How big banks lost billions in one week to cyber criminals

A hacker breached the inter-bank money transfer system to siphon Sh6.9 million from a bank in the first week of January.

The hack, targeting Pesa Link, has triggered a massive cybercrime investigation into the loss of billions of shillings.

Pesa Link facilitates real time inter-bank transactions. Barely two months after it was launched in 2017, two million customers signed up.

The application is designed in such a way that a customer can transfer money from their own account to others held in other banks. It also allows customers to wire money to their mobile phones.

One can also pay bills or even buy goods through the app.

Papers filed by police in court to obtain warrants of arrest for 130 fugitives wanted by the Directorate of Criminal Investigations (DCI) detail how suspects hacked bank systems, moved cash into holding accounts and then withdrew it from multiple accounts.

Some of the withdrawals were done from automated teller machines hundreds of kilometres from the affected banks, highlighting the wide reach of the racket.

Captured figures

Although the figures captured in papers filed in courts in Nairobi and Kiambu were modest, DCI boss George Kinoti said the money involved in the investigation runs into billions of shillings.

“They have stolen billions of shillings from innocent Kenyans. Financial institutions are suffering because of these suspects’ actions,” Mr Kinoti told The Standard.

Industry players are alarmed that the amounts stolen from banks through cybercrime have risen over the years, from Sh14 billion in 2015, Sh17 billion in 2016 and Sh21 billion in 2017.

There are fears that the 2018 report expected in March could paint an even grimmer picture.

In court records, police say the suspects are habitual offenders and are wanted for various conspiracy and electronic offences by the DCI.

One of the methods used by the hackers involves gaining unauthorised access to the core banking system to make suspicious deposits - emptied from targeted accounts - and subsequent withdrawals from multiple accounts. Affected banks only uncover the theft during reconciliation.

Another scheme targets users of mobile phone money transactions. In this case, users receive an anonymous message on a certain transaction. Once they click on a link provided, they unwittingly instal a malware that harvests login information and passwords. The crooks are then able to gain access to the account and empty it.

Yet another racket involves disgruntled employees or former employees with intricate knowledge of, for instance, dormant accounts from which money can be spirited out without detection, or even gaps in the system.

The criminals then skim off a little amount from each of the accounts, say Sh10, which clients are unlikely to detect. This grows into a tidy sum once skimmed from thousands of accounts.

The fraud in question, which investigators believe happened between January 1 and 7 this year, benefited at least 50 people who are now at the centre of investigations.

The stolen money was wired through Pesa Link to accounts in eight banks and the money withdrawn through ATMs and mobile phones.

Milimani Magistrate Martha Mutuku was told of a bank that found out that it had lost money because Pesa Link transactions were not supported by its internal debits.

The hacker fused the stolen money in 14 accounts in the first bank. In the second one, eight accounts were suspected to have benefited.

A third bank had six people benefiting while the fourth bank held nine accounts that received the suspect money.

The hacker also wired money to eight accounts in the fifth bank while another lender had two accounts as beneficiaries. A seventh bank had two recipients while the eighth bank had one account.

“The amount was fraudulently credited in the said accounts on diverse dates between January I and January 7, 2019, through Pesa Link,” said Simon Obiero, who is investigating the scam.

The suspects have since gone into hiding.

Police said they were on the trail of 38 other suspects who received money from another bank that had been placed in receivership. A Kiambu court heard that the bank’s system was compromised, leading to a loss of Sh12 million. Officer Josphat Mugo said the money was lost in suspicious deposits and withdrawals from an account at a branch in Kisii on July 8, 2018, which was not a working day for the branch, affecting 43 accounts.

Kiambu Senior Principal Magistrate Stella Atambo issued warrants of arrest against the suspects, whose names will now be circulated to all police stations in the country.