In 2024, the country witnessed a significant financial fraud involving $21,013,562.31 (Shs 77.1 billion) at the Bank of Uganda (BoU). This fraud led to the arrest and charging of officials from the Ministry of Finance, including the Accountant General and seven others. Six of them were however released on bail.
The scandal drew the attention of President Yoweri Museveni and security agencies. In a letter dated October 24, 2024, the Director of the Criminal Investigations Directorate requested the Auditor General to conduct a forensic and IT audit. The audit aimed to support police investigations into allegations of abuse of office, embezzlement, causing financial loss, and money laundering. These allegations stemmed from two fraudulent transactions initiated through the Integrated Financial Management System (IFMS), managed by the Ministry of Finance, Planning, and Economic Development (MoFPED), and processed by BoU.
Following a review of the request and preliminary findings from the Ministry of Finance and BoU, the Auditor General conducted a forensic investigation to determine whether fraud had occurred. The investigation aimed to establish how funds meant for loan repayments to the International Development Association (IDA) and the African Development Fund (ADF) were diverted, identify those responsible, and recommend measures to prevent future occurrences.
HOW THE FRAUD UNFOLDED
September 10, 2024: IDA Loan Repayment Fraud
A legitimate transaction to settle $6,134,137.75 in outstanding loan principal and interest owed to the IDA was initiated through the IFMS. However, the transaction details were altered on the Ministry of Finance’s application server, changing the payee to “Roadway Tokyo Japan.” The fraudulent transaction was sent to BoU, processed as a normal payment, and externalized on September 12, 2024. Despite multiple security controls, they were either bypassed or proven ineffective. Efforts to recover the funds have been unsuccessful, resulting in a financial loss of $6,134,137.75.
September 26, 2024: ADF Loan Repayment Fraud
A similar fraudulent transaction was executed. A legitimate payment of $8,596,824.26, meant for ADF loan repayments, was altered at the Ministry of Finance’s application server. The payee was changed to “MJS International London.” The altered transaction was sent to BoU and processed as a normal payment, with funds being externalized two days later.
These fraudulent transactions exposed critical vulnerabilities in Uganda’s financial management system, raising concerns about internal controls and oversight within key government institutions. Authorities are expected to take further action to hold those responsible accountable and recover the lost funds.
Despite multiple safeguards designed to prevent fraudulent transactions, they were either circumvented or proved inadequate. However, recovery efforts have yielded results, with $8,205,103.81 successfully reclaimed.
The September 10, 2024, IDA Loan Transaction
According to the audit report, the Auditor General contacted the World Bank regarding the loan, which confirmed its legitimacy. The loan consisted of a principal of $4,169,569.42 and interest of $1,964,568.33, scheduled for repayment in September 2024. The World Bank stated that its policy is to use borrower-provided SWIFT details to track loan repayments.
“I confirmed that the loan amount in question was legitimate and due on September 15, 2025,” the Auditor General stated.
The report also criticized Mubarak Nansamba, the Acting Assistant Commissioner of Treasury Services, for failing to request a SWIFT message from BoU the day after the transaction. This oversight was deemed a serious lapse, contributing to the delay in detecting the diversion.
Initiation of Payment
An analysis of the Integrated Financial Management System (IFMS) at the Ministry of Finance revealed that the invoice for the payment was created on September 4, 2024, and approved on September 9, 2024, by Nansamba. He stated that the payment was legitimate, processed through the system, and received the necessary approvals.
The transaction was processed under EFT No. 14380401 on September 9, 2024, within the IFMS and included in payment file 997201241009.EXT, formatted on September 10, 2024.
The IFMS encrypts formatted payment files using the Bank of Uganda’s (BoU) public keys and the Ministry of Finance’s private keys, creating a GPG file. This encryption ensures that only BoU can open the file using its private key, while the Ministry of Finance remains accountable since the file can be verified with its public key.
On September 10, 2024, the encrypted file (997201241999.ext.gpg) was placed on the staging server, containing the $6,134,137.75 intended for the International Development Association (IDA) loan repayment. The files were then automatically picked up and transmitted via a leased line to the Managed File Transfer Server (MFTS) at BoU.
BoU’s MFTS downloaded the payment file from the Ministry of Finance’s staging server. A copy was backed up on the same server before being decrypted into plain text and transferred to BoU’s domain under the bbsuser directory. From there, it was downloaded into the Uganda Banking System (BBS), with a copy archived for record-keeping.
On the same day, Leona Faith Kwikiriza, a Senior System Analyst at the Ministry of Finance, sent an email to BoU confirming the transaction.
Processing of the Fraudulent Transaction in BoU’s Banking System
The Electronic Funds Transfer (EFT) process within BoU’s Banking System (BBS) begins when an unencrypted file from the MFTS is deposited into a staging directory within the BBS. At this stage, the system logs the transaction and performs a verification process to check the format, content, and accuracy of the payment file.
Upon reviewing the BBS logs, the Auditor General discovered that the transaction, originally intended for IDA in Washington, had been altered. The details showed that the funds were sent from the Accountant General’s Office to Roadway Co. Ltd, Tokyo, under the description: “Payment for recycling plant systems and machinery.”
“It is apparent that while the original EFT file indicated a payment in USD to IDA Washington for loan principal and interest, the BoU payment system processed the same EFT number to pay Roadway Co. Ltd, Tokyo, for recycling plant systems and machinery,” the Auditor General stated.
Further investigations revealed that upon decrypting the transaction files at both BoU and the Ministry of Finance’s IFMS, the results were identical. However, the encrypted file sent from the Ministry of Finance had already been altered, listing Roadway Co. Ltd, Tokyo, as the payee with a fabricated description for recycling equipment—an irregular and fraudulent transaction.
How the Payment Details Were Altered
System logs at the Ministry of Finance revealed that during the encryption process, a plain text file containing transaction details was left on the IFMS application server. The perpetrator exploited this vulnerability by altering the contents of the plain file before encryption, making it appear as though the transaction was genuine. Once the encryption process was completed, the manipulated file was transmitted to BoU, where it was processed without suspicion.
This fraudulent modification allowed the perpetrators to divert funds from a legitimate government loan repayment to a fraudulent account in Tokyo, bypassing standard security measures.
The investigation revealed that system change logs were captured from the IFMS application server between September 9-11, 2024. These changes were executed by a user account “tyawe,” belonging to Tony Yawe, a Senior IT Officer at the Ministry of Finance.
September 9, 2024: Yawe changed the script’s permissions on the IFMS application host server, granting himself read, write, and execute permissions while restricting other users to read and execute only. He moved the script from the bin directory to admin, renamed it sf.prog, then restored it to its original location under the name XXGOU_SFTP_ARCHIVE_PAYE_FILE.prog. This script is an Oracle program responsible for encrypting EFT files and transferring them from the Ministry of Finance to BoU for further processing.
September 10, 2024: Yawe moved bou.do, bourev.do, and sf.prog from the admin directory, granting himself full control over these files.
September 11, 2024: The file BOU_NW_10092024.dat was modified, replacing “Recycling plant systems and machinery” with “Interest Payment for IDA 1” under EFT No. 14380401—an attempt to manipulate transaction reconciliation records.
Yawe’s Defense and Firewall Breach
During interrogation, Tony Yawe confirmed ownership of the “tyawe” account but denied involvement in the fraudulent transactions. He claimed that on September 8, 2024, he detected an unauthorized server access that bypassed firewall controls and left no trace.
Despite the firewall’s ability to log both internal and external traffic, no records of this breach were found. Yawe denied executing the commands on September 9, 10, and 26, 2024, asserting that the log file presented to him appeared foreign—similar to a batch file—and did not match the system’s standard logging structure.
Second Fraudulent Transaction: $8,596,824.26 Diverted from ADF Loan Repayment
A review of the Debt Management and Financial Analysis System (DMFAS) revealed that 26 loans from the African Development Fund (ADF), totaling $8,596,824.26, were due for repayment on October 1, 2024. The breakdown included a principal of $5,698,895.35 and interest of $2,897,928.91.
Creation and Approval of the Payment
September 23, 2024 – A user identified as “MKICONCO,” an accountant at the Ministry of Finance, created the payment invoice in the Integrated Financial Management System (IFMS).
September 24, 2024 – The payment was approved by Nasamba Mubarak, the Acting Assistant Commissioner of Treasury Services.
September 25, 2024 – The transaction was processed under EFT No. 14547957 and included in payment file 997201242609.EXT, which was formatted the next day.
Encryption and Transmission to BoU
The IFMS encrypts payment files using BoU’s public keys and the Ministry of Finance’s private keys, ensuring only BoU can decrypt them while the Ministry cannot deny their authenticity.
On September 26, 2024: The plain text EFT file (997201242609.EXT) and its encrypted copy (997201242609.EXT.gpg) were created on the IFMS application server.
The plain text file contained nine transactions, including the ADF loan repayment.
After encryption, the files were transmitted via a secure line to the IFMS-BOU interface server (staging server).
BoU’s Managed File Transfer System (MFTS) retrieved the encrypted file, backed it up, decrypted it, and transferred it to the BoU Banking System (BBS).
Final Manipulation and Fraudulent Payment
Later that day, Eriphaz Sebiyonga, a Senior Systems Analyst at the Ministry of Finance, emailed BoU confirming that external payment file 997201242609.EXT, containing nine transactions totaling $12,913,674.30, had been sent for processing.
However, upon review, the Auditor General discovered discrepancies in BoU’s records.
The EFT file was supposed to pay $8,596,824.26 to ADF in Abidjan for loan repayment.
Instead, BoU’s system showed the same EFT number paying “MJS INTERNATIONAL, London” for “AE300824-ZRS.”
“I confirmed that the Accountant General’s Office sent an encrypted file in which the payee for the transaction was ‘MJS INTERNATIONAL, London’ with the reference AE300824-ZRS. This confirms that the change in payment details was made at the Accountant General’s Office before the file was sent to BoU,” the Auditor General reported.
How the Fraud Was Executed
A forensic analysis of the IFMS application server logs from September 25-26, 2024, revealed that critical system modifications were carried out under the account “mkasiiku”, belonging to Mark Kasiiku, a Data Center Consultant at the Ministry of Finance.
Key Unauthorized Actions Under Kasiiku’s Account: Granted himself read, write, and execute privileges for a critical script (add.sh). Moved critical system files (bou.do, bourev.do, and sf.prog) from their original locations to the /admin directory.
Moved XXGOU_SFTP_ARCHIVE_PAY_FILE.prog (a key encryption and transfer script) from the /bin directory to /admin.
Replaced the contents of XXGOU_SFTP_ARCHIVE_PAY_FILE.prog with an altered version (sf.prog) to manipulate transaction details.
File Manipulation and Deletion
Overwrote /bin/XXGOU_SFTP_ARCHIVE_PAY_FILE.prog with the manipulated /admin/sf.prog file. Moved the altered XXGOU_SFTP_ARCHIVE_PAY_FILE.prog back from /admin to /bin to cover up the modification. Deleted bou.do, bourev.do, and sf.prog from /admin to erase traces of the fraudulent changes.
Tampering with System Logs
Wrote the contents of File II into the lastlog file at /var/log/, which tracks user login history. This suggests an attempt to manipulate login records and conceal the actual activities.
Kasiiku’s Defense
During interrogation, Mark Kasiiku denied involvement, stating that the server activities under his username occurred before his usual arrival time (8:30 AM).
He claimed he does not have VPN credentials, meaning he can only access the system physically from inside the Ministry of Finance. Investigators noted that his system login history did not match his work hours, raising further suspicion.
Discrepancy in BoU and Ministry of Finance Records
Upon receiving the invoice, BoU sent an email to the Ministry of Finance confirming receipt.
Further investigation revealed a critical mismatch: The transaction file received by the Ministry of Finance recorded the payee as “Uganda Principal and Interest Payment for African Development Fund (ADF).”
However, the file processed by BoU listed the payee as “MJS INTERNATIONAL, London.”
This confirmed that the fraudulent modification occurred at the Ministry of Finance before transmission to BoU.
Financial loss
On November 14, 2024, a swift message from CITIBANK New York confirmed a reversal of $8,205,103.81 which was credited to the ministry of finance account in Bank of Uganda. With this reversal, the actions and inactions of staff from BOU and Accountant General’s office led to a financial loss of $391,720.45 to the government of Uganda.
Financial Loss
On November 14, 2024, a SWIFT message from Citibank New York confirmed the reversal of $8,205,103.81, which was credited back to the Ministry of Finance account in the Bank of Uganda (BoU).
Despite this partial recovery, the actions and inactions of staff from both BoU and the Accountant General’s Office resulted in a net financial loss of $391,720.45 to the Government of Uganda.
Another Attempted Fraudulent Transaction
The Auditor General, John Muwanga, highlighted another fraud attempt targeting $6,674,320.75 under the description: “Uganda Principal and Interest Payment for IDA, due January 15, 2024.”
The fraudulent transaction attempted to redirect the funds to an account in Sielska-Poznan, Poland, exploiting the same loopholes as the previous fraudulent transactions.
However, this transaction was flagged and ultimately rejected by the SWIFT messaging system, which detected a mismatch: The payee was listed as IDA (International Development Association)
However, the bank details corresponded to an account in Sielska-Poznan, Poland, rather than IDA’s headquarters in Washington, D.C. The detection and rejection of this transaction prevented further financial loss.
