
A significant forensic report prepared by the renowned Citizen Lab at the University of Toronto’s Munk School has been presented before the Kenyan Judiciary, alleging the installation of FlexiSPY spyware on devices belonging to Kenyan citizens.

The report implicates the Directorate of Criminal Investigations (DCI) and suggests a troubling expansion of surveillance capabilities within the country.

The scandal came to light following the detention of four filmmakers, Bryan Adagala, Nicholas Wambugu, Chris Wamae, and Markdenver Karubiu, who are associated with the BBC’s ‘Blood Parliament’ documentary. According to their lawyer, Ian Mutiso, an independent forensic analysis by the Citizen Lab found spyware on the devices of Bryan Adagala and Nicholas Wambugu. The filmmakers were apprehended on May 2 under unclear circumstances and had their equipment and hard drives confiscated. While they were released the next day without being charged, their lawyer condemned the installation of spyware, stating it was a violation of their rights.

The Citizen Lab, an interdisciplinary laboratory recognized for its expertise in tracking digital threats against civil society, conducted a forensic analysis that pointed to the installation of FlexiSPY on the devices of Bryan Adagala and Nicholas Wambugu. According to the forensic findings, the FlexiSPY spyware was installed on Adagala’s device on May 21, 2025, at 17:37:06 GMT, and on Wambugu’s device at 17:36:06 GMT on the same date. Crucially, these installation times fall within the period when the devices were reportedly in the custody of the Kenyan police. While the report notes that this “does not preclude the possibility that other spyware or manipulations were made to the device,” it strongly suggests a direct link to the state’s actions.

The ‘Blood Parliament’ documentary, with which the filmmakers were allegedly linked, exposed the involvement of the National Police Service and the Kenya Defence Forces in the killings during the Gen Z-led protests on June 25, 2024.

What is FlexiSPY and what can it do?

FlexiSPY is a commercially available spyware tool that can be purchased and easily installed on certain devices, including Android phones, given physical access. The Citizen Lab report detailed that this readily available and low-cost spyware gives its operator extensive and deeply intrusive capabilities, covertly capturing a wide range of user behavior and data from the infected device. These capabilities include:

  • Recording phone calls: Capturing both incoming and outgoing conversations.
  • Capturing audio from the microphone: Enabling ambient listening.
  • Capturing text messages: Including SMS and messages from popular apps like WhatsApp.
  • Collecting screenshots: Visual recordings of device activity.
  • Tracking the device’s location: Monitoring movements and whereabouts.
  • Deleting and modifying data: Allowing for the manipulation of content on the device.

The report highlights that FlexiSPY’s “low cost and general availability make it attractive for a wide variety of uses.” Disturbingly, it notes that FlexiSPY “has previously been used to spy on dissidents and activists, and has even reportedly been used by drug cartels.” This history underscores the significant risks posed to civil liberties and privacy when such tools are allegedly deployed by state actors against their own citizens.

The Citizen Lab’s research mandate focuses on identifying whether devices have been targeted or compromised with various types of mercenary spyware, including sophisticated tools like NSO Group’s Pegasus, Predator by Cytrox, and others.