Friday, March 13, 2026


Digital Siege: Inside the Sh44 Million Cyber-Heist at Kingdom Bank

NAIROBI, Kenya — The heist left no broken glass, no silent alarm tripped in the night, no CCTV frame to review in the morning. What it left was an imbalance: a gap between the physical cash in Kingdom Bank’s vaults and the numbers on its digital ledger so large that auditors, running their routine end-of-day reconciliation, stopped cold. Sh44 million had disappeared.

The suspect now charged with that disappearance is Felix Njenga, who appeared before Magistrate Susan Shitubi at the Milimani Law Courts after what the Directorate of Criminal Investigations’ Banking Fraud Investigations Unit describes as a forensic pursuit that traced the theft back to a single IP address. Njenga denied the charges. The legal battle now begins.

But the case is unfolding at a moment of rare legal turbulence for cybercrime prosecution in Kenya. Less than a week before the charges were pressed, the Court of Appeal declared two pillars of the Computer Misuse and Cybercrimes Act unconstitutional, describing the struck-down provisions as “unguided missiles” capable of netting innocent citizens alongside genuine criminals. The ruling does not touch the provisions under which Njenga is charged, but it signals a judiciary increasingly willing to scrutinise the architecture of Kenya’s digital crime law — a fact that his defence counsel will not have missed.

“The suspect acted with high-level technical precision” — Prosecution, Milimani Law Courts

HOW THE BREACH UNFOLDED

According to court documents and the prosecution’s opening arguments, Njenga’s assault on Kingdom Bank was not a blunt intrusion but a methodical exploitation of weaknesses in the institution’s remote access infrastructure. Investigators say he obtained administrative privileges within the bank’s core banking platform — the back-end system through which every credit, debit and balance is recorded — and used that access to create fictitious credit entries that appeared, to the bank’s automated monitoring systems, as legitimate transactions.

The prosecution told the court the suspect had acted with “high-level technical precision,” suggesting a command of banking software architecture that went beyond casual familiarity. Sources with knowledge of the investigation say the method bore the hallmarks of someone who either worked in financial technology or had studied the specific architecture of the bank’s systems in advance.

The Sh44 million was not extracted in a single transfer, which would have triggered immediate anti-money laundering alerts. Instead, Njenga allegedly employed a technique investigators describe as “smurfing”: the funds were dispersed in smaller tranches across multiple accounts at different banks and mobile money platforms, each individual movement sized to avoid crossing the thresholds that would have prompted automated flags. By the time the amounts were aggregated, the money had been moved dozens of times and, in significant part, already withdrawn.
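The aggregation gap described above can be shown from the detection side. The sketch below is an added example, not drawn from the court record or the bank's systems; the threshold, window, fan-out count, account names and transfers are all constructed for illustration. It sums each source account's sub-threshold transfers over a sliding window and flags the account once the aggregate crosses the single-transfer limit and is spread over several destinations.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical tuning values; the article gives no real thresholds.
REPORT_THRESHOLD = 1_000_000    # per-transfer alert limit, in shillings
WINDOW = timedelta(hours=24)    # period over which transfers are summed
MIN_DESTINATIONS = 3            # fan-out required before flagging

# Constructed sample transfers: (ISO time, source, destination, amount)
SAMPLE = [
    ("2026-03-01T09:00:00", "ACC-SRC-1", "BANK-A-001", 400_000),
    ("2026-03-01T09:20:00", "ACC-SRC-1", "MOBILE-002", 350_000),
    ("2026-03-01T10:05:00", "ACC-SRC-1", "BANK-B-003", 300_000),
    ("2026-03-01T11:00:00", "ACC-SRC-1", "BANK-C-004", 450_000),
    ("2026-03-01T09:30:00", "ACC-SRC-2", "BANK-A-010", 200_000),
    ("2026-03-03T09:30:00", "ACC-SRC-2", "BANK-A-011", 200_000),
    ("2026-03-01T12:00:00", "ACC-SRC-3", "BANK-D-020", 1_500_000),
]

def detect_structuring(transfers):
    """Return {source: alert} for accounts whose sub-threshold transfers,
    summed over WINDOW, reach REPORT_THRESHOLD across several destinations."""
    recent = defaultdict(deque)  # source -> (time, destination, amount)
    alerts = {}
    for ts, src, dst, amount in sorted(transfers):
        if amount >= REPORT_THRESHOLD:
            continue             # left to the ordinary single-transfer rule
        when = datetime.fromisoformat(ts)
        window = recent[src]
        window.append((when, dst, amount))
        while when - window[0][0] > WINDOW:
            window.popleft()     # drop transfers older than the window
        total = sum(a for _, _, a in window)
        dests = sorted({d for _, d, _ in window})
        if total >= REPORT_THRESHOLD and len(dests) >= MIN_DESTINATIONS:
            best = alerts.get(src)
            if best is None or total > best["total"]:
                # keep the largest aggregate seen for this source
                alerts[src] = {"total": total, "destinations": dests,
                               "count": len(window), "as_of": ts}
    return alerts

if __name__ == "__main__":
    for account, alert in detect_structuring(SAMPLE).items():
        print(account, alert)
```

No single transfer from the flagged account reaches the limit; only the windowed sum does, which is why per-transaction rules alone miss this pattern.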

THE PAPER TRAIL AND THE ARREST

The red flag came not from any real-time fraud alert but from the most analogue moment in a bank’s digital day: the end-of-day reconciliation. When Kingdom Bank’s IT auditors matched physical cash holdings against the digital ledger, the discrepancy was impossible to overlook. The investigation that followed was handed to the BFIU, the DCI unit that has become Kenya’s primary instrument for pursuing financial cybercrime.

Detectives traced the digital footprint of the intrusion to an IP address linked to Njenga. Forensic analysis of his devices, according to the prosecution, produced remnants of the software used to bypass the bank’s firewalls and logs of the unauthorised transactions themselves. That digital evidence chain — IP address, device forensics, transaction logs — is the backbone of the state’s case.

The prosecution, in arguing against lenient bail terms, emphasised both the scale of the loss and what it characterised as the risk of the suspect interfering with digital evidence still under recovery. The court has granted the DCI additional time to pursue the remaining funds, a significant portion of which had already been withdrawn or converted into other assets by the time of the arrest.

KINGDOM BANK: A SUBSIDIARY UNDER SCRUTINY

Kingdom Bank, a Co-operative Bank of Kenya subsidiary established in 1995 and converted from a microfinance institution into a fully-fledged commercial lender, serves tens of thousands of customers across Kenya, with a strong footprint among small businesses and faith-based depositors. Its relatively lean digital infrastructure compared to its parent institution is a feature common to mid-tier lenders navigating the cost pressures of full digitalisation.

The bank has not publicly commented on the breach. Co-operative Bank Group did not respond to inquiries from The Star before publication. The silence is commercially understandable but governance-sensitive: the CBK requires institutions to report cybercrime incidents in real time, and Kingdom Bank’s pre-incident cybersecurity posture, and whether it met the regulator’s mandatory baseline standards, will almost certainly be examined as the criminal proceedings develop.

This is not the institution’s first brush with the legal consequences of a digital failure. A High Court ruling in March 2024 held Kingdom Bank liable after it failed to take adequate steps to recall funds withdrawn following a customer’s fraud report, finding the bank had not met its duty of care. That precedent, in which institutional passivity proved costly, will cast a shadow over how the bank’s conduct in the current, far larger breach is evaluated.

Mid-tier banks operate on legacy systems and lean IT teams. Hackers know precisely where the thin points are.

A SECTOR UNDER SIEGE

The Kingdom Bank heist is the most visible recent episode in a pattern of escalating digital assault on Kenya’s financial sector. Central Bank of Kenya data for 2024 documented a fourfold increase in cyber-related banking losses compared to the previous year, with fraud incidents rising from 153 to 353 and total losses to hackers reaching Sh1.59 billion. Mobile banking was the hardest hit channel, with criminals extracting Sh810.68 million through that route alone — a jump of 344 per cent. Card fraud, meanwhile, rose 16-fold to Sh263.29 million.

FACTBOX: THE KINGDOM BANK CYBER-HEIST

Amount stolen:  Sh44 million

Primary suspect:  Felix Njenga

Method:  Unauthorised system access and falsified credit entries; smurfing to disperse funds

Investigating agency:  DCI Banking Fraud Investigations Unit

Presiding magistrate:  Susan Shitubi, Milimani Law Courts

Bank:  Kingdom Bank (subsidiary of Co-operative Bank of Kenya)

Status:  Before the Milimani Law Courts; Njenga denies all charges

Funds recovered:  Partial; DCI granted additional time to pursue remaining assets

The Communications Authority of Kenya separately reported that cyberattack volumes in the country more than doubled to 7.96 billion incidents in the year to June 2025, with system-level attacks accounting for 97 per cent of recorded threats. In his November 2025 State of Security report to Parliament, President William Ruto specifically named cybercrime, including cryptocurrency fraud, as a national security threat.

Cybersecurity consultant Mark Yohance, who is Nairobi-based and has advised several Kenyan financial institutions, said the Kingdom Bank case illustrated a structural vulnerability that the sector had not yet closed. “This case is a wake-up call,” he said. “Traditional passwords and basic firewalls are no longer enough. Banks must move toward Zero Trust Architecture and real-time behavioural biometrics to catch these anomalies as they happen.”

Mid-tier banks are disproportionately exposed. Unlike large commercial institutions, which have invested hundreds of millions of shillings in cybersecurity infrastructure and carry Electronic Computer Crime Policy insurance premiums of up to Sh400 million annually, smaller lenders frequently operate on legacy systems with lean IT teams — and hackers appear to have mapped those pressure points with precision.

THE LEGAL DIMENSION: A SHIFTING BATTLEFIELD

The prosecution of Felix Njenga proceeds under provisions of the Computer Misuse and Cybercrimes Act that remain intact, specifically those covering unauthorised access, electronic fraud and computer manipulation. But the case lands in a courtroom that has just been reshaped by the Court of Appeal’s March 6, 2026, ruling in a challenge brought by the Bloggers Association of Kenya and allied petitioners.

The court, in a bench comprising Justices Patrick Kiage, Aggrey Muchelule and Weldon Korir, declared Sections 22 and 23 of the Act unconstitutional. Those sections criminalised the publication of false or misleading digital content and had been used to prosecute journalists, bloggers and activists. The court found them “so broad, wide, untargeted” as to be likely to net innocent citizens, describing the provisions as akin to unguided missiles.

The struck-down sections do not directly govern the charges facing Njenga. However, the ruling signals a broader judicial willingness to interrogate the proportionality of Kenya’s cybercrime statute, a posture that defence counsel in the Kingdom Bank case could seek to leverage in arguing how the remaining provisions should be read and applied. Kenya’s cybercrime legal architecture is in transition, and the Njenga trial sits squarely within that contested terrain.

WHAT JUSTICE REQUIRES

For depositors whose money sat in Kingdom Bank’s digital corridors when the breach occurred, the legal complexity may feel abstract. For investigators, prosecutors and the judiciary, the case demands something harder: the kind of clear-eyed technical competence and evidential rigour that Kenya’s courts are still building their capacity to apply in digital crime cases.

The BFIU has secured a string of arrests in recent months, from the May 2025 arraignment of five suspects in a multi-bank hacking scheme at Makadara Law Courts to the March 2026 detention of Albert Komen Kipkechem, linked to the theft of over Sh52 million from multiple lenders using remote access software. Arrests, though, are only the beginning. Convictions in cyber fraud matters have remained frustratingly difficult to secure at speed, partly because digital forensic evidence is technically complex and partly because suspects frequently disperse stolen funds across jurisdictions before investigators can act.

A significant portion of the Sh44 million stolen from Kingdom Bank remains unrecovered. The DCI has been granted more time by the court to pursue what can still be retrieved. Whether the money, or justice, is fully recovered will say something important about where Kenya’s capacity to police the digital economy actually stands.

Dickens Bukhu
With over a decade in the newsroom trenches, I’m a facts-first journalist driven by truth, not trends. From explosive investigations and hard-hitting political exposés to deeply human stories that matter, I chase every lead with grit and clarity. Versatile and relentless, I tell the stories others won’t — and make sure they’re heard.
