It was a Thursday evening. The kind of evening when the city exhales, traffic thins, and executives convince themselves that the week has behaved. Then a number refused to behave.UGX 6,200,000. It appeared in the payables reconciliation as a timing difference. Not a loss. Not yet. Just a variance that would clear next cycle, but it did not clear; it lingered.
And in my line of work, lingering numbers are like a faint smell of smoke in a grass-thatched house. You do not see flames, but you know something is burning. There was no dramatic alarm and no shouting across corridors. Only a quiet tightening in the chest of a finance manager who had seen enough storms to recognize the first drop of rain.
Mpora mpora. Small small. Little by little. That is how the ledger began to empty. The trusted hand that fed from the pot. He was neither the loudest nor most flamboyant in the office. We will call him Suspect 1. Medium build, soft-spoken, efficient, and the kind of man you trust to close the office because he always remembers to switch off the lights. He had system access, had delegated authority, and he had proximity to vendor onboarding. And he had discovered something.
Below UGX 5 million, supplier bank detail changes did not require a second approval. It was a legacy configuration, installed years earlier when the company was smaller, and trust felt cheaper. So he created what I call mirror vendors, same names, and slight spelling differences, a misplaced letter, and an added space, invisible to a casual eye.
Then he waited. Payments due to legitimate suppliers were intercepted at the last minute. Bank details altered. Fundswere rerouted to mobile money wallets registered under national IDs belonging to relatives in distant districts, withdrawn in cash, reassembled elsewhere, and invested quietly. Not one large theft. Never dramatic. Always beneath the threshold. Mpora mpora.
In any village, when a trusted worker suddenly begins building rental rooms or purchasing boda bodas for family use, elders whisper. In corporations, we do not whisper; we rationalize. “He must have side businesses.” “He is hardworking.” But money speaks. And money, when interrogated properly, never lies.
Digital footprints do not fade. When we entered the picture, we did not begin with an accusation. We began with preservation. A forensic image of Suspect 1’s workstation was created. Not a casual copy, but abit-by-bit acquisition. The hash value was calculated immediately, our digital oath.
The hash value is sacred.
Under the Evidence Act (Cap 6), particularly Section 7A, electronic records must be shown to be reliable and unaltered. The integrity of the system that produced them must be established. That means we do not assume but demonstrate. The hash value matched. Exactly. That was our seal.
Inside the image, we found a deleted browser history fragment referencing vendor profile edits on dates when no official change request existed. We recovered fragments of an Excel sheet stored in temporary files, an informal tracking tool listing transaction amounts beside initials. More telling was a registry key indicating the installation of remote desktop software. Installed on a Sunday. At 1:47 a.m, people sleep at that hour, except those who believe darkness hides intent.
From his mobile device, a deleted WhatsApp database was carved out of unallocated space. Messages between Suspect 1 and Suspect 2, an older relative described in one chat as handling withdrawals. “Keep them small,” one message said. “Small small,” replied the other. Even criminals respect thresholds. The law is not a paragraph but a pulse.
Under the Computer Misuse (Amendment) Act, 2022, unauthorized modification of data and electronic fraud are not abstract offenses. They are defined with precision because Parliament understands that today’s thieves do not break doors; they alter databases. And databases remember.
The war over one missing hour
When the matter reached court, the defense did not argue morality. They attacked the procedure. A sharp advocate, experienced, and calculated. He focused on a single entry in the evidence register. A one-hour window between seizure of the laptop and logging into the evidence locker. One hour unaccounted for, he said. “Can we be sure nothing was altered?” A clever trap.
Chain of custody is a tightrope. One slip, and years of work collapse. He likened it to a leaking jerrycan. “If water can enter, how do you know what you are drinking?” But digital evidence is not water; it is binary. We recalculated the hash value of the forensic image in court. It matched the original acquisition hash exactly, bit for bit.
If a single file had changed, even a single character, the hash would have transformed. It did not. That hour was procedural, not corruptive. The seal remained intact. Circumstantial evidence suggests, and server logs confirm.
We correlated system login times with biometric access records. Suspect 1’s fingerprint opened the office door within minutes of unauthorized vendor edits. CCTV footage showed him alone at his desk during one such session.
Mobile money withdrawal timestamps are aligned within twenty-five minutes of internal transfers. Binary does not improvise. From suspicion to certainty. There is a difference between knowing and proving. Knowing is instinct, and proving is structure.
The prosecution did not rely on lifestyle changes alone; they did not parade photographs of new houses or boda bodas, but built a sequence. Unauthorized edit, fund transfer, wallet receipt, cash withdrawal, repeat, forty-three cycles, Total loss: UGX 389,750,000, mpora mpora until the pot was empty.
Suspect 1 did not wake up intending to steal nearly four hundred million shillings. He likely began with a test, a small one. The first time it worked, nothing happened. And silence is intoxicating, a masterclass in admissibility
The Electronic Signature Act provides requirements concerning electronic signatures, and attribution was addressed meticulously. The altered vendor approvals bore digital credentials tied uniquely to Suspect 1’s login. Two-factor authentication SMS records were subpoenaed from the telecom provider, and they matched. In other sections, we established that the company’s accounting system generated logs in the ordinary course of business and that the device used was functioning properly at material times. Because justice does not operate on belief, it operates on admissibility. The verdict was clinical.
Conviction.
Three truths for those who are listening
I have investigated enough cases to know this: the snake is rarely outside the compound. It lives inside the house you built.
So here are three home truths. First, trust without verification is an unsecured loan. You may believe in character. The law believes in controls. Segregation of duties, approval thresholds, and system alerts are not signs of paranoia. They are signs of maturity.
Second, thresholds create temptation. When you set a limit below which no oversight exists, you are inviting fraud mpora mpora. Review your small transactions more aggressively than your large ones. Large thefts are rare. Small repeated ones are epidemic.
Third, preserve your digital world as if it will testify tomorrow. Maintain audit logs. Protect system configurations. Train staff on the sanctity of evidence. Because when the defense questions your process, your documentation will either stand firm or collapse like a weak foundation in the rainy season. The smallest crack is where the largest flood begins. And in corporate Uganda, the enemy rarely breaks in; he signs in with an ID badge hanging neatly from his neck.
