Security probes BoU heist as insider job

Bank of Uganda establishment. PHOTO/MICHAEL KAKUMIRIZ

What you need to know:

  • New information indicates that $13m was taken out

The loss of billions of shillings at the Bank of Uganda (BoU) may have been an insider job, contrary to earlier reports that the money was spirited away by hackers, investigations have shown.
Security agencies investigating the loss of the money are treating it as an “inside job” that was a result of collusion between officials at BoU, Ministry of Finance’s Treasury department and the Accountant General’s office.
The narrowing down of the probe as an inside job, sources indicated, is also reinforced by findings of an independent audit sanctioned by BoU senior management last week.
In our reporting in yesterday’s story, we indicated that shadowy individuals in South East Asia had managed to swipe out $17m (Shs62.4 billion) from the Central Bank.

However, new information indicates that a total sum of $13 million (Shs47.8 billion) was taken out, with $6 million (Shs22 billion) sent to an account in Japan and $7 million (Shs25.7 billion) wired to an account in London, the United Kingdom.
The incident is said to have happened in September. When President Museveni got wind of the matter, he directed the security agencies to probe the heist.

At the end of September, a general inquiry file of the probe was opened at the Police’s Criminal Investigations Directorate (CID), with the involvement of counter intelligence detectives from the Defence Intelligence and Security (DIS), formerly the Chieftaincy of Military Intelligence (CMI), and the Auditor General’s office.

The BoU staff recorded statements at police last week, and yesterday it emerged that a group of Ministry of Finance staff were picked and taken to CID headquarters in Kibuli, Kampala, to record statements.
The Ministry of Finance spokesperson, Mr Jim Mugunga, referred this publication to police.

“I am not privy to any arrest or someone recording a statement from the Ministry. In any case, the designated agencies like the police are most suitable to avail more details on arrests made,” he said.
On Tuesday evening, the BoU deputy director for communications, Dr Natamba Bazinzi, in response to inquiries by this publication said: “Bank of Uganda is waiting for the police report on the reported incident.”
Dr Michael Atingi-Ego, who since January 2022 has been holding the fort simultaneously as Governor, Deputy Governor, and BoU board chairperson, was by press time on Tuesday expected to issue a substantive statement on the incident.


However, by last evening, it was not clear whether or not Dr Atingi-Ego had issued a statement, as earlier promised.
The police spokesperson, Mr Rusoke Kituuma, was non-committal on delving into the details.
“I can neither confirm nor deny. But we shall share details when we have reached a certain stage,” ACP Kituuma said.

How it happened

Knowledgeable sources told Daily Monitor last evening that the version of hacking by a shadowy group was a cover for what appears to be an “organised crime” in which the ministry staff instructed BoU to wire the money as payment for waste management in Kampala.
Sources indicated staffers in the Accountant General's office had instructed BoU to wire the money to foreign bank accounts for work done in Kampala.
“They created fictitious expenditures and transferred money from the Bank of Uganda, this was possible because the Central Bank is integrated with other banking systems globally,” a police source said.
Multiple sources this publication spoke to over the past week said that, after the expenditure was created, the money was sent to Bank of Uganda through an asymmetric file on a secure channel, which had two keys: one was a public one known to the sender and recipient, and the other was known only to the recipient.
“They then used an intermediary bank to effect the international wire transfer, which occurred between two banks and different countries,” a source added. It is at this point that someone using a private key decrypted the file and created new keys for the file and compromised the system.
Part of the money ($6m) was sent to an account domiciled in Japan, and the other batch ($7m) was sent to an account in the United Kingdom.

When the BoU officials learnt of the mess, they reportedly took the matter to the police and apprehended a staff member who had been in Nairobi during that period.
The staff member’s laptop was seized and handed over to a top audit firm. It emerged last evening that detectives were imaging the laptop to download log-in accounts to enable them to establish whose credentials were used in the heist.
The independent audit, sources indicated, had concluded that the Central Bank’s Treasury account network firewalls had not been breached as was initially reported.

The coded requests for wire transfers are said to have originated from the Accountant General’s office.
The Accountant General's office is charged with budget execution and accountability duties, including releases, government payments, and management information systems to support public financial management.

It remains unclear whether the ongoing probe will widen the scope of the investigations to look into earlier episodes.
But sources said there have been numerous episodes of taking out money and sometimes returning it under such circumstances, which point to long-running schemes of money laundering.

Previously, hackers have penetrated the legacy network firewalls of commercial banks and telecom companies, which transact on internet-enabled platforms but are yet to be upgraded to counter ransomware that evades detection and circumvents firewalls.
Detectives in CID’s cybersecurity department told this publication that Ugandan commercial banks are being hacked almost every month, with an estimated $3 million (about Shs11 billion) swiped out during the last 12 months.

However, the incidents are kept under wraps as banks fear scaring away customers.