In a sharp reminder of the growing vulnerabilities within Kenya’s digital payment landscape, JamboPay, a major fintech platform under Web Tribe Limited, has become the latest victim of a carefully orchestrated cyber heist.

At the centre of the scandal is 26-year-old Joseph Momanyi, who now finds himself in custody following an arrest in Kahawa West, Nairobi. Authorities accuse Momanyi of leading a complex scheme that diverted over KSh 49 million from JamboPay’s client portal, exploiting both technological loopholes and human networks.

A Calculated Breach

Between July 19 and July 23, 2024, JamboPay’s systems were silently infiltrated. According to an affidavit filed by Inspector Nickson Ngigi from the Directorate of Criminal Investigations (DCI), the attackers gained unauthorised access through seemingly legitimate customer profiles, specifically those connected to Korapay, Fincra, and the JamboPay Transaction Merchant Account.

What made this breach particularly secret was the disabling of One-Time Password (OTP) notifications, the alerts typically sent to customers to verify transactions.

By tampering with these mobile number settings, the attackers ensured that victims would not receive real-time alerts, allowing them to move large sums undetected.

READ ALSO:

Bank of Uganda Hit by $17 Million Cyber Heist

A Trail of Digital Evidence

Momanyi’s arrest led to a significant breakthrough. A search of his home yielded multiple SIM cards registered under different names, several mobile phones, and a laptop believed to have been instrumental in executing the digital theft.

Authorities allege that he utilised phone numbers linked to other individuals and relied exclusively on WhatsApp calls to evade surveillance and maintain secrecy.

Investigators believe Momanyi wasn’t acting alone. In fact, he is suspected of being part of a well-organised cybercrime syndicate, recruiting individuals who offered their bank accounts, M-Pesa wallets, and till numbers to receive and redistribute the stolen funds.

The money was then layered through various channels, complicating efforts to trace its final destination, a classic technique in money laundering operations.

Legal and Criminal Charges

Momanyi is currently being held at Muthaiga Police Station under the watch of the DCI’s Financial Investigations Unit. He is under investigation for:

• Computer Fraud, under Section 26 of the Computer Misuse and Cybercrime Act (2018),
• Money laundering, under Section 3 of the Proceeds of Crime and Anti-Money Laundering Act.

The DCI launched an official inquiry under reference ECCU 65/2024 after Web Tribe Limited reported financial anomalies and suspected unauthorised access to their systems.

Cooperation or Strategy?

Interestingly, police reports suggest that Momanyi has expressed a willingness to cooperate with investigators, potentially offering leads to the wider criminal network involved in the heist.

Inspector Ngigi acknowledged this cooperation, emphasising that Momanyi could provide crucial intelligence about his accomplices.

However, due to the serious nature of the allegations and the risk of further evasion, Milimani Magistrate Benmark Ekhumbi granted a custodial order, allowing detectives to hold Momanyi for seven more days to complete their investigations.

A Wake-Up Call for the Fintech Industry

This incident shines a spotlight on the increasing sophistication of financial cybercrime in Kenya and beyond. As fintech platforms scale and innovate, they also become attractive targets for tech-savvy criminals who exploit any weak links in security systems, regulatory oversight, or operational protocols.

For JamboPay, the breach not only represents a financial loss but also a drop in trust, both from clients and the broader digital ecosystem. The cyberattack underscores the urgent need for:

• Multi-layered security systems that can detect irregularities even when standard protocols (like OTPs) are bypassed.
• Real-time fraud monitoring, powered by AI and machine learning, to detect unusual transaction behaviour.
• Collaboration between fintech firms and law enforcement to enhance threat intelligence sharing and coordinated responses.

READ ALSO:

How Cbex Pulled Off a Massive Crypto Heist Disguised as a Verification Process

Final Thoughts

As digital financial services continue to define the future of commerce in Africa, the JamboPay heist serves as a cautionary tale.

It’s no longer enough to rely on legacy security tools or assume that digital platforms are immune to old-school criminal networks now operating with modern tools.

The convergence of technology and criminal enterprise demands an equally sophisticated defense, and that responsibility falls squarely on the shoulders of fintech operators, regulators, and users alike.

For now, all eyes are on the DCI’s next move and whether Joseph Momanyi’s cooperation will expose the full scope of the syndicate that nearly got away with millions.