Kenya: Sh4bn Hacking Suspect Lives Large and Brags Big

24 March 2017

Computing

On January 20, Alex Mutuku boarded the Lady of Zanzibar, the 554-passenger ferry that operated between Dar es Salaam and Zanzibar and Pemba islands. Before that, he took a picture of the red ferry, also known as Kilimanjaro V. "I hope she takes care of me till there," he wrote on Facebook.

It was Friday, and the time was 10.50pm. A friend immediately commented: "When I grow up, I want to be like you."

Police now say the 28-year-old Mr Mutuku is the biggest nightmare for banks and other institutions and is a prime suspect in the hacking of the Kenya Revenue Authority's computer systems.

On Tuesday, he was in a Nairobi court, charged with hacking the KRA system, leading to a loss of Sh4 billion.

A man who displays his exotic lifestyle on social media, Mr Mutuku is the envy of his peers.

Alex Mutungi Mutuku is not your ordinary IT expert and has other pending cases on electronic fraud. But that has not stopped him from his frequent travels. In mid-January, he posting his exploits while on a road trip from Burundi to Zanzibar through Tanzania.

"When you are busy sleeping, I am having a night swim at this neon-lit swimming pool," he wrote about his experience at Safari Gate Hotel in Bujumbura before he took a bus ride by the shores of Lake Tanganyika.

"Nothing can stop me...I'm all the way up! All the way up!" he posted the next day from Zanzibar and listed his itinerary: Stone Town, Nakupenda Beach, Jozani Forest, Prison Island, Beit al Sahel, Beit Al Amani, The Old Fort, Christ Church Cathedral and Nugwi Beach.

At the beach, he took a few selfies and posted them on Sunday before going home. He wrote: "I can't honestly say Zanzibar is a wrap because you need a whole two weeks or more to visit every place here. Sadly, I have to leave. This was the most amazing place I have ever visited."

Back home, on January 25, he took a picture of his Kawasaki motorcycle, christened Ninja Monster: "I love you bae."

Mr Mutuku, who denied the charges before Chief Magistrate Francis Andayi, returns to court next week, when it will either grant him his request to be freed on bond or allow the police to detain him for 40 days.

Meanwhile, he and other people, believed to be his accomplices and arrested together with him on March 8, continue to be under the custody of the Special Crime Prevention Unit (SCPU) and the Flying Squad, who have been pursuing hackers behind a money siphoning wave that has hit several institutions.

Mr Mutuku was arrested at his home in Roysambu's Lumumba Drive and police accuse him of being part of a group that has been staging salami attacks on banks and financial institutions.

In IT lingo, a salami attack is when small cyber attacks add up to one major attack that can go undetected due to the nature of this type of cyber crime. It is also known as salami slicing.

A police profile of Mr Mutuku says: "He is linked to Exposure Interlink Agencies Ltd and Tylex Construction Company Ltd."

Police also linked him to five vehicles -- a Toyota saloon registration KBX, a Toyota station wagon KBN, a Toyota van KAY, another station wagon KBV and a Land Cruiser KBY.

The profile says Mr Mutuku is a "self-employed programmer" and holds a BSc degree in information systems from the University of Nairobi, from which he graduated in 2012. "He is skilled in Java, C++, Web languages, PHP, Python."

Mr Mutuku's friends who did not want their names published, said they know him as a software dealer and that he was on several occasions hired by companies to conduct penetration tests on their systems.

Penetration tests are safety measures carried out through hacking of systems to ascertain the level of their vulnerability to hacking and pinpoint weaknesses and even fix the gaps in the security of a system.

"I have been friends with him for several years and all I know is that he is an IT guru and can fix a problem with computers in a flash," said a source. "He also develops and sells mobile applications which are hosted on Google Play."

Mr Mutuku's life is displayed on his Facebook page. On January, 8, 2016, he posted a picture of himself holding a white dog while leaning against what seems to be his favourite motorcycle. There was a car in the background. He captioned it: "A house, two cars, bikes, a dog. What more could one ask for? Thank you Lord!"

The description matched that in his statement with police, in which he said his company only did the businesses of solving people's "IT problems".

"His statement is under scrutiny and sharing its contents will not be prudent at this particular moment as it contains a lot of details that we are using in our investigations as we pursue other suspects in his circles," said head of SCPU Noah Katumo, adding that three other suspects believed to be linked to Mr Mutuku had been arrested and would soon be charged.

A day after Mr Mutuku was arrested two weeks ago, a laptop was found hidden in KRA's main network chambers on the third floor of Times Tower and connected to one of the ports.

In 2015, Mr Mutuku was arrested on suspicion of manipulating and breaching Safaricom's system and making away with electronic airtime worth Sh20,000.

He had earlier been accused of demanding Sh6.2 million in Bitcoins from NIC Bank in December 2014 and threatening to publish confidential information he allegedly obtained after hacking into the bank's system. He was also believed to be behind the theft of the bank's Sh2.88 million on diverse dates.

On March 7, 2013, he bragged on his Facebook wall that he was able to download a copy of the Daily Nation electronic newspaper for free using a programme he had developed in his first year in university.

"Wow! This program still exists! Developed it in my Freshman year/UON. Stumbled upon it in my Hard Drive and thought I would share it now... It downloads the whole Daily Nation e-paper free!" he wrote while sharing a link and a source code for the e-paper app.

Mr Mutuku topped his class at Kathiani High School, Machakos, with a mean grade of A (plain).

It is not clear whether he got married after his June 16, 2015 suicide attempt, when he slit his wrists after claiming that "Delvine", a woman he had been dating, had cheated on him.

Source: The Nation