As the investigation continues into what has been dubbed the largest financial cybercrime operation in history, it has emerged the Federal Reserve Bank of New York had previously rejected over 30 transfer requests made by hackers targeting various central banks in Asia.
The disclosures, which come courtesy of Reuters, revealed that mere hours before the New York branch of the US central bank approved five transfers totalling $101m directly to the hackers in question, the bank had blocked the same requests due to suspicious formatting.
On 4 February earlier this year, the same day as the Bangladesh theft, the Fed reportedly halted a total of 35 transfer requests to "various overseas accounts", including in the Philippines and Sri Lanka, because they did not pass the checks demanded by the Swift system – which is used by 11,000 financial institutions to communicate and send money around the world.
Later in the day, however, the persistent hackers – who had allegedly exploited the Swift system via the Bangladesh central bank – resubmitted the 35 requests with the proper formatting in place, which were then authenticated by Swift.
Despite this, Reuters reports the Fed rejected 30 of the requests for a second time because they were flagged for an "economic sanctions" review. However, it did let through five requests totalling $101m, but recalled one transfer of $20m after the infamous case of misspelling that first alerted authorities that they would soon be facing a major problem.
In light of this, sources told Reuters the suspicious transfers should have raised red flags at the time. "Of course, we asked the Fed why the repetition of the names did not create red flags," the source close to the Bangladesh Bank said. "They are saying they rejected 35 badly submitted ones," it added. But when the requests were re-submitted, they "paid five of them and stopped 30. Why? They can give no answer."
As previously reported, the compromised $81m ($56m) was sent to a number of accounts owned by the hackers before being re-routed to a number of unnamed casinos. It is a case that has involved high-profile resignations of banking officials and even an abduction. At the time of writing, the missing money has still not been located and an in-depth investigation is ongoing.
The Fed declined to comment on the allegation it missed so-called red flags. However, it did say there were no problems with its internal procedures. This mirrors recent comments from the Brussels-based Swift, which maintains its core procedures were not impacted by the elusive hackers.
Meanwhile, as the scope of the investigation quickly expanded to impact banks in Vietnam and Ecuador, the chief executive of Swift, Gottfried Leibbrandt, warned the 11,000 financial members that they need to bulk up security or risk suspension.
Speaking to The Financial Times, he said: "We could say that if the immediate security around Swift is not in order we could cut you off, you shouldn't be on the network [...] the days when you needed to break into a bank and carry guns and blow torches are over. You can now rob a bank from just your own PC and that does change the game completely."