How Air Ticketing Firm Was Targeted and Hacked in Sh22 Million Scam

The Directorate of Criminal Investigations (DCI) has closed investigations into a sophisticated cyber fraud that saw a Nairobi-based travel agency lose more than Sh22 million through unauthorized airline ticket bookings, after a court was informed that all inquiries had been concluded.

The case, which revolved around allegations of hacking and computer fraud, was terminated after investigators told a Nairobi court that they had exhausted all available investigative avenues.

The magistrate subsequently allowed the DCI to close the file.

According to court records, the probe stemmed from a complaint lodged on July 22, 2025, by Tuli Executive and Travel Ltd Kenya, a global travel agency operating in Nairobi.

The firm’s director reported that the company had suffered a major breach of its computer systems, disrupting operations and exposing it to significant financial liability.

Investigating officer Joseph Karanja told the court that detectives were pursuing offences including unauthorized access, contrary to Section 14(1) of the Computer Misuse and Cybercrimes Act, as well as computer fraud and related cyber offences.

Investigators established that unknown persons gained unlawful access to the firm’s Global Distribution System (GDS) account, identified as NBO41236H, which is used to book airline tickets for clients.

Using the compromised credentials, the attackers booked multiple flights for different passengers, generating tickets valued at Sh22,415,575. The cost of the tickets was subsequently charged to Tuli Executive’s account.

The company uses the Amadeus Global Travel Distribution System to process airline bookings, with payments settled through the International Air Transport Association (IATA) Bill Settlement Plan (BSP).

Following the breach, IATA’s Travel Agency Commissioner’s Office demanded that Tuli Executive settle the outstanding amount for the tickets that had been fraudulently issued through its system.

As part of the investigation, the firm supplied detectives with detailed reports of the disputed tickets.

DCI cybercrime experts focused on tracing the digital footprint left during the attack, relying on internet protocol (IP) addresses, which uniquely identify devices connected to a network.

Through court orders, investigators compelled IATA and Emirates Farelogix to release system logs showing which computers interacted with the BSP platform and accessed the complainant’s payment account during the period of the breach.

Analysis of the logs revealed IP addresses linked to suspected fraudulent devices hosted within Kenya.

The DCI noted that the information sought was maintained electronically and therefore constituted electronic evidence under Section 103B(4) of the Evidence Act.

This provision requires certification of digital evidence to ensure its admissibility in court.

On the strength of these findings, the court issued orders compelling internet service providers to disclose subscriber information linked to the identified IP addresses.

Among those served was Vijiji Connect Ltd, which received the order on October 21, 2025. The order was acknowledged by the firm’s manager, John Kimotho, who undertook to forward it to the company’s chief executive officer for compliance.

Wananchi Group Kenya was also served with similar court orders.

Despite tracing the cyber trail and obtaining cooperation from airlines, IATA, and local internet service providers, investigators ultimately closed the case, with no charges disclosed in court against specific suspects.