Police have arrested the suspected leader of cyber criminals who have been targeting Kenyan banks in a fraud ring that is estimated to have siphoned billions of shillings of customers’ deposits in the past six months.
The suspect, Mr Samatar Yusuf, is a holder of Somali, Kenyan and US passports that intelligence sources believe were acquired fraudulently.
Mr Yusuf was arrested last week as he attempted to bribe a Directorate of Criminal Investigations (DCI) officer to have his brother and cousin released. The two are also in custody facing cyber crimes charges.
“Mr Samatar Yusuf, a businessman of OX-Bow Property Management, was arrested and will be presented in court,” said the Ethics and Anti-Corruption Commission, which is handling the bribery aspect of the case.
The suspect is believed to have lived in the US for about a decade between 2000 and 2010, having emigrated as a refugee from Somalia. However, he holds a Kenyan identity card and passport, both of which indicate that he was born on November 18, 1977. His US passport indicates he was born on November 18, 1979. There are also discrepancies in the spelling of his names on the different identity documents.
According to documents seen by the Business Daily, Mr Yusuf’s name on his Kenyan passport reads as ‘Samatar Yussuf Adan’ while his Kenyan identification card (ID) reads as ‘Samatar Yusuf Abdi’.
Detectives handling the matter suspect that Mr Yusuf is the ring leader of the cyber criminals, relying on his information technology (IT) savvy brother, Abdikarim Yussuf Abdi, and cousin , Ahmed Mohamed Hassan, to execute hacking attacks.
Abdi and Hassan are among 130 suspected fraudsters whose pictures were published in national newspapers last week by the DCI and the Central Bank of Kenya. The DCI issued arrest warrants for all the suspects last Wednesday.
The DCI’s Economic Crimes Unit said in a notice printed in local dailies that the suspects had engaged in banking fraud between June last year and January this year and sought the public's help for their immediate arrest. Arrest warrants were issued a day after the Central Bank of Kenya (CBK) urged lenders to brace for risks that IT systems pose to their operations, reflecting fears on the rising cases of cybercrimes in financial institutions.
Detectives who sought anonymity, citing the sensitivity of the matter, also said they were investigating possible links between the hackers and financing of Al-Shabaab terrorists. They estimate that billions could have been stolen from bank customers’ accounts but say banks have been reluctant to make the information public for fear of causing panic in the industry.
On January 15, terrorists attacked Nairobi’s 14 Riverside Drive business complex, killing 21 people. Al-Shabaab claimed responsibility for the attack, whose financing is said to have transcended borders. One of the major benefactors of the terrorist group is said to have been sending money from South Africa. One person has been arrested and charged in court over suspected fraudulent mobile-phone cash withdrawals.
Experts say Kenya is increasingly becoming a soft target for cybercrimes as more people adopt the use of technology in their daily activities. Last year, two Nigerians and a Tanzanian were arrested by police for allegedly engaging in electronic fraud while in 2016, detectives arrested 41 foreigners who were in the process of setting up a sophisticated communication centre in a house within Runda Estate in Nairobi.
Last year, President Uhuru Kenyatta assented to the Computer and Cybercrimes Bill, 2017. The legislation allows authorities to search and seize stored computer data and to collect and intercept data in real-time. Computer hackers face a fine of Sh5 million ($50,000) or a three-year jail term or both for unauthorised access, interference, interception and disclosure of passwords and cyber espionage.
In addition, the new law deals with computer forgery, fraud, cyber harassment, cybersquatting, identity theft and impersonation, phishing, interception of electronic messages or money transfers, willful misdirection of electronic messages and fraudulent use of electronic data among other cybercrimes.
In 2017 and 2016, Kenya lost an estimated Sh21 billion ($210 million) and Sh17 billion ($170 million) to cybercrime respectively, an increase from a loss of about Sh14 billion ($140 million) in 2015. In the latest case, it is believed banks lost upwards of Sh7 billion.
The CBK has frequently warned that local lenders are exposed to cyber-attacks and fraud and that they should increase resilience to IT failures and cyber security incidents including organized fraud. According to the State of Cybersecurity report (2018), cybersecurity has become a boardroom concern for organizations while governments have been strengthening regulations to force data owners to exercise their responsibility to protect the privacy of data. “Attackers are getting increasingly sophisticated. Now, it’s generally accepted that we need to be ready to detect an incident and respond in a timely manner and address the challenge,” says the report.