BDO Hack and OTP Hijacking

2021 BANCO DE ORO HACK

In late 2021, at least 700 account holders of the Philippine bank Banco de Oro (BDO) lost their money
through unauthorized bank transfers.

From late November to early December 2021, numerous account holders of BDO Unibank (Banco de
Oro; BDO) lost their money through unauthorized bank transfers. The funds were found to have been
transferred to multiple Unionbank accounts under the name of a certain "Mark Nagoyo". Fraud victims
lost between ₱25,000 and ₱50,000 per BDO account.

The scheme has been characterized as having been carried out through hacking. Fraud victims set up
several Facebook groups, where many maintained that they had not clicked any dubious link sent
through messaging apps, SMS, or email that would have made them fall for a phishing attempt. Other
accounts suggest that victims received no one-time password (OTP) that would have alerted them to an
unauthorized login to their bank accounts, nor any OTP notifying them that a new device had been
linked to their accounts; some also had amounts larger than the daily transfer limit moved out of their
accounts. If accurate, these reports point to the OTP step itself having been bypassed or intercepted
rather than to victims surrendering their credentials to a phishing page. Manila Bulletin Technews also
reported that ₱5 million transferred to one Unionbank account was used to buy Bitcoin on December 11.

There are also accounts from victims saying that the perpetrators used other platforms, such as GCash
and the Bank of the Philippine Islands (BPI), instead of Unionbank.

The name "Mark Nagoyo", which is associated with the Unionbank accounts, is believed to be fictitious or
a pseudonym. By December 15, the Bangko Sentral ng Pilipinas (BSP), the Philippines' central bank, had
identified two to four people as perpetrators of the hack. These people were employees of neither BDO
nor Unionbank. Five suspects, two Nigerian nationals and three Filipinos, have been arrested in relation
to the hack.

BDO released a statement on December 12, 2021, saying that some of its account holders had been
affected by "a sophisticated fraud technique", and pledged to reimburse the lost funds to the fraud
victims and to bolster its security infrastructure. The Bangko Sentral ng Pilipinas said that it was
monitoring the increase in complaints about the incident on various social media platforms and was
working closely with BDO and Unionbank. Fewer than ten Unionbank accounts that received funds from
BDO accounts were frozen in response to the incident. The National Privacy Commission also coordinated
with BDO to determine whether any personal information had been compromised in connection with the
incident. Globe Telecom also pledged assistance to the central bank in its investigation.

On December 14, BDO announced that it was reimbursing the funds of around 700 account holders. It was
reported that BDO was requiring victims to sign a quitclaim before reimbursing their lost money, in
exchange for which the victims would not file legal charges against the bank. According to DTI
undersecretary Vic Dimagiba, this could put victims at a disadvantage, since they could potentially be
entitled to more than the funds lost to the hack, such as losses arising from the inability to process the
affected account holders' housing loan installment payments.

The BSP on December 17 disclosed that its initial findings suggested that the stolen funds from BDO may
also have been transferred to multiple banks and non-bank financial institutions aside from Unionbank.

On January 21, 2022, the National Bureau of Investigation presented five suspects who were arrested in
relation to the hack.

1. How were the victims compromised (i.e. what are the events in the case)?
2. What is OTP hijacking?
3. How can you protect yourself from OTP hijacking?