To comply with Europe’s General Data Protection Regulation, which goes into effect on May 25, internet companies have been updating their data policies. Here’s how you can benefit.
The senior adviser heard ‘Laurel.’ The press secretary heard ‘Yanny.’ And the president heard something else altogether.
The internet erupted in disagreement on Tuesday over an audio clip in which the name being said depends on the listener. Some hear “Laurel.” Others hear “Yanny.”
We built a tool to gradually accentuate different frequencies in the original audio clip. Which word or name do you hear, and how far do you have to move the slider to hear the other? (The slider’s center point represents the original recording.)
The Times traced the clip back to Roland Szabo, an 18-year-old high school student in Lawrenceville, Ga., who posts as RolandCamry on Reddit. He said Wednesday that he was working on a school project and recorded the voice from a vocabulary website playing through the speakers on his computer. People in the room disagreed about what they were hearing. Some other students created an Instagram poll, which was then shared widely on Reddit, Twitter and other sites.
One way to understand the dynamics at work is to look at a type of chart called a spectrogram — a way to visualize how the strength of different sound frequencies varies over time. The spectrograms above show that the word “laurel” is strongest in lower frequencies, while a simulated version of the word “yanny” is stronger in higher frequencies. The audio clip shows a mixture of both.
By using the slider to manipulate which frequencies are emphasized, it makes one word or the other more prominent.
There are times when the diagnosis announces itself as the patient walks in, because the body is, among other things, a text. I’m thinking of the icy hand, coarse dry skin, hoarse voice, puffy face, sluggish demeanor and hourglass swelling in the neck — signs of a thyroid that’s running out of gas. This afternoon the person before me in my office isn’t a patient but a young physician; still, the clinical gaze doesn’t turn off, and I diagnose existential despair.
Let’s not call this intuition — an unfashionable term in our algorithmic world, although there is more to intuition than you think (or less than you think), because it is a subconscious application of a heuristic that can be surprisingly accurate. This physician, whose gender I withhold in the interest of anonymity and because the disease is gender-neutral, is burned out in what should be the honeymoon of a career. Over the years, I have come to recognize discrete passages in a medical life, not unlike in Shakespeare’s “Seven Ages of Man” — we have our med-school equivalent of “the whining schoolboy with his satchel and shining morning face” and the associate professor “jealous in honor, sudden and quick in quarrel.” But what I see in my colleague is disillusionment, and it has come too early, and I am seeing too much of it.
Does this physician recall sitting before me as an idealistic first-year medical student, keen to take the world in for repairs? It was during those preclinical years that the class learned to use the stethoscope, the ophthalmoscope and the tendon hammer, to percuss the body, sounding out its hollows, the territorial boundaries of lung and liver. After the preclinical come the two clinical years, though I think of those phases these days as precynical and cynical. When students arrive on the wards full time, white coats packed with the aforementioned instruments, measuring tape, tuning fork, flashlight and Snellen eye chart, they are shocked to find that the focus on the ward doesn’t revolve around the patients but around the computers lining the bunkers where students, residents and attending physicians spend the majority of their time, backs to one another. All dialogue among them and other hospital staff members — every order, every lab request and result — must pass through this electronic portal, even if the person whose inbox you are about to overload is seated next to you.
In America today, the patient in the hospital bed is just the icon, a place holder for the real patient who is not in the bed but in the computer. That virtual entity gets all our attention. Old-fashioned “bedside” rounds conducted by the attending physician too often take place nowhere near the bed but have become “card flip” rounds (a holdover from the days when we jotted down patient details on an index card) conducted in the bunker, seated, discussing the patient’s fever, the low sodium, the abnormal liver-function tests, the low ejection fraction, the one of three blood cultures with coagulase negative staph that is most likely a contaminant, the CT scan reporting an adrenal “incidentaloma” that now begets an endocrinology consult and measurements of serum cortisol.
The living, breathing source of the data and images we juggle, meanwhile, is in the bed and left wondering: Where is everyone? What are they doing? Hello! It’s my body, you know!
My young colleague slumping in the chair in my office survived the student years, then three years of internship and residency and is now a full-time practitioner and teacher. The despair I hear comes from being the highest-paid clerical worker in the hospital: For every one hour we spend cumulatively with patients, studies have shown, we spend nearly two hours on our primitive Electronic Health Records, or “E.H.R.s,” and another hour or two during sacred personal time. But we are to blame. We let this happen to our trainees, to ourselves.
How we salivated at the idea of searchable records, of being able to graph fever trends, or white blood counts, or share records at a keystroke with another institution — “interoperability”! — and trash the fax machine. If every hospital were connected, we would have a monster database, Big Data that’s truly big and that would allow us to spot trends in disease so much earlier and determine best practice and predict complications. But we didn’t quite get that when, as part of the American Recovery and Reinvestment Act of 2009, $35 billion was eventually steered toward making medicine paperless.
My A.T.M. card is amazing: I can get cash and account details all over America and beyond. Yet I can’t reliably get a patient record from across town, let alone from a hospital in the same state, even if both places use the same brand of E.H.R., for reasons that are only partly explained by software that has been customized for each site. This is not like sending around a standard Word file. And so, too often the record comes by fax.
What the E.H.R. has done is help reduce medication errors; it is a wonderful gathering place for laboratory and imaging information; the notes are always legible. But the leading E.H.R.s were never built with any understanding of the rituals of care or the user experience of physicians or nurses. A clinician will make roughly 4,000 keyboard clicks during a busy 10-hour emergency-room shift. In the process, our daily progress notes have become bloated cut-and-paste monsters that are inaccurate and hard to wade through. A half-page, handwritten progress note of the paper era might in a few lines tell you what a physician really thought. (A neurosurgeon I once worked with in Tennessee would fill half the page with the words “DOING WELL” in turquoise ink, followed by his signature. If he deviated from that, I knew he was very worried and knew to call him.) But now, with a few keystrokes, you can populate your note with all the listed diagnoses, all the medications, all the labs, all the radiology reports, pages and pages of these, as well as enough “smart phrases” — “.EXT2” might spit out “Extremities-2+ pedal edema, normal pulses” — to allow you to swear you personally examined the patient from head to foot and personally took all the elements of the history, personally did a physical exam separate from the admitting physician that would put Sir William Osler to shame, all of which make it possible to bill at the highest level for that encounter (“upcoding”).
As a result, so much of the E.H.R., but particularly the physical exam it encodes, is a marvel of fiction, because we humans don’t want to leave a check box empty or leave gaps in a template. Over the years, I have met one-legged patients with “pulses intact in both feet” and others with “heart sounds normal, no murmur or gallop” whose mechanical heart valve’s clicks and murmurs are so loud that the patient in the next bed demands earplugs. For a study, my colleagues and I at Stanford solicited anecdotes from physicians nationwide about patients for whom an oversight in the exam (a “miss”) had resulted in real consequences, like diagnostic delay, radiation exposure, therapeutic or surgical misadventure, even death. They were the sorts of things that would leave no trace in the E.H.R. because the recorded exam always seems complete — and yet the omission would be glaring and memorable to other physicians involved in the subsequent care. We got more than 200 such anecdotes. The reason for these errors? Most of them resulted from exams that simply weren’t done as claimed. “Food poisoning” was diagnosed because the strangulated hernia in the groin was overlooked, or patients were sent to the catheterization lab for chest pain because no one saw the shingles rash on the left chest.
I worry that such mistakes come because we’ve gotten trapped in the bunker of machine medicine. It is a preventable kind of failure. Our $3.4 trillion health care system is responsible for more than a quarter of a million deaths per year because of medical error, the rough equivalent of, say, a jumbo jet’s crashing every day. Much of that is a result of poorly coordinated care, poor communication, patients falling through the cracks, knowledge not being transferred and so on, but some part of it is surely from failing to listen to the story and diminishing skill in reading the body as a text.
Five years ago, I experienced a sudden asthma attack while visiting another city. The E.R. physician was efficient, the exam adequate. The nurse came in regularly, but not to visit me so much as the screen against the wall. Her back was to me as she asked, “On a scale of 1 to 10, with 10 being great difficulty breathing …?” I saw her back three more times before I left. My visit recorded in the E.H.R. would have exceeded all the “Quality Indicators,” measures that affect reimbursement and hospital ratings. As for my experience, it was O.K., not great. I received care but did not feel cared for.
A senior colleague who was hospitalized for a longer spell, a person whose scientific and technological discoveries have helped transform care in virtually every hospital, told me with some chagrin that during his stay, the only people who got to know him as an individual human being were the nursing assistant and the housekeeper. The nurses, through no fault of theirs, were tethered to the COWs — Computers on Wheels — into which they entered data about him. But what, he asked, if it had been the other way around? What if the computer gave the nurse the big picture of who he was both medically and as a person? What if it reminded the nurse, because it was post-op Day 6 and his white count was rising, to check the surgical wound and the puncture sites where intravenous fluid was administered? What if the top screen reminded the nurse about his family members, his life outside this room and his unique concerns? What if it gave the nurse specific insights on how he was handling his suffering and suggested a strategy to support him?
For all the effort that goes into data gathering and entering, too often the data is ignored. One of my brothers, a professor at M.I.T. whose current interest in biomedical engineering is “bedside informatics,” marvels at the fact that in an I.C.U., a blizzard of monitors from disparate manufacturers display EKG, heart rate, respiratory rate, oxygen saturation, blood pressure, temperature and more, and yet none of this is pulled together, summarized and synthesized anywhere for the clinical staff to use. The physician or the nurse walks in and looks at 10s of seconds of information, a snapshot at that moment. What these monitors do exceedingly well is sound alarms, an average of one alarm every eight minutes, or more than 180 per patient per day. What is our most common response to an alarm? We look for the button to silence the nuisance because, unlike those in a Boeing cockpit, say, our alarms are rarely diagnosing genuine danger.
The biggest price for “digital medicine” is being paid by physicians like the sad case seated before me, who is already considering jumping to venture capital or a start-up, not because that is where the heart is but because it’s a place to bail out to. By some estimates, more than 50 percent of physicians in the United States have at least one symptom of burnout, defined as a syndrome of emotional exhaustion, cynicism and decreased efficacy at work. It is on the increase, up by 9 percent from 2011 to 2014 in one national study. This is clearly not an individual problem but a systemic one, a 4,000-key-clicks-a-day problem. The E.H.R. is only part of the issue: Other factors include rapid patient turnover, decreased autonomy, merging hospital systems, an aging population, the increasing medical complexity of patients. Even if the E.H.R. is not the sole cause of what ails us, believe me, it has become the symbol of burnout.
Burnout is costly. My colleague at Stanford, Tait Shanafelt, a hematologist and oncologist who specializes in the well-being of physicians, is Stanford Medicine’s first chief wellness officer. His studies suggest that burnout is one of the largest predictors of physician attrition from the work force. The total cost of recruiting a physician can be nearly $90,000, but the lost revenue per physician who leaves is between $500,000 and $1 million, even more in high-paying specialties. Turnover begets more turnover because those left behind feel more stress. Physicians who are burned out make medical errors, and burnout can be infectious, spreading to other members of the team.
I hold out hope that artificial intelligence and machine-learning algorithms will transform our experience, particularly if natural-language processing and video technology allow us to capture what is actually said and done in the exam room. The physician focuses on the patient and family, and if there is a screen in the room, it is to summarize or to share images with the patient; by the end of the visit, the progress notes and billing are done. But A.I. applications will help us only if we vet all of them for their unintended consequences. We need sufficient regulatory scrutiny so that we don’t have debacles like that of Theranos, a company that claimed it could perform comprehensive lab tests from just a few drops of blood. Technology that is not subject to such scrutiny doesn’t deserve our trust, nor should we ever allow it to be deeply integrated into our work.
Starting with good data is critical for medical applications of A.I. and machine learning. The messy nature of medical data, of the E.H.R., makes the task difficult. Garbage in begets garbage out — sanitized, pretty, color-coded garbage, but garbage nonetheless. Advances in pattern recognition applied to X-rays and CT scans and retinal scans will be very helpful aids to the clinician. But as with any lab test, what A.I. will provide is at best a recommendation that a physician using clinical judgment must decide how to apply.
I remind my young colleague that no one else can fulfill that final role: If data scientists complain about “messy data,” then there is nothing messier than an emergency meeting with a seriously ill patient when the information on what preceded this moment emerges in dribbles, and all the while we need to make a provisional diagnosis, start therapy, then make quick decisions as the disease evolves and recalibrate with more story from the patient, or from the firefighters who found the bottles of medication by the patient’s side, or from the friend or family member who suddenly shows up and mentions the sneezing parakeet, or from the lab numbers that come back. True clinical judgment is more than addressing the avalanche of blood work, imaging and lab tests; it is about using human skills to understand where the patient is in the trajectory of a life and the disease, what the nature of the patient’s family and social circumstances is and how much they want done.
The seriously ill patient has entered another kingdom, an alternate universe, a place and a process that is frightening, infantilizing; that patient’s greatest need is both scientific state-of-the-art knowledge and genuine caring from another human being. Caring is expressed in listening, in the time-honored ritual of the skilled bedside exam — reading the body — in touching and looking at where it hurts and ultimately in localizing the disease for patients not on a screen, not on an image, not on a biopsy report, but on their bodies.
I recall an occasion when we were on rounds seeing a patient, and suddenly a vile odor filled the air. Time stood still until an earthy and wonderful nurse said: “Do you all smell poop? Let’s fix that!” and stepped forward, and we did, too, rolled up sleeves and learned from a master, with minimal fuss and minimal embarrassment to the patient, how to take care of something that a keyboard won’t do for you, what no algorithm will sanitize. Medicine is messy and complicated, because humans are messy and complicated. That is why I love it. And what all of us in the trenches — housekeepers, nurses, nursing assistants, therapists, doctors — have in common is that humanity. We came to this for many reasons, but it sobers me how many people came because they had a sense of calling, because they genuinely care.
So let’s not be shy about what we do and ought to do and must be allowed to do, about what our patients really need. As he was nearing death, Avedis Donabedian, a guru of health care metrics, was asked by an interviewer about the commercialization of health care. “The secret of quality,” he replied, “is love.”/•/
The social network overhauled itself into three new divisions and shuffled the leadership of its key businesses in one of its biggest reorganizations.
Top executives of the company, which was once tech’s biggest villain, are outspoken advocates for protecting user privacy and establishing ethical guidelines for new technology like artificial intelligence.
The European Union is introducing some of the strictest online privacy rules in the world. The changes aim to give internet users more control.
Held for questioning in a $2 million theft of Bitcoin-mining computers, Sindri Stefansson soon escaped a low-security facility. But his arrest days later in Amsterdam made him eager to get back.
At 8:45 in the morning on Friday, Feb. 5, 2016, Zubair Bin Huda, a director at Bangladesh’s central bank, entered the 30-story, concrete-and-glass headquarters in Dhaka. Bin Huda, slim and soft-spoken, with a thin black mustache and beard, rode an elevator to the ninth floor and eventually walked into the back office of the Accounts and Budgeting Department’s “dealing room,” the most restricted area of the building, accessible to only a handful of employees.
Until about a decade ago, Bangladesh’s central bank was stuck in the analog age: Staff members sent international payment instructions via a teleprinter, an electromechanical typewriter that sent and received messages over standard phone lines and other channels. But since a new bank governor took over in 2009, the institution had gone digital. Its international transfer orders are now dispatched via Swift, the Brussels-based electronic network used by 11,000 financial institutions in more than 200 countries and territories. Inside a 12-foot-by-8-foot glass-walled chamber, under the scrutiny of closed-circuit security cameras, staff members log into Swift and dispatch the payment orders with encrypted communications. With a few keystrokes, a complex process is set in motion that sends millions of dollars zipping across continents.
Bin Huda was the duty manager that morning, which meant he was tasked with scrutinizing printouts of transfer confirmations, routine queries and other Swift messages that had come in overnight. Friday is a bank holiday in Bangladesh, but a dedicated printer still generated hard copies of digital transfer messages. A few dozen would usually come in over the course of a day, but that morning Bin Huda didn’t see any on the printer. He assumed it was a technical glitch and decided to deal with it on Saturday.
At 9 o’clock the next morning, he returned to the office. This time, he found that the Swift software — the program that launches the messaging service — wasn’t functioning, either. Each time he tried to open it, a disconcerting error message appeared: A file is missing or changed. He and his colleagues huddled over the dedicated Swift computer, following directions on the monitor on how to get the software running again. Shortly after noon, he was able to retrieve three messages from the Federal Reserve Bank of New York and to print them out one by one. The New York Fed is, in effect, the gatekeeper of much of world banking, and hosts accounts for 250 central banks and governments with deposits of about $3 trillion. A Fed employee had written to Bangladesh, asking for clarification about 46 payment instructions received over the past 24 hours. The Fed had never seen orders like that or a total so large from the bank — nearly $1 billion.
It had to be a mistake, Bin Huda thought. Bangladesh Bank, as the central bank is known, never sent payment instructions on weekends, and even during business hours, it rarely sent more than two or three to the Fed in a day. He scrolled through the message file in search of more information. Where was the money headed? The one debit statement he could find was corrupted and unreadable. Desperate to stop the transactions from moving forward, but unsure where to turn, Bin Huda emailed a Swift case manager at the organization’s Brussels headquarters. He told bank officials that he had reported a “big accident” in the Swift system. He tried to reach the Fed in New York by telephone, but the bank was shut down for the weekend. Bin Huda emailed and faxed a demand to the Fed to stop processing all payments, including all those mentioned in the queries. Hoping that someone would get the message, Bin Huda then shut down his computer and went home to enjoy his weekend with his family.
Although no one knew this yet, Bin Huda was in the middle of the most daring bank robbery ever attempted using Swift. And it would prove to be the most severe breach yet of a system designed to be unbreachable. Swift’s transmission process — by which money moves through the dispatching of encrypted messages to multiple operating centers and then on to the receivers — has become the standard in the banking world, flawlessly processing more than three billion payment orders a year. It uses “military grade” security systems, says Adrian Nish, the head of Threat Intelligence for BAE Systems, a cybersecurity firm in Britain that investigated the attack on Bangladesh Bank. Swift (the acronym stands for the Society for Worldwide Interbank Financial Telecommunication, a cooperative founded in 1973 and owned by its member banks) recommends that its institutions use multifactor authentication to log on and that they segregate the Swift server from the rest of their internal network.
Even for skilled and dedicated hackers, the most viable path to penetrating Swift runs through the member banks, which operate the software that lets them log into the Swift system — providing “the technical handshake that opens the secure pipe,” as one cybersecurity expert put it to me. During the past three years, a rash of smaller incidents have shown the vulnerabilities in the system, as cyberthieves broke into the computer networks of banks in Ecuador, Taiwan, Vietnam, Poland, India and Russia to send out phony payment instructions via the Swift network. Alert bank officials were able to call back some fake payments, but millions of dollars were lost. “A lot of institutions in emerging markets don’t have the same security controls that more mature banks have,” says Patrick Neighorn of FireEye, a U.S. cybersecurity firm. “In some the passwords aren’t centrally managed, or they didn’t know what all the devices connecting their network are.”
The Bangladesh job, though, was an order of magnitude more sophisticated. The hackers’ approach was masterly in its foresight and complexity, and the malware they used, or variations of it, later turned up in several of the other bank breaches. The intruders most likely entered the bank’s computer network through a single vulnerable terminal, using a contaminated website or email attachment, and planted malware that gave them total control, even a view of the screens they were manipulating. There, hiding in plain sight, they waited for months to gain an understanding of the bank’s business operations. They harvested employee passwords and worked their way to the most tightly guarded corner of the network: the Swift server. Despite Swift’s warnings, the bank had not segregated its Swift server from the rest of the computer network. “It takes a huge amount of skill to understand the target systems and to be able to subvert them the way they did,” says Nish of BAE Systems.
In contrast to off-the-shelf tools that have been used in many recent attacks — such as the “SQL injection code” deployed in 2015 to break into the database of TalkTalk, a British telecommunications firm, and access the bank information and personal details of more than 20,000 subscribers — the malware that the thieves devised was “a custom code, built for attacks on banks and configured for a specific bank,” Nish says. And because it was written from scratch, it was unfamiliar to existing virus-protection programs. After the hackers sent their counterfeit payment orders via the secure Swift messaging network, they completely erased their footprints by deleting those orders from the bank’s Swift database, wiping out the evidence from the printer statements and updating the balances in the bank’s New York Fed account to make it appear that no money had been debited. In effect, Nish says, “the thieves figured out how to make themselves disappear.”
The hackers also succeeded in turning one of Swift’s defining features — its global reach — into a vulnerability. After months of lurking in the system, they planned their attack for a moment when the banks were unable to communicate effectively. Beginning on Thursday afternoon, New York time, when the Fed had received a total of 70 fraudulent payment orders to four bank accounts in the Philippines and one in Sri Lanka, totaling $1 billion, Bangladesh Bank was closed for the weekend. On Sunday, when the bank reopened and discovered the error, it was unable to reach the Fed. Bin Huda sent a stop-payment order to the Philippines central bank, which was closed for the Chinese New Year. “There was no hotline between the Bangladesh Bank and the Fed in New York,” says Atiur Rahman, the governor of Bangladesh Bank at the time of the heist. “Essentially, I think this was a flaw of the global payment system.”
Late on Monday afternoon, Dhaka time, as the Fed was opening for business, Bangladesh Bank asked officials in New York to block the money transfer to the Philippines but were told it was too late and that the money was with recipient banks. On Tuesday morning, more than four days after the theft, Rahman finally reached his Philippine counterpart via a landline from his office and begged him to intervene. The Philippine bank governor asked him to file a written complaint, a Bangladesh Bank official says, and to send it through the diplomatic pouch. Rahman says he was told to keep the matter quiet until it was fully clear what happened.
In early March, according to a bank official, an elite police unit was given permission to inspect the back office. Investigators seized passports to see if anyone had traveled to the Philippines, slapped one employee with a travel ban and questioned the others for hours. Rahman resigned a few days later.
Ultimately, it was only a few strokes of good luck that kept the heist from being far worse. On Thursday, Feb. 4 — the day before Bin Huda noticed that the Swift software had crashed — five payment orders went through without triggering an alarm: a $20 million deposit for the Shalika Foundation, an agricultural NGO in Sri Lanka that had an account at Pan Asia Bank, and four for individual accounts at the Jupiter branch of Rizal Commercial Banking Corporation near Manila. They didn’t clear instantaneously: Fedwire, a Fed-run service for 5,300 clients, enables participants to transfer cash to one another in seconds, but neither of those banks was a member of Fedwire. So the Fed instead began steering the payments to several “correspondent banks” — typically, large commercial institutions that serve as intermediaries between the Fed and smaller banks that aren’t part of its network. In this case, Deutsche Bank had a financial relationship with the bank in Sri Lanka; and the Bank of New York Mellon, Citibank and Wells Fargo dealt regularly with R.C.B.C. When these banks’ automated systems also failed to pick up anything suspicious, the orders were processed.
But the next 30 payment orders, totaling $850 million, were held up by a fortunate coincidence. Representative Carolyn B. Maloney, a senior member of the House Financial Services Committee, says that the automated system flagged the word “Jupiter,” the name of the R.C.B.C. bank branch to which the Swift order was addressed, because it happened to match the name of a totally different business on a sanctions list: Jupiter Seaways Shipping, an Athens-based firm that was blackballed for evading sanctions against Iran. When Fed compliance officers took a close look at the orders, other irregularities became apparent. According to the former Philippine senator Sergio Osmeña III, who later examined the transactions as part of his nation’s investigation into the heist, the payments bore the addresses of the same four account holders in the R.C.B.C. Jupiter branch. “If it hadn’t been for the quick action of someone at the central bank in New York, an additional $900 million would have been lost,” Maloney says.
Then one of the first five transactions — those that had initially cleared — ran aground, too. An alert clerk at the small bank in Sri Lanka noticed something that the global players had not: The payment was unusually large for such a small NGO. The clerk held the $20 million order and went to Deutsche Bank for clarification. Deutsche Bank took a closer look and discovered that the word “Foundation” had been misspelled. Suspicious, Deutsche Bank contacted Bangladesh Bank, which sent a stop-payment order.
This left four payments, totaling $81 million, that went through — an enormous bank job by any metric (by contrast, the most recent large-scale cyberheist, when hackers hit India’s City Union Bank in February 2018, reaped about $1.5 million) and an enormous blow to the global financial system. “What struck me the most was that this action struck at trust in the international banking system,” Representative Maloney says. “And if you can’t trust international banking, then international commerce could grind to a halt.”
Yet when it came to the Bangladesh heist, transferring the cash was only the first part of the scheme. It was one thing to use malicious software to tunnel into the bank’s Swift network and send out dozens of phony transfer orders to banks around the world. It was quite another to turn that digital cash into real money and then make it disappear.
Philippine authorities have focused on Maia Santos-Deguito, a career banker in her early 40s, as the linchpin of the heist’s second phase. At the time of the transfers, she was working as the manager of the Rizal Commercial Banking Corporation’s Jupiter branch. Santos-Deguito worked at several smaller banks before earning her prized position at R.C.B.C., a branch that primarily serves the residents of Bel-Air Village, an affluent neighborhood of tree-shaded residential streets and busy commercial boulevards lined with yoga salons, boutiques and expensive cafes.
In May 2015, nine months before Bin Huda of Bangladesh Bank was baffled by the Swift breakdown, Santos-Deguito met with a longtime client, Kam Sin (Kim) Wong, according to her lawyer. A Hong Kong-born restaurateur and president of Eastern Hawaii Leisure Company, Wong ran “casino junkets” in Manila and northern Luzon, bringing in Chinese high rollers on charter flights, operating V.I.P. rooms in casinos, providing them chips on credit and then taking a cut of the house profit. Wong had experience moving money in and out of an industry where it was nearly impossible to keep track of it. The U.S. State Department’s 2017 International Narcotics Control Strategy Report described the Philippines as a “major” money-laundering site, noting that “criminal groups use the Philippine banking system, commercial enterprises and particularly casinos to transfer drug and other illicit proceeds from the Philippines to offshore accounts.”
In 2001, the Philippines passed an Anti-Money Laundering Act, and by 2016 the Legislature had amended it three times to evade a blacklist designation by the Financial Action Task Force, an international watchdog. But Juan Ponce Enrile, a powerful ex-secretary of national defense, used his position as Senate president to persuade his colleagues to shield casinos from the law — keeping their operations secret and their customers anonymous. In the mid-1990s, Enrile started the Cagayan Economic Zone, a free port near northern Luzon that has attracted casinos and reportedly become a money-laundering hub. The secrecy seems to have been very good for business. In 2016 Bloomberry Resorts, one of the region’s biggest casino operators, posted a net income of $46 million. Melco Crown Philippines Resorts, the operator of City of Dreams Manila, another major gambling resort, had the best-performing casino stock in the world in 2017. “There are no controls, none whatsoever,” Osmeña told me.
According to Santos-Deguito’s attorney, Wong introduced her to a few Filipino associates and asked her to open accounts for them at the Jupiter branch. R.C.B.C. colleagues claimed at a Senate hearing that these “clients” never existed, and they accused Santos-Deguito of using forged signatures and a driver’s-license photo from a former colleague to manufacture their identities. Santos-Deguito’s attorney maintains that his client is innocent and says that she trusted Wong. The prospect of lining up wealthy new clients was enticing for her. It was a potential win for her employer, R.C.B.C., as well. Santos-Deguito kept the accounts open — and nearly empty — for eight months. Then on Friday morning, Feb. 5, 2016, they suddenly became active.
That morning, R.C.B.C. headquarters received Swift instructions from its correspondent banks in the United States to transfer the $81 million into the accounts. Santos-Deguito had already vouched for the integrity of her clients, and she again confirmed that they were legitimate. A colleague at the Jupiter branch testified at the Senate hearings that, on the same day the cash arrived, he watched Santos-Deguito stuff $400,000 into a paper bag and carry it to her car. A three-day weekend, including the Chinese New Year, followed. Then on the morning of Tuesday, Feb. 9, Santos-Deguito arrived at her storefront branch office in Bel-Air Village and began moving the $81 million out of the accounts.
By that point, at the R.C.B.C. headquarters in downtown Manila, employees in the payments department were working through a backlog of nearly 800 Swift messages that had accumulated during the holiday weekend. Among them was a stop-payment order marked “urgent” from Bangladesh Bank. The message went unread until 11 a.m. — by which time Santos-Deguito was in the midst of transferring the $81 million into a fifth account, and from there to a remittance firm called PhilRem, owned by a married couple, Michael and Salud Bautista. Santos-Deguito, who claims she was just following her clients’ orders, finished transferring the funds by 11:30 a.m. The Bautistas converted at least $61 million into Philippine pesos — more than three billion of them.
Around 7:30 that evening, a courier from PhilRem testified, he picked up a suitcase, a traveling bag and a shoulder bag at the company’s office. The luggage was stuffed with 90 million pesos, worth $1.8 million, and $500,000 in U.S. cash. The courier placed the cash into the back of a van, and with a company driver, his uncle, at the wheel, set out for the Bloomberry-owned Solaire Resort and Casino. There, at the lobby entrance, the pair dragged out the luggage and placed it onto a casino trolley. The courier wheeled the money across the lobby, past rows of digital slot machines and a section of tables for Sabong, a card game based on Philippine-style cock fighting. He took an elevator at the far end of the lobby to the second floor V.I.P. room, where, he testified, Kim Wong, Salud Bautista and one of Wong’s associates were waiting.
The Bautistas claimed in Senate testimony that this delivery was the first of many that his firm would make: It delivered $30 million in cash to Wong’s associate and wired $29 million to the Solaire Casino and another $21 million to Wong’s company, Eastern Hawaii. (Through their lawyers, Wong and the Bautistas declined to comment; they have maintained their innocence.) In his Senate testimony, Wong claimed that he received only $13.5 million and that the Bautistas pocketed the rest. Two of Wong’s fellow gambling promoters, Gao Shuhua and Ding Zhize, also received large amounts of cash.
In the V.I.P. room at Solaire, a plush lounge with butterscotch carpets, brass chandeliers and about a dozen round baccarat tables, junket players crowded around in a haze of cigarette smoke, drinking Chinese tea and fruit juice while placing their bets. The minimum bet at the table was 10,000 Philippine pesos, or roughly $200 in U.S. cash, and millions of pesos could move into the house or into the player’s pockets in a single evening. At the end of each night, during a spree that seems to have lasted a week or more, the gamblers turned their chips back into untraceable cash. Their names remained unregistered, their winnings unreported: It was, Philippine officials say, the ultimate money-laundering operation. “All we know is that the cash was delivered to certain gamblers at the casinos,” Osmeña says, “and then, after that, the gamblers weren’t here anymore, and the money was gone.”
Who had the expertise and the audacity to carry out such a heist? Weeks after the crime, Bangladesh Bank hired FireEye, the U.S. cybersecurity firm, to investigate. FireEye signed a nondisclosure agreement with the bank and has declined to discuss specifics, but some of the bank’s findings have leaked out, and other cybersecurity firms have drawn their own conclusions from publicly available evidence.
The analysts compared some of the tools used with those employed in two other notorious cyberattacks: the November 2014 hack of Sony Pictures, when a group calling itself the Guardians of Peace released embarrassing emails and salaries and wiped out many of Sony’s servers; and “Dark Seoul,” a March 2013 hack that disabled internet servers at three South Korean banks and froze computers at two South Korean broadcasters. (The base code, Nish says, was also the same one used in the WannaCry ransomware attack in May 2017, in which hackers paralyzed more than 200,000 computers around the world and demanded Bitcoin payments to unfreeze them.) All these operations, the experts concluded, bore the markings of what the security firms called the Lazarus Group — a shadowy organization that U.S. intelligence experts say is most likely affiliated with North Korea. Harsh economic sanctions have left the dictatorship struggling with nationwide food shortages and inching ever closer to a nuclear confrontation. At an Aspen Institute panel last March, the National Security Agency deputy director Richard Ledgett mentioned the findings of the cybersecurity firms and said that they could indicate a new level of North Korean criminality. “If that linkage is true, that means a nation-state is robbing banks,” he said. “That’s a big deal; it’s different.”
The New York Times has reported that North Korea is believed to maintain a network of about 1,700 computer hackers around the world, aided by 5,000 trainers, supervisors and other support staff. Many operations are aimed at harvesting intelligence from South Korea; others, as in the case of Sony, are intended to avenge slights, or others to reap financial gain. North Korean hackers have become especially adept at targeting the weak links in the financial system: banks in developing nations, especially those in Southeast Asia. “They are easy prey,” says Vitaly Kamluk of Kaspersky Lab, which found Korean-language coding embedded in some Lazarus Group malware and claims it definitively linked the Lazarus Group to North Korea, through an I.P. address that the group briefly used during a wave of attacks in Europe and the United States in 2017. “These central banks often cannot afford good security, good software, or hire a proper specialist to configure their network,” Kamluk says. “They are low-hanging fruit.”
Although gambling is strictly prohibited inside the country, North Korean leadership has a well-documented interest in the casino industry. The country has been suspected of running online casinos and, according to news reports, has been seeking $20 million from foreign investors to launch a luxury liner and casino that would cruise to Vladivostok and ports in Southeast Asia.
Since the heist, Philippine authorities have managed to recover about one-fifth of the missing money for Bangladesh Bank. Wong turned over $15 million, and the Bautistas, suspected by the Senate of walking away with $17 million but still denying wrongdoing, offered to pay $200,000, but the Bangladeshis rejected the money. The rest is probably gone for good. Gone, too, are the shadowy casino-junket operators from mainland China, Ding and Gao, who in February apparently boarded charter flights from Manila to Macau. A former Portuguese colony, Macau has long been an important financial conduit between North Korea and the outside world.
Bangladesh Bank is still trying to recoup as much as it can. In February, its deputy governor announced that the bank was filing a lawsuit against R.C.B.C., charging that its employees had doubts about the Swift payment instructions but executed the orders anyway. R.C.B.C., which has been fined a record $1 billion pesos by the Philippine central bank over the incident, threatened a countersuit against Bangladesh Bank for defamation. One bank that did authorize the payments, Wells Fargo, just reached an out-of-court settlement with Ecuador’s Banco del Austro, which had filed a lawsuit seeking to hold the bank responsible for approving the transfer of $12 million from its account in a 2015 cyberheist. The undisclosed settlement could give a boost to Bangladesh Bank’s attempts to recover its losses.
In the United States, thanks to Representative Maloney’s prodding, the Fed has instituted a 24/7 hotline to deal with such emergencies. And in the Philippines, the Senate hearings about the crime prompted Congress to impose the first set of transparency rules on the casinos, requiring that every bet over five million pesos, or $100,000, be reported to the Anti-Money Laundering Council. But there was no indication, Osmeña told me, “that anything had changed.” Indeed, Gabriel Lingan, the head of marketing and business development at the Cagayan Economic Zone Authority, which oversees the Eastern Hawaii Casino and Resort in Santa Ana, said that nearly a year after the law was passed, the exact policies regarding when and how casinos will file reports were still being negotiated. “We are still working on the details,” he said.
Of the many people believed to be involved in the Bangladesh Bank heist, only one faces charges: Maia Santos-Deguito, who was indicted on multiple counts of money laundering and faces a possible 14-year prison term. Kim Wong, the Bautistas and others suspected of helping Santos-Deguito have all walked away. “Santos-Deguito was guilty, and PhilRem was guilty, and to a certain extent Kim Wong was guilty,” Osmeña said one day at his home as servants prepared lunch in his palm-filled garden. “The Department of Justice is very crooked, very crooked, and you would do us a favor if you would point that out,” he went on. “It’s a joke, I’m frustrated by it all, but what can I do?”
Officials assume that once the junketeers stepped off the plane in Macau, it would have been easy for them to send the money, via wire or courier, to Pyongyang. But the junket operators’ precise ties to North Korea — or the exact route taken by the cash from Macau — remain a mystery. “We never got to find out who was really behind it,” Osmeña told me, shaking his head in frustration. “And what the ultimate destination is, we don’t know.”
The file landed on Rob Sand’s desk with something less than a thud. Despite holding the contents of an investigation still open after more than two years, the file was barely half an inch thick. “Happy birthday,” his boss said.
It was not Rob Sand’s birthday. His boss, an Iowa deputy attorney general named Thomas H. Miller, was retiring in July 2014 after nearly three decades of prosecuting everything from murder to fraud. He hired Sand about four years earlier and made him the youngest prosecutor in a nine-attorney team that handled challenging cases all over the state. Now Miller was offloading cases to colleagues. This one, having to do with a suspicious lottery ticket worth $16.5 million, was full of dead ends. Investigators didn’t even know if a crime had been committed. The most tantalizing pieces of evidence were on a DVD: two grainy surveillance clips from a gas station. Sand slid the disc into his laptop and pressed play.
A man walked into a QuikTrip convenience store just off Interstate 80 in Des Moines. It was a weekday afternoon, two days before Christmas. The hood of the man’s black sweatshirt was pulled over his head, obscuring his face from two surveillance cameras overhead. Under the hoodie, he appeared to be wearing a ball cap; over the hoodie, he wore a black jacket. The man grabbed a fountain drink and two hot dogs.
“Hello!” the cashier said brightly.
The man replied in a low-pitched drawl, a voice that struck Sand as distinct: “Hell-ooooh.”
“Couple hot dogs?” the cashier asked.
“Yes, sir,” the man replied quietly, his head down.
The man pulled two pieces of paper from his pocket. They were play slips for Hot Lotto, a Powerball-like lottery game available in 14 states and Washington, D.C. A player — or the game’s computer — picked five numbers between 1 and 39 and then a sixth number, known as the Hot Ball, between 1 and 19. The prize for getting the first five numbers right was $10,000. But a much larger prize that varied according to the number of players who bought tickets went to anyone who got all six numbers right. The record Hot Lotto jackpot of nearly $20 million had been claimed in 2007. The jackpot at the time of this video was approaching the record. The stated odds of winning it were one in 10,939,383.
The cashier took the man’s play slips, which had already been filled out with multiple sets of numbers. At 3:24 p.m., the cashier ran the slips through the lottery terminal. An older man with a cane limped by the refrigerated section. A bus drove by. The cashier handed over his change. Once outside, the man pulled down his hood and removed his cap, got into his S.U.V. and drove away. The gas-station parking lot gleamed; there had been snow flurries that afternoon.
Two years into the case, that was virtually all the investigators had. Sand watched the video again and again, trying to pick up every little detail: the S.U.V.’s make; the man’s indistinct appearance: most likely in his 40s, and 100 pounds overweight, maybe more; the tenor of his voice.
Sand, a baby-faced Iowan who turned down Harvard Law School for the University of Iowa College of Law, had a background that seemed perfect for the case: a high school job writing computer code and doing tech support, a specialty in white-collar crime. His recent cases included securities fraud and theft by public officials.
The ticket in the video was purchased on Dec. 23, 2010. Six days later, the winning Hot Lotto numbers were selected: 3, 12, 16, 26, 33, 11. The next day, the Iowa Lottery announced that a QuikTrip in Des Moines had sold the winning ticket. But one month after the numbers were drawn, no one had presented the ticket.
The Iowa Lottery held a news conference. Phone calls poured in; dozens of people claimed to be the winner. Some said they had lost the ticket. Others said it was stolen from them. But lottery officials had crucial evidence that wasn’t publicly available: the serial number on the winning ticket and the video of the man buying it. One by one, they crossed off prospective claimants. One caller said his friend was a regular Hot Lotto player who had just died in a car wreck — should he go to the junkyard to search through his deceased friend’s car?
Three months after the winning ticket was announced, the lottery issued another public reminder. Another followed at six months and again at nine months, each time warning that winners had one year to claim their money. “I was convinced it would never be claimed,” says Mary Neubauer, the Iowa Lottery’s vice president of external relations. Since 1999, she had dealt with around 200 people who had won more than $1 million; she’d never seen a winning million-dollar ticket go unclaimed. “And then comes Nov. 9, 2011.”
A man named Philip Johnston, a lawyer from Quebec, called the Iowa Lottery and gave Neubauer the correct 15-digit serial number on the winning Hot Lotto ticket. Neubauer asked his age — in his 60s, he said — and what he was wearing when he purchased the ticket. His description, a sports coat and gray flannel dress pants, did not match the QuikTrip video. Then, in a subsequent call, the man admitted he had “fibbed”; he said he was helping a client claim the ticket so the client wouldn’t be identified.
This was against the Iowa Lottery rules, which require the identities of winners to be public. Johnston floated the possibility of withdrawing his claim. Neubauer was suspicious: The winner’s anonymity was worth $16.5 million?
One year to the day after the winning numbers popped up on the random-number-generator computers — and less than two hours before the 4 p.m. deadline — representatives from a prominent Des Moines law firm showed up at the Iowa Lottery’s headquarters with the winning ticket. The firm was claiming the ticket on behalf of a trust. Later, the Iowa Lottery learned that the trust’s beneficiary was a corporation in Belize whose president was Philip Johnston, the Canadian attorney. “It just absolutely stunk all over the place,” says Terry Rich, chief executive of the Iowa Lottery. The Iowa attorney general’s office and the Iowa Division of Criminal Investigation opened a case.
In an interview in Quebec City, Johnston told investigators that he had been contacted about the ticket by a Houston attorney named Robert Sonfield. Johnston also pointed investigators toward a Sugar Land, Tex., businessman named Robert Rhodes. A trip to Texas by Iowa investigators proved fruitless; during their several days there, both Sonfield and Rhodes managed to avoid them.
By the time the file ended up on the desk of Rob Sand in 2014, the case had acquired cultlike status in his office. It was spoken about with gallows humor: “We’ll find the guy who bought the ticket ended up getting offed,” Sand said. “That’s what this is going to turn out to be, a murder case.”
Miller had mentored Sand and saw in him a kindred spirit, someone for whom practicing law was a calling. Sometimes Sand’s moral compass was so steady that he came off as a square; his brothers-in-law nicknamed him Baby Jesus. Sand grew up in Decorah, in northeast Iowa, the son of a small-town doctor who still made house calls. He wanted to get into white-collar criminal prosecution because it focused not on crimes of desperation but on crimes of greed. “Crimes against gratitude,” Sand called them.
But all he had was grainy video of a man buying a lottery ticket worth $16.5 million. “We only had one bullet left in our revolver,” Sand says, “and that was releasing the video.”
On Oct. 9, 2014, nearly 46 months after the man in the hoodie left the QuikTrip, the Iowa Division of Criminal Investigation put out a news release that included a link to a 74-second clip of the surveillance footage. A few days later, in Maine, an employee of the Maine Lottery opened an email forwarded from his boss. The employee recognized the distinct voice in the video: It belonged to a man who had spent a week in the Maine Lottery offices a few years earlier conducting a security audit.
In Des Moines, a web developer at the Iowa Lottery who watched the video also recognized that voice: It belonged to a man she had worked alongside for years. A receptionist in another lottery office handed her earbuds to Noelle Krueger, a draw manager, and told her to listen. “Why am I listening to a video or listening to a tape of Eddie?” Krueger replied.
By Eddie, she meant Eddie Tipton, the information-security director for the Multi-State Lottery Association. The organization runs lotteries for 33 different states plus the District of Columbia, Puerto Rico and the U.S. Virgin Islands. It was based in the Des Moines suburbs. Among the games it ran was the Hot Lotto.
Eddie Tipton cut a big, friendly figure around the office of the Multi-State Lottery Association. He grew up in rural Texas, but while his siblings were outside, he was always in his room, fiddling with his computer. He was a paranoid sort who rarely paid with credit cards, who worried about people tracing his identity. But he always wanted people to like him. When a co-worker was in a bad mood, one colleague said, Tipton would pat him on the shoulder and say, “I just want you to know I’m your friend.”
Tipton built a 4,800-square-foot, $540,000 house in the cornfields south of Des Moines. The house had five bedrooms and a huge basement, including a pool table, a shuffleboard table, a stadium-style home theater with couches and a space he considered turning into a basketball court. Friends wondered why a single man needed such a big house and how he could afford it on a salary just shy of $100,000 a year. In private moments, Tipton told them he was lonely and wanted a family more than anything, so he poured his savings into the house he hoped to fill with a wife and children. But the right partner never came. Instead, he hosted office Christmas parties, and he constantly asked friends to visit. His family, still in Texas, checked on him frequently.
His life revolved around his job. The Multi-State Lottery Association was a small organization, and Tipton felt overextended. He wrote software and worked on web pages. He handled network security and firewalls. And he reviewed security for lottery games in nearly three dozen states. He was putting in 60-hour weeks and staying at the office until 11 p.m.
When Ed Stefan, the chief information officer and chief security officer at the Multi-State Lottery Association, saw the surveillance video, he didn’t want to believe it. This wasn’t just some co-worker. This was Eddie Tipton, a man he had known for more than two decades, since they were in calculus class at the University of Houston. Stefan met his future wife while he and Tipton were on a charity bike ride in Texas; Tipton would later be in their wedding. Stefan helped Tipton get his job at the association. They bought some 50 acres of land together and built adjacent houses. They even applied for a joint patent for computer-based lottery security.
Stefan watched the convenience-store video for the first time after a former co-worker sent him the link that had been released by prosecutors. That just can’t be Eddie, he thought. Then: That’s Eddie. Why is he wearing a hoodie? I’ve never seen Eddie in a hoodie. Stefan got sick to his stomach: His friend, a man with deep knowledge of the computers that ran the lottery, was there onscreen buying a ticket that would be worth $16.5 million. Later, Stefan would tell investigators it was like finding out your mother was an ax murderer. He felt betrayed.
Jason Maher was another friend and colleague who didn’t want to believe what he was seeing on the video. He and Tipton had met at Taki, a Japanese restaurant outside Des Moines that they both frequented. The lifelong computer aficionados and gamers hit it off; Tipton joined Maher’s gaming clan, and they spent hours playing the multiplayer online game World of Tanks. Tipton suggested Maher apply for a job at the lottery association as a network engineer. Tipton, Maher told me, “had a heart of gold.”
So when Maher saw the video and heard that familiar low-pitched voice, he did what a computer whiz does. “That night I sat down — there’s no way Eddie did this,” Maher said. “There’s got to be something wrong.” He put the file of the surveillance tape into audio software, removed white noise and isolated the voice. Then he took footage from security cameras in his house — Tipton had just visited the night before — and compared Tipton’s voice in that footage with the convenience-store video. “It was a complete and utter match, sound wave and everything,” Maher said. The next day, he went to the QuikTrip where the ticket was purchased and measured the dimensions of the tiles on the floor, the height of the shelving units, the distance between the door and the cash register. He used the results to compare the hand size, foot size and height of the man in the video with the man he had become friends with.
“When the F.B.I. guys came in, I wanted to be able to tell them it wasn’t Eddie,” Maher said. “Once I did this, it was like, ‘Well, [expletive] — it’s Eddie.’ ”
In November 2014, state investigators showed up at Tipton’s office. They asked him whom he knew in Houston. He told them about his family — mother, sister and brothers, including Tommy, a former sheriff’s deputy turned justice of the peace near the Texas Hill Country. He did not mention Robert Rhodes, the man who initially passed the $16.5 million ticket to an attorney. By searching Tipton’s LinkedIn profile, investigators found that Tipton had been employed at Rhodes’s Texas-based software company, Systems Evolution, for six years as its chief operations officer. In fact, the two were best friends and vacationed together.
Tipton was arrested in January 2015 and charged with two felony counts of fraud. Half a year later, on a hot, sticky July morning, Rob Sand stood before a jury at the Polk County Courthouse. “This is a classic story about an inside job,” he began. “A man who by virtue of his employment is not allowed to play the lottery, nor allowed to win, buys a lottery ticket, wins and passes the ticket along to friends to be claimed by someone unconnected to him. This story, though, has a 21st-century twist.”
The prosecution knew Tipton had bought the winning ticket. The video, specifically the distinct voice that colleagues had recognized, made that pretty clear. So did cellphone records, which showed Tipton was in town that day, not out of town for the holidays as he claimed, and that he had been on the phone for 71 minutes with Robert Rhodes, the man who briefly had possession of the ticket. Investigators believed he’d fixed the lottery. But how?
Jason Maher, Tipton’s gaming buddy, told them about Tipton’s interest in rootkits: malicious software that can be installed via flash drive in order to take control of a computer while masking its existence until it deletes itself later. Sand theorized that Tipton went into the draw room six weeks before the big jackpot and, despite the presence of two colleagues, managed to insert a thumb drive into one of the two computers that select the winning numbers. That thumb drive contained the rootkit; the rootkit allowed Tipton to direct which numbers would win the Hot Lotto on Dec. 29, 2010.
Tipton’s defense attorney, Dean Stowers, called this the “Mission: Impossible” theory. Stowers characterized the story of a malicious, self-destructing rootkit (“magic software”), installed while two colleagues looked on, as preposterous. His closing arguments referenced a quotation attributed to Albert Einstein: “Logic will get you from A to B. Imagination will take you anywhere.”
But Sand called Stowers’s focus on this complicated rootkit theory a red herring. Sand told the jury to focus on the many ways Tipton could have fixed the lottery: He wrote the code. He had access to the random-number-generator machines before they were shipped to other states. You don’t have to understand the exact technology to convict Tipton, Sand argued; you just have to realize the near-impossible coincidence of the lottery security chief’s buying a winning ticket and that ticket’s being passed to his best friend. The prosecution had to prove only that Tipton tried to illegally buy lottery tickets as a Multi-State Lottery Association employee and tried to claim the prize through fraudulent means.
The jury found him guilty on July 20, 2015. He would be sentenced to 10 years in prison, and he would appeal. The State Supreme Court later dismissed his conviction on one charge, tampering with lottery equipment, and the case was sent back to District Court.
Six weeks after the trial concluded, Sand had returned to his desk. It had been a busy summer. But in the back of his mind, he was still thinking about Eddie Tipton. Sand knew white-collar criminals aren’t usually caught on their first attempt. The fact that Tipton’s attorney had demanded a 90-day speedy trial, an unusual maneuver that cut short the prosecution’s time to investigate, made Sand suspicious. His gut said other fraudulent lottery tickets were out there.
One morning Sand’s office phone rang, and an area code he recognized popped up: 281, from Texas, where Tipton used to live. Sand picked up. The caller had a drawl and told Sand he’d seen an article in the La Grange, Tex., newspaper about Tipton’s conviction. “Did y’all know,” the tipster asked, “that Eddie’s brother Tommy Tipton won the lottery, maybe about 10 years back?”
Richard Rennison’s phone rang at the F.B.I. office in Texas City, a port town on the shore of Galveston Bay. Sand was on the line, inquiring about a case that Rennison, a special agent for the bureau, investigated a decade before. At the time, it turned out to be nothing. But the case still stuck in Rennison’s mind. “Hey,” Rennison replied, “that’s my Bigfoot case.”
A man named Tom Bargas had contacted local law-enforcement authorities in early 2006 with a suspicious story. Bargas owned 44 fireworks stands in Texas. Twice a year — after the Fourth of July and after New Year’s — he had to handle enormous amounts of cash, more than a half-million dollars at once. A local justice of the peace who shod Bargas’s horses called him around New Year’s. The justice of the peace caught Bargas off guard: “I got half a million in cash that I want to swap with your money.” “What’s wrong with your money?” Bargas replied.
What’s a justice of the peace who makes around $35,000 a year doing with that much cash? Bargas thought. He called the sheriff and the police, who called the F.B.I. Soon, the bureau contacted Bargas. Federal agents outfitted him with a wire. Bargas met with the man, who pulled out a briefcase filled with $450,000 in cash, still in their Federal Reserve wrappers. As the F.B.I. listened, Bargas swapped $100,000 of worn, circulated bills for $100,000 of the man’s crisp, unused bills. To the F.B.I., this smelled like public corruption, and they went to work investigating the serial numbers on the bills.
One day a couple of months later, Rennison got a call from the Fayette County sheriff in La Grange, a place best known for the Chicken Ranch, the brothel that inspired “The Best Little Whorehouse in Texas.” The sheriff was laughing so hard he could hardly speak. He told Rennison the justice of the peace was holed up in a Houston hospital with two shattered legs. He had fallen 31 feet out of a tree. He had been hunting Bigfoot.
“My grandmother was raised on a farm in Arkansas where this creature would come in and harass all the farm animals,” this man later told investigators. “My grandmother would tell me all these stories of this animal that harassed my family.” He went on: “I started hitting the woods. It was always that doubt in your mind. And then something happened to me in Louisiana where I actually watched these animals for a couple of hours, and I’ve been hooked ever since.”
Rennison visited the man in the hospital and then set up an interview once he was discharged. The man was a member of the Bigfoot Field Researchers Organization. He told Rennison he’d won the lottery in Colorado while on a Bigfoot hunt. He was on the outs with his wife and was trying to keep the lottery winnings from her. A Bigfoot-hunting friend claimed the prize in exchange for 10 percent of the money. It all checked out. Case closed.
“Right before I leave, we’re still sitting down at this nice conference table, and he looks over at his attorneys and says, ‘Can I show him?’ ” Rennison recalled. “Hanging off the back of his chair is a plastic grocery bag. He pulls out a plaster cast of a footprint.”
Rennison put the footprint next to his own foot. They were roughly the same size. “That doesn’t look like Bigfoot,” the F.B.I. agent said. “It was a juvenile,” the man snapped. The man’s name was Tommy Tipton.
Now the hunt was on for more illicitly claimed tickets. Iowa investigators noticed that the friend who claimed the $568,990 Colorado Lottery prize for Tommy Tipton, a man named Alexander Hicks, was dead. “We first thought, Whoa — this is our first body related to this case,” Sand says. It wasn’t. Hicks had died of cancer.
The investigators collected a decade’s worth of winners from lotteries around the country associated with the Multi-State Lottery Association. They loaded data from approximately 45,000 winning tickets into Microsoft Excel spreadsheets and searched for any connections to Eddie Tipton. They reviewed Tipton’s Facebook friends, pulled phone records and looked for matches with the spreadsheet.
In September 2015, they learned that a $783,257.72 payout for Wisconsin’s Very Own Megabucks Game had been claimed in early 2008 by a Texas man named Robert Rhodes, who wanted to deposit it into the account of a limited-liability corporation. That drawing took place on Dec. 29, 2007 — the same day the winning numbers on Tipton’s $16.5 million Iowa ticket were selected three years later. Rhodes was Eddie Tipton’s best friend. Another hit.
One evening over the holidays, Sand was at his parents’ house working on his laptop, sifting through records, using search commands on his computer again and again. He noticed that a Kyle Conn from Hemphill, Tex., won a $644,478 jackpot in the Oklahoma Lottery some years back. Tommy Tipton had three Facebook friends named Conn. Sand got a list of possible phone numbers for a Kyle Conn and cross-referenced them with Tommy Tipton’s cellphone records. Another hit.
Investigators noticed two winning Kansas Lottery tickets for $15,402 apiece were purchased on Dec. 23, 2010 — the same day Tipton had purchased the Iowa ticket, and the same day that cellphone records indicated he was driving through Kansas on the way to Texas for the holidays. One of the winning tickets was claimed by a Texan named Christopher McCoulskey, the other by an Iowa woman named Amy Warrick. Each was a friend of Eddie Tipton’s.
Early one morning, Sand and an investigator knocked on the woman’s door. She told them she’d gone on one date with Tipton, but their relationship became platonic. Tipton told her he wasn’t able to claim a winning lottery ticket because of his job. If she could claim it, Tipton said, she could keep a significant portion as a gift for her recent engagement.
“You have these honest dupes,” Sand says. “All these people are being offered thousands of dollars for doing something that’s a little bit sneaky but not illegal.” Investigators in Iowa now had six tickets they figured were part of a bigger scam. But the question remained: How did it work?
Investigators in Wisconsin discovered they still had the random-number-generator computers used for the 2007 jackpot sitting in storage. Unlike Iowa’s computers, the hard drives had not been wiped clean; their software was the same as the day Robert Rhodes won $783,257.72. Wisconsin enlisted a computer expert named Sean McLinden to conduct an investigation that included forensic analysis and reverse engineering.
On Jan. 7, 2016, Sand’s phone rang. It was David Maas, an assistant attorney general in Wisconsin. He told Sand to check his email. Maas had sent him an attachment with 21 lines of “pseudocode,” a common-language translation of McLinden’s forensic analysis that showed part of Tipton’s malicious computer code. The code was small enough that it would not radically change the size of the file, which might create suspicion. And the code hadn’t been hidden. You just needed to know what to look for.
“This,” Maas says, “was finding the smoking gun.”
The smoking gun would help lead to a guilty plea from Tipton. In the plea deal, Sand insisted that Tipton come clean about how he fixed the lottery. This could help the lottery industry improve its security. If Tipton lied — or if another fraudulent ticket were found later — the deal would be voided, and Tipton would be subject to further charges.
Tipton’s program was called QVRNG.dll: Quantum Vision Random Number Generator. In Tipton’s telling, his wasn’t an evil plan to get rich. This was just a computer nerd’s attempt to crack the system. “It was never my intent to start a full-out ticket scam,” Tipton told investigators. “It occurred to me, like, Wow, I could do this, I could be making a living doing this.” He went on: “If this was, like, some mob-related thing, I’d just give this information to the mob and they would go out and win the lotteries left and right. Nobody would know. But that — I don’t have any mob ties. I don’t know anybody. I gave tickets to friends or family.”
More than a decade ago, Tipton told them, he walked past one of the organization’s accountants at the Multi-State Lottery Association. Tipton was conservative, the accountant liberal, and they often ribbed each other.
“Hey, did you put your secret numbers in there?” the accountant said, teasing Tipton.
“What do you mean?”
“Well, you know, you can set numbers on any given day since you wrote the software.”
And that’s when the idea first came. “Just like a little seed that was planted,” Tipton said in his proffer. “And then during one slow period I just had a — had a thought that it’s possible, and I tried it and I put it in.” The code wasn’t a brazen “Mission: Impossible” stunt of sneaking into the draw room with a malicious thumb drive. It was a simple piece of code, partly copied from an internet source, inserted by the one man responsible for information security at an organization that runs three dozen United States lotteries.
Here’s how the Multi-State Lottery Association’s random-number generators were supposed to work: The computer takes a reading from a Geiger counter that measures radiation in the surrounding air, specifically the radioactive isotope Americium-241. The reading is expressed as a long number of code; that number gives the generator its true randomness. The random number is called the seed, and the seed is plugged into the algorithm, a pseudorandom number generator called the Mersenne Twister. At the end, the computer spits out the winning lottery numbers.
Tipton’s extra lines of code first checked to see if the coming lottery drawing fulfilled Tipton’s narrow circumstances. It had to be on a Wednesday or a Saturday evening, and one of three dates in a nonleap year: the 147th day of the year (May 27), the 327th day (Nov. 23) or the 363rd day (Dec. 29). Investigators noticed those dates generally fell around holidays — Memorial Day, Thanksgiving and Christmas — when Tipton was often on vacation. If those criteria were satisfied, the random-number generator was diverted to a different track. Instead, the algorithm would use a predetermined seed number that restricted the pool of potential winning numbers to a much smaller, predictable set of numbers.
So Tipton knew what no one else knew: For the Iowa Hot Lotto drawing on Dec. 29, 2010, there weren’t really 10,939,383 sets of possible winning numbers. There were only a few hundred. Late at night before a draw that fulfilled his criteria, Tipton stayed in his messy, computer-filled office. He set a test computer to the date and time of the coming draw, and he ran the program over and over again. For the first lottery he rigged, the Nov. 23, 2005, drawing in Colorado, Tipton wrote down each potential set of winning numbers on a yellow legal pad. He handed the pad — each sheet had 35 or so sets of six numbers — to his brother.
It was a cheat sheet; instead of playing every possible number combination to ensure one combination won, he had to play only a few hundred. “If you want a chance to win, you need to play all of these,” Tipton told his brother. “I don’t know if any of them will win, but you’re going anyway” — his brother was about to go on a Bigfoot-hunting trip to Colorado — and “these have a good chance of winning based on my analysis.
“Play them,” he said. “Play them all.”
On a clear, blue summer day in Des Moines last year, Eddie Tipton, a square-shaped, balding man who was then 54, trudged up the stairs of the Polk County Courthouse. He wore bluejeans and a short-sleeved salmon-colored button-up shirt, untucked and unbuttoned, with a blue T-shirt underneath. His hands were shoved in his pockets, and his head was down. He had accepted a plea agreement for masterminding the largest lottery scam in American history: one count of ongoing criminal conduct, part of a package deal that allowed his brother to be sentenced to only 75 days. Tipton was here for his sentencing.
In statements to prosecutors, Tipton painted himself in the most generous way possible, a kind of coding Robin Hood, stealing from the lottery and helping people in need: his brother who had five daughters, his friend who’d just gotten engaged. “I didn’t really need the money,” Tipton said. The judge noted that Tipton seemed to rationalize his actions — that Tipton didn’t think it was necessarily illegal, just a taking advantage of a hole in the lottery’s system. It wasn’t all that different, Tipton believed, from insider trading, except laws didn’t specifically prohibit him from fiddling with the random-number-generator code. His attorney equated what he did with counting cards at a casino. Tipton wasn’t robbing the casino at gunpoint; he was cheating the house.
The other side disagreed. Tipton was “nothing but a common thief who happened to be handed the keys to the candy store,” Miller, Sand’s former boss, told me. “It’s not a case of Sherlock Holmes’s archnemesis, Moriarty, being a criminal genius. This is just a regular schlub, who is a thief who happens to have knowledge of computer security.”
From Tipton’s point of view, it was complicated. He had done something to see if he could do it. To his surprise, it worked. He said he inserted that code only once; after the code was approved by Gaming Laboratories International, machines containing it were shipped all over the country. He had created a beast and sent it into the world. “You plant that money tree in your backyard,” as Maas, the Wisconsin prosecutor, put it, “and it’s hard not to keep picking at it.”
In interviews, investigators had asked Tipton if he was proud of the success of his code. “It was more like I’m ready for it to be gone,” Tipton said. “It was never my intent to go out there and start winning all these lotteries. It was just, like I said, step by step it happened.”
At sentencing, the judge asked if Tipton had anything to say. After a long pause, Tipton cleared his throat. Family members and former co-workers were in the courtroom. “Well,” Tipton said matter-of-factly, “I certainly regret my actions. It’s difficult to say that with all the people behind me that I hurt. And I regret it. I’m sorry.” As the case was being litigated, Tipton had confessed to friends that he was racked with guilt. At another point during the proceedings, Tipton leaned across a divide and extended his hand to Sand. Sand took the handshake as a sign of respect, as if Tipton had thought he outsmarted the system but the system figured him out. On the day of his sentencing, Tipton told the judge he’d been taking classes to go into ministry. A deputy placed Tipton in handcuffs and led him away.
Earlier in the summer, Tipton sat in a conference room with Sand and law-enforcement and lottery officials to give his full confession, as promised in his plea agreement. Eventually he would head to Clarinda Correctional Facility in southern Iowa, near the Missouri border, where he remains today, Offender No. 6832975. (Through his attorney, he declined interview requests for this article; Tipton did not respond to nearly a dozen emails through the prison email system.)
During a lunch break in Tipton’s hourslong confession, Sand and others involved in the prosecution walked a few blocks to the High Life Lounge. They ordered bacon-wrapped tater tots to celebrate. “Eddie sees himself as much brighter than the rest of the world, the sharpest tool in the toolbox,” Sand says. “It’s the kind of thing I see in white-collar case after white-collar case, people who think they’re better than everybody else, that people trust them and love them, and that no one will be able to figure this out.”
The judge sentenced Tipton to a maximum of 25 years in prison. His restitution payments to the various state lotteries came to $2.2 million even though, according to his attorney, Tipton pocketed only around $350,000 from the scam, the rest going to those who claimed the tickets. (Prosecutors did not believe that, pointing to Tipton’s massive house as well as the fact that Tipton and his brother owned 11 pieces of property either jointly or individually in Fayette County, Tex.) In Iowa, which has indeterminate sentencing, a 25-year sentence could mean Tipton is released much sooner; Sand expects Tipton to be released by the Iowa Board of Parole within seven years.
Sand says he felt a deep intellectual satisfaction in solving the puzzle: “The justice system at its best is really about a search for truth.” But it couldn’t go back in time and correct wrongs. At the end of this yearslong case, he came to a realization: He had grown weary of dealing with criminals. “In so much darkness,” Sand says, “I started to lose my light.”
A few months after the highest-profile case of his career, Sand went up to his boss and quit. He had decided to run for state auditor in the coming November election, so he could make positive changes. If he wins, he will be investigating government waste, abuse and fraud. “There’s no way I would make a move to get away from the darkness of prosecution without finishing this case first,” Sand says. “So finishing it, to me, was not merely satisfying. It was liberating.”