SUNDAY NATION

How Rwanda Took Down Kenyan Cybergang Forkbombo


Sunday, July 25, 2021


By Brian Wasuna
Nation Media Group

When the notorious Forkbombo cybercrime syndicate moved its operations to Rwanda, authorities were already familiar with their tactics. Security agencies, lying in wait, managed to apprehend 12 suspects.

Cybersecurity firm OnNet Africa played a crucial role in dismantling the group, having provided law enforcement with valuable intelligence over the years. This made it easier to predict the hackers’ moves and ultimately bring them to justice.

The 12 individuals arrested in Rwanda in 2019 were sentenced to eight years in prison and fined Sh6 million just two weeks ago by a Rwandan court.

The Rise and Fall of Forkbombo

Founded by former Directorate of Criminal Investigations (DCI) cybercrime detective Calvin Otieno Ogalo, Forkbombo targeted corporations and government entities until 2017, when they infiltrated the Kenya Police Sacco.

Investigators monitoring communications between Ogalo’s group and two U.S. nationals, suspected to be part of the hacking network, seized the opportunity to strike. The evidence they gathered was used to prosecute 11 members for hacking the Kenya Revenue Authority (KRA).

On March 28, 2017, police arraigned 10 alleged members of the hacking ring. A week later, Alex Mutungi Mutuku was also charged with causing KRA to lose Sh3.9 billion.

One of their fraudulent schemes at KRA involved assisting unscrupulous businessmen in illegally registering imported vehicles without paying required taxes. In exchange for a fee, the hackers altered KRA records to clear the vehicles for local use, despite pending number plate allocations.

Forkbombo had previously breached the National Transport and Safety Authority (NTSA) system, leading to suspicions that they manipulated the agency’s website to authorize these registrations. The prosecution of 11 members nearly marked the end of Forkbombo.

A Notorious Team of Hackers

With its leader, Ogalo, in custody and one of its most skilled operatives, Mutuku, also detained, Forkbombo's activities seemed to come to a halt for the first time since 2013.

However, the vacuum created by the arrests allowed Reuben Kirogothi Mwangi, the third-ranking member, to step in. An early recruit brought in by Ogalo, Mwangi was among the first to be apprehended for computer fraud.

In 2013, he and four other members were charged with siphoning Sh80 million from the Judiciary by fraudulently directing payments to fictitious firms. Mwangi’s company, Meerkats (K) Ltd, received Sh6.6 million, while other members also funneled millions into their own firms.

Mwangi and fellow accused Henry Achoka later absconded from court proceedings. In his bid to revive Forkbombo, Mwangi secured support from four remaining senior members: Erick Dickson Njagi, Godfrey Gachiri, and Erickson Macharia Kinyua.

Crossing Borders to Uganda and Rwanda

The group recruited four more individuals—Dedan Muchoki Muriuki, Samuel Wachira Nyuguto, Damaris Njeri Kamau, and Steve Maina Wambugu—before relocating to Uganda in 2018 and later Rwanda in 2019.

By this time, Forkbombo was under intense surveillance, with East African security agencies collaborating to prevent cyber heists. Interpol officers in Kenya alerted Ugandan authorities when the gang crossed over, warning that businesses could soon face substantial losses.

In mid-2019, Forkbombo carried out a ‘salami attack’ on Development Finance Company of Uganda (DFCU) Bank. Over the course of a month, they gradually siphoned Ush700 million (Sh21.4 million) from customer accounts.

Instead of purchasing ATM cards from desperate bank clients, the gang registered fake accounts at DFCU. They also obtained deactivated ATM cards from customers who had surrendered them for renewal and reactivated them to withdraw cash.

By mid-July 2019, the hackers had drained Ush8 billion (Sh244 million) from accounts in a single large-scale operation. However, DFCU's internal security system failed to detect the theft immediately.

Upon realizing the breach, the bank alerted police in Kampala, leading to the arrest of two junior DFCU employees and two money mules working with Forkbombo. Meanwhile, the core members believed they had evaded capture and lay low for four months before shifting operations to Rwanda.

Rwanda Closes In

While Ugandan authorities missed the chance to catch the masterminds, they continued monitoring the gang’s movements. The moment Forkbombo entered Rwanda, security agencies were tipped off.

Arriving in Kigali in early October 2019, the hackers scouted potential targets, including four banks—one of them being Equity Bank.

When Forkbombo attempted to breach Equity's Eazzypay system, the security infrastructure held firm, forcing them to retreat and regroup. However, Rwandan intelligence was already one step ahead.

How Forkbombo Was Finally Busted

Rwandan investigators, aware of the gang’s presence, tracked their activities closely. Equity Bank's management, informed of the threat, collaborated with security agencies to counter the hackers.

As part of their recruitment, Forkbombo sought out low-income earners, such as househelps and casual laborers, to act as money mules. Some of these recruits, however, reported the suspicious job offers to authorities.

Equity Bank promptly relayed this intelligence to the Rwanda Investigations Bureau (RIB). As a result, the authorities closely monitored Forkbombo’s movements and interactions. Some recruits were even persuaded to act as double agents, feeding crucial information back to law enforcement.

On November 1, 2019, just minutes past midnight, Equity Bank's security system detected an intrusion attempt. Security teams, fully prepared, sprang into action. As the hackers tried to gain access, RIB detectives moved in and arrested them.

Rwanda’s swift justice system ensured the case was concluded in under two years, despite delays caused by the COVID-19 pandemic. This highlights the efficiency of the country’s judicial framework.

The Rise of Silent Cards

While Forkbombo is now a thing of the past, cyber threats remain. According to cybersecurity firm OnNet Africa, a splinter group known as Silent Cards emerged in 2017, formed by Forkbombo members who opposed Mwangi’s leadership.

Silent Cards executed a major heist in 2019, stealing Sh400 million from a Kenyan bank—one of the largest single cyber thefts in the country’s history.

bwasuna@ke.nationmedia.com

Note: This newspaper article has been intentionally paraphrased to ensure originality and does not violate copyright laws.
