25 JULY 2021
Forkbombo, formed by ex-Directorate of Criminal Investigations (DCI) cybercrime detective Calvin Otieno Ogalo, terrorised corporates and government institutions until 2017 when they attacked the Kenya Police Sacco.
After intercepting communication between Mr Ogalo’s group and two American nationals believed to be part of the hacking syndicate, detectives finally pounced on the cybergang and found evidence that was used to charge 11 individuals with hacking the Kenya Revenue Authority (KRA). The prosecution of 11 Forkbombo members nearly relegated the hacker group to history books. Its top boss, Mr Ogalo, was in custody. So was his top lieutenant and likely the most talented hackers, Mr Mutuku.
The third in command at the syndicate, Mr Reuben Kirogothi Mwangi, saw a power vacuum and decided to fulfil his ambition to lead the feared team of hackers. In filling the vacuum created by the arrest of Mr Ogalo and other members of the gang, Mr Mwangi garnered the support of four surviving senior members of the Forkbombo group, as he looked to pick up the pieces and regroup. Erick Dickson Njagi, Godfrey Gachiri and Erickson Macharia Kinyua backed Mr Mwangi.
CROSSED INTO UGANDA
They recruited another four individuals – Dedan Muchoki Muriuki, Samuel Wachira Nyuguto, Damaris Njeri Kamau and Steve Maina Wambugu before crossing over to Uganda in 2018. By this time, the surveillance authorities placed on Forkbombo members was so intense, and security agencies across East Africa were happy to cooperate in sharing any information that would protect corporates from the multimillion shilling heists. As soon as Mr Mwangi and his rebranded Forkbombo group crossed into Uganda in 2018, Interpol officers in Kenya alerted Ugandan authorities of the hackers’ movements, and warned that some corporates could be on the brink of losing millions.
In mid-June 2019, Mr Mwangi and his crew executed a salami attack at the Development Finance Company of Uganda (DFCU) Bank, but it took an entire month before the lender knew what had happened. Forkbombo got two DFCU workers to plant their infamous software in computers owned by the lender. For an entire month, the software slowly withdrew Ush700 million (Sh21.4 million) from depositors’ accounts.
This time, rather than buy ATM cards from desperate bank customers, Forkbombo went a step further and registered dummy bank accounts at DFCU. The two junior DFCU workers then collected several debit cards handed over by customers for renewal. As the surrendered ATM cards had been deactivated, Forkbombo used its hackers to reactivate them and make withdrawals in small batches. Much like any salami attack, the big one was yet to hit. In mid-July, DFCU discovered that Ush8 billion (Sh244 million) had been siphoned from several customers at a go.
Just as it was with Kenyan lenders that suffered under Forkbombo, DFCU’s internal monitoring system was unable to notice any irregularities between June and July, 2019 when millions was being silently siphoned from its accounts. The lender reported the matter to police in Kampala, and the two junior DFCU workers were arrested alongside the two mules Forkbombo recruited to help withdraw the money. Forkbombo thought it had made a clean getaway.
CROSSED INTO RWANDA
Mr Mwangi and his crew lay low for nearly four months, before crossing into Rwanda where they would eventually suffer failure. Authorities in Uganda may have failed to nab the hackers in Kampala, but were still keeping close tabs on Mr Mwangi and his crew. No sooner had the hackers crossed into Uganda than police and Interpol officers in Kampala warned the Rwandan authorities of what was about to happen to banks. The group arrived in Kigali in early October and started scouting for their next victim.
Intelligence operatives informed the Rwanda Investigations Bureau (RIB) that the hackers were targeting a minimum of four banks, including Kenyan-owned Equity Bank. Towards the end of October, Forkbombo did a trial run by trying to get into Equity’s Eazzypay system to siphon customers’ funds. The hack failed, and the crooks retreated to reorganise their plans. Rwanda’s strength in intelligence would prove to be too much for the hacker group, and it eventually led to 20 individuals – eight Kenyans, 11 Rwandans and one Ugandan – finally being locked up for cybercrime.
Equity Bank’s Kigali branch was also aware that the hackers were in town, and swiftly volunteered information it had to security authorities.
Mr Mwangi and his crew were approaching vulnerable low income earners like househelps and casual labourers to fill up vacancies in the money mule department. Some money mules informed various security authorities, including Equity’s internal department, of the “job” offers they received. Equity in turn told the RIB of Forkbombo’s ongoing recruitment process. Equity Rwanda boss, Hannington Namara, told Kigali-based media outlet Taarifa Rwanda that perhaps Mr Mwangi and his crew underestimated the honesty levels in the country. “In some countries in the region, everyone wants a deal, in this country, never. So, they did not know that the security apparatus and framework here is different. They had been here for days,” Mr Namara said. The RIB and Equity teamed up and decided to lay in wait.
The lender ensured that the software protecting its finance management system was ready to detect any irregular access of bank accounts. Detectives at the RIB on their part started monitoring the people Mr Mwangi and his crew would talk to. Some of the recruited mules were also approached, and a few of them became double agents, informing police of any new information from the hackers. Both parties then lay in wait, as the mules eventually gave away the location of the Forkbombo crew.
Equity Bank Kigali’s internal monitoring system fired a warning a few minutes past midnight on November 1, 2019. Security teams responding to the warning of an anomaly knew what was happening. Mr Mwangi and his team were trying to infiltrate the system. Equity’s security informed the RIB of the attack, and detectives quickly pounced on the Forkbombo crew. In what could mean that Rwanda enjoys the swiftest of justice systems in East Africa, it took less than two years to conduct the trial and get a conviction in a complex case involving several individuals.
ENTER SILENT CARDS HACKER GANG
But while Forkbombo is finally history, there are still several hacker groups in Kenya and East Africa that are causing banks and other institutions huge losses. Cybersecurity firm OnNet Africa has already issued several warnings about Silent Cards, an offshoot of Forkbombo that was formed in 2017. Forkbombo members who were not on board with a Reuben Mwangi leadership left and formed Silent Cards. Silent Cards in 2019 executed a heist on a local bank and made away with Sh400 million, one of the single largest amounts ever stolen at a go in Kenya.