Foiling a thoroughly modern bank heist

It was 7pm on a weekday evening in October 2004 when Detective Inspector Marc Kirby received a phone call at the National Hi-Tech Crime Unit (NHTCU).

“The callers said they were IT security people working for a bank in the City and were wondering if we had seen any suspicious hacking activity going on. I said I couldn’t tell them much if they wouldn’t identify themselves,” he says.

The next morning, Sumitomo Mitsui Banking Corporation (SMBC) put through a call to the main office switchboard asking NHTCU investigating officers to come to its building in Temple Court in the City. Bank employees had found network cables cut and some of their computers were not working – ­ it quickly became apparent that someone had been tampering with their systems over the weekend.

Investigators began with the bank’s CCTV cameras, which were triggered to start recording by motion sensors. They later learned that bank security guard Kevin O’Donoghue had turned down the sensitivity settings so that most of the cameras had not recorded the weekend’s events.

“But he forgot to adjust two or three of them, and these cameras showed O’Donoghue and two unknown men entering the building over the weekend,” says Kirby, who became the senior investigating officer on the case.

After preliminary investigations, it was obvious this was a big case with a money trail that led all over the world. There was palpable excitement in the NHTCU.

The investigation started with O’Donoghue. Immediately he became a suspect, though he never said anything to investigators. His phone records showed contact with overseas hackers Jan Van Osselaer and Gilles Poelvoorde, and the French and Belgian police were later instrumental in their arrest.

Kirby’s team slowly began to piece together what had happened. O’Donoghue had let Osselaer and Poelvoorde into the building, most likely in September. They had installed a keylogger application called Iopus Starr onto bank systems.

The keylogger ­ – which had been designed by a man in Germany who told police it had not been paid for ­ – was sophisticated enough to avoid the bank’s anti-virus software. It recorded keystrokes and screenshots and stored them in a file on the PC. Because it was not transmitting across the firewall, the bank’s security systems failed to detect it.

O’Donoghue let Van Osselaer and Poelvoorde back into the bank three or four weeks later. They stayed for a few hours on a Saturday, and having been unsuccessful in sending money, again for a few hours on Sunday. They accessed the keylogger files, retrieved passwords and proceeded to attempt to send £229m (US$326m) to 20 bank accounts in 10 countries. Ironically, many of their actions were traceable by forensics officers because they had been recorded by their own keylogger software.

Having seen a screen message that indicated they had been successful, they sabotaged the computers, cut some network cables and left the building.

“There was no chance the theft would go undetected,” says Kirby. “By pulling out the cables, they were trying to obstruct our forensic investigations and buy enough time for the people around the world to get the money out before we were onto them.”

What the crooks did not know is they had made a coding error. After they left, a message bounced back to the bank asking someone to confirm the transaction, which never happened, and so the money was never transferred.

The hackers took a screenshot of what they thought was the completed transaction screen and printed it out. Later that week two people walked into a bank in Dubai with a faxed copy of that screenshot and asked to withdraw the money.

Of course the cash was not there, but Kirby’s investigators managed to track down that copy of the screenshot and found it had been faxed from a video shop in Cheltenham ­ – not far from where gang leader Hugh Rodley lived.

Van Osselaer and Poelvoorde had printed out the screenshot and given it to Rodley as evidence that the job was done. Rodley gave the word, and the screenshot, to his accomplices around the world to pick up the money. The focus of the investigation now became linking O’Donoghue and the hackers to the suspected organisers Rodley, David Nash, and Bernard Davies.

In classic investigative fashion, Kirby’s team followed the money.

“We arrested a number of people while we were unsuccessfully trying to find the recruitment connection between O’Donoghue and Rodley’s crew,” says Kirby.

“Eventually, we got to them because some of the bank accounts pointed to Nash, and that gave us the connection with Rodley.”

Rodley was the self-proclaimed “chief executive” of the scam and his partner in crime Davies was an old friend. Nash had always been part of Davies’ and Rodley’s gang, and they all had loose connections with other criminal networks in London.

Just before the trial began, Davies, allegedly under pressure to change his story from Rodley on one side, and with barristers telling him the weakness of his case on the other, took his own life. He was 74.

Police never caught the two people who tried to withdraw money in Dubai, or the others around the world who had set up the various accounts –­ and were no doubt due to withdraw from them. Inger Malmros was charged but not convicted with setting up accounts in Spain. One other suspect was arrested in Israel but would not talk, so British inquiries went no further.

Kirby left the Serious and Organised Crime Agency ­ – which took over the NHTCU in 2006 – ­ before he was able to see the case through to trial, but he went back to Snaresbrook Crown Court earlier this month to watch his former prey being sentenced.

“O’Donoghue’s face went bright red when he was sentenced,” says Kirby. “Rodley didn’t turn a hair.”

The key players in the scam

“Lord” Hugh Rodley
The “chief executive” of the operation, he owed money around the British crime world. Rodley had a criminal history dating back 30 years and lived in a £2m (US$2.85m) mansion in Tewkesbury. Sentenced to eight years for conspiracies to defraud and to transfer criminal property.

Bernard Davies
Old friend of Rodley who committed suicide on 16 January – just three days before the trial began. In a suicide note to police, the pensioner thanked officers for the way they had treated him and wished them luck.

David Nash
A Soho sex shop owner who set up and was the front for many of the bank accounts. Also a long-time member of Rodley’s crew. Sentenced to three years for conspiracies to defraud and to transfer criminal property.

Kevin O’Donoghue
A security guard with no known criminal history who had been heard bragging in pubs about his role in the bank and was recruited into the gang specifically for the job. Received four years and four months after admitting conspiracy to steal.

Gilles Poelvoorde
A French national who was serving five years for another crime at the time of the trial. Tapped up through criminal networks for his hacking skills and to spread any investigation internationally. Sentenced to four years after he admitted conspiracy to steal.

Jan Van Osselaer
A computer shop worker with no previous form, probably recruited by Poelvoorde, who knew his boss. Given three-and-a-half years after admitting conspiracy to steal.

Inger Malmros
Swedish national accused of fronting bank accounts in Spain where cash was to be sent. Found not guilty.

Sumitomo Mitsui Banking Corporation
The Sumitomo Mitsui Banking Corporation has moved premises since the attempted robbery and is keeping its comments to the press to a minimum. It released a statement welcoming the outcome of the case. Last year Andrew Weston, chief information security officer at the bank, told Computing the bank had integrated its physical and electronic access systems. Staff must now use one-time passwords and fingerprint checks to log on to any bank system.