For someone supposed to be laundering millions of dollars in stolen funds, with investigators from three countries scrambling to track the money, Ding Zhize was a surprisingly unhurried man. He’d brought a dozen or so high rollers from China to play in the glitzy VIP room in MetroManila’s Solaire casino. The game was baccarat. It was late February 2016—still high season for Asian casinos, thanks to the Lunar New Year holiday—and Ding had been here for days. As red-shirted dealers laid down hand after hand, gamblers smoked Double Happiness cigarettes and helped themselves to an endless supply of mineral water, lemon tea, and Hennessy XO cognac. The chips they played in a steady stream were valid only in that room. The most valuable ones were rectangular plaques worth $20,000.
Ding, his partner, Gao Shuhua, and the gamblers in tow were probably betting on both the house’s hand and the players’ hands, trying to strike a balance between gains and losses. After all, the important thing for anyone looking to launder money through a casino isn’t to win. It’s to exchange millions of dollars for chips you can swap for cool, untraceable cash at the end of the night.
It wasn’t the first time the Chinese duo of Ding and Gao had managed a transaction like this. Running illegal gambling operations, including recruiting people for foreign gaming junkets, was their main business, according to previously unreported court documents in China obtained by Bloomberg Markets as well as interviews with family members and former business partners. By the time Ding, Gao, and their players had their casino accounts frozen in March 2016, they’d managed to make tens of millions of dollars disappear, according to a Philippine Senate committee that investigated the theft.
The money was part of the largest cyberheist in history. In early February, $81 million had been stolen from Bangladesh’s central bank by hackers who issued bogus instructions via Swift, the global interbank payment system, according to reports by the Philippine Senate committee, the Federal Reserve Bank of New York, and the Bangladesh Ministry of Finance. The cyberthieves messaged the New York Fed, where Bangladesh Bank had funds on deposit, directing it to send funds to a handful of bank accounts mostly in the Philippines set up using fake names.
Just a few days after the theft, Bangladesh Bank officials asked their Philippine counterparts for help. Yet the gamblers were allowed to play on for weeks, according to reports by the casino’s parent company, Bloomberry Resorts Corp., and the Philippine Senate Committee on Accountability of Public Officers and Investigations. Even after the remaining funds were frozen, no charges were filed against Ding, Gao, or the players with them, so Philippine police didn’t make any arrests, says Sergio Osmeña III, a former senator who last year was a member of the inquiry panel. “They waited until it was too late,” he says.
What Ding and Gao did with the loot remains unknown. That’s the point, of course: You want to conceal the money’s criminal origins and then stir it into the rivers of legitimate cash that course around the world every day: $60-odd million here, a few million there. It adds up. PricewaterhouseCoopers LLP says money laundering may total $2 trillion a year worldwide—an amount roughly equivalent to the market for online shopping.
Like the money, Ding and Gao left the Philippines without a trace. (Osmeña says customs authorities have no record of the duo’s departure.) Gone too, it seemed, was any chance that Bangladesh, the Philippines, or the U.S. would find the funds.
But if Ding and Gao thought they’d gotten away scot-free, they were mistaken. The story didn’t end in the floral-scented VIP room of the Solaire. It just moved on—to China and then maybe even North Korea, home to Lazarus, one of the world’s most active state-sponsored hacking collectives.
As big as it was, the heist could have been a lot bigger. The hackers originally intended to funnel $951 million of Bangladesh Bank’s money into phony accounts, according to various investigations. Via Swift, they fired off a series of messages to the New York Fed to do just that. The theft of the full amount was only averted because, after the initial payments had been made, several transactions were flagged “for sanction compliance review,” according to an April 14, 2016, letter from the Fed to U.S. Representative Carolyn Maloney, a New York Democrat. (In the wake of the Bangladesh theft, Swift took measures to prevent such intrusions. “We are fully committed to helping customers in the fight against cyber-attacks,” Patrick Kerkels, the Swift general counsel, said in an emailed response to questions. Swift’s security program, he said, “has demonstrably helped to detect and even prevent successful frauds.”)
Since then, Philippine authorities have recovered almost a fifth of the stolen money and returned it to Bangladesh, but most of the rest, after flowing through a series of accounts, a money-transfer company, and into local casinos, disappeared into the muggy Manila air.