By Joseph Marks
The Federal Reserve Bank of New York on Dec. 16, 2017. (Eduardo Munoz/Reuters)
Instead, Bangladesh Bank is suing a bank in the Philippines where the funds briefly landed before a complex series of transfers that diverted them to Filipino casinos after which they became untraceable. The New York Fed, which was holding the money when it was illegally transferred, is helping, including by urging people and organizations in the Philippines to help recover the funds, according to an agreement between the banks.
The case -- which represents one of the biggest bank heists in modern history -- demonstrates a supreme challenge facing cybercrime victims, former prosecutors told me.
The global losses from cybercrime, which the Center for Strategic and International Studies reports have reached $600 billion annually, are devastating for victims. But it’s often difficult or impossible to recover the stolen money from the hackers who commit crimes across borders. The culprits -- if they can even be identified -- are often bad actors who are beyond the reach of governments' law enforcement.
That means cybercrime victims have to look elsewhere for recompense -- even in this scenario, where the U.S. Justice Department and cybersecurity companies have publicly concluded North Korean government-backed hackers carried out the crime.
“If you really want to recover funds, you need to find someone with deep pockets,” Marcus Christian, an attorney in Mayer Brown’s cybersecurity practice and a former executive assistant U.S. attorney, told me. “People are going to follow the money and find other parties at fault.”
In this case, the heist was interrupted before the hackers had completed their work, according to the lawsuit. If they’d been fully successful, the scam would have wrested nearly $1 billion from Bangladeshi accounts, more than two-thirds of the bank's typical reserves and a sum that would have been “catastrophic” for the nation and its people, according to the suit.
Yet the bank is unlikely to retrieve even the comparatively meager sum of $81 million from the Pyongyang regime, which is both notoriously short of funds and a pariah from global rule of law, Christian said.
As a result, he says Bangladesh Bank is much better off suing the Filipino bank, Rizal Commercial Banking Corporation, or RCBC, which is tied into the global financial system.
This case is somewhat distinct because Bangladesh Bank alleges RCBC was actually complicit in the hack rather than simply negligent. That sets the case apart from, say, a typical data breach case where customers whose information was stolen will sue a company they say failed to adequately protect their personal information.
According to the lawsuit, RCBC assisted the North Korean hackers in transferring the stolen funds to RCBC accounts at the New York Fed and then back to the Philippines. An RCBC attorney called those claims “completely baseless” and a “PR campaign” to shift blame from Bangladesh Bank’s own negligence, Reuters reported.
The Manila bank also argued that the case’s link to New York — the fact the initial transfer occurred at the New York Fed — was too tenuous to justify filing the legal case there. International crime victims often sue in U.S. courts if there’s a reasonable argument to do so because they offer a more transparent legal process and clearer rule of law than other venues, Christian told me.
The case is also somewhat unusual because the New York Fed has pledged to take an active role in helping the Bangladesh Bank recover its money, said John Horn, a former U.S. attorney who’s now a partner with King and Spalding, focused on data security.
“That’s a definite signal that the Fed is going to do what it can to discourage the use of its system in this way going forward,” Horn told me.
The North Korean hackers haven’t escaped completely the reach of U.S. justice.
The Justice Department announced charges in September against one of the alleged Bangladesh Bank hackers, Park Jin Hyok, who’s also accused in the 2014 hack of Sony Pictures Entertainment.
Park is unlikely to see a U.S. courtroom, though, and there has been no talk of retrieving any of the hacked funds from the North Korean regime.
“This case, like most cybercrime cases, demonstrates that when [victims] cannot identify or reach the criminals who affected them adequately, they will turn to other parties for a remedy,” Christian told me.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
A woman walks by a Huawei store in Beijing on Dec. 11, 2018. (Andy Wong/AP)
“I think they’re identifying technologies that are key to their road map and going after them no matter what the size or scale or status of the business,” Adam Khan, founder of Akhan, said of Huawei, according to Bloomberg Businessweek.
As part of the probe, the FBI also searched a Huawei laboratory in San Diego on Jan. 28. “It’s possible that the government will conclude there aren’t grounds for an indictment against Huawei,” Schatzker wrote. “Prosecutors also could decide that what happened to Akhan isn’t serious enough to seek charges.”
Director of National Intelligence Daniel Coats on Capitol Hill in Washington on Jan. 29. (Salwan Georges/The Washington Post)
First, Coats's testimony challenges the idea in the cyber strategy that the United States will remain a leader in emerging technologies. Coats in his prepared testimony “made it clear that U.S. intelligence agencies had concluded the U.S. was already losing its edge in emerging technologies, and we’d better get used to it,” Zegart wrote.
Secondly, Coats also undercut the cyber strategy's claim that the United States will “preserve peace through strength” by pushing back against states including China and Russia that have violated norms of good behavior in cyberspace. That doesn't match the facts as Coats described them, Zegart said. “It’s time our cyber strategy got with the program,” according to Zegart. “Any strategy untethered to reality is no strategy at all.”
An aerial view of London on July 26, 2011. (Tom Shaw/Getty Images)
Christopher Pincher, deputy chief whip, informed lawmakers about the hacking attempts in an email. “Please be wary of texts and/or emails purporting to come from Colleagues asking you to provide overseas contact details and/or asking you to download a secure message app,” Pincher said, according to an image of the email published by BuzzFeed News. “This is a malicious hack that accesses your contacts list and sends texts and emails to all your private contacts.”
Sen. Mike Enzi (R-Wyo.) on Capitol Hill in Washington on Jan. 29. (Alex Brandon/AP)
— More cybersecurity news from the public sector:
Hands type on a computer keyboard in Los Angeles on Feb. 27, 2013. (Damian Dovarganes/AP)
— More cybersecurity news from the private sector:
Pedestrians walk past a Huawei store in Shanghai on Jan. 29. (Qilai Shen/Bloomberg News)
- The Center for Strategic and International Studies holds an event titled “China's Digital Silk Road.”
- CPX 360 cybersecurity summit in Las Vegas through tomorrow.
- ARC Industry Forum in Orlando through Thursday.
- Senate Armed Services Committee hearing on worldwide threats tomorrow.
- The Center for Strategic and International Studies holds an event titled “Mitigating security risks to emerging 5G networks” tomorrow.
- Texas Technology Summit in Houston tomorrow.
- The Center for Strategic and International Studies holds an event on digital surveillance on Feb. 13.
The Trump administration’s “wait-in-Mexico” policy for asylum seekers, explained:
Gay lawmaker flees Brazil due to death threats
Source: The Washington Post