Cybercrime suspects

From Left: David Ndung’u Wambugu, Lucy Katilo Wamwandu, Alex Mutungi Mutuku, Albert Kipkechem Komen and Calvin Otieno Ogalo in a Nairobi court where they were charged alongside five others with conspiring to steal Sh3.9 billion from Kenya Revenue Authority between March 1, 2015 and March 1, 2017. They denied the charge and were released on a bond of Sh2 million each.

| File | Nation Media Group

Inside Forkbombo, the dreaded Kenyan cybercrime gang

What you need to know:

  • It started by stealing a few thousands from victims, before graduating into multimillion-shilling heists and going international.
  • By 2013, the group of hackers was dismantling some of the best cyber-security systems and taking money from whomever they desired to rob.

When financial institutions in Kenya started recording increased cyber-attacks in 2010, it was believed the country’s detectives would easily stamp out the crime.

Back then, most cybercrime incidents involved hackers stealing small amounts of money that were near impossible to detect, before graduating to big money heists, in a what is known as salami attacks.

But soon, corporates started feeling the heat, with several individuals now running such schemes and siphoning alarming amounts of money from banks and other institutions.

Among the cybercrime detectives tasked to break the hacking cartels was Calvin Otieno Ogalo.
Mr Ogalo was so good at his job that by 2012, he had tracked down the most talented hackers in the country who had successfully executed salami attacks on institutions thought to have the best cyber-security systems.

But instead of arresting the crooks, Mr Ogalo allegedly united the hackers into the biggest and arguably the most feared cybercrime gang in East and Central Africa.

While Mr Alex Mutungi Mutuku would later end up being the best-known suspected member of the group, other talents that reportedly wound up working for Mr Ogalo’s group were Reuben Kirogothi Mwangi, Eric Dickson Njagi, Godfrey Gachiri, Erickson Macharia Kinyua and Stanley Kimeu Mutua.

There was also Henry Achoka, Duncan Bokela, Martin Murathe, ex-Kenya Revenue Authority officers Edward Kiprop Langat and David Wambugu as well as Albert Komen and James Mwaniki.

These hackers were initially running small scams to steal a few thousand shillings from victims, before reportedly joining Mr Ogalo's group and graduated into multimillion shilling heists.

The super gang would come to be known as Forkbombo. Mr Ogalo was sacked from the Directorate of Criminal Investigations’ (DCI) cybercrime unit in 2012, although the details of his acrimonious exit have never been made public.

By 2013, the group of hackers was dismantling some of the best cyber-security systems and taking money from whomever they desired to rob.

Wave of cybercrime

In some schemes, the group would gain access to companies’ finance systems remotely, while in others they worked with insiders to plant computers and other devices in server rooms.

The devices would help them gain access and rob institutions without ever having to hold a gun to anybody’s head, in a breakaway from the traditional method where armed thugs in balaclavas stormed banking halls and shouted for everyone to lie down before demanding to be given keys to the safe. They would then walk out and hop into getaway cars.

With the onset of the first wave of cybercrime, every time an institution was robbed, cyber security experts would be called in to investigate how the money or information was stolen.

In a majority of the cases, investigators like OnNet Africa invariably found an email address that was used to get into the systems – [email protected] – and which gave the gang its name.

In 2013, Mr Mutuku found a way to access the Daily Nation’s e-paper using software he developed while still a first-year student at the University of Nairobi, where he was studying for a bachelor’s degree in information systems.

Later in the year, Forkbombo executed its first major hit when it infiltrated the Judiciary’s system and used their access to trick the National Treasury into approving fictitious payments to several companies in a scheme that siphoned Sh80 million.

The job, however, did not go well. CFC Bank (now Stanbic), called the Judiciary’s finance boss, Mr Benedict Omollo, to confirm whether the payments made were genuine.

Four Forkbombo members – Mr Achoka, Mr Bokela, Mr Mwangi and Mr Murathe – were consequently arrested for the heist. The Forkbombo quartet was convicted in January, 2020 – seven years later.

Mr Mwangi may start serving his sentence in 2029, as he is currently committed to Rwanda prison for attempting to hack into Equity Bank in Kigali, alongside seven other Kenyans.

Several hits on banks

By the time he was convicted in Rwanda two weeks ago, Mr Mwangi had risen to become the top honcho at Forkbombo. After the Judiciary incident, the gang would make several hits on banks and other institutions for the next four years, at times getting caught with their hands in the cookie jar.

Every time they got arrested, they would pay the set cash bail or bond and get back to business.
In each Forkbombo operation that went awry, only a handful of individuals would end up in court.

In December 2014, detectives from the DCI arrested Mr Mutuku and Mr Stanley Kimeu Mutua for hacking into NIC bank (which later merged with CBA to form NCBA bank) and obtaining depositors’ private information, before using sensitive data to blackmail the lender.

Investigations, and later court papers, indicated the two Forkbombo members threatened to release the information if NIC did not pay them Sh6.2 million.

Curiously, the ransom was to be paid in bitcoins, a form of digital currency that is not regulated in Kenya and most countries in the world, making it difficult to track people but a perfect route for criminals looking to get away clean.

Mr Mutuku and Mr Kimeu allegedly demanded 200 bitcoins. At the time, one bitcoin was trading for Sh31,000.

Prosecutors told the court, in a second charge, that the two Forkbombo members also stole Sh2.88 million from NIC Bank. Court papers indicate the stolen money belonged to the bank, not to depositors. Both Mr Mutuku and Mr Kimeu paid Sh700,000 cash bail and were set free pending conclusion of the case.

Three months later, telecommunications company Safaricom suffered a serious system breach that saw hackers steal airtime worth Sh3.6 million.

Detectives concluded Mr Mutuku had hacked into Safaricom and made away with the airtime on February 19, 2015.

Safaricom hacking

Mr Mutuku allegedly struck again on March 9, 2015 and tricked Safaricom’s system into topping up his phone with Sh20,000 airtime.

He, however, denied the theft claim in court. Detectives extracted WhatsApp communication between Mr Mutuku and an individual identified as Paul Nderitu and filed it as evidence.

The communication seemed to implicate Mr Mutuku in the Safaricom cyber attack, and the Forkbombo member challenged its use as evidence.

The magistrate ordered that the communication be admitted as evidence, but Mr Mutuku appealed the decision at the High Court.

Last month, Justice Cecilia Githua allowed the messages to be used as evidence against Mr Mutuku.

In the Safaricom hacking case, Mr Mutuku was released after depositing Sh20,000 bail set by the court.

One year after the Safaricom incident, Forkbombo is believed to have merged with another group of hackers, Grapzone, which had since 2013 been targeting supermarkets.

Security firm OnNet found in its investigations that Grapzone forged receipts and, working with supermarket staffers, went on to print the documents.

Some members of the gang would then go to the specific retail store with detailed receipt and walk out with the items listed. The group would target expensive items like digital TV sets.

While the exact amount stolen by Forkbombo between 2013 and 2017 is only known to the group’s members, experts have estimated the figure to be upwards of Sh400 million.

Hacking operations

By the time the gang’s local operations were scuttled, it had an organised structure that mirrored a corporate entity.

The gang had financiers, just as companies have shareholders pumping in capital. It had a CEO-type leader in Mr Ogalo, whose job was to ensure day-to-day operations ran smoothly while maintaining investor confidence.

The group also had mid-level managers like Mr Mutuku and Mr Mwangi, who coordinated the hacking operations.

Forkbombo started 2017 with a lot of optimism. The hackers raided the Kenya Police Sacco early that year and made away with Sh50 million, before targeting the Kenya Revenue Authority (KRA).

Perhaps the Kenya Police Sacco heist hit too close to home for detectives, some of whom are members of the cooperative society. Immediately after the sacco heist, detectives started monitoring Forkbombo keenly. In March, two American nationals flew to Kenya after communicating with Mr Ogalo.

Larry Peckham II and Denise Huitron would end up being the weak link, as detectives used them to find out what Forkbombo was planning.

The two Americans were believed to be associates of the gang, based on intelligence gathered from their communication with Mr Ogalo and other hackers.

At the KRA, Forkbombo was planning to get in through a laptop an insider had hidden in the taxman’s server room. The laptop provided Forkbombo hackers with unfettered access to KRA’s systems.

A former KRA officer, Mr Edward Kiprop Langat, may have helped plant the laptop, according to investigations done by DCI cybercrime unit officers.

Mr Ogalo, Mr Mutuku, Mr Langat, Mr Wambugu and the two American nationals were among 10 individuals charged with causing the KRA to lose Sh3.9 billion in March 2017.

Withdraw stolen funds

Also charged were Lucy Katilo Wamwandu, Kenneth Opege Riaga, James Mwaniki, Gilbert Kiptala Kipkechem and Joseph Kirai Mwangi.

The case is still ongoing.

Back then, Mr Mwangi was a rising star among the hackers. He had risen to become the third in command after Mr Ogalo and Mr Mutuku.

After the KRA case, Mr Mwangi immediately set out to reunite the gang. He had at least four Forkbombo members in his team.

Erick Dickson Njagi, Godfrey Gachiri and Erickson Macharia Kinyua helped Mwangi take over the group in 2017 and recruit other hackers.

Mwangi managed to recruit four other Kenyans – Dedan Muchoki Muriuki, Samuel Wachira Nyuguto, Damaris Njeri Kamau and Steve Maina Wambugu – and led them to their Waterloo in Kigali, Rwanda.

In Rwanda, Forkbombo recruited a Ugandan and at least three Rwandans to join their operations.

The Kenyans’ job was to create hacking software, while the Rwandese cohort was largely used as mules to withdraw the stolen funds.

The Rwandan Investigation Bureau (RIB) arrested 12 Forkbombo members in November 2019 for trying to steal money from Equity Bank through the lender’s mobile money transfer platform. All 12 were sentenced to eight years in prison two weeks ago.

Next, Read How they did it, and how they were caught. The scam was sophisticated yet so smooth that it would take days before anyone noticed that a robbery had occurred. The hackers would script complex software that can move money from any bank account to a destination of their choice, without raising any red flags within the lender’s system or alerting the money’s true owner. The crooks would then enlist mid-level staffers at a targeted bank, and share the software.