
DCI Nabs Key Suspect in Ksh 49M Cyber Heist Targeting JamboPay


The Kenyan police have arrested a suspect linked to the hacking of JamboPay’s payment platform, resulting in the loss of over Ksh 49 million. The suspect, Joseph Momanyi, is accused of penetrating the systems of Web Tribe, the company behind JamboPay, between July 19 and 24, 2024.

Momanyi was arrested on April 12 at his residence in Kahawa West, where police recovered multiple mobile phones, laptops, and SIM cards registered under various identities. He is being held at Muthaiga Police Station for seven days as investigators dig deeper into what is being described as part of a wider cybercrime syndicate.

According to an affidavit filed in court by DCI officer Nickson Ngigi, the hackers accessed the JamboPay client portal using credentials linked to legitimate profiles from Korapay, Finera and other transaction merchant accounts. Once inside, they disabled phone numbers receiving OTPs (One-Time Passwords), effectively bypassing transaction notifications and security prompts.

With the door wide open, the attackers transferred the funds to multiple M-Pesa wallets, bank accounts, and till numbers. 

Crime and Cybersecurity in Kenya

Mr. Momanyi is being investigated for computer fraud under the Computer Misuse and Cybercrimes Act, and for money laundering. The DCI claims that he has confessed to being part of a larger group and is cooperating to help track down accomplices.

The suspect is also believed to have actively recruited others to open or manage the bank accounts and M-Pesa lines used to receive the stolen funds. Investigators say he used WhatsApp calls and SIM cards registered under different names to avoid detection, tactics cybercriminals commonly use to limit their digital footprint.

This breach raises fresh questions about cybersecurity vulnerabilities in Kenya’s payments ecosystem. JamboPay is widely used for utility payments, parking and public sector transactions.

Experts warn that many platforms still rely on OTP-based authentication, which can be compromised if a malicious actor gains access to a user’s mobile number or tricks the system into disabling verification.
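One way a payment platform could detect the sequence described in the affidavit (OTP recipient numbers disabled, then funds moved out), shown as an added example that is not from the article, the DCI or JamboPay. The event names, record layout and sample data below are constructed assumptions, not the platform's real audit format.

```python
from datetime import datetime

# Constructed audit events: (timestamp, account, action, detail).
# Action names and fields are assumptions made for this example.
EVENTS = [
    ("2024-07-19T09:02:11", "merchant-A", "login", ""),
    ("2024-07-19T09:04:40", "merchant-A", "otp_recipient_disabled", "otp-number-1"),
    ("2024-07-19T09:06:03", "merchant-A", "payout", "mpesa:wallet-1"),
    ("2024-07-19T09:07:30", "merchant-A", "payout", "bank:acct-7"),
    ("2024-07-19T09:09:12", "merchant-A", "payout", "till:5501"),
    ("2024-07-19T10:00:00", "merchant-B", "payout", "bank:acct-2"),
    ("2024-07-20T08:00:00", "merchant-C", "otp_recipient_disabled", "otp-number-3"),
    ("2024-07-20T08:30:00", "merchant-C", "otp_recipient_enabled", "otp-number-3"),
    ("2024-07-20T09:00:00", "merchant-C", "payout", "bank:acct-9"),
]

def payouts_without_otp(events):
    """Return payouts made while the account's OTP recipient was disabled.

    Each hit is (account, destination, minutes since the OTP change).
    """
    disabled_at = {}  # account -> time its OTP recipient was switched off
    hits = []
    for ts, account, action, detail in sorted(events):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        if action == "otp_recipient_disabled":
            disabled_at[account] = when
        elif action == "otp_recipient_enabled":
            disabled_at.pop(account, None)  # verification restored
        elif action == "payout" and account in disabled_at:
            minutes = (when - disabled_at[account]).total_seconds() / 60
            hits.append((account, detail, round(minutes, 1)))
    return hits

def fan_out_accounts(hits, min_destinations=3):
    """Accounts whose unverified payouts went to several distinct destinations."""
    by_account = {}
    for account, destination, _ in hits:
        by_account.setdefault(account, set()).add(destination)
    return sorted(a for a, d in by_account.items() if len(d) >= min_destinations)

if __name__ == "__main__":
    for hit in payouts_without_otp(EVENTS):
        print("ALERT payout with OTP disabled:", hit)
    print("Fan-out accounts:", fan_out_accounts(payouts_without_otp(EVENTS)))
```

In practice a rule like this would hold or step up the payout rather than only alert, since the notification channel itself is what was switched off.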

“This is not just a breach of one company. It’s a breach of trust in digital finance,” says a Nairobi-based cybersecurity analyst. “It’s time for fintechs and merchants to take layered security and behavioral analytics seriously.”

Investigators are continuing to extract data from the recovered devices and trace the recipients of the stolen money. 


About author

Editor at TechArena. I cover all things technology and review new gadgets as I get them. You can reach me on email: [email protected]
