The “Lazarus Heist” may sound like the plot of a Hollywood movie, but in 2016, a group of real-life hackers from North Korea calling themselves the “Lazarus Group” planned and executed a nearly perfect US$1 billion raid on Bangladesh’s national bank. The hackers would’ve gotten away with it if it hadn’t been for one little coincidence and a spelling error.
On February 5, 2016, the staff in the Bangladesh Bank detected a printer malfunction that took place on the 10th floor. This was an important step in the “Lazarus Heist.” The function of this piece of equipment was to print out a record of any multi-million dollar transactions into or out of the bank. Bank staff thought it was a typical hardware or software glitch. However, as the printer was rebooted it started printing messages from the New York-based Federal Reserve Bank (the Fed) trying to verify instructions they had received to drain the U.S.-dollar account the Bangladesh Bank had on deposit with them of the entire balance — US$951 million.
The bank tried to contact the Fed to get things sorted out, but the hack had been timed so as to make this impossible. The hackers had begun on Thursday evening, February 4, at 8 p.m., knowing that Friday was the beginning of the weekend in Bangladesh and therefore the bank would be closed. Meanwhile, it was Thursday morning in New York, and the Fed would have all day to process the transfer. By the time the bank in Bangladesh could potentially find out about the hack, it would be the weekend in New York, and the Federal Reserve would be closed. On top of that, Monday, February 8, was the first day of the Lunar New Year — a holiday across much of Asia — that hackers hoped would further delay any discovery of the attack.
The Lazarus Heist had been well planned for a long time
The North Korean group had been planning the “Lazarus Heist” for a long time. In January 2015, they sent an email to several bank employees from a supposed job-seeker with a link to a website where his résumé and cover letter could be downloaded. Someone inside the bank clicked on the link, downloaded the documents, and got their computer infected with a virus the hackers used to gain access to the bank’s computer system.
Before attempting to transfer any money, the hackers had to plan out their “escape route.” They set up four accounts with a branch of RCBC in the Philippines, one of the country’s largest banks, and deposited US$500 into them. The bank branch was located in a busy part of Manila, on Jupiter Street.
The final obstacle was the printer on the 10th floor of the main office of the Bangladesh Bank. Since it was being used to provide a paper backup of all multi-million dollar transactions, the hackers had to gain access to its software and disable it. Once they accomplished this, they began carrying out their plan, initiating a series of 35 transfers to the four accounts they had set up in the Philippines, totaling US$951. And that’s when the “Lazarus Heist” got tripped up by a little coincidence.
The bank in the Philippines was on Jupiter Street. At the time, the U.S. had sanctions against an Iranian shipping vessel named Jupiter, so the mere mention of the word was enough to flag the transactions in the Fed’s computer system. Once they were reviewed, most of the payments were stopped. Only five of them, totaling US$101 million, were successful.
The hackers directed US$20 million to a charity in Sri Lanka called the Shalika Foundation, and this is where the spelling error comes into the story. The transfer was set up to go to the Shalika “Fundation.” A bank employee spotted the mistake and reversed the transaction.
Still, the “Lazarus Heist” managed to net the Lazarus Group US$81 million, a lot less than they hoped for, but a devastating blow for Bangladesh.