OPINION
JP Fenix
UCPB’s P167 Million Question leads to more questions than answers

LAST September 3, 2020, another major cyber bank theft hit the headlines. United Coconut Planters Bank was hit with a P167 Million theft. Inquirer’s Dax Lucas reports: Hackers exploited the Philippines’ Independence Day weekend last June to steal millions of pesos from the government-controlled United Coconut Planters Bank (UCPB) through a combination of massive automated teller machine (ATM) withdrawals and online transfers over the three-day holiday.

In at least one case, the perpetrators of this heist—believed by authorities to be a syndicate of Nigerians and Filipino cohorts—bypassed built-in computer safeguards to make 57 withdrawals during this period from a single ATM and emptied the machine’s entire stock of P4 million in cash, the Inquirer learned.

Bank officials and government regulators confirmed that the total loss to UCPB amounted to P167 million, which was first reported by bilyonaryo.com on Tuesday evening…

…Authorities are also looking into the possibility of a bigger syndicate operating in the local banking system because some of the funds stolen from UCPB were transferred via Instapay online money transfer facility to accounts in other local banks, from where they were promptly withdrawn.

A ranking bank official, who requested anonymity because several internal and external probes were still in progress, said the hackers created 13 bank accounts with UCPB in May of this year and left them dormant until the heist a month later.

“All those parties who opened the accounts are included in the complaint the bank filed with the National Bureau of Investigation,” the official said, adding that the account holders with other banks that received the stolen funds from UCPB were also included in the complaint.

“These guys were very good and they used the three-day weekend to give them more time to make the withdrawals,” said another official familiar with the details of the heist, adding that the interconnected ATM networks of banks in the country also made it easier for the perpetrators to withdraw from UCPB through other banks’ cash machines.

“In one case, they withdrew money from a single Bank of the Philippine Islands ATM 57 times during those three days,” he said. “When we checked the videos of the ATMs, the person making the withdrawals were black.”

He added that it was the NBI which identified the people making the ATM withdrawals as Nigerians, adding that some of them were on the government’s watchlist of potentially suspicious personalities…


This adds to the major financial black eyes the Philippines has been collecting. Most recently there was the case of Wirecard, the German payment processor whose collapse had close ties to the Philippines.

Much earlier, in 2016, the Bangladesh Central Bank was hacked and funds were stolen and then diverted to the Philippines. As the report of the heist in Wikipedia says: The Bangladesh Bank robbery, also known colloquially as the Bangladesh Bank cyber heist, took place in February 2016, when thirty-five fraudulent instructions were issued by security hackers via the SWIFT network to illegally transfer close to US$ 1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank, the central bank of Bangladesh. Five of the thirty-five fraudulent instructions were successful in transferring US$ 101 million, with US$ 20 million traced to Sri Lanka and US$ 81 million to the Philippines. The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to US$ 850 million, due to suspicions raised by a misspelled instruction. All the money transferred to Sri Lanka has since been recovered. However, as of 2018 only around US$ 18 million of the US$ 81 million transferred to the Philippines has been recovered. Most of the money transferred to the Philippines went to four personal accounts, held by single individuals, and not to companies or corporations…

…The money transferred to the Philippines was deposited in five separate accounts with the Rizal Commercial Banking Corporation (RCBC); the accounts were later found to be under fictitious identities. The funds were then transferred to a foreign exchange broker to be converted to Philippine pesos, returned to the RCBC and consolidated in an account of a Chinese-Filipino businessman; the conversion was made from February 5 to 13, 2016. It was also found that the four U.S. dollar accounts involved were opened at the RCBC as early as May 15, 2015, remaining untouched until February 4, 2016, the date the transfer from the Federal Reserve Bank of New York was made.

On February 8, 2016, during the Chinese New Year, Bangladesh Bank informed RCBC through SWIFT to stop the payment, refund the funds, and to ″freeze and put the funds on hold″ if the funds had already been transferred. Chinese New Year is a non-working holiday in the Philippines and a SWIFT message from Bangladesh Bank containing similar information was received by RCBC only a day later. By this time, a withdrawal amounting to about US$ 58.15 million had already been processed by RCBC's Jupiter Street (in Makati City) branch.


A number of points struck us as we read further and deeper into this world of big-time bank cyber theft. First, the use of mule accounts: ordinary deposit accounts, opened at various banks and left unused, that serve as sleeper accounts until they are activated at the appointed time. Funds are moved in and out of them within hours, and the money then disappears into thin air.

Second, the thieves time their operations around holidays, when branches are physically closed and most personnel are on leave. For UCPB it was Independence Day; for the Bangladesh theft it was Chinese New Year. With a skeleton staff on duty, fraud can go unnoticed and unattended until the next official banking day.
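To make the first two observations concrete, here is an added illustration, written for this column and not taken from UCPB, RCBC or any bank's monitoring systems, of the kind of rules a fraud-monitoring team can run over a transaction ledger: an account that sat idle after opening and first wakes up on a holiday, more withdrawals from a single ATM than any customer plausibly makes, and money that arrives and leaves again before the banks reopen. The ledger lines, account and terminal names, the 12 to 14 June 2020 window and the thresholds are all constructed assumptions for the example.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import date, datetime

# Thresholds are assumptions chosen for this illustration, not any bank's real policy.
HOLIDAY_WINDOW = (date(2020, 6, 12), date(2020, 6, 14))  # assumed Independence Day long weekend
DORMANCY_DAYS = 21              # account opened at least this long before its first activity
TERMINAL_WITHDRAWAL_LIMIT = 10  # more withdrawals than this from one terminal in the window
CASH_OUT_RATIO = 0.9            # share of window inflow that leaves again inside the window


def build_sample_log():
    """Constructed CSV ledger (not real transaction data) covering three accounts."""
    lines = [
        "ts,account,opened,channel,direction,amount,terminal",
        # Mule account: opened in May, idle, then loaded by Instapay on the holiday and drained.
        "2020-06-12T18:02:11,ACC-0001,2020-05-11,INSTAPAY,IN,960000,",
        "2020-06-13T09:15:40,ACC-0001,2020-05-11,INSTAPAY,OUT,700000,",
    ]
    for i in range(12):  # twelve 20,000-peso withdrawals from the same third-party ATM
        lines.append(f"2020-06-12T{19 + i // 6:02d}:{(i % 6) * 9:02d}:00,"
                     "ACC-0001,2020-05-11,ATM,OUT,20000,BPI-ATM-417")
    # Control: long-established salary account with ordinary holiday spending.
    lines += [
        "2020-06-10T08:00:00,ACC-0002,2019-03-02,PAYROLL,IN,45000,",
        "2020-06-13T11:20:00,ACC-0002,2019-03-02,ATM,OUT,5000,UCPB-ATM-009",
    ]
    # Partial match: new account, one small holiday withdrawal, no inflow.
    lines.append("2020-06-14T10:05:00,ACC-0003,2020-05-20,ATM,OUT,3000,UCPB-ATM-031")
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Parse CSV ledger lines into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["ts"]),
            "account": r["account"],
            "opened": date.fromisoformat(r["opened"]),
            "channel": r["channel"],
            "direction": r["direction"],
            "amount": int(r["amount"]),
            "terminal": r["terminal"] or None,
        })
    return rows


def in_window(day, window=HOLIDAY_WINDOW):
    return window[0] <= day <= window[1]


def flag_accounts(rows, window=HOLIDAY_WINDOW):
    """Return {account: sorted flag names} for every account that trips at least one rule.

    Assumes the ledger holds each account's full history since opening, so the
    earliest row really is the account's first activity.
    """
    by_account = defaultdict(list)
    for r in rows:
        by_account[r["account"]].append(r)

    flags = {}
    for account, txns in by_account.items():
        txns.sort(key=lambda t: t["ts"])
        hits = set()

        # Rule 1: sleeper account -- opened, left idle, first activity lands in the window.
        first = txns[0]
        idle_days = (first["ts"].date() - first["opened"]).days
        if in_window(first["ts"].date(), window) and idle_days >= DORMANCY_DAYS:
            hits.add("SLEEPER_ACCOUNT")

        window_txns = [t for t in txns if in_window(t["ts"].date(), window)]

        # Rule 2: ATM withdrawal velocity per terminal inside the window.
        per_terminal = Counter(t["terminal"] for t in window_txns
                               if t["channel"] == "ATM" and t["direction"] == "OUT")
        if per_terminal and max(per_terminal.values()) > TERMINAL_WITHDRAWAL_LIMIT:
            hits.add("ATM_VELOCITY")

        # Rule 3: money arrives and most of it leaves again before the banks reopen.
        inflow = sum(t["amount"] for t in window_txns if t["direction"] == "IN")
        outflow = sum(t["amount"] for t in window_txns if t["direction"] == "OUT")
        if inflow and outflow / inflow >= CASH_OUT_RATIO:
            hits.add("RAPID_CASH_OUT")

        if hits:
            flags[account] = sorted(hits)
    return flags


if __name__ == "__main__":
    for account, hits in flag_accounts(parse_log(build_sample_log())).items():
        print(account, ", ".join(hits))
```

Run against the constructed ledger, the mule account trips all three rules, the salary account trips none, and the newly opened account with one small withdrawal trips only the sleeper rule, which is the point: no single rule is damning, but an account that is new, idle until a holiday, draining through one third-party ATM and emptying itself within the same weekend is worth a call before the next banking day, not after it.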

Third, there is a high likelihood of an inside job, with personnel inside the banks and agencies in cahoots with the perpetrators. The manager of the RCBC Jupiter Street branch was charged. In the case of UCPB, vulnerabilities in its computer security systems were exploited at a time when the bank was supposedly working on fixing them.

Beyond these is the involvement of Nigerians in the operation. Without being racist about it, we note the unusually high number of recent online and cybercrime cases involving young, technically competent Nigerians. News reports record 13 Nigerians arrested in 2018 running an online fraud operation in Cavite; a Nigerian nabbed by police in 2019 for a P8 million online scam; another Nigerian arrested in an online scam in Cavite, also in 2019; and the list goes on, up to the men caught on ATM video withdrawing millions in the UCPB cyber theft.

My banking sources tell me that these suspected Nigerians are but a small component of the whole cybercrime network, a network that involves various components that are compartmentalized and don’t know about what the other tentacles are doing, and the puppet masters are in various parts of the world.

Part of the Nigerian end of these operations is acquiring or buying the mule accounts mentioned earlier.

Higher up the chain are the hackers: Russians, Americans, Africans and Asians, all working from their caves. In the case of the UCPB heist the suspected hackers are a North Korean group called BeagleBoyz. According to a report in MSSP Alert: A North Korean-sponsored hacking group referred to as BeagleBoyz has re-ignited, after a brief lull, a six-year long, multi-country campaign to steal money through fraudulent bank transfers and ATM cash outs, four federal agencies warned in a new advisory.

The alert, jointly issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, the Federal Bureau of Investigation (FBI) and U.S. Cyber Command, identified malware and other indicators used by the North Korean government in the cyber robbery scheme, which federal officials dubbed “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.” The agencies pointed the finger at North Korea’s spy agency for the operation.

Officials described the cyber crew’s raids as “well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities” than typical cybercrimes. Their malicious cyber operations have netted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime.


Curious to note that BeagleBoyz, aptly named after the Beagle Boys, the comic-book gang created by Carl Barks to rob Donald Duck's rich uncle Scrooge McDuck, is described in the security world as overlapping with APT 38, the group that did the hacking of Bangladesh Bank.

So while police authorities here and all over the world are moving to make arrests, file charges and perhaps even jail people, these incidents are not likely to go away. First, the perpetrators are multi-headed with far-reaching tentacles: cut one off and a new one grows in its place. They are compartmentalized and regenerate severed tentacles almost instantly.

Second, they are patient. They watch for years, sitting on logistics like mule accounts and sleeper operators that are switched on swiftly when the right time, vulnerability and opportunity line up.

Third, they are relentless. They never sleep; the attacks and hacking attempts go on 24/7 until they make a hit. Kaspersky, one of the leading anti-virus companies, runs a real-time worldwide map at https://cybermap.kaspersky.com/ that plots the attacks its sensors detect as they happen. It is mesmerizing to watch. It also places Russia as the most attacked country, with the Philippines at #17.

Even closer to home, when I worked on a crisis project of a financial institution during a possible sensitive data breach, a couple of cyber security people of major banks I was in touch with showed me the constant bombardment of hackers on their systems. They were attacking, but thankfully failing, to get into the banks' systems and trying to embed malware and viruses that could open the gates to access into anything and everything.

Beyond the world of cybercrime there is the strong belief that all these are entangled with the movement of money and the multiplication of riches of organized crime all over the world. Many years ago, while shooting the breeze with my media cohort and Bong Revilla, who was then heading the Optical Media Board (OMB), we were discussing the efforts of the agency to fight movie piracy. At that time he told us that the pirated DVDs sold in the tiangges all over the country were being manufactured in ships with plastic resin processors and copying computers while floating on international waters just off our borders.

But what struck me was what he said about the seemingly harmless crime of supplying pirated movies in the market. Yes, he said, the consumers are given access to cheap and affordable entertainment while the only victims are the big time Hollywood producers who make billions anyway despite the piracy of their intellectual property. However, they found that those involved in the pirated DVD supply are the same groups involved in the manufacture and distribution of fake medicines, smuggling, kidnapping, drug pushing, white slavery, child prostitution, murder for hire, extortion… you name the crime, they’re there.

And now there's cybercrime. The syndicates have the cash flow, and they need to invest that cash in further criminal operations to keep more cash rolling in. Some of the money is laundered through legitimate investments, but the returns are less lucrative, and the authorities are catching up with such schemes through anti-money laundering councils and their practices.

So yes, the Bangladesh Bank/RCBC incident had some resolution, and even in the UCPB heist the authorities are closing in on some of the identified perpetrators. But there is much more the world should look out for, especially as we go into the post-pandemic, digital-money-driven new normal.

JP Fenix
JP Fenix, Strategic Communications Professional.
https://twitter.com/jpfenix
Sep 7, 2020