Starlink kits are a cybercriminal’s best friend

CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.

HIGHLIGHTS

Starlink kits are a cybercriminal’s best friend

You probably need the internet for good, important things, like watching streaming services or doom-scrolling Twitter. Cybercriminals need the internet too, to do I suppose less good, but otherwise important things too.

Which brings us to Starlink.

SpaceX recently went public with a major action, announcing they had “proactively identified and disabled over 2,500 Starlink Kits in the vicinity of suspected 'scam centers” in Myanmar. It was a victory for network hygiene, but it also underscored Starlink's central paradox: the same features that make it a lifeline for remote villages and conflict zones also make it a cybercriminal's best friend.

Since launching in Africa and the broader global south, Starlink has provided high-speed internet (whether that is affordable or not is an entirely different coversation) to regions where telco ISPs have provided unstable, expensive connection. Starlink has been welcomed by both threat and non-threat actors. 

If you were a criminal mastermind operating a global scam, your most important operational security task would be ensuring your legitimate identity that drives the nice car and enjoys the proceeds remains entirely disconnected from your criminal identity, which is doing the actual cybercrime. 

You do this through a number of means, including through VPNs, proxies, and perhaps most critically, anonymous customer sign-ups. You want to hide this criminal identity from your internet service provider (ISP) too, because, well, they are in bed with the law.

For years, the partnership between law enforcement and ISPs has been the bottleneck for cybercrime. Interpol, for example, lists unnamed telco ISPs as some of their AFJOC (African Joint Operation against Cybercrime) partners. This is enabled in part because many African countries in recent years have enforced strict Know-Your-Customer (KYC) mandates. When you register for a SIM card, for example, the provider has to cross-reference that the ID you provided is real, yours, and duly linked to the SIM you're buying. This process turns the ISP into a key intelligence resource. When a crime is detected, authorities can issue a warrant to the local telco to find the name and physical address linked to the IP address.

It is slightly different with Starlink.

The satellite internet provider operates a minimal ID philosophy. By default, registering your Starlink in many markets requires your name, a billing address, and card details. In countries with stricter KYC requirements, which includes many of the aforementioned African countries, Starlink is also required to ask for an image of your identification card and confirm if the ID is valid and (fingers crossed) matches with the name provided.

Starlink does not perform the comprehensive digital cross-referencing and biometric checks that many modern financial institutions and telcos now mandate.

Say X is a cybercriminal in Lagos. He can, in theory, subscribe to Starlink using a stolen or manipulated ID picture and a prepaid debit card registered to a fake address without Starlink having a mechanism to verify that the ID picture actually belongs to the person activating the dish. This is not a theoretical risk. Identity fraud remains the most dominant fraud trend in Africa. In Kenya, for example, reports show that 87% of identity fraud is linked to telecom products, often involving stolen IDs used to facilitate SIM-swap fraud.

If local Telcos struggle to verify identity despite mandatory, in-person SIM registration, a digitally-led, global provider like Starlink operating on a minimal verification model creates an inherent risk of being co-opted by bad actors.

Starlink offers criminals another layer of operational security. Data privacy.

Starlink, following its philosophy of end-to-end encryption, is inherently more secure than most legacy telco ISPs in Africa. Telcos can, and sometimes are required by law to, keep users’ browsing logs for some time. While traffic to HTTPS sites is encrypted, the metadata (who you connected to, when, for how long) is still logged, and unencrypted traffic is entirely visible.

Starlink, by contrast, states that it does not process the content of traffic. While Starlink can decrypt your traffic if legally compelled or if they suspect a grave threat (the decryption keys are managed on their network), there is no example of them having done that yet—except, perhaps, in the Myanmar case, where the technical means of identifying the specific nature of the fraud remains undisclosed.

Even before Starlink’s very specific problem, access to the internet presents a moral quandary and a classic dual-use problem.

The ethical line between maintaining open access for human rights and commerce, and preventing the use of the internet to enable heinous crimes and the abuse of the rights of others (like human trafficking and scam centers) is a treacherous one. 

In Myammar, it is likely that geo-fencing played a huge role in the crackdown. They can easily reference the location of dishes (which are also clustered) with publicly disclosed locations of scam centers. I assume the cybercriminals are already shopping for their next, more anonymous, Starlink device.

Kenya revisits amended cybercrime law

Kenya’s high court has suspended parts of its newly amended Computer Misuse and Cybercrimes (Amendment) Act, 2024, just one week after it was quietly signed into law. Critics cried foul over provisions that would effectively criminalize online dissent.

The halted provisions criminalize intentional communication that harms another person’s reputation, privacy, or mental well-being, including actions “likely to cause them to commit suicide.” They also cover similar electronic transmissions and prescribe penalties of up to KES 20 million or a ten-year prison term. This is a modification of the original 2018 statute, which already criminalized unauthorized access, false information, and cyber harassment.

The amendment does several other things, including:

• Criminalizing SIM-swap fraud with a penalty of up to ten years in prison.

• Mandating owners of Critical Information Infrastructure (CII) (like banks and telcos) to report security incidents within 24 hours and store sensitive data locally.

• Granting the National Computer and Cybercrimes Coordination Committee (NC4) sweeping authority to order the blocking or removal of websites, apps, or content deemed to promote illegal activities without judicial oversight.

Advocates who advocated for the law to be changed, including activist Reuben Kigame and the Kenya Human Rights Commission (KHRC), argued that the language is "dangerously vague" and gives the government unchecked power to determine what constitutes "truth" online, effectively setting up a framework for digital censorship. The court's temporary suspension of the contentious clauses marks a significant (though not permanent) victory for free expression.

This legal battle follows a predictable pattern of times when the law had been used to stifle dissent in cases in Kenya. For instance, in 2020, social media activist Edwin Mutemi Kiama was arrested and charged under the Computer Misuse and Cybercrimes Act for publishing infographics critical of government policies on social media. The penalty provisions were so severe they were seen to have a "chilling effect" on journalists and bloggers.

As we’ve covered before, cybercrime laws are a problem across Africa. The broad, vague language is consistently weaponized against government critics. Senator Natasha Akpoti-Uduaghan, a Nigerian politician, was recently charged for cybercrime for allegedly misinforming the public with comments about her suspension from parliament. Others who have faced this law include Rose Njeri, a software developer and civic activist who was arrested in Kenya after creating a platform for the public to email parliament with views on a controversial bill.

Apart from Uganda, where a court ruled the cybercrime law as unconstitutional and a threat to free speech, only Kenya has made an attempt to revisit its cybercrime law through judicial challenge. The need for these laws, however, is clear for governments seeking to protect national infrastructure and fight actual fraud.

In the past five years, cybercrime legislations like Kenya’s and Nigeria’s have been passed in Zambia, Zimbabwe, and Tanzania among others, often taking inspiration from the harmonizing principles of the Budapest Convention.

FEATURE

• Cyber warfare has become an integral and preceding component of kinetic conflict in Africa, particularly referencing the Sudan civil war. Before the physical fighting intensified, factions like the Rapid Support Forces (RSF) used spyware (like Predator) to mine data, track cellphones, and organize influence campaigns to manipulate public opinion. This new reality sees combatants add keyboards, hackers, and Artificial Intelligence (AI) tools to their arsenals. – Read War Waged in Keystrokes

HEADLINE

• Ethiopia targets black-market money transfers as central bank vows tough sanctions

• INTERPOL crackdown leads to 83 arrests across six African countries, exposes $260 million in terrorism financing

• Tanzania, Uganda, Rwanda rank poorly in global fraud protection

• Cyber threats put South African home buyers at risk

• Kenya: Tether invests in Kotani Pay to accelerate crypto adoption

• Cybersecurity, training and expertise: Rwanda joins forces with Slovakia

• Online Fraud: CERT.tg warns of new online scam in Togo

• Beninese scammer caught after tragic death of Dutch victim

• Cyberattacks surge in Ghana: country to lose over 19 million cedis by 2025

• National Cybercrime Week in Burkina Faso: Authorities officially launch the event

• Microsoft warns of rising cyber Threats across Africa

• Telecom fraud attempts drop 10pc amid higher awareness

• Alleged Cybercrime: Court fixes Nov 24 for Senator Natasha’s trial

ACROSS THE WORLD

• Notorious cyber scam hub linked to Chinese mafia raided

• Meta launches campaign to protect seniors from online scams

• Scotland faces cyber threat from 'bad actors' such as Iran amid social media bot claims

OPPORTUNITIES

• NITDA/CISCO free cybersecurity training program 2025 for young Nigerians.

• Internet society cybersecurity grant: Supporting projects focusing on practical solutions around resiliency & security

• State and Local Cybersecurity Grant Program

• U.S. National Science Foundation funding

IMAGE OF THE WEEK

See you next week.