NAIROBI, Kenya – July 28, 2025 – Cyberattacks targeting Kenyan systems more than doubled to 8.6 billion in the year ending June 2025, up from 3.5 billion the previous year, according to a new report by the Communications Authority of Kenya (CA). The unprecedented spike, driven by inadequate system updates, low public awareness, and increasingly sophisticated AI-driven attacks, underscores the growing threat to Kenya’s digital economy, which contributes 7% to the nation’s GDP. The surge, particularly evident in a record 4.6 billion threats detected between April and June 2025, has prompted urgent calls for stronger cybersecurity measures to protect critical infrastructure and financial systems.
The CA’s Cyber Security Report Q4 2024-2025, released on July 25, 2025, highlights system attacks as the dominant threat, accounting for 4.5 billion incidents, primarily targeting database servers, operating systems, and network devices in sectors like finance, healthcare, and government. Ransomware attacks, led by groups like LockBit and Cl0p, surged by 68%, exploiting outdated software and weak configurations, while Distributed Denial-of-Service (DDoS) attacks rose 255.6%, often using compromised Internet of Things (IoT) devices to overwhelm public services. AI-powered phishing scams, including deepfake-driven Business Email Compromise (BEC), have also grown, with attackers leveraging machine learning to craft convincing social engineering lures. Mobile application threats, particularly targeting Android devices and smart TVs, increased 177.7% due to poor credential management and insecure supply chains.
“The sharp rise in detected cyber threats can be attributed to inadequate system patching, limited user awareness of threat vectors such as phishing, and the growing adoption of AI-driven attacks,” the CA stated. The report notes that Kenya’s high mobile penetration—72 million devices, with 80.5% smartphones and 97% broadband coverage—has expanded the attack surface. The financial sector, including mobile money platforms like M-Pesa, is a prime target, with institutions allocating KES 900 million ($6.98 million) annually to cover cyber losses. Local businesses spent an average of $4.35 million each to recover from attacks in 2024, eroding consumer trust and economic stability.
Kenya ranks second in Africa for cybercrime losses, with $83 million lost in 2023, trailing only Nigeria’s $1.8 billion. The National Kenya Computer Incident Response Team (KE-CIRT/CC) issued 19 million advisories in Q2 2025, a 30% increase, recommending offline backups, network segmentation, Multi-Factor Authentication (MFA), and AI-powered DDoS protection. Despite a 41.9% drop in threats to 657.8 million in Q1 2024/25, attributed to improved training and advisories, the April-June spike signals persistent vulnerabilities. Over 100 attacks targeted critical government infrastructure from January to August 2024, including a July 2023 DDoS attack by Anonymous Sudan that disrupted the eCitizen platform, affecting 5,000 government services.
The CA’s 2022–2027 National Cybersecurity Strategy emphasizes multi-stakeholder collaboration, with initiatives like the 2024 Computer Misuse and Cybercrime Management Regulations and the Kenya Defence Forces’ Cyber Team gaining global recognition. Events like the 2025 Cyber Carnival aim to boost awareness, but experts stress that low public understanding of phishing and social engineering remains a critical gap.
The surge threatens Kenya’s digital ambitions, with fintech transactions projected to reach $3.1 trillion by 2028. “Defending Kenya’s digital future requires urgent investment, strong regulation, and relentless vigilance,” said CA Director General David Mugonyi. As the government pushes for stricter access controls and regular patching, the report underscores the need for public education to counter AI-driven threats, ensuring Kenya’s digital economy remains a driver of growth rather than a target for exploitation.