A recent 10-episode podcast by Geoff White and Jean H Lee on BBC Sounds recounted the movie-like events of 2016, when North Korea attempted a $1 billion raid on Bangladesh’s national bank — and was stopped largely by sheer coincidence.
So how did North Korea, one of the world’s poorest and most isolated countries, train a team of elite cyber-criminals, and how did they almost get away with it?
The story begins with a malfunctioning printer at Bangladesh Bank, the country’s central bank, responsible for overseeing Bangladesh’s currency reserves.
The printer wasn’t just any printer; it was located on the 10th floor of the bank’s main office in Dhaka and its role was to print out records of the multi-million-dollar transfers flowing in and out of the bank.
On Friday, February 5, 2016, duty manager Zubair Bin Huda later told police, “we assumed it was a common problem just like any other day … such glitches had happened before.”
But the printer was the first sign that Bangladesh Bank had been compromised. Hackers had broken into its computer networks and, that Friday morning, they were attempting one of the boldest cyber-attacks ever: to steal one billion dollars.
The gang, traced back to North Korea, would use fake bank accounts, charities, casinos, and an array of accomplices to try to launder the money without suspicion.
According to the FBI, the Bangladesh Bank hack was the product of years of methodical preparation by a shadowy team of hackers and middlemen across Asia, supported by the North Korean regime.
The North Korean hackers are known as the Lazarus Group, referencing the biblical figure who came back from the dead as an allusion to the resilience of the group’s computer viruses.
When the bank’s staff rebooted the printer, they found urgent messages from the Federal Reserve Bank in New York — the Fed — where Bangladesh Bank keeps a US-dollar account.
The Fed had received instructions, reportedly from Bangladesh Bank, to drain the entire account: a whopping $951 million.
The time gap
This was the next phase of the plan: Bangladesh Bank tried to contact the Fed for clarification but due to the precise timing of the hack, they couldn’t get through.
The hack started at around 20:00 Bangladesh time on Thursday, but in New York, it was Thursday morning, so the Fed had plenty of time to unknowingly carry out the hackers’ plan while Bangladesh was asleep.
Here’s the kicker: Friday is the start of the Bangladeshi weekend, so the bank’s HQ was beginning its break, and by the time staff began to uncover the theft on Saturday, it was already the weekend in New York.
“So you see the elegance of the attack,” says Rakesh Asthana, US-based cyber-security expert, “The date of Thursday night has a very defined purpose. On Friday, New York is working, and Bangladesh Bank is off. By the time Bangladesh Bank comes back on line, the Federal Reserve Bank is off. So it delayed the whole discovery by almost three days.”
Once they had transferred the money out of the Fed, they wired it to accounts they’d set up in Manila, the capital of the Philippines.
As it happened, the following Monday in 2016 was the first day of the Lunar New Year — a national holiday across Asia.
The hackers had created a five-day run to get the money by exploiting time differences between Bangladesh, New York and the Philippines.
And while it may have seemed to start with just a printer, it turned out the Lazarus Group had been lurking inside Bangladesh Bank’s computer systems for a year — giving them plenty of time to plan the attack.
In January 2015, several Bangladesh Bank employees received a seemingly harmless email from a job seeker calling himself Rasel Ahlam, who included an invitation to download his CV and cover letter from a website.
Rasel, however, did not exist, and according to FBI investigators at least one person inside the bank downloaded the documents, infecting their computer with the viruses hidden inside.
Once inside the bank’s systems, the Lazarus Group worked their way towards the digital vaults and their billions of dollars by hopping from computer to computer.
There was just one problem, and it involved the printer: Bangladesh Bank had created a paper backup system to record all transfers made from its accounts — a record that could have instantly exposed the hackers’ work.
So, they hacked into the software controlling it, and disabled it.
The escape route
You’re saying the hackers had been inside the bank’s system for a year? Yup!
Why would they risk the possibility of being discovered? It seems they needed time to create escape routes for the money.
They chose the Jupiter Street branch of RCBC bank, one of the Philippines’ largest banks.
In May 2015, after they had accessed Bangladesh Bank’s systems, they set up four accounts through accomplices, using fake driver’s licences that went undetected at the time, and identical job titles and salaries.
The accounts remained dormant with their initial $500 deposits while the group prepared their plan.
With the paper backup disabled, the transfer route through the Fed ready, and the receiving accounts open, on Thursday, February 4, 2016, the hackers began 35 transfers totalling $951 million.
There was just one little coincidence and one tiny detail that would put a wrench in their plan.
Bangladesh Bank had discovered the missing money, but they were struggling to figure out what had happened.
The bank’s governor called Rakesh Asthana for help and, at the time, they still thought they could retrieve the stolen money.
As such, he kept the hack secret from the public and the government.
Asthana began to uncover the extent of the hack and how the thieves had gained access to Bangladesh Bank’s connection to Swift (a messaging system used by thousands of banks around the world to coordinate large transfers of money).
To the bank governor’s dismay, it soon became clear that the transactions could not be reversed, as some money had already arrived in the Philippines where they would need a court order to try to reclaim it.
Due to the public nature of court orders, the story went public and gained traction worldwide as soon as Bangladesh Bank filed its case.
The governor resigned almost immediately and the world had a lot to say.
US Congresswoman Carolyn Maloney told the BBC that the heist was “fascinating, shocking — a terrifying incident, probably one of the most terrifying that I’ve ever seen for financial markets.”
She asked, “They were the New York Fed, which usually is so careful. How in the world did these transfers happen?”
And that is when one tiny, coincidental detail cost the hackers hundreds of millions of dollars.
The RCBC bank branch was in Jupiter Street.
Maloney said, “The transactions were held up at the Fed because the address used in one of the orders included the word ‘Jupiter,’ which is also the name of a sanctioned Iranian shipping vessel.”
The mere mention of “Jupiter” set alarm bells ringing in the Fed’s automated computer systems, stopping most of the payments. But not all.
Five transactions, worth $101 million, passed through and, of that, $20 million was transferred to a Sri Lankan charity called the Shalika Foundation.
The founder, Shalika Perera, says she believed the money was a legitimate donation, but yet another tiny detail derailed the hackers’ plans.
The hackers wrote “Shalika Fundation,” a spelling mistake that caused the transaction to be reversed.
And so, while the Jupiter Street coincidence stopped most of the transactions, $81 million still got through — a devastating blow for Bangladesh, where one in five people live below the poverty line.
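The two details that derailed the transfers are both instances of routine payment-screening controls: an automated sanctions check that flags any watch-listed name appearing in a free-text field, and a beneficiary-name check that refuses to credit an account whose holder name does not match the instruction. The following Python is an added illustration written for this page, not code from the article or from any bank; the watch list, the account-holder names, the amounts other than the $20 million and the `PaymentOrder` fields are all constructed assumptions. It shows why a street called Jupiter trips a keyword check built for a vessel called Jupiter, and why “Fundation” versus “Foundation” is a mismatch even though the two names are almost identical.

```python
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Constructed watch list for this example. "JUPITER" stands in for the sanctioned
# vessel name mentioned in the article; the other entry is a made-up placeholder.
SANCTIONS_WATCHLIST = ("JUPITER", "EXAMPLE SANCTIONED CO")


@dataclass
class PaymentOrder:
    ref: str
    amount_usd: int
    beneficiary_name: str        # name as typed on the payment instruction
    beneficiary_address: str     # address as typed on the payment instruction
    account_holder_name: str     # name held on file for the destination account
    flags: list = field(default_factory=list)


def normalize(text: str) -> str:
    """Upper-case, keep only letters/digits, collapse runs of whitespace."""
    return " ".join(re.findall(r"[A-Z0-9]+", text.upper()))


def sanctions_hits(order: PaymentOrder) -> list:
    """Whole-word matches of watch-list names anywhere in the free-text fields.

    Deliberately simple: like the automated check described in the article, it
    cannot tell a street name from a vessel name, so it produces false positives
    such as 'Jupiter Street'. A human review is expected to resolve those.
    """
    haystack = normalize(f"{order.beneficiary_name} {order.beneficiary_address}")
    return [name for name in SANCTIONS_WATCHLIST
            if re.search(rf"\b{re.escape(name)}\b", haystack)]


def name_similarity(a: str, b: str) -> float:
    """Similarity in 0.0 .. 1.0 between two names after normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(order: PaymentOrder) -> str:
    """Return 'HOLD' or 'RELEASE' and record the reasons in order.flags."""
    order.flags = []
    hits = sanctions_hits(order)
    if hits:
        order.flags.append("SANCTIONS_HIT:" + ",".join(hits))
    if normalize(order.beneficiary_name) != normalize(order.account_holder_name):
        score = name_similarity(order.beneficiary_name, order.account_holder_name)
        # A near-miss is most likely a typo, but the payment still must not be
        # credited to an account whose holder name differs from the instruction.
        order.flags.append(f"NAME_MISMATCH:{score:.2f}")
    return "HOLD" if order.flags else "RELEASE"


# Constructed sample instructions modelled on the two details in the article.
SAMPLE_ORDERS = [
    PaymentOrder("ORD-1", 20_000_000, "Shalika Fundation",
                 "Colombo, Sri Lanka", "Shalika Foundation"),
    PaymentOrder("ORD-2", 30_000_000, "Example Holder",
                 "RCBC Jupiter Street Branch, Makati, Manila", "Example Holder"),
    PaymentOrder("ORD-3", 1_000_000, "Example Holder",
                 "Ayala Avenue, Makati, Manila", "Example Holder"),
]


def screen_all(orders=SAMPLE_ORDERS) -> dict:
    """Map each order reference to its screening decision."""
    return {o.ref: screen(o) for o in orders}


if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        print(o.ref, screen(o), o.flags)
```

Running the block holds ORD-1 (name mismatch, similarity about 0.97) and ORD-2 (keyword hit on “JUPITER” in the address) and releases ORD-3. The point for a defender is that a keyword hit is only a hold, not a verdict: the control works because a person then reviews the flagged instruction, which is what gave Bangladesh Bank time to stop most of the payments.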
The money wash
As Bangladesh Bank tried to retrieve the money, the hackers had already taken steps to ensure the money would be theirs.
The accounts set up at the RCBC branch in Jupiter Street were no longer dormant: the money was being transferred between accounts, sent to currency exchange firms, swapped into local currencies, re-deposited, and some withdrawn in cash.
Thus began the process of the “money wash.”
“You have to make all of that criminally derived money look clean and look like it has been derived from legitimate sources in order to protect whatever you do with the money afterwards,” Moyara Ruehsen, director of the Financial Crime Management Programme at the Middlebury Institute of International Studies, told the BBC.
“You want to make the money trail as muddy and obscure as possible.”
The Lazarus Group did this through gambling.
In Manila, there is a famous attraction known to draw gamblers from mainland China, the Solaire casino.
It is reportedly one of the most elegant casino floors in Asia, with 400 gaming tables and about 2,000 slot machines.
$50 million of the $81 million was deposited in accounts at the Solaire and another casino, the Midas, for the next stage of their money-laundering operation.
The remaining $31 million was paid to a Chinese man called Xu Weikang, who left town on a private jet, according to a Philippines Senate investigation committee.
The idea behind washing the money through casinos was to convert the money into casino chips, gamble it, and change it back into cash — making it almost impossible to trace.
To mitigate the typical risks of losing money while gambling, the group booked private rooms and filled them with accomplices to give them control over how the money was gambled.
They also used the stolen money to play Baccarat, a popular yet simple game in Asia, where experienced players can recoup 90% or more of their stake (a far larger return than usual for money launderers).
For weeks, the gamblers perched themselves inside Manila’s casinos to wash the money by carefully managing players and bets.
By the time Bangladesh Bank had caught on, it was too late: the Philippines’ gambling houses were not covered by money-laundering regulations at the time and had simply treated the group as legitimate gamblers.
The Solaire casino told the BBC it had no idea it was dealing with stolen funds and is cooperating with authorities.
One step closer to North Korea
Bangladesh Bank’s officials managed to recover $16 million of the stolen money from one of the men who organized gambling at the Midas casino.
The rest of the money, $34 million, was slowly slipping away, but it took investigators one step closer to North Korea.
Macau is an enclave in China, similar to Hong Kong, and is known as a gambling hotspot.
The territory also has long-established links to North Korea — it was where North Korean officials were caught laundering “Superdollars,” extremely high-quality counterfeit $100 notes, in the early 2000s.
US authorities claim these “Superdollars” were printed in North Korea and, in 2006, Japanese bank officials were only able to identify Superdollars by blowing them up to 400 times their original size, as reported by BBC.
Macau was also where Kim Jong-un’s half-brother, Kim Jong-nam, lived in exile before being fatally poisoned in Malaysia (thought by many to be authorized by the North Korean leader).
Investigators believe most of the stolen money ended up in this small Chinese territory on its way back to North Korea: several of the men who organized the gambling in the Solaire and two of the companies that had booked the private rooms were traced back to Macau.
North Korea ranks among the 12 poorest nations in the world, lower than Sierra Leone and Afghanistan, according to the CIA.
It is also notorious for its lack of electricity, particularly in contrast to South Korea.
So how did North Korea produce and nearly pull off one of the world’s most brazen hack attempts?
North Korea has managed to cultivate elite cyber-warfare units, especially after former leader Kim Jong-il decided to incorporate cyber into the country’s strategy.
When Kim Jong-un took over in late 2011 after his father’s death, he needed a way to fund nuclear weapons after the sanctions imposed by the UN Security Council increased.
US authorities say hacking was one solution.
To train cyber-warriors, it is believed that the regime sends its most talented computer programmers abroad, mostly to China.
They transform mathematical geniuses into hackers.
The Lazarus Group
While little is known about the Lazarus Group, the FBI has painted a detailed picture of one suspect: Park Jin-hyok, also known as Pak Jin-hek and Park Kwang-jin.
He is described as a computer programmer who graduated from one of North Korea’s top universities and went to work for a North Korean company in the Chinese port city of Dalian — creating online gaming and gambling programs for clients across the world.
According to an FBI investigator’s affidavit, his cyber footprints put him in Dalian in 2002 and off and on until 2013 or 2014, when his internet activity is seen to come from the North Korean capital, Pyongyang.
A programmer by day, the FBI says, he was a hacker by night.
He was charged in 2018 with one count of conspiracy to commit computer fraud and abuse, and one count of conspiracy to commit wire fraud, facing up to 20 years in prison if he is ever tracked down.
Park is just one of the thousands of young North Koreans who have been cultivated from childhood to become cyber-warriors: talented mathematicians as young as 12 are taken to the capital, where they are given intensive training.
Digital footprints led investigators to an unassuming hotel in Shenyang, in China’s northeast, called the Chilbosan — named after a famous mountain range in North Korea.
The hotel was “well-known in the intel community,” says Kyung-jin Kim who suspected North Korean hackers were operating from the Chilbosan when they broke onto the world stage in 2014.
Defector Hyun-seung Lee says he was once invited over to the living quarters of the hackers, where he saw “about 20 people living together and in one space”, almost like an office.
They were producing mobile phone games that were selling to South Korea and Japan through brokers, making $1 million per year.
The FBI says the Lazarus Group was also behind the 2013 cyberattack on Sony Pictures Entertainment, which followed the announcement of a Sony movie set in North Korea.
In May 2017, the WannaCry ransomware spread like wildfire, demanding a ransom of several hundred dollars, payable in the virtual currency Bitcoin, for victims to retrieve their data.
Investigators from the UK’s National Crime Agency found startling similarities between the viruses used to hack into Bangladesh Bank and Sony Pictures Entertainment.
The 2017 attack may mark a new phase in North Korea’s embrace of cryptocurrency as a way to bypass traditional banking systems.
In the years since, tech security firms have attributed many more cryptocurrency attacks to North Korea, with estimated thefts of more than $2 billion.
The allegations of computer hacking, global money laundering, and cryptocurrency theft paint a disturbing picture in which the world may have severely underestimated North Korea’s technical skills and the dangers it presents, says Geoff White.
Investigators uncovered how a tiny nation, desperate for funds, can reach into the email inboxes and bank accounts of the rich and powerful — who are, at the same time, vulnerable — to fight on the new front line of a global battleground: a digital one, growing alongside an increasingly connected world.