On a night that Rwandan banking officials are still reluctant to discuss openly, unknown operatives gained access to the digital nerve centre of Equity Bank Rwanda and began moving money. Not in trickles, but in avalanches. SIM cards with no prior transaction history were suddenly purchasing mobile money float worth Rwf100 million apiece.
At the daily transfer cap of Rwf2 million, moving Rwf4.7 billion through legitimate channels would have required more than 2,000 individual transactions over multiple days.
Instead, it vanished in what investigators now believe was a single coordinated offensive through bulk float purchases, a channel that sits outside the strict withdrawal limits governing conventional banking and that, until now, nobody had thought to weaponise at this scale.
Equity Bank Rwanda confirmed on March 15, 2026, that it had detected and contained irregular transactions within its systems, triggering internal security and incident response procedures and reversing the majority of the transactions within 24 hours.
The bank was careful with its language. It did not name a figure. It did not say it had been hacked. It said its monitoring systems had worked. “Our internal monitoring systems detected the irregular transaction activity and immediately triggered the security and incident response protocols in line with operational and risk management procedures,” the Kigali-based lender said in its public announcement.
That leaves Rwf3.5 billion still unaccounted for, scattered across mobile wallets, agent accounts and the accounts of dozens of individuals who may or may not have known what they were receiving.
Attempts by this publication to obtain comment from the National Bank of Rwanda were unsuccessful. Rwanda Investigation Bureau spokesperson Dr Thierry Murangira said he had no information on the case. The office of the Finance Minister did not respond.
THE VENDOR AT THE CENTRE
The suspected entry point into Equity Bank Rwanda’s systems was not through the bank itself but through a third-party platform.
Investigators have zeroed in on ESICIA Ltd, a Kigali-based technology company that has provided internet banking solutions to financial institutions in Rwanda since 2005. ESICIA, which markets itself as ISO 27001 and PCI DSS certified and holds contracts across the banking, government and telecoms sectors in the region, supplies Equity Bank Rwanda with a vendor-managed internet banking platform that the bank operates under licence.
Investigators are now examining whether the ESICIA platform was exploited to gain unauthorised access to the bank’s infrastructure or to manipulate transactions.
The Rwanda Investigation Bureau has moved to obtain system access logs that would show who entered the platform, at what time and what actions were performed.
Digital forensic specialists are simultaneously reviewing server records and user activity trails. ESICIA Chief Executive Officer Innocent Kaneza declined to comment when contacted by Taarifa. He did not respond to this publication’s enquiries either.
The implications of a vendor-side breach, if confirmed, would be severe. It would mean that the security of a Tier-1 bank’s digital operations had been compromised not from within its own walls but through a contractor’s system, one that sits between the bank and its customers.
It would also raise uncomfortable questions about how Rwanda’s central bank supervises the third-party technology arrangements of supervised institutions, and whether ESICIA’s ISO certifications accurately reflected the real-world security of its systems.
THE MOBILE MONEY TRAP
To understand how Rwf4.7 billion could move so quickly without triggering alarms, investigators have had to examine a gap buried inside Rwanda’s digital payments architecture.
The mechanism is called float. In Rwanda’s mobile money ecosystem, registered agents who facilitate transactions for customers obtain their operating balances by depositing equivalent cash into trust accounts held at banks.
The telecom operator, in this case MoMo Rwanda, then credits the agent’s mobile wallet with digital value that mirrors the deposit. That float is the working capital of Rwanda’s mobile economy. Without it, agents cannot transact.
The fraud appears to have weaponised this mechanism. Rather than moving funds through the bank’s normal transfer channels, where daily limits would have made bulk movement impossible, the perpetrators are believed to have used the internet banking platform to generate float purchases of extraordinary size.
SIM cards that had never previously received even Rwf1,000 were suddenly credited with Rwf100 million apiece in float.
Some of those SIM cards were registered outside Rwanda and were not recognised agents within the mobile money ecosystem. Nobody has yet explained how they were allowed to make such purchases. “That is where the biggest question arises,” a source familiar with the investigation said. “Who issued those SIM cards, who owns them and how were they allowed to purchase such large amounts of float?”
A senior official at MoMo Rwanda told Taarifa that he had learned of the matter from press reports and declined to provide details.
Neither MoMo Rwanda nor the National Bank of Rwanda has issued any public statement on the fraud. The silence from key institutions has drawn sharp comment from financial sector observers, who say it reflects a troubling pattern of opacity around major incidents in Rwanda’s financial system.
THIRTY-FIVE IN CUSTODY, SIX IN UGANDA
As of March 15, 35 people were in custody in Rwanda. The Rwanda Investigation Bureau is leading the probe, conducting forensic analysis of digital systems, financial records and electronic devices seized from suspects.
Most of those detained are believed to be individuals whose bank or mobile money accounts received suspicious transfers linked to the fraudulent transactions.
Investigators are working to determine whether the recipients knowingly participated or whether their accounts were used without their full understanding by whoever orchestrated the scheme.
“You cannot receive Rwf100 million in your account and claim you don’t know where it came from,” an official said. “Investigators want to know who sent the money and why it landed there.”
The human mule architecture of the fraud, in which stolen funds are dispersed rapidly across hundreds of accounts, is consistent with sophisticated cybercrime operations seen in Kenya, Nigeria and South Africa over the past decade.
Once money is fragmented across multiple wallets, recovering it requires either the willing cooperation of every account holder or a court process to freeze and claw back each deposit separately.
Among those detained are two Equity Bank Rwanda employees from the IT department, both connected to data centre operations. Their detention does not necessarily establish guilt, bank officials have been careful to note. Investigators are examining whether perpetrators may have gained physical or technical access to the bank’s systems from inside.
“The suspicion was that there must have been physical access to the data centre,” a source said. “But even that I cannot confirm. RIB needs to complete the forensic investigation.” Simultaneously, six suspects were arrested in Uganda.
Police forensic teams are extracting and analysing digital images from devices seized in the Ugandan arrests to determine whether those individuals were directly involved or were themselves used by a wider network.
THE MWANGI CRACKDOWN THAT WASN’T ENOUGH
The timing of the Rwanda breach is as damaging as its scale. It lands less than a year after Equity Group CEO Dr James Mwangi launched the most aggressive anti-fraud purge in East African banking history, one in which more than 1,500 Equity employees across the group’s operations were dismissed in successive waves between May and July 2025 after internal audits uncovered a culture of staff collusion, unauthorised transaction facilitation and conflicts of interest.
The trigger was a Sh1.5 billion payroll fraud in Kenya, in which the IT system credentials of a Group Processing Centre manager were used to process over 40 transactions totalling nearly Sh1.5 billion before the money was transferred to rival banks.
Mwangi, who told Business Daily in May 2025 that he would be “consistently ruthless” in the purge, extended the clean-up to Uganda in June 2025 and pledged to sweep through all seven of the group’s operating markets. Rwanda, Tanzania, South Sudan and the Democratic Republic of Congo were explicitly named as jurisdictions where similar integrity audits would follow.
Eight months after that pledge, fraudsters have apparently struck the Rwanda subsidiary in what investigators believe was an externally orchestrated attack rather than the insider collusion that drove the Kenyan losses.
But the distinction offers limited comfort to a bank that had staked its regional reputation on having cleaned house.
The Rwanda fraud raises the harder question: whether a determined, technically capable external adversary could still defeat a bank’s defences even after its internal vulnerabilities had been addressed, and whether the audit of human integrity had distracted attention from the robustness of the digital infrastructure and the third-party systems that run it.
A PATTERN ACROSS KIGALI
The Equity incident is not an isolated event. Banking sector sources have told this publication and sister outlets in Kigali that at least three other Rwandan financial institutions have been targeted in comparable attacks in recent months.
BPR Bank Rwanda, the KCB Group subsidiary that is the country’s largest commercial bank by branch network with over 154 outlets, was reportedly struck by a similar fraud scheme involving approximately Rwf1.2 billion.
NCBA Bank Rwanda faced a related incident involving around Rwf400 million, although the bank reportedly managed to recover about Rwf250 million.
Bank of Kigali, the country’s dominant lender controlling more than 30 per cent of all banking assets, has also been affected by a comparable incident in recent months, though the precise amount has not been independently confirmed.
Most striking of all, sources within the banking sector have told Taarifa that even the National Bank of Rwanda itself has recently experienced attempted cyber intrusions.
In the most brazen reported case, the suspected perpetrators allegedly operated from a hotel located less than 50 metres from the central bank’s premises, attempting to penetrate the BNR’s network from a position virtually within its shadow.
The frequency and ambition of the attacks suggest a level of organised criminal capability that has not previously been publicly acknowledged in Rwanda, a country that has invested heavily in positioning Kigali as a digital finance hub and that is currently implementing a Financial Sector Development Strategy 2025-2030 explicitly aimed at accelerating the growth of digital banking and fintech.
THIS IS NOT THE FIRST TIME
Equity Bank Rwanda has been targeted before. In November 2019, Rwandan authorities arrested 12 people, including eight Kenyans, three Rwandans and a Ugandan, in an attempted cyber-fraud operation targeting the bank. They were convicted and sentenced to eight-year jail terms in 2021.
The 2026 attack appears far more sophisticated in its exploitation of the mobile money float mechanism, its cross-border architecture, and its apparent use of a vendor’s system as the entry point rather than a direct assault on the bank’s own network. It is a reminder that the criminal ecosystem learns, adapts, and probes for new gaps even as institutions patch the ones already known.
Equity Bank Rwanda, in a statement released alongside its confirmation of the fraud, said it maintains a zero-tolerance approach to financial crime and is continuing to strengthen its cybersecurity infrastructure, transaction monitoring systems, and internal controls.
The bank insisted that no customer funds had been lost and that any unrecovered amounts would be absorbed by the institution.
The assurance, standard in such circumstances, means that Equity Group’s balance sheet will ultimately bear the exposure even as RIB works to recover the Rwf3.5 billion still outstanding.
For now, Rwanda’s financial sector regulator has said nothing. MoMo Rwanda has said nothing. The bank itself has said as little as it legally must.
The silence, investigators and observers agree, is itself an answer of sorts, one that says the full dimensions of what happened that night are still being mapped, and that the institutions responsible for oversight are not yet ready to explain how the maps came to have such large blank spaces in them.
Leave a Comment