Author
Section I: Prosecuting Digital Asset Crime in Kenya
Kenya’s approach to prosecuting digital asset crime relies on a tripartite legal framework, combining a foundational criminal code with modern, specialized statutes. This framework includes the Penal Code (Cap. 63), the Computer Misuse and Cybercrimes Act, 2018 (CMCA), and the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA). Recent amendments in 2024 and 2025 have significantly sharpened these instruments to address the unique challenges posed by digital assets.
1.1 The Penal Code (Cap. 63): A Foundational Backstop
The Kenyan Penal Code (Cap. 63), enacted long before the advent of digital assets, provides a foundational but often ill-fitting framework for prosecuting related crimes. Its utility hinges on the judicial interpretation of traditional property offenses to encompass intangible assets. Key offenses include theft (Section 275), forgery (Section 349), and various forms of fraud. For instance, an exchange operator misappropriating customer funds could be charged under Section 281 ( Stealing by clerks and servants).
However, prosecuting under the Penal Code presents significant hurdles in proving both the actus reus (the guilty act) and the mens rea (the guilty mind) due to the technical and pseudonymous nature of digital assets. The Code is also limited by its analogue-era concepts of jurisdiction and its lack of technological specificity to address modern crimes like phishing or smart contract exploits. Consequently, while it serves as a legal backstop, prosecutors almost invariably turn to the more modern and specific CMCA.
1.2 The Computer Misuse and Cybercrimes Act (CMCA): The primary prosecutorial tool
The Computer Misuse and Cybercrimes Act, 2018 (CMCA) is Kenya’s principal legislative instrument for combating crimes involving digital assets. Unlike the Penal Code, the CMCA is specifically tailored to the digital environment. Key offenses applicable to digital asset crime include:
1. Section 14 (Unauthorised Access): The foundational offense for hacking into exchanges or wallets.
2. Section 26 (Computer Fraud): Central to prosecuting the vast majority of digital asset scams, fraudulent ICOs, and phishing websites.
3. Section 29 (Identity Theft and Impersonation): Critical for addressing crimes like SIM-swap fraud used to gain control of accounts.
4. Section 30 (Phishing): Specifically criminalizes the act of inducing users to disclose sensitive information like private keys.
5. The Computer Misuse and Cybercrimes (Amendment) Bill, 2024, was pivotal in solidifying the Act’s application. It expanded the definition of “asset” to explicitly
include “virtual assets,” removing any legal ambiguity and significantly lowering the prosecutorial burden. The CMCA also grants investigators robust powers, including
Search and Seizure (Section 48), Production Orders to compel data from service providers (Section 50), and Expedited Preservation of digital evidence (Section 51).
1.3 The Proceeds of Crime and Anti-Money Laundering Act (POCAMLA): Targeting Illicit Profits
While the CMCA prosecutes the criminal act, the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) targets the financial benefit derived from it. Offenses under the CMCA, such as computer fraud, serve as the “predicate offenses” that generate illicit funds. The stolen or fraudulently obtained digital assets are then defined as the “proceeds of crime,” which POCAMLA empowers authorities to trace, freeze, and confiscate.
The Anti-Money Laundering and Combating of Terrorism Financing Laws (Amendment) Act, 2025, fundamentally reshaped this landscape in response to Kenya’s FATF grey-listing. The amendment explicitly brings “digital financial service providers (e.g., mobile money and cryptocurrency firms)” under the definition of reporting institutions. This subjects all Virtual Asset Service Providers (VASPs) to the full suite of AML/CFT obligations, including:
● Customer Due Diligence (CDD) and Know Your Customer (KYC).
● Suspicious Transaction Reporting (STR) to the Financial Reporting Centre (FRC).
● Beneficial Ownership Transparency.
Non-compliance carries significantly stricter penalties, including higher fines and potential criminal liability for directors.
Section II: The Multi-Agency Enforcement Ecosystem
The enforcement of Kenya’s laws against digital asset crime depends on a complex ecosystem of specialized agencies, each with a distinct but interconnected mandate. Effective prosecution and asset recovery require seamless cooperation among these bodies.
2.1 Delineating Roles of Key Agencies
1. Directorate of Criminal Investigations (DCI): The DCI’s Cybercrime Unit is the frontline agency for investigating the predicate offenses under the CMCA and Penal Code, tasked with gathering digital evidence and identifying suspects.
2. National Computer and Cybercrimes Coordination Committee (NC4): Established by the CMCA, the NC4 is the national-level coordinating body for all cybersecurity matters, providing strategic advice and facilitating cooperation among national security organs.
3. Financial Reporting Centre (FRC): As Kenya’s Financial Intelligence Unit (FIU), the FRC receives, analyzes, and disseminates financial intelligence to combat money laundering. Its role now includes the supervision of VASPs, making it the central node for tracking illicit financial flows.
4. Asset Recovery Agency (ARA): The ARA is the specialized body with the exclusive mandate to trace and recover the proceeds of crime under POCAMLA. It initiates civil and criminal forfeiture proceedings against illicitly acquired assets, including cryptocurrency.
5. Capital Markets Authority (CMA) and Central Bank of Kenya (CBK): These two bodies form the dual-regulatory pillar for the VASP sector. The CMA oversees investment-focused VASPs, while the CBK supervises payment-focused services.
2.2 The Interplay of Laws and Agencies in Practice
The legal framework operates as a sequential and complementary process. An investigation into a digital asset scam would typically begin with the DCI using the investigative powers of the CMCA to identify the predicate offense (e.g., Computer Fraud) and gather evidence. If the illicit funds are moved through a licensed Kenyan VASP, that entity is now obligated under POCAMLA to file a Suspicious Transaction Report with the FRC. The FRC analyzes this financial intelligence and disseminates it to the DCI and the ARA. Finally, the ARA uses its powers under POCAMLA to apply for court orders to freeze and ultimately forfeit the recovered digital assets. This demonstrates a lifecycle where the CMCA is used to prove the crime and POCAMLA is used to seize the profits.
2.3 The Role of International Cooperation: Operation Serengeti 2.0
The borderless nature of digital asset crime necessitates strong international cooperation. A prime example of this is Operation Serengeti 2.0, an INTERPOL-coordinated crackdown on cybercrime across Africa that ran from June to August 2025. The operation brought together investigators from 18 African countries, including Kenya, and the United Kingdom, leading to 1,209 arrests and the recovery of nearly USD 100 million.
A significant highlight of the operation was the action taken in Angola, which demonstrates the direct application of coordinated enforcement against illicit digital asset activities. Angolan authorities, as part of the operation, dismantled 25 illicit cryptocurrency mining centers that were being operated by 60 Chinese nationals. Authorities confiscated 45 illicit power stations and a substantial amount of mining and IT equipment valued at over USD 37 million. The Angolan government has since earmarked these seized assets to support power distribution in vulnerable areas, turning the proceeds of crime into a public good. Such operations underscore the importance of international frameworks like INTERPOL for tackling transnational digital crime that local agencies cannot address alone.
Section III: Legislative Gaps, Challenges, and Recommendations
Despite comprehensive reforms, certain legislative gaps and significant practical challenges remain, which will require further action to ensure the framework’s effectiveness.
3.1 Identifying Gaps and Overlaps
● Gaps: A notable gap is the framework’s application to crimes unique to Decentralized Finance (DeFi), where proving criminal intent for exploiting smart contract code can be difficult. The VASP Bill, 2025, also omits clear definitions for key fundraising mechanisms like Initial Coin Offerings (ICOs), creating potential uncertainty.
● Overlaps: A significant area of potential overlap lies in the dual regulatory mandate of the CMA and the CBK over the VASP sector. The line between an investment product and a payment service can blur, creating a risk of regulatory arbitrage and confusion for market participants.
3.2 Key Enforcement Challenges
● Jurisdiction and Cross-Border Enforcement: The borderless nature of cybercrime remains the single greatest operational hurdle, as perpetrators, servers, and assets are often scattered globally. Traditional Mutual Legal Assistance Treaties are often too slow for the pace of cybercrime.
● Anonymity and Obfuscation: The use of mixers, tumblers, and privacy coins makes it extremely difficult for investigators to trace illicit funds and link them to a real-world identity.
● Technical Capacity and Resources: A persistent challenge is the gap between the technical sophistication of cybercriminals and the capacity of law enforcement, prosecution, and the judiciary, which often lack sufficient training and specialized digital forensic tools.
3.3 Strategic Recommendations for Stakeholders
To ensure the successful implementation of this new framework and foster a secure and innovative digital asset ecosystem, targeted actions are required from all key stakeholders.
For Policymakers and Legislators:
● Develop Clear Inter-Agency Protocols: Prioritize the creation of formal, binding Memoranda of Understanding (MOUs) between the CMA and the CBK to de-conflict jurisdictional overlaps in the regulation of hybrid digital assets.
● Allocate Dedicated Funding: The national budget must reflect the new enforcement priorities, including significant, ring-fenced funding for specialized digital forensic tools and continuous, advanced technical training.
● Review and Adapt: Establish a standing parliamentary or inter-agency committee to continuously review the efficacy of the legal framework and adapt it to rapid technological changes, particularly in areas like DeFi and AI-driven financial crime.
For Law Enforcement (DCI and ARA):
● Forge Public-Private Partnerships: Establish formal partnerships with leading private-sector blockchain analytics and cybersecurity firms for tool procurement, training, and operational support.
● Operationalize International Frameworks: Actively and routinely utilize the cooperation mechanisms provided by the Budapest Convention’s 24/7 network to streamline requests for international assistance.
● Develop Digital Asset Seizure Protocols: Create a detailed, standardized operating procedure for the seizure, custody, and management of cryptocurrency to ensure a secure chain of custody.
For the Judiciary:
● Institute Specialized Judicial Training: Develop and mandate a continuous professional development program for judges and magistrates on the technical fundamentals of blockchain, digital evidence, and the unique legal questions posed by digital asset crimes.
● Establish Digital Evidence Guidelines: Develop practice directions for the admission and handling of complex digital evidence, such as blockchain transaction data and forensic reports from analytics tools.
For Virtual Asset Service Providers (VASPs):
● Invest in Robust Compliance Infrastructure: Treat the new POCAMLA and VASP Bill requirements as a core business function by investing in automated transaction monitoring systems and hiring qualified compliance personnel.
● Proactive Regulatory Engagement: Proactively engage with the CMA, CBK, and FRC to seek clarity on ambiguous provisions and contribute to the development of practical regulatory guidance.
● Enhance Cybersecurity and Consumer Protection: Beyond AML compliance, invest heavily in cybersecurity measures to protect customer assets and implement transparent terms of service, clear risk disclosures, and effective dispute resolution mechanisms.
