A 20-year-old Mount Kenya University (MKU) student was charged on Monday, October 27, 2025, at the Milimani Law Courts with stealing over KSh 7.8 million from Sidian Bank in a sophisticated cyber heist. Collins Mutuma, a Bachelor of Education (Science) student, appeared before Chief Magistrate Lucas Onyina, facing charges of conspiracy to defraud and theft. He denied the charges and was released on a KSh 200,000 cash bail.

According to the charge sheet presented by the prosecution, Mutuma allegedly conspired with several others who are still at large to unlawfully siphon KSh 7,882,845 from various accounts held at Sidian Bank. The alleged crime took place on January 11, 2025, at an undisclosed location within Kenya. Investigators from the Directorate of Criminal Investigations' (DCI) Banking Fraud Investigations Unit reported that the funds were systematically transferred from Sidian Bank and consolidated into a personal account held by Mutuma at Diamond Trust Bank (DTB).

Court documents further revealed that in an attempt to launder the funds and conceal their illicit origin, Mutuma allegedly made subsequent transfers. These included sending KSh 300,000 to an individual named Dominic Gichiri Kagwina and another KSh 169,000 to an M-Pesa account registered under Samuel Mukola Matheka. Prosecutors contend these transactions were part of a broader money-laundering network. Mutuma's defense argued that he was being unfairly linked to a complex cybercrime, leading to his not guilty plea. The case is scheduled for a pre-trial mention on Monday, November 3, 2025.

Kenya's Banking Sector Under Digital Siege

This high-profile case is not an isolated incident but rather a symptom of a growing and persistent threat to Kenya's economy. The nation's financial institutions are increasingly becoming prime targets for cybercriminals. According to data from the Central Bank of Kenya (CBK), local lenders lost a staggering KSh 1.59 billion to cybercriminals in the last year, with more than half of that amount—KSh 810.68 million—stolen through attacks targeting mobile banking platforms. This represents a 344% jump in mobile banking fraud from the previous year.

The Communications Authority of Kenya (CA) has also reported an alarming rise in cyber threats. In the first quarter of 2025 alone, the CA recorded 2.54 billion cyber threat incidents, a 201.7% increase from the last quarter of 2024. These statistics underscore the severe vulnerabilities in the digital ecosystem that millions of Kenyans now depend on for their daily financial transactions. The shift to digital banking, while improving efficiency and financial inclusion, has simultaneously expanded the attack surface for criminals.

Regulatory and Legal Frameworks Put to the Test

In response to the escalating threats, Kenyan authorities have been working to strengthen the country's cybersecurity posture. The Central Bank of Kenya has issued comprehensive cybersecurity guidelines that mandate all licensed financial institutions to establish robust governance structures, conduct regular risk assessments, and report significant cybersecurity incidents to the CBK within 24 hours. A key development is the establishment of the Banking Sector Cybersecurity Operations Centre (BS-SOC) in 2025, which acts as a central hub for threat intelligence and incident response coordination for the entire financial sector.

The legal framework for prosecuting such crimes is primarily the Computer Misuse and Cybercrimes Act of 2018. This legislation criminalizes a wide range of activities, including unauthorized access to computer systems, computer fraud, and identity theft, prescribing hefty fines and lengthy prison sentences for convicted offenders. Recent amendments in 2024 and 2025 have sought to introduce even tougher penalties, with fines of up to KSh 20 million and jail terms of up to ten years for offences like cyber harassment, although some of these amendments have faced legal challenges over concerns about their impact on freedom of expression.

The case against Collins Mutuma will serve as a critical test for the effectiveness of these legal and regulatory measures. As the DCI continues its investigation to apprehend the other alleged conspirators, the Kenyan public and the financial industry will be watching closely. The outcome will have significant implications for public confidence in the security of digital banking and the state's capacity to protect citizens and institutions from the ever-evolving threat of cybercrime.