A 43-year-old software manager of a Chinese bank managed to withdraw over 7 million yuan (more than $1 million) from ATMs of the same bank by exploiting a ridiculous loophole.
According to the South China Morning Post, Huaxia Bank’s system didn’t properly record the withdrawals made around midnight — allowing it to vend out cash without deducting the amount from the users’ account.
On realizing this flaw, Qisheng started withdrawing money in November 2016 which continued until January 2018.
Usually, withdrawing money in such manner flags the transaction but the software programmer had allegedly inserted scripts into the system to suppress those alerts.
Since the money had to come from somewhere, Qisheng used a “dummy account” created by the bank for internal testing purposes.
After 1,358 withdrawals, the bank finally discovered the bad code in its system and also reported Qisheng to the authorities. On getting caught, he tried to pass it off as “internal security tests” to examine the loophole.
However, when it came to the money, he said the funds were simply “resting” in his own account, only to be returned to the bank (yeah, because that’s usually what one does).
But here’s where the story gets interesting — Huaxia bank dropped the charges once the software manager returned the money.
Perhaps the bank feared bad publicity, and after the loophole was fixed, the bank asked the police to drop the case by going along Qisheng’s explanation — that he was simply testing the bank’s security.
However, the law enforcement did not buy the story and eventually arrested him for theft. The court didn’t accept his argument, considering that he had moved the stolen money to his personal bank account instead of the bank’s dummy account.
He had apparently invested some of it in the stock market too. So Qisheng has been sentenced to 10 and a half years in prison after losing his appeal.