Banking Report
One weekend in early February 2016, the central bank of impoverished Bangladesh found
$81,001,662.12 missing from its account with the Federal Reserve Bank of New York.
It all started with a malfunctioning printer. It's just part of modern life, and so when it happened
to staff at Bangladesh Bank they thought the same thing most of us do: another day, another
tech headache. It didn't seem like a big deal.
When staff found it wasn't working, at 08:45 on Friday 5 February 2016, "we assumed it was a
common problem just like any other day," duty manager Zubair Bin Huda later told police. "Such
glitches had happened before."
The plan was extremely complex, and took advantage of the different time zones involved in
international banking. Transferring money from the New York account of the Bangladesh Bank
into bank accounts in the Philippines meant the involvement of three time zones. The timing
was expertly planned, meaning that when the New York Fed began receiving fraudulent payment
orders on Thursday afternoon, the Bangladesh Bank was closed (their weekend begins on
Friday). Then, when the Bangladesh Bank reopened on the Sunday, the New York Fed was of
course closed for the weekend. At this realisation, the Bangladesh Bank tried to contact the
banks in the Philippines, which were closed for Chinese New Year. The attack came at a time
when the banks were unable to communicate effectively, increasing the attackers' chance of success. By
the time the banks in their respective countries were able to contact each other, it was too late.
It is suspected that emails containing malware were sent to employees of the Bangladesh Bank:
seemingly harmless files which, when opened, released malware onto the user’s computer.
From here, the attackers were able to gain access to the wider systems within the Bangladesh
Bank. In the meantime, bank accounts were being set up across the world for the eventual
transfer of money.
The attackers were also able to hack into the SWIFT network through the Bangladesh Bank. The
SWIFT network is used to transfer money internationally between banks, and the attackers were
knowledgeable about the system, suggesting they had carried out attacks like this before. Having
access to the SWIFT network meant that they could transfer money out of the Bangladesh
Bank’s account in the New York Federal Reserve.
A total of almost $1 billion was ordered to be transferred, though only $81 million was ever
actually transferred, as many of the requests were rejected by the New York Fed. A percentage
of the stolen money was immediately sent to a Chinese national, though it is unclear why;
perhaps this was someone who had played a role in the attack. The rest of the money, which
was sent to accounts across the world, including the Philippines and Sri Lanka, needed to be
laundered. This was achieved by sending the money to two casinos in the Philippines, where the
hackers gambled and cashed out, leaving no trace of the money.
The operation fit the patterns of the workings of the Lazarus Group, thought to be associated
with North Korea. North Korea is reported to employ over 1,500 hackers across the world,
supported by around 5,000 other staff. The traits of the Lazarus Group found throughout the
heist, combined with the known abilities of North Korean hackers in infiltrating banks newly
emerging into the market, lead to the strong likelihood that North Korean nation-state hackers
launched the attack.
Philippine Setting
The transactions, worth over $1 billion, were eventually halted, but not before $101 million was
successfully transferred, of which $81 million went to the Philippines.
The funds were transferred into four accounts at the Jupiter Street branch of RCBC, a mid-sized
lender. The accounts, under the names of Alfred Santos Vergara, Michael Francisco Cruz, Enrico
Teodoro Vasquez and Jessie Lagrosas, were all fictitious accounts, according to the
Department of Justice (DOJ).
The accounts were opened in May 2015, a year before the heist, and remained dormant until the
transfer in 2016. The Vergara, Cruz, Vasquez, and Lagrosas accounts received $19.9 million, $6
million, $25 million and $30 million, respectively.
On the day of the transfer, an account was opened for “William Go DBA Centurytex Trading,” and
received $22.73 million from the Lagrosas account.
The money was converted into pesos by Philrem and other remittance companies, and
distributed to the bank accounts of Weikang Xu, Eastern Hawaii Leisure Co., operator of Midas
Hotel and Casino, and Bloomberry Resorts and Hotels Inc., which holds the gaming license of
Solaire Resorts and Casino.
Deguito, the RCBC branch manager, was found guilty of eight counts of money laundering on
Jan. 10, 2019.
She said the court itself admitted that the bank accounts of Michael Francisco Cruz, Jessie
Christopher Lagrosas, Alfred Santos Vergara, and Enrico Teodoro Vasquez had been inactive
since 2015, when they were opened.
“Without the existence of an unlawful activity, its proceeds, and a monetary instrument or
property that represents, involves, or relates to such proceeds, then there can be no knowledge
of these facts as well. Clearly, no money laundering offense was committed when the accounts
were opened in May 2015,” she added.
Deguito, who is accused of allowing huge withdrawals from these accounts in February 2016,
said that the mere fact that the large sums of money, which exceeded P500,000, are considered
covered transactions under RA 9160 does not mean they came from unlawful activity.
“But a transaction does not become a violation of Republic Act No. 9160, as amended, by the
mere fact of its being a ‘covered transaction.’ The law, to be sure, does not say this. Instead, it is
the failure to report a covered transaction to the Anti-Money Laundering Council that constitutes
a money laundering offense,” Deguito noted.
The former RCBC manager said the court’s conclusion that she had full and prior knowledge of
the illegal source of funds “was not based on direct proof of the element of knowledge, as the
prosecution failed to present any.”
“Instead, it was only presumed by the Honorable Court from the alleged failure of accused to do
what the Honorable Court believes she should have done,” Deguito added.
The CA noted that one of Deguito’s major responsibilities was screening transactions according
to Anti-Money Laundering Act (AMLA) guidelines.
With her 16 years of experience in banking, she could not feign ignorance of the basic
provisions of the AMLA and the RCBC’s Money Laundering and Terrorist Financing Prevention
Program, the CA said.
The CA also noted that Deguito facilitated the opening of the accounts used for the Bangladesh
Bank heist by allowing them to be opened based on fictitious identification documents.
She did not personally witness the alleged clients filling out forms and signing customer
relationship forms and signature cards, violating the face-to-face policy of AMLA regulations,
the CA said.