Kenya’s Use of Pegasus Spyware | What We Know and What Remains Hidden


As the story goes in Nairobi, just past midnight, a governance rights activist stares at their iPhone. A cryptic security alert flashes. “State-sponsored attacker may be targeting your device.”

It’s not an isolated case. Across Kenya, a chilling pattern has emerged. Activists, Gen Zs, and opposition voices are quietly disappearing from the digital space. Victims, many suspect, of Pegasus spyware.

But is Pegasus really in use here? And what official records or public investigations back it up?

Pegasus Spyware Infrastructure in Kenya

In 2018, researchers at Citizen Lab identified Kenya as one of 45 countries with signs of Pegasus infrastructure activity. While this did not confirm direct infections, it revealed that servers linked to Pegasus had been configured to interact with Kenyan networks.

Using DNS fingerprinting, a technique that detects the covert digital handshake between infected devices and remote command servers, analysts concluded that operators were actively targeting devices within the country. The evidence stopped short of attribution, but the infrastructure was unmistakably present.


Since then, Kenya’s surveillance posture has grown more layered and domestically engineered. A system known as Optimus 3.0, mysterious in development and funded through internal budget reallocations, has been referenced in official proceedings as a “social media monitoring tool.”

On June 5, 2025, the National Assembly’s Budget and Appropriations Committee proposed a Ksh. 50 million increase to the Directorate of Criminal Investigations specifically for its deployment. The language was bureaucratic. The implications were not. Arrests and intimidation of online activists have escalated in parallel.

At street level, the expansion is equally visible. Huawei-supplied urban surveillance grids, now embedded with facial recognition overlays, have proliferated across Nairobi and other major cities. These CCTV meshes are capable of identity-matching in real time, fused with telecom metadata to enable persistent tracking of individuals through both physical and digital terrain.

What emerges is not a single monolithic system, but a constellation of interoperable technologies that together form a modern surveillance state quietly calibrated, locally legitimized, and increasingly difficult to detect.

Where Are the Public Records?

Despite these developments, Kenya's parliament has been conspicuously silent. An analysis of Hansard records shows no mention of Pegasus or similar spyware by name to date.

Discussions around cybersecurity and public safety have remained vague, often bundled under budget reallocations or digital transformation initiatives. Notably, the 2021 approval of a Ksh 9.8 billion Huawei command-and-control system was passed without open tender or public vetting.

As early as 2015, Privacy International flagged this expansion as a regulatory failure.

The removal of judicial warrant requirements and the vague language of Kenya’s amended Security Laws give intelligence agencies sweeping interception powers with little oversight.


Is There Forensic Proof of Pegasus Infections?

As of July 2025, there remains no public forensic confirmation that Pegasus has infected any Kenyan device. The silence, however, is not absence. It is a strategic void. While Amnesty International and Citizen Lab have surgically documented Pegasus infections in Mexico, Morocco, and India through memory captures and packet inspection, Kenya lingers in a curious limbo.

In late 2023, at least three Kenyan journalists received the now-infamous Apple notification—an automated, chilling alert stating they may have been targeted by mercenary spyware attacks. They did not speak on record. Their phones were not handed over. Their silence, as one cybersecurity expert noted privately, is “a survival instinct masquerading as digital discretion.”

The absence of a forensic audit is not due to a lack of suspicion but a lack of safe infrastructure. Submitting a device for inspection can turn a journalist into a target twice over—once for what was on the phone and again for admitting it was compromised.

For civil society actors, the fear is not hypothetical. In Kenya, access to internationally certified mobile forensic labs is limited, and local labs are often seen as too close to state agencies to trust with sensitive material. Even when potential infections arise, there is no neutral ground to analyze them.

Without an independent forensic trail, legal recourse stalls at the gates of plausibility. Courts demand hard proof. Advocacy needs pattern recognition. What exists now is a fog of unconfirmed targeting, a handful of alerts from a foreign tech giant, and a civil society ecosystem trapped between exposure and erasure.

Until a credible chain of custody is established, Pegasus in Kenya will remain an open secret, whispered but never sworn.

On paper, Kenya maintains one of Africa’s more progressive legal frameworks for digital rights. Article 31 of the Constitution explicitly affirms the right to privacy, a clause born in the post-authoritarian era to curb state overreach.

The Data Protection Act of 2019 codifies modern standards for consent, data handling, and redress, borrowing from the spirit of Europe’s GDPR. Surveillance laws, at least in theory, come shackled with judicial guardrails.

The National Intelligence Service Act and the Prevention of Terrorism Act both stipulate that interception of communication requires a court-issued warrant.


In practice, those protections have proven permeable. A quiet series of internal security circulars, passed without parliamentary scrutiny, now permits interception based solely on agency head approval. What began as emergency measures have ossified into routine protocol. The judiciary is no longer a gatekeeper, but an observer. Surveillance has become administrative, not adversarial.

The Office of the Data Protection Commissioner, the one institution capable of moderating this shift, has remained conspicuously silent. No public audits. No enforcement rulings. No technical advisories on spyware or malware deployments.

Civil society groups have repeatedly petitioned for interpretive guidance, especially in the wake of Apple's threat notifications. Each request has met the same bureaucratic shrug: “Under review.”

In effect, the laws exist. The rights are named. But the architecture of oversight has been hollowed out. Surveillance in Kenya operates within a legal scaffolding that was designed to restrain power but has instead become its camouflage.

Could Pegasus Have Been Procured Through Backchannels?

Officially, Kenya is not listed among the 37 countries approved to access Pegasus, following Israel’s post-2021 export restrictions and the NSO Group’s blacklisting by the U.S. Commerce Department.

That move was meant to tighten the tap on military-grade spyware, shielding it from autocratic misuse. In practice, the tap may have sprung leaks. Kenya’s status remains opaque—never confirmed, never denied. In the absence of explicit licensing, a new theory emerges. Pegasus, or tools functionally identical to it, may have entered through proxy doors.

Cyber policy analysts and forensic technologists now speak in probabilities, not proofs. Even if NSO Group never signed a direct contract with a Kenyan ministry, the region is thick with intermediary vendors who specialize in the discreet repackaging of offensive cyber capabilities.

These brokers operate in legal twilight zones, marketing under alternate names, routing payloads through shell companies, and bundling surveillance features into composite products that escape regulatory radar. The spyware may wear a different name, but the codebase, delivery vectors, and functionality often echo NSO’s blueprint.

Investigative teams at Africa Uncensored have in the past tried to trace procurement trails involving opaque budget reallocations, unexplained vendor line items, and quiet partnerships with firms known to resell state surveillance tools.

Still, no whistleblower leak, no internal memo, no smoking-gun contract has surfaced. What exists is the scaffolding of a possibility. Dense, circumstantial, and increasingly difficult to ignore. If Pegasus never arrived in name, something like it almost certainly did in spirit.

Surveillance Without Pegasus—IMSI Catchers and CCTV Meshes

Kenya’s surveillance apparatus does not rely on Pegasus to function at scale. According to telecom insiders with direct knowledge of internal deployments, the state increasingly uses IMSI catchers. These portable devices imitate cellular towers, silently forcing nearby phones to connect. 

Once connected, they expose metadata and allow interception of voice and text communications in real time.


Deployment is often in dense urban zones, near activist gatherings, protests, and at political events, creating a dragnet that operates without public visibility. The reach of this system expands when combined with Huawei-linked facial recognition CCTV networks, now embedded in Nairobi’s traffic systems and public security infrastructure.

Through deep integration with telecom operators, agencies gain access to call logs, live location data, and session histories across millions of users. Former intelligence officials describe this system as a layered interception model, built from a hybrid of Chinese surveillance platforms, Israeli signals intelligence technology, and locally developed tools.

Statutory oversight remains fragmented. As a result, Kenya could have assembled a powerful surveillance ecosystem that rivals Pegasus in effect while avoiding the international scrutiny that proprietary spyware often attracts.




Blown Whistles

Numerous activists have described unsettling encounters in recent months, recounting warnings from Members of Parliament and former intelligence officials. “They said I was being tracked online,” one Nairobi-based activist shared. “They even mentioned meetings I never posted about.” While such accounts remain unverified, they mirror established surveillance patterns in Uganda, where Pegasus was confirmed on the devices of journalists and politicians.

In Kenya, vague legal provisions like “incitement via digital platforms” have increasingly served as justification for pre-emptive arrests under the Computer Misuse and Cybercrimes Act. Just weeks ago, a software developer was detained for automating mass emails to Parliament opposing the finance bill. The arrest sparked outrage across tech communities and digital rights circles.


Independent monitoring groups have reported a measurable chilling effect. WhatsApp groups are falling silent, signal apps show decreased activity, and once-vocal bloggers are vanishing from online platforms.

Most starkly, Albert Omondi Ojwang, a young activist and teacher, was arrested on June 6, 2025, under a “false publication” charge. Two days later, he was found dead in police custody. His death became a flashpoint during the mass #OccupyStateHouse demonstrations, triggering a wave of arrests targeting online organizers and digital campaigners.

This is a surveillance ecosystem that doesn’t need Pegasus to paralyze dissent. It operates through intimidation, ambiguity, and the erosion of digital trust. The tools are increasingly local, the tactics more opaque, and the silence more coordinated.

How Kenyans Can Rein It In

Kenya urgently needs:

  • A parliamentary committee on surveillance procurement
  • Transparent judicial warrant systems for all digital interception
  • Mandatory disclosure of surveillance budgets and vendor identities
  • An independent device forensics lab supported by international watchdogs

Without structural reforms, Kenya risks entrenching a surveillance state with no public oversight.

How to Detect and Defend

Pegasus operates as multi-stage spyware, designed to evade conventional detection and forensic analysis.

Its infection vectors exploit unpatched OS vulnerabilities, often before vendors can issue patches, which makes routine software updates necessary but insufficient as a sole defense.

Identification requires analyzing subtle behavioral anomalies such as intermittent network beacons to command servers, encrypted payload unpacking, and kernel-level rootkit activity, often invisible to user-space monitoring tools.

Detecting Pegasus demands advanced memory forensics, traffic pattern analysis, and hardware-level instrumentation, which are beyond the reach of average users or standard antivirus solutions.
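The traffic-pattern side of this can be illustrated with a simple periodicity check, added here as an example and not taken from any vendor or research tool: it flags device-to-destination pairs whose connection gaps are unusually regular. The flow records, host names, and thresholds are constructed assumptions, and the heuristic is generic rather than a Pegasus signature.

```python
from collections import defaultdict
from statistics import mean, pstdev

T0 = 1_700_000_000  # arbitrary base time for the constructed sample

# Constructed flow records (unix_time, device, destination); not real telemetry.
SAMPLE_FLOWS = (
    # Regular contact roughly once an hour with a few seconds of jitter.
    [(T0 + t, "phone-a", "sync.example.net")
     for t in (0, 3605, 7195, 10810, 14400, 17990, 21610)]
    # Human-driven browsing: bursty, irregular gaps.
    + [(T0 + t, "phone-a", "news.example.org")
       for t in (100, 160, 900, 5000, 5030, 9000, 20000)]
    # Too few events to judge either way.
    + [(T0 + t, "phone-b", "mail.example.com") for t in (50, 3650, 7250)]
)


def find_beacons(flows, min_events=6, max_cv=0.1, min_period=60):
    """Return {(device, dest): (mean_gap_s, cv)} for near-periodic contact.

    cv is the coefficient of variation of the gaps between connections;
    values near 0 mean machine-like regularity.
    """
    seen = defaultdict(list)
    for ts, device, dest in flows:
        seen[(device, dest)].append(ts)

    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_events:
            continue  # not enough samples for a stable estimate
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_period:
            continue  # skip streaming/keep-alive style chatter
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = (round(avg, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (device, dest), (gap, cv) in find_beacons(SAMPLE_FLOWS).items():
        print(f"{device} -> {dest}: every ~{gap}s (cv={cv})")
```

A hit is only a lead for forensic follow-up: legitimate push, sync, and telemetry services are periodic too, so flagged destinations still need to be checked against known-good services.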

To mitigate risk, high-value targets should employ hardware isolation techniques and multi-factor authentication, use hardened, minimal-attack-surface devices, and apply continuous network anomaly detection powered by AI trained on known Pegasus signatures.

However, individual defenses can only delay, not prevent, determined state-sponsored attacks.

Structural resilience hinges on transparent governance, mandatory vendor audits, legal prohibitions against unauthorized use, and robust whistleblower protections. Only a combination of cutting-edge technical countermeasures and systemic policy reform can truly contain the threat Pegasus poses.
