Instead, Bangladesh Bank is suing a bank in the Philippines where the funds briefly landed before a complex series of transfers that diverted them to Filipino casinos after which they became untraceable. The New York Fed, which was holding the money when it was illegally transferred, is helping, including by urging people and organizations in the Philippines to help recover the funds, according to an agreement between the banks.
The case — which represents one of the biggest bank heists in modern history — demonstrates a supreme challenge facing cybercrime victims, former prosecutors told me.
The global losses from cybercrime, which the Center for Strategic and International Studies reports have reached $600 billion annually, are devastating for victims. But it’s often difficult or impossible to recover the stolen money from the hackers who commit crimes across borders. The culprits — if they can even be identified — are often bad actors who are beyond the reach of governments’ law enforcement.
That means cybercrime victims have to look elsewhere for recompense — even in this scenario, where the U.S. Justice Department and cybersecurity companies have publicly concluded North Korean government-backed hackers carried out the crime.
“If you really want to recover funds, you need to find someone with deep pockets,” Marcus Christian, an attorney in Mayer Brown’s cybersecurity practice and a former executive assistant U.S. attorney, told me. “People are going to follow the money and find other parties at fault.”
In this case, the heist was interrupted before the hackers had completed their work, according to the lawsuit. If they’d been fully successful, the scam would have wrested nearly $1 billion from Bangladeshi accounts, more than two-thirds of the bank’s typical reserves and a sum that would have been “catastrophic” for the nation and its people, according to the suit.
Yet the bank is unlikely to retrieve even the comparatively meager sum of $81 million from the Pyongyang regime, which is both notoriously short of funds and a pariah from global rule of law, Christian said.
As a result, he says Bangladesh Bank is much better off suing the Filipino bank, Rizal Commercial Banking Corporation, or RCBC, which is tied into the global financial system.
This case is somewhat distinct because Bangladesh Bank alleges RCBC was actually complicit in the hack rather than simply negligent. That sets the case apart from, say, a typical data breach case where customers whose information was stolen will sue a company they say failed to adequately protect their personal information.
According to the lawsuit, RCBC assisted the North Korean hackers in transferring the stolen funds to RCBC accounts at the New York Fed and then back to the Philippines. An RCBC attorney called those claims “completely baseless” and a “PR campaign” to shift blame from Bangladesh Bank’s own negligence, Reuters reported.
The Manila bank also argued that the case’s link to New York — the fact the initial transfer occurred at the New York Fed — was too tenuous to justify filing the legal case there. International crime victims often sue in U.S. courts if there’s a reasonable argument to do so because they offer a more transparent legal process and clearer rule of law than other venues, Christian told me.
The case is also somewhat unusual because the New York Fed has pledged to take an active role in helping the Bangladesh Bank recover its money, said John Horn, a former U.S. attorney who’s now a partner with King and Spalding, focused on data security.
“That’s a definite signal that the Fed is going to do what it can to discourage the use of its system in this way going forward,” Horn told me.
The North Korean hackers haven’t escaped completely the reach of U.S. justice.
The Justice Department announced charges in September against one of the alleged Bangladesh Bank hackers, Park Jin Hyok, who’s also accused in the 2014 hack of Sony Pictures Entertainment.
Park is unlikely to see a U.S. courtroom, though, and there has been no talk of retrieving any of the hacked funds from the North Korean regime.
“This case, like most cybercrime cases, demonstrates that when [victims] cannot identify or reach the criminals who affected them adequately, they will turn to other parties for a remedy,” Christian told me.
Original report can be found on The Washington Post.