MTN-Airtel-BOA-Stanbic Heist: How sh1b was withdrawn from a city slum

To the naked eye, Kisenyi, a slum in Kampala, passes for a neighbourhood that harbours the wretched of the earth.

Behind the squalid mud-and-wattle tenements is a secret that continues to baffle police detectives.

The congested, decrepit appearance of Kisenyi

Investigators are still puzzled after stumbling on information showing that hackers withdrew sh1b from the slum’s mobile money agents in under six hours.

A fortnight ago, hackers were involved in the theft of billions from telecoms and banks in one of the biggest cyber-attacks.

Kisenyi slum is a financial hub, which the hackers, perhaps with hindsight and prior planning, exploited to make away with colossal sums without getting caught.

Unknown to many, Kisenyi is one of the areas in Kampala, alongside Kikuubo, where big cash transactions happen.

Its trademark mud-and-wattle bedsitter units with leaking tin roofs are fast being replaced by malls, bus terminals, cottage industries, and storeyed commercial and residential structures.

Residents pride themselves on having running tap water, communal restrooms, tarred connecting roads, street lights, mobile money services, internet cafés — you name it.

So, how did it happen?

Unlike the 2011 heist, where a telecom company lost sh24b due to insider dealing when ghost money accounts were created in the system and the money withdrawn, it took the institution a while to realize the loss.

Almost a decade later, a different script was written.

This time round, the inside hackers got into the systems of the telecom companies and sent instructions crediting curated SIM cards with money.

The SIM cards are believed to number over 2,000 and bore corporate company names.

Detectives privy to the ongoing investigation, in which over sh9b was withdrawn by hackers in 48 hours, shared with New Vision how it likely played out. Earlier investigations revealed it was done within 36 hours.

They reveal that it was done by a group of 10 individuals, each in possession of 30 SIM cards belonging to the affected telecom companies.

“In Kisenyi, they withdrew from 16 mobile money points out of the 378 outlets operating in the area,” said the detective.

When the Pegasus system was compromised and instructions sent to banks to disburse the money, the hackers and the cronies were on red alert.

They immediately went for the loot. They mapped their location for the withdrawals. When the mobile money outlets became overwhelmed, they went to bank tellers who handle mobile money float.

In this particular case, a high-profile banker was caught on closed-circuit television (CCTV) giving money to one of the suspects.

Police preliminary investigations revealed he cashed sh170m to a gentleman and a lady. Imagine a group of 10 people with 30 SIM cards, withdrawing a maximum permitted limit of sh3.9m in each transaction.

“Imagine how much money is lost in such a short time? Billions,” a detective told New Vision.

More withdrawal points named

Detectives have also taken an interest in transactions that happened around the same time in the Kampala areas of Nkrumah Road, Nasser Road, Shauri Yako and Nakawa.

Others include Wandegeya, Nakawa, Natete, Entebbe Road, Masaka and Jinja.

Investigations show that the culprits targeted areas with a lot of traffic. These are close-knit areas, where one spends less than sh5,000 traversing on a bodaboda from one point to another.

Kisenyi, for instance, is an area that integrates with WorldRemit, a global leader in mobile money transactions, and most traders in Kisenyi use it for international transactions, especially trading in China.

Mobile money outlets in Kisenyi have large volumes of cash, which made it an easy spot. For Nasser and Nkrumah roads, the large volumes of business and large amounts of monetary transactions in the printing sector made them easy targets.

Large withdrawals were made without raising eyebrows. “Withdrawing such sums is not easy. They worked as a well-coordinated team,” a detective revealed.

The Mystery?

As detectives continue to unravel the case, there are some unanswered questions. How is the system built between Pegasus and the telecoms? How is the interface between Pegasus and the bank? Is there a person who monitors the payment?

Where was the money taken from? How do they do it? How many mobile money outlets are in the country? Who owns these SIM cards, which were registered under corporate companies, and who registered them?

What is the process of registering a company SIM card? Is there a limit to company SIM cards?

According to sources, the managing director of Pegasus Technologies, Ronald Azairwe, told Police that on October 2, between 3:00 pm and 4:00 pm, he received a telephone call from a Bank of Africa staff member, notifying him of payments from one of their accounts (Bank of Africa) to MTN and Airtel, which had not originated from the bank.

“When we checked the list of the transactions, we discovered that the request was not sent to the telecom companies through the Pegasus formal channel.” He, however, acknowledged that the transactions originated from Pegasus without following the official channel.

So far, the process has slowed because the police are supposed to secure hundreds of court orders: most of the unanswered information pertains to personal data, which requires court orders.

Experts hired

Bank sources say that UK audit, advisory and tax firm Deloitte Touche Tohmatsu Limited, commonly referred to as Deloitte, with headquarters in London, has been hired by Stanbic Bank to carry out a full audit and establish how much was lost.

Besides Deloitte, the government’s Uganda Communications Commission and the Police Forensic Department, among others, have since joined the investigation. Sources said the money lost to the hackers is estimated at over sh10b, but could be much more. The final figure will be established after a forensic audit.

So far, what is known is that Bank of Africa lost sh900m, Stanbic Bank sh9b, Airtel sh4.5b and MTN lost the biggest chunk.

“The money was withdrawn in 36 hours from 2,000 mobile money agent points for both MTN and Airtel across the country,” said the Police.

“Over 1,200 MTN SIM cards were used to channel the money to various agents across the country,” said the source.

A cyber-fraud expert, who spoke to New Vision on condition of anonymity, said companies are not paying attention to cybersecurity by recruiting professionals in the field to deal with information security and fraud risk.

The Police cybercrime unit detectives have asked the affected telecoms and banks to carry out fresh vetting of their IT staff in view of the suspicion that the hackers worked closely with insiders from the financial institutions to accomplish their crime.


The noose is tightening on the perpetrators and several arrests have been made within Kampala Metropolitan area.

Suspects include two Pegasus employees and a software developer attached to a financial institution (name withheld). Others in detention are mobile money agents who paid out the money.

Until Sunday October 25, ever since telecoms and banks detected the breach, authorities from both institutions and the police have remained tight-lipped on the progress of the case.

However, a senior security official, who spoke on condition of anonymity, said: “We have made interesting arrests that will lead us to a major breakthrough in the case.”

Recently, Criminal Investigations Directorate spokesperson Charles Maniso Twiine confirmed the arrests of the suspects.

Twiine was cagey about divulging details attributed to the key suspect linked to the theft of mobile money.

He, however, revealed: “We have a productive suspect. He has first-hand knowledge of how the offence was orchestrated. He is being profiled.”

Sources said the key suspect allegedly created and distributed malicious software designed to collect bank account passwords.

Impeccable sources said the attack (cyber) poses a threat to national security, prompting the force to devise more ways to clamp down on the criminals.
