Bangladesh’s central bank has asked the Federal Reserve Bank of New York to join a lawsuit it plans to file against a Philippines bank for its role in one of the world’s biggest cyber-heists, several sources said.
The Fed has yet to respond formally, but there is no indication it would join the suit.
Unidentified hackers stole $81 million from Bangladesh Bank’s account at the New York Fed in February last year, using fraudulent orders on the SWIFT payments system. The money was sent to accounts at Manila-based Rizal Commercial Banking Corp and then disappeared into the casino industry in the Philippines.
Nearly two years later, there is no word on who was responsible, and Bangladesh Bank has been able to retrieve only about $15 million, mostly from a Manila junket operator.
Legal action discussed
Officials from Bangladesh Bank and the New York Fed spoke about legal action against RCBC in a conference call last month that was also attended by two representatives from SWIFT, according to three sources in Dhaka who had direct knowledge of the conversations.
It was agreed that Bangladesh Bank would send a proposal on the suit to the New York Fed, they said.
“The aim is to file a case by March-April in New York,” said one of the sources. “Work is on. Bangladesh Bank is likely to send something to the Fed soon.”
The source said the idea was it would be a civil suit to recover the money, and that Bangladesh hoped the Fed and SWIFT would be joint petitioners.
Subhankar Saha, a spokesman for Bangladesh Bank, said he had no knowledge of any plans to sue RCBC but that “efforts are on to recover the entire stolen money.”
The New York Fed and SWIFT declined comment.
A source familiar with the New York Fed’s thinking confirmed that Bangladesh Bank’s external counsel raised the idea of filing a suit against RCBC in the call.
The New York Fed officials agreed to review any proposal Bangladesh Bank wrote up, but they did not formally agree to a joint effort, and have not since worked on it nor heard from Bangladesh Bank, the source said.
RCBC has blamed rogue employees, and Philippine prosecutors have filed money-laundering charges against a former RCBC bank manager and four people who owned the bank accounts where the funds were sent, but are not identifiable because the accounts were in fake names. They are the only people to be formally cited in association with the crime.
Bangladeshi officials have cited internal RCBC documents, also seen by Reuters, to assert that the Filipino bank ignored suspicions raised by some RCBC officials when the money was first remitted to the accounts on Feb. 5, 2016, and then delayed acting on requests from RCBC’s head office to freeze the funds on Feb. 9.
RCBC did not respond to requests for comment. But it has said in the past that it would not pay any compensation and that Bangladesh Bank bore responsibility for the theft since it was negligent.
RCBC was fined a record 1 billion Philippine pesos ($20 million) by the country’s central bank last year for its failure to prevent the movement of the stolen money through it.
Separately, a Bangladesh court has sent letters rogatory to the United States seeking the findings of the Federal Bureau of Investigation (FBI) into the case, said the main police investigator in Dhaka. Letters rogatory are documents used to obtain judicial assistance from foreign courts.
“We have questions for the Federal Reserve Bank, we want to collect the FBI report, what their findings are,” Molla Nazrul Islam, a special superintendent of police in Bangladesh, told Reuters this week.
An FBI spokeswoman said the agency could not comment on ongoing cases.
A hacking group called Lazarus that is believed to have connections to North Korea has been linked to the Bangladesh cyberheist, and some U.S. officials said earlier this year that prosecutors were building a case against Pyongyang. But no case has yet been filed.