The Federal Reserve will lend a hand to Bangladesh’s central bank as it sues to recoup losses from one of the world’s largest cyber heists, even while the Philippine bank targeted by the lawsuit on Friday called it baseless and beyond US jurisdiction.
The New York Fed’s formal agreement to provide “technical assistance” could spell some relief for Bangladesh Bank and sets the stage for its long-promised litigation over the February 2016 heist of $81 million, of which only $15 million has been recovered.
Unidentified hackers pulled off the heist by breaching Bangladesh’s systems and using the SWIFT global payments network to send fraudulent orders to the New York branch of the US central bank, which oversees the account and was tricked into releasing the funds.
Of nearly $1 billion requested, $81 million was sent to accounts at Manila-based bank Rizal Commercial Banking Corp (RCBC) and then mostly vanished into Philippines casinos.
A person familiar with the “resolution and assistance” agreement told Reuters the New York Fed would prepare affidavits and clear employees to testify at hearings or a trial, and also allow Bangladesh Bank representatives to interview employees on relevant and factual matters.
On Thursday, in US District Court in Manhattan, Bangladesh Bank sued RCBC and accused it and dozens of others, including several top executives, of involvement in a “massive” and “intricately planned” multiyear conspiracy to steal its money.
Bangladesh Bank alleged funds were stolen with the help of unnamed North Korean hackers who used malware with such names as “Nestegg” and “Macktruck” to obtain backdoor access to its network.
Separately, the US government in September charged a North Korean man it alleged was responsible for the Bangladesh incident and other heists, and detailed the ease with which hackers phished Bangladesh Bank employees.
RCBC’s attorney, Tai-Heng Cheng of US law firm Quinn Emanuel Urquhart & Sullivan, called Bangladesh’s lawsuit “completely baseless” and “nothing more than a thinly veiled PR campaign” to shift blame from itself.
“Not only are the allegations false, they don’t have the right to file here since none of the defendants are in the United States,” he said.
The suit, filed days before the statute of limitations expires, may hinge initially on jurisdiction and whether US law applies to an incident in which New York played a small but key role and the main players were mostly based in Asia.
The suit “emphasizes how the New York Fed and the Fedwire system fit into the hackers’ scheme, and (their) importance to the United States financial system. But otherwise, much of the conduct alleged in the complaint took place overseas,” said Peter Jaffe, a senior associate at Washington-based law firm Freshfields Bruckhaus Deringer US LLP.
“The hack is alleged to have occurred between North Korea and Bangladesh; much of the subsequent money laundering occurred outside the United States,” he added.
A 2016 Reuters investigatihere into the heist found that a series of missteps and miscommunications between the Fed and Bangladesh, little emergency backup, and slow reactions in New York to early warning signs all contributed, according to Reuters news agency.
Some 250 foreign central banks and governments keep more than $3 trillion of their assets at the New York Fed.
Under the agreement struck this week, the New York Fed would provide relevant non-privileged documents and information to Bangladesh Bank or to the court, and serve as consulting or testifying expert, according to the person familiar with it.
It also commits the New York Fed and Bangladesh Bank to “meeting jointly with the relevant agencies or parties in the Philippines to strongly encourage them to assist in the recovery of stolen funds,” they said in a joint statement, adding the fraud “represents a threat to the international funds transfer system.”