Some time has passed since the theft of Bangladesh Bank’s foreign exchange assets held at the Federal Reserve Bank of New York took place and it is now possible to gain some perspective on what happened and the events surrounding the loss incurred.
There are various investigations taking place to establish what happened and the responsibility for the losses. Inside Bangladesh a special committee headed by Md. Farasuddin, former Governor of Bangladesh Bank, has completed its report and it is expected to be made public soon according to AMA Muhith, Minister of Finance. The Criminal Investigation Department of the police is conducting another investigation aimed at identification of persons who might be charged for this crime. Bangladesh Bank is carrying on an investigation to help further refine the picture of what happened and to suggest remedial measures to ensure the banking system is secure against such attacks. The Federal Reserve is reported to be carrying out an investigation and the SWIFT organization has already completed its investigation. Also the reputed private, independent investigation firm FireEye has submitted its findings regarding the heist. While the CID investigation must be managed following the procedures of obtaining evidence for judicial proceedings, the other investigations would be made available to the public promptly. Availability of these reports will not adversely affect any eventual prosecutions.
How does the SWIFT system operate? Participants in the system have special terminals set up in their headquarters. These terminals are linked by a closed internet system. Unless you enter through one of these SWIFT terminals you cannot send or receive messages. Ordinary computer terminals are not connected to this net, and the SWIFT-connected systems are supposed to be separated from the back-office computers by a firewall with very strict security policies. To send a transfer order that takes funds from one account and sends them to another, the instructions must be entered into the SWIFT terminal, one or more passwords must be entered by different people, and finally a dongle, in effect a physical key, must be used in the terminal before a message can be sent with proper authentication. When a transfer order is sent, the SWIFT system authenticates the order and passes it to the concerned financial institution.
Questions:
1. Can one connect ordinary terminals to a SWIFT terminal and control the output of this SWIFT terminal, bypassing the dongle used for authentication, so as to send a transfer order on SWIFT that appears to have the appropriate authentication but actually does not?
No! This is not technically possible, according to our discussions with several authorities on the SWIFT system who are not employees of the SWIFT organization. In our view the best analysis is that hacking is not possible.
2. Did the SWIFT staff or the Bangladesh Bank staff make unauthorized adjustments in the hardware connections? If so, would this have made it possible to send transfer orders down the SWIFT system that did not have proper authentication?
The authorities are investigating the first question, and newspaper stories have quoted officials as saying that such unauthorized connections were made. The outcome of this will emerge in due time. But even such connections would not enable the SWIFT network to accept transfer orders without the proper authentication by passwords and dongle. Perhaps multiple passwords held by different persons are required, and the malware recorded the passwords so that one person with these passwords, along with access to the dongle, was able to send the transfer orders with valid authentication.
3. How did this plot go down? Who were involved at SWIFT or Bangladesh Bank? Of the transfers that were not allowed by the Federal Reserve System who owned the accounts to which the transfers were directed? What countries were involved?
The plot had two components. One was to transfer one hundred million dollars into accounts that were under the control of the gang responsible for the attack. The second component was an elaborate smoke screen to lead the investigators away from the local team that was involved. We will find that there were improper connections between the Bangladesh Bank local area networks and the computer terminals, including SWIFT’s; these actions were designed to make the investigators believe that the authentication was done remotely without local involvement. A non-functioning printer and a large number of false transfers added to the general confusion. Altogether these actions delayed the focus on the key recipient bank in the Philippines, enabling the transfers to be shifted into casinos and effectively completing the theft.
Note there have been no reports of investigations or arrests in other countries that were supposed to receive the funds. This suggests that these were dummy accounts set up to confuse. Perhaps there have been such investigations but it is odd that none have come to light. One would have thought that the various accounts that were to receive the almost one billion dollars would have been investigated.
All of this suggests the shape of the theft included a few persons, perhaps two employees of Bangladesh Bank who initiated the transfer and two persons among the SWIFT staff whose task was to make improper connections designed to confuse the investigators. This group was responsible for sending the instructions to the Federal Reserve for the transfers and also for creating a complicated screen to deflect investigators from what happened and instead lead them off into the belief that the Bangladesh Bank and the SWIFT network had been hacked. However, the efforts of CID may well come to fruition and identify those individuals that were responsible for issuing the transfer orders. The rest of the gang was busy with moving the money into untraceable paths. That seems to have been successfully accomplished.
The key to solving this mystery is to focus on the non-computer part of the plot, in order to identify those responsible for entering the illegal transfer orders in the SWIFT terminals. Once these persons are identified one can begin to trace their connections to the gang that actually took the money from the accounts. Of course larger organisations like the FBI are working on these connections in other countries and some of this may come to fruition. But the most vulnerable part of the theft remains the persons working for Bangladesh Bank and/or SWIFT who had to have cooperated in this complex deception operation.
Are high level persons in Bangladesh Bank involved? Almost certainly not. There is a very limited ability of people in Bangladesh to keep secrets and if there are more than two or three persons engaged in a conspiracy it will soon become public. We think that no more than two persons in Bangladesh Bank were involved and this makes involvement of high level officers very unlikely. But one cannot really be sure and a comprehensive investigation is clearly needed.
In the management of this terrible incident one has to say that the authorities have acted precipitously and without fairness. Senior officers, particularly two Deputy Governors, had their contracts cancelled without due process, the Government acting like an angry man striking out at the nearest person without any review or investigation. It was a foolish, immature action that reflects badly on the Government. Justice is an important, perhaps the key, component of good governance. There was no justice here. Indeed there may have been mistakes in the handling of the actions after the theft, but these had the approval of the highest levels of the Government. The central bank has a wonderful reputation for fairness and nonpolitical behavior. The Bank was unfair in its rush to judgment. This was a public relations stunt, not a fair, balanced action as one expects from a central bank. If these actions came from higher up then it is even more unfortunate, as the central bank independence is undermined and personal conflicts were allowed to determine important governance decisions. The theft from Bangladesh Bank was a serious crime; throwing away right behavior for public relations is worse.
However, the most important issue is to upgrade the security of the computer systems, firewalls and network security in the Bangladesh banking system. Progress in cyber-attacks is rapid. The Bangladesh banking system is very exposed. This exposure is going to get worse as the sophistication of the hackers increases.
In a real sense the hacker problem has not been faced. The theft of Bangladesh Bank’s account at the Federal Reserve Bank of New York was not hacking; it was based on corruption of one or two individuals who simply sent transfer orders that had no official permission. An elaborate scheme was developed to give the appearance of hacking. This was a straightforward robbery involving a team of insiders and a team of outsiders: the former to send authenticated transfer orders, the latter to collect the loot.
Unfortunately it seems that the myth of the hacking of the SWIFT system has a great deal of support. In our opinion the authorities need to focus more attention on discovering the culprits who sent the fake transfer orders through the SWIFT system. The authorities will never find the hackers; there are none to find.
The writers are economists
Editor : M. Shamsur Rahman
Published by the Editor on behalf of Independent Publications Limited at Media Printers, 446/H, Tejgaon I/A, Dhaka-1215.
Editorial, News & Commercial Offices : Beximco Media Complex, 149-150 Tejgaon I/A, Dhaka-1208, Bangladesh. GPO Box No. 934, Dhaka-1000.