In February of this year, instructions to steal nearly $1b from Bangladesh Bank were issued via the SWIFT network. Reuters recently uncovered that hours before the successful theft, the NY Fed actually blocked the requests due to formatting errors. But once the criminals resubmitted their transfer requests with the proper formatting, the requests were authenticated by SWIFT. The set of circumstances raises fresh concerns about SWIFT messaging system and central banks' cyber-security capabilities.
The Bangladesh Bank official said they lacked the names of correspondent banks, which typically receive wired funds. The Fed rejected the requests, which came from hackers who had broken into the SWIFT network through Bangladesh Bank systems. Later in the day, however, the cyber thieves resubmitted those 35 requests. On the second try, the messages had the proper formatting, the New York Fed official said. The requests had been authenticated by SWIFT, the first line of defense against fraudulent wire transfers. Despite the technical compliance, the New York Fed rejected 30 of the requests a second time. But the Fed did approve five requests – for a total of $101 million. Later, one of those five transfers - a $20 million request - was reversed because of a misspelling.