A brazen financial scam has rocked Uganda, involving the diversion of over $15 million in international debt payments through digital manipulation.
Unlike traditional heists, this operation relied on cyber expertise and insider access, leaving investigators grappling with its sophistication and implications.
Millions Redirected to Foreign Accounts
The heist involved two significant transactions rerouted from their intended recipients to dubious private entities.
On September 10, $6.134 million (Shs22.3 billion) intended for the World Bank’s International Development Association (IDA) was wired to Roadway Co. Ltd, a company based in Tokyo, Japan.
Later, on September 26, $8.596 million (Shs31.2 billion) meant for the African Development Bank’s African Development Fund (AFD) was transferred to MJS International, a London-based company.
A confidential December 3 audit commissioned by the Bank of Uganda (BoU) revealed the fraud, which exploited vulnerabilities in the government’s Integrated Facility Management System (IFMS).
The audit, led by PricewaterhouseCoopers (PwC), outlined how the payments were manipulated through sophisticated digital forgery and insider collusion.
The Role of the Ministry of Finance
The audit points to the Ministry of Finance as the epicentre of the scam, citing failures in payment controls and potential insider involvement.
Payment instructions were reportedly tampered with before being sent to BoU for processing.
However, the Ministry of Finance has contested the findings, questioning the validity of the BoU-sanctioned audit and emphasizing the need for the Auditor General’s report to take precedence.
This has sparked speculation over the ministry’s transparency and its possible role in the heist.
How the Heist Was Orchestrated
Investigators found that payment instructions within the IFMS were intercepted and altered.
Details such as the payee names and bank account numbers were changed before the instructions were encrypted and sent to BoU.
The IFMS, which tracks external debt payments, is a critical system for Uganda’s financial management.
However, its security protocols were breached, allowing cybercriminals to reroute payments to foreign accounts.
Emails containing these instructions were intercepted and manipulated using an online spoofing service hosted in the Czech Republic, masking the perpetrators’ identities.
For example, payment files originally meant for IDA were altered to list Roadway Co. Ltd as the recipient, while files for AFD were manipulated to favor MJS International.
Investigators confirmed that the spoofed emails bypassed standard checks and were sent to key staff in the Ministry of Finance under fake credentials.
Delays in Detection and Response
Despite the massive sums involved, the fraud went undetected for weeks. IDA flagged the delayed payment in early October, a month after the first transaction.
Yet, it took another month for the Ministry of Finance to notify the Auditor General.
Junior Finance Minister Henry Musasizi admitted the breach to Parliament on December 1, describing it as a “hack.”
However, PwC’s audit suggested internal involvement, with names of persons of interest flagged for further investigation.
PwC’s Findings: A Trail of Digital Deception
PwC’s investigation, codenamed “Project Tai,” revealed that the heist was not merely a result of external hacking but involved insiders with high-level clearance.
Payment instruction files were manipulated prior to encryption, allowing altered files to be sent to BoU for processing.
The report detailed how backup copies of payment files showed discrepancies between the Ministry of Finance’s initial data and the encrypted files sent to BoU.
This confirmed that the tampering occurred before the files were relayed.
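The backup-versus-transmitted comparison described above can be run as a routine control before release instead of after a loss. The following is an added example, not code from PwC, BoU or the IFMS; the field names, references, payees and account numbers are constructed assumptions.

```python
import hashlib
import json
from decimal import Decimal

# Fields whose change redirects money; names are assumptions, not the IFMS schema.
CRITICAL = ("payee", "account", "amount", "currency")

def canonical(rec):
    """Normalise one instruction so cosmetic differences do not raise alerts."""
    return {
        "payee": " ".join(rec["payee"].split()).upper(),
        "account": rec["account"].replace(" ", "").upper(),
        "amount": str(Decimal(rec["amount"]).quantize(Decimal("0.01"))),
        "currency": rec["currency"].strip().upper(),
    }

def digest(rec):
    blob = json.dumps(canonical(rec), sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

def reconcile(approved, transmitted):
    """Compare approval-time backups with the file released to the paying bank.
    Both arguments map a payment reference to an instruction dict."""
    findings = []
    for ref in sorted(set(approved) | set(transmitted)):
        a, t = approved.get(ref), transmitted.get(ref)
        if a is None:
            findings.append((ref, "not_in_approved_backup", []))
        elif t is None:
            findings.append((ref, "missing_from_transmitted_file", []))
        elif digest(a) != digest(t):
            ca, ct = canonical(a), canonical(t)
            findings.append((ref, "altered", [f for f in CRITICAL if ca[f] != ct[f]]))
    return findings

# Constructed sample data: every reference, payee and account number is invented.
APPROVED = {
    "REF-001": {"payee": "Example Development Lender", "account": "XX00 1111 2222", "amount": "1000000.00", "currency": "usd"},
    "REF-002": {"payee": "Example Regional Fund", "account": "XX00 3333 4444", "amount": "250000", "currency": "USD"},
}
TRANSMITTED = {
    "REF-001": {"payee": "Example Trading Co. Ltd", "account": "YY99 5555 6666", "amount": "1000000.00", "currency": "USD"},
    "REF-002": {"payee": "example regional  fund", "account": "XX0033334444", "amount": "250000.00", "currency": "USD"},
    "REF-003": {"payee": "Example Holdings", "account": "ZZ11 7777 8888", "amount": "90000.00", "currency": "USD"},
}

if __name__ == "__main__":
    for finding in reconcile(APPROVED, TRANSMITTED):
        print(finding)
```

The check is only as strong as the separation between the approval-time backup and the people who can edit outgoing files; if both sit under the same access, an insider can change them together.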
PwC also collaborated with teams in the UK and Japan to investigate the recipient companies. In London, MJS International’s listed address was found to be a rented office space with no registered business activities.
In Tokyo, Roadway Co. Ltd was linked to a legitimate recycling business with no apparent ties to Uganda or Africa.
BoU’s Defense: Fraud Occurred Outside Its Systems
BoU Deputy Governor Michael Atingi-Ego defended the institution, emphasizing that the fraud originated outside the bank’s IT systems.
“BoU is a paying entity. We receive instructions to pay, and we pay as instructed,” he stated during a December 5 press conference. He further clarified that the bank’s role was limited to processing payment instructions received from the Ministry of Finance.
Recovery Efforts: Partial Success
Efforts to recover the stolen funds have yielded mixed results. BoU successfully retrieved $8.205 million (Shs22.9 billion) from MJS International’s account in London.
However, $390,000 (Shs1.4 billion) from the same transaction remains unaccounted for and is suspected to have disappeared.
In Tokyo, investigators identified multiple companies named Roadway Co. Ltd, but only one matched the address listed in the fraudulent transaction.
This company operates in the recycling industry and has no known connections to Uganda. The $6.134 million sent to its account remains unrecovered.
The Investigation Widens
President Yoweri Museveni has ordered a multi-agency investigation involving the Criminal Investigations Directorate (CID), Defense Intelligence and Security (DIS), and the Auditor General’s office.
PwC recommended collaboration with telecom companies and other state agencies to trace communications between the conspirators and the foreign companies involved.
The audit also called for the Directorate of Public Prosecution to initiate legal action against individuals identified as culpable.
Names of several officials within the Ministry of Finance were withheld pending further investigation.
Flaws in Financial Oversight
The incident has exposed critical vulnerabilities in Uganda’s financial systems. The IFMS, designed to ensure transparency and efficiency in public financial management, proved susceptible to insider abuse and cyberattacks.
Further complicating matters, the Ministry of Finance’s quality assurance team failed to flag discrepancies in payment details. This lapse allowed fraudulent instructions to proceed without detection.
A Global Cyber Puzzle
The heist has highlighted the complexity of tracking cyber fraud in an increasingly interconnected world. Investigators traced the spoofing service used in the scam to a Czech-based provider, while the funds were funnelled through accounts in London and Tokyo.
Efforts to identify the true owners of MJS International and Roadway Co. Ltd have revealed a web of shell companies and incomplete records, complicating the recovery process.
What’s Next?
As investigations continue, questions linger about who orchestrated the heist and whether all stolen funds can be recovered.
The scandal has prompted calls for stricter controls over Uganda’s financial systems and greater accountability within the Ministry of Finance.
While some funds have been recovered, the incident underscores the urgent need for enhanced cybersecurity measures and robust oversight to prevent future fraud.
For now, the $15 million heist serves as a cautionary tale of how technology can be both a tool for progress and a weapon for crime.