HONG KONG/CHICAGO (Reuters) - Cyber thieves who stole $12 million from an Ecuadorian bank in 2015 routed the funds through 23 companies registered in Hong Kong, some of them with no clear business activity, according to previously unreported court filings and judicial rulings.
The court papers offer a first glimpse into where some of the money was moved after it reached accounts in Hong Kong.
The filings stem from a lawsuit filed in early 2015 by Ecuador’s Banco del Austro (BDA) in Hong Kong against the web of companies that received or handled more than $9 million in stolen funds, bank records submitted to the territory’s Court of First Instance show. The BDA lawsuit alleged the companies had been “unjustly enriched” and sought recovery of the money.
The remaining $3 million was routed to entities in Dubai and elsewhere, according to separate court filings in the U.S. Those transfers are not the subject of litigation in Hong Kong.
The cyber thieves allegedly used the SWIFT global messaging system to move the funds. SWIFT, a conduit for bank money transfers worldwide, also was the network used to move $81 million out of Bangladesh Bank in February.
According to the Hong Kong court filings, BDA submitted criminal reports to police in both Hong Kong and Ecuador about the transfers. The content of those reports was not part of the court record reviewed by Reuters. The attacks have caught the attention of global investigative agencies. The U.S. Federal Bureau of Investigation and Bangladesh authorities are leading a search for criminals behind the February heist, which ranks among the largest ever.
In the Ecuadorian heist, the money was transferred by Wells Fargo WFC.N based on authenticated SWIFT messages, and both BDA and the U.S. bank now believe those funds were stolen by unidentified hackers, according to documents in a BDA lawsuit filed against Wells Fargo in New York this year.
It was not clear whether the Hong Kong Police have launched an official probe. A spokesman for the agency declined to confirm or deny the existence of an investigation.
The Ecuador attorney general’s office did not respond to a request for comment. The FBI and BDA also declined comment.
At least $3.1 million of the funds were then routed from those four companies to 19 “second layer” bank accounts, meaning the funds made a second hop to another set of Hong-Kong registered companies, the papers show.
NOT TIED TO REAL BUSINESSES
Hang Seng did not immediately respond to a request for comment. HSBC declined to comment on the details of the case but a spokesman said in an e-mail that the bank actively co-operates with law enforcement and has controls in place to know its customers and deter crime.
SWIFT, an acronym for the Society for Worldwide Interbank Financial Telecommunication, has said its core messaging system has never been breached.
A BDA lawyer said in the filings that the Ecuador bank knew none of the firms or people behind the four companies that initially received the funds. Most of the “second layer” accounts appeared not to be tied to real businesses, the lawyer added.
Hong Kong Deputy High Court Judge Conrad Seagroatt said in a December ruling in the case that the four initial recipients showed no prior history of business activity. “They all appear to be otherwise inactive corporate vehicles controlled by citizens of the People’s Republic of China,” Seagroatt wrote.
In March last year, BDA secured an order from the court to freeze the accounts of the four companies that intially received the funds, although it later settled with the recipient of the smallest transfer of $95,731.18 and withdrew its claim against that firm, the court record shows.
As of last month, complaints against five of the 23 defendants had been withdrawn or dismissed, and settlements with some defendants have taken place, court papers reviewed by Reuters indicate.
BDA has declined to speak with Reuters about the Hong Kong case or the related litigation in the United States against Wells Fargo WFC.N.
Additional reporting by Stella Tsang and Tris Pan in HONG KONG and Alexandra Valencia in QUITO; editing by Raju Gopalakrishnan and David Greising
Our Standards: The Thomson Reuters Trust Principles.