The first thing they stole was time.
For nearly two years, a group of insiders siphoned money from the bank, moving it in plain sight. It was a slow, calculated bleed so precise that no one noticed. Not the managers. Not the compliance officers. Not the regulators.
When an overworked auditor stumbled upon the first red flag, it was already too late. Ugx. 6.31 billion had vanished.
This wasn’t a cyberattack. It wasn’t some hacker typing away on a keyboard in a dark room. The real criminals were inside the building.
a) The illusion of money
It started with a simple observation: banks move money in bulk, but they verify in detail.
That was the weakness.
The mastermind, a senior IT consultant, knew how the bank processed transactions. He understood the batching system used to settle payments. It was designed for efficiency, but it had a flaw:
(i) Small adjustments in individual transactions were rarely flagged.
(ii) Internal approvals for bulk transfers relied on pre-set automation rules, not manual oversight.
(iii) Reconciliation happened at the end of each business day, meaning any temporary gaps in the books would correct themselves overnight.
He didn’t have direct access to the funds. But he had access to the system that controlled them.
b) The inside men
He needed someone on the inside. Someone with banking privileges. That’s where his accomplice came in: a trusted mid-level officer in the transaction approval department.
Together, they designed the scheme.
(i) Identify dormant accounts that had minor balances but were still active.
(ii) Modify internal routing instructions to skim money from legitimate transfers.
(iii) Move stolen amounts into temporary holding accounts, disguised as vendor payments or refunds.
(iv) Use multiple smaller withdrawals instead of large, obvious transactions.
(v) Convert the money into crypto and offshore accounts before the system auto-corrected the missing funds.
Every day, the bank processed thousands of transactions. The amounts they took were so small that no one noticed. At first.
c) The movement of money
The fraud depended on speed. The stolen money never sat in one place for long.
(i) Stage One: The Source
Each week, they selected real client transactions moving between corporate accounts. Using internal access, they altered the batch approvals, diverting small amounts, typically between Ugx. 500,000 and Ugx. 2 million, into a network of shell accounts.
(ii) Stage Two: The Cleansing
The stolen amounts were then moved to temporary internal accounts, labeled as refunds, fee reversals, or system adjustments. From there, the funds were transferred in chunks of Ugx. 10 million to Ugx. 50 million to accounts registered under fake suppliers.
(iii) Stage Three: The Disappearance
The final step was laundering the money through crypto transactions and foreign remittances. They purchased USDT (Tether), a cryptocurrency that mirrored the dollar, before converting it back to cash through private money dealers.
Once the money reached these accounts, it was gone. Untraceable.
For nearly twenty-one months, they repeated this cycle. Stealing. Cleaning. Disappearing.
d) The red flag
The scam should have worked forever. It almost did.
But then, an auditor noticed something unusual.
It wasn’t a missing payment. It wasn’t a huge deficit. It was just a pattern, something that shouldn’t have been there.
(i) Some refund transactions were too consistent, always rounding off at Ugx. 10 million or Ugx. 15 million.
(ii) The account numbers used for internal adjustments kept appearing in different reports linked to unrelated transactions.
(iii) A bulk transfer batch showed the same approval ID across multiple payments, an anomaly that should have been impossible.
That’s when she pulled the records. And what she saw didn’t make sense.
e) Following the money
Once the first inconsistency was flagged, the fraud team moved fast.
(i) They cross-checked every transaction involving the flagged accounts. What should have been a one-time refund process was recurring, structured, and systematic.
(ii) They ran timestamp comparisons on the internal approvals. The same login credentials had been used in multiple locations at the same time, an obvious sign of credential sharing.
(iii) They tracked the crypto transactions. The moment they saw repeated purchases of USDT through peer-to-peer markets, they knew.
This wasn’t an error. This was a fraud.
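The checks described in sections d) and e), recurring round-figure refunds, one approval ID on several payments, and one login active at two sites at once, can be written as simple rules over transaction records. This is an added example, not code from the bank's investigation; the record fields, the Ugx. 5 million rounding unit and the 15-minute window are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real bank data); field names are assumptions.
TXNS = [
    {"id": "T1", "kind": "refund",  "amount": 10_000_000, "account": "ADJ-01", "approval": "AP-100", "user": "officer7", "site": "HQ",      "ts": "2024-03-04 10:02"},
    {"id": "T2", "kind": "refund",  "amount": 15_000_000, "account": "ADJ-01", "approval": "AP-100", "user": "officer7", "site": "Branch3", "ts": "2024-03-04 10:05"},
    {"id": "T3", "kind": "refund",  "amount":    184_350, "account": "ADJ-02", "approval": "AP-101", "user": "officer2", "site": "HQ",      "ts": "2024-03-04 11:40"},
    {"id": "T4", "kind": "payment", "amount": 42_700_000, "account": "VND-09", "approval": "AP-102", "user": "officer2", "site": "HQ",      "ts": "2024-03-04 15:10"},
    {"id": "T5", "kind": "refund",  "amount": 10_000_000, "account": "ADJ-01", "approval": "AP-103", "user": "officer7", "site": "HQ",      "ts": "2024-03-11 10:01"},
]

ROUND_UNIT = 5_000_000  # assumed: a refund in exact multiples of Ugx. 5 million is "too round"

def recurring_round_refunds(txns, min_count=2):
    """Accounts that repeatedly receive refunds at exact round amounts."""
    hits = defaultdict(list)
    for t in txns:
        if t["kind"] == "refund" and t["amount"] > 0 and t["amount"] % ROUND_UNIT == 0:
            hits[t["account"]].append(t["id"])
    return {acct: ids for acct, ids in hits.items() if len(ids) >= min_count}

def reused_approval_ids(txns):
    """Approval IDs attached to more than one transaction."""
    seen = defaultdict(list)
    for t in txns:
        seen[t["approval"]].append(t["id"])
    return {ap: ids for ap, ids in seen.items() if len(ids) > 1}

def concurrent_logins(txns, window=timedelta(minutes=15)):
    """Same user acting from different sites within `window` (consecutive events only)."""
    by_user = defaultdict(list)
    for t in txns:
        when = datetime.strptime(t["ts"], "%Y-%m-%d %H:%M")
        by_user[t["user"]].append((when, t["site"], t["id"]))
    flagged = []
    for user, events in by_user.items():
        events.sort()
        for (t1, s1, i1), (t2, s2, i2) in zip(events, events[1:]):
            if s1 != s2 and t2 - t1 <= window:
                flagged.append((user, i1, i2))
    return flagged

if __name__ == "__main__":
    print(recurring_round_refunds(TXNS))
    print(reused_approval_ids(TXNS))
    print(concurrent_logins(TXNS))
```

Each rule on its own produces false positives; the value is in the overlap, where the same account, approval ID and user show up in all three results.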
f) The collapse