A Kenyan bank lost Sh517 million ($4 million) after contractors compromised the security system for cards, enabling unauthorised wallet creation and laundering of funds through cryptocurrency.
Kenya’s financial intelligence unit, Financial Reporting Centre (FRC), says in a new report that the incident was among the rising cases of cybercrime involving altering of card systems by fraudulent service providers.
The FRC report that tracked over 14,000 suspicious financial transactions over a three-year period to 2023 has, however, withheld the name of the bank and the contractor. The report refers to the bank as XYZ Bank.
The FRC says the bank contracted three merchants to instal and maintain a 3D secure integration system for cardholders.
The security system was supposed to be 3D secure with a feature of issuing One Time Pin (OTP) authentication code to the cardholders for transaction authentication.
However, the FRC says the contractors altered the process by downgrading the system to a 2D secure, which did not need to issue OTP codes. The contractors thereafter initiated customer wallets which required no customer authentication.
“Through this scheme, $4 million was stolen from the customer wallets. The funds were diverted and settled into an account of one of the contractors in JKA bank [code name for the unidentified bank],” says the FRC.
While a 3D secure system adds an extra layer of authentication —like an OTP— to verify a cardholder’s identity during online transactions, the 2D system only requires basic card details, making it more vulnerable to fraud.
It is not clear if the recipient bank, JKA, was a local or foreign entity. The FRC says the funds were utilised through the purchase of cryptocurrency tether in different exchanges. Tether, often referred to by its currency codes USD₮ and USDT, is a cryptocurrency stablecoin launched by Tether Limited in 2014.
The fraudulent contractors then transferred the crypto assets to a common USDT address, leaving the bank counting the losses.
Transactions in virtual currencies such as Bitcoin are largely untraceable and anonymous, making them susceptible to abuse by criminals in money laundering and financing of terrorism. The virtual currencies are traded in exchange platforms that tend to be unregulated all over the world.
“In the wake of rising ransomware cases, cybercriminals have been observed to utilise virtual currencies to move their illicitly acquired proceeds,” says the FRC in the report.
The case highlights the risks that third party service providers pose to banks even as they search for secure systems to keep fraudsters at bay.
NCBA Group is currently in a legal tussle with a software developer who is accused of defrauding the bank $445,000 (Sh57.5 million) between June 6 and 14, 2025.
The consultant had been contracted by NCBA to carry out system maintenance and upgrading of the mobile and retail banking platform at its subsidiary in Rwanda, which uses the MTN mobile network.
However, the consultant is accused of having illegally adjusted the system, which cleared all cash withdrawal requests through the MTN network even in cases where accounts were non-existent or had insufficient funds. The illegal amendments allegedly saw 70 customers in Rwanda initiate 260 transactions, resulting in the said loss.
Many banks in Kenya say they have seen a marked rise in fraud attempts using social engineering tactics targeting unsuspecting customers, bypassing technical controls put in place.
The Central Bank of Kenya (CBK) has been asking banks to enhance audits of their staff and those of third-party businesses contracted for critical operations such as IT systems, cybersecurity, data processing and payment infrastructure.
The third-party service providers often gain access to sensitive systems and customer data, creating potential entry points for fraud, data breaches and operational failures.
Unprofessional service providers can compromise a bank’s internal controls through practices such as disabling authentication systems or manipulating transaction processes, leaving banks dealing with reputational damage when money is lost.
The rising wave of digital fraud in the banking industry has seen banks form an industry-wide risk forum where they discuss the changing forms of fraud and collaborative approaches to minimising such cases.
Kenya’s financial sector is rapidly evolving with innovations such as mobile money, digital credit, online betting, forex trading and cryptocurrencies —all highlighting the need for stronger regulatory frameworks to manage emerging risks.
