must take responsibility," said Finance Minister Abul Maal Abdul Muhith, adding that his country may resort to suing the Fed to recover the money. 

The New York Fed has said its systems were not breached, and it has been working with the Bangladesh central bank since the incident occurred to investigate what happened.

The hacking of Bangladesh Bank took place sometime between Feb. 4-5, over the Bangladeshi weekend, which falls on a Friday when the bank's offices were shut, officials said.

Last year, Russian computer security company Kaspersky Lab said a multinational gang of cyber criminals had stolen $1 billion from 100 financial institutions around the world in about two years.