It has now been over a fortnight since a mobile money heist was carried out by yet-to-be-identified hackers, who withdrew over sh1b from the mobile money platforms of MTN, Airtel and Stanbic Bank in one of the biggest cyber-attacks.
We know most people have been asking questions like: Where was the money taken from? How did they do it? How many mobile money outlets are in the country? Who owns these SIM cards, which were registered under corporate companies, and who registered them?
Today we dig deep into the matter, explain how all this happened and give the answers you need.
Investigators are still puzzled after stumbling on information showing that hackers withdrew sh1b from the Kisenyi slum mobile money agents in under six hours.
Unknown to many, Kisenyi is one of the areas in Kampala, alongside Kikuubo, where big cash transactions happen.
How did it happen? In the 2011 heist, a telecom company lost sh24b to insider dealing: staff created ghost money accounts in the system and withdrew the funds, and it took the institution a while to realize the loss.
This time round, unlike in 2011, the inside hackers got into the systems of the telecom companies and sent instructions crediting curated SIM cards with money.
The SIM cards are believed to number over 2,000 and bore corporate company names.
Detectives privy to the ongoing investigation, in which over sh9b was withdrawn by hackers in 48 hours, shared with The Ugandan Daily how it likely played out. Earlier investigations had indicated it was done within 36 hours.
They reveal that it was done by a group of 10 individuals, each in possession of 30 SIM cards belonging to the affected telecom companies.
“In Kisenyi, they withdrew from 16 mobile money points out of the 378 outlets operating in the area,” said the detective.
When the Pegasus system was compromised and instructions were sent to banks to disburse the money, the hackers and their cronies were on red alert.
They immediately went for the loot. They had mapped out the locations for the withdrawals. When the mobile money outlets became overwhelmed, they went to bank tellers who handle mobile money float.
In this particular case, a high-profile banker was caught on closed-circuit television (CCTV) giving money to one of the suspects.
Preliminary Police investigations revealed he paid out sh170m to a gentleman and a lady. Imagine a group of 10 people, each with 30 SIM cards, withdrawing the maximum permitted limit of sh3.9m in each transaction.
Detectives have also taken an interest in transactions that happened around the same time in the Kampala areas of Nkrumah Road, Nasser Road, Shauri Yako, Nakawa, Wandegeya, Natete and Entebbe Road, as well as in Masaka and Jinja.
Investigations show that the culprits targeted areas with a lot of traffic. These are closely clustered areas, where one spends less than sh5,000 on a bodaboda ride from one point to another.
Kisenyi, for instance, is an area integrated with WorldRemit, a global leader in mobile money transactions; most traders in Kisenyi use it for international transactions, especially trading in China.
Mobile money outlets in Kisenyi hold large volumes of cash, which made it an easy target. For Nasser and Nkrumah roads, the large volumes of business and the large amounts of money changing hands in the printing sector made them easy targets.
Large withdrawals were made without raising eyebrows. “Withdrawing such sums is not easy. They worked as a well-coordinated team,” a detective revealed.
As detectives continue to unravel the case, some questions remain unanswered. How is the system between Pegasus and the telecoms built? How does the interface between Pegasus and the banks work? Is there a person who monitors the payments?
Where was the money taken from? How did they do it? How many mobile money outlets are in the country? Who owns these SIM cards, which were registered under corporate companies, and who registered them?
What is the process for registering a company SIM card? Is there a limit on company SIM cards?
According to sources, the managing director of Pegasus Technologies, Ronald Azairwe, told Police that on October 2, between 3:00 pm and 4:00 pm, he received a telephone call from a member of staff at Bank of Africa, notifying him of payments from one of the bank's accounts to MTN and Airtel which the bank had not originated.
“When we checked the list of the transactions, we discovered that the request was not sent to the telecom companies through the Pegasus formal channel.” He, however, acknowledged that the transactions originated from Pegasus without following the official channel.
So far, what is known is that Bank of Africa lost sh900m, Stanbic Bank sh9b, Airtel sh4.5b and MTN lost the biggest chunk.
“The money was withdrawn in 36 hours from 2,000 mobile money agent points for both MTN and Airtel across the country,” said the Police.
“Over 1,200 MTN SIM cards were used to channel the money to various agents across the country,” said the source.
A cyber-fraud expert, who spoke to The Ugandan Daily on condition of anonymity, said companies are not paying attention to cybersecurity, for example by not recruiting professionals in the field to deal with information security and fraud risk.
The Police cybercrime unit detectives have asked the affected telecoms and banks to carry out fresh vetting of their IT staff in view of the suspicion that the hackers worked closely with insiders from the financial institutions to accomplish their crime.
The noose is tightening on the perpetrators and several arrests have been made within Kampala Metropolitan area.
Suspects include two Pegasus employees and a software developer attached to a financial institution (name withheld). Others in detention are mobile money agents who paid out the money.
As of Sunday October 25, authorities from both the telecoms and the banks, as well as the police, had remained tight-lipped on the progress of the case ever since the breach was detected.
However, a senior security official, who spoke on condition of anonymity, said: “We have made interesting arrests that will lead us to a major breakthrough in the case.”
Recently, Criminal Investigations Directorate spokesperson Charles Maniso Twiine confirmed the arrests of the suspects.
Twiine was cagey about divulging details on the key suspect linked to the theft of mobile money.
He, however, revealed: “We have a productive suspect. He has first-hand knowledge of how the offence was orchestrated. He is being profiled.”
Sources said the key suspect allegedly created and distributed malicious software designed to collect bank account passwords.
Impeccable sources said the cyber-attack poses a threat to national security, prompting the force to devise more ways to clamp down on the criminals.