The official X (formerly Twitter) account of the Directorate of Criminal Investigations (DCI) Kenya has fallen victim to hackers, who appear to be using the platform to push a cryptocurrency scam.
The account, which typically disseminates security and law enforcement updates, has been posting content promoting a dubious crypto scheme, alerting followers to potential fraud.
The breach was noticed when the DCI Kenya account deviated from its usual posts, instead sharing details about a cryptocurrency investment opportunity.
One of the messages posted on the account urged local media to support the launch of a blockchain project, while another promoted the distribution of tokens in exchange for likes and retweets.
DCI confirms the hack
However, the DCI seems to have regained control, as the posts have since been deleted.
The DCI has since issued the following statement regarding the hack on their X account:
“For some moment this evening, we experienced a cyber-attack on the DCI digital platforms (X and Facebook), but have since regained full control. During the short period, the cyber criminals who attempted to take over the accounts posted the information captured on the screenshot below,” the statement reads.
During the brief period when the accounts were compromised, the hackers managed to post misleading information, which was captured in a screenshot and referenced in the DCI’s statement. The DCI explicitly clarified that this information was “FAKE” and did not originate from them.
“The information is therefore FAKE and not from the DCI. A scrupulous interrogation into the criminal activity has been activated to bring to book the perpetrators,” it added.
This marks another high-profile case of cybercrime in Kenya, following closely on the heels of a similar attack on the Kenya Broadcasting Corporation (KBC) account just last week.
In the KBC incident, hackers not only took over the account but also swiftly changed the handle to “DeepseekOnSoI”, named after the AI chatbot DeepSeek, which mimics the functionality of well-known AI like ChatGPT. This rebranding was evidently an attempt to leverage the chatbot’s recognition for misleading potential investors.
This incident is part of a growing global trend where high-profile social media accounts, including those on YouTube, X, and other platforms, are hijacked for similar fraudulent activities. Cybersecurity experts have long warned about the increasing sophistication of such scams, where attackers often rebrand accounts to impersonate well-known entities or celebrities to gain trust and credibility.
Scammers may also hold the accounts until they are paid. Ransomware is common too, especially among big corporates, which are targeted by hackers and part with millions.
How crypto scams work
According to current cybersecurity trends, the attack method often involves phishing emails or malware designed to steal session cookies. Because a stolen session cookie already represents a logged-in session, it lets hackers bypass even two-factor authentication. Once they gain control, the account is used to broadcast live streams or posts promising high returns on cryptocurrency investments. The funds ultimately disappear into the hands of the scammers.
The official X account of the Kenya Broadcasting Corporation (KBC), known by its handle @kbcchannel1, has been hacked. Reports emerging late on January 31, 2025, Eastern African Time (EAT), indicate that the account has been taken over by hackers promoting what appears to be a cryptocurrency scam.
Active X users quickly noticed unusual activity when the KBC account began posting content unrelated to its usual news broadcasts. Instead, the account started sharing information about a cryptocurrency scheme, raising concerns among followers.
The scammers swiftly changed the handle to DeepseekOnSoI. DeepSeek is the name of a free AI-powered chatbot, which looks, feels and works very much like ChatGPT.
Numerous posts from Kenyan users on X expressed surprise and alarm over the sudden shift in the account’s behavior. Many speculated that the hackers were using KBC’s platform to lure unsuspecting individuals into investing in a potentially fraudulent cryptocurrency venture.
As of the time of publication, KBC has yet to release an official statement regarding the hack. However, the Communications Authority of Kenya and the ICT Ministry have been tagged in several posts on X, with users calling for swift action to mitigate further damage and investigate the breach.
The account remains compromised, but sources indicate that KBC’s technical team is working to regain control.
KBC is Kenya’s official national broadcaster and a trusted source of news for millions of Kenyans. This incident underscores the importance of robust cybersecurity measures to protect digital assets and maintain public trust.
Cyber criminals have targeted Equity Bank and made off with Sh179 million in what is being described as the biggest card-fraud heist this year.
In a leaked letter from a bank insider, seen by Kenya Insights, Sh179,677,736 was stolen from the bank’s MasterCard GL and transferred to 551 accounts.
How Equity Bank got hacked
In the letter, signed by Gerald Munyiri, Equity’s General Manager for Security & Investigations, which alerted the Banking Fraud Investigations Department at the DCI and sought help in investigating and prosecuting the perpetrators, the bank details how the hackers moved the money from the MasterCard GL and quickly spread it across 551 accounts within the bank and through M-Pesa.
“Early 15/04/2024 the bank’s risk department discovered an upsurge of transactions emanating from the banks Incoming Master Card GL. Preliminary investigations revealed that between 09/04/2024 and 15/04/2024, Ksh. 179,677,736/- was paid out from the GL fraudulently to the 551 Equity Bank accounts,” part of the letter reads.
It continues: “Additionally, Ksh. 63,023,983/- was sent to Safaricom Mpesa and Ksh. 39,047,344/- to eleven commercial banks.”
According to the letter, Equity has managed to block a fraction of the looted cash by locking the accounts in question, and is in talks with Safaricom for help in tracing and retrieving the rest of the cash that was offloaded through M-Pesa.
Equity Bank’s history with hackers
The bank is not new to claims of fraud and of customers losing money in unclear circumstances; a look at its social media accounts paints a vivid picture through the complaints.
The bank’s cybersecurity systems have been faulted by experts for being vulnerable making it an easy target for hackers.
A recent case in which a cybercrime gang that included Kenyans was jailed in Rwanda for targeting the bank could explain how this is done.
In 2022, eight Kenyans who had hacked the bank were handed eight-year jail terms and fined Sh5.6 million.
The eight were part of a 12-man gang arrested in 2019 by the Rwandan Investigation Bureau (RIB) that included three Rwandese nationals and a Ugandan.
The gang had successfully carried out hacks in Kenya and Uganda and were already under police watch when they were finally caught in Rwanda.
The gang members were arrested while hacking into Equity Bank accounts and funnelling the cash to Rwandans, who would withdraw the funds through Eazzy banking and ATMs.
The Kenyans include Dedan Muchoki Muriuki, Samuel Wachira Nyuguto, Kinyua Erickson Macharia, Godfrey Gachiri Githinji, Eric Dickson Njagi Mutegi, Reuben Kirogothi Mwangi, Damaris Njeri Kamau and Steve Maina Wambugu.
The hackers, working with insiders to identify targets with large deposits, attempted to penetrate the lender’s 14-branch network and wrote computer scripts to move money to several local accounts of accomplices.
They attempted the hack through the Eazzy banking platform, but the bank and security agents intercepted them, having been alerted to their operations, including the recruitment of Rwandans who would take cash out of the accounts.
Cybercriminals are using ‘BIN’ attacks in card fraud
While it is still not clear how the Equity heist was executed, a Bank Identification Number (BIN) attack appears to be a likely explanation.
Cybersecurity defences may be getting stronger, but cyber-criminals always seem to outpace that progress by coming up with more sophisticated tactics. The latest troubling trend to emerge is the use of “BIN attacks” by cyber-criminals to target small businesses. Starting from the BIN of a credit card, fraudsters test guessed card details through trial and error on unsuspecting e-commerce sites. This cybercrime tactic not only poses financial threats to businesses but also leaves consumers questioning the security of their online transactions.
Behind the scenes of the ‘BIN’ attacks
Kenyan banks have been losing staggering amounts of money over the past years. What initially seemed like a clerical error has turned out to be a sophisticated cybercrime technique that has put both businesses and consumers on edge.
Cyber-criminals start by obtaining the first six digits of a credit card, known as the Bank Identification Number (BIN). With this information, they use trial-and-error methods to find valid combinations of card numbers, expiration dates and security codes. The guessed card details are then tested through small transactions that are hardly noticed, to determine their validity. Once confirmed, fraudsters either sell the compromised card numbers or use them for larger fraudulent transactions.
Many people find themselves victims of unauthorised transactions. Some victims, despite never having used their cards online, are shocked to discover transactions on their accounts, and are left doubting the safety of their financial information even after the bank reimbursed them.
Contrary to popular belief, credit card numbers are not as random or as numerous as consumers might think. With 16 digits on a card, removing the six-digit BIN leaves just 10 digits, which must also adhere to a specific pattern. The relatively limited number of possibilities makes it feasible for cyber-criminals to use automated systems to rapidly guess valid combinations, posing a significant challenge for traditional security measures.
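As an added example (not code from the article or from any bank), the script below shows the “specific pattern” the article alludes to, the Luhn check digit, together with a simple velocity rule a merchant or acquirer could run over authorization logs to spot card testing: many distinct card tokens under one BIN, small amounts, mostly declined, within a few minutes. The log lines, merchant names, card tokens and thresholds are all constructed; the only real card number is the widely published Visa test number 4111 1111 1111 1111.

```python
"""Luhn check plus a card-testing (BIN attack) velocity detector.

Added example, not the article's or any bank's code. The authorization log
below is constructed; tokens stand in for card numbers as a real log would.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def luhn_valid(pan: str) -> bool:
    """Return True if the card number passes the Luhn (mod 10) check.

    This is the pattern that constrains the digits after the BIN: the last
    digit is a check digit, so only one in ten random digit strings passes.
    """
    pan = pan.replace(" ", "")
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


# Constructed log: time, merchant, BIN, card token, amount (KES), result.
# shop-77 sees six different cards from one BIN in 40 seconds, mostly declined;
# cafe-01 shows ordinary repeat customers.
SAMPLE_LOG = """\
2024-04-09T10:00:01 shop-77 512345 tok-a1 50.00 DECLINED
2024-04-09T10:00:09 shop-77 512345 tok-a2 50.00 DECLINED
2024-04-09T10:00:17 shop-77 512345 tok-a3 50.00 DECLINED
2024-04-09T10:00:25 shop-77 512345 tok-a4 50.00 APPROVED
2024-04-09T10:00:33 shop-77 512345 tok-a5 50.00 DECLINED
2024-04-09T10:00:41 shop-77 512345 tok-a6 50.00 DECLINED
2024-04-09T10:03:00 cafe-01 512345 tok-b1 850.00 APPROVED
2024-04-09T10:04:10 cafe-01 512345 tok-b2 40.00 APPROVED
2024-04-09T10:05:30 cafe-01 512345 tok-b1 40.00 APPROVED
"""


def parse_log(text: str) -> list:
    """Parse the whitespace-separated log format above into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, merchant, bin6, token, amount, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "merchant": merchant,
                       "bin": bin6, "token": token, "amount": float(amount),
                       "result": result})
    return events


def detect_card_testing(events, window=timedelta(minutes=5), min_cards=5,
                        max_amount=100.0, min_decline_ratio=0.5) -> list:
    """Flag (merchant, BIN) pairs whose small-amount attempts within `window`
    involve at least `min_cards` distinct cards and are mostly declined.

    Returns one alert per flagged pair, describing the busiest window seen.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["amount"] <= max_amount:           # card testers probe with tiny amounts
            by_key[(e["merchant"], e["bin"])].append(e)
    alerts = []
    for (merchant, bin6), evs in by_key.items():
        best, start = None, 0
        for end in range(len(evs)):             # sliding window over sorted attempts
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            bucket = evs[start:end + 1]
            cards = {e["token"] for e in bucket}
            ratio = sum(e["result"] == "DECLINED" for e in bucket) / len(bucket)
            if len(cards) >= min_cards and ratio >= min_decline_ratio:
                if best is None or len(cards) > best["cards"]:
                    best = {"merchant": merchant, "bin": bin6, "cards": len(cards),
                            "attempts": len(bucket), "decline_ratio": round(ratio, 2)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_card_testing(parse_log(SAMPLE_LOG)):
        print("card-testing suspected:", alert)
```

In production the same rule would typically also key on source IP and device fingerprint, since testers rotate merchants as readily as cards.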
Role of financial institutions and businesses
While the affected businesses call for tighter safety protocols, the responsibility is not solely on the banks. Financial institutions, often the victims themselves, issue cards but are not always the entities processing the transactions. The attacks highlight the need for a multi-layered defense, with businesses employing robust fraud protection tools and payment processors like Stripe and Square that prioritize online store security. This is needed since the aftermath of a BIN attack can be financially crippling for businesses.
According to the Central Bank, bank card fraud occurs in several ways, including phishing, which is when fraudsters send an email or text message that appears to come from one’s bank or a reputable financial institution.
“They use various tactics to get you to share confidential information such as your PIN, account number, login details and passwords,” the CBK notes on its website.
“For instance, they may state that your account has an issue and that you need to update or verify the information through a website link or mobile phone device. Thereafter, they use the details to steal money from your account.”
Fraud may also occur when card skimmers illegally copy information from the magnetic strip of a credit or ATM card. They then create copies of the card and make charges to one’s account.
In other instances, thieves use misplaced or stolen bank cards to make unauthorised purchases before the owners report them missing, the CBK adds.
According to data from the BFID, Kenyan banks lost Sh1.5 billion (approximately US $17.64 million) over the last year, with only a third being recovered by investigators.
Last week, the National Assembly assented to the Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024, giving security agencies more power to regulate cyberspace activities to curb fraud.
The regulations enhance protection measures for critical economic sectors such as telecoms, banking, transport and energy.
They stipulate how to deal with issues including scams, identity theft, hacking and internet fraud, and also address the cybercrime capacity and capability building for the public, businesses, government institutions, and private entities, to enhance their cybersecurity preparedness and prioritise cybersecurity.
Kenya’s highly digitised economy linked with mobile money through telcos and banks has made the country a target for cybercrime and online fraud.
Adapting to evolving threats
As cyberattacks become more sophisticated, businesses must adapt to protect themselves and their customers. Popular platforms like Stripe and Square can serve as valuable allies in the ongoing battle against cyber threats, providing an additional layer of defense for businesses and their customers.
In an era where convenience and speed define online transactions, the dark underbelly of cybercrime poses a persistent challenge. BIN attacks, with their focus on small businesses, remind us of the fragility of digital financial ecosystems. As businesses and financial institutions work to bolster their defenses, consumers are encouraged to remain vigilant and report any suspicious transactions promptly. The delicate balance between ease of use and security continues to be a tightrope walk in the digital age, with each innovation met by an equally cunning cyber threat.
Leading Japanese cryptocurrency exchange Liquid has been hit by hackers, with almost $100m (£73m) estimated to have been stolen.
The company announced that some of its digital currency wallets have been “compromised.”
It is the second major theft of cryptocurrencies to take place in recent days.
Last week, digital token platform Poly Network was at the centre of a $600m heist.
“We are sorry to announce that #LiquidGlobal warm wallets were compromised, we are moving assets into the cold wallet,” the company said on Twitter.
So-called ‘warm’ or ‘hot’ digital wallets are usually based online and designed to allow users to access their cryptocurrencies more easily, while ‘cold’ wallets are offline and harder to access and therefore usually more secure.
Blockchain analytics firm Elliptic said its analysis showed that around $97m in cryptocurrencies had been taken, with Bitcoin and Ethereum tokens amongst the haul.
Liquid has said that it was tracing the movement of the stolen cryptocurrencies and working with other exchanges to freeze and recover the assets.
Founded in 2014, Liquid operates in over 100 countries and serves millions of customers around the world.
It is one of the world’s top 20 biggest cryptocurrency exchanges by daily trading volumes, according to CoinMarketCap data.
Last week, $600m was stolen from blockchain site Poly Network after a hacker exploited a vulnerability in its system.
“The amount of money you have hacked is one of the biggest in defi [decentralised finance] history,” Poly Network said.
Since then the hacker, who goes under the name of Mr White Hat, has returned around $427m of the assets.
Liquid is not the only Japanese cryptocurrency platform to be hit by a major heist.
In 2014, Tokyo-based exchange MtGox collapsed after almost half a billion dollars of bitcoin went missing, while Coincheck was hacked in a $530m heist in 2018.
New evidence uncovered by Amnesty International and Forbidden Stories has revealed a massive wave of attacks by cyber surveillance company NSO Group’s customers on iPhones, potentially affecting thousands of Apple users worldwide.
Deputy Director of Amnesty Tech Danna Ingleton said:
“Apple prides itself on its security and privacy features, but NSO Group has ripped these apart. Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised.
“These attacks have exposed activists, journalists and politicians all over the world to the risk of having their whereabouts monitored, and their personal information used against them.
“This is a global concern – anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand.
“NSO Group can no longer hide behind the claim that its spyware is only used to fight crime. There is overwhelming evidence that NSO spyware is being systematically used for repression and other human rights violations. NSO Group must immediately stop selling its equipment to governments with a track record of abusing human rights.
“These findings show that the surveillance industry is out of control. States must immediately implement a global moratorium on the export, sale and use of surveillance equipment until a human rights-compliant regulatory framework is in place.”
Background
NSO Group’s spyware has been used to facilitate human rights violations around the world on a massive scale, according to a major investigation into the leak of 50,000 phone numbers of potential surveillance targets. These include heads of state, activists and journalists, including Jamal Khashoggi’s family.
The Pegasus Project is a ground-breaking collaboration by more than 80 journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories, a Paris-based media non-profit, with the technical support of Amnesty International, who conducted cutting-edge forensic tests on mobile phones to identify traces of the spyware.
The investigation today revealed that Pegasus zero-click attacks have been used to install spyware on iPhones.
Amnesty International was able to confirm that thousands of iPhones were listed as potential targets for Pegasus spyware, though it was not possible to confirm how many were successfully hacked.
Thousands of Google Android phones were also selected for targeting, but unlike iPhones their operating systems do not keep accessible logs useful for detecting Pegasus spyware infection. Among the Apple products successfully infected were iPhone 11 and iPhone 12 models, equipped with the latest updates which were believed to have high levels of security.
Israeli surveillance company NSO Group has been bankrolled by major private equity firms Novalpina Capital and Francisco Partners, with numerous investors behind them. Pension firms in the UK and US also have a stake in the rights-abusing company.
The Pegasus Project
“The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril,” said Agnès Callamard, Secretary General of Amnesty International.
“These revelations blow apart any claims by NSO that such attacks are rare and down to rogue use of their technology. While the company claims its spyware is only used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse. They paint a picture of legitimacy, while profiting from widespread human rights violations.”
“Clearly, their actions pose larger questions about the wholesale lack of regulation that has created a wild west of rampant abusive targeting of activists and journalists. Until this company and the industry as a whole can show it is capable of respecting human rights, there must be an immediate moratorium on the export, sale, transfer and use of surveillance technology.”
In a written response to Forbidden Stories and its media partners, NSO Group said it “firmly denies… false claims” in the report. It wrote that the consortium’s reporting was based on “wrong assumptions” and “uncorroborated theories” and reiterated that the company was on a “life-saving mission”. A fuller summary of NSO Group’s response is available here.
The Investigation
At the centre of this investigation is NSO Group’s Pegasus spyware which, when surreptitiously installed on victims’ phones, allows an attacker complete access to the device’s messages, emails, media, microphone, camera, calls and contacts.
Over the next week, media partners of The Pegasus Project – including The Guardian, Le Monde, Süddeutsche Zeitung and The Washington Post – will run a series of stories exposing details of how world leaders, politicians, human rights activists, and journalists have been selected as potential targets of this spyware.
From the leaked data and their investigations, Forbidden Stories and its media partners identified potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE).
NSO Group has not taken adequate action to stop the use of its tools for unlawful targeted surveillance of activists and journalists, despite the fact that it either knew, or arguably ought to have known, that this was taking place.
The Pegasus Project revelations must act as a catalyst for change. The surveillance industry must no longer be afforded a laissez-faire approach from governments with a vested interest in using this technology to commit human rights violations.
“As a first step, NSO Group must immediately shut down clients’ systems where there is credible evidence of misuse. The Pegasus Project provides this in abundance,” said Agnès Callamard.
Khashoggi family targeted
During the investigation, evidence has also emerged that family members of Saudi journalist Jamal Khashoggi were targeted with Pegasus software before and after his murder in Istanbul on 2 October 2018 by Saudi operatives, despite repeated denials from NSO Group.
Amnesty International’s Security Lab established that Pegasus spyware was successfully installed on the phone of Khashoggi’s fiancée Hatice Cengiz just four days after his murder.
His wife, Hanan Elatr was also repeatedly targeted with the spyware between September 2017 and April 2018 as well as his son, Abdullah, who was also selected as a target along with other family members in Saudi Arabia and the UAE.
In a statement, the NSO Group responded to the Pegasus Project allegations saying that its “technology was not associated in any way with the heinous murder of Jamal Khashoggi”. The company said that it “previously investigated this claim, immediately after the heinous murder, which again, is being made without validation”.
Journalists under attack
The investigation has so far identified at least 180 journalists in 20 countries who were selected for potential targeting with NSO spyware between 2016 and June 2021, including in Azerbaijan, Hungary, India and Morocco, countries where crackdowns against independent media have intensified.
The revelations show the real-world harm caused by unlawful surveillance:
In Mexico, journalist Cecilio Pineda’s phone was selected for targeting just weeks before his killing in 2017. The Pegasus Project identified that at least 25 Mexican journalists were selected for targeting over a two-year period. NSO has denied that, even if Pineda’s phone had been targeted, data collected from it contributed to his death.
Pegasus has been used in Azerbaijan, a country where only a few independent media outlets remain. More than 40 Azerbaijani journalists were selected as potential targets according to the investigation. Amnesty International’s Security Lab found the phone of Sevinc Vaqifqizi, a freelance journalist for independent media outlet Meydan TV, was infected over a two-year period until May 2021.
In India, at least 40 journalists from nearly every major media outlet in the country were selected as potential targets between 2017 and 2021. Forensic tests revealed the phones of Siddharth Varadarajan and MK Venu, co-founders of independent online outlet The Wire, were infected with Pegasus spyware as recently as June 2021.
The investigation also identified journalists working for major international media including the Associated Press, CNN, The New York Times and Reuters as potential targets. One of the highest profile journalists was Roula Khalaf, the editor of the Financial Times.
“The number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media. It is about controlling public narrative, resisting scrutiny, and suppressing any dissenting voice,” said Agnès Callamard.
“These revelations must act as a catalyst for change. The surveillance industry must no longer be afforded a laissez-faire approach from governments with a vested interest in using this technology to commit human rights violations.”
Exposing Pegasus infrastructure
Amnesty International is today releasing the full technical details of its Security Lab’s in-depth forensic investigations as part of the Pegasus Project.
The Lab’s methodology report documents the evolution of Pegasus spyware attacks since 2018, with details on the spyware’s infrastructure, including more than 700 Pegasus-related domains.
“NSO claims its spyware is undetectable and only used for legitimate criminal investigations. We have now provided irrefutable evidence of this ludicrous falsehood,” said Etienne Maynier, a technologist at Amnesty International’s Security Lab.
There is nothing to suggest that NSO’s customers did not also use Pegasus in terrorism and crime investigations, and the Forbidden Stories consortium also found numbers in the data belonging to suspected criminals.
“The widespread violations Pegasus facilitates must stop. Our hope is the damning evidence published over the next week will lead governments to overhaul a surveillance industry that is out of control,” said Etienne Maynier.
In response to a request for comment by media organizations involved in the Pegasus Project, NSO Group said it “firmly denies” the claims and stated that “many of them are uncorroborated theories which raise serious doubts about the reliability of your sources, as well as the basis of your story.” NSO Group did not confirm or deny which governments are NSO Group’s customers, although it said that the Pegasus Project had made “incorrect assumptions” in this regard. Notwithstanding its general denial of the claims, NSO Group said it “will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations”.
LinkedIn data of over 700 million users has reportedly been exposed in a new breach. LinkedIn has a total of 756 million users, which means that the data of more than 92 percent of its users has been compromised in this new breach. The new dataset obtained by an unknown hacker is said to consist of personal details of LinkedIn users, including phone numbers, physical addresses, geolocation data, and inferred salaries. In April, LinkedIn confirmed a data breach affecting 500 million subscribers wherein personal details like email address, phone number, workplace information, full name, account IDs, links to their social media accounts, and gender details were listed online.
According to LinkedIn, it did not face a data breach, but rather the information was gained from scraping the network. In an emailed statement, LinkedIn told Gadgets 360: “While we’re still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected.”
The new dataset of 700 million users is also on sale on the Dark Web, wherein the hacker has posted a sample set of 1 million users for buyers. RestorePrivacy was the first to spot this listing on the Dark Web and the sample data was cross-verified by 9to5Google. The sample dataset that has been published on the Dark Web includes user information like email addresses, full names, phone numbers, physical addresses, geolocation records, LinkedIn username and profile URL, inferred salaries, personal and professional experience/ background, gender, and social media accounts and usernames.
9to5Google reached out directly to the hacker who says that the data was obtained by exploiting the LinkedIn API to harvest information that people upload to the site. The dataset does not include passwords, but the information is still very valuable and could amount to identity theft or phishing attempts.
To protect your data, it is important to review the safety, security and privacy settings of the apps you use and make sure they are set up properly. Set a strong password and get into the habit of changing it regularly. Also, enable two-factor authentication (2FA) wherever available, and do not accept connections from unknown people, especially on LinkedIn and Facebook. Subscribe to sites like Have I Been Pwned for notifications if your email address turns up in a data breach.