Between December 2025 and January 2026, a single unknown person used a consumer AI chatbot to systematically dismantle the cybersecurity defences of the government of Mexico. By the time anyone noticed, 150 gigabytes of data was gone — tax records tied to 195 million taxpayers, voter files, government credentials, and civil registry documents spanning Mexico's federal tax authority, its electoral institute, four state governments, and a water utility.
The tool was not a nation-state hacking suite but a consumer AI chatbot, and the attacker's conversation logs with it were found publicly accessible online when the breach came to light on February 25.
The method was not technically novel. What made it effective was patience and AI assistance: the ability to craft targeted social engineering at scale, to probe defences continuously without fatigue, and to adapt to each new barrier without a human in the loop slowing the attack down.
Kenya has built something similar to what Mexico lost, except larger and more centralised. Over 13 million Kenyans are registered on eCitizen. More than 16,000 government services sit on a single platform. The Maisha Namba digital ID programme is issuing up to 30,000 new IDs every day. Whether Kenya's cyber defences are ready for AI-assisted attacks is not a hypothetical question. It is an urgent one.
The Ksh 29.9 Billion We Already Know About
Before discussing where cyber threats are heading, the current baseline deserves to be stated clearly.
Kenya lost Ksh 29.9 billion to cybercrime in 2024/2025. That figure comes from the Africa Cybersecurity Report Kenya 2024/2025, produced by Serianu, one of the continent's most credible cybersecurity research institutions, based on responses from 280 organisations. Continent-wide, Africa lost Ksh 650 billion, roughly $5 billion, in the same period.
Payment fraud was the most common incident category, driven by real-time mobile money transfers, weak transaction monitoring systems, and social engineering attacks that exploit the trust that makes M-Pesa so frictionless in legitimate use. Online and email fraud accounted for 40% of all incidents and 32% of recorded losses, pointing to persistent gaps in how organisations manage digital identity verification. SIM-swap attacks and mobile money fraud remain widespread despite what Serianu describes as "improved controls", a diplomatic way of saying the controls are not keeping up with the attackers.
A specific case from 2025 illustrates the gap between controls and outcomes: attackers compromised a digital payments portal, disabled OTP notifications (the alert that would otherwise reach the account holder), and funnelled Ksh 49 million into mobile wallets, bank accounts, and till numbers before the breach was detected. In a separate incident, a syndicate stole over Ksh 6 million from a commercial bank. Both were carried out with relatively conventional methods. Neither required AI.
The Ksh 29.9 billion figure is sobering on its own. What Serianu's CEO William Makatiani said at the report's launch is more sobering still: "The rate at which organisations are investing is improving, but attackers are advancing even faster."
That gap, between the pace of investment in defence and the pace of offensive capability, is where AI enters the picture.
What AI Has Already Changed for Attackers
A global survey of 500 senior leaders by Boston Consulting Group, published in December 2025, quantified the defensive side of this gap. Only 7% of organisations globally have deployed AI tools in their cyber defence. Meanwhile, approximately 60% have likely already experienced an AI-powered attack in the past year. The defensive majority is fighting with 2019-era tools against attackers who have fully adopted 2026 capabilities.
The BCG report identifies three structural shifts that make AI-enabled attacks categorically different from what came before.
The first is scale and speed. AI enables attackers to hunt for vulnerabilities across thousands of systems simultaneously, generate personalised phishing content at industrial volume, and probe defences continuously without the fatigue or cost constraints that limit human attackers. A campaign that previously required a team of analysts working over weeks can now be initiated and iterated by one person with a laptop and an API key.
The second is autonomous operation. AI has moved from static models to agentic systems: AI that can observe, reason, and act across multiple steps without human oversight. The Mexico breach demonstrated this: the attacker used AI to sustain a patient, multi-stage intrusion over two months, adapting to each defensive response without adding resources or personnel. Autonomous attacks can probe continuously, adapt instantly to defensive signals, and maintain an operational tempo that human defenders cannot match in real time.
The third is identity collapse. Deepfakes, voice cloning, and synthetic identity generation have undermined authentication that relies on recognising a person. The BCG survey found that AI-generated deepfake video has already been used to impersonate a CFO in a live video call, resulting in a $25 million fraud loss at a multinational engineering firm. Voice cloning was used to spoof election-related robocalls, resulting in a $1 million regulatory fine for a telecom provider. When you cannot trust that the voice or face on your screen belongs to the person it claims to be, any verification that rests on a human recognising another human collapses; what survives is verification anchored in something the attacker cannot synthesise, such as a cryptographic credential bound to a device.
Kenya's digital economy is built on identity verification: M-Pesa PIN entry, OTP confirmation, biometric matching at eCitizen kiosks, SIM registration against the national ID. Every one of these controls was designed for a threat environment where impersonation was expensive and required physical proximity, or at least possession of the victim's phone. AI has made convincing impersonation cheap, scalable, and remote.
Why Kenya Is a High-Value Target
Kenya's appeal to cybercriminals is a function of the same qualities that make its digital economy a regional success story.
M-Pesa processes hundreds of billions of shillings in transactions every month; the frictionless speed that makes mobile money genuinely useful also means a fraudulent transfer settles before monitoring systems flag it. The eCitizen platform centralises access to government services at a scale that, if compromised, would expose millions of citizen records in a single breach. Kenya's position as East Africa's technology hub means it hosts the regional offices, data centres, and payment processing infrastructure of companies operating across multiple countries, making it a gateway target whose breach has continental consequences.
The Serianu report notes that Kenya's digital infrastructure remains significantly exposed at the network layer. Many devices remain reachable through open remote-access services that should have been secured or decommissioned years ago: cleartext protocols such as Telnet and FTP, which expose credentials to anyone on the path, and RDP exposed directly to the internet, where it is routinely brute-forced. Operational errors and system misconfigurations compound the attack surface, particularly in public sector institutions where IT staffing and budget constraints are most acute.
Kenya also has the third-highest number of internet users in sub-Saharan Africa and among the highest mobile money penetration rates globally. From an attacker's perspective, this is not a liability; it is an opportunity. More users, more transactions, more endpoints, more attack surface, and a regulatory and enforcement environment that is still building the capacity to respond at the speed and sophistication that AI-enabled attacks require.
The eCitizen Problem Nobody Is Talking About Loudly Enough
The Mexico breach warrants specific attention in the Kenyan context because the structural parallels are uncomfortable.
Mexico's breach exploited centralised government infrastructure, a single point of failure whose compromise gave the attacker access to data spanning multiple agencies. eCitizen is Kenya's equivalent architecture. The platform's value proposition is precisely its centralisation: one login, one identity, access to thousands of services. That centralisation is also its vulnerability. A successful attack against eCitizen's authentication layer, or against the identity verification systems that underpin Maisha Namba, would not be a single agency breach. It would be a systemic one.
Kenya's government moved faster on digital transformation than on the security architecture to protect it. The Maisha Namba rollout, the eCitizen expansion, the integration of biometric data across health, education, and financial services: these are genuinely impressive infrastructure achievements. But each integration point is also a potential attack surface, and the BCG survey's finding that 88% of organisations plan to deploy AI defence while only 7% have done so describes a gap that attackers are exploiting right now.
The government is aware of this. Secretary to the Cabinet Mercy Wanjau, speaking at the Serianu report launch, announced the establishment of a Government Security Operations Centre, a centralised national cyber-monitoring facility. That is the right structural response. The implementation timeline, resourcing, and integration with existing agency security teams will determine whether it arrives before the next major incident or after it.
What Organisations and Individuals Can Do Now
For businesses and institutions operating in Kenya, the BCG and Serianu findings point to concrete priorities rather than abstract awareness.
Identity governance is the most urgent gap. Both reports identify identity management, how you verify who is accessing what, as the primary attack surface for AI-enabled threats. Multi-factor authentication that relies solely on SMS OTPs is no longer sufficient: a SIM swap redirects the victim's number, and the code arrives on the attacker's handset. Authenticator apps (time-based codes derived on the device from a secret that is never transmitted) remove the SMS channel entirely, though a code typed into a convincing phishing page can still be relayed in real time. Hardware security keys and device-bound biometric verification go further, because the credential is tied to the legitimate site and cannot be replayed elsewhere. For organisations processing significant financial transactions, these are not optional upgrades.
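To make the difference between an SMS OTP and a device-bound code concrete, here is an added example (not code from the page, Serianu, or BCG) of the RFC 6238 TOTP scheme that authenticator apps implement, with a server-side verifier that tolerates one step of clock skew and refuses replays. The device secret, the step size, and the account handling are assumptions for illustration; the two RFC test vectors checked at the bottom are the published ones.

```python
import hashlib
import hmac
import struct

# Constructed example: a per-device secret provisioned once (normally via a QR code at enrolment).
# In production this is random (e.g. secrets.token_bytes(20)) and stored encrypted server-side;
# the fixed value here is an assumption so the example is reproducible.
DEVICE_SECRET = b"kenya-example-device-secret-2025"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter, HMAC-SHA1 with dynamic truncation."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check. Nothing is sent to the user at login time: both sides derive the code
    from the shared secret, so intercepting SMS (SIM swap, SS7 redirection) yields nothing."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window                 # accept +/- one step of clock skew
        self.last_accepted_counter = -1      # replay guard: each time step is usable once

    def verify(self, submitted: str, now: int) -> bool:
        counter = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_accepted_counter:
                continue                     # already used, or older than a step we accepted
            expected = totp(self.secret, c * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_accepted_counter = c
                return True
        return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    v = TotpVerifier(DEVICE_SECRET)
    code = totp(DEVICE_SECRET, now)
    print("first use:", v.verify(code, now))        # True
    print("replayed: ", v.verify(code, now + 5))    # False
```

The replay guard matters in the SIM-swap scenario the text describes: even an attacker who shoulder-surfs or phishes a code has at most thirty seconds and one use. What TOTP does not stop is a real-time relay through a phishing site, which is why the hardware keys mentioned above, whose signatures are bound to the genuine origin, are the stronger option for high-value accounts.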
Recovery readiness matters as much as prevention. The shift Serianu recommends (from risk management to resilience) reflects a hard-won insight from organisations that have been breached: prevention will sometimes fail. Immutable backups, routine recovery testing, and documented incident response procedures determine whether a breach becomes a recoverable disruption or a catastrophic loss. The organisations that recovered fastest from the attacks documented in the Serianu report were those with functioning recovery systems, not necessarily those with the most sophisticated perimeter defences.
AI-assisted monitoring is now table stakes for financial institutions. Real-time transaction monitoring that flags anomalies (unusual patterns, atypical access times, out-of-pattern transfer destinations, security settings changed just before a burst of transfers) needs to operate at the speed of AI-enabled attacks. That means automated detection at machine speed, deterministic rules first and AI models layered on top, rather than human analysts reviewing logs after the fact; people cannot catch attacks that complete in minutes. This is not a future consideration for Kenya's banks, fintechs, and mobile money operators. It is a current gap that the incidents documented by Serianu have already exploited.
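As an added example (not from the page or the Serianu report) of the deterministic layer of such monitoring, the following scores each transfer as it streams in against a per-account baseline: a destination never seen before, a time of day the account never transacts at, an amount far above its history, a burst of transfers inside ten minutes, and, modelled on the Ksh 49 million portal case above, a transfer shortly after OTP notifications were switched off. The events, thresholds, weights and field names are all constructed assumptions; a real deployment would tune them per product and feed the resulting alerts to an ML model rather than stop here.

```python
from datetime import datetime, timedelta

# Constructed sample events for illustration (not from any real system); UTC timestamps, Ksh amounts.
EVENTS = [
    {"ts": "2025-03-10T09:12:00", "acct": "A1", "type": "transfer", "dest": "till-4471", "amount": 1200},
    {"ts": "2025-03-10T12:40:00", "acct": "A1", "type": "transfer", "dest": "till-4471", "amount": 800},
    {"ts": "2025-03-11T02:03:00", "acct": "A1", "type": "setting", "change": "otp_notifications_off"},
    {"ts": "2025-03-11T02:05:00", "acct": "A1", "type": "transfer", "dest": "wallet-0711", "amount": 150000},
    {"ts": "2025-03-11T02:06:00", "acct": "A1", "type": "transfer", "dest": "wallet-0722", "amount": 150000},
    {"ts": "2025-03-11T02:07:30", "acct": "A1", "type": "transfer", "dest": "bank-3390", "amount": 149000},
    {"ts": "2025-03-11T02:09:00", "acct": "A1", "type": "transfer", "dest": "till-9001", "amount": 148000},
    {"ts": "2025-03-11T10:15:00", "acct": "B7", "type": "transfer", "dest": "till-2001", "amount": 500},
]

# Thresholds and weights are assumptions chosen for the example, not published figures.
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_COUNT = 3            # this many transfers inside the window is a burst
SETTING_WINDOW = timedelta(minutes=30)
AMOUNT_SPIKE_FACTOR = 10      # amount above 10x the account's prior maximum
MIN_HISTORY_FOR_HOURS = 2     # don't judge time-of-day until the account has some history
ALERT_THRESHOLD = 5


def score_events(events):
    """Stream events in time order and score each transfer against the account's learned baseline.
    Returns a list of alerts: dicts with acct, ts, score and the reasons that fired."""
    profiles = {}    # acct -> baseline learned from non-alerted transfers only
    recent = {}      # acct -> timestamps of all recent transfers (velocity counts alerted ones too)
    otp_off_at = {}  # acct -> time OTP notifications were switched off
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, t = ev["acct"], datetime.fromisoformat(ev["ts"])
        if ev["type"] == "setting":
            if ev["change"] == "otp_notifications_off":
                otp_off_at[acct] = t
            continue
        p = profiles.setdefault(acct, {"dests": set(), "hours": set(), "max_amount": 0, "count": 0})
        window = [x for x in recent.get(acct, []) if t - x <= VELOCITY_WINDOW] + [t]
        recent[acct] = window
        reasons = {}
        if ev["dest"] not in p["dests"]:
            reasons["new_destination"] = 2
        if p["count"] >= MIN_HISTORY_FOR_HOURS and t.hour not in p["hours"]:
            reasons["off_hours"] = 2
        if p["max_amount"] and ev["amount"] > AMOUNT_SPIKE_FACTOR * p["max_amount"]:
            reasons["amount_spike"] = 2
        if len(window) >= VELOCITY_COUNT:
            reasons["velocity"] = 3
        if acct in otp_off_at and timedelta(0) <= t - otp_off_at[acct] <= SETTING_WINDOW:
            reasons["otp_notifications_disabled_recently"] = 4
        score = sum(reasons.values())
        if score >= ALERT_THRESHOLD:
            alerts.append({"acct": acct, "ts": ev["ts"], "score": score, "reasons": sorted(reasons)})
        else:
            # Only trusted (non-alerted) activity updates the baseline, so an attacker cannot
            # normalise their own pattern by sending a burst of transfers.
            p["dests"].add(ev["dest"])
            p["hours"].add(t.hour)
            p["max_amount"] = max(p["max_amount"], ev["amount"])
            p["count"] += 1
    return alerts


if __name__ == "__main__":
    for a in score_events(EVENTS):
        print(a["ts"], a["acct"], a["score"], ", ".join(a["reasons"]))
```

Run against the constructed events, account A1's four night-time transfers are flagged and B7's ordinary payment is not. Two design points carry over to real systems: the baseline learns only from transactions that were not flagged, so a fraudster cannot train the monitor to accept them, and the settings change is scored on its own timeline, because in the documented case disabling OTP notifications was the step that bought the attackers their silence.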
Consumer awareness remains the cheapest layer of defence. Enabling two-step verification on all financial accounts, with an authenticator app rather than SMS where the provider offers it. Confirming transfer requests through a separate channel before executing them. Being sceptical of urgent requests from known contacts (particularly voice or video calls requesting money or credentials), since both can now be convincingly faked. These behaviours cost nothing and intercept the social engineering attacks that remain the most common entry point for Kenya's most costly breaches.
The Asymmetry That Needs to Close
Kenya is in a position that is not unique but is particularly acute. It has built digital infrastructure fast enough to create real economic value (M-Pesa's role in financial inclusion, eCitizen's role in service delivery, Maisha Namba's potential to anchor a unified digital identity) but the security architecture protecting that infrastructure has not kept pace with either the sophistication of the threats or the centralisation of the target.
The Ksh 29.9 billion in losses documented by Serianu is a 2024/2025 figure. It reflects attacks carried out with largely conventional tools. AI-enabled attacks are already underway globally (the BCG survey's 60% figure counts organisations that have already experienced one), and Kenya's attack surface is large, high-value, and in several areas still inadequately protected.
The Mexico breach should be read as a preview, not a warning about somewhere else. The same consumer AI tools are available to the same global threat actors targeting Kenya. The centralised digital infrastructure that makes Kenya's government services efficient makes it a similarly attractive target. The response gap, between organisations that understand the risk and those actively deploying AI-native defences, is the window that attackers are operating in right now.
Closing that window is not primarily a technology problem. It is a resource, urgency, and prioritisation problem. The technology to defend against AI-enabled attacks exists. The organisations and institutions that deploy it at speed and scale will be the ones that are not in next year's Serianu report.