Report: How DCI installed FlexiSPY on OPPO, Samsung, & Redmi phones to spy on calls, messages, & location

A Citizen Lab and Intruvent Technologies analysis links FlexiSPY spyware to devices seized from journalists following BBC Africa’s "Blood Parliament" documentary.

A growing digital surveillance scandal is unfolding in Kenya after forensic reports confirmed that phones seized from journalists linked to the BBC Africa Eye documentary Blood Parliament were tampered with while in police custody, and had commercial spyware known as FlexiSPY installed.

The revelations stem from a series of legal filings and forensic analyses shared by advocate Ian Mutiso, who represents four filmmakers — Brian Adagala, Mark Denver Karubiu, Christopher Wamae, and Nicholas Wambugu — arrested in May 2025 after the BBC documentary aired on April 28. The journalists were accused of “publishing false information,” but no evidence has since been produced against them.

Citizen Lab finds spyware infection during DCI custody

On September 10, 2025, Mutiso revealed findings from Citizen Lab, a digital rights research group based at the University of Toronto’s Munk School of Global Affairs. The lab’s forensic report confirmed with high confidence that FlexiSPY spyware was installed on journalist Nick Wambugu’s device while it was in the custody of Kenya’s Directorate of Criminal Investigations (DCI).

The analysis traced the installation to May 21, 2025, at 17:36 GMT — a period when the device was under official DCI possession. According to Citizen Lab, FlexiSPY can record calls, activate the microphone, capture messages, take screenshots, and track location, all without user knowledge.

Further forensic analysis confirms coordinated tampering

A separate investigation by Intruvent Technologies, led by Sigurd E. Murphy III (a former U.S. Department of Defense cybercrime expert), corroborated Citizen Lab’s findings. The company examined four smartphones: an OPPO CPH2349 (OPPO A16K) belonging to Wambugu, a Samsung Galaxy S9+ belonging to Adagala, and two Redmi models belonging to Wamae and Karubiu, and found that all four devices were accessed and modified while in state custody on May 21, 2025.

The forensic reports, shared publicly in this Google Drive folder, show a coordinated pattern: the devices were powered on, connected to Wi-Fi, and updated via Google Play before FlexiSPY (v5.6.3) was installed within hours. Notably, one device also logged the use of MyPhoneExplorer, a remote access tool capable of controlling Android devices and extracting files.

According to Intruvent, the spyware installations granted “administrative access” to the devices, effectively turning them into live surveillance tools. Both labs confirmed data integrity using cryptographic hashing (MD5, SHA-1, SHA-256), ensuring the findings weren’t tampered with during analysis.
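One way to check a returned device for apps first installed during a custody window is sketched below. It is an added example, not code from Citizen Lab, Intruvent or this article. The package names, the custody window and the device's UTC+3 offset are constructed assumptions, and the input follows the layout printed by `adb shell dumpsys package`.

```python
import re
from datetime import datetime, timedelta, timezone

PLAY_STORE = "com.android.vending"

# Constructed sample in the layout `adb shell dumpsys package` prints.
# Package names are placeholders; times are device-local (assumed UTC+3).
SAMPLE_DUMPSYS = """\
  Package [com.example.chat] (1a2b3c):
    installerPackageName=com.android.vending
    firstInstallTime=2024-11-02 09:14:51
    lastUpdateTime=2025-05-21 19:58:12
  Package [com.example.placeholder.sync] (4d5e6f):
    installerPackageName=null
    firstInstallTime=2025-05-21 20:36:00
    lastUpdateTime=2025-05-21 20:36:00
  Package [com.example.notes] (7a8b9c):
    installerPackageName=null
    firstInstallTime=2023-03-10 12:00:00
    lastUpdateTime=2023-03-10 12:00:00
"""

def parse_packages(text, utc_offset_hours):
    """Yield (name, installer, first_install_utc) for each package record."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    name, fields = None, {}
    for line in text.splitlines() + ["  Package [] ():"]:  # sentinel flushes last record
        m = re.match(r"\s*Package \[(.*?)\]", line)
        if m:
            if name and "firstInstallTime" in fields:
                t = datetime.strptime(fields["firstInstallTime"], "%Y-%m-%d %H:%M:%S")
                yield name, fields.get("installerPackageName"), t.replace(tzinfo=tz).astimezone(timezone.utc)
            name, fields = m.group(1), {}
        elif "=" in line:
            key, _, value = line.strip().partition("=")
            fields[key] = value

def installed_in_custody(text, start_utc, end_utc, utc_offset_hours=3):
    """Packages first installed inside the window and not delivered by Google Play."""
    return [(n, t) for n, inst, t in parse_packages(text, utc_offset_hours)
            if start_utc <= t <= end_utc and inst != PLAY_STORE]

# Constructed custody window in UTC (hypothetical; a real one comes from custody records).
CUSTODY_START = datetime(2025, 5, 21, 12, 0, tzinfo=timezone.utc)
CUSTODY_END = datetime(2025, 5, 22, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for pkg, when in installed_in_custody(SAMPLE_DUMPSYS, CUSTODY_START, CUSTODY_END):
        print(f"{pkg} first installed {when:%Y-%m-%d %H:%M} UTC during custody")
```

A Google Play update inside the window changes only `lastUpdateTime`, so it is not flagged; getting the device's UTC offset wrong shifts every timestamp and can move an install in or out of the window.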

Implications for privacy and digital rights

If upheld in court, these findings mark one of the first publicly verified cases of state-installed spyware targeting journalists in Kenya. The alleged use of FlexiSPY — a commercially available surveillance app often sold to private users — highlights how easily such tools can be misused by authorities when devices are seized during investigations.

FlexiSPY, marketed as “the world’s most powerful Android spy app,” allows remote interception of calls, live listening, GPS tracking, and camera access. It has previously been linked to surveillance of activists and dissidents globally.

Case still under review

The Office of the Director of Public Prosecutions (ODPP) is reportedly reviewing the evidence as of this writing (November 5, 2025), following multiple court appearances and forensic submissions. The matter — listed as REPUBLIC OF KENYA VS… AND FOUR OTHERS (MCCR E1640 of 2025) — is next scheduled for mention on November 10, 2025.

While the courts will determine liability, the technical findings raise broader concerns about digital security and privacy for Kenyans. For many, the revelation underscores a chilling reality: that handing your phone to authorities, even briefly, could expose your private communications to surveillance-grade tampering.

Hillary Keverenge

Making tech news helpful, and sometimes a little heated. Got any tips or suggestions? Send them to hillary@tech-ish.com.
