Part One of this investigation revealed how a sophisticated criminal network penetrated systems at Equity Bank Rwanda.

This Part Two turns to the next and equally critical question: once the money was taken, how was it moved so quickly, so widely, and through whose systems?

The answer, according to documents reviewed by Taarifa, leads directly into the mobile money ecosystem; particularly Mobile Money Rwanda Ltd and the wider transaction chain that enabled billions of francs to disperse within hours.

Because stealing money digitally is only half the crime. The second half is extraction.

And in this case, the extraction network appears to have been as organized and deliberate as the intrusion itself.

By the time unauthorized transfers began at Equity Bank Rwanda in mid-February 2026, investigators believe the outward channels had already been prepared. Wallets existed. SIM cards were active. Receivers were positioned.

Cash-out routes were ready. Human networks were waiting.

That level of readiness suggests the fraud never depended only on hacking systems. It relied just as heavily on external platforms capable of receiving, splitting, transferring and withdrawing large amounts of money before intervention could occur.

To move more than four billion francs through digital channels requires systems, permissions, wallet capacity, receiving accounts, transaction sequencing and cash-out pathways.

It reinforces the conclusion that the fraudsters were not improvising. They were operating through a pre-arranged commercial pipeline.

A letter reviewed by Taarifa, sent by the Bank to Mobile Money Rwanda Ltd on February 24, 2026 paints that picture sharply.

In it, the bank states that transactions involving MoMo wallets had been identified amounting to Rwf 1,746,897,761.

But the deeper review did not stop there.

Further engagements between Equity Bank and Mobile Money Rwanda reportedly uncovered additional suspicious transactions that had been routed directly to MoMo Rwanda without passing through the normal bank-to-MoMo float structure. Those additional flows amounted to Rwf 2,389,150,200.

Combined exposure reached Rwf 4,136,047,961, with only part of the funds recovered at the time.  That figure matters not only because of its size, but because of what it reveals.

Equity Bank’s language in the letter is unusually direct.

“This deviation strongly indicates system abuse and fraudulent manipulation,” the bank wrote after describing transfers that allegedly bypassed the ordinary trust-account flow.

In practical terms, money appears to have entered or moved through channels not normally associated with legitimate bulk flows.

That is where scrutiny now intensifies around MoMo Rwanda. For purposes of clarity, MTN and MoMo Rwanda are two different entities. MoMo is a subsidiary which offers mobile money services while MTN is the parent company offering GSM services.

Now, Taarifa understands that in the immediate aftermath of the fraud, National Bank of Rwanda (BNR), which regulates both Equity Bank Rwanda and Mobile Money Rwanda Ltd (MoMo) as licensed financial service providers, was contacted by Equity Bank after the incidents.

According to credible sources familiar with the matter, Equity sought urgent intervention and requested for firm engagement of MoMo Rwanda to help stop, freeze or reverse suspicious transactions while recovery remained possible.

Sources further say that before approaching the regulator, Equity had already directly reached out to MoMo Rwanda for assistance, but viewed the initial response as noncommittal at a time when funds were still moving rapidly through external channels.

Investigators say one of the most urgent requests involved access to data that could help establish whether communication existed between suspects, wallet holders, agents, facilitators or internal actors during the period of the fraud.

Such information was considered potentially decisive in mapping coordination, identifying command structures and tracing the wider network behind the cash-out operation.

According to sources familiar with the recovery effort, delays in obtaining timely cooperation and actionable data significantly slowed early tracing efforts.

In fraud cases where funds are rapidly dispersed, every hour can determine whether money is frozen or disappears permanently.

After failing to secure the level of inter-institutional support and cooperation it believed necessary to swiftly trace the funds and identify the network behind the fraud, Equity Bank is understood to have activated auxiliary channels and parallel intelligence routes to track suspects, preserve evidence and accelerate apprehensions. Six suspects were arrested in Uganda and are detained in Ruzira prison. One of their kingpins was also arrested in Kenya (he has been released on a dubious bail). We will reveal all names in our next article.

Sources also indicate that Rwanda Investigation Bureau (RIB) later intensified its involvement after what some observers characterized as an initially sluggish response phase.

At the same time, investigators examining devices, communications and planning material are said to believe the criminal group intended Equity Bank to be only the first target.

According to credible information available to Taarifa, the network had developed plans that could have been deployed against additional banks had the suspects not been disrupted in time. They are believed to be highly technical and experienced fraudsters.

In a detailed response to questions from Taarifa, MTN and MoMo Rwanda said they treat the matter with “the utmost seriousness,” maintain a “zero-tolerance stance toward fraud,” and remain committed to safeguarding customers and preserving trust in the wider financial ecosystem.

The company strongly rejected suggestions that the case stemmed from failures in SIM registration or bulk wallet creation.

According to MTN, the 341 numbers referenced by Equity Bank were mostly MTN Rwanda SIM cards linked to MoMo wallets, but they were not newly acquired in one coordinated batch.

Instead, the company says the numbers had been registered individually over many years, with some accounts dating back to 2018 and 2019, and only 12 SIM cards registered in 2026.

That distinction is important.

If accurate, it would mean the network did not rely on mass last-minute SIM acquisition, but rather on older, already active lines; giving the fraudsters a lower profile and making suspicious clustering harder to detect.

MTN further stated that these were “primarily existing active SIM cards,” not dormant or freshly activated lines. It said all registrations complied with Know Your Customer (KYC) regulations and that no single national ID can be used to register more than three SIM cards.

The company also said some registrations predated later biometric requirements but were lawful under the rules in force at the time.

That explanation partially shifts the investigative lens.

Instead of asking whether hundreds of suspicious numbers were rapidly created, the more relevant question is whether previously legitimate accounts were later repurposed, compromised, rented, coordinated or recruited into a criminal distribution network.

Because old accounts can be more valuable than new ones.

They often carry transaction history, reduced suspicion, existing wallet functionality and known usage patterns.

MTN said there was no bulk registration, no misuse of dealer channels, and no evidence that dealers or service centers created suspicious numbers for coordinated groups. It added that regulators had reviewed aspects of the registration process and found no issues.

Yet the broader concern does not disappear.

Three hundred and forty-one receiving numbers tied to 861 transactions still point to a remarkably distributed flow of funds. Whether those accounts were newly opened or long-standing, they functioned as a network at the moment the stolen money moved.

That remains the core issue.

MTN also explained that after SIM registration, customers independently activate MoMo wallets by setting a PIN. It said all wallets were KYC-compliant and that identities behind the accounts can be verified.

The company further stated that most of the implicated wallets had been active for a considerable period and were operating as normal customer accounts before the incident.

If so, that introduces another possibility: rather than fraudulent wallets created solely for the heist, investigators are examining ordinary accounts later used as conduits, knowingly or unknowingly.

Some of those wallets, MTN acknowledged, were associated with registered MoMo agents. It stressed that such agents were fully compliant, properly registered, and had been active on the network for years.

That detail could prove significant.

Agent-linked wallets often have higher activity volumes and commercial relevance, making them attractive channels for rapid movement if misused by insiders, third parties, compromised operators or external actors.

MTN said the transactions observed were “within the defined thresholds and limits applicable to customer accounts,” suggesting that transfers were structured in amounts small enough to remain inside existing controls.

That statement offers one of the clearest clues yet into how the scheme succeeded.

Rather than sending a few obviously abnormal transfers, fraudsters fragmented funds into many smaller or permitted-value transactions across numerous wallets — a classic evasion technique designed to stay below automated alert thresholds.

In anti-fraud terms, that is known as structuring.

Instead of triggering alarms once, the system is asked hundreds of times to approve amounts that individually appear ordinary.

Taarifa has further learned that material obtained from confessions by suspects detained in Uganda states that the network had an MTN insider who secured and onboarded SIM cards weeks earlier.

If confirmed by investigators, that account directly contradicts MTN’s assertion that there was no internal facilitation or irregular onboarding process and would place fresh scrutiny on the telecom’s rebuttal.

MTN said the relevant wallets and transactions were later blocked, while the SIM cards remained active to support ongoing investigations and tracing efforts.

It also said no employees are currently under internal investigation and that no gaps have been identified requiring changes to SIM activation or wallet creation procedures.

For investigators, however, compliance at onboarding is only one part of the puzzle.

The bigger issue is behavioural monitoring after onboarding. Did clusters of long-standing accounts suddenly begin receiving synchronized transfers?

Were multiple wallets transacting within minutes of each other? Did agent-linked accounts show unusual downstream withdrawals? Were there shared devices, locations or patterns?

Did known low-activity accounts suddenly become high-velocity nodes?

Those are the kinds of signals modern fraud analytics typically examine.

Sources familiar with the matter say Equity officials were frustrated by what they viewed as limited cooperation from MoMo despite the centrality of mobile wallets in the movement of funds. MTN, for its part, said it has compiled timelines and shared relevant information with authorities. Equity bank officials disagree.

But investigators say timelines alone were not enough. What was urgently needed was comprehensive operational data capable of linking transactions to human coordination, communication trails and cash-out execution networks.

In fraud cases, hours matter. Sometimes minutes matter. A delayed freeze can mean the difference between recovery and disappearance.

The longer funds remain mobile, the harder they are to claw back.

That is why mobile money operators are not passive spectators in cyber-financial crimes. Once funds enter their ecosystem, they become critical actors in containment.

This does not automatically imply wrongdoing by MTN or MoMo Rwanda. It does, however, place their systems, controls, monitoring and response protocols under legitimate public scrutiny.

Could transaction analytics have identified abnormal flows sooner? Were clusters of wallets suddenly receiving unusual sums? Did existing accounts become suspicious only at the moment of the heist? Were agent accounts involved deeper in the chain? Were internal escalation triggers activated? Did anyone manually override alerts?

And if hundreds of numbers were involved, were common fingerprints visible across registration data, devices, geography or transaction timing?

These are now central investigative questions. So far, RIB has not concluded their investigations.

Meanwhile, for millions of Rwandans, mobile money is not merely a convenience. It is salary receipt, school fees payment, business capital and daily survival.

Confidence in that system depends on the belief that suspicious activity is quickly detected and decisively stopped.

The Equity fraud case therefore extends beyond one bank. It touches the trust architecture of Rwanda’s wider digital economy.

MoMo said in a statement that the over 6 million Rwandans trust MoMo platforms to buy, sell and save their hard-earned money quickly, seamlessly and affordably.

Over the last three months, MoMo processed 803 million transactions during the quarter, with total value reaching nearly Rwf 14 trillion. “This would be impossible without our customer’s trust,” the statement said.

Meanwhile, Equity Bank appears determined to show that it was the victim of a targeted criminal campaign rather than the source of misconduct.

Internal investigations, forensic reconstruction and cross-border tracing efforts suggest an institution attempting to respond aggressively after being hit.

But no bank, however vigilant, can recover stolen money alone once it leaves into external networks.

That requires immediate cooperation from telecom operators, wallet providers, regulators, investigators and law enforcement.

The next stage of this case may therefore depend less on how the theft occurred; and more on who helps recover what remains. Because the real story is no longer only who got into the bank.

It is rather about who helped the money get away, whether regulations to safeguard citizen’s money from fraudulent cross boarders transfers exist and national apparatus to deal with such sophisticated international criminal gangs like those in the case Equity Bank Rwanda.

In Part Three, Taarifa will break down the probable cash-out architecture of the scheme: from first wallet receipt to redistribution, withdrawals, cross-border channels and the human networks that turn digital theft into real money.

Read part 1 here below.

Inside the equity bank heist (part 1): the making of a digital crime