How Cybercrime Became Kenya's Fastest-Growing Threat
- Timothy Pesi
- 2 days ago
Kenya has long positioned itself as East Africa’s digital powerhouse—boasting a thriving tech scene, world-famous mobile banking systems, and an increasingly online public sector. But new data from the 2025 Economic Survey suggests that behind the country’s digital rise lies an unspoken emergency: a cybercrime wave of staggering proportions.
Between 2020 and 2024, the scale of cyberattacks in Kenya exploded into the hundreds of millions—and in some cases, billions. The most aggressive growth came from system vulnerabilities, where incidents soared from just 114,675 in 2020 to a mind-bending 3.2 billion by 2024. Malware and botnets have also surged back after brief declines. The message is clear: Kenya’s digital growth has far outpaced its cyber defences.
Let's chart this for better context:
Malware: A Trojan Horse in the System
Once dismissed as a nuisance for individual users, malware has evolved into a national-scale economic threat. In Kenya, reported incidents rose from 124 million in 2020 to nearly 133 million in 2024. The peak came in 2021, with 181 million cases, before a temporary dip in 2023.
This resurgence reflects malware’s growing role in cyber-espionage, extortion, and large-scale fraud. Whether it’s ransomware locking down a county government’s servers or spyware silently harvesting mobile money credentials, malware remains a favourite weapon for both criminal gangs and state-linked actors. The Kenyan private sector—particularly SMEs and schools—has become a soft target, lacking the sophisticated detection systems needed to thwart stealthy digital intrusions.
System Vulnerabilities: The Billion-Bug Backdoor
No cyber threat has grown more explosively than system vulnerabilities—the flaws in software code, cloud architecture, or unpatched firmware that let attackers slip inside. From just over 100,000 cases in 2020, Kenya’s reported vulnerabilities exploded to over 3.2 billion in 2024.
Much of this can be traced to the country's accelerated push toward digitisation during the pandemic and beyond. Government services, tax platforms, healthcare records, even educational content all migrated online, often without adequate testing. Vulnerabilities such as the Log4j flaw and weak API authentication were not merely inherited from global software providers; they were allowed to fester in under-maintained systems across the public and private sectors. The result: a landscape riddled with access points for attackers.
Botnets and DDoS: Infrastructure Under Fire
In the shadowy world of cyberwarfare, botnets and Distributed Denial of Service (DDoS) attacks are the equivalent of digital carpet bombing—overwhelming websites, banks, or government portals with sheer volume. In Kenya, reported cases reached a stunning 92 million in 2021, briefly dipped, and then resurged to 63 million by 2024.
IoT proliferation is partly to blame. From routers and webcams to solar controllers and POS devices, poorly secured endpoints have become digital conscripts in global botnet armies. Local attackers increasingly rent these networks from criminal syndicates abroad. Last year’s DDoS attack on a major Kenyan bank’s mobile app platform, which took services offline for hours, bore all the hallmarks of such coordinated assaults.
Website Application Attacks: The Unseen Breach
Attacks on website applications—such as SQL injections or form-jacking—saw an unusual pattern in Kenya. From 11.5 million cases in 2020, numbers sharply declined to just 386,000 in 2023, only to jump again to 8.4 million in 2024.
The temporary dip may reflect improved web development practices, but the rebound indicates that vulnerabilities are far from resolved. Kenya’s growing e-commerce and fintech ecosystems—many of them bootstrapped startups—frequently rely on open-source platforms with outdated plugins. Attackers know where to probe: a customer portal, a forgotten admin login, an insecure API.
The scale may be smaller than other attack types, but the reputational and financial fallout can be devastating.
A Nation at the Digital Crossroads
Kenya’s cybercrime crisis is not a side effect of progress—it’s the price of rapid digitisation without adequate defences. The scale is no longer measured in thousands, but billions. These invisible attacks leave behind no fingerprints, only financial loss and public distrust.
In a country where mobile money dominates daily life, a single breach can cripple services or ruin livelihoods. Yet the response has been mostly reactive, marked by lagging regulation and limited awareness.
To safeguard its digital future, Kenya must now treat cybersecurity as essential infrastructure. The frontier is no longer just technological—it’s also about trust, resilience, and national stability.