White Noise

( )

Chapter One
Blue
There are days when I like to go to the park, take a stroll and clear my mind. Usually these days
follow the crunch time of a big project, when I need a break from it all. The park itself is the variable, but
the routine is the same. Drive there, find a nature trail and wander off for hours. Thats how it has been
as far back as I can remember.
Im not the tree-hugging, conservationist type, but I have a fair affection for the unspoiled
environment of game parks. But where are my manners, let me first introduce myself. My name is Sam,
and Im a systems developer. Not a very bad one at that, but I could be better. There isnt much to say
when youre the developer type, were a lot like the guys on Big Bang Theoryexcept that we probably
arent that awful with girls.
Ah yes, girls. Whats a story without a girl? I met one recently, an accountant at the Central
Bank. I always imagined people who work at the Central Bank must live in some controlled environment
and only talk to workmates and stuff like that. Turns out they are humans like the rest of us, and some
are very pretty humans too. Her name is Lisa, and if Shakiras hips dont lie then Lisas are truth itself.
Shes relevant to the story as we will see presently. Or perhaps she isnt and I just wished to include her
for purposes of avoiding conflict.
Back to the park that I was wandering through. I had been working hard on a project for some
trading company client and I had earned some well-deserved time off. As I was walking through the park
I was thinking about a particular algorithm I had used for the system. The client is an electronic stock
broker called Intellect Finance. They sell shares of listed companies on the stock exchange in a fully
electronic manner. No more meetings in brick-and-mortar offices and filling paperwork to sell shares.
Just use the Android app and buy or sell, or log-in on your browser and trade without any hassle, from
wherever you are.
Intellect Finance (or IF as they love calling themselves) wanted to be able to tell when a client
makes a trade that is unusually large or unusually small. Like banks, they were also on the lookout for
fraud. A clients trading is always tracked and anything out of the ordinary is flagged for manual
verification.

I thought of the harmless herd of zebra I was walking past as ordinary transactions. Quiet,
numerous, slow and in a manner of speakinginconsequential. The sudden appearance of a lion or a
pack of hyenas would be a suspicious trade. Interesting, exciting and worthy of notice by the agents. The
other thing that would arouse suspicion was a stampede. A whole lot of zebra rushing by at speed would
be cause for alarm. Clearly today work was on my mind even when I was supposedly clearing it.
I had setup trading software for several brokers after the Nairobi Securities Exchange finally
allowed automated trading. Other companies had also set up similar systems and I knew internally they
all worked roughly the same. Everyone in the industry flagged anomalies for checking. Everyone let the
zebra through, because the zebra were numerous and unlikely to be fraud. Everyone watched for the
high frequency small transactions that would indicate some sort of hacking like the famous salami
attack where a hacker steals tiny amounts from every account. I knew this whole automated trading
thing would bring the hackers to Nairobi in force. And I wanted to be one step ahead. So the question
washow does a lion pass for a zebra? Or how to make a stampede go unnoticed?
I left the park at 1700 and drove home. I called Lisa and asked about her day. She was still at
work till around 2000, which was normal for the staff at the Central Bank. She could talk about
currencies and fiscal policy until I felt I didnt know anything, but I would still listen intentlythe
mysteries of affection. She told me that the Central Bank was worried about the security risks of online
trading, but not significantly. They left most of the worry to the Capital Markets Authority, which was
responsible for Kenyas only stock exchange. I sounded her out on my concerns and she laughed them
awayif online trading had been in operation in most of the developed world for ages without major
incident, what was I worried about?
I didnt visit the park for a while after that day. I set up the system for IF and gave them their
standard anti-fraud measures. Then I watched the activity for a week, seeing zebra go past and
occasionally a lion when one of the local tycoons was either closing or opening a position on a certain
stock. These guys never play small, they get a good feeling about a stock and next thing you know
theyve sunk more than ten million in the next day. So there were lions, but legitimate lions. They got
flagged as a formality, but no one actually made calls to the local version of the Forbes 100 to ask about
what for them would be routine transactions. These were lions that were simply waved along.
So now that youre done with your food, how is everything at the CBK?
Well, same old routine. But I have been thinking about your concerns on trading security. I like
your zebra and lions analogy. I think I have come up with a scenario that could possibly result in fraud.
Really? And here I was thinking how I must bore you with my information security ranting.
I think you have us confused. Im the one who goes on and on about fiscal policy and the forex
reserves. Anyway, back to my hypothetical exploit. Supposing I gain control of the NSE server, say
through hacking. And I set up many dummy accounts and load each with some little money, say 10,000
shillings each. Then I use them to manipulate the price of some mundane stocksomething in the
growth segment where the small fish swim.
Go on. I am beginning to like this date a lot more. And I was already thrilled to begin with

Okay. So the hawk-eyed investors dont know I have bots playing up the price. They begin to
buy up that stock. At that point if Im working for that company or own significant stake, I have instantly
made the company more valuable than it actually is.
And you can dump all your shares and run, or you could simply use your bot accounts to make
a huge transaction seem like hundreds or even thousands of unrelated small transactions. You can make
a lion pass for a large herd of zebra!
I hadnt thought that far but heyyoure the programmer Sam.
So we had an incredibly good date that Friday. So good in fact that I was dropping Lisa at CBK on
Monday morning. Enough said. That weekend I decided I was going to break into the Nairobi Securities
Exchange.

Chapter Two
Green
It was a pretty easy thing for me to get into IFs server, having built the whole system myself.
From the IF server I had access to the interface of the NSE trading application. Naturally, it demanded a
login name and password. The credentials that I had from IF wouldnt give me enough permissions to do
much inside the NSE system, and whatever I did would be logged as activity from IF. That would very
quickly be traced to me. I needed the administrator password for the NSE trading system. Contrary to
what I had expected of a government-built system in Africa, the security was incredibly strong. So I
couldnt directly hack the trading system.
Hacking is aided by peoples tendency to forget passwords and subsequently their need to have
an easy-to-remember password. Most hacking isnt typing commands at some black console in Linux like
Scorpion and the movies would have you believe. Most hacking is simply guessing passwords for
powerful user accounts (usually the administrator or root account). This can be done by brute force
(writing a program that generates passwords and tries them at a very fast rate, eventually finding the
right password if it is short and simple enough) or by social engineering (tricking people into giving their
password e.g. a fake website or spam email saying you have won millions). Very rarely youll have
malicious software downloaded to your computer that logs all your key presses (typing) and then scours
that data for passwords which it sends back to whoever wrote it.
I hacked into the NSE website (which was some ancient website in Joomla from the pre-onlinetrading days), got the administrator password and worked with the assumption that the administrator
for the website was the same guy handling administration on the trading system and he probably used
the same password. I was right. Once inside the NSE system I did what any hacker would do, I created an
administrator account for myself and called it System Backup. Nice and not suspicious. Next I logged in
using that account and cleaned up, so that the administrator would not know his account had been used
at all. So to all you system administrators out there, dont use the same password on your blog and the
critical system you manage.
After that I set up six thousand user accounts with names and IDs I pulled from the government
registry of people (another weakly protected site). I made sure I used identities of people who were
above 50 and receiving relief food. Those were people highly unlikely to actually be trading.
Now each of these accounts was active, waiting to be funded. They were registered under
various brokers, including IF. I just picked at random and set them up to look like old dormant accounts.
For a broker handling perhaps seven hundred thousand accounts across the East African region, I knew
IF managed at least fifty thousand junk accounts. Accounts that were opened and never funded. Four
hundred others would not be alarming. So far so good. I then logged out and went back to being a lawabiding citizen for a week. The idea was to let the dust settle. IF had no questions, no broker raised any
alarm. Nothing. The NSE system continued its daily march.
After a week, thousands of new accounts had been created legitimately. Hundreds of thousands
of lines of system logs had been saved. If anyone wanted to look at what I had done, it was buried under
a weeks worth of data. I was safe. The next step was incredibly ingenious. Accounts can be funded via

MPesa. The best way to fund six thousand accounts was to use the paybill option. Since MPesa was
upgraded I could do this all from my online banking.
With an incredible amount of trepidation, I logged into my savings account and transferred six
million shillings to my company account. This was not unusual. I usually transferred large sums back and
forth to make both accounts achieve high turnover values. That is incredibly good for credit ratings.
Therefree advice. I then moved all the money into Paypal. Again, this was not unusual I sometimes
import goods or pay for online services, so I use Paypal a lot. More importantly, that effectively made
my next actions invisible to the Kenyan banking system.
A lot of people run financial services that allow Kenyans in the diaspora to send money home via
Paypal. This money can either be forwarded to the recipient as MPesa or even directly used to pay bills,
buy goods or services. I found ten of these financial services companies and sent 600,000 shillings
through each. Each service provider got a list of names and the corresponding paybill number for the
broker they were registered under, and the amount for each was 1000 shillings. That was probably a
stampede, but a stampede on Paypal. On the brokers side these were hundreds of unrelated accounts
getting funded. And then I laid low for two weeks. Nothing happened on the accounts. No broker raised
any alarm. That was enough time to get my actions buried under other data. I was pretty sure if this was
the New York Stock Exchange Id have been stopped at the account creation level. But here in Nairobi no
one goes the extra mile to check out anomalies. No one expects anything complicated is going to occur.
I was very wary of the CMA those two weeks. If anyone was going to smell something fishy, it
was definitely going to be the Capital Markets Authority. I called Lisa and told her that I was trying out a
test break-in to see whether the defenses of the online trading platform were sound. I explained in
broad strokes, without specifics what I was going to do. I didnt say I had done anything yet. She seemed
amused rather than concerned.
You worry too much Sam. Like I said, we arent re-inventing anything. This online trading has
been done for decades. You fish as much as you like for loopholes, but I doubt anything will come of it
I guess youre right dear. But I will try anyway, the scientist in me wont be satisfied unless I do.
In other news, are you busy this evening.
Another Monday, another step in the plan. I now had six thousand accounts under my control
with 1000 shillings each. I knew that the trading itself was fully automatic, so I could buy and sell with all
the accounts without raising any suspicion. But I couldnt possibly operate six thousand accounts on my
own. I had to automate them. So I got a trading bot (software that automatically trades for a person
based on rules and parameters you feed it). The best in the trading bot market MetaTrader 10. It could
easily handle my six thousand accounts. I then modified it to be able to achieve group objectives rather
than think independently for each account. I wanted my bot to be able to command the accounts like
an army, sort of like how hackers use an army of infected computers to attack a website in DDoS
attacks.
So that was the first thing I modified. The other thing I modified was that I added a chatbot (a
software that uses artificial intelligence to converse with humans, like a smart version of Apples Siri) to
the MetaTrader 10. I wanted my accounts to be able to take an actionsay bet on a certain stock going
up, and then MetaTrader 10 to join the chat by all the other traders and talk up that stockpulling facts

and figures from the internet. That way, I could have six thousand accounts to create a trend or
influence trading, and also influence the human traders via chat. I knew how experienced traders built a
following through making accurate predictions such that thousands would take their advice without
even thinking. I wanted to make a trading bot the sage of the chatroom.
I began by picking up a stock of the little known Funtrench Limited, from the growth segment.
This was a company with turnovers averaging five million, not something to talk about with any serious
trader. They probably listed to get capital for staying in business like everyone else in the growth
segment. I got MT10 to make purchases of Funtrench stock randomly over a week, and then throw a
hint on the chats that a big announcement was soon coming from Funtrench Limited that would change
the software game.
By mid-week, MT10 had bought up Funtrench stock for 4500 accounts, and there was some
interest from the human traders too, mostly because a stock that wasnt even moving had suddenly
become active. By Friday the Funtrench stock had been driven from about 2.50 shillings a share to 10
shillings. Then MT10 took the plunge and started betting on a price of 50 shillings by the next Friday.
Humans followed, and soon no one was selling for anything less than 45 shillings. The market had
officially become my playground.

Chapter Three
White
I had actually read from Funtrenchs Facebook page that they had an announcement to make
the next week. I had no idea what it was or whether it would change anything. Yet here I was, singlehandedly multiplying their companys worth 20 times. Investors began talking to Funtrench, and the
announcement they were to make got lost in the noise. No one cared about the announcement, the
market had just made Funtrench valuable. Very valuable. And I had six million shillings worth of their
shares, making my value in the accounts rocket to a hundred and twenty million. Everyone wanted a
piece of Funtrench, and I finally allowed MT10 to sell half of the stake I had at 55 shillings.
Theres a heady feeling I get when a client has paid up and I have maybe a few hundred
thousand shillings in my account as disposable income. I had been careful to link all the dummy
accounts to Paypal, so that there was little possibility of Kenyan banking seeing six thousand accounts all
funneling money to me. From Paypal, I could access the money on demand and it wouldnt all appear in
my bank account at the same time. The awareness of having ten times my initial investment sitting in
Paypal was an overwhelming feeling. Part of me wanted to go to Teslas website and customize an
electric car and ship it. But I thought I should be patient. Let Funtrench make many new millionaires
first, so that we can be a herd of zebra.
Ladies and gentlemen, Funtrench Limited would like to present the first ever intelligent ERP
system in the world. We have been working over half a decade to get this project to where it is now. No
more will accounting be complicated and error-prone, no more will you need expensive support. The
Funtrench ERP will be able to advise you.
I was seated at the KICC Tsavo Ballroom as Enock Maseru, the CEO of Funtrench Limited took an
awed crowd through their new software. It was certainly going to be a game changer, I knew that as a
systems developer. I was trying to make sense of it to Lisa who was a little confused by it all. I knew that
the shift of the venue from their cramped boardroom to KICC, and the expansion of the guest list from
just a few potential clients to the entirety of corporate Kenyas blue-chips was a direct result of the
capital injection their share spike had caused. And that was when it hit methis was the perfect form of
venture capital. Just spike shares for people who need capital to solve relevant problems.
I told Lisa the story of how MT10 created white noise with dummy accounts to drown out
legitimate market noises, and how I had finally made a very big lion pass for zebra and even made a
stampede look like a leisurely trot. She listened keenly and then gave her verdict.
Im not sure whether to turn you in or marry you. This seems so much like a good thing but it is
illegal. Without your manipulation, it is likely no one would have known about intelligent software. Now
Funtrench is going to make intelligent software for traffic management, hospitals, and schools and so
on, and make a more efficient nation. That makes sense in a Robin Hood kind of way. So I suppose you
get to shop for a ring. Sometime. Maybe not. Im making this too easy for you
And that very day Lisa resigned and came to work with me. She brought an understanding of
markets and trade that I didnt have, and I used that to make MT10 smarter. I made a Central Bank
employee resign, or perhaps no one can argue with sixty million. And before I forget, IF were making

quite a sum on commissions, alongside the other brokers. I had a feeling they wouldnt tell even if they
found out they had absentee traders in their client list.
Lisa and I went about identifying companies in the growth segment for a push up, and
misbehaving monopolies like Safaricom for a push down. The power was intoxicating. We spent weeks
planning an operation, setting rules and then let MT10 do the rest. And by selling strategically we were
able to turn the initial six million into a billion shillings in a matter of months. I had to open a US bank
account to get the Paypal money into, still suspicious of the local banking system.
Funtrench Limited were launching new software every month it seemed, all filled with AI. We
had also bumped up a project management outfit called Circle One Solutions which was using phones to
revolutionize project management for small businesses. We had also managed to use complaints on
Safaricoms customer care page and KPLCs customer care page to talk down their stocks. Safaricom lost
about half its value in two months, forcing them to significantly improve service and giving Airtel a
chance to finally make it above 25% market share. The government announced that the power
distribution business would be opened up to private investors, bringing Kenya for the first time to the
same level as developed countries in terms of competition in the electricity sector. We were feeling like
super-heroes.
We realized that we had turned the NSE into a force for good, for activism and as Lisa said into
a modern-day Robin Hood. And now, three years later, MT10 does most of the work unsupervised,
including the selection of which stock to manipulate. We havent been caught yet, not even a close
shave. We are worth several billions, which we invest in companies that havent made it to the growth
segment startups with promising futures. The story of Funtrench has caused an explosion of
technology startups in the country, many concentrated around Konza City the Silicon Savannah.
Funtrench themselves maintain that they have no idea what exactly happened, just that their pending
announcement seemed to have sparked a campaign of bets. Most people assume it was just some local
tycoons deciding to throw some money at the growth segment for once, perhaps as a game of sorts.
And when that paid off handsomely, they kept investing in the growth segment, creating a new normal.
These days a lot of investment goes to the growth segment of the NSE, and the traditional bluechips are feeling the pinch. So yes, we are Robin Hoods protgs. And yes, Lisa and I are married. And
when people ask where we got our wealth, we say we bet on Funtrench really early and with all our
savings. Which is fairly true.

THE END