WEBVTT

00:00:08.090 --> 00:00:11.780
JACK: [MUSIC] I’ve heard a few stories of people robbing banks just to get a few hundred

00:00:11.780 --> 00:00:12.780
dollars.

00:00:12.780 --> 00:00:16.240
I heard this one story of a guy who walked into a bank; he acted like he had a gun under

00:00:16.240 --> 00:00:17.240
his jacket.

00:00:17.240 --> 00:00:22.320
He placed a note on the bank teller counter and the note quietly said, this is a robbery.

00:00:22.320 --> 00:00:23.780
Give me some money.

00:00:23.780 --> 00:00:28.590
The teller straightened up and handed over some cash, and the guy ran out.

00:00:28.590 --> 00:00:33.739
He risked it all just for a few hundred or a thousand dollars.

00:00:33.739 --> 00:00:36.130
Then there are people who rob banks with bigger goals.

00:00:36.130 --> 00:00:38.430
Like, they want to score $100,000.

00:00:38.430 --> 00:00:43.050
To do this, you might have to hold up the whole bank, not just one teller, which causes

00:00:43.050 --> 00:00:44.050
total panic.

00:00:44.050 --> 00:00:48.660
You need to jump behind the counter and empty all the tills, and maybe bring a real gun

00:00:48.660 --> 00:00:49.660
this time.

00:00:49.660 --> 00:00:51.800
It’s intense and crazy.

00:00:51.800 --> 00:00:54.040
But for some people that still isn’t enough.

00:00:54.040 --> 00:00:56.790
They have even bigger bank robbery ambitions.

00:00:56.790 --> 00:01:01.950
They want to score a million dollars and that kind of bank robbery is not easy.

00:01:01.950 --> 00:01:06.060
You have to time it just right, like just after someone makes a big deposit or maybe

00:01:06.060 --> 00:01:10.190
you plan to knock over a few of those armored bank trucks all at once.

00:01:10.190 --> 00:01:14.750
But some people have done it and it usually takes a lot more resources and skill to pull

00:01:14.750 --> 00:01:17.390
off a million-dollar bank robbery.

00:01:17.390 --> 00:01:22.060
But still, that’s not good enough for everyone.

00:01:22.060 --> 00:01:30.070
This is a story about how a group of people with some very interesting ties tried to rob

00:01:30.070 --> 00:01:33.990
a bank for one billion dollars.

00:01:33.990 --> 00:01:42.979
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:42.979 --> 00:01:47.640
I’m Jack Rhysider.

00:01:47.640 --> 00:01:51.860
This is Darknet Diaries.

00:01:51.860 --> 00:02:01.100
[INTRO MUSIC ENDS]

00:02:01.100 --> 00:02:07.360
JACK: This is a big story and to help tell it, I brought in Geoff White.

00:02:07.360 --> 00:02:08.750
GEOFF: I’m Geoff White.

00:02:08.750 --> 00:02:14.030
I’m an investigative journalist and I cover technology for, among others, BBC News, Channel

00:02:14.030 --> 00:02:17.340
4 News, and my own podcast Cybercrime Investigations.

00:02:17.340 --> 00:02:23.050
JACK: [MUSIC] Geoff has had his head in this case for over a year trying to unravel, understand,

00:02:23.050 --> 00:02:24.580
and crack this case.

00:02:24.580 --> 00:02:29.450
He knows more about this case than anyone else I could find, so let’s get into it.

00:02:29.450 --> 00:02:32.720
A billion-dollar bank robbery; that’s the goal here.

00:02:32.720 --> 00:02:36.500
But that’s like, impossible.

00:02:36.500 --> 00:02:39.700
Who would have a billion dollars lying around for someone to grab?

00:02:39.700 --> 00:02:42.320
A billion is a lot of money.

00:02:42.320 --> 00:02:46.360
Your average consumer bank like your local Chase or Wells Fargo bank branch is not gonna

00:02:46.360 --> 00:02:51.230
have this much money anywhere, probably not even in their bank headquarters, so your typical

00:02:51.230 --> 00:02:53.150
bank is out.

00:02:53.150 --> 00:02:58.540
We have to aim higher, possibly like a Federal Reserve Bank or something, some bigger place

00:02:58.540 --> 00:03:00.260
that has a lot of money.

00:03:00.260 --> 00:03:05.769
The robbers knew that national banks would have a large amount of money like this, like

00:03:05.769 --> 00:03:11.040
a country’s reserve bank, so they started looking around for what national banks might

00:03:11.040 --> 00:03:12.540
be a good target.

00:03:12.540 --> 00:03:16.220
They chose the Bangladesh Bank.

00:03:16.220 --> 00:03:20.640
This was an interesting target to choose as far as central banks go.

00:03:20.640 --> 00:03:25.099
Bangladesh has a growing economy and is starting to really flourish, but it’s still a developing

00:03:25.099 --> 00:03:29.960
nation and its central bank doesn’t have the best security.

00:03:29.960 --> 00:03:35.599
I don’t know, which might make this an easier target than a more developed nation’s national

00:03:35.599 --> 00:03:39.260
bank, like the US Federal Reserve Bank.

00:03:39.260 --> 00:03:41.170
The Bangladesh Bank became the target.

00:03:41.170 --> 00:03:43.150
GEOFF: Which is the national bank of Bangladesh.

00:03:43.150 --> 00:03:45.629
It’s like the Federal Reserve Bank or the Bank of England.

00:03:45.629 --> 00:03:47.430
It’s like the country’s bank.

00:03:47.430 --> 00:03:50.790
Billions of dollars of reserve currency is sitting in there.

00:03:50.790 --> 00:03:52.880
JACK: Alright, so the target is set.

00:03:52.880 --> 00:03:55.890
Now, this group has a special weapon; they’re pretty good hackers.

00:03:55.890 --> 00:03:59.270
So, their plan isn’t to bust down the door, draw their weapons, and shout, [MUSIC] everyone

00:03:59.270 --> 00:04:01.680
on the floor, give me a billion dollars!

00:04:01.680 --> 00:04:03.650
No, that’s not an option here.

00:04:03.650 --> 00:04:08.650
Instead, the plan was to hack into the Bangladesh Bank and transfer out as much money as they

00:04:08.650 --> 00:04:10.750
could before anyone could catch them.

00:04:10.750 --> 00:04:12.730
GEOFF: It starts a full year before.

00:04:12.730 --> 00:04:18.500
I think it was January 2015, the first e-mail started popping up inside Bangladesh Bank.

00:04:18.500 --> 00:04:24.860
A few employees get the classic phishing e-mail; it’s a zip file that contains a CV for somebody

00:04:24.860 --> 00:04:26.310
who looks like a job applicant.

00:04:26.310 --> 00:04:32.280
Opens the zip file, has a look at the CV or perhaps doesn’t ever get the CV but nonetheless,

00:04:32.280 --> 00:04:33.360
they get infected.

00:04:33.360 --> 00:04:38.840
Three people opened the e-mail in Bangladesh Bank and at least one of them got infected.

00:04:38.840 --> 00:04:44.500
JACK: Okay, so the hackers, or in this case the bank robbers, infiltrate the network.

00:04:44.500 --> 00:04:49.580
Now, when they get in using a phishing e-mail like this, they only get into one person’s

00:04:49.580 --> 00:04:53.169
computer, whoever that person was who opened the e-mail, and that’s it.

00:04:53.169 --> 00:04:56.190
They just have access to that one computer.

00:04:56.190 --> 00:05:00.180
From there they have to try to hop around to other computers in the network.

00:05:00.180 --> 00:05:04.720
[00:05:00] Once they get in, they use three types of malware to set up for the next part.

00:05:04.720 --> 00:05:09.710
GEOFF: As far as I’m aware, one of them created the backdoor into Bangladesh Bank.

00:05:09.710 --> 00:05:13.960
Another of them created the encrypted channel so that you could pull stuff out of that backdoor

00:05:13.960 --> 00:05:18.210
without being spotted, and the third piece of software was used to scan and navigate

00:05:18.210 --> 00:05:19.210
across the network.

00:05:19.210 --> 00:05:23.880
JACK: [MUSIC] They spent some time mapping out the network of the Bangladesh Bank, moving

00:05:23.880 --> 00:05:28.160
around, establishing persistence, and learning about how to transfer money around.

00:05:28.160 --> 00:05:32.319
GEOFF: One of the first things they do is they work out where Bangladesh Bank’s got

00:05:32.319 --> 00:05:33.319
its money.

00:05:33.319 --> 00:05:37.170
It’s not all sitting in Dhaka, the capital of Bangladesh, the money that – the Bangladesh

00:05:37.170 --> 00:05:42.570
Bank has a foreign currency reserve account in New York at the New York Fed, so, there’s

00:05:42.570 --> 00:05:43.810
a billion dollars sitting there.

00:05:43.810 --> 00:05:45.860
The criminals are like, okay, there’s a billion dollars.

00:05:45.860 --> 00:05:48.470
That would be good if we can get that.

00:05:48.470 --> 00:05:51.810
In order to transfer money, banks have this system called SWIFT.

00:05:51.810 --> 00:05:54.610
SWIFT is the international bank transfer system.

00:05:54.610 --> 00:05:58.710
There’s an international bank version of that which transfers millions, billions of

00:05:58.710 --> 00:05:59.720
dollars around the world.

00:05:59.720 --> 00:06:04.479
JACK: SWIFT is a banking network used to send payment orders between banks.

00:06:04.479 --> 00:06:09.670
There are over 11,000 members, financial institutions in over two hundred countries around the world

00:06:09.670 --> 00:06:12.680
who use SWIFT to send payment orders to each other.

00:06:12.680 --> 00:06:13.680
Anyway…

00:06:13.680 --> 00:06:17.510
GEOFF: The thieves realize okay, to transfer that billion dollars out of the New York Fed,

00:06:17.510 --> 00:06:24.300
we’re gonna have to get to the SWIFT software and do a series of transfers using SWIFT.

00:06:24.300 --> 00:06:25.300
That’s exactly what they’re doing.

00:06:25.300 --> 00:06:29.440
When they get into Bangladesh Bank, they’re trying to navigate their way around the network

00:06:29.440 --> 00:06:34.840
and find the computer that’s got SWIFT on it so that they can then manipulate that computer

00:06:34.840 --> 00:06:39.509
and transfer the money out of New York and out of the New York account of Bangladesh

00:06:39.509 --> 00:06:40.509
Bank.

00:06:40.509 --> 00:06:43.030
JACK: The thing about SWIFT is that it’s pretty secure.

00:06:43.030 --> 00:06:44.030
It is secure.

00:06:44.030 --> 00:06:48.389
It has to be because it’s handling these very sensitive financial communications.

00:06:48.389 --> 00:06:54.780
It’s practically impossible to hack but as with all computers, there is a weakness

00:06:54.780 --> 00:06:58.319
and one of the biggest weaknesses is human error.

00:06:58.319 --> 00:07:02.310
Hackers rooted around the Bangladesh Bank network looking for the right computer that

00:07:02.310 --> 00:07:04.370
can authorize bank transfers.

00:07:04.370 --> 00:07:10.190
Of course, they find it; the computer authorized to make SWIFT transfers.

00:07:10.190 --> 00:07:11.710
Bingo.

00:07:11.710 --> 00:07:16.970
Instead of trying to hack into the SWIFT system, they got to the human users of the computer

00:07:16.970 --> 00:07:19.420
terminals that ran SWIFT.

00:07:19.420 --> 00:07:23.449
They watched how the users interacted with it and they learned how to impersonate those

00:07:23.449 --> 00:07:29.060
human users, and then trick the SWIFT network into thinking that they were authorized users

00:07:29.060 --> 00:07:32.349
making real transaction requests.

00:07:32.349 --> 00:07:34.000
But first, the SWIFT terminal.

00:07:34.000 --> 00:07:37.389
GEOFF: I don’t know about you; if I was confronted with the SWIFT terminal, I would

00:07:37.389 --> 00:07:39.270
have no idea where to start.

00:07:39.270 --> 00:07:41.390
I’d probably make some mistakes.

00:07:41.390 --> 00:07:46.860
It did not take these guys very long at all to make the transfers to transfer out the

00:07:46.860 --> 00:07:47.860
money.

00:07:47.860 --> 00:07:52.080
JACK: Hm, this makes me think that these hackers are probably already familiar with the SWIFT

00:07:52.080 --> 00:07:53.080
bank system.

00:07:53.080 --> 00:07:58.139
Perhaps this was someone who had done work for SWIFT before or someone who hacked into

00:07:58.139 --> 00:08:00.690
a bank and did some SWIFT transfers already.

00:08:00.690 --> 00:08:04.919
Since they knew how to use it right away without having to sit and watch how a typical bank

00:08:04.919 --> 00:08:07.889
operator does it, it’s very interesting.

00:08:07.889 --> 00:08:13.210
They got that piece sorted, but now they needed to figure out how to hide their tracks to

00:08:13.210 --> 00:08:14.430
blend in.

00:08:14.430 --> 00:08:18.770
To do this, they obtained bank transfer records and used them to learn what a typical large

00:08:18.770 --> 00:08:19.770
transfer would look like.

00:08:19.770 --> 00:08:23.110
[MUSIC] They studied the bank’s high-dollar value transfers.

00:08:23.110 --> 00:08:24.870
What kind of transactions were they?

00:08:24.870 --> 00:08:26.840
When were they made and to whom?

00:08:26.840 --> 00:08:29.240
They used these insights to plan their theft.

00:08:29.240 --> 00:08:33.959
They would use transactions that looked like the bank’s typical large transactions to

00:08:33.959 --> 00:08:37.450
steal their billion dollars without raising suspicions.

00:08:37.450 --> 00:08:39.210
GEOFF: There are transactions they lined up.

00:08:39.210 --> 00:08:43.120
Not only did they know how to run SWIFT, but they knew what to type into SWIFT to make

00:08:43.120 --> 00:08:44.600
the transfers look legit.

00:08:44.600 --> 00:08:46.839
They had all this almost in advance.

00:08:46.839 --> 00:08:49.190
It was almost like how they knew how SWIFT ran.

00:08:49.190 --> 00:08:54.290
JACK: With the right keystrokes on this computer, they can move that one billion dollars to

00:08:54.290 --> 00:08:58.030
another bank account, an account owned by the hackers.

00:08:58.030 --> 00:09:04.000
But hold up, even if they now had access and a plan for making their transfer blend in,

00:09:04.000 --> 00:09:08.470
making one giant transfer to themselves still might not be the best idea.

00:09:08.470 --> 00:09:11.610
Using this strategy might have raised a flag somewhere in the system.

00:09:11.610 --> 00:09:16.320
A big transfer like that might require additional authorization or something.

00:09:16.320 --> 00:09:17.820
Why put all your eggs in one basket?

00:09:17.820 --> 00:09:22.050
If that one-billion-dollar transfer fails, then everything fails.

00:09:22.050 --> 00:09:26.130
The hackers decided to break up the theft into many smaller transfers.

00:09:26.130 --> 00:09:28.530
GEOFF: This is a classic money laundering technique.

00:09:28.530 --> 00:09:34.990
JACK: In May 2015, five bank accounts were opened in the RCBC Bank on Jupiter Street

00:09:34.990 --> 00:09:37.210
in Manila, the capital of the Philippines.

00:09:37.210 --> 00:09:41.740
Each of these accounts was opened with an initial five-hundred-dollar deposit.

00:09:41.740 --> 00:09:48.730
These accounts sat untouched for nearly a year until the weekend of February 5th, 2016.

00:09:48.730 --> 00:09:51.600
By that point, the bank robbers had everything set up.

00:09:51.600 --> 00:09:56.050
They launched a successful spear phishing operation on Bangladesh Bank employees which

00:09:56.050 --> 00:09:59.510
allowed them to get access to the bank’s computer network [00:10:00] and the SWIFT

00:09:59.510 --> 00:10:00.510
terminals.

00:10:00.510 --> 00:10:04.540
They figured out how to impersonate Bangladesh Bank’s credentials on SWIFT.

00:10:04.540 --> 00:10:10.160
Now, they have bank accounts set up around the world waiting to receive the stolen money.

00:10:10.160 --> 00:10:12.610
We know about those five accounts in the Philippines and…

00:10:12.610 --> 00:10:16.200
GEOFF: At least one account set up in Sri Lanka.

00:10:16.200 --> 00:10:18.650
I don’t know where the other accounts are.

00:10:18.650 --> 00:10:21.420
Despite efforts, I have not managed to find out.

00:10:21.420 --> 00:10:23.519
But this was a worldwide operation.

00:10:23.519 --> 00:10:26.110
JACK: Now, they’re ready to roll.

00:10:26.110 --> 00:10:32.279
On February 3rd, 2016, the hackers entered the Bangladesh Bank network one more time.

00:10:32.279 --> 00:10:33.279
It was a Thursday.

00:10:33.279 --> 00:10:37.339
They waited for the bank to close that night and as soon as it did, they made the keystrokes

00:10:37.339 --> 00:10:39.589
needed to get into the SWIFT terminal.

00:10:39.589 --> 00:10:44.750
See, the Bangladesh Bank actually has a lot of money in the US Federal Reserve Bank, so

00:10:44.750 --> 00:10:48.959
they accessed the Bangladesh Bank account in the New York Federal Reserve Bank and started

00:10:48.959 --> 00:10:54.730
making transfers to thirty-six of the hackers’ bank accounts all over the world.

00:10:54.730 --> 00:11:00.200
The thirty-six transactions totaled 951 million dollars.

00:11:00.200 --> 00:11:05.920
Now, the timing of this transaction was perfect; a Thursday night in Bangladesh.

00:11:05.920 --> 00:11:10.500
GEOFF: In classic heist movie tradition, you try and pick out a weekend to do your bank

00:11:10.500 --> 00:11:11.500
break-in.

00:11:11.500 --> 00:11:16.839
What you’re ideally looking for is a long weekend, a bank holiday weekend, public holiday

00:11:16.839 --> 00:11:18.360
weekend, which would give you three days.

00:11:18.360 --> 00:11:23.490
JACK: In an already really well thought-out, elaborate plan, the timing was a stroke of

00:11:23.490 --> 00:11:28.589
genius because it meant that not only are the hackers dealing with a long weekend, but

00:11:28.589 --> 00:11:30.440
they’re also taking advantage of…

00:11:30.440 --> 00:11:33.190
GEOFF: Three time zones, here; you’ve got Bangladesh Bank which is the bank that’s

00:11:33.190 --> 00:11:36.240
been hacked into where the money’s gonna be transferred from, you’ve got where the

00:11:36.240 --> 00:11:39.700
actual money is which is New York, which is obviously a different time zone, and you’ve

00:11:39.700 --> 00:11:43.140
got where the money is going which is the Philippines which is yet another time zone.

00:11:43.140 --> 00:11:45.930
What they did was play these three time zones to their advantage.

00:11:45.930 --> 00:11:49.510
JACK: Now, besides the time zones being to their advantage, in Bangladesh, the weekend

00:11:49.510 --> 00:11:51.620
starts Thursday night.

00:11:51.620 --> 00:11:55.690
Because this was Thursday night, nobody was gonna be in on the weekend to see anything

00:11:55.690 --> 00:11:57.090
suspicious happening.

00:11:57.090 --> 00:12:01.440
However, it’s not the weekend in New York; it’s Friday in New York which means the

00:12:01.440 --> 00:12:03.350
funds can be transferred properly there.

00:12:03.350 --> 00:12:06.070
GEOFF: By that time, a lot of the bank workers would have gone home.

00:12:06.070 --> 00:12:08.769
They know they’ve got a good, long weekend – a weekend, two days, to work with.

00:12:08.769 --> 00:12:13.970
But of course, it’s 9:36 a.m. in New York where the actual money is.

00:12:13.970 --> 00:12:18.250
When they start issuing the commands to transfer out the money, in New York, they’ve got

00:12:18.250 --> 00:12:22.329
an entire day of New York working on it knowing that the people in Bangladesh who might be

00:12:22.329 --> 00:12:25.320
keeping an eye on it, most of them aren’t to work over the weekend.

00:12:25.320 --> 00:12:28.829
JACK: There’s another detail of timing that also helped them out.

00:12:28.829 --> 00:12:31.640
The attack started on Thursday, February 4th.

00:12:31.640 --> 00:12:36.160
On that following Monday, February 8th, was the Chinese New Year which is a bank holiday

00:12:36.160 --> 00:12:41.250
in the Philippines which is where those RCBC bank accounts were sitting.

00:12:41.250 --> 00:12:46.520
GEOFF: You’ve got all of Thursday, Friday, Saturday, Sunday, and Monday with these three

00:12:46.520 --> 00:12:48.500
time zones working to your advantage.

00:12:48.500 --> 00:12:52.680
JACK: On Friday morning in New York, the Federal Reserve receives all these SWIFT transaction

00:12:52.680 --> 00:12:56.170
requests that look like they’re coming from the Bangladesh Bank.

00:12:56.170 --> 00:12:59.890
The New York Federal Reserve Bank proceeds to process the transactions.

00:12:59.890 --> 00:13:05.769
[MUSIC] Money starts being sent to the hackers’ bank accounts one by one.

00:13:05.769 --> 00:13:08.740
Millions here, millions there.

00:13:08.740 --> 00:13:12.389
One of the transactions is for twenty million dollars to one of the hackers’ bank accounts

00:13:12.389 --> 00:13:13.410
in Sri Lanka.

00:13:13.410 --> 00:13:16.279
GEOFF: Twenty million dollars was gonna go to Sri Lanka which is a huge amount of money

00:13:16.279 --> 00:13:18.140
for the charity concern that it was going to.

00:13:18.140 --> 00:13:22.410
JACK: The New York Federal Reserve approves the request and the twenty million dollars

00:13:22.410 --> 00:13:26.990
starts making its way to the intermediary bank which happens to be in Germany.

00:13:26.990 --> 00:13:31.339
But it gets stopped there because of a pretty basic human error.

00:13:31.339 --> 00:13:35.720
The money was being sent to the Shalika Foundation, but the transfer request spelled

00:13:35.720 --> 00:13:37.580
it as Shalika Fundation.

00:13:37.580 --> 00:13:40.860
It was missing an ‘o’.

00:13:40.860 --> 00:13:44.370
When a human looked at this transfer, it rang some alarm bells.

00:13:44.370 --> 00:13:48.850
GEOFF: The bank in Sri Lanka flagged it back to a bank in Germany that had done the transfer.

00:13:48.850 --> 00:13:52.389
They in turn transferred it back to New York and said, we think something’s wrong with

00:13:52.389 --> 00:13:53.389
this.

00:13:53.389 --> 00:13:56.940
New York, you can imagine, had some pretty hairy moments looking at these transactions

00:13:56.940 --> 00:13:59.310
and going oh shit, something’s wrong here.

00:13:59.310 --> 00:14:02.899
JACK: This raises the alarm and the New York Federal Reserve is now scrambling to try to

00:14:02.899 --> 00:14:04.360
figure out what’s going on.

00:14:04.360 --> 00:14:09.500
They tried calling the Bangladesh Bank on a Friday, but Friday is the weekend in Bangladesh

00:14:09.500 --> 00:14:11.600
so they were unable to get through.

00:14:11.600 --> 00:14:14.340
By this point, the first part of the hack was done; they hacked into the Bangladesh

00:14:14.340 --> 00:14:17.440
Bank, sent the money to the New York Federal Reserve, and then told the New York Federal

00:14:17.440 --> 00:14:19.410
Reserve to send it to thirty-six accounts.

00:14:19.410 --> 00:14:24.850
By Friday at 3:59 a.m. local time in the Philippines, the hackers logged out of the Bangladesh Bank

00:14:24.850 --> 00:14:25.850
SWIFT network.

00:14:25.850 --> 00:14:30.000
The malware that they had installed on the machines began deleting evidence of their

00:14:30.000 --> 00:14:31.000
crime.

00:14:31.000 --> 00:14:34.970
But hold up, you’d think that the bank’s security systems would have some kind of failsafe

00:14:34.970 --> 00:14:37.500
to protect against this kind of robbery, right?

00:14:37.500 --> 00:14:41.509
GEOFF: There’s a printer, an HP LaserJet printer, in the corner of the office in Bangladesh

00:14:41.509 --> 00:14:47.200
Bank and its job is partly to print out records of SWIFT transactions when they’re made.

00:14:47.200 --> 00:14:51.699
JACK: Every day, including on Bangladeshi weekends, that printer is automatically printing

00:14:51.699 --> 00:14:54.110
out all the transactions that are coming in.

00:14:54.110 --> 00:14:57.440
Normally, that’s not that many, maybe a dozen.

00:14:57.440 --> 00:14:59.910
The paper printouts [00:15:00] are one safeguard.

00:14:59.910 --> 00:15:03.880
Another safeguard is that there are employees who are on duty and it’s their job to scrutinize

00:15:03.880 --> 00:15:06.079
the transactions on these records.

00:15:06.079 --> 00:15:10.420
On the Friday of the hack, that employee was named Zubair and he was the director of the

00:15:10.420 --> 00:15:11.420
bank.

00:15:11.420 --> 00:15:12.880
But the hackers had a plan for this, too.

00:15:12.880 --> 00:15:16.649
GEOFF: Now, the hackers, one of the smart things they did when they did their heist,

00:15:16.649 --> 00:15:20.590
was to realize that if the printer kept going, it would immediately expose what they’d

00:15:20.590 --> 00:15:21.590
done.

00:15:21.590 --> 00:15:25.110
JACK: To deal with this failsafe, the thieves hacked the printer to make it print blank

00:15:25.110 --> 00:15:27.959
pages of transaction records.

00:15:27.959 --> 00:15:32.540
Then they installed malware on the computers running the printer that would delete evidence

00:15:32.540 --> 00:15:34.060
of the messages.

00:15:34.060 --> 00:15:39.570
Zubair was in the office on Friday, but the printer was just printing out blank pages.

00:15:39.570 --> 00:15:43.910
He assumed it was just some technical glitch and he could deal with it on Saturday.

00:15:43.910 --> 00:15:47.490
But then on Saturday, there was an even bigger problem.

00:15:47.490 --> 00:15:52.810
When the Bangladesh Bank employees tried to log into the SWIFT terminal, they were seeing

00:15:52.810 --> 00:15:55.570
errors and couldn’t log in.

00:15:55.570 --> 00:15:59.529
When they finally were able to log into the system, they saw three messages from the New

00:15:59.529 --> 00:16:03.270
York Federal Reserve asking about the large quantity of payment instructions that they

00:16:03.270 --> 00:16:09.139
had received over the Bangladeshi weekend which altogether totaled almost one billion

00:16:09.139 --> 00:16:10.810
dollars.

00:16:10.810 --> 00:16:14.209
At this point, on Saturday, Zubair was pretty panicked.

00:16:14.209 --> 00:16:18.889
He tried to call the New York Federal Reserve Bank but of course, it’s now Saturday where

00:16:18.889 --> 00:16:20.940
the banks are closed in the US.

00:16:20.940 --> 00:16:25.270
He starts e-mailing and faxing in requests to the Federal Reserve to stop all transactions

00:16:25.270 --> 00:16:26.470
and payments for this.

00:16:26.470 --> 00:16:30.790
At some point, the Bangladesh Bank employees also shut down their server in an attempt

00:16:30.790 --> 00:16:33.819
to stop even more fraudulent transactions from executing.

00:16:33.819 --> 00:16:35.560
GEOFF: They then start making a series of appeals.

00:16:35.560 --> 00:16:40.430
They’re obviously contacting the New York Federal Reserve to try and get the money back.

00:16:40.430 --> 00:16:43.360
I never realized this about the international banking system, but there’s a lot of intermediaries.

00:16:43.360 --> 00:16:46.250
It’s not just from the New York Fed that the money goes straight to the Philippines

00:16:46.250 --> 00:16:47.269
or straight to Sri Lanka.

00:16:47.269 --> 00:16:49.529
It goes to a number of intermediary banks.

00:16:49.529 --> 00:16:53.980
To get the kind of sense of panic, one bank contacting another and saying well, hang on,

00:16:53.980 --> 00:16:54.980
what’s happened here?

00:16:54.980 --> 00:16:56.209
Who transferred the money to you?

00:16:56.209 --> 00:16:57.320
Where’s the money gone now?

00:16:57.320 --> 00:17:02.730
You’ve got multiple different banks to go through.

00:17:02.730 --> 00:17:11.209
JACK: While thirty-six transactions were attempted, which totaled almost a billion dollars, only

00:17:11.209 --> 00:17:13.760
four transactions actually went through.

00:17:13.760 --> 00:17:18.751
The bank robbers successfully transferred 81 million dollars to their five RCBC bank

00:17:18.751 --> 00:17:24.770
accounts in the Philippines which they had set up nearly a year before using fake IDs.

00:17:24.770 --> 00:17:28.120
One reason the money made it to their accounts in the Philippines was that the transfers

00:17:28.120 --> 00:17:32.590
occurred during the Chinese New Year, so [MUSIC] RCBC Bank was closed when the Bangladesh Bank

00:17:32.590 --> 00:17:34.740
tried to call up and stop the transfer.

00:17:34.740 --> 00:17:37.070
But that’s not the only reason.

00:17:37.070 --> 00:17:42.870
There’s some allegations that there might have been an insider at the RCBC Bank, too.

00:17:42.870 --> 00:17:44.679
The timeline is pretty suspicious.

00:17:44.679 --> 00:17:49.679
On February 9th, RCBC logs into the SWIFT system and sees the stop payment messages

00:17:49.679 --> 00:17:52.570
that Bangladesh Bank has now sent them.

00:17:52.570 --> 00:17:57.720
Yet even after seeing those stop payments, that same day the hackers were able to completely

00:17:57.720 --> 00:18:00.870
empty their bank accounts, huge sums of money.

00:18:00.870 --> 00:18:01.870
Once they’re withdrawn…

00:18:01.870 --> 00:18:03.510
GEOFF: That money was programmed to disappear.

00:18:03.510 --> 00:18:07.990
There was a whole system in place to take that money and speed it through the system

00:18:07.990 --> 00:18:10.740
so that no one could ever find it again.

00:18:10.740 --> 00:18:15.850
JACK: A large percentage of the 81 million dollars went to a single person.

00:18:15.850 --> 00:18:20.280
GEOFF: From the investigation in the Philippines, that thirty million was given to a bloke,

00:18:20.280 --> 00:18:24.159
a Chinese national, who just disappeared with it and he’s never been heard of again.

00:18:24.159 --> 00:18:28.890
JACK: Perhaps this Chinese man was in on it somehow, a middle man or something, and he

00:18:28.890 --> 00:18:31.210
required a cut of the money to do his job.

00:18:31.210 --> 00:18:34.770
But yeah, we don’t know what happened to him or his money.

00:18:34.770 --> 00:18:35.770
He just vanished.

00:18:35.770 --> 00:18:40.690
[MUSIC] But that’s still fifty million dollars for the rest.

00:18:40.690 --> 00:18:44.440
The next part of the plan was for the hackers to make it so that this money couldn’t be

00:18:44.440 --> 00:18:46.530
traced back to the bank heist.

00:18:46.530 --> 00:18:49.700
They needed to come up with a plan to launder fifty million dollars.

00:18:49.700 --> 00:18:52.929
To do that, they sent it directly to a casino.

00:18:52.929 --> 00:18:55.760
GEOFF: One’s called the Midas Casino and one’s called the Solaire Casino.

00:18:55.760 --> 00:18:59.100
I think it was thirty million in the Solaire and twenty million in the Midas.

00:18:59.100 --> 00:19:03.280
JACK: Now, it’s not clear how the money got to the casino but from what I understand,

00:19:03.280 --> 00:19:06.860
when high-rollers come into town, they don’t stroll in through the front door with like,

00:19:06.860 --> 00:19:08.650
a million dollars in a briefcase.

00:19:08.650 --> 00:19:13.230
No, they link up their bank account to the casino’s bank account and initiate transfers

00:19:13.230 --> 00:19:14.660
to the casino that way.

00:19:14.660 --> 00:19:18.850
My guess is that on Friday, the funds were transferred into these bank accounts in the

00:19:18.850 --> 00:19:21.799
Philippines and then on Monday, those funds were cleared.

00:19:21.799 --> 00:19:25.700
However, Monday was Chinese New Year, so those banks were closed.

00:19:25.700 --> 00:19:30.510
But my theory was that the hackers had prearranged with the casino to make these huge transfers

00:19:30.510 --> 00:19:32.120
on Monday.

00:19:32.120 --> 00:19:38.100
They were done online or through the casino somehow without having to go into the bank.

00:19:38.100 --> 00:19:42.010
But now that the money was in the casino, they couldn’t just grab their money and

00:19:42.010 --> 00:19:43.010
go.

00:19:43.010 --> 00:19:45.740
They needed to gamble for a while to not look suspicious.

00:19:45.740 --> 00:19:49.400
GEOFF: The way it might work for you and me is we’d go and we’d say okay, I want to

00:19:49.400 --> 00:19:50.760
bet a million dollars this weekend.

00:19:50.760 --> 00:19:55.330
The casino would say okay, pay your million dollars into our account, numbered X.

00:19:55.330 --> 00:19:58.730
That way when you go, there’s a record of that transaction.

00:19:58.730 --> 00:20:02.080
You turn up at the casino and say hey, I’ve got a million dollars in your bank account.

00:20:02.080 --> 00:20:03.700
I’d like to bet [00:20:00] my money now.

00:20:03.700 --> 00:20:07.980
JACK: A few Chinese men who were working with these hackers took the money from the heist,

00:20:07.980 --> 00:20:10.750
went into the casino, and requested a junket.

00:20:10.750 --> 00:20:16.020
A junket is a private room for high-rollers who can gamble without being bothered.

00:20:16.020 --> 00:20:20.070
Basically, you tell the casino I want a room for a certain number of gamblers and we’re

00:20:20.070 --> 00:20:22.490
going to spend ten million dollars here.

00:20:22.490 --> 00:20:24.850
GEOFF: What’s most important about this, certainly from a money laundering point of

00:20:24.850 --> 00:20:30.080
view, is the chips that are issued, the casino chips that are issued, only work in that room.

00:20:30.080 --> 00:20:32.220
They’re like, branded casino chips.

00:20:32.220 --> 00:20:34.710
They only work in that room.

00:20:34.710 --> 00:20:39.490
What that means is if you’re a money launderer and you’ve paid your fifty million to these

00:20:39.490 --> 00:20:44.110
casinos, you hire out a room, you’ve got your guys in there to gamble.

00:20:44.110 --> 00:20:48.640
You know that those chips are only gonna be spent and gambled in that room so you’ve

00:20:48.640 --> 00:20:50.350
got a controllable situation.

00:20:50.350 --> 00:20:53.310
These guys can’t wander off somewhere with your chips and spend them elsewhere.

00:20:53.310 --> 00:20:54.820
They’ve got to spend them in that room.

00:20:54.820 --> 00:20:57.260
You can keep an eye on what they’re spending.

00:20:57.260 --> 00:21:00.770
JACK: The other important detail about these junket rooms is that they were playing Baccarat.

00:21:00.770 --> 00:21:05.720
GEOFF: Baccarat is interesting because there’s only two things to bet on in Baccarat.

00:21:05.720 --> 00:21:08.221
You bet on the bank or you bet on the player.

00:21:08.221 --> 00:21:11.420
JACK: They say that if you keep playing Baccarat over a long period of time, the odds are pretty

00:21:11.420 --> 00:21:14.940
good that you’ll get about ninety percent of your money back.

00:21:14.940 --> 00:21:18.530
The casino will end up with ten percent of your money after you play for a long period

00:21:18.530 --> 00:21:23.190
of time which is sort of a safe way to gamble without losing too much.

00:21:23.190 --> 00:21:27.730
This will allow the hackers to gamble without causing suspicion, like they’re just cashing

00:21:27.730 --> 00:21:29.540
out and laundering money.

00:21:29.540 --> 00:21:34.590
The hackers sat there in a private junket in the two casinos in the Philippines, gambling

00:21:34.590 --> 00:21:40.559
their loot that they just stole, just trying to buy enough time to cash out without raising

00:21:40.559 --> 00:21:42.130
suspicion.

00:21:42.130 --> 00:21:45.289
Because at this point, everyone involved, the Bangladesh Bank, the New York Federal

00:21:45.289 --> 00:21:50.730
Reserve, the RCBC, and the law enforcement agencies, they know that $81 million has been

00:21:50.730 --> 00:21:51.730
stolen.

00:21:51.730 --> 00:21:56.020
The authorities were able to follow the money to the casino which raises a question.

00:21:56.020 --> 00:22:01.520
If we know all this money passed through two casinos to be laundered, are the casinos responsible

00:22:01.520 --> 00:22:02.630
at all?

00:22:02.630 --> 00:22:07.530
Well, as it turns out, just days after the bank heist, Bangladesh Bank asked the Philippines

00:22:07.530 --> 00:22:08.570
authorities for help.

00:22:08.570 --> 00:22:12.630
The authorities shut down those fake bank accounts and they knew where the men went

00:22:12.630 --> 00:22:13.860
with the money.

00:22:13.860 --> 00:22:18.160
They knew what casinos they were in, but the country’s law enforcement let them play

00:22:18.160 --> 00:22:20.039
without making any arrests.

00:22:20.039 --> 00:22:23.350
The casinos, for their part, had some plausible deniability.

00:22:23.350 --> 00:22:27.870
GEOFF: To us, this just sounds crazy; a bunch of Chinese guys turn up and bet ten million,

00:22:27.870 --> 00:22:28.910
tens of millions of dollars.

00:22:28.910 --> 00:22:32.880
But if you’re a casino in the Philippines, that happens a lot.

00:22:32.880 --> 00:22:36.190
It isn’t unfeasible that the casino could have looked at this and thought well hey,

00:22:36.190 --> 00:22:38.220
here’s some high-rollers in town, big spenders.

00:22:38.220 --> 00:22:42.690
JACK: It’s worth pointing out that in the Philippines at that time, casinos didn’t

00:22:42.690 --> 00:22:44.940
have good money laundering regulations.

00:22:44.940 --> 00:22:49.410
So, it’s possible that’s why these casinos were targeted for this.

00:22:49.410 --> 00:22:53.169
The robbers finished their gambling which was actually money laundering, quietly cashed

00:22:53.169 --> 00:22:58.940
out their chips, walked out of the casino, and promptly left the country, flying to China.

00:22:58.940 --> 00:23:05.990
In total, the hackers were able to successfully steal 81 million dollars from the Bangladesh

00:23:05.990 --> 00:23:07.080
Bank.

00:23:07.080 --> 00:23:10.799
So, who exactly were these hackers?

00:23:10.799 --> 00:23:14.880
Well, it turns out it was the North Korean government.

00:23:14.880 --> 00:23:19.549
GEOFF: [MUSIC] North Korea starts getting into computer hacking, from what the experts

00:23:19.549 --> 00:23:20.549
are saying, about 2009.

00:23:20.549 --> 00:23:24.130
There’s the creation of a thing called the Reconnaissance General Bureau which pulls

00:23:24.130 --> 00:23:27.520
together a lot of their hacking people into one unit.

00:23:27.520 --> 00:23:31.970
JACK: Security researchers dubbed this North Korean hacking group the Lazarus Group which

00:23:31.970 --> 00:23:37.090
also is known as the Reconnaissance General Bureau or APT38.

00:23:37.090 --> 00:23:40.960
Researchers found traces of Lazarus Group on other attacks, too.

00:23:40.960 --> 00:23:46.640
It’s really interesting to see a nation state getting into the game of bank robberies

00:23:46.640 --> 00:23:49.190
because nation state hackers don’t rob banks.

00:23:49.190 --> 00:23:51.669
They never hack for financial gains.

00:23:51.669 --> 00:23:56.299
I seriously can’t find any other story of a nation state hack where their goal was to

00:23:56.299 --> 00:23:57.700
steal money.

00:23:57.700 --> 00:24:03.429
North Korea seems to be the only one hacking for financial gains which is so weird.

00:24:03.429 --> 00:24:08.290
But according to Geoff, this actually kind of makes sense from a geopolitical standpoint.

00:24:08.290 --> 00:24:15.370
GEOFF: 2013, the sanctions have passed restricting North Korea from bulk transfers of money which

00:24:15.370 --> 00:24:21.659
is a response to North Korea launching missile tests that the world does not want it to do.

00:24:21.659 --> 00:24:23.340
That’s 2013.

00:24:23.340 --> 00:24:25.990
It stopped from getting access to international money.

00:24:25.990 --> 00:24:30.120
Two years later, 2015, they start hacking into Bangladesh Bank, according to the FBI.

00:24:30.120 --> 00:24:33.880
You can see a progression where it’s like oh, uh-uh, we can’t get any money.

00:24:33.880 --> 00:24:34.880
How are we going to do that?

00:24:34.880 --> 00:24:36.299
Oh, well, let’s just try and hack our way around that.

00:24:36.299 --> 00:24:39.309
JACK: That’s where Lazarus Group and these bank robberies come in.

00:24:39.309 --> 00:24:41.930
It wasn’t just Bangladesh Bank that they targeted.

00:24:41.930 --> 00:24:47.420
Lazarus Group has been tied to almost all of the world’s SWIFT attacks to date.

00:24:47.420 --> 00:24:53.049
Banks in Ecuador, Vietnam, Poland, India, Taiwan, and Russia have all been hacked and

00:24:53.049 --> 00:24:57.440
had attempted bank robberies which can be attributed to hackers within the North Korean

00:24:57.440 --> 00:25:00.290
government being the main culprits.

00:25:00.290 --> 00:25:06.510
They’ve been hitting bank after bank, [00:25:00] attempting to steal millions of dollars.

00:25:06.510 --> 00:25:13.740
All in, Geoff estimates that the Lazarus Group has tried to steal roughly 1.2 billion dollars

00:25:13.740 --> 00:25:18.210
but has only ended up with $122 million.

00:25:18.210 --> 00:25:23.409
Some say that this 81-million-dollar bank heist from the Bangladesh Bank was the largest

00:25:23.409 --> 00:25:24.770
bank robbery in history.

00:25:24.770 --> 00:25:28.919
GEOFF: If it is North Korea, that’s 1.2 billion dollars going to a country that’s

00:25:28.919 --> 00:25:30.860
under international financial sanctions.

00:25:30.860 --> 00:25:36.710
From the ones I’ve added up, they’ve tried to get $1.2 billion.

00:25:36.710 --> 00:25:38.549
What they ended up with was $122 million.

00:25:38.549 --> 00:25:43.190
So, roughly a tenth of what they tried to get is what they actually managed to pull

00:25:43.190 --> 00:25:44.190
out.

00:25:44.190 --> 00:25:49.750
JACK: If Lazarus Group has stolen $122 million, that would be a significant portion of North

00:25:49.750 --> 00:25:50.750
Korea’s GDP.

00:25:50.750 --> 00:25:55.320
Since it’s been so successful, I see no reason why they can’t continue to do this

00:25:55.320 --> 00:25:57.360
for years into the future.

00:25:57.360 --> 00:26:02.130
Typically, what we’ve seen is the money is taken to Macao, in China, which is where

00:26:02.130 --> 00:26:05.149
the money went after they cashed out on this casino.

00:26:05.149 --> 00:26:09.899
From Macao, it can then be wired directly into North Korea because North Korea does

00:26:09.899 --> 00:26:14.630
business with companies in China and so, this transaction could easily be hidden.

00:26:14.630 --> 00:26:18.140
Yeah, 122 million dollars stolen?

00:26:18.140 --> 00:26:20.690
This looks like North Korea got away with it.

00:26:20.690 --> 00:26:22.690
But don’t just take my word for it.

00:26:22.690 --> 00:26:26.240
The US Department of Justice investigated this a lot.

00:26:26.240 --> 00:26:30.401
The FBI wanted to know more and spent two years tracking down who hacked the Bangladesh

00:26:30.401 --> 00:26:32.500
Bank and came to a conclusion.

00:26:32.500 --> 00:26:37.700
In late 2018, the US Department of Justice gave this announcement.

00:26:37.700 --> 00:26:43.750
DOJ: We have unsealed criminal charges against a North Korean computer programmer for participating

00:26:43.750 --> 00:26:49.980
in a conspiracy that conducted sophisticated cyber-attacks around the world on behalf of

00:26:49.980 --> 00:26:51.320
the North Korean government.

00:26:51.320 --> 00:26:56.350
Members of the conspiracy are responsible for some of the most damaging and most well-known

00:26:56.350 --> 00:27:01.600
cyber-intrusions in history including the cyber-attack targeting Sony Pictures and the

00:27:01.600 --> 00:27:04.340
cyber-heist of Bangladesh Bank.

00:27:04.340 --> 00:27:10.960
The criminal complaint unsealed today specifically charges Park Jin Hyok but the complaint also

00:27:10.960 --> 00:27:17.880
alleges a wide-ranging conspiracy and describes in minute detail how we were able to link

00:27:17.880 --> 00:27:21.649
the North Korean government to these crimes.

00:27:21.649 --> 00:27:26.700
Despite their attempts to cover their tracks and despite the North Korean government’s

00:27:26.700 --> 00:27:35.360
claims that it was not involved in these crimes, the 172-page affidavit details evidence that

00:27:35.360 --> 00:27:40.550
clearly demonstrates that the North Korean subjects, backed by their government, were

00:27:40.550 --> 00:27:42.760
responsible for these crimes.

00:27:42.760 --> 00:27:44.320
JACK: Oh, whoa.

00:27:44.320 --> 00:27:46.800
The same group did the Sony hack, too?

00:27:46.800 --> 00:27:48.409
I’m sure you’ve heard of this.

00:27:48.409 --> 00:27:53.049
There was this movie that Sony Pictures was producing called The Interview, a comedy with

00:27:53.049 --> 00:27:56.970
Seth Rogen and James Franco, where they were to travel to North Korea to interview Kim

00:27:56.970 --> 00:27:57.970
Jong Un.

00:27:57.970 --> 00:28:00.940
AGENT: [MUSIC] The CIA would love it if you could take him out.

00:28:00.940 --> 00:28:01.940
AARON: Hm?

00:28:01.940 --> 00:28:03.450
AGENT: Take him out.

00:28:03.450 --> 00:28:04.800
AARON: Like, for drinks?

00:28:04.800 --> 00:28:05.800
DAVE: Like, to dinner?

00:28:05.800 --> 00:28:07.240
AARON: On the town?

00:28:07.240 --> 00:28:09.240
AGENT: No. Take him out.

00:28:09.240 --> 00:28:11.190
AARON: You want us to kill the leader of North Korea?

00:28:11.190 --> 00:28:12.190
AGENT: Yes.

00:28:12.190 --> 00:28:16.980
JACK: Well, as it turns out, North Korea did not find this funny and hacked into Sony Pictures,

00:28:16.980 --> 00:28:21.960
getting access to e-mails, personal information, unreleased movies, scripts, and salaries.

00:28:21.960 --> 00:28:25.960
They published all this to WikiLeaks and at the same time demanded that Sony not release

00:28:25.960 --> 00:28:27.149
The Interview.

00:28:27.149 --> 00:28:31.670
If that wasn’t enough, they were destroying computers inside Sony using a wiper virus.

00:28:31.670 --> 00:28:36.309
Of course, this sparked a major debate over in Washington, DC as President Obama was trying

00:28:36.309 --> 00:28:37.870
to figure out what to do.

00:28:37.870 --> 00:28:40.990
An enemy nation just attacked an American company.

00:28:40.990 --> 00:28:45.010
If this had been a kinetic attack like with a bomb or fire, this would certainly be an

00:28:45.010 --> 00:28:46.470
act of war.

00:28:46.470 --> 00:28:49.880
Some people were urging Obama to consider this to be the same.

00:28:49.880 --> 00:28:55.300
But someone else said, are we really gonna go to war every time a company gets hacked?

00:28:55.300 --> 00:28:56.899
President Obama had this to say.

00:28:56.899 --> 00:29:04.470
OBAMA: We cannot have a society in which some dictator someplace can start imposing censorship

00:29:04.470 --> 00:29:06.410
here in the United States.

00:29:06.410 --> 00:29:12.600
Because if somebody is able to intimidate folks out of releasing a satirical movie,

00:29:12.600 --> 00:29:16.620
imagine what they start doing when they see a documentary that they don’t like or news

00:29:16.620 --> 00:29:18.559
reports that they don’t like.

00:29:18.559 --> 00:29:23.520
JACK: Strangely enough, Trump, who was not president at the time, was interviewed on

00:29:23.520 --> 00:29:26.420
the Wendy Williams show and was asked about this.

00:29:26.420 --> 00:29:27.770
Here’s what he said.

00:29:27.770 --> 00:29:31.840
TRUMP: Look, I hear the movie is terrible.

00:29:31.840 --> 00:29:36.600
If somebody did that to our president, whether you love your president or don’t love your

00:29:36.600 --> 00:29:42.169
president, if they start talking about assassination – and I heard they did some really vile

00:29:42.169 --> 00:29:43.169
things.

00:29:43.169 --> 00:29:44.169
It wasn’t just like, assassination.

00:29:44.169 --> 00:29:45.169
WENDY: In the movie.

00:29:45.169 --> 00:29:47.600
TRUMP: Yeah, it was really terrible, terrible things to him.

00:29:47.600 --> 00:29:49.780
That’s pretty bad stuff, right?

00:29:49.780 --> 00:29:51.590
I can see both sides of it.

00:29:51.590 --> 00:29:55.929
JACK: That’s not – I’m not even gonna comment on that.

00:29:55.929 --> 00:29:59.880
Sony backed out of releasing the film, but Washington DC urged them to publish it anyway

00:29:59.880 --> 00:30:03.740
to send a message that Kim Jong Un cannot suppress free speech [00:30:00] whenever he

00:30:03.740 --> 00:30:05.020
wants.

00:30:05.020 --> 00:30:08.679
Sony did a limited release and made the film available directly for download.

00:30:08.679 --> 00:30:13.799
But yeah, it’s fascinating to see the US has enough evidence to blame the same North

00:30:13.799 --> 00:30:17.840
Korean hacker for the hack on Sony and the Bangladesh Bank heist.

00:30:17.840 --> 00:30:23.279
The DOJ has an indictment for the hacker’s arrest but they’ll likely never be caught

00:30:23.279 --> 00:30:26.090
because there’s no way to go into North Korea and arrest him.

00:30:26.090 --> 00:30:29.360
They probably aren’t traveling anywhere anytime soon.

00:30:29.360 --> 00:30:33.940
But if the guy listed in the indictment were to travel to a country which has an extradition

00:30:33.940 --> 00:30:40.570
treaty with the US, [MUSIC] the FBI would probably find out and try to arrest them.

00:30:40.570 --> 00:30:47.240
Geoff, being the curious person he is and good journalist, decided to go to the North

00:30:47.240 --> 00:30:50.529
Korean embassy in England to get some answers.

00:30:50.529 --> 00:30:55.390
GEOFF: The embassy is in West London, in a suburb of West London, called Ealing.

00:30:55.390 --> 00:31:00.890
Look, all the embassies, there’s certain areas of London where the embassies are based

00:31:00.890 --> 00:31:05.149
like big, posh houses, security outside.

00:31:05.149 --> 00:31:09.250
The Canadian flag waves outside the Canadian embassy, and so on.

00:31:09.250 --> 00:31:13.940
North Korea really does look like a semi-detached house in a suburb.

00:31:13.940 --> 00:31:14.990
It was, actually.

00:31:14.990 --> 00:31:17.049
It’s a converted family house.

00:31:17.049 --> 00:31:22.700
I went up; I thought look, I tried to e-mail them, I’ve tried to call them.

00:31:22.700 --> 00:31:25.789
I got no response, so I went to the embassy to knock on the door.

00:31:25.789 --> 00:31:26.789
It’s really disappointing.

00:31:26.789 --> 00:31:30.399
There’s a sort of electric gate that sits across the driveway.

00:31:30.399 --> 00:31:34.850
Two very expensive Mercedes, by the way, parked in the driveway.

00:31:34.850 --> 00:31:39.220
The electric gate is all sort of remote control from inside the place.

00:31:39.220 --> 00:31:43.539
The front door of the actual embassy itself is behind that electric gate.

00:31:43.539 --> 00:31:48.800
I’ll be honest with you, it wasn’t unfeasible; I could have jumped the gate to get to the

00:31:48.800 --> 00:31:54.580
front door but I just thought at that point you’re kind of trespassing on the North

00:31:54.580 --> 00:31:55.580
Korean embassy.

00:31:55.580 --> 00:32:01.909
I didn’t want to end up in the Evening Standard as – technology journalist tasered as he

00:32:01.909 --> 00:32:03.830
tries to – I don’t know.

00:32:03.830 --> 00:32:04.830
I felt I’d done…

00:32:04.830 --> 00:32:07.179
JACK: So, there was no bell or anything to push?

00:32:07.179 --> 00:32:08.399
GEOFF: No, there is no bell.

00:32:08.399 --> 00:32:10.269
There is no bell accessible on the outside.

00:32:10.269 --> 00:32:13.120
In order to get to the bell, I would have had to have jumped the gate and jumping the

00:32:13.120 --> 00:32:17.659
gate just felt a step too far.

00:32:17.659 --> 00:32:19.470
Yeah.

00:32:19.470 --> 00:32:23.159
I sent them a letter by recorded delivery and I got a little confirmation back from

00:32:23.159 --> 00:32:28.570
the post office saying that my letter had been received by Mr. Kim at a particular time.

00:32:28.570 --> 00:32:33.340
Mr. Kim still hasn’t got back to me to answer my questions and I suspect I won’t hear

00:32:33.340 --> 00:32:34.590
back, but worth the trip.

00:32:34.590 --> 00:32:39.620
JACK: I want to take a minute to emphasize that this 81 million dollars was stolen because

00:32:39.620 --> 00:32:42.179
someone clicked a link on a phishing e-mail.

00:32:42.179 --> 00:32:45.919
This goes to show that humans are still the weakest link in the network, but the other

00:32:45.919 --> 00:32:50.970
900 million dollars in transfers was stopped because of a human.

00:32:50.970 --> 00:32:55.539
Somebody spotted these transactions and was able to take action which protected most of

00:32:55.539 --> 00:32:58.690
the one-billion-dollar payload from the hackers.

00:32:58.690 --> 00:33:03.470
Yeah, while humans are the weakest link, they’re also the strongest link at the same time.

00:33:03.470 --> 00:33:08.600
A well-trained and educated employee can do wonders for a company by protecting their

00:33:08.600 --> 00:33:10.710
systems from hackers.

00:33:10.710 --> 00:33:16.280
In 2018, the Bangladesh Bank brought a lawsuit against RCBC, the bank in the Philippines

00:33:16.280 --> 00:33:21.160
where the money was sent to, for failing to quickly put a freeze on the fraudulent accounts.

00:33:21.160 --> 00:33:24.670
They alleged there was corruption or collusion which allowed the hackers to get away with

00:33:24.670 --> 00:33:25.670
it.

00:33:25.670 --> 00:33:29.100
But RCBC responded with a defamation lawsuit.

00:33:29.100 --> 00:33:32.179
They were saying it was an inside job from the Bangladesh Bank.

00:33:32.179 --> 00:33:38.470
But check this out, in January 2019, the bank manager at RCBC was arrested and found guilty

00:33:38.470 --> 00:33:39.640
of money laundering.

00:33:39.640 --> 00:33:42.780
She was sentenced to four to seven years in prison.

00:33:42.780 --> 00:33:47.880
As it turns out, she was the one who opened the bank accounts that the stolen money was

00:33:47.880 --> 00:33:48.880
sent to.

00:33:48.880 --> 00:33:54.110
Now, she handles things related to customer care and I don’t know enough about the RCBC

00:33:54.110 --> 00:33:58.140
policies to know if it’s normal for a bank manager to open accounts for customers, so

00:33:58.140 --> 00:34:02.799
I’m not sure how suspicious this is but so far, she’s the only one to have been

00:34:02.799 --> 00:34:05.720
arrested in connection with this bank robbery.

00:34:05.720 --> 00:34:11.530
In the meantime, the Lazarus Group continues to attack the SWIFT banking system.

00:34:11.530 --> 00:34:15.740
In October 2017, they hit the Taiwanese Far Eastern International Bank.

00:34:15.740 --> 00:34:21.560
Between January and May of 2018, they targeted Mexico’s Bancomext, and in May 2018, it

00:34:21.560 --> 00:34:22.560
was the Bank of Chile.

00:34:22.560 --> 00:34:25.820
GEOFF: It used to be governments hacked into other governments for secrets, cyber-criminal

00:34:25.820 --> 00:34:30.340
groups hacked into banks for money, and hacktivist groups caused chaos to get profile.

00:34:30.340 --> 00:34:37.940
JACK: [MUSIC] It’s just so strange to me to see a government conducting cyber-crime

00:34:37.940 --> 00:34:41.639
and just out there stealing wads of money.

00:34:41.639 --> 00:34:46.329
But there it is, plain as day, and that just scares me.

00:34:46.329 --> 00:34:49.691
GEOFF: When you’ve got the time and money that governments have, suddenly you’re in

00:34:49.691 --> 00:34:50.820
a whole different ball game.

00:34:50.820 --> 00:34:55.220
If those guys are getting involved in cyber-crime operations, we are in a whole different ball

00:34:55.220 --> 00:34:56.220
game.

00:34:56.220 --> 00:34:59.869
JACK: That’s not to say this is suddenly going to be a common thing, that governments

00:34:59.869 --> 00:35:03.980
are going to be turning to international crime sprees to fund their [00:35:00] activities.

00:35:03.980 --> 00:35:08.900
North Korea, of course, does not follow the norm on many levels.

00:35:08.900 --> 00:35:13.079
But still, it’s pretty concerning that three years later, even though we know exactly who

00:35:13.079 --> 00:35:18.460
was behind the Bangladesh Bank heist, the hackers are still at large and are continuing

00:35:18.460 --> 00:35:22.190
to attack banks all over the world and developing new attacks.

00:35:22.190 --> 00:35:28.610
In fact, North Korea is responsible for another huge cyber-attack, an attack that was so big,

00:35:28.610 --> 00:35:31.900
it cost the world four billion dollars.

00:35:31.900 --> 00:35:36.120
But that story is going to have to wait until the next episode.

00:35:36.120 --> 00:35:44.570
So, join me in two weeks, will you?

00:35:44.570 --> 00:35:50.750
(OUTRO): [OUTRO MUSIC] A big thank you to journalist Geoff White for sharing his research

00:35:50.750 --> 00:35:52.359
and insights with us.

00:35:52.359 --> 00:35:54.150
Geoff has just published a new book.

00:35:54.150 --> 00:35:59.260
It’s called Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global.

00:35:59.260 --> 00:36:00.839
I highly recommend it.

00:36:00.839 --> 00:36:05.579
Geoff is a great investigator and writer and trust me, this book is right up your alley.

00:36:05.579 --> 00:36:09.650
There’s an affiliate link to Crime Dot Com in the show notes, so check it out.

00:36:09.650 --> 00:36:14.190
Geoff also has a pretty good podcast called Cybercrime Investigations where he goes super

00:36:14.190 --> 00:36:16.430
in-depth on stories he investigated.

00:36:16.430 --> 00:36:19.109
I also highly recommend that podcast.

00:36:19.109 --> 00:36:22.250
This show is made by me, the gold coder, Jack Rhysider.

00:36:22.250 --> 00:36:25.230
This episode was produced by the sandy surfer, Eileen Guo.

00:36:25.230 --> 00:36:29.210
Original score for this episode was done by Garrett Tiedemann and our theme music is by

00:36:29.210 --> 00:36:31.619
the bobbling Breakmaster Cylinder.

00:36:31.619 --> 00:36:36.839
Even though cyber-actors are working on new cyber-pathogens to wage cyber-attacks on cyber-bullies

00:36:36.839 --> 00:36:40.230
who have too much cyber-sex, this is Darknet Diaries.
