Kenya police bust ring of hackers in multimillion-shilling KRA, bank thefts

Thursday March 09 2017

Some of the suspects arrested for transnational crimes including drug trafficking and cybercrime in Nairobi. PHOTO | JEFF ANGOTE | NATION MEDIA GROUP

Kenya Revenue Authority (KRA), several blue-chip banks, a parastatal and a supermarket chain are some of the institutions penetrated by an international cybercrime syndicate that made off with hundreds of millions of shillings before its members were all seized on Monday and Tuesday.

Working with insiders and relatives of “prominent politicians”, the crooks had formed an international band that installed malware into the systems, allowing them to take control of the institutions’ computers and steal what police sources said would run into hundreds of millions. (Malware is software that disables the systems to enable hacking and transfer of money without detection.)

On Monday night, Kenyan detectives from the Special Crime Prevention Unit, SCPU, and the Flying Squad smashed the syndicate and arrested a former police officer, a Kenya Revenue Authority employee and two American citizens who are now among 16 suspects in police custody for transnational crimes — that include cybercrime and drug trafficking.

On Wednesday evening, KRA confirmed that its staff members had been part of the syndicate and were under arrest. Commissioner General John Njiraini said KRA “played a key role in unearthing the crime … whose outcome has been the arrest of several suspects among them KRA staff in the ICT department”.

The cybercrime syndicate was operating in the Kenyan capital's city centre, in Muthaiga and Roysambu, suburbs in Nairobi, and in Thika, an industrial town 42km northeast of the capital, and had been robbing banks using salami attacks and electronic transfers as well as trafficking drugs.

They have also been colluding with motor vehicle importers to evade tax and were illegally registering the vehicles. During the crackdown, police recovered several vehicle number plates from one of the houses.


Damage unknown

(In a salami attack, a cyber crook steals small, undetectable amounts and deposits them in one account before launching a major attack.)

Security reports, seen by Nation, also indicate that the group were “conspiring to manipulate the IEBC (Independent Electoral and Boundaries Commission) system during the elections” and had been working with relatives of senior politicians, which gives the syndicate a political angle too.

How much damage they have left in their wake is unknown, but police say the leader of the cyberheist gang is 35-year-old Calvin Otieno Ogalo, a former police officer and bank employee, who on Saturdays turns into a devout SDA patriot and choir member but worked as a bank hacker every other day between 3pm and midnight.


One of the suspects arrested during the raid. PHOTO | NATION MEDIA GROUP

The Cybercrime Investigation Unit estimates that Kenya lost more than $170 million to hackers in 2016, with theft of credit or debit card data and financial scams, bank salami attacks and hacking of the mobile banking systems being the greatest targets. Also, the Global Threat Index last year placed Kenya at position 69 out of the 127 countries that are vulnerable to cybercrime.

At the KRA offices in Nairobi, detectives discovered a laptop hidden within the network chambers “and connected through port 11” which allowed Mr Ogalo to have unfettered access to the system.

In Ogalo’s house, police said they found an AK47 rifle, computers, mini servers, cables, hard disks and a narcotic substance whose samples were taken to the Government Chemist for verification and classification. Ogalo is also sought by the Banking Fraud Investigation Unit (BFID), and is suspected to have been involved in the theft of $500,000 from the Kenya Police Sacco.

'A Russian' entry

The ex-officer, who once worked for the Directorate of Criminal Investigations before he was dismissed in 2012, was described as an IT guru, and has several pending cases.

The arrest of the hackers comes at a time when tightly held cybercrime records indicate that Kenyan private and public sectors lost $100 million in 2015, with the financial sector losing $40 million of that amount.

It was the entry of “a Russian” into the local syndicate that jolted police into action after they intercepted communication between the local and international criminals.

But as it turned out, the man was a 52-year-old American, Larry Peckham II — who usually communicated with the son of a prominent politician and daughter — and another 32-year-old woman, Denise Huitron. The two Americans were arrested at an apartment on Riverside Drive, a prestigious address in Nairobi, and are in police custody. Peckham also stayed at an unmarked house next to Madari Kindergarten, in the same neighbourhood.

The Nation has established that these cyber criminals were working with foreigners based in Spain, France, Moldova, and Belgium to gain access to various systems, and with insiders who installed malware into the systems.

A police report says that “the criminals conspire with employees of the targeted institutions who conspire and provide them with access to the networks remotely using Remote Access Tools”, and on Wednesday evening police were looking for more suspects working in the banks.

Banks attack

In December last year, four banks were attacked and they lost $1.3 million, which was never recovered.

The mastermind of all this was Mr Ogalo, a man who drives a navy blue Mercedes Benz and who leads a modest life.

Before he was arrested, Mr Ogalo had an office at Brightwood Apartments, near Yaya Centre, on the outskirts of Nairobi, where he worked alone into the night or in the company of friends before driving back to his house, about 10 minutes away, at the junction of Joseph Kangethe and Kabarnet Road where he stays with his wife.


Surveillance photos of some of the suspects. PHOTO | NATION MEDIA GROUP

Police sources say that Mr Ogalo is thought to have previously hacked the Independent Electoral and Boundaries Commission system and KenCall servers during the last general election.

“There are fears that Ogalo and his network might be targeting the IEBC in the coming August 2017 elections after a Russian male joined the network,” says the report.

At the moment, Mr Ogalo has five pending criminal cases relating to banking fraud and forgery.

Also arrested was a Kenya Revenue Authority employee, Edward Kiprop Langat, the insider within KRA who worked as the contact person for Mr Ogalo.

Police say that from his Times Tower office, in Nairobi CBD, Langat was able to provide credentials of users at the National Transport and Safety Authority and KRA, which were used to register motor vehicles illegally and hence evade payment of tax.

He is also said to be the director of Blackyard Technologies Ltd, which last year had registered a phony website, “Safaricon”. His co-director, Omar Ibrahim, has also been arrested and police say he is a close ally of a senior opposition politician.

Working with Langat is his friend Albert Komen, 35, who is also accused of hacking into the KRA system with the help of a former KRA officer, David Wambugu, who is under suspension.

Wambugu, 35, who graduated with a BSc IT from Jomo Kenyatta University of Agriculture and Technology in 2006, has been using his past access at KRA to connect the hackers to the staff members. He operates three companies — Nairobi Shuttle Ltd, Henry Battery Clinic and Tokyo Motors.

Also in the group is a programmer, James Mwaniki, 28, whose work is to approach Saccos to create financial software. He creates “a back door” that allows him to illegally access the accounts and siphon money from unsuspecting Saccos. On Wednesday, some of these suspects were taken to court at Jomo Kenyatta International Airport.

The police requested Resident Magistrate Muthoni Nzibe to allow them to be detained for 20 days to allow the officers to conduct more investigations. The request was granted.

The head of SCPU, Noah Katumo, said the operation, which had brought together detectives from several police units, was still ongoing.