How Hackers Stole Sh1.59 Billion From Kenyan Banks

Kenyan Banks Lose Record Sh1.59 Billion to Cybercriminals in Devastating Digital Heist

Kenyan banks suffered their worst cybersecurity breach on record last year, with hackers successfully stealing Sh1.59 billion from customer accounts, according to a Central Bank of Kenya report that exposes the dark side of the country’s digital banking revolution.

The massive theft represents a fourfold increase from the Sh412 million stolen in 2023, signaling an alarming escalation in cybercrime as Kenya’s financial sector becomes increasingly dependent on digital platforms.

The losses highlight a troubling paradox: while Kenya built its reputation as a pioneer of financial inclusion through mobile money innovation, this same digital infrastructure has become a playground for sophisticated criminals.

Mobile banking bore the brunt of the assault, with fraudsters siphoning off Sh810.68 million – a staggering 344 percent jump from Sh182.41 million the previous year.

This single category accounted for more than half of all losses, underscoring the vulnerability of platforms that millions of Kenyans now rely on for daily transactions.

The attacks follow a disturbing pattern that targets the country’s social culture.

Most fraud occurs during weekend nights, particularly on Fridays and Saturdays, when unsuspecting revelers at social venues become easy prey for criminals employing social engineering tactics.

Millennials, born between 1981 and 1996, emerged as the primary victims of these carefully orchestrated schemes.

The criminals’ methods have evolved beyond simple scams to sophisticated operations involving SIM swap fraud, malware deployment, phishing schemes, and identity cloning.

They often pose as bank employees, calling victims to extract passwords and personal information that grants access to accounts.

The timing is deliberate targeting customers when they are most vulnerable and least likely to think clearly about security protocols.

The scale of attempted fraud paints an even more alarming picture.

The total amount exposed to fraud – money targeted before banks’ recovery efforts nearly tripled from Sh680.9 million in 2023 to Sh1.96 billion in 2024.

While banks managed to recover Sh368.8 million, the unsuccessful attempts demonstrate the relentless pressure the sector faces from cybercriminals.

Card fraud emerged as another major concern, costing customers Sh263.29 million nearly 17 times the Sh15.59 million lost the previous year. Computer fraud resulted in Sh203.39 million in losses, while identity theft cost bank customers Sh199.08 million, representing a sixfold increase from the prior year.

The financial toll extends beyond direct losses to customers and banks. Insurance premiums have nearly doubled as insurers grapple with the surge in claims.

Large banks now pay an average of Sh80 million annually for Electronic Computer Crime Policy coverage, with premiums reaching between Sh200 million and Sh400 million for institutions seeking comprehensive protection against losses of up to Sh10 billion.

Leonard Chirchir, acting chief operating officer at Britam General, revealed that even the smallest microfinance banks cannot secure cybercrime coverage for less than Sh5 million annually.

The insurance market itself is contracting, with many providers withdrawing from cybercrime coverage due to mounting losses, further driving up premium costs.

The Central Bank’s cyber risk stress test conducted in May provides a sobering glimpse of potential future losses.

Assuming just five percent of cyber-attacks succeed, the banking sector could face losses between Sh2.1 billion and Sh2.9 billion under moderate and severe scenarios respectively.

The crisis reflects a broader national cybersecurity challenge. Communication Authority of Kenya data shows cyberattacks on internet users more than doubled to 7.96 billion in the year ending June 2025, from 3.52 billion the previous year.

System attacks account for 97 percent of these threats, creating a hostile digital environment for financial institutions.

Banks find themselves caught in an expensive arms race, investing billions in technology upgrades while criminals rapidly adapt to exploit new vulnerabilities.

The situation is complicated by underreporting, as many institutions quietly reimburse affected customers rather than report breaches that could damage their reputation and trigger depositor panic.

Stanbic Bank Kenya has taken a proactive approach, publicly warning customers about the weekend fraud epidemic and educating them about social engineering tactics.

The bank’s data confirms that millennials remain the most targeted demographic, falling victim to sophisticated schemes that exploit their comfort with digital platforms.

As Kenya’s financial sector continues its digital transformation, the Sh1.59 billion theft serves as a stark reminder that technological advancement must be matched with robust cybersecurity measures.

The country that once led Africa in mobile money innovation now faces the challenge of protecting that same innovation from increasingly sophisticated criminal exploitation.

The Central Bank has acknowledged cybersecurity as “perhaps the most significant and emerging operational risk facing the financial sector,” but turning the tide against cybercriminals will require coordinated action from banks, regulators, and customers alike.

The cost of inaction, as last year’s losses demonstrate, is measured not just in billions of shillings, but in the erosion of trust that underpins Kenya’s digital financial revolution.​​​​​​​​​​​​​​​​