FBI Suspects Insider Involvement in $81 Million Bangladesh Bank Heist

By Devlin Barrett

U.S. investigators suspect the theft by computer hackers of $81 million from Bangladesh’s central bank was partly an inside job—the first hint of culpability in a case that has exposed new vulnerabilities in the international banking system.

Agents with the Federal Bureau of Investigation have found evidence pointing to at least one bank employee acting as an accomplice, people familiar with the matter said. The evidence suggests a handful of others may also have assisted hackers in navigating Bangladesh Bank’s computer system, the people said.

The hackers tried to steal nearly $1 billion in a brazen attack that involved an extensive penetration of Bangladesh Bank’s computers, dozens of orders on the official interbank fund-transfer network and a money trail that ran through the Philippines’ murky casino business, according to investigators.

The attackers successfully transferred $100 million out of the bank’s account at the Federal Reserve Bank of New York. Officials have been able to recover about $20 million so far.

Subhankar Saha, a spokesman for Bangladesh Bank, said the FBI hadn’t informed it that one or more of its employees could have acted as accomplices in the heist. “The central bank is pursuing this case with the utmost vigor and if anyone within the bank is found to be involved, we will take legal action as appropriate,” he said.

Publicly, Bangladesh officials have suggested some of the blame lies with the Society for Worldwide Interbank Financial Telecommunication, or Swift—a cooperative of financial institutions that operates a crucial messaging system among thousands of banks.

Bangladesh officials have also hinted some responsibility may lie with the Federal Reserve Bank of New York, which stopped as suspicious most of the 35 transfer orders sent by the attackers but let five through.

A lawyer for Swift declined to comment.

A spokeswoman for the New York Fed also declined to comment on the investigation. At a conference in Miami last week, Richard Dzina, New York Fed executive vice president, said the bank acted on properly authenticated message instructions.

The head of Bangladesh’s central bank is scheduled to meet Tuesday in Switzerland with New York Fed President William Dudley and senior Swift officials in an effort to speed recovery of the stolen funds.

The FBI and federal prosecutors in Manhattan are investigating the attack. Suspicions that one or more Bangladesh Bank employees were involved may complicate what is already a delicate international effort to determine what happened, recover as much of the stolen money as possible, and minimize future hacking of the global financial system.

Interactions between the FBI and Bangladesh officials haven’t always been easy since the heist, and the State Department has intervened in an attempt to foster a better working relationship, according to the people familiar with the investigation.

The hacking of the Bangladesh Bank in early February showed a surprising level of understanding of the institution’s inner workings, the people familiar with the investigation said.

The hackers lurked in Bangladesh Bank’s systems logging keystrokes to get the passwords they needed, allowing them to authorize the transactions, according to a computer security report written after the incident. They used the central bank’s actual codes to authorize the transfers, the report said.

The case has raised alarms among security and banking professionals, because the hackers were able to carry out the theft via Swift, which is the main way that banks communicate about cross-border financial transfers.

After the attack, Swift warned its customers in a message accompanying a software update about “a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit Swift messages from financial institutions’ back offices, PCs, or workstations connected to their local interface to the Swift network.”

—Katy Burne in New York and Syed Zain Al-Mahmood in Dhaka contributed to this article.

Write to Devlin Barrett at devlin.barrett@wsj.com