
It reads like a cybercrime thriller — but for one unnamed Kenyan bank, it was a costly reality. In a newly released report by Kenya’s Financial Reporting Centre (FRC), a chilling digital heist saw fraudsters siphon Sh517 million ($4 million) from customer wallets, all while hiding in plain sight as trusted contractors.
The Breach That Shouldn’t Have Happened
The bank, referred to as XYZ Bank in the FRC report, had hired three merchants to implement a 3D Secure system for card transactions — a protocol designed to protect users through One Time Password (OTP) authentication. But instead of fortifying the system, the contractors deliberately downgraded it to a 2D Secure system, which lacks OTP verification.
With this critical layer of security removed, they silently created unauthorised customer wallets, bypassing all authentication.
And then they moved fast.
From these compromised wallets, funds were diverted and laundered through a separate bank account, codenamed JKA Bank, before being converted into USDT (Tether) — a cryptocurrency popular for its speed and pseudo-anonymity. The crypto was traced to a common wallet address, marking the final step before the trail went cold.
Crypto: A New Laundering Playground
Tether’s popularity among criminals stems from one dangerous advantage: it’s hard to trace. Unlike traditional currencies, most crypto transactions are not linked to real-world identities, making them a growing favourite for ransomware gangs, money launderers, and rogue insiders.
The FRC’s findings reveal a worrying trend: “Cybercriminals have been observed to utilise virtual currencies to move their illicitly acquired proceeds.”
This case shows just how easily internal systems can be compromised when outsourcing IT infrastructure without strict controls or oversight.
NCBA’s $445,000 Loss: A Pattern Emerges
The XYZ Bank breach isn’t isolated. NCBA Group is embroiled in its own legal fight after a software consultant allegedly manipulated its system in Rwanda. Between June 6 and June 14, 2025, the developer bypassed account checks in the MTN network, allowing non-existent or low-balance accounts to process 260 withdrawal requests, draining Sh57.5 million ($445,000).
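The two failure modes described above, the 3D Secure to 2D Secure downgrade that let card transactions and wallet creations proceed without an OTP step, and withdrawals that cleared against accounts that did not exist or could not cover them, are both visible after the fact in a transaction event log. The following is an added example of the kind of post-hoc control check a bank's monitoring team could run over such a log; it is not code from the article, the FRC report, or either bank. The event format, field names, the sample events and the ledger snapshot are all constructed for this example.

```python
"""Added example (not from the article): replay a transaction event log and
flag (a) step-up-required events with no verified OTP for the same
transaction, the signature of a 3DS-to-2DS downgrade, and (b) withdrawals
that cleared against unknown or under-funded accounts. Event schema and
sample data are assumptions for this example, not any bank's real format."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: int                     # event time, seconds (monotonic for the sample)
    kind: str                   # otp_challenge | otp_verified | card_auth | wallet_created | withdrawal
    account: str                # customer account id
    amount: int = 0             # minor currency units
    txn: Optional[str] = None   # transaction id that ties an OTP challenge to the action it guards


# Constructed sample log (not real data). Each txn id is one customer action.
SAMPLE_EVENTS: List[Event] = [
    Event(100, "otp_challenge", "acc-001", txn="t1"),
    Event(105, "otp_verified", "acc-001", txn="t1"),
    Event(106, "card_auth", "acc-001", 25_000, txn="t1"),   # correct 3DS flow
    Event(200, "card_auth", "acc-002", 180_000, txn="t2"),  # no OTP challenge at all
    Event(300, "otp_challenge", "acc-003", txn="t3"),
    Event(301, "card_auth", "acc-003", 90_000, txn="t3"),   # challenged but never verified
    Event(400, "wallet_created", "acc-004", txn="t4"),      # wallet opened with no authentication
    Event(500, "withdrawal", "acc-999", 50_000, txn="t5"),  # account is not in the ledger
    Event(600, "withdrawal", "acc-005", 70_000, txn="t6"),  # balance is only 20_000
    Event(700, "withdrawal", "acc-001", 10_000, txn="t7"),  # covered, should not be flagged
]

# Constructed ledger snapshot taken before the first event (not real data).
SAMPLE_LEDGER: Dict[str, int] = {
    "acc-001": 100_000, "acc-002": 5_000, "acc-003": 50_000,
    "acc-004": 0, "acc-005": 20_000,
}

# Actions that the 3D Secure design requires to sit behind a verified OTP.
STEP_UP_KINDS = {"card_auth", "wallet_created"}


def missing_otp(events: List[Event]) -> List[str]:
    """Return txn ids of step-up actions that ran without a prior otp_verified on the same txn."""
    verified = set()
    flagged: List[str] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "otp_verified":
            verified.add(e.txn)
        elif e.kind in STEP_UP_KINDS and e.txn not in verified:
            flagged.append(e.txn)
    return flagged


def downgrade_rate(events: List[Event]) -> float:
    """Share of step-up actions lacking OTP. A jump in this figure right after a
    vendor change is the monitoring signal a downgrade would produce."""
    total = sum(1 for e in events if e.kind in STEP_UP_KINDS)
    return len(missing_otp(events)) / total if total else 0.0


def unbacked_withdrawals(events: List[Event], ledger: Dict[str, int]) -> List[Tuple[str, str]]:
    """Replay withdrawals against the ledger snapshot and flag any that the
    core system should have rejected: unknown account or insufficient balance."""
    balances = dict(ledger)  # copy so the snapshot is not mutated
    flagged: List[Tuple[str, str]] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "withdrawal":
            continue
        if e.account not in balances:
            flagged.append((e.txn, "unknown_account"))
        elif balances[e.account] < e.amount:
            flagged.append((e.txn, "insufficient_balance"))
        else:
            balances[e.account] -= e.amount  # legitimate withdrawal reduces the balance
    return flagged


if __name__ == "__main__":
    print("step-up actions without OTP:", missing_otp(SAMPLE_EVENTS))
    print("downgrade rate:", downgrade_rate(SAMPLE_EVENTS))
    print("withdrawals that should have been rejected:",
          unbacked_withdrawals(SAMPLE_EVENTS, SAMPLE_LEDGER))
```

Both checks are independent of the application code the contractors controlled: they read the event log and the ledger, so a vendor who quietly removes the OTP step in the payment flow cannot also silence the check unless they are given write access to the monitoring pipeline as well. That separation is the practical content of "continuous monitoring of outsourced partners".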
These digital vulnerabilities — particularly those enabled by trusted insiders — highlight how financial systems are increasingly at risk from within.
Staff Vetting and Oversight in the Spotlight
The Central Bank of Kenya (CBK) has issued repeated warnings, urging commercial banks to audit not just their own teams, but also third-party providers involved in IT systems, cybersecurity, payments, and customer data access.
Third parties, especially those in system maintenance, often enjoy deep system access. When misused — as seen in both XYZ Bank and NCBA — the consequences can be catastrophic.
Banks are now under pressure to rethink their vendor management policies, with particular focus on:
- Authentication protocols
- Access privilege controls
- Continuous monitoring of outsourced partners
- Digital forensics readiness
An Industry-Wide Problem
Kenya’s banking sector is at a turning point. As services shift digital — with mobile money, crypto trading, and online credit — the attack surface grows wider. To counter this, banks have formed an industry-wide risk forum to share fraud intelligence and build a unified response to emerging cyber threats.
But for customers, these behind-the-scenes moves offer little comfort. Money was lost. Confidence was shaken. And criminals, armed with lines of code and technical access, walked away with millions.