KIGALI — What happened at Equity Bank Rwanda between February 14 and 16, 2026 was not a glitch, not a system error, and not an internal failure. It was a carefully engineered crime, executed with precision, patience, and intent.
A confidential digital forensics report obtained by Taarifa paints a picture of a bank that was systematically targeted, studied, and ultimately exploited by a coordinated network that combined technical skill, insider access, and financial planning. The scale of the fraud underscores that reality. Investigators established that the attack led to massive financial exposure of up to RWF 4.9 billion. Recovery efforts are underway, with more than one third of that amount recovered so far.
What is also emerging is the extent to which the bank has responded. Equity Bank assembled a robust, cross-border investigative effort, tracing the fraud trail from Rwanda to Uganda and Kenya, documenting transactions, devices, communication trails, and system events with remarkable detail. Investigators have reconstructed nearly every step of the operation, leaving only small gaps that fall outside the bank’s direct control and require input from law enforcement, particularly the Rwanda Investigation Bureau (RIB), BNR and third parties such as MTN and MoMo Rwanda.
The story does not begin in February. It starts months earlier.
By September 1, 2025, one of the key suspects, Enock Mpanga, already had images of Raspberry Pi devices stored on his phone. These were not random tech photos. They included a Raspberry Pi 5 with 8GB RAM, priced at 560,000 Ugandan shillings, alongside accessories. Investigators believe this was the beginning of a hardware strategy designed to create covert, persistent access inside the bank’s internal network.
By January 4, 2026, the tone had shifted from curiosity to intent. In a Signal chat, Mpanga stated plainly, “I’m waiting for the Raspberry Pi… configurations are needed before proceeding.” That line marks a turning point. The plan was no longer theoretical. It was moving toward execution.
Around the same time, communication flowed through an intermediary identified as “KDDD,” widely linked by investigators to Solomon Mugisha. In one exchange, a suspected insider connected to the bank asked a very specific question: “Will the Raspberry Pi bypass Cisco Network Access Control (NAC)?” The response came back without hesitation: “The Pi device will not have an issue… we should go for Equity first.”
That statement is as direct as it gets. The target had been chosen. The attackers understood the bank’s internal defenses, and they believed they could get around them. Internally, the operation even had a name. Investigators established that the fraudsters used codenames that surfaced in planning communications and reflected both the boldness and symbolism attached to the operation.
By early February, the operation had moved into a more technical phase. On February 11, 2026, Solomon Mugisha shared a file titled “ECW-20hosts.xlsx” and instructed collaborators to “check for network mapping or access to any web api applications.” A collaborator responded, “I have access to them.”
That moment is crucial. It shows that by February 11, the group was no longer trying to get in. They were already inside, mapping systems and identifying how to move.
But perhaps the most critical development came two days earlier.
On February 9, 2026, at around 10:52 to 10:55 in the morning, a workstation inside the bank’s environment accessed a vendor VPN using a Chrome browser. The machine was assigned to Louis Bizimana, a software developer. There was no approved task requiring that access.
What followed reads like a step-by-step intrusion sequence. At 11:16, there was domain access through Chrome. At 11:20, successful authentication. At 11:21, a password change followed by logout. At 11:22, another login. Between 11:23 and 11:31, access to administrative and sensitive modules. Then, critically, the logs begin to disappear.
The report notes “audit log discrepancy detected” and “significant logging gaps.” In plain terms, someone went in, did something they shouldn’t have, and then tried to erase the evidence.
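The two signals in that sequence, a password change followed within minutes by a fresh login, and entries missing from an audit trail, are both things a bank's monitoring can check for automatically. The following is an added illustration written for this article, not code or data from the forensic report: it runs over a constructed audit trail modelled on the timeline above, and it assumes the audit system numbers its entries, so that a hole in the numbering is direct evidence that entries were removed.

```python
from datetime import datetime, timedelta

# Constructed audit trail (not the report's own log data).
# Fields: sequence id, timestamp, user, event. The sequence id is an
# assumption about the audit system; a hole in it means entries are missing.
SAMPLE_LOG = """\
1041 2026-02-09T10:53:00 devuser vpn_login source=chrome
1042 2026-02-09T11:16:00 devuser domain_access
1043 2026-02-09T11:20:00 devuser auth_success
1044 2026-02-09T11:21:00 devuser password_change
1045 2026-02-09T11:21:30 devuser logout
1046 2026-02-09T11:22:00 devuser auth_success
1047 2026-02-09T11:23:00 devuser admin_module_access
1053 2026-02-09T11:31:00 devuser admin_module_access
"""

def parse(text):
    """Turn the raw lines into (seq, timestamp, user, event) tuples."""
    rows = []
    for line in text.splitlines():
        seq, ts, user, event = line.split(" ", 3)
        rows.append((int(seq), datetime.fromisoformat(ts), user, event.split()[0]))
    return rows

def sequence_gaps(rows):
    """(last_seen, next_seen, missing_count) wherever ids are not contiguous."""
    gaps = []
    for (a, *_), (b, *_) in zip(rows, rows[1:]):
        if b != a + 1:
            gaps.append((a, b, b - a - 1))
    return gaps

def reset_relogin(rows, window=timedelta(minutes=5)):
    """Users whose password_change is followed by a fresh auth_success within
    `window`: the pattern of a credential reset used to take over an account."""
    hits = []
    for i, (_, t0, user, ev) in enumerate(rows):
        if ev != "password_change":
            continue
        for _, t1, u, e in rows[i + 1:]:
            if u == user and e == "auth_success" and t1 - t0 <= window:
                hits.append((user, t0, t1))
                break
    return hits

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("sequence gaps:", sequence_gaps(rows))
    print("reset-then-relogin:", reset_relogin(rows))
```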
From that point on, the attackers were not just inside the system. They were shaping it.
One of the most striking findings in the report is how access controls were quietly restructured. Fourteen different user accounts were tied to a single phone number, +250794045257, which investigators have now established is registered under Jean Claude Kimenyi, a name expected to feature prominently in subsequent reporting. The same number received one-time passwords for multiple accounts. Several accounts were also linked to shared email addresses, including a corporate email, a Gmail address, and even root@localhost.com.
What this meant in practice is simple but dangerous. Whoever controlled that phone number could approve transactions across multiple user profiles. The usual checks and balances were effectively neutralized.
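The control that failed here is a simple one to audit: no OTP phone number or recovery email should belong to more than one user profile, and none should point at a non-routable host such as localhost. The block below is an added example for this article, not the bank's tooling or data; it uses constructed user records with placeholder phone numbers and flags exactly the two conditions the report describes.

```python
from collections import defaultdict

# Constructed user-profile records (placeholder values, not data from the
# report): (username, otp_phone, recovery_email).
ACCOUNTS = [
    ("approver01", "+250700000001", "approver01@example-bank.test"),
    ("approver02", "+250700000001", "shared.inbox@example-mail.test"),
    ("approver03", "+250700000001", "root@localhost.com"),
    ("teller07",   "+250700000002", "teller07@example-bank.test"),
    ("teller08",   "+250700000003", "shared.inbox@example-mail.test"),
]

MAX_ACCOUNTS_PER_CONTACT = 1   # policy: one OTP phone / recovery email per person
LOCAL_DOMAINS = {"localhost", "localhost.com", "localhost.localdomain"}

def shared_contacts(accounts, max_per_contact=MAX_ACCOUNTS_PER_CONTACT):
    """Return {(kind, value): [usernames]} for every OTP phone or recovery
    email attached to more accounts than policy allows."""
    by_contact = defaultdict(list)
    for user, phone, email in accounts:
        by_contact[("phone", phone)].append(user)
        by_contact[("email", email.lower())].append(user)
    return {k: v for k, v in by_contact.items() if len(v) > max_per_contact}

def non_routable_emails(accounts, domains=LOCAL_DOMAINS):
    """Usernames whose recovery email points at a host like localhost:
    reset or OTP mail for them can never reach a real, accountable person."""
    return [user for user, _, email in accounts
            if email.rsplit("@", 1)[-1].lower() in domains]

def report(accounts):
    """Human-readable findings, one line per violation."""
    findings = []
    for (kind, value), users in sorted(shared_contacts(accounts).items()):
        findings.append(f"{kind} {value} linked to {len(users)} accounts: {', '.join(users)}")
    for user in non_routable_emails(accounts):
        findings.append(f"account {user} has a non-routable recovery email")
    return findings

if __name__ == "__main__":
    for line in report(ACCOUNTS):
        print(line)
```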
Then came the trigger.
On February 14, 2026, at exactly 03:24:46 in the morning, an SMS was generated by the system: “GLORIOSE MAMASHENGE, Your credentials were updated. Login: gloriose and new password is ed6a7p.”
Just before that moment, logs show activity from a Linux machine using the user agent Mozilla/5.0 (X11; Linux x86_64). The device was actively navigating the system, accessing pages, and submitting login requests. Immediately after the password change, activity continued from the same environment.
Within minutes, unauthorized transactions began.
It is at this point that everything the group had been preparing for came together. Access had been secured. Controls had been bypassed. Credentials had been reset. The system, from the attackers’ perspective, was ready.
Meanwhile, on the ground, the financial extraction network was already in place.
As early as February 6, 2026, Kayimba Farouk had informed a cash mule that money from Equity Bank Rwanda would be cashed out over the weekend of February 14. That level of confidence, days before the incident, tells you this was not guesswork. The timing was planned.
By February 15 at around 16:00 hours, as the operation was underway, the urgency is captured in one message from Solomon Mugisha: “They should utilize the ‘ki machine’ and get money… be fast so that we keep making money.”
Funds moved rapidly through multiple channels, with mobile money platforms, particularly MTN MoMo, acting as a major conduit for distribution and withdrawal. However, according to Equity Bank officials, cooperation from MTN has been limited. Officials say that despite its central role in the movement of funds, the telecom operator has not provided sufficient support to investigators, slowing efforts to trace transactions and recover stolen money. Some of the remaining gaps in the reconstruction of events, officials note, are dependent on such third-party data and ongoing work by RIB.
Authorities have since arrested most of the key individuals linked to the operation, effectively disrupting what investigators believe could have been a wider and ongoing campaign. There is a growing view among officials that had these suspects not been apprehended, other banks could already be experiencing similar attacks.
Even now, concerns remain that other financial institutions may still be exposed or under silent targeting using similar methods.
The forensic evidence leaves little doubt about what happened. The attackers used unauthorized access, manipulated authentication systems, leveraged insider and vendor knowledge, planned hardware-based infiltration, centralized control of user accounts, and deliberately deleted logs to hide their tracks.
This was not a failure of the bank’s systems or intent. It was a case of a financial institution being targeted and exploited by a coordinated criminal network. In response, the bank has moved to tighten controls across its systems, including reinforcing even the most basic access points, strengthening monitoring, and closing gaps identified during the investigation. Officials say this is part of a broader commitment to transparency and accountability as the institution works to reassure customers and the public.
In the end, Equity Bank Rwanda was not the author of this story. It was the victim of it.
In the next part of this series, Taarifa will break down exactly how the fraud was conducted, step by step, from system manipulation to transaction execution and cross-border cash-out. It will also begin profiling each suspect, examining who they are, how they operated, and the roles they played in this highly sophisticated scheme. After the series, Taarifa will also conduct a one-on-one interview with the leadership of the bank to provide deeper insight into the incident, the response, and the way forward as the bank seeks to reassure the public.