Gao Shu Hua and Ding Zhi Ze, from Beijing and Macau.
Gao and Wong are "junket operators" who are among the many small boat captains who are thought to ferry gamblers between the casinos in Macau and the Philippines.
In a series of quick financial operations, the funds were transferred from the Philippines to three large local casinos: Midas Hotel and Casino, City of Dreams, and Solaire Resort and Casino, and then wired back to various international accounts, using the common trick of laundering the money by claiming it as gambling proceeds. Fortune magazine reported that in the case of Solaire, the $29 Million was credited to the account of a Macau-based high-rolling gambler. Somehow I don't think this is what Solaire was thinking of when they advertise "The Great Exchange":
RCBC & Maia Santos-Deguito
The Epoch Times reports that in at least one of these transfers, $22 Million was placed into the Jupiter Street branch of Philippines RCBC and $427,000 of those funds were withdrawn in cash and loaded into the car of Maia Santos Deguito, the brand manager. The withdrawal was handled by Deguito's assistant, Angela Torres, who had the money delivered by armored car, took the money and placed it in a box, which was then transferred to a paper bag and placed in the branch manager's car. GMA News picks up the story of testimony from bank employees ... A bank employee said in testimony that Deguito told him, "I would rather do this than me being killed or my family," claiming that her life had been threatened if she refused to participate in the illegal activity. But when deposed herself, Deguito says her life was never threatened. The transfers from the Federal Reserve Bank of New York came to RCBC accounts under the names Michael F. Cruz, Jessie C. Lagrosas, Alfred S. Vergara, and Enrico T. Vasquez. From there, $66M was withdrawn and consolidated into an account in the name of William So Go. Deguito claims that Kim Wong, the front man for the Chinese pair, was a "friend of bank President and CEO Lorenzo V. Tan." Tan denies this, although he admits having seen Wong on a number of occasions.
The Treasurer of RCBC, Raul Victor Tan, has resigned "out of decency and honor, and despite his lack of involvement." Branch Manager Deguito reported to him and is largely believed to be the main point of contact between the bank and Gao Shu Hua. RCBC's president was also placed on leave from March 23rd. The Central Bank Governor in Bangladesh, Atiur Rahman, has been forced to resign as well.
My security is so bad that I'm suing you!According to The Epoch Times, the Bank of Bangladesh hired FireEye to investigate the situation. The initial FireEye report, released March 16th, indicated that at least 32 compromised assets had been identified that were part of a complex malware scheme for harvesting credentials needed for the SWIFT transfers and erasing logs of the activity in question.
In much the same way that small businesses have attempted to file lawsuits against their banks when their lack of security has led to malware infections that drained their accounts, the Bank of Bangladesh announced through Finance Minister AMA Muhith that they would sue the Federal Reserve Bank of New York. In Al-Jazeera, Muhith is quoted as saying "We've heard that Federal Reserve Bank of New York has completely denied their responsibility. They don't have any right."
But much like the small businesses who have lost those lawsuits once their ineptitude was put on display, Bank of Bangladesh may have trouble claiming the problem resided at the Fed. On Friday, April 22nd, Reuters and BBC both released stories exposing the horrible security at Bank of Bangladesh. The Reuters' headline read "Bangladesh Bank exposed to hackers by cheap switches, no firewall: police" while the BBC headline pronounced "$10 router blamed in Bangladesh bank hack". A forensic investigator working on the Bangladesh team, Mohammad Shah Alam, says the investigation was complicated by the lack of log files available on these discount routers, but the larger problem is the illustrated lack of any care about security that choosing such a device indicates in the first place. (It should be acknowledged that this contradicts the bank's statement that their firewall was penetrated by a sophisticated cyber attack:
"The central bank had put “zero tolerance security” and robust firewalls in place in the back office of its foreign currency division. But the cyber gang used a powerful malware to break the firewall and managed to send fake payment orders to the US bank, added the official." -- source: www.asianews.network/content/bangladesh-bank-installing-monitoring-software-11440
Who can Join Our Network?The bigger question raised in the Reuters story, though, is what responsibility should the western banking world hold in requesting to evaluate the security of those who would attach themselves to the trillions of dollars per day global financial markets? In the United States our regulations require that a holder of Personally Identifiable Information should require proof of the security of those they interact with in a wide variety of settings. HIPAA, the ruleset for protecting the privacy of your medical records, began requiring HIPAA-covered entities to take responsibility for the security of their vendors who may interact with sensitive records in 2013/2014. (See for example this story in IAPP -- "HIPAA Changes Mean Tightening Up Vendor Relationships"). In the same way the Payment Card Industry standard, PCI, that protects the privacy of credit card information also requires any covered entity to perform Due Diligence of their third party vendors (See their 47 page guidance on the subject, "Information Supplement: Third-Party Security Assurance").
So if my Hospital is not allowed to exchange patient data with an insurance company before checking the security of their networks, systems, and applications, and my Grocery Store is not allowed to exchange credit card information with a financial services company before checking the security their networks, systems, and applications, why would SWIFT and the Federal Reserve Bank system be allowed to move billions of dollars on behalf of banks that don't have a firewall and have $10 routers bought second hand off the Internet? SWIFT has announced they would be issuing "written guidance" to ensure their members are practicing proper security methods. Hopefully these are more robust than those in their 2012 Whitepaper "CPSS-IOSCO's Principles for Financial Market Infrastructures">. (To learn more see: SWIFT: Information Security)
Probably because we are trying to lower the barriers of entry to banks from depressed economies. "Is it fair" to require one of the poorest nations in the world to have to spend the same type of money that western nations spend on Internet security? Perhaps not. But until we do, these emerging economies are going to be a continual and growing target of the cyber criminals that are willing to invest "western-style" funds to accomplish heists that are truly worthy of a Hollywood movie.