U.S. Preparing Cases Linking North Korea to Theft at N.Y. Fed

Wall Street Journal

U.S. Preparing Cases Linking North Korea to Theft at N.Y. Fed

Investigators build charges against Chinese middlemen for allegedly aiding 2016 cyberheist of $81 million from Bangladesh

The New York Federal Reserve building in New York. Some foreign governments, central banks and other institutions keep money at the New York Fed, enabling them to make payments in U.S. dollars and purchase sovereign securities.

The New York Federal Reserve building in New York. Some foreign governments, central banks and other institutions keep money at the New York Fed, enabling them to make payments in U.S. dollars and purchase sovereign securities. Photo: Scott Eells/Bloomberg News

Federal prosecutors are building cases that would accuse North Korea of directing one of the biggest bank robberies of modern times, the theft of $81 million from Bangladesh’s account at the Federal Reserve Bank of New York last year, according to people familiar with the matter.

The charges, if filed, would target alleged Chinese middlemen who prosecutors believe helped North Korea orchestrate the theft, the people said.

The current cases being pursued may not include charges against North Korean officials, but would likely implicate North Korea, people close to the process said.

The heist occurred in February 2016, when cyberthieves used the SWIFT access codes of Bangladesh’s central bank in one weekend to transfer $81 million from the bank’s account at the New York Fed to four bank accounts in the Philippines.

In February, around $100 million went missing from Bangladesh’s account at the New York Federal Reserve. Authorities are still piecing together what happened. This is what we know.

The efforts to build federal cases, people familiar with the process said, reflect a decision at the Justice Department that there is merit to the view of some private security researchers that the Fed heist was linked to the hacking in 2014 of Sony Pictures Entertainment, which the Federal Bureau of Investigation blamed on North Korea.

Richard Ledgett, the deputy director of the National Security Agency, said he was “optimistic about the truth of that,” when asked about reports of a connection between the two cybercrimes.

“If that linkage is true, that means a nation-state is robbing banks. That is a big deal; it’s different,” he said on Tuesday during a panel discussion at the Aspen Institute.

Federal investigators are focusing on Chinese individuals or businesses who allegedly helped North Korea orchestrate the theft, according to the people familiar with the matter.

U.S. Treasury authorities are considering sanctions against the alleged middlemen, these people said, an approach the government is increasingly using to go after suspected lawbreakers who are unlikely to land in U.S. custody.

The North Korean mission to the United Nations and the Chinese Embassy in Washington didn’t respond to requests for comment.

The U.S. attorney’s offices and FBI field offices in Los Angeles and Manhattan had both been investigating the theft, but Los Angeles took the leading role within the past year, according to people familiar with the matter.

That shift occurred because government investigators linked the code used to perpetrate the Bangladesh cyberheist with the Sony hack, which authorities in Los Angeles had been investigating.

Casino junket operator Kim Wong takes an oath during a senate hearing in Manila in March, 2016. Mr. Wong turned over some of the money stolen from Bangladesh to Philippine authorities.

Casino junket operator Kim Wong takes an oath during a senate hearing in Manila in March, 2016. Mr. Wong turned over some of the money stolen from Bangladesh to Philippine authorities. Photo: NOEL CELIS/AFP/Getty Images

Private security researchers have traced the Bangladesh heist to a hacking group known as Lazarus, which they say was also behind the Sony hack. In 2014, the FBI blamed North Korea for the Sony breach, which exposed embarrassing emails and led the studio to pull from theaters a movie that involved a plot to kill North Korean leader Kim Jong Un.

“The whole security community has said that the attack tools and techniques used in Sony are the same ones used in Bangladesh,” said Eric Chien, an engineer with security vendor Symantec Corp.

Prosecutors haven’t publicly filed any cases stemming from the Sony hack.

There remains a minority view among some federal officials that the evidence doesn’t prove beyond a doubt that North Korea was behind the Bangladesh theft, according to people familiar with the discussions. Some officials believe the hackers who carried out the Bangladesh heist may have appropriated, tweaked or repurposed the malicious code that the U.S. government made public after the Sony hack—which wouldn’t necessarily indicate they are linked to North Korea—the people familiar with the discussions said.

If charges are filed against alleged middlemen in the Bangladesh theft, they are expected to be similar to charges unsealed in September against a Chinese businesswoman, Ma Xiaohong, some of these people said.

Ms. Ma and her trading company were also accused of helping North Korea, and targeted by parallel Treasury Department sanctions. They were accused of helping blacklisted North Korean companies evade U.S. sanctions, move hundreds of millions of dollars and procure raw materials, potentially for use in Pyongyang’s nuclear-weapons program. Ms. Ma couldn’t be reached for comment and hasn’t pleaded in the case.

Federal prosecutors in Manhattan continue to investigate breaches of overseas financial institutions that are potentially related to the Bangladesh heist and may have been carried out by the same hackers, people familiar with the matter said. Court documents describe a hacking attack similar to the Bangladesh effort against a bank in Ecuador, and SWIFT, the global money-transfer network, has disclosed another against a bank in Vietnam.

The Justice Department brought its first case accusing another country’s government officials of cyberespionage in 2014, indicting Chinese military officials, and has stepped up its efforts to file such charges, linking state-sponsored cyberspying with criminal activity.

Last week, the department announced an indictment against four men, including two Russian government spies, accusing them of being behind Yahoo Inc.’s 2014 security breach and stealing information about more than a half billion online accounts. Prosecutors alleged the hackers sought information for intelligence purposes and for criminal schemes to steal money. The accused couldn’t be reached for comment.

Bangladesh Bank is one of scores of foreign institutions, including governments and central banks, keeping money at the New York Fed, enabling them to make payments in U.S. dollars and purchase sovereign securities, among other things. The New York Fed handles such accounts out of a special unit within its markets division.

The audacity and size of the theft, conducted through odd orders seeking millions of dollars for vague consulting fees and expenses, sent shock waves through the global money transfer system.

The thieves also transferred $20 million to the account of a nonprofit in Sri Lanka, but that transfer was halted after a bank executive in Colombo noticed that the name of the beneficiary had been misspelled. That money was later returned to Bangladesh’s foreign-currency reserve at the New York Fed.

Philippine authorities returned $15 million of the $81 million in November, after a Chinese casino operator there turned over the money to authorities.

Nearly $60 million was paid to two other casinos and another gambling junket operator in Manila, but the Anti-Money Laundering Council of the Philippines said it was unable to trace it further.

SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, a member-owned cooperative that connects more than 11,000 financial institutions and accounts for the bulk of world-wide cross-border payments traffic, said after the Bangladesh heist that its core network hadn’t been breached.

SWIFT has disclosed, however, that several of its client banks have been targeted in similar cyberattacks. The Brussels-based cooperative urged customers to improve network security and rolled out enhanced security patches for its servers.

Write to Aruna Viswanatha at Aruna.Viswanatha@wsj.com and Nicole Hong at nicole.hong@wsj.com

Leave a Reply

Your email address will not be published. Required fields are marked *