By Newsflash Reporter
A Kenyan commercial bank lost Sh517 million ($4 million) in a major cyber fraud incident after rogue contractors tampered with its card security system, paving the way for unauthorized creation of customer wallets and laundering the stolen funds through cryptocurrency.
This incident, which ranks among the most severe in Kenya’s growing cybercrime cases, is detailed in a new report by the Financial Reporting Centre (FRC), the national financial intelligence agency. The report, which analyzed over 14,000 suspicious financial transactions between 2020 and 2023, refrains from revealing the identities of both the bank and the contractor, referring to the institution under the alias “XYZ Bank.”
Security downgrade
According to the FRC, XYZ Bank had engaged three third-party merchants to install and maintain a 3D secure card integration system designed to offer advanced transaction authentication via One-Time Passwords (OTP). However, instead of implementing the enhanced security layer, the contractors deliberately downgraded the platform to a less secure 2D protocol that bypassed OTP verification altogether.
This manipulation allowed the contractors to create digital customer wallets that required no customer input or authentication. The FRC report reveals that through this vulnerability, the perpetrators stole $4 million from the fake wallets and diverted the money into a bank account held by one of the contractors at a financial institution referred to by the codename “JKA Bank.” It remains unclear whether this bank is local or foreign.
The fraudsters quickly converted the funds into the stablecoin cryptocurrency Tether (USDT), spreading the assets across various crypto exchange platforms. The crypto assets were eventually funneled into a single USDT address, leaving XYZ Bank with a massive financial loss and little hope of recovery.
“Through this scheme, $4 million was stolen from the customer wallets. The funds were diverted and settled into an account of one of the contractors in JKA bank,” the FRC reported.
While 3D secure systems rely on extra verification steps to confirm a cardholder’s identity, the 2D version only uses static card details such as the number and expiry date — making it easier to exploit. Cybercriminals have increasingly taken advantage of such lax systems to move stolen funds into untraceable platforms like cryptocurrency exchanges.
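The control failure described above is detectable from the bank's own authorisation records: a merchant contracted for 3D Secure that suddenly sends transactions with no cardholder-authentication evidence. The check below is an added example, not code from the FRC report or from any bank named here; the record layout, the merchant policy table, the `otp_verified` flag and the ECI-to-"authenticated" mapping are all assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample authorisation records from a bank's card-integration layer.
# Field names are assumptions for this example: 'merchant' is the third-party
# integration, 'protocol' is what the integration itself reports, 'eci' and
# 'cavv' are the standard 3D Secure evidence fields carried in an authorisation,
# and 'otp_verified' is a hypothetical flag from the bank's OTP service.
SAMPLE_AUTHS = [
    {"id": "a1", "merchant": "M1", "protocol": "3DS", "eci": "05", "cavv": "cavv-ok-1", "otp_verified": True,  "amount": 120.0},
    {"id": "a2", "merchant": "M1", "protocol": "3DS", "eci": "05", "cavv": "cavv-ok-2", "otp_verified": True,  "amount": 80.0},
    {"id": "a3", "merchant": "M2", "protocol": "2D",  "eci": "07", "cavv": "",          "otp_verified": False, "amount": 5000.0},
    {"id": "a4", "merchant": "M2", "protocol": "3DS", "eci": "07", "cavv": "",          "otp_verified": False, "amount": 9500.0},
    {"id": "a5", "merchant": "M1", "protocol": "3DS", "eci": "05", "cavv": "cavv-ok-3", "otp_verified": False, "amount": 300.0},
]

# What the bank contracted for: every listed merchant must run the 3DS path.
REQUIRED = {"M1": "3DS", "M2": "3DS"}

# ECI codes treated as "cardholder fully authenticated" (assumed mapping for the example).
FULLY_AUTHENTICATED_ECI = {"05", "02"}

def has_3ds_evidence(rec):
    """True only when the authorisation carries real cardholder-authentication proof."""
    return rec["eci"] in FULLY_AUTHENTICATED_ECI and bool(rec["cavv"]) and rec["otp_verified"]

def classify(rec):
    """Return a violation reason for a record that breaks the 3DS policy, else None."""
    if REQUIRED.get(rec["merchant"]) != "3DS":
        return None
    if rec["protocol"] != "3DS":
        return "protocol_downgrade"       # integration openly reports the 2D path
    if not has_3ds_evidence(rec):
        return "missing_auth_evidence"    # claims 3DS but carries no OTP/CAVV proof
    return None

def find_violations(records):
    """Map each violating authorisation id to its reason."""
    return {r["id"]: reason for r in records if (reason := classify(r))}

def unauthenticated_share(records):
    """Per-merchant share of value moved without authentication; a jump to 1.0 is the downgrade signal."""
    total, bad = defaultdict(float), defaultdict(float)
    for r in records:
        total[r["merchant"]] += r["amount"]
        if classify(r):
            bad[r["merchant"]] += r["amount"]
    return {m: round(bad[m] / total[m], 3) for m in total}
```

The two signals complement each other: `find_violations` catches individual records, while `unauthenticated_share` surfaces a merchant whose whole traffic has quietly moved to the unauthenticated path, which is the pattern a contractor-side downgrade produces.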
Cybercrime poses rising threat to financial sector
Cryptocurrencies such as Tether are gaining notoriety for their use in laundering illicit funds due to the anonymity and global nature of digital exchanges. “In the wake of rising ransomware cases, cybercriminals have been observed to utilize virtual currencies to move their illicitly acquired proceeds,” the FRC noted in its report.
The case underscores the vulnerability of financial institutions to fraud perpetrated by unvetted third-party service providers. Experts warn that even as banks strive to modernize their IT infrastructure, contractors granted access to sensitive systems can exploit gaps in oversight and internal control.
A similar case has emerged involving NCBA Group, which is embroiled in a legal dispute with a software contractor accused of siphoning Sh57.5 million ($445,000) within a nine-day period in June 2025. The developer had been hired to maintain and upgrade NCBA’s mobile and retail banking system at its Rwandan subsidiary, which runs on the MTN mobile network.
However, the developer allegedly manipulated the backend systems to approve cash withdrawal requests, including those made from non-existent or empty accounts. As a result, at least 70 users initiated 260 fraudulent transactions during the period, causing significant losses.
The Central Bank of Kenya (CBK) has since called for stricter internal audits among banks, particularly on staff and third-party vendors involved in core operations such as cybersecurity, data handling, and transaction processing.
“Third-party service providers often gain access to critical systems and client information, exposing banks to operational breakdowns, data breaches, and fraud,” the FRC warned. Disabling security tools such as OTPs or altering transaction pathways without proper approvals can compromise entire financial institutions, with reputational and regulatory consequences.
Increase in social engineering attacks
Kenya’s banking sector has seen a sharp increase in social engineering attacks, where criminals manipulate bank employees or unsuspecting clients into giving away access credentials. These fraud attempts frequently bypass technical controls and continue to grow more sophisticated.
The CBK and other regulatory bodies are now emphasizing the importance of cybersecurity protocols, regular vetting of contractors, and strict compliance with risk mitigation frameworks. The digital revolution in Kenya’s financial services — driven by mobile money, online betting, cryptocurrency, digital lending, and forex trading — has opened new channels for financial inclusion, but also introduced significant security threats.
To combat these evolving risks, banks have formed a collective risk-sharing platform where institutions share data on emerging fraud patterns and collaborate on preventative measures.
“The financial sector’s rapid digital transformation must be matched with equally robust regulatory oversight and technological safeguards,” the FRC advised. Without proactive strategies and due diligence, banks remain susceptible to manipulation from both external hackers and their own service providers.
As the case of XYZ Bank shows, a single security lapse can cost hundreds of millions — and leave banks chasing shadows in the opaque world of cryptocurrency laundering.
