Developer who stole $24m from HIT appears in court (it wasn’t a hack)

Leonard Sengere Avatar

The Harare Institute of Technology (HIT) was robbed by one of its developers, allegedly. About ZW$24 million (~US$2000) was pinched but HIT has recovered $21 million of it so far. These are not huge amounts but theft is theft.

You may have heard that HIT was hacked but that’s not technically what happened. I know, people hear ‘developer’ and they immediately think ‘hacking.’ However, you will find that what this guy allegedly did could have been done by a non-developer.

Arnold Chifamba, a 26-year-old developer, was employed by HIT. It was his responsiblity to integrate HIT’s online application system with Paynow to enable the collection of registration fees.

Due to his access to the system, he decided to change the account where the funds were to be deposited. Instead of using HIT’s account, he changed it to his own Paynow account. This led to HIT funds going into his personal Paynow account.

He did this in 2023 and managed to divert ZW$3 302 564. He then moved the funds from his Paynow account to his CBZ account and that money was in the wind.

2023 was apparently a trial run because this year he stepped it up a notch and diverted ZW$21 217 069,61. Turns out that was a little too much and HIT noticed the missing funds and contacted Paynow.

Chifamba tried to move the funds to his CBZ account again but the funds were frozen after HIT reached out to Paynow. That’s how the $21 million was recovered. The $3 million stolen last year is still to be recovered.

HIT reported the matter to the police and Chifamba was arrested.

Chifamba appeared in court yesterday, the 8th of February, charged with theft. He was granted US$100 bail and will return to court on the 16th of April.

Supervision

Chifamba did not unlawfully gain access to the HIT system. He was the chief developer working on the Paynow integration and so he had access. He misused this access and changed account numbers. Simple theft.

It was a case of “mbudzi yaidya payakusungirirwa” getting caught.

You would expect that there were other eyes that went over Chifamba’s work. Especially when it involved accounts that would hold HIT funds. You know, at least to check that there were no typos on the account numbers.

Or maybe not, it could be that this simple detail was overlooked, that although Chifamba could make all sorts of communications with Paynow as he worked on the integration, there were certain instructions he could not give Paynow without authorisation.

I think in between queries about API problems and test accounts, Chifamba snuck in his change of account note.

We saw this to a much greater extent when we talked about the deepfake scam that netted criminals US$26m in Hong Kong. An employee had authority to transfer that much money with no oversight.

So, in closing, HIT systems were not hacked. An employee stole from them by changing the organisation’s Paynow account to his. Something some other guy in accounting could have done. They also could have given the developers the wrong account to integrate with.

Let’s be frank though, this was a stupid idea. The Bibles worth of paper trails he left meant it was only a matter of time until he was caught.

Also read:

12 comments

What’s your take?

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  1. Maya

    I wonder if IT Auditors don’t look at this during their audit.

  2. As a dev, I feel embarrassed for him.

    What a stupid guy. I wonder how he even got such a job with that thinking capacity. It was obvious he’d eventually get caught. These transactions are not anonymous in any way. The fact that he’s a developer makes the issue especially embarrassing.

    1. Zero

      Thank you. This nigga was depositing the funds in his PayNow account. How he thought he would never get caught is beyond me. Ndiwo Mdara anopiwa basa bcz of age not expertise.

  3. Sir Titus ve tech

    So is it possible to have a paynow account as an individual that can receive that sum of money and transfer it to your bank account

  4. //////

    That brings a new question,how secure is this Paynow gateway in case of a cyber attack

    1. Uncle Murda

      Question is more about the security of websites which accept payments and their internal controls.
      This one didn’t even have anything do do with cybersecurity or Paynow system, the dev would have pulled off the same fraud with any payment gateway like Stripe or Paypal.
      This guy obviously had back-end access to HIT website /app and switched out the Payment gateway credentials from HIT’s to his own. Simple but paper trail leading all the way to his personal bank account 😂

      1. Gandalf the Zimbabwean

        No! Some platforms don’t accept personal accounts for companies. Even Paynow itself for a high level account of a University must always be a verified account and a personal account is not part of the verified merchant account application.

        1. Uncle Murda

          Gandalf, This Dev anogona kuita Paynow account yake as a Sole trader iri Verified/Unverified, just like HIT had its own verified Paynow account, both accounts are legit. Problem iri pano ndeyekuti Dev uyu akaisa his personal Paynow credentials mukati me HIT web application because he had full access, saka all transactions were appearing under his own account.

  5. Tapiwa

    A proper PR review could have picked this. No pushing code to production without a review from 2 other colleagues.
    I have noticed that most Zim orgs don’t have proper developer guidelines for CI/ CD.

    1. Bornwell

      I don’t think PR reviews are the real solution here, SECRETS like Account Numbers should never be committed to a code repo in the first place. A tool like AWS Secret Manager could be used and the Developers granted read only access whilst the relevant Finance department gets read and write perms.

  6. talent

    check out some money schemes happening at clicknpay

    1. Munashe

      Which one exactly

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed