Cybercrime, on top of being difficult to detect and even more so to prove, is notoriously tricky to visualize. The impact may be tangible, even devastating – nuclear plants damaged, hospitals disabled, pipelines shut down – but the perpetrators are shadowy and inscrutable, the crime unseen and insidious, the methods vague and indecipherable to lay people without a knack for computer science.
Billion Dollar Heist, a new feature-length documentary, attempts the formidable challenge of turning one of the biggest financial crimes in history – the February 2016 cyber heist of $81m from the US Federal Reserve accounts for the central bank of Bangladesh – into informative entertainment. Director Daniel Gordon employs a range of cinematic techniques – some illuminative, some overly cliched – to get at a highly sophisticated cyber crime involving several countries, time zones and financial institutions. Among them: animation, dramatic recreation, stock footage of beeping ones and zeros, archival footage on the relatively brief history of hacking, ominous narration from British broadcaster and cybersecurity journalist Misha Glenny.
Perhaps unsurprisingly, this scattershot approach has its limits for understanding both the history and execution of ransomware attacks, though it does tell a moderately entertaining story that makes life as we know it – our power, medical, financial and communication systems dependent on networks connected to the internet – seem perilously fragile. As Glenny somewhat dramatically puts it, the human race faces four existential threats: pandemic, weapons of mass destruction, climate change and cyber.
Cyber, specifically ransomware attacks, may indeed threaten humanity in seen and unforeseen ways, though the film’s survey of cyber history and financial crimes spans only a few minutes and mostly consists of stitched-together videos of news anchors saying “a new virus” in serious tones. Numerous cybersecurity experts, such as Mikko Hyppönen and Eric Chien, explain how, beginning around the year 2000, cybercrimes morphed from fame-seeking hackers to an organized, faceless havoc, exploiting weaknesses in an internet never designed for privacy. The titular billion-dollar heist targeted the global Swift financial transaction system, which communicated massive transfers from the US Federal Reserve, via a relatively more porous institution, the central bank of Bangladesh in Dhaka. (Somewhat hilariously, the first sign that something was amiss at the Bangladesh central bank was a malfunctioning printer, that most tangible and intransigent of devices; it’s hard not to fault Gordon’s decision to dramatize this with actors, though it does cheapen what can otherwise be slick storytelling.)
The film swiftly recounts how the unknown hackers picked on certain Bangladeshi employees with phishing emails; how they jumped from computer to computer within the network; how they timed their attempted billion-dollar heist to national holidays and weekends in three different countries. There’s great relish in explaining how a typo and an unlucky account name kept a billion in requested illicit transfers down to just $101m, and how the thieves made off with $81m via an elaborate laundering scheme at a Filipino casino.
Some of the dramatic flourishes work well, particularly the comparison of the hackers, suspected to be a shadowy semi-formal organization known as the Lazarus Group, to Ocean’s Eleven, down to the delineation of roles (the social engineer, the digger, the fence, the thief) and the casino caper, rendered in animation. A visualization involving early video game graphics succinctly conveys the basic premise of the group’s intra-network hacking. Other methods, such as staging recreations of Bangladeshi bank employees frantically poring over papers on the bank floor or frequent animations of the stock faceless male hacker in a hoodie, feel overdone and hackneyed. It could be true that the members of the Lazarus Group are hoodie-clad hackers hunched over computers, but the film gives us curiously little characterization of the criminal association credited with everything from the 2014 Sony hack to the 2017 WannaCry ransomware attack, and, according to the internet (if not the film, at least explicitly), is associated with North Korea.
Billion Dollar Heist, instead, refers to the group’s activities as “on the level of nation-state”. This could be a smart decision appropriate to what we know about the crime – I am not a cybersecurity expert, and the film-makers worked with several people who are. But it’s impossible to tell – the film’s approach to the Bangladesh bank heist story is often vague and sweeping and hampered by frequent invocations of perpetrators who remain, at least to viewers, unknown and without motive. I left the film convinced that cybercrimes do indeed pose a serious threat to anything from medical records to peace of mind. But I’m light on specifics.
Billion Dollar Heist is now available to rent in the UK and is available to rent in the US on 15 August.