A binge on the game baccarat, a card game played in casinos, played the critical role in the largest cyberheist in history when $81 million was stolen from the Bangladeshi central bank by hackers who issued bogus instructions through Swift, the global interbank payment system, in early February, 2016.
According to reports by the Philippine Senate committee, the Federal Reserve Bank of New York, and the Bangladesh Ministry of Finance, the cyberthieves messaged the New York Federal Reserve Bank, in which Bangladesh Bank had deposited funds, directing it to send these funds to a handful of bank accounts, mostly in the Philippines, which they had set up using fake names.
The money trail involved the Jupiter Street branch of Rizal Commercial Banking Corporation (RCBC), PhilRem Service Corporation, Solaire Resort and Casino, Midas Hotel and Resort, and some casino junket operators, reports Bloomberg Markets.
The Chinese duo Ding Zhize, 45, and Gao Shuhua, 53, who ran casino VIP rooms, facilitated the entry of the laundered money into Philippine casinos including MetroManila’s Solaire Resort by bringing in high rollers from China to play in the VIP rooms.
But how did they do it? Ding and Gao laundered the cyberheist money using rolling chips, which are non-negotiable and used to track VIPs' play in casinos. They must gamble at least once, with any winnings paid in normal, negotiable chips that can then be redeemed for cash.
The Chinese duo did this by betting on both hands of the game baccarat, so as to strike a balance between gains and losses. This was because money cannot be laundered through a casino by winning a game, but rather by exchanging millions of dollars for chips which can then be swapped for untraceable cash at the end of the night. This is how the pair was able to ensure that the money disappeared.
The rolling chips also ensure that casinos pay refunds on amounts that are actually gambled.
The next day, on February 9, almost all of the cyberheist money was transferred into four fake accounts in the Philippines through a variety of other accounts. The money was then transferred on to a payment company called Philrem Service Corp. PhilRem converted part of the $81 million into pesos and delivered the money in cash instalments to registered casino junket operator Xu, Eastern Hawaii Leisure Company Limited, and Bloomberry Hotels Incorporated, the parent company of Solaire casino.
The hackers originally intended to funnel $951 million of Bangladesh Bank’s money into phony accounts, according to various investigations.
What facilitated the laundering of the stolen money was that the day following February 8, 2016 was Chinese New Year. Chinese New Year is celebrated as a public holiday in the Philippines, with banks closing.
Thus, four stop-payment requests from Bangladesh Bank to RCBC went unnoticed.
By the time Ding, Gao, and their players had their casino accounts frozen in March 2016, they had managed to make tens of millions of the cyberheist dollars disappear, according to a Philippine Senate committee that investigated the theft. Philippine authorities are still investigating Ding and Gao as well as other aspects of the case, says Vencent L Salido of the Anti-Money Laundering Council.
According to testimony given in the Senate by Kim Wong, the president of Eastern Hawaii Leisure and a Chinese junket operator who ran a number of VIP rooms in Manila casinos, including the Solaire, he had set up the RCBC accounts along with Beijing resident Gao whom he had known for eight years and a Macau resident named Ding, as well as the Jupiter branch manager at the time, Maia Deguito.
According to the Senate committee report, Ding, Gao, and Deguito were able to set up the accounts using fake names, fake addresses, and fake declarations that Deguito had met the account holders in person and confirmed their identities.
Wong said Gao and Ding had tricked him into saying that the money had come from a land sale to the Chinese government to make way for a new airport in Beijing.
In April, the Philippine Department of Justice indicted Deguito and the owners of Philrem, but dropped the case against Wong, citing a lack of evidence, Salido says. Wong has returned $15 million to the authorities, which was then transferred back to Bangladesh Bank.
Deguito denied the allegation and said that she acted on instructions from RCBC bosses.
However, RCBC said in an emailed statement: “Based on our investigation, Deguito acted alone with the help of some of her co-workers and subordinates at the Jupiter Branch which she headed.”
The bank said: “Her actions were inimical to her job and against RCBC’s policies, which resulted in her termination and the filing of cases against her.”
Of the money transferred out of RCBC, the Philippine Daily Inquirer quotes Wong as saying that about $29 million was wired by Philrem to Bloomberry Resorts and credited to Ding, mainly for gambling in the Solaire’s VIP room; $21 million was wired to Eastern Hawaii Leisure and used primarily in the VIP rooms of other casinos.
An additional $31 million, according to testimony from Philrem Chairman Michael Bautista, was delivered in cash to Wong.
Wong further alleged that $17 million was still with remittance company Philrem, and that only $13.5 million had been delivered in cash, a claim that the company's owners denied during the hearing.
Ding and Gao’s main business was running illegal gambling operations, including recruiting people for foreign gaming junkets. As a result, it was not the first time that the Chinese pair had managed a laundered transaction.
Like their laundered money, Ding and Gao left the Philippines without a trace, but the duo were wrong in thinking they would be able to keep their names screened from the investigation into the money laundering.
The whole scam did not end in the casino VIP rooms. Instead it moved on to China and then perhaps even North Korea, home to Lazarus, one of the world’s most active state-sponsored hacking collectives.
According to a paper published in the British Journal of Criminology in February, Ding set up an investment company in 2007 just as Macau, in revenue terms, was becoming the world’s biggest gambling centre.
His neighbour Ding specialised in arranging off-table bets – private wagers from anonymous gamblers using bookmakers which are illegal under Chinese law.
Ding’s former business partner said that Xiamen police had arrested Ding in the city, near to his hometown, in March 2017. Ding’s sister-in-law, who requested that her name not be published, confirmed the arrest.
Gao, who hails from a village on the outskirts of Beijing, was the richest man in the area, out of which he ran an illegal casino back in 2004 according to Chinese police reports and court documents.
The documents said that thugs working for Gao beat up a group of men whom they had mistaken for another gang that had previously robbed them. The victims reported the incident to the police, and Gao had to serve an 18-month prison sentence.
The documents added that, after his release in 2006, Gao travelled to Macau and the Philippines, where he was reported to have invested as much as $2 million in businesses that ran casino VIP rooms. One of the companies that he invested in was Eastern Hawaii Leisure, which would wind up with more than a quarter of the stolen funds from Bangladesh.
When Chinese authorities arrested Gao for the second time in 2012, they found that he ran one of the biggest gambling networks in the country, extending into 29 provinces and through which he had made more than $8 million. He was sentenced to four years in prison.
The sentence was, upon appeal, shortened to three years, suggesting that Gao assisted the police investigation in an unspecified manner. Court documents show he was officially released on medical parole in 2015.
The exact length of time Gao spent in prison is, however, still unclear, as corporate records in Macau show that he formed a company there in 2014.
In August 2016, Gao’s wife Yan Wenli said that Xiamen police had again detained Gao.
When she asked the police what she could do to get him out, they are reported to have said: “Don’t bother calling a lawyer.”