DHAKA, Bangladesh—Someone using official codes stole $100 million from Bangladesh’s account at the New York Fed over a recent weekend. Authorities in four countries are still piecing together what happened.

The breach funneled $81 million from the country’s account at the New York Federal Reserve to personal bank accounts in the Philippines. Another $20 million was directed to a bank in Sri Lanka.

In scenes that would be right at home in Hollywood, the unknown criminals sent 35 transfer requests through the Swift interbank messaging system, a Bangladesh Bank official and an official of the Ministry of Finance have said. Whoever made the requests had the necessary codes to authorize Swift transfers and put in the payment requests on a weekend, the officials said.
The incident has led to recriminations, with Bangladesh’s finance minister accusing the Fed of irregularities, and questions being raised about the quality of security in the South Asian country. In an early sign of fallout from the breach, Bangladesh’s central-bank governor, Atiur Rahman , resigned Tuesday.

http://www.wsj.com/articles/crime-scene-who-stole-100-million-from-bangladeshs-account-at-the-new-york-fed-1458052955

A $1 billion cyber heist against Bangladesh’s central bank was thwarted by a spelling error

The cyber thieves, using the Bangladesh Bank’s credentials for transferring funds, tried to move another $850 million out of the US account, but one of the transfer requests raised an alarm when the word “foundation” was misspelled as “fandation.” The error was spotted by Deutsche Bank—one of the routing banks—which then asked the Bangladesh Bank for clarification, officials told Reuters. The central bank confirmed the attempted theft on March 13. But it had not immediately informed Bangladesh’s finance ministry when it learned of the breach, prompting finance minister Abul Maal Abdul Muhith to call the handling of the issue “very incompetent.”
...
On March 15, a senator in the Philippines who was investigating the theft said that more than $30 million of the stolen funds were given to a Chinese man in Manila, in cash. Reuters reported that the cash delivery would have meant a transfer of “at least 780,000 banknotes.”

The Anti-Money Laundering Council in the Philippines is in the process of drafting charges against several people suspected of being involved in the theft.

Meanwhile, the New York Fed has said there is still no evidence that its systems were penetrated. It indicated that the transfer requests passed muster with SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, which is the global messaging network used by banking institutions to securely send information about financial transactions. From the New York Fed’s March 9 statement:

http://qz.com/639369/a-1-billion-cyber-heist-against-bangladeshs-central-bank-was-thwarted-by-a-spelling-error/

A tranche of $29 million ended up in an account of Solaire, a casino resort owned and operated by Bloomberry Resorts Corp (BLOOM.PS). Bloomberry is controlled by Enrique Razon, the Philippines' fifth-richest man in 2015, according to Forbes.

Silverio Benny Tan, corporate secretary of Bloomberry Resorts, told the hearing that the $29 million was transferred into a casino account under Xu's name in exchange for 'dead chips' that can only be cashed in from winnings.

Bautista said a further $21 million went to an account of Eastern Hawaii Leisure Co., a gaming firm in northern Philippines. Reuters tried several phone numbers to seek comment from Eastern Hawaii officials but was unable to reach any.
...
Senator Guingona said that because casinos are not covered by the country's anti-money laundering laws it was not clear if the stolen funds could ever be recovered.

http://www.reuters.com/article/us-usa-fed-bangladesh-governor-idUSKCN0WH0JF