The Mystery of Bangladesh’s Missing Millions

It wasn’t a conventional heist. No masked robbers with guns. No large sacks of cash. In February, someone––or more likely, a group––tried to steal almost $1 billion from the Federal Reserve Bank of New York, out of an account Bangladesh uses for international settlements. The thieves got away with $81 million, and it’s being called one of the biggest heists in history.

For the past two weeks, bank employees, an ambassador, and businessmen, have all testified at a Senate hearing in the Philippines, where the money ended up. Until recently, little was known about who orchestrated the heist. But on Tuesday, investigators in the Philippines filed criminal complaints against two men: a businessman who organizes casino gambling trips and the president of a casino.

It’s unclear how long thieves had planned the heist, but some of the accounts at the Filipino bank used to steal the money were created in May 2015. On the first Friday in February, hackers bombarded the New York Fed with dozens of requests to transfer nearly $1 billion to accounts across the world. The Bangladeshi weekend begins on Friday––as does much of the Muslim world’s––so it wasn’t until Sunday, when employees at the Bangladesh Bank began their workweek, that they saw messages from the Fed asking to confirm some of the enormous transfers. The Bangladesh Bank’s messaging system was reportedly broken, so employees tried to reach the Fed by fax and email. But it was still the weekend in the U.S., so it was only on Monday that the true scale of the heist became clear.

In all, the thieves sent 35 transfer requests; just four—totaling $81 million—went through. (Deutsche Bank froze a fifth request for $20 million in Sri Lanka because of a spelling error.) Two weeks ago, the Filipino Senate panel learned that the funds had made their way into four accounts at the Rizal Commercial Banking Corporation (RCBC), a Filipino bank.

The Philippines has some of the strictest bank-secrecy laws in the world, and its casinos are lightly regulated. This effectively means a casino there has no obligation to report––and is even protected from reporting––suspicious transactions, like, say, someone dumping tens of millions of dollars into an account and transferring those funds into gambling chips, a move that would conceal the source of the cash.

When the banks in the Philippines opened after the weekend, an attorney for RCBC said, Maia Santos Deguito, an RCBC branch manager in Makati, the financial capital, ignored an alert from the Bangladesh Bank to freeze the four accounts into which the money had been transferred. Instead, the lawyers said, Deguito transferred funds to RCBC accounts owned by a businessman named William Go. She then sent the money through a currency-exchange company called Philrem Service Corporation to the casinos.

Go has denied owning the accounts through which the money was consolidated, or to playing any role in the heist. A representative of Philrem told the Senate panel that Deguito instructed the company to transfer the money to two casinos, as well as to an account owned by a businessman named Weikang Xu.

Xu reportedly received $30 million; $29 million passed to a casino resort called Solarie. The rest landed in yet another casino, this one owned by Eastern Hawaii Leisure Company Limited. The president of that company, a man named Kam Sin Wong, who also goes by Kim Wong, was described by Filipino Senator Sergio Osmeña III as “a missing link” in the story.

“There is an orchestrator here, a mastermind, and right now, it looks like it’s Kim Wong,” Osmeña told reporters.

The head of Bangladesh’s central bank, Atiur Rahman, kept it all quiet for a month. When he reached out to the Anti-Money Laundering Council, word got out. The Bangladesh Bank blamed the Fed for transferring the money (and by Wednesday, it looked like it might sue). The Fed said all the requests were legitimate, that its system wasn’t compromised, and that whoever made the requests had all the right authentication protocols. Rahman resigned from the Bangladesh Bank last week. Fazle Kabir, the former finance secretary, took over that position on Sunday.

Reuters reported that experts at a Silicon Valley-based investigative company believe whoever pulled off the heist “had deep knowledge of the Bangladeshi institution’s internal workings, likely gained by spying on bank workers.” In other words, an inside job. And much of last week’s Senate hearing in the Philippines has centered on Deguito, the RCBC branch manager.

The bank’s cameras were down, but her boss, Romualdo Agarrado, testified he saw her withdraw more than $400,000 (her alleged cut of the money), stash it in a paper bag, and carry it to her car. Go, the businessman, said Deguito met him at a restaurant, confessed, and offered him money to help cover her tracks. He said he declined the offer.

“Upon seating, she told me, ‘Sir, I’m sorry. I did something wrong to you. I opened an account for you at RCBC,’” Go testified, according to the Philippine Daily Inquirer.

Deguito has offered another version of the story: that bank executives helped plan and direct the heist, and that Go was in on it. A former assistant manager at RCBC testified last Thursday that, indeed, there had been a cover up. Deguito was just the patsy.

“Almost all of Mr. Agarrado’s statements in the Senate hearing yesterday were lies,” Angela Torres, the former assistant manager, said, according to the Philippine Daily Inquirer. “The cash was not put in a paper bag, instead it was placed in a box and was loaded to William Go’s Lexus.”

Go had personally opened the account used to transfer the money, Torres said, and he signed the withdrawal slip for the cut she says was taken to his car.

This view—that Deguito is taking the fall for a far larger operation—has other supporters, among them John Gomes, the Bangladeshi ambassador to the Philippines.

“I feel, as an outsider, there was a coverup,” Gomes testified, adding that when senators pushed RCBC executives, they invoked the country’s bank-secrecy act. Asked if he thought Deguito could have done it alone, Gomes said, “I don’t think so. I don’t believe a manager of any bank in the world could handle millions of dollars which suddenly appeared in some accounts.”

Even before the hearings, the Philippine Daily Inquirer had obtained internal statements that, if true, might damn Go and RCBC executives. On March 9, the paper reported:

A representative of the bank manager—who has since been suspended as part of the bank’s internal investigation—showed the Inquirer documents alleging that the transactions had the imprimatur of top bank officials ever since the manager was ordered to open five bank accounts as early as May 2015.

To support the opening of these bank accounts, the RCBC branch manager was provided with five identification documents or ID cards, all of which were determined to carry fictitious identities after the controversy broke out.

“The branch manager is now willing to speak out because she’s afraid the bank will pin it all on her,” a representative of the official told the Inquirer on late Monday. “But, in fact, she was ordered to facilitate these transactions. You can’t do anything this big without higher-ups not knowing.”

In other words, there were more people involved. On Tuesday, local investigators at Philippines’s anti-money-laundering agency filed criminal complaints against both Xu and Wong, alleging they’d both received some of the stolen money. The Wall Street Journal reported that Wong’s lawyer said he intended to testify at the Senate hearings in the Philippines, but he was out of the country. And while this latest development may have provided another glimpse into how the money was taken, there seems to be little chance Bangladesh will recoup it.

“That’s where the money trail ends,” Julia Bacay-Abad, the executive director of the Philippine Anti-Money Laundering Council, told the Nikkei Asian Review.

The heist has led many Filipino officials and executives to demand the country lift its bank and casino-secrecy laws. And as these Internet bank heists happen again, and again, and again, it reminds us the Internet can be an anarchic place where an individual––even an entire country––can be held up with just a few keystrokes.