On Thursday, 4 February 2016, after a year of meticulous malware-enabled close observation of its computer systems, an international criminal group called Lazarus tried to steal a billion dollars from Bangladesh Bank. The country’s central bank was a soft target, with no firewall, and simple $10 electronic switches connecting it to the SWIFT global payment system — used by over 11,000 financial institutions around the world.
The Federal Reserve in New York, meanwhile, is the largest bank in the world, housed in one of its most secure buildings, with its own power plant, water supply and communications system. One problem: back in 2016, it hadn’t thought to put in an emergency hotline for its customers. This, in an institution responsible for providing financial services to foreign central banks and international organisations as well as to the US government, has since proved to be, shall we say, a source of embarrassment.
An interview with British investigative journalist Misha Glenny provides the narrative for Billion Dollar Heist, a documentary that makes up, with its talking heads and comic-book graphics, what it lacks in expensive location shots. Reuters journalist Krishna Das guides us through the heist itself. Of the 35 financial transactions Lazarus attempted, the Federal Reserve Bank of New York cleared five, sending 101 million dollars in two directions: $20 million to Sri Lanka (where a spelling error raised a red flag and stopped the transaction) and $81 million to the Philippines, where Under Philippine banking laws, the stolen funds could not be frozen until a criminal case was lodged. Most of the $81 million disappeared into the country’s casino industry, which is exempted from anti-money laundering laws, and was lost, presumably forever.
Requests for payment continued to pour in, totalling around a billion dollars. By then, though, and frankly more by luck than good management, the fraud had been detected. (The fraud: not the hack. That took months to unpick.)
Finnish computer security expert Mikko Hyppönen and Eric Chien, technical director of Symantec’s Security Technology and Response division, lead the film’s discussion of the implications.
The Lazarus Group, bankrolled by the North Korean government, was responsible for the heist. In 2017, a year after the events recounted here, it attacked five Asian crypto exchanges and made off with $571 million.
If they worked purely to line their own pockets, this would be bad enough, but such organisations — and there are about a dozen of them, including APT 10 (backed by China) and Sandworm (backed by Russia) — are very much thieves for hire, riding the boom in state-sponsored cybercrime that’s been triggered, we’re told here, by the growing effectiveness of the global sanctions regime.
If the daylight world of international diplomacy stops your bank accounts, you know who to call.
Billion Dollar Heist is directed by Daniel Gordon, a sports documentary maker whose 2002 film, about the 1966 North Korea national football team drew him into more politically charged territory. True to his pedigree, he spins a logistically complex story in terms that are easy to follow. No ponderous political generalisations cloud his narrative. This is a caper movie, albeit one with a vicious sting in the tale, as Misha Glenny spends the last few minutes of screentime preparing us for the world this heist and others are ushering in. The world hasn’t had an all-out cyberwar yet, but it’s coming, care of Lazarus and other groups the US State Department has designated “Advanced Persistent Threats”.
Health services, transport networks, communications, finance and the apparatus of government: all are a single human error away from compromise, and then annihilation.
Remember that, next time you forget your keys.