Just weeks after busting a Chinese hacking group that had stolen millions from cash machines around Kathmandu, police, over the last two days, have arrested 12 people, including some hundi operators, for their alleged involvement in yet another bank heist.

According to police, the group, operated by a man from India identified as Peter aka Kaley, has stolen Rs48.5 million from the Lahan branch of the state-run Agriculture Development Bank and Panas Remittance in Baneshwor.

“They used credential hacking to steal the money,” said Superintendent of Police, Ishwor Karki, from the Metropolitan Crime Division. “The gang had plans to steal money worth $50 million from different banks.”

Between April and September 22, the gang stole Rs47.3 million from the Agriculture Development Bank and Rs1.2 million from Panas Remittance.

“The mastermind, Peter, who lives in Mumbai, India, had deployed as many as 12 Nepali agents who had opened up current accounts in various banks,” said Karki. “The hacked amount was transferred to their bank accounts. Later, they would send the amount through hundi to Peter. Nepali agents were getting commissions of up to 35 percent for their work.” said Karki.

Though the exact modus operandi is not clear, it is believed that hackers from Mumbai were using one of the malware variants in order to gather information and steal credentials, which were later used to plunder bank accounts. In such cases, the malware not only stays hidden but camouflages itself as a legitimate bank security system. As a result, the heist goes unnoticed.

According to Anil Kumar Upadhyay, CEO of Agricultural Development Bank, hackers breached their system by using passwords from the Lahan branch to log in.

“After getting the news, we immediately formed a committee to investigate further,” Upadhyay told the Post. “We have sent our IT team along with police officials to Lahan to figure out the flaws. The incident took place due to staff weakness. Otherwise, no one can hack the bank system as it is very secure.”

The investigation by the bank’s IT team and police has revealed that the hackers transferred amounts from the bank’s profit and that customers’ funds are safe, said Upadhyay.

Police, however, have recovered only Rs4.5 million from those arrested.

“Nepali agents have sent only around Rs3 million to Peter through hundi as we were able to block all illegal transactions,” said Senior Superintendent of Police Sahakul Thapa of the Teku Metropolitan Crime Division. “Our investigation is ongoing to find out where the remaining amount is.”

The arrests on Monday and Tuesday were possible after Panas Remittance filed a complaint on September 22 with police following as many 21 back-to-back suspicious transactions coming to its notice.

“We immediately launched our investigation, which resulted in the arrest of 12 individuals,” said Karki.

The suspects have been identified as Lawang Tamang, 43; Laxmi Lama Tamang, 40; Sanjay Ghale, 26; Nirmala Tamang, 20; Nima Tamang, 18; Pusparaj Khadka, 42; Bidhya Sagar Lamichhane, 23; Shrawan Kumar Shrestha, 38; Sunita Shrestha, 32; Subankar Panja, 30; Bijay Shah, 22; and Chandra Bahadur Bandal, 45.

“We had found during our investigation that the gang had stolen money from the Agriculture Development Bank as well,” said Karki. “The bank was oblivious to the heist until police informed its officials.”

Two instances of hacking in a span of three weeks has raised concerns about the safety and security of the Nepali banking system.

On the night of August 31, police arrested four Chinese nationals for illegally withdrawing money from ATMs belonging to different banks in Kathmandu. Police had confiscated Rs12.60 million and around $10,000 along with 132 forged VISA debit cards, 17 authentic VISA cards, six mobile phones, a laptop and a data card.

According to officials, the Chinese suspects had hacked the Nepal Electronic Payment Systems, an interface that allows the transaction of money deposited in a bank by using cards issued by other member banks.

NEPS has incorporated 11 commercial banks, including Prabhu Bank, Sunrise Bank, Machhapuchchhre Bank, Janata Bank, Siddhartha Bank, Citizens Bank, NIC Asia Bank, Prime Bank, Nepal Bangladesh Bank and Global IME Bank.

Nepal Rastra Bank, the banking regulator, had said that only money stacked in ATM vaults had been withdrawn by the hackers, with depositors' money very much safe. However, the latest heist, perpetrated using what police call credential hacking, has now raised alarm bells.

In the wake of the ATM hack, the central bank had issued a circular to all banks, asking them to place a cap on daily withdrawals from ATMs to Rs60,000—Rs20,000 in a single transaction.

Tej Budhathoki, former chief executive officer of the Agriculture Development Bank, said that state-owned banks’ security systems have become vulnerable after the hiring of incapable officials due to pressure from trade unions.

“This has mainly given rise to negligence in fulfilling duties and a lack of understanding of the technology being used by banks, providing ample space for malpractices,” said Budhathoki.

Increasing dependency on imported technology, where banking contracts are provided to vendors with poor history, is also leading to security lapses, Budhathoki added.

Rajesh Khanal contributed reporting.