How Rwanda stopped Kenyan cybergang Forkbombo

When the dreaded Forkbombo cybergang relocated to Rwanda, their modus operandi was already known by security authorities, and they lay in wait and eventually arrested 12 individuals.

Cybersecurity firm OnNet Africa also had a hand in ending Forkbombo’s reign of terror, as it shared crucial information on the hackers with relevant authorities over the years, making the crooks predictable.

The 12 hackers arrested in Rwanda in 2019 were served eight-year jail terms and fined Sh6 million two weeks ago by a Rwandan court.

Forkbombo, formed by ex-Directorate of Criminal Investigations (DCI) cybercrime detective Calvin Otieno Ogalo, terrorised corporates and government institutions until 2017 when they attacked the Kenya Police Sacco.

After intercepting communication between Mr Ogalo’s group and two American nationals believed to be part of the hacking syndicate, detectives finally pounced on the cybergang and found evidence that was used to charge 11 individuals with hacking the Kenya Revenue Authority (KRA).

Police presented 10 suspected members of the hacking group to court for prosecution on March 28, 2017. Another member, Alex Mutungi Mutuku, was charged a week later for causing the Kenya Revenue Authority (KRA) to lose Sh3.9 billion.

One of the schemes the hackers ran at KRA was to help unscrupulous businessmen register imported vehicles without paying the required taxes. For a fee, the hackers would doctor the businessmen’s accounts with the KRA and clear the vehicles for use locally pending number plate allocation.

Forkbombo had been known to hack into the National Transport and Safety Authority (NTSA) system. It is not too far-fetched to imagine that the group may also have manipulated the State agency’s website to approve number plate allocations to the same businessmen.

The prosecution of 11 Forkbombo members nearly relegated the hacker group to history books.

Feared team of hackers

Its top boss, Mr Ogalo, was in custody. So was his top lieutenant and likely the most talented hackers, Mr Mutuku.

Mr Mutuku spent 40 days in police custody before he was eventually granted bail by the chief magistrate’s court. For the first time since 2013, Forkbombo’s operations seemed to have stalled.

The third in command at the syndicate, Mr Reuben Kirogothi Mwangi, saw a power vacuum and decided to fulfil his ambition to lead the feared team of hackers.

Mr Mwangi was one of the early recruits brought in by Mr Ogalo, and was also one of the first Forkbombo hackers to get arrested and charged for theft through manipulation of computer systems.

He was charged with four other Forkbombo members in 2013 for aiding in the theft of Sh80 million from the Judiciary, by making fraudulent payments to firms that had not supplied any goods or services.

Mr Mwangi paid his Meerkats (K) Ltd Sh6.6 million.

Other Forkbombo members who paid themselves from the Judiciary’s coffers were Henry Achoka through Bonarza Agencies (Sh12 million), Duncan Bokella through Integrated Real Estate Services (Sh7.5 million) and Martin Murathe through Williams Logistics (Sh3.9 million).

Mr Mwangi and Mr Achoka absconded court two years after being charged.

In filling the vacuum created by the arrest of Mr Ogalo and other members of the gang, Mr Mwangi garnered the support of four surviving senior members of the Forkbombo group, as he looked to pick up the pieces and regroup.

Erick Dickson Njagi, Godfrey Gachiri and Erickson Macharia Kinyua backed Mr Mwangi.

Read: Banks suffer in silence as cyber gangs strike at will

Multimillion shilling heists

They recruited another four individuals – Dedan Muchoki Muriuki, Samuel Wachira Nyuguto, Damaris Njeri Kamau and Steve Maina Wambugu before crossing over to Rwanda via Uganda in 2019.

By this time, the surveillance authorities placed on Forkbombo members was so intense, and security agencies across East Africa were happy to cooperate in sharing any information that would protect corporates from the multimillion shilling heists.

As soon as Mr Mwangi and his rebranded Forkbombo group crossed into Uganda in 2018, Interpol officers in Kenya alerted Ugandan authorities of the hackers’ movements, and warned that some corporates could be on the brink of losing millions.

In mid-June 2019, Mr Mwangi and his crew executed a salami attack at the Development Finance Company of Uganda (DFCU) Bank, but it took an entire month before the lender knew what had happened.

Forkbombo got two DFCU workers to plant their infamous software in computers owned by the lender.

For an entire month, the software slowly withdrew Ush700 million (Sh21.4 million) from depositors’ accounts.

This time, rather than buy ATM cards from desperate bank customers, Forkbombo went a step further and registered dummy bank accounts at DFCU. The two junior DFCU workers then collected several debit cards handed over by customers for renewal.

As the surrendered ATM cards had been deactivated, Forkbombo used its hackers to reactivate them and make withdrawals in small batches.

Much like any salami attack, the big one was yet to hit.

Siphon customers’ funds

In mid-July, DFCU discovered that Ush8 billion (Sh244 million) had been siphoned from several customers at a go.

Just as it was with Kenyan lenders that suffered under Forkbombo, DFCU’s internal monitoring system was unable to notice any irregularities between June and July, 2019 when millions was being silently siphoned from its accounts.

The lender reported the matter to police in Kampala, and the two junior DFCU workers were arrested alongside the two mules Forkbombo recruited to help withdraw the money. Forkbombo thought it had made a clean getaway.

Mr Mwangi and his crew lay low for nearly four months, before crossing into Rwanda where they would eventually suffer failure.

Authorities in Uganda may have failed to nab the hackers in Kampala, but were still keeping close tabs on Mr Mwangi and his crew.

No sooner had the hackers crossed into Uganda than police and Interpol officers in Kampala warned the Rwandan authorities of what was about to happen to banks.

The group arrived in Kigali in early October and started scouting for their next victim.

Intelligence operatives informed the Rwanda Investigations Bureau (RIB) that the hackers were targeting a minimum of four banks, including Kenyan-owned Equity Bank.

Towards the end of October, Forkbombo did a trial run by trying to get into Equity’s Eazzypay system to siphon customers’ funds. The hack failed, and the crooks retreated to reorganise their plans.

Forkbombo’s recruitment process

Rwanda’s strength in intelligence would prove to be too much for the hacker group, and it eventually led to 20 individuals – eight Kenyans, 11 Rwandans and one Ugandan – finally being locked up for cybercrime.

Equity Bank’s Kigali branch was also aware that the hackers were in town, and swiftly volunteered information it had to security authorities.

Mr Mwangi and his crew were approaching vulnerable low income earners like househelps and casual labourers to fill up vacancies in the money mule department.

Some money mules informed various security authorities, including Equity’s internal department, of the “job” offers they received.

Equity in turn told the RIB of Forkbombo’s ongoing recruitment process.

Equity Rwanda boss, Hannington Namara, told Kigali-based media outlet Taarifa Rwanda that perhaps Mr Mwangi and his crew underestimated the honesty levels in the country.

“In some countries in the region, everyone wants a deal, in this country, never. So, they did not know that the security apparatus and framework here is different. They had been here for days,” Mr Namara said.

The RIB and Equity teamed up and decided to lay in wait.

The lender ensured that the software protecting its finance management system was ready to detect any irregular access of bank accounts.

Detectives at the RIB on their part started monitoring the people Mr Mwangi and his crew would talk to. Some of the recruited mules were also approached, and a few of them became double agents, informing police of any new information from the hackers.

Pounced on Forkbombo crew

Both parties then lay in wait, as the mules eventually gave away the location of the Forkbombo crew.

Equity Bank Kigali’s internal monitoring system fired a warning a few minutes past midnight on November 1, 2019.

Security teams responding to the warning of an anomaly knew what was happening. Mr Mwangi and his team were trying to infiltrate the system.

Equity’s security informed the RIB of the attack, and detectives quickly pounced on the Forkbombo crew.

In what could mean that Rwanda enjoys the swiftest of justice systems in East Africa, it took less than two years to conduct the trial and get a conviction in a complex case involving several individuals.

The case was largely delayed last year on account of the Covid-19 pandemic and its effects, which saw Rwanda forced to implement lockdowns in some months of 2020, an indication that judges would have concluded the matter in less than a year.

But while Forkbombo is finally history, there are still several hacker groups in Kenya and East Africa that are causing banks and other institutions huge losses.

Cybersecurity firm OnNet Africa has already issued several warnings about Silent Cards, an offshoot of Forkbombo that was formed in 2017.

Forkbombo members who were not on board with a Reuben Mwangi leadership left and formed Silent Cards.

Silent Cards in 2019 executed a heist on a local bank and made away with Sh400 million, one of the single largest amounts ever stolen at a go in Kenya.

[email protected]