How Hacker Breached Fintech Firm Eclectics International’s System And Stole Sh52 Million
Using remote access software, Albert Komen Kipkechem burrowed unseen into the payment platform of Eclectics International and a local bank, silently rerouting millions of shillings in transactions that never followed normal payment flows. Detectives who hunted him down found eight fraudulent identity cards, a Congolese passport in a false name, a money-counting machine, and ATM cards registered to other people.
Sometime in early June 2025, a cursor moved silently across a computer screen inside a payment platform that processes hundreds of millions of shillings in daily transactions on behalf of banks, SACCOs, and government agencies across Kenya and beyond.
No alarm was triggered. No security protocol flagged the intrusion.
The person behind that cursor, investigators now allege, was not an authorised employee but a man who had burrowed deep into the company’s information systems using remote access software, and who would spend the next two weeks systematically redirecting transactions outside the normal payment flow, bleeding the firm dry of Sh52,549,798 before anyone noticed something had gone catastrophically wrong.
On Thursday, Albert Komen Kipkechem, also known as Jonathan Kiptum Barmasai, stood in the dock at the Milimani Law Courts in Nairobi and pleaded not guilty to charges of Access with Intent to Commit a Further Offence contrary to Section 15(1) and Computer Fraud contrary to Section 26(1)(b) as read with Section 2(a) of the Computer Misuse and Cybercrimes Act No. 5 of 2018.
He was subsequently remanded at Capitol Hill Police Station until March 12, 2026, when the court will give directions on his bail and bond terms.
The victim at the centre of the charge sheet is Eclectics International, a Nairobi-based fintech company that operates as a duly authorised payments aggregator and has built a continental footprint spanning Uganda, Rwanda, Zambia, and eight Francophone countries in West Africa.
The company has been celebrated for developing Africa’s first World Bank-recognised shared agency banking platform. But Eclectics was not the only casualty.
The DCI confirmed that the same suspect is also the principal figure in separate incidents targeting a local commercial bank and a SACCO, with the combined financial losses across all three institutions totalling over Sh52 million in June 2025 alone.
The modus operandi, according to the DCI, was chillingly consistent across both incidents. Kipkechem is alleged to have deployed remote access software to gain unauthorised entry into the payment platform and bank information systems, after which he effected transactions that deliberately bypassed the normal payment flow.
The irregularities were designed to be invisible to automated fraud-detection systems for as long as possible, and they very nearly were. It was only when the affected institutions eventually detected anomalies in their transaction logs that the scale of the breach became apparent.
Upon discovery, the institutions reported the matter to detectives from the Economic and Commercial Crimes Unit attached to the Cyber Fusion Unit at the Central Bank of Kenya.
Investigators, working in close collaboration with experts from the National Forensic Laboratory (NFL) and the Crime Research and Intelligence Bureau (CRIB), dissected the digital footprints left behind in the compromised systems. After collecting relevant digital artefacts from the affected institutions and obtaining the necessary court orders and search warrants, detectives zeroed in on their suspect.
He was arrested in Thome, Nairobi, then escorted to his Nakuru home, where the full dimensions of an elaborate criminal enterprise began to emerge from cupboards, drawers, and electronic devices.
Among the recoveries at the Nakuru property were multiple electronic gadgets, assorted SIM cards from various telecommunications service providers, ATM cards registered under other people’s names, a money-counting machine, and cash in Kenyan currency. But it was the identity documents that told the most damning story of all.
Detectives recovered eight fraudulently registered national identity cards, each bearing Kipkechem’s photograph but displaying different names and nationalities, along with a Congolese passport carrying his photograph but registered under the name Katempa Ngoy Alexisa, and a Congolese national identity card bearing the same false name.
The sheer volume and variety of false identification documents found in a single suspect’s possession painted a portrait of a professional criminal who had invested significant time and resources in constructing multiple parallel identities.
Investigators told the court the documents raised a serious concern that Kipkechem could use one of the many false identities to flee the country before the case is concluded, particularly given that a DRC passport gives him a credible route across an international border.
The DCI further told the court that Kipkechem possesses advanced technical expertise that would enable him, if released, to remotely access, encrypt, or delete digital evidence critical to the investigation.
The prosecution also expressed concern that the accused could interfere with witnesses, some of whom are described as former associates or employees of the institutions that suffered the attacks, raising the spectre of witness tampering in a case still actively under construction.
Prosecutors told the court that investigations are continuing into other related cyber-fraud incidents and that the total losses linked to the wider suspected syndicate stand at approximately Sh100 million across several financial institutions.
The charges laid against Kipkechem thus far may represent only the opening chapter of a far longer and more complex criminal saga.
The case lands at a moment of acute anxiety for Kenya’s financial technology sector.
According to the Communications Authority’s National KE-CIRT/CC, Kenya recorded 842 million cyber threat events between July and September 2025 alone, with losses estimated at Ksh29.9 billion in that three-month window.
Mobile banking fraud cases surged by 87 per cent in the most recent annual reporting period, driven by SIM-swap attacks, credential theft, and social engineering.
Eclectics International ironically lists cyber risk management among its own service offerings, describing its team as providing comprehensive security solutions and insisting that cyber risk is multifaceted and not merely a technology concern.
That a firm with such stated capabilities could itself be penetrated so thoroughly, and for so long, raises uncomfortable questions about the adequacy of defences even among companies that trade on security expertise. The case returns to court on March 12, 2026.

