Banks suffer in silence as cyber gangs strike at will

The bank had closed for the weekend when the robbers struck.

Apart from the security guards at the entrances and a handful of IT technicians, the rest of the employees of the bank’s headquarters in Upper Hill Nairobi had gone home. Then the complaints started streaming in.

Clients started receiving messages about withdrawal of little amounts of money from their accounts on their mobile phones.

The tech-savvy ones took to social media to complain about money disappearing from their accounts while the rest waited for Monday to lodge official complaints.

By the time the bank realised what was happening, more than Sh400 million had walked away through a computer that had been connected to the bank’s network through its headquarters branch weeks earlier.

The culprits? A cybercrime gang whose roots began in 2015 and which has never been arrested.

Reason? The criminal justice system lacks the capacity to get the evidence needed to apprehend the suspects.

Bank run

Most importantly, however, is that the lender that lost the money fears putting through a public judicial process about the loss of money in their care as it could create a bank run.

Silent Cards, the name of the gang that pulled off the Sh400 million heist last year, continues to roam free and plot more cyberattacks.

With CCTVs all over the country and armed policemen stationed round the clock in banking halls, criminals can no longer walk into a bank and order everyone to lie down like it was done in days gone by. The real robbing of financial institutions, however, takes place on the Internet.

As people continue to venture into cyberspace and conduct more of their professional activities online, opportunities for cybercrime abound.

And while homegrown cyber gangs have been active in Kenya since 2015, the lack of an effective legal means to shut them down has given them room to evolve into large cartels made up of money launderers, hackers, coders and operators.

Transnational crime

What began as one-man operated criminals exploiting the weaknesses of Internet users to extort or defraud them has evolved into a multibillion-dollar transnational crime that knows no physical borders, whose masterminds are bleeding banks.

Kenya lost Sh21.1 billion to cybercrime in 2017, 40 per cent up from Sh15.1 billion in 2015, according to the 2017 Kenya Cybersecurity Report by Serianu, an IT services consultancy firm.

In 2018, the figure climbed to Sh29 billion. Banks accounted for 18 per cent of the attacks, while payment systems accounted for 10 per cent.

The Communications Authority of Kenya's cyber intelligence team detected at least 37.1 million cases of cyber threats in the period between October and December 2019. This was a 47.3 per cent increase from the previous quarter.

“Cybercrime has become one of the biggest challenges for the DCI (Directorate of Criminal Investigations),” Mr John Kariuki, DCI’s investigations boss told the Nation.

“One of the main problems is that when we arrest some of the suspects, they reach out-of-court settlements,” he added.

Here, a person is taken to court and the next day they are free to continue stealing.

Kenya has never successfully prosecuted and jailed a single suspect of cyber fraud. The police have limited resources and expertise to investigate such crimes.

Arrests are few and far between, and if one is arrested, the penalties are often too lenient.

“In other countries, cybercrime is treated as a serious offence that once arrested you can’t get bail. Here, a person is taken to court and the next day they are free to continue stealing,” says Mr Charles Gichuki the chief technology officer at cybersecurity firm OnNet Africa.

For instance, when the court found four businessmen guilty of hacking the Judiciary finance systems and requesting the National Treasury to pay Sh80 million to fictitious firms that supplied air in January this year, the ring leader of the gang, Reuben Kirongothi, did not turn up in court.

A month before the guilty verdict, Kirongothi had been arrested in Kigali for leading another 12-man gang in an attempt to hack into a Rwandese bank.

All the four Kenyans arrested in Rwanda were facing similar charges in Kenya, but were out on bond pending completion of their cases.

Under investigation

Eric Dickson Njagi had been arrested in 2013 for stealing Sh2.7 million; Godfrey Gachiri had a pending case for stealing Sh21.5 million; while Erickson Macharia Kinyua is still under investigation in Kenya for creating and operating a non-existent bank branch for more than a year.

Another example of how the legal system is aiding hackers is the case against 12 suspected members of hacking syndicate Forkbombo, which allegedly hacked the Kenya Revenue Authority’s system in 2017.

One of the suspected Forkbombo members, Alex Mutungi Mutuku, had been separately charged in 2015 for allegedly hacking Safaricom to steal airtime and NIC Bank (now merged with CBA Bank) and trying to extort Sh6.2 million from the lender.

The cases are still pending conclusion and Mr Mutuku, the leader of the gang who deleted his social media accounts after being arrested, has returned to his flamboyant posts.

But while the justice system has been slow in concluding cases touching on cybercrime, making it difficult to curb the crime in its entirety, banks which are the main targets, would rather focus on recovering lost money instead of making public what they lose.

The result is a constant disruption of service on mobile money platforms which is mostly disguised as system upgrades in messages sent to clients, according to insiders.

On average, one bank is successfully hit by hackers every month while hundreds of attacks are successfully repulsed.

But in reality, the banks suffer much more, something Kenya Bankers Association chair Habil Olaka says is more of a security issue than the common misconception that lenders are hiding shame.

Mr Olaka told the Nation that lenders usually prioritise recovery of lost money, and would rather silently pursue thieves than risk releasing evidence by going public.

“If you tell a thief that this is the evidence I have, they will simply cover their tracks.”

This silence by banks is, however, coming at a huge price.

***

Why Kenya is a haven for cybercriminals

What is puzzling law enforcement agencies and financial institutions is how Kenya, a country with meagre computing skills and resources, has hacked its way into the list of major global cybercrime hotspots.

But with its good Internet speeds, availability of cheap computers and a robust banking system driven by technology, it’s not difficult to figure out why Kenya continues to breed such sophisticated criminals. Kenya is also regarded as Africa’s Silicon Savannah and is the first choice for technology startups. The current unemployment rate stands around 10 per cent.