The Federal Bureau of Investigation suspects that an insider took part in the theft of $81 million from Bangladesh’s central bank account at the Federal Reserve Bank of New York in February. Agents of the bureau say at least one Bangladesh bank employee acted as an accomplice, according to news reports.
The hackers, allegedly also with the help of malware, attempted to steal nearly $1 billion from Bangladesh Bank’s computers that got through the Philippines’ RCBC bank and eventually to the country’s casino business, according to investigators.
Subhankar Saha, a spokesman for Bangladesh Bank, said the FBI hadn’t informed it that one or more of its employees could have acted aided the hackers. The bank, he said, will pursue the case with “utmost vigor and if anyone within the bank is found to be involved, we will take legal action as appropriate.”
Earlier, officials from the bank and Bangladesh police alleged that technicians of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) introduced security holes into the bank's network while connecting SWIFT to Bangladesh's first real-time gross settlement (RTGS) system. They have also suggested that some responsibility may lie with the Federal Reserve Bank of New York, which stopped as suspicious most of the 35 transfer orders sent by the attackers but let five through.
But SWIFT has denied the allegations. “SWIFT rejects the false, inaccurate and misleading allegations made by Bangladesh Bank and Bangladesh Police's Criminal Investigation Department (CID) officials to Reuters. The accusations have no basis in fact,” the Brussels-based bank-owned cooperative in a statement posted on its website.
SWIFT says it “was not responsible for any of the issues cited by the officials, or party to the related decisions. As a SWIFT user like any other, Bangladesh Bank is responsible for the security of its own systems interfacing with the SWIFT network and their related environment – starting with basic password protection practices – in much the same way as they are responsible for their other internal security considerations.”