Hacked BDO Accounts Used To Buy Bitcoin Through UnionBank – Manila Bulletin


The social media community in the country is abuzz with rants about BDO accounts hacked by cybercriminals, stealing from 25,000,000 to 50,000 pesos per account.

While initial information shows that this is a form of SMiShing attack where account holders have been scammed to verify they have accounts in BDO, the accounts to which the scammed money is transferred are all UnionBank accounts. BDO’s money is transferred to the scammer as the victims claim to a certain Mark D. Nagoyo with multiple UnionBank accounts.

Numerous victim groups on the Facebook page have surfaced where members share their experiences of what happened. One of the larger FB groups with over 150 members informed me that this was not a phishing attack. Members assured that none of them clicked a link from a message, text or email, preventing cybercriminals from obtaining their contact details.

Cover photo of the FB group of BDO account holders claiming to be victims of unauthorized transactions.

One of the victims, Ellard Chua, said P 50,000 from his account was transferred to a UnionBank account which he immediately reported. Ironically, cybercriminals used his name in one of the UnionBank accounts used to receive money from victims. His job number was also used. What alarmed Ellard Chua was the growing number of victims of this security incident. The Facebook group he monitors has more than 150 victims; it’s people on social media, “what about those who don’t join groups like this?” ” He asked. Here is his article on the incident: www.facebook.com/ellard.chua/posts/10158055201870216/

Another victim, James Sarmiento, one of the first victims to report the incident, said he lost 100,000 P on December 9 at around 3 a.m.

“To sum up, we have all had unauthorized transactions from our BDO account to another bank account, either to multiple BDO accounts or to multiple Unionbank accounts. The cases run from November 29 until today and are continuing. ”

In a Facebook chat, Sarmiento said: “What is alarming is that we are very sure that these are security breaches on BDO’s part and not our negligence.” When asked why he was sure it was not a phishing attack, he explained, “1. We never received an OTP that someone logged into our account. 2. Some of us have received email alerts that a new device has been added or password changed without receiving an SMS or OTP prompt. These alerts are accompanied by fund transfer notifications. 3. Some of us were billed more than our daily limit of 50K. I was billed 2x 50K BDO to BDO and BDO to Unionbank. 4. Finally, we are not victims of phishing and spam link clicks. I am an IT professional and one of our group is a seasoned cybersecurity professional. We want people to know that we are aware of these scams and haven’t clicked on any of them.

Manila Bulletin Technews received information from a reliable source that UnionBank account # 1094211022533 was used to purchase Bitcoin worth P5M pesos in the cryptocurrency market on December 11. The hacker siphoned money from BDO victims, transferred it to the UnionBank account number using a fictitious name, and immediately bought Bitcoin. Scammers rush to do this over the weekend because they know that complaints are usually dealt with during office hours.

UnionBank is the preferred bank for cybercriminals because it has no limits on its transactions. By default, account holders can transfer up to PHP 500,000 per day, but you can change this at any time to any amount you want. BDO’s daily limit is only 50,000 P.

Here are the names and account numbers used by crooks to receive money from BDO victims. As Ellard Chua said, account names are irrelevant to the bank when transferring money, and what is important is the correct account number that will receive the transfer. That’s right, when we checked, one of the victims’ accounts transferred money to an account with the name GDHDVD HDJDHDH V verifying what Ellard Chua said that the account names are irrelevant in money transfer transactions.

Account names are irrelevant to the bank when transferring money, and what is important is the correct account number that will receive the transfer.

I spoke with the victims with above average and advanced knowledge of computer and internet security. They all said that the cybercriminals did not trick them into clicking on a malicious link to get their credentials. Ellard Chua, a successful and low-key businessman, has been banking online for a long time and knows the dangers of this technology better than anyone. Based on his experience and expertise, cyber criminals are unlikely to be able to phish him.

With the information currently available to us, we can say that this is a successful cybersecurity attack against BDO. When I asked Ellard Chua about steps account holders could take to protect their accounts, his response was: “Nothing. It is a security breach. Until BDO secures its systems, users can only do one thing and that is to turn off their online banking so that nothing can be charged.

We are still awaiting BDO’s statement on this incident.