The man who allegedly spent a fortnight tunnelling silently through the digital heart of Kenya’s fintech sector is free. On March 27, 2026, Senior Principal Magistrate Daisy Mwikali dismissed the state’s vigorous opposition and released Albert Komen Kipkechem on a Sh5 million bond, with one surety of a similar amount, after he had spent 21 days behind bars at Capitol Hill Police Station.
The case returns to court on April 1, 2026 for pre-trial directions, but the full dimensions of what investigators call one of the most calculated cyberattack campaigns ever prosecuted in Kenya are only now coming into sharp focus.
Kipkechem, who also answers to the name Jonathan Kiptum Barmasai, faces charges under Sections 15(1) and 26(1)(b) of the Computer Misuse and Cybercrimes Act No. 5 of 2018, covering unauthorised access with intent to commit a further offence and computer fraud.
Prosecuting counsel Joyce Olajo, appearing for the Director of Public Prosecutions, placed the total losses at Sh96.6 million across two separate but intricately connected attacks, and told the court that investigators are probing additional schemes that could push the aggregate figure beyond Sh100 million.
The first breach targeted Eclectics International, one of East Africa’s most prominent payments aggregators. Eclectics, headquartered at Utumishi Co-op House on Mamlaka Road in Nairobi, operates as a Central Bank of Kenya-licenced payments aggregator with operations spanning Uganda, Rwanda, Zambia, and eight Francophone countries in West Africa.
The firm has been lauded for building Africa’s first World Bank-recognised shared agency banking platform, processing hundreds of millions of dollars in monthly transactions for banks, SACCOs, telcos, and government agencies. It was through this very platform, prosecutors told the court, that Kipkechem allegedly gained unauthorised access between June 6 and June 20, 2025, fraudulently causing a loss of Sh52,549,798.
The second and, in some ways, more alarming breach was routed differently. Here the entry point was not Eclectics International but Craft Silicon, a Nairobi-based financial technology powerhouse founded in 2000 that provides core banking software, mobile banking platforms, and anti-money laundering systems to more than 300 organisations in 40 countries.
Craft Silicon’s own case study on its website proudly notes that the firm stands firmly behind Kingdom Bank to achieve its growth objectives, and the bank’s AML system was integrated across all channels through the core system. Yet it was precisely through Craft Silicon’s systems that the attacker allegedly burrowed into Kingdom Bank of Kenya, draining Sh44,160,649 from the lender.
The breach did not originate from the bank’s own infrastructure but through Craft Silicon. Kingdom Bank’s customers paid the price for a vulnerability they had no way of knowing existed.
Kingdom Bank, a subsidiary of Co-operative Bank of Kenya since its acquisition of the distressed Jamii Bora Bank in August 2020, is headquartered along Argwings Kodhek Road in Kilimani, Nairobi. The lender has carved out a niche serving micro, small, and medium enterprises as well as retail customers, and has been on a striking growth trajectory.
For the year ended December 31, 2025, the bank posted a 59 per cent surge in profit after tax to Sh946.2 million, with total assets expanding 24 per cent to Sh51.17 billion and net loans jumping 58 per cent to Sh22.19 billion. Against that backdrop, a Sh44 million hit channelled through a trusted technology partner is not merely a financial wound. It is an institutional humiliation that strikes at the very centre of the bank’s promise to its small-scale traders, farmers, and informal sector clients.
The DCI’s account of the attack method is clinically precise. Investigators from the Economic and Commercial Crimes Unit, attached to the Cyber Fusion Unit at the Central Bank of Kenya, working in collaboration with experts from the National Forensic Laboratory and the Crime Research and Intelligence Bureau, established that the modus operandi in both incidents was identical.
The suspect used remote access software to gain unauthorised entry into the payment platform and bank information systems and executed transactions that deliberately did not follow the normal payment flow, slipping between the guardrails of fraud detection systems before the irregularities were eventually spotted.
Once the affected institutions reported the matter, investigators obtained the necessary court orders and search warrants, collected digital artefacts from the compromised systems, and moved in. Kipkechem was arrested in the Thome area of Nairobi and then escorted south-west to his Nakuru home, where the full contours of his alleged operation emerged from drawers, devices, and hidden compartments.
Detectives recovered multiple electronic gadgets, assorted SIM cards from various telecommunications providers, ATM cards registered under other people’s names, a money-counting machine, and cash in Kenyan currency.
The documents were even more damning. Among the recoveries were eight national identity cards, each carrying Kipkechem’s photograph but displaying different names and different nationalities, a Congolese passport bearing his photograph but registered under the name Katempa Ngoy Alexisa, and a Congolese national identity card carrying the same false name.
Chief Inspector Andrew Ngowa of the Economic and Commercial Crimes Unit, in an affidavit opposing bail, warned that Kipkechem also held a legitimate Kenyan identity document and a Kenyan passport, meaning the man in the dock has, at minimum, dual national documentation and an entire architecture of additional false identities at his disposal. Prosecutor Olajo told the court directly: although the accused is a Kenyan citizen, he is also a holder of a Democratic Republic of Congo passport, making him a significant flight risk.
A team of five defence lawyers successfully argued that possession of multiple identity documents does not automatically prove flight risk. The magistrate agreed, overruling the State’s objections and setting the accused free.
A team of five defence lawyers pushed back forcefully, arguing that the prosecution had not presented sufficient grounds to deny bond and that possession of multiple identity documents does not automatically establish a flight risk.
The magistrate agreed, dismissing the state’s objections and granting the Sh5 million bond. The court warned Kipkechem against interfering with witnesses, cautioning that any violation would attract serious legal sanctions. The case is next before the court on April 1 for pre-trial directions.
But for Eclectics International, Kingdom Bank, and Craft Silicon, the bond ruling offers cold comfort. Since the breach became public in early March 2026, Eclectics International has reportedly begun haemorrhaging institutional clients. SACCOs, banks, and government agencies that rely on its aggregator platform are quietly exploring alternative service providers, anxious that a company that processes their most sensitive financial flows has been so comprehensively compromised.
Eclectics, which markets cyber risk management as one of its own service offerings, describing its team as delivering multidisciplinary comprehensive cyber security solutions, has not issued a single public statement acknowledging the breach or outlining the corrective measures it has taken.
The silence itself has become a story.
For Craft Silicon, the reputational exposure is arguably even more severe. The firm’s business model rests on being the trusted technological backbone of financial institutions, the invisible infrastructure that banks, SACCOs, and microfinance institutions depend on for everything from core banking to anti-money laundering compliance.
The company’s website boasts that its systems undergo rigorous quality checks including ISO, SOC, and vulnerability and penetration testing. The case now before Milimani courts asks a question that no amount of certification language can deflect: if a single attacker with remote access software could penetrate a client institution through Craft Silicon’s systems and walk away with Sh44 million, what does that say about the integrity of every other institution that has staked its operations on the same technology?
The broader landscape provides harrowing context. According to the Communications Authority of Kenya’s National KE-CIRT/CC, Kenya recorded 842 million cyber threat events in just the three months between July and September 2025, with losses across that period estimated at Ksh29.9 billion.
The Central Bank of Kenya’s own data shows that hackers siphoned a record Sh1.59 billion from bank customers in 2024, a figure that dwarfs the Sh412 million recorded in 2023. Mobile banking fraud surged 344 per cent in that period, with card fraud alone jumping sixteen-fold. Kenya is ranked among Africa’s strongest countries in cybersecurity by the International Telecommunication Union, and only roughly 0.3 per cent of attempted system breaches succeed. The Eclectics-Kingdom Bank attack sits squarely in that lethal 0.3 per cent.
The prosecution told the court that Kipkechem’s alleged accomplices remain at large and that ongoing investigations are expected to yield additional charges.
The financial losses are booked. The reputational fallout is deepening by the day. And the central, uncomfortable lesson of this case is not merely that one man with a laptop allegedly stole nearly Sh100 million from Kenya’s financial system. It is that he appears to have done it, at least in part, by walking through a door that the industry’s most trusted technology providers had left open.
There's no story that cannot be told. We cover the stories that others don't want to be told, we bring you all the news you need. If you have tips, exposes or any story you need to be told bluntly and all queries write to us [email protected] also find us on Telegram
