Sri Lankan in Bangladesh cyber heist says she was set up by friend
When Hagoda Gamage Shalika Perera, a small Sri Lankan businesswoman, got a deposit of $20 million in her account last month, she said the funds were expected but had no idea they were stolen from Bangladesh’s central bank in one of the largest cyber heists in history.
Unknown hackers breached Bangladesh Bank’s systems between Feb. 4 and Feb. 5 and tried to steal nearly $1 billion from its account at the Federal Reserve Bank of New York.
Many of the payments were blocked. But $20 million made its way to Perera’s Shalika Foundation before the transfer was reversed. Bangladesh central bank officers said they acted after a routing bank, Deutsche Bank, sought clarification on the transfer because hackers misspelled the company’s name as “Fundation.”
Another $81 million was routed to accounts in the Philippines, and diverted to casinos there, where the trail runs out..
The Philippines Senate is holding hearings in the case, but until now, few details had emerged on the Sri Lanka link.
In her first public comments on the case, Perera, a struggling businesswoman who heads Shalika, told Reuters she expected $20 million to come from the Japan International Cooperation Agency (JICA) to help fund a power plant and other projects in Sri Lanka. She said she had no direct dealing with JICA, but the deal was arranged by an acquaintance who she met in Sri Lanka but had connections in Japan.
Shalika was set up in October 2014 and says in its registration documents that it constructs low-cost houses and provides other social services.
Reuters was unable to independently confirm Perera’s account or to reach the acquaintance she named, via the email and phone numbers she provided.
JICA, a Japanese government agency that provides official development assistance, said it has no ties with Shalika Foundation, including through any intermediaries.
“We have had no exchange with them, and that includes such areas as loans and grants,” JICA spokesman Naoyuki Nemoto said.
The Sri Lankan police’s criminal investigation division declined to comment because the probe is ongoing.
“We are very genuine people. We are not doing any illegal things,” said Perera, speaking in English and Sinhalese in an interview in Colombo, the Sri Lankan capital. The 36-year-old was accompanied by her husband, Ramanayaka Arachchige Don Pradeep Rohitha Dhamkin, also a director in her company.
Perera said she now thinks the acquaintance was either a victim of the hackers or in league with them, and she was hoodwinked into becoming a part of their scheme.
She showed Reuters a copy of an inward remittance advisory from the SWIFT bank messaging system to put the $20 million in her company’s account. The remitting entity was shown as a Bangladesh government electricity agency that had taken a loan from JICA in 2010 to fund an electricity project.
The head of the Bangladesh government agency, the Bangladesh Rural Electrification Board, said it was “ridiculous” to think that the money could have come from them.
“Maybe they used this government organisation’s name to make it believable,” said Brigadier General Moin Uddin, the agency head.
Police have questioned Perera’s acquaintance, according to an investigation report filed in the Colombo Magistrate’s Court on Thursday. The man told authorities that a Japanese middleman had helped arrange the funding, according to the report.
The report provided the names of Perera’s acquaintance whom Reuters has been unable to locate and the Japanese middleman. Reached by phone, the middleman said he was travelling and unable to provide immediate comment.
The court has ordered a travel ban on Perera, her husband, the acquaintance and four other people listed as directors of her company.
Perera maintains she is innocent and describes the government’s move as “an injustice”.
Perera is, by her own admission, struggling. She said she has four other enterprises, including a publishing firm, an auto parts company, a construction company and a catering firm.
In 2014, losses from her publishing firm were so bad that she was forced to sell her computers. She said she now does her business from Internet cafes, and held meetings with potential investors at Pizza Hut and other restaurants.
In early February, Perera said her acquaintance, who had been helping her for more than a year to meet investors, told her to expect $20 million from JICA. Under their agreement, the payment would be split, between her power plant project and a housing project controlled by her acquaintance, she said.
According to a Sri Lankan police investigation report seen by Reuters last week, Perera told her bank, a Colombo branch of Pan Asia Bank, that the company expected to receive $20 million from a Japanese fund.
A Pan Asia Bank official declined to comment, citing the investigation.
Perera said she had not seen the report, which was submitted to the magistrate’s court last week.
According to the report, bank officials said Perera left instructions with them to transfer $7.72 million to her own personal account and $11.12 million to an account controlled by her acquaintance once the transaction had cleared.
Perera confirmed she had given the instructions to the bank, and said they reflected the money earmarked for the two projects and commissions. The rest was to be used for taxes, she said.
The money was remitted by the Pan Asia Bank to Shalika Foundation’s account on Feb 4, but the bank refused to release the funds as the amount was unusually large and sought further verification, according to last week’s police report.
On Feb. 9, Perera was told by her bank that the Bangladesh central bank had asked for the transaction to be reversed, according to the report.
A half a pound of tupenny rice,
A half a pound of treacle.
Mix it up and make it nice,
Pop! Goes the weasel.