On a quiet Friday morning in early February, a series of instructions using authenticated SWIFT codes was sent to 33 Liberty allegedly from the Bangladesh central bank requesting the transfer of nearly $1 billion from the country’s FX reserves.

Now, the first thing that should jump out at you there is that Friday is a weekend in Bangladesh, a fact which probably should have set off alarm bells. But alas, it didn’t and by the time the hackers who sent the transfer instructions screwed the pooch by spelling “foundation” wrong in one of the requests, more than $80 million was sent to the Philippines where it landed in four accounts and eventually ended up transferred to at least two casinos and one unidentified man “of Chinese origin” who has since been named as a Weikang Xu. For those who might have missed the story, here are our three previous accounts of what is truly a Hollywood-esque plot line:

• Plot Thickens In New York Fed Heist As $30 Million In Cash Said Delivered To Mystery Chinese Man
• The Incredible Story Of How Hackers Stole $100 Million From The New York Fed
• Chinese Hackers Break Into NY Fed, Steal $100 Million From Bangladesh Central Bank

You’re reminded that the stolen funds ended up in the Jupiter Street, Makati City, branch of Rizal Commercial Banking Corp where the branch manager is one Maia Santos Deguito. Here she is:

According to testimony from a Rizal executive heard at a Senate hearing in the Philippines late last week, some $427,000 in cash was withdrawn from one of four accounts that received the illicit funds. That money was promptly deposited – into the back of Deguito’s car.

“On February 5 – the day when RCBC said $22 million was put into [the accounts] – Deguito’s assistant, Angela Torres, requested P20 million from the bank’s cash center, which was delivered by armored car,” PhilStar reports. “The teller then put the money in a box, which was brought to Deguito’s office. The branch messenger, a certain Jovy Morales, then looked for a paper bag to put the money in and then brought it to the branch manager’s car.”

Deguito then ignored a direct order from the Bangladesh central bank and the Rizal head office to freeze the accounts. “Instead, she moved the money to a foreign-currency account opened Feb. 5 under the name of Centurytex Trading, a local brokerage firm owned by businessman William Go,” WSJ writes. “$15 million of the stolen money on Feb. 5 was remitted from the account to a local money-transfer company called Philrem [and] then, about another $66 million was transferred to Philrem on Feb. 9.” From there, it found its way to the casinos and to Weikang. Here’s a diagram from FT:

Mr. Go is apparently innocent according to a private investigation conducted by Truth Verifier Systems Inc who says the accounts were forged. However, Torres (Deguito’s assisstant) insists that Go picked up cash in a “Lexus SUV” and that he signed the withdrawal slip personally.

Go is now suing both Torres and Deguito.

Apparently, the hackers used malware to infiltrate the central bank’s computers and monitor daily activity. “They were counting on the likelihood that there wouldn’t be any direct communication between the banks over the weekend,” an official who spoke to WSJ said. And they were correct. As we documented earlier this week, Bangladesh was unable to contact the New York Fed on Saturday and Sunday.

Bangladesh hired FireEye to investigate the incident. According to what Bloomberg describes as an “interim report,” the hackers “sought to cover their tracks by deleting computer logs as they went [and] before making transfers they sneaked through the network, inserting software that would allow re-entry.”

The report allegedly describes the operation as something that would normally be the purview of nation-state hackers. “Malware was specifically designed for a targeted attack on Bangladesh Bank to operate on SWIFT Alliance Access servers,” Bloomberg quotes the report as saying. “The security breach of the SWIFT environment is part of a much larger breach that is currently under investigation.”