City estates where hackers plot multi-billion bank heists

Gangs stole Sh2.6 billion in the last two years alone and are spreading their operations in East Africa

During last year’s Easter holidays, several banks in Kenya switched off their local area networks (LAN) in a curious and coordinated move.

While customers could continue transacting through their mobile money accounts and Internet banking platforms, employees could not get on their work emails or access internal servers.

The next day, news broke that criminals had made away with Sh11 million from automated teller machines (ATMs) belonging to Absa Bank Kenya (formerly Barclays Bank of Kenya) in a cyber-attack known as ATM jackpotting.

Word that cyber criminals were planning a massive attack on several local banks during the Easter holidays had gone around the previous week. Unsure if they were the target, many banks opted to switch off their Internet.

This significantly blunted the damage that would otherwise have been caused, forcing the gang to resort to less sophisticated but far riskier methods.

The criminals are part of a growing network of hackers made up of young IT graduates in their mid-to-late 20s, running multi-billion shilling heists out of estates to the north of Nairobi, including Kasarani, Roysambu and Ruiru, which are emerging as the Silicon Valley of hackers.

The Standard has also learnt that the groups made away with at least Sh2.6 billion in 2018 and 2019 alone, and are scaling their operations across the region.

However, in the past two years, business rivalry, greed and ambition have seen the ranks splinter, with smaller groups branching out into neighbouring countries and making Kenya a regional hub for cyber-criminals.

One group known as SilentCards has grown in notoriety as the most prolific and successful gang targeting tens of banks, micro-finance institutions and Saccos in the country, according to our sources.

According to a report by Group-IB, one of the top global providers of cyber security solutions, Kenya is emerging as one of the thriving hubs for cyber crime in the world.

“Currently, only five groups pose a real threat to the financial sector: Cobalt, Silence, MoneyTaker (Russian), Lazarus (North Korea), and SilentCards (a new group from Kenya),” explained the security firm in its 2019 High-tech Crimes report.

Group-IB has been conducting threat analysis for the last 15 years and says SilentCards is known for attacks on ATMs and card processing systems, and had operated under the radar of global security analysts until 2018.

The report said some malicious file samples were configured to work with servers on the local network.

This means the hackers already had a device (often an infected computer planted in the company network) within the organisation that allowed them to reach their target.

“These groups recruit young developers fresh out of college, who have a knowledge of programming languages like Python or PowerShell, and are also good with system development, and then promise them heaven,” explains John Gichuki, the chief technology officer at OnNet, a cyber threat analysis firm based in Nairobi.

Recruits are scouted and picked based on recommendations by gang members, and offered a “signing” fee, usually around Sh100,000, before they are taken in and trained, according to experts.

The gangs have reportedly rented “safehouses” in Kasarani, Roysambu and Ruiru estates, where the recruits are trained on how to infiltrate systems and re-wire monies from compromised networks.

In 2017, police arrested 16 suspects, including one who had hacked into Kenya Revenue Authority systems, operating from Roysambu and Muthaiga hideouts.

The estates are favoured by the gang leaders for their large population of young people, mostly students from the several universities and colleges along the busy Thika Superhighway.

At the same time, the availability of high-speed Internet and unregulated broadband connections on cheap subscriptions provides the ideal infrastructure for the hackers.

The safehouses are also used to train bank employees who have been persuaded and bribed to plant malicious software in banking networks. An employee of a global bank headquartered in Kenya reports having been offered Sh300,000 by members of SilentCards to plant an infected laptop in the company’s network.

“In 2018, researchers detected an incident that has been linked to the group SilentCards,” states the report in part. “The hackers gained access to a card processing system and successfully transferred Sh400 million by penetrating the corporate network and infiltrating the key servers responsible for money.”

Last year, the Directorate of Criminal Investigation (DCI) published the names and faces of more than 130 wanted people identified as suspects in ongoing cyber crime cases.

The Standard has, however, learnt that the list of suspects is largely composed of low-level gang members, most of them used as “money mules” who withdraw stolen money using doctored ATM cards.

Investigators last year reported that the hackers hit Consolidated Bank, siphoning Sh6.9 million in one week; the money was wired to accounts in eight other banks and withdrawn through ATMs and mobile phones.

“The amount was fraudulently credited into the said accounts on diverse dates between January 1 and January 7, 2019 through PesaLink,” cyber crimes investigator Constable Simon Obiero told the court last year during the hearing of the case in which several SilentCards hackers were charged in absentia.

“The respondents have since gone into hiding. I pray this court issues me with a warrant of arrest in respect to all people who have been mentioned,” Obiero pleaded.

Last year, eight members believed to be part of the ForkBombo gang were arrested in Kigali as they attempted to attack a bank and recruit money mules, after having hit the same bank in Uganda.

A warrant of arrest is currently out for the suspects.

Last December, Interpol’s Cybercrime Directorate and Kenya’s DCI hosted the 6th Africa Working Group on cyber crime in Nairobi.

The meeting brought together cybercrime experts to discuss regional cyber crime trends, operational priorities and capacity building, “and address unique challenges in the region.”