It surfaced as a routine imbalance. Customer wallet balances were overstated, small enough to dismiss, but consistent enough to ignore if you were not paying attention. The finance team saw timing differences between mobile money settlements and internal postings. The explanation held for a moment. Then the numbers stopped behaving like timing differences; credits were appearing without corresponding cash movement, small numbers consistently, and always within thresholds that looked normal.
The system was crediting wallets instantly once a payment request appeared to be confirmed. That was the design choice. Speed over verification. It improved customer experience, reduced complaints, and also created a clean opening.
A dormant endpoint in the API layer was still active in production. It had been used during testing and never formally retired. It accepted callbacks that resembled telecom confirmations. No one had assigned ownership to its closure, and no one was monitoring it. It sat inside the system as a trusted voice.
That was enough. The fraud did not begin with money, but with synthetic credit. The suspect triggered pseudo-transactions through that endpoint; the system accepted them as legitimate confirmations and credited customer wallets instantly. No telecom settlement had occurred, and no funds had entered the institution.
From there, the scheme became mechanical. Wallets loaded with synthetic or artificial balances initiated outward transfers. The amounts were deliberate. UGX 800,000, UGX 1 million, UGX 1.3 million. Always below alert thresholds. Always spaced to mimic ordinary usage. The funds moved into agent wallets tied to prepaid SIM cards registered with weak or falsified identification. Within hours, the balances were cashed out.
Nothing in the system raised a red flag at the moment it mattered. The controls were designed to reconcile after the fact, not to stop the act itself. The imbalance appeared in reconciliation because the system could not hide arithmetic. Credits existed without matching settlements. That is how it was noticed, not by detection logic but by fraud analytics. By accounting for truth, catching up with system assumptions.
When you reconstruct a case like this, the instinct is to look for brilliance. There was none; it was precision applied to a known weakness. The suspect understood the transaction flow. They knew where the system trusted itself, how long reconciliation would take, and which thresholds would remain quiet. They did not break the system; they operated inside it.
Access made it possible. Internal documentation describing API flows was available beyond the development team. It was not classified as sensitive as it should have been. The suspect did not need to hack anything. They read how the system worked and followed it.
System logs told the story cleanly. Repeated calls to the deprecated endpoint. Session activity aligned with operational hours but with patterns that did not match legitimate workloads. Transactions originating from wallets that had never received real deposits. Outbound transfers clustered around specific agents. Cash-out locations concentrated in tight geographic pockets.
The money trail confirmed the technical narrative. Telecom records showed no matching inbound settlements for the credited amounts, agent networks revealed coordinated withdrawals, and CCTV at cash-out points placed individuals at the right locations, at the right times, handling the right volumes.
Denial does not survive that kind of evidence.
The legal position is straightforward in Uganda. Manipulating electronic systems to create or divert value constitutes fraud, regardless of whether physical cash is handled at the point of manipulation. Courts have consistently treated unauthorized system access and digital financial interference as theft. What becomes uncomfortable for institutions is the second layer of exposure. Where control weaknesses are predictable and unaddressed, responsibility does not sit neatly with the individual offender.
A system that credits funds before confirming settlement invites exploitation, an endpoint without ownership invites misuse, and documentation without access control invites internal reconnaissance. These are not abstract control gaps, but foreseeable risks.
Regulators do not ask whether fraud could have been prevented in theory, but whether reasonable safeguards were in place in practice. The institution had safeguards, positioned at the wrong point in the process. Everything activated after the transaction had already succeeded. The architecture trusted internal signals more than it verified external truth. That is the failure. A farm with a strong fence and an open gate does not need an external thief. Anyone inside can walk out with the harvest. The fence gives comfort and the open gate defines the outcome.
Closing this case required discipline. Logs were preserved before systems were touched, access rights were frozen to prevent contamination, Transaction trails were reconstructed from source systems rather than reports, each movement of value was tied back to its origin, or lack of it, and each system interaction was mapped to a user session.
The suspect was identified not through confession, but through convergence. System behavior, access patterns, transaction flows, and physical evidence aligned in one direction. That is how cases close cleanly. Total loss reached UGX 1.84 billion, but recovery was partial, which is typical. Once value converts to cash across distributed agents, reversal becomes negotiation, not enforcement.
The institution responded with policy updates, staff sensitization, and tighter reconciliation procedures; necessary actions, but they do not address the core problem.
The core problem is structural trust.
Every point in the system where an internal signal is accepted without independent verification is an exposure. Every process that prioritizes speed over confirmation creates a window. Every system component that operates without a clear owner becomes a silent risk.
Defense begins by removing silent trust. An API callback must be authenticated and validated against an independent source before it affects value. A transaction must not create a spendable balance until settlement is confirmed. Endpoints must have owners who are accountable for their existence, usage, and retirement. Documentation must be treated as sensitive, with access aligned to necessity, not convenience.
Access control is not about restricting people; it is about restricting possibility. Most internal fraud does not require elevated privileges; it requires ordinary access combined with overlooked opportunity. Monitoring must therefore focus on behavior, not just permissions. When a user interacts with systems in ways that deviate from expected patterns, the system should not wait for reconciliation to react.
Boards often engage when incidents are reported. That is too late to influence outcomes. The conversation at that level should be sharper. Where does the system assume trust instead of proving it? How quickly can value leave once it appears in a wallet? Which components accept external signals without strong authentication? Which parts of the infrastructure no longer have active ownership? How are unusual user behaviors detected before financial impact occurs? These are governance questions expressed through system design.
Fraud is not an interruption but a test. It reveals whether the organization controls its own processes or merely observes them. Institutions that rely on response will always be behind the event, but institutions that design for defense change the nature of the event itself. They make exploitation difficult, visible, and slow. Right now, most systems are still fast, trusting, and quiet in the wrong places.
The next person studying your processes will not be looking for a way in, but a place where your system believes itself too easily. That is where the loss will start.
Copyright IFIS 2026. All rights reserved.
