There are a lot of reasons to hack a vulnerable system. Many hackers have political motivations, while others simply enjoy the thrill of the chase. But there's one motivation that will always bring out the worst in people: money. There are many cyber criminals out there who make a living from ripping off unsuspecting victims, with many being so bold as to go after large financial institutions.
While criminals can obviously make a lot of money by cracking a bank's cyber defenses, the reality is that this is only part of the hacker-banker relationship. In fact, certain financial institutions are helping these malicious individuals legitimize their ill-gotten profits, showing just how deep the cyber underground can run.
How hackers almost got away with $1 billion
To begin, it's important to take a look at the stereotypical interaction between banks and hackers: theft. When it comes to larger jobs, there's been none bigger than the recent attack launched against Bangladesh Bank. After sorting through the rubble, it was revealed that the hackers got away with only $81 million. Putting the word "only" in front of $81 million would be ludicrous in any other scenario, but this hack could have been so much worse. Wired's Kim Zetter has reported that the criminals were actually trying to steal around $1 billion.
The whole debacle started when the hackers got ahold of credentials that allowed them to access the Society for Worldwide Interbank Financial Telecommunication system. SWIFT is basically a private network that allows banks to move money around the world in a secure fashion. This very often entails large sums changing hands, which is why it was the perfect target.
How the hackers managed to get their hands on these credentials remains a mystery, although many are alleging that it was an inside job. That said, other cyber security experts aren't so convinced. Apparently, Bangladesh Bank had a very outdated security system that didn't even have any firewalls protecting data. It's very possible that the hackers simply breached this network, rooted around and found the SWIFT credentials that they needed.
Once inside, the cyber criminals sat back and waited. They needed to gain an understanding of how money was sent and how scheduling worked within the system. While doing this, the hackers also installed a piece of malware that would force SWIFT to stop printing physical transaction reports, thereby giving them extra time to grab the money and get out.
When the illegal withdrawal finally occurred, the hackers moved swiftly and with force. They set up multiple transactions throughout the world, with two notable ones being the $81 million posted to Rizal Commercial Banking Corporation in the Philippines and $20 million to Pan Asia Banking.
Although the hackers had been meticulous up to this point, they made an incredibly simple mistake that eventually led to their scheme being found out. In one of the transactions, a recipient name that should have read "Shalika Foundation" was spelled "Shalika Fandation," causing bankers to doubt the legitimacy of the move. People started asking questions, and the routed money was halted while the bank investigated.
Most of the money was stopped before it reached its final destination, including the $20 million posted to Pan Asia Banking. However, the hackers drained almost all of the $81 million sent to Rizal Commercial Banking Corporation, and the money instantly vanished. Bangladesh Bank is lucky it didn't lose the full $1 billion, but all involved parties are obviously furious.
Bangladesh Bank has blamed the Federal Reserve Bank of New York for allowing the transactions to go through, while many others are stating that Bangladesh's lax security is the reason this happened. In fact, there's even some evidence that North Korea may have been involved, as some of the malware was extremely similar to the code used in the 2014 Sony hack. Regardless of who is behind this, such an incredibly large heist shows that when it comes to hacking, if there's a will, there's a way. If anything, this should be a wake-up call to every bank that believes its current cyber security practices are enough.
But where do they put the money?
With such a massive amount of money being directed straight into the cyber criminal underground, the question remains as to what happens to all of that cash. Hackers can't simply put $81 million under their mattresses, but they also can't just open a bank account without a lot of questions being asked.
This is where money laundering comes in. After pulling a heist, the criminal creates a legitimate back story for the money, thereby washing it of all of its illegal beginnings. In the real world, casinos are often used to launder money, as a casino is a cash business where the owner can simply take extra money from a criminal and report it as winnings. In fact, this is most likely how much of that $81 million from the Bangladesh Bank is being laundered, as Zetter reported that the money is making its way to casinos in the Philippines.
However, this involves a lot of personal interaction that could eventually lead to an arrest. This is why many hackers opt to clean their money through offshore bank accounts and shell companies. In fact, Trend Micro researchers have discovered multiple advertisements for such services on online forums that often house conversations between hackers.
As the recent Panama Papers scandal revealed, there are certain foreign countries that can act as tax havens for people with a lot of money. This is exactly what hackers are looking for, as they don't want the taxman asking a lot of uncomfortable questions about where they got all of this money.
So, the people behind these advertisements state that they will set up a shell company that will look like a legitimate business. The provider will do all the hard work of filling out the necessary paperwork and setting up a fake leader of the company to run the daily operations and make the business seem more real. When this is all said and done, the hacker gets a set of credit cards that they can then use to spend their now legitimate-looking money. The service provider gets a cut of the cash and everyone stays quiet about the legality of the situation.
As this shows, hackers who actually steal money are only part of the problem. These people would have nowhere to put the cash if it weren't for these malicious bankers who know how to con the system. Whether they're stealing money or hiding it, hackers will always need banks, and stopping the individuals who help these criminals deposit their stolen funds is a necessary step toward financial justice.