In April, 2023 detectives say someone hacked into Equity Bank’s payment and fraud management system, and changed security levels of three merchants who were registered with the lender for credit card payments.
In the Cybersource system, security levels for the three merchants are suspected to have been changed from three-dimensional, which involves multiple authentication processes before allowing payments, to two dimensional which has lower safeguards.
For the next three months, a number of transactions were allegedly run on fraudulent credit cards with payments done in favour of the three merchants.
Investigators say no goods or services had changed hands despite millions going to the three merchants, straight from the pot where Equity Bank stored funds for settlement of credit card transactions – the bank had been slowly but surely robbed.
By the time Equity Bank found out and reported the matter to the police, it had lost Sh322.1 million.
Correspondence between the Directorate of Criminal Investigations (DCI) and the Office of the Director of Public Prosecutions (ODPP) seen by Nation Africa has revealed how the loot was moved through multiple bank accounts, with an undisclosed portion of it ending up in the United Arab Emirates (UAE).
Investigators have recommended the prosecution of four suspects, whose names we have withheld for legal reasons.
The correspondence also gives insight into the difficulty in tracking down cybercrime suspects, as it took more than a year to investigate one of the numerous virtual robberies that have left lenders and security agencies chasing their tails while trying to recover stolen funds.
“Thus, the substance of the complaint is that between April, 2023 and July, 2023 three merchants namely (names withheld) each defrauded Equity Bank Kenya Ltd by changing their integration type in the CyberSource from 3D to 2D. This allowed the merchants to run scripts of fraudulent cards on the CyberSource platform which enabled them to obtain the sum of Sh322,154,851 directly from the bank’s settlement account,” the letter to the DPP reads.
The three merchants, would allegedly transfer money they received through the credit card fraud to an account at Middle East Bank operated by a company.
For some batches, one of the companies would wire funds to a local bank account operated by a Kenyan-Briton businessman.
The Kenyan-Briton moved the funds he received to a private company in Abu Dhabi.
The correspondence between the investigators and the prosecution does not indicate whether Kenyan authorities have engaged their UAE counterparts to aid in investigations or recover the stolen funds.
But in April, the DCI recommended to the DPP that the three merchants and their suspected Kenyan-Briton accomplice be prosecuted.
DCI officers recommended that they be charged with stealing by agents contrary to section 283(1) of the penal code, money laundering contrary to section 3(a)(i)(iii) as read with section 16(i)(a)(b) of the Proceeds of Crime and Anti-Money Laundering Act, and computer fraud contrary to section 26(1)(c) as read with section 26(2)(b) of the Computer Misuse and Cybercrimes Act.
Even as the DCI hopes that the four suspects will be charged, its officers are still looking into other merchants believed to be part of the suspected credit card syndicate.
A laptop recovered from one of the suspects the DCI wants prosecuted was confiscated and detectives are confident that forensic analysis of the device will offer more leads.
Particularly, the forensic analysis is expected to reveal whether an Equity Bank staff member aided the theft.
Interestingly, Equity Bank suffered another round of losses from credit card fraud exactly one year later when fraudsters targeted Sh179.6 million.
Equity Bank was able to freeze Sh60 million. The Sh118.9 million balance had already been shipped out of the lender.
The theft proceeds had been stashed in 551 bank accounts, which then started shipping it out.
The suspected fraudsters transferred Sh63 million to numerous M-Pesa accounts, Sh39 million was moved to accounts in other banks.
In July, the bank was also robbed of Sh1.5 billion in a separate incident. The main suspect in that incident, David Machiri, has been missing since being picked up by DCI officers in August.
Kenya Insights allows guest blogging, if you want to be published on Kenya’s most authoritative and accurate blog, have an expose, news TIPS, story angles, human interest stories, drop us an email on [email protected] or via Telegram