Is crypto infosec? (not really)

also ft Meta's data case in Nigeria ends underwhelmingly

CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.

HIGHLIGHTS

Is crypto infosec? (not really)

I promise we’d decided to write a crypto highlight long before yesterday’s market crash. Props for foresight, I guess??

The crypto industry, as we all know, is a “better” version of a bank. It is decentralised. It is trustless. It is also, to a large extent, unregulated. And this is all very nice in theory until you wake up one morning and find that your life savings, which you put in some crypto exchange run by a 24-year-old Sergei with a cat, have just disappeared. No one to call. No deposit insurance. No one will ever find Sergei, because the blockchain, in its wisdom, has made him pseudonymous.

And this, it turns out, is a major problem for infosec, which is what we’re all about at CybAfriqué.

In the traditional financial world, information security is a big, boring, well-funded department that spends its days thinking about things like Gramm-Leach-Bliley and how to comply with federal cybersecurity audits and certifications. 

This is not fun, but it means that if a bank gets hacked, someone with a very nice suit gets a very bad day, and there's a whole framework for how to deal with it.

Crypto is slightly different. There's no cybersecurity audit for a DeFi protocol. There’s no legal requirement for an exchange to get a security audit, even if it is holding billions of dollars of other people's money. This creates what you might call a perfectly-rational-for-a-hacker-but-terrible-for-everyone-else economic model — as confirmed by the ByBit breach.

Last week, the bullish crypto news out of Kenya was that the Kenyan Parliament had passed the Virtual Asset Service Providers (VASP) Bill, 2025, and it’s now just one presidential signature away from becoming a very real, very enforceable piece of legislation.

The most fundamental part of the bill is that it forces every "Virtual Asset Service Provider" (that's the official term for exchanges, brokers, wallet operators, and pretty much anyone who handles crypto for you) to get a license. This is one more departure from the current "we'll just operate here and see if anyone notices" model that dominates the industry.

To get a license, you have to be a legal entity and have a registered office in Kenya, an active bank account, and a board of directors. The bill also appoints enforcers and regulators for the sector, and asks that all licensed VASPs comply with international anti-money laundering (AML) and counter-terrorism financing (CFT) standards.

Join us next week for more on how regulations are splitting the grey crypto market into white and black.

Meta’s data lawsuit in Nigeria ends, somewhat underwhelmingly

In case you’ve been living under a rock, here’s the plot recap: 

Earlier this year, in February 2025, the Nigeria Data Protection Commission (NDPC) hit Meta with a $32.8 million fine for violating the new Nigeria Data Protection Act. The NDPC accused Meta of several things that are at the very heart of Meta’s business, including behavioral advertising without consent, unsanctioned data transfers, processing of non-user data, and failing to file an audit. 

The NDPC also gave Meta a list of corrective orders, including a demand to revise its privacy policies. Meta, as is its custom, did not take this lying down. It immediately rejected the findings and the process that led to them, arguing that it wasn't given a fair hearing. 

In March, Meta filed a motion in a Nigerian court, seeking a "judicial review" of the NDPC's orders. It basically asked the court to quash the fine and all the other directives, arguing they violated the company’s due process rights. The court, in its wisdom, did not issue a stay on the NDPC's orders, but it did agree to hear the case, which set up a head-to-head legal battle. The NDPC, for its part, filed a preliminary objection, arguing that Meta's lawsuit was incompetent and that the court didn't even have jurisdiction.

The lawyers got into a whole back-and-forth about procedural rules, with one side saying the other's filings were "grossly incompetent." It was a classic legal showdown, setting up what looked to be a precedent-setting ruling on digital regulation in Africa. 

Then, just as the court was preparing to deliver a ruling, lawyers on both sides told the court they had reached an "advanced stage of settlement discussions" and were concerned that a court ruling might "jeopardize" negotiations.

Why would Meta, a company with famously deep pockets and a history of fighting these battles, suddenly want to settle? And why would the NDPC, an agency that has been very public about its mission to enforce data protection, agree?

For Meta, this settlement is a business decision. A bad ruling could set a painful precedent, not just for Nigeria, but for other African countries looking to follow suit. A public and drawn-out fight could also create negative publicity. By settling, Meta gets to control the outcome. It can pay a fine (or a portion of it) and agree to specific, manageable changes to its operations, all while avoiding a potentially damaging court decision. 

For the NDPC, a settlement is also a win. It gets a big, public victory without the risk of losing in court, which could have undermined its authority. It also gets to set a powerful precedent. The fact that a company as large as Meta, which has faced similar regulatory issues all over the world, is willing to negotiate with a new African regulator sends a strong signal to other tech giants. 

The final details of the settlement are expected to be presented to the court by the end of October. It won't just be about the money. It will also include the corrective actions the NDPC demanded, like a revised privacy policy and new data protection assessments. The outcome will likely serve as a blueprint for how Big Tech handles data privacy in Nigeria and in the rest of Africa.


See you next week.