Kenyan Bank Loses Sh517 Million in IT Breach, Funds Laundered via Cryptocurrency
A Kenyan bank has reportedly lost over Sh517 million ($4 million) in a sophisticated IT breach involving insider sabotage and cryptocurrency laundering, according to a report by the Financial Reporting Centre (FRC).
The breach was orchestrated by contractors who deliberately downgraded the bank’s card security system from a secure setting to a weaker 2D configuration. This change bypassed key verification protocols such as One-Time Password (OTP) authentication, allowing attackers to generate unauthorized digital wallets linked to customer accounts.
The funds siphoned from these accounts were subsequently converted into USDT (Tether), a popular stablecoin, and transferred across decentralized cryptocurrency platforms. This made it difficult for authorities to trace or recover the money.
While the FRC did not disclose the name of the bank or the contractors involved, it flagged the case as part of a growing trend of insider-led digital bank fraud in Kenya.
Kenya’s growing exposure to cryptocurrency-based fraud has raised alarm bells within the financial sector. Between 2021 and 2023, the FRC received more than 14,000 suspicious transaction reports involving Sh6.9 trillion. Of this, over Sh6.3 trillion — more than 90% — was transacted through banks.
The report outlines several tactics used by fraudsters, including splitting transactions to avoid mandatory reporting thresholds, creating shell companies, and leveraging loosely regulated crypto platforms for money laundering.
The Central Bank of Kenya (CBK) and the Financial Action Task Force (FATF) have raised concerns over Kenya’s vulnerability. In February 2024, Kenya was placed on FATF’s grey list due to shortcomings in anti-money laundering (AML) and counter-terrorism financing (CTF) frameworks.
In response, the CBK carried out a sector-wide compliance review in December 2024. The findings revealed that digital lenders and third-party service providers remain major weak points in Kenya’s banking cybersecurity ecosystem. Despite CBK’s issuance of cybersecurity guidelines and tighter scrutiny of third-party vendors, many banks continue to outsource critical IT services without robust vetting mechanisms.
The global threat is also mounting. According to a 2023 FBI report, cryptocurrency fraud accounted for $5.6 billion in losses, marking a 45% increase from the previous year.
FRC’s 2023 risk assessment further warned that Kenya’s largely unregulated virtual asset ecosystem is vulnerable to exploitation by criminals and extremist networks. Previous scandals such as the Worldcoin iris scan saga — suspended in 2023 — underscore the urgency for stronger oversight of digital innovation.
As Kenya continues to lead East Africa in cryptocurrency adoption, experts warn that regulation must keep pace with innovation to protect both consumers and the integrity of the financial system.
