Inside the workings of a failed high-tech bank heist

March 6, 2009
Criminals had bank's security boss on board and a list of passwords at their fingertips

When raiders hit the City of London offices of Sumitomo Mitsui Banking Corporation they did not prepare themselves with weapons and masks. Instead they simply arrived with a list of passwords jotted down on a bit of paper, logged in and attempted to help themselves to £229 million.

Had they succeeded, the audacious theft would have topped the record books, dwarfing the £53 million Tonbridge cash heist and even a £141 million robbery in Baghdad. The men were not foiled by hi-tech security but because they failed to enter the passwords in the correct fields of the unfamiliar electronic banking forms.

Investigators feared the low-key break-in may have never been made public because of the potentially embarrassing consequences for the bank.

Sharon Lemon, director of e-crime at the Serious Organised Crime Agency (Soca), said the first officers at the scene were confronted with little more than vandalised computer terminals. But once the illicit transactions were found the sheer scale of the theft, which involved a complicated network of front companies, quickly became apparent.

Ms Lemon said: "If the bank had not been bold enough to report this - and it was a potentially sensitive incident - we may never have known about it. This was a global investigation and the crime and effort we made to invest in international relations really paid off. It was a complicated technical and financial investigation, all of our techniques were brought to bear to arrest and convict the offenders. It does not really matter where the criminals come from. If they intend to target the UK then it is our responsibility to track and convict them. Organised criminals are not commodity specific, they are money specific and if an opportunity presents itself then they will take it."

Preparations for the raid on the evening of Friday October 1, 2004, began the previous month with three surreptitious visits by a pair of computer experts.

Corrupt security boss Kevin O'Donoghue led the way for Belgian hackers Jan Van Osselaer and Gilles Poelvoorde using security cards belonging to other staff. He also tampered with CCTV cameras and even severed cables at the Queen Victoria Street offices in a bid to prevent the illicit visits being recorded. O'Donoghue later claimed he was threatened and forced to take part but CCTV footage showed him laughing and joking with the two hackers.

The Belgians, who travelled to Britain specifically to prepare the ground for the electronic attack, downloaded pirate software on to computer systems. This gave the men administrator privileges inside the Japanese bank's sensitive financial database. Crucially, it also enabled them to upload keylogging software to spy on the passwords and log-in details of senior staff.

They intended to use the Society for Worldwide Interbank Financial Telecommunication (SWIFT) transfer system to spirit cash to accounts worldwide.

The men attempted to send 10 massive transfers in Sterling and euros. Toshiba International, Sumitomo Chemical, Nomura Asset Management and Mitsui OSK Lines were among the corporate accounts targeted by the men. Recipient accounts were based in Spain, Dubai, Hong Kong, Singapore, Turkey, United Arab Emirates, Israel, and Liechtenstein.

But the next day, conspirators quickly realised the transactions were not complete and the money would not clear in the target accounts. Following a flurry of phone calls, the two men returned to try a further 11 transactions.

On Monday morning staff arrived for work to find some computer terminals damaged and others registering unusual transactions.

Meanwhile the criminal gang were frantically trying to get their hands on the cash and move it on. Several phone calls were made to a Dubai bank and eventually a fake fax was sent from a Cheltenham corner shop asking for 12 million euros to be released. Two men who also visited the bank but left empty handed have never been identified or traced.

Defendant Hugh Rodley, a self-titled Lord of the Manor, travelled to Gran Canaria over the weekend to conduct the money laundering operation. He had created a web of front companies during a series of exotic trips, including visits to the Seychelles and Singapore.

Among the companies destined to receive the massive sums were Mediatel International PLC, Furzefield Ltd, Expoinvestment SL and Investorscan.

Rodley, whose real name is Brian McGough, was a shadowy entrepreneur who remained a mystery to his neighbours in Church End, near Tewkesbury. Locals knew him best for two petty confrontations with the authorities, one over an overgrown hedge and a second over an unpaid lawnmower bill. But detectives said a determined fraudster who was being monitored by several police forces lurked behind the eccentric, bow tie-wearing facade. His long-term business partner Bernard Davies, 74, faced the same charges and killed himself on the eve of the trial.

Poelvoorde and Van Osselaer were identified by a Belgian fraud squad official after Soca circulated CCTV images from the bank worldwide.

When Poelvoorde was arrested at Brussels Airport attempting to travel on a false passport a USB stick was found in his pocket. It contained screen grabs from the Japanese bank and detectives suspect he may have been preparing for a second raid.

Detectives suspect the ringleaders outsourced some of the money laundering operation to other criminals who have not been traced. One senior detective involved in the inquiry said the gang "outsourced" money laundering and technical expertise.

The detective said £230 million was a "fair return" for the investment in half a dozen front companies and a series of international flights.

He said: "These people are not the full conspiracy. There must be other people involved in this. None of these people are the main sponsor of this. This is not people setting up accounts at NatWest to launder money, it is a sophisticated money laundering process. These are only the accounts on the surface. There will be other accounts behind this and money will move from one to the other to frustrate law enforcement agencies. By the time we have been through all the jurisdictions to track it down it has gone."

Speaking about the scale of the theft, he said: "The £53 million Kent robbery was the biggest theft prior to this, and this was potentially four-and-a-half times bigger than that. I think £230 million would certainly be up there around the world."