• Home
  • Blog
  • DCI Cracks Down on Online Fraud Syndicates Targeting Kenyan Bank Customers

DCI Cracks Down on Online Fraud Syndicates Targeting Kenyan Bank Customers

DCI Cracks Down on Online Fraud Syndicates Targeting Kenyan Bank Customers

0 comments

ShareWhatsApp

The Directorate of Criminal Investigations (DCI) announced on Friday the arrest of 43 individuals in a coordinated multi-city operation targeting online fraud networks responsible for defrauding Kenyan commercial bank customers and M-Pesa users of more than Sh780 million in 2025, in what the DCI described as the largest single anti-cybercrime operation in the agency’s history.

The operation, codenamed Operation Nguvu ya Mtandao and conducted over 72 hours between Tuesday and Friday, involved simultaneous raids on 38 locations across Nairobi, Mombasa, Kisumu, Nakuru and Eldoret. Among those arrested were alleged ringleaders of three distinct fraud syndicates, telecommunications industry insiders who facilitated illegal SIM swaps, and members of a money laundering network that converted fraudulently acquired funds through a chain of shell businesses and cryptocurrency exchanges.

Methods Used by the Syndicates

DCI Director Mohamed Amin, at a press conference at Mazingira House in Nairobi, outlined the primary methods the syndicates had deployed. The most prevalent was SIM swap fraud, in which corrupt employees at mobile network sub-agents — operating outside official Safaricom, Airtel and Telkom retail outlets — facilitated the transfer of victims’ phone numbers to new SIM cards controlled by fraudsters. Once the SIM was swapped, criminals intercepted one-time passwords sent by banks and bypassed multi-factor authentication to drain accounts.

“We identified 14 telecommunications sub-agents across three networks who processed illegal SIM swaps on a fee-for-service basis, charging between Sh3,000 and Sh8,000 per swap,” Amin said. “Some of these individuals processed more than 200 fraudulent swaps over 18 months. The financial harm to victims was catastrophic.”

The second method involved sophisticated phishing operations in which victims received SMS messages and emails purporting to be from their banks or from the Kenya Revenue Authority, directing them to counterfeit websites that harvested login credentials. The DCI revealed that one syndicate had created 17 functioning counterfeit banking portals, hosted on servers in Eastern Europe and accessed via virtual private networks to mask their Kenyan operational footprint.

A third emerging threat involved fraudulent investment platforms promoted aggressively on WhatsApp, Facebook and TikTok, promising unrealistically high returns and using fabricated testimonials from public figures — including, in several cases, digitally altered images of President Ruto and prominent business leaders — to lend false credibility. Victims were required to deposit funds via M-Pesa, after which the platforms became inaccessible.

The Investigation and Prosecution Path

The DCI said Operation Nguvu ya Mtandao was the product of a 14-month investigation conducted in partnership with the Central Bank of Kenya (CBK), Safaricom’s fraud intelligence unit, the Kenya Bankers Association and Interpol’s financial crimes division. The investigation made extensive use of mobile money transaction data shared under a formal data-sharing framework signed between the DCI and major financial institutions in 2024.

“Financial crimes of this nature leave detailed digital trails. The challenge has not been evidence — it has been the speed at which the judicial system can process complex financial crime prosecutions,” Amin said, calling on Parliament to expedite passage of the Computer and Cybercrimes Act amendments currently before the National Assembly.

Of the 43 arrested, 31 are Kenyan nationals, nine are Tanzanian nationals — raising questions about cross-border syndicate organisation — and three are of other nationalities whose identity documents remain under verification. All are being held pending arraignment, with charges expected to include computer fraud, obtaining money by false pretences, money laundering and conspiracy under the Computer Misuse and Cybercrimes Act of 2018.

Bank Customer Warnings and Systemic Response

The CBK issued an advisory simultaneously with the DCI announcement, reminding all bank customers that legitimate banks and M-Pesa never request PINs, passwords or one-time verification codes via phone or SMS. The advisory was distributed via all major banks’ mobile apps, with Safaricom pushing the message through its M-Pesa platform to more than 34 million active users — a reach that no traditional media channel can match.

KCB Bank CEO Paul Russo, who attended the DCI press conference, said the banking sector had invested Sh2.3 billion in fraud detection infrastructure over the past two years but acknowledged that the SIM swap vulnerability required action at the telecommunications level that went beyond what banks could address independently. “We need the telcos, the regulators and law enforcement working as one system,” he said.

Safaricom’s Chief Customer Officer Anne Mwangi said the company had revoked the sub-agent licences of all 14 implicated agents with immediate effect and was conducting an urgent audit of all sub-agent SIM replacement records for the past three years. “Those who betrayed customer trust will face the full consequences, both criminal and contractual,” she said.

Consumer rights advocates welcomed the arrests but pointed out that victims faced lengthy waits to recover lost funds through existing bank dispute mechanisms. The Kenya Bankers Association committed on Friday to establishing a dedicated fraud victims rapid-response fund, capitalised at Sh50 million, to provide partial interim restitution to victims while criminal and civil proceedings continue — a measure that advocates said was welcome but long overdue.

About the Author

Follow me


{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}