BUJUMBURA, March 3rd (ABP) – The Burundian law on cybercrime adopted and enacted two years ago to regulate and punish offenses committed online, marks a crucial step in the digital protection of the country. At a time when the judicial police (PJ) are recording an increase in reported cases, a digital law expert denounces legislative gaps that hinder the effectiveness of prosecutions. At the same time, victims testify to the sometimes-dramatic consequences of cybercrime. Sextortion, identity theft, computer data theft, cyber-harassment, to name but a few, are forms of cybercrime that are increasingly taking on a worrying pace in Burundi. What is the real status of the fight against cybercrime in Burundi?
Cybercrime is defined by the UN as any illegal behavior involving electronic operations that target the security of information systems and the data processing.
With the development of cyber-attacks and the multiplicity of its mechanisms and tools, preventive policy is more effective than their curative counterparts. The international trend is based on strengthening cyber-attack prevention indicators and improving digital cyber-security indicators, but not at the individual level.
Dr. David Kwizera, an expert in digital law and professor at the University of Burundi (UB), emphasizes that like all other States, Burundi faces the growing demand to adopt digital technologies. According to him, digital technology is now ubiquitous in the daily lives of Burundians. “The State implements policies to integrate digital technology into different sectors. Certainly, compared with other countries, Burundi is lagging behind, but it is on the right track. The adoption of digital technologies is progressing, and we hope that it will accelerate soon so that the country can take full advantage of it,” he said. According to him, these technologies have already proven their positive impact on society, human relations, the economy or development in general. In addition, Dr. Kwizera specifies that digital law is a branch of law, just like criminal law, civil law or commercial law. Digital law is the law related to information and communication technologies that covers all legal aspects relating to these technologies, he explains. He notes that this branch covers several areas: “On the criminal level, we talk about cybercrime. On the commercial level, there is e-commerce. In civil matters, we find electronic contracts and many other aspects. In summary, digital law takes into account the use of Information and Communication Technologies (ICT) in legal relations, among individuals, companies or institutions, in areas as varied as civil, commercial, criminal or business law.”
Dr. Kwizera first commends the implementation of this law before commenting on the question of whether it fully addresses the initial concerns: “Before even saying whether or not the law has fully addressed all the concerns we encountered, we must, from now on, be pleased that we were able to adopt this law. We had been looking for a legal framework for a constantly evolving field for years.” According to this expert in digital law, the figures speak for themselves. “If we look at the data, particularly those from the police, and more specifically from the section responsible for cybercrime, we noted an increase in cybercrime in Burundi. However, there was no specific law to regulate them. Of course, the criminal code included some provisions to punish certain offenses related to cybercrime, but this was still insufficient. The situation was all the more complex because whether civil or criminal judges had difficulty in punishing these behaviors by applying a general text to offenses that are specific,” he explains.
He emphasizes that a special law was needed, specifying in a clear and technical manner which offenses can be committed in cyberspace, while disclosing the competent authorities and bodies authorized to deal with these issues. “This law has provided solutions to the problems we were facing. Of course, there is no rose without a thorn, it has imperfections, and I will come back to that. But it at least has the merit of existing and acting as a safeguard to dissuade malicious offenders, because they are now aware of the existence of a law.”
© 2025 Jean de Dieu NdikumasaboAlthough Dr. Kwizera praises the implementation of the law on cybercrime in Burundi, some imperfections remain to be noted: “We cannot say that this law is perfect or that it responds to all concerns. It is perfectible and must be improved. This is also the first observation. It establishes fundamental principles, but does not sufficiently deepen the technical aspects necessary to effectively repress cybercrime.”
The university professor believes that Burundi is currently facing ordinary cybercriminals who are not yet professionals in the field. He highlights the need to take the bull by the horns by revising this law on cybercrime. “Today, we are facing ordinary cybercriminals, even charlatans, if I may say so. But there are also professionals: hackers, those who send viruses, spam, Trojan horses, and many other threats. Some are capable of demolishing an entire bank, disrupting an information system or even threatening a State. There are cyber terrorists, real experts in the field.”
According to him, these profiles of cybercriminals have not been sufficiently taken into account in the said law; hence the law should be reviewed to integrate those aspects.
Certain aspects need to be integrated into the law to face new digital threats
As an expert in digital law, Dr. David Kwizera suggests that certain aspects should be integrated into the revised law on cybercrime. “If improvements are made, there should also be a revised version of the law. In its current status, I would say that it remains simplistic. I have clearly emphasized that it does not cover certain essential aspects. Indeed, this law has only 70 articles, and among them, only four categories of offenses have been addressed.”
He emphasizes that in the first category mentioned in Title III of the law, there are offenses that undermine the confidentiality, integrity and availability of data in the information system. Dr. Kwizera believes that this is a step forward, but he emphasizes that it should be noted that these concepts have not been sufficiently developed: “For example, talking about confidentiality or data integrity is one thing, but these are broad concepts that required more in-depth treatment,” he explains.
He also mentions that the Burundian law on cybercrime also mentions terrorism-related offenses, but it should be noted that they are addressed in a very limited manner, with few dedicated articles. It does not deal in depth with cyber-terrorism and its many forms. The expert believes that it would have been crucial to examine all possible threats in this area.
Concerning attacks on State security via computer systems, the law provides for fairly clear and strict sanctions, Dr. Kwizera appreciates. However, he says, another worrying aspect is the issue of privacy protection. “Articles 61 and 63 talk of it, but this subject was only addressed in two short articles, while it is of paramount importance. The law should have paid more attention to the protection of personal data and gone even further by providing a specific legislative and institutional framework.”
According to Dr. Kwizera, the Cybercrime Law should take into account the notion of advertising. “I don’t know if you have already experienced it like me, but have you also been harassed by advertisements and companies? Every time you switch on your phone, you come across thousands of messages that you don’t need. This is just cybercrime, because the well-being of citizens is disturbed,” he emphasizes. For him, this law should also cover this aspect of electronic advertising, those broadcast via digital technologies. He also insists on the notion of consent: “To receive these messages, I would have to have voluntarily subscribed, that I would have given my prior consent,” he said.
The expert in Digital Law reveals that the current law on cybercrime does not protect the cyber-consumer while it is supposed to ensure their well-being. He considers that the law should then focus on the protection of the cyber-consumer and provide mechanisms for their protection, mechanisms to sanction and repress, in an exemplary manner, any person who would try to undermine their well-being and freedom. “There comes a time when I buy an internet package, but because of reasons that do not come from me, I cannot use the internet; but after 24 hours, a message comes saying that the package has expired, while I have never used it”.
Regarding the issue of consumers of telephone or internet services who are subject to exorbitant rates for poor quality, Dr. Kwizera notes that it is necessary to have a law to protect cyber-consumers. According to him, telephone operators and internet service providers sometimes take advantage of their monopoly, sometimes of the power and strength they hold to impose an offer that, in principle, should be negotiated.
A look at foreign legislation
Dr. Kwizera points out that when the law on cybercrime came out; he noticed that it came with gaps and shortcomings that will have to be filled. “Regarding the laws of other countries, I may not say that we should always compare with other countries, because it is said that comparison is not reason. The law, of course, takes into consideration the Burundian context, but it should draw inspiration from the laws of other countries to bring in improvement. These aspects that I have just mentioned, particularly on privacy, the protection of personal data, intellectual property, the institutional framework for protection, cyber-security, privacy, and so on, and many other elements are taken into account under other issues. In other legislations, these are elements that should not be missing in a law that wants to prevent and repress cybercrime. So the law should in principle do a small benchmarking study in order to know what is proposed in other laws to draw inspiration from them.”
According to Dr. Kwizera, the author of the Burundian law on cybercrime should have drawn inspiration from international conventions. “You know, there is an African convention on cybercrime that takes into account all these aspects that the Burundian legislator should revisit to improve its legislative framework. There are also other international conventions. I am talking here about the Budapest Convention on Cybercrime that Burundi should consider studying and from which it could draw inspiration, taking into account the different aspects provided for in this text of law.”
Current trends in cybercrime in Burundi and profiles of cybercriminals
With a mobile penetration rate of 55%, approximately 6.5 million Burundians have access to this means of communication. As for the Internet, with a penetration rate of 8.5%, Burundi has more than one million Internet users.
According to Police Brigadier General Joseph Kenyatta, General Commissioner of the Judicial Police (PJ), cybercrime in Burundi is a complex and emerging phenomenon, influenced by a combination of cultural, social and economic factors. The most frequent offenses in Burundi include identity theft to extort sensitive information, online scams, the dissemination of illicit content as well as the sharing of hateful or defamatory content. He also mentions account hacking, digital espionage, social engineering and electronic theft.
From January to December 30, 2024, 4,270 phone thefts were recorded. Of these stolen devices, 480 were seized and returned to their owners. Added to this is the money stolen via Lumicash or Eco Cash transfers. A total of 157,488,200 Burundi francs (BIF) was reported stolen. Of this amount, 111,332,900 BIF was recovered and returned to the owners. Kenyatta points out that among the perpetrators of cybercrimes, some are perfectly proficient in computer tools, while others know how to exploit the features of a phone. He further specifies that victims are only identified when they file a complaint or make a declaration to the police. However, he believes that many victims do not report the facts. He therefore encourages the people of Burundi to adopt a culture of reporting to the PJ in the event of theft of computers or smartphones: “In the event of loss or theft of your phone or laptop, it is essential to immediately report the incident to the Judicial Police. This prevents your number or device from being used for criminal purposes. Secondly, it is crucial to be vigilant and never send money electronically to a person whose identity is distrustful. Furthermore, it is recommended to report the theft to the police and, at the same time, to go to the agencies of the mobile phone operators where you purchased your SIM card in order to have it replaced. Finally, protect your personal data by using complex and difficult to guess passwords”.
The witnesses interviewed indicate that they do not report the thefts of their phones despite the risks they may run. They explain that the reporting procedures and steps are complex. “The reporting process is complicated. You must first go to the mobile phone operator that provided the SIM card, then to the Telecommunications Regulation and Control Agency (ARCT), before reporting to the Judicial Police (PJ). This procedure can take about a week.”
However, the General Commissioner of the PJ specifies that the reporting procedures are not complicated at all. Rather, he calls on the people of Burundi to adopt this habit of reporting cases of theft of their phones or computers.
The PJ authority recognizes that supporting measures are necessary to ensure the effective application of the law on cybercrime. According to him, it is essential to conduct awareness campaigns using available communication channels such as radio, television, social media, posters, etc. These actions would help inform the population about the risks associated with cybercrime and the best practices to adopt, he believes. It is also crucial to build the capacities of law enforcement, particularly the police and judicial police officers (OPJ). He added that it is essential to involve private sector actors, including businesses and financial institutions, by raising their awareness of the risks associated with cybercrime and training them on preventive measures. Kenyatta believes that it would be relevant to integrate this theme into the school curriculum so that young people become aware of cybercrime-related offences from an early age.
Online scam: When cybercriminals exploit the naivety of Internet users
With digitalization constantly progressing in Burundi, cybercrime is growing. Online fraud, financial scams, identity theft, account hacking and sextortion are on the rise. In Burundi, cybercriminals take advantage of the innocence and ignorance of Internet users to trap the victims in their nets.
In Burundi, the most widespread form of cybercrime is to infiltrate users’ Lumicash accounts in order to steal electronic money from them. Indeed, “Lumicash” is an electronic money transfer system. The latter allows transfers to be made among banks, communication companies and distribution agents. It also allows various operations to be carried out, including payments and purchases. In Burundi Lumicash is perceived as an electronic wallet that allows customers, telecom subscribers and, when necessary, Lumitel subscribers to access the electronic wallet from their mobile phones. In this case, an individual’s phone becomes their bank account where they can carry out various transactions including depositing, withdrawing or paying out money. With the Lumicash service, a person can make money transfers to other Lumicash subscribers or other numbers not registered in the Lumicash service. With this electronic wallet, an individual can buy airtime. They can also stock up on supplies and pay bills using Lumicash. An individual can also import, that is, transfer money from a Lumicash account to a bank account and vice versa. When it comes to stealing money, scammers pretend to be technicians from the Lumitel operator in order to trap citizens and withdraw money from their Lumicash accounts. Their scheme is based on the My Lumicash Chanel, an application that can be downloaded from the Play store or App store and the use of the OTP (One-Time Password) code. The modus operandi is well-established. The victim receives a WhatsApp call from a supposed Lumitel technician, who claims to be conducting an investigation to improve the quality of the internet connection and reduce the cost of data plans. The scammer then asks the targeted individual to check a message containing an OTP code sent to the SIM card they use for Lumicash service. The scammer asks the victim to provide him with the six-digit code sent, claiming that it is necessary to finalize the transaction. If the victim obeys and sends him the 6-digit code, the scammer gains full access to their mobile account and can thus withdraw all of their money. “To protect oneself against this type of scam, it is crucial to never share your OTP code with anyone, even if the scammer poses as an employee of a telephone operator.” This alert message was launched some time ago by the mobile telephone operator Lumitel, after noting that this form of cybercrime was taking on an increasingly worrying scale.
Indeed, according to Professor Gilbert Niyongabo, the unemployment rate in Burundi is 1.1% and the broader one is 2.8% (potential workforce). In the broader sense, it is 1.1% in rural areas and 17.2% in urban areas. It is 18.2% for people with a higher degree against 1.1% for those without a level of training. The unemployment rate in Bujumbura City is 24.5%, followed by the provinces of Rumonge (4.2%), Bujumbura (3.3%) and Gitega (2.2%).
This is a fake job scam. The scammers create fake accounts in the name of certain high authorities of the country, using the images of these dignitaries as their profile pictures. The most frequently targeted persons in authority are the President of the Republic, his wife, the Prime Minister, the Secretary General of the ruling party, the Speaker of the National Assembly and the President of the Senate, as well as the leaders of the country’s major companies.
“My son, you are lucky to meet with me on this social media. If I give you a capital of 2.5 million, would you use it for your investment?”, is one of the first messages that scammers send to their targets.
There are other messages with fake jobs: Some cybercriminals pose as renowned business leaders and claim to launch a recruitment process, insisting on the fact that places are limited. They present this opportunity as an unexpected chance for the victim, asking them to keep the steps secret.
Faced with the pressure of unemployment, the victim, often vulnerable, does not take the time to verify the veracity of the offer or to seek advice. Gradually, the scammer introduces the idea that a processing fee is required to finalize the application. This is when the victim falls into the trap. The cybercriminal then sets a place and date to meet for the payment of these fees and the submission of the file. Once the money has been paid, the cybercriminal disappears without a trace, sometimes taking considerable sums with him.
Burundian businessman Adrien Ntigacika, alias Ziranotse, owner of the organo-mineral fertilizer production plant (FOMI), does not use Facebook. However, several Facebook accounts and pages have been created by malicious individuals under his name. These scammers act with full knowledge of the facts: FOMI is a rapidly expanding factory, regularly looking for new employees. In addition, its salaries are considered attractive compared to other industries operating in Burundi. Faced with this situation, many young unemployed graduates dream of being recruited by this company. Fraudsters exploit this hope by using fake accounts to scam potential candidates, promising them a job in exchange for financial compensation.
Sextortion is another form of cybercrime that is present in Burundi. It is a form of blackmail in which a person is threatened with seeing sexual images, videos or sex-related messages that may be disclosed if they do not comply with the extortionist’s requirements. These requirements can include paying a sum of money, sending new intimate content or even performing illegal services. The most common form of sextortion is based on manipulation and deception. Scammers pose as romantic partners online in order to gain the trust of their victims and encourage them to share compromising content, which they then use to blackmail them.
These forms of cybercrime are just a few examples of many that occur on a daily basis, trapping many Burundian Internet users. It is essential that they be aware of the risks and be vigilant, as the scammers are constantly on the lookout.
Cybercrime: a security challenge here as elsewhere
In West Africa, there is a phenomenon of grazers; a term that comes from Côte d’Ivoire, designating scammers specialized in online scams. They manipulate their victims by playing on their feelings and emotions, particularly through romantic impostures. Qemal Affagnon, regional coordinator for West Africa within the organization Internet without Borders, explains the extent of this phenomenon. He spoke on France 24. He emphasizes that this phenomenon originates from West Africa, especially in Nigeria, and has spread to Côte d’Ivoire, Benin and Burkina Faso. Affagnon mentions a whole range of scams that are developing from West Africa in particular. “Apart from the romance scam, the love scams, we find for example the fake job scam and the fake housing scam. You also have sextortion, which is increasingly practiced and which allows victims to be targeted today on the African continent”. According to him, these are practices that affect a wide range of scams and which allow victims to be targeted both in Africa and outside the African continent. Speaking about the profile of these scammers, Affagnon emphasizes that they are often in precarious situations. However, they are very proficient in digital tools and social engineering. This skill allows them to gain the trust of their victims. Then, they use clever arguments to convince them to give money. Their ability to manipulate in the long term is based on specific psychological skills.
In some African countries, scammers risk, for example, to be imprisoned. However, Affagnon doubts the effectiveness of this sanction, because these scammers continue to commit their crimes even behind bars: “In Benin, for instance, many scammers find themselves behind bars. However, the problem goes much deeper. Despite the strong repression carried out by the authorities to limit this phenomenon, as well as arrests and imprisonments, some scammers still manage to continue their scams from prisons in some African countries.” Affagnon points out that the organization Internet without Borders is campaigning, for example, for certain laws to be revised and updated: “Today, for instance, in the Republic of Benin, when you take the digital code that helps fight this phenomenon, the term cybercrime is not even defined in the law.”
He asks Internet users to be much more careful, even very suspicious of everything they see being spread on the Internet: “Today, phishing campaigns are carried out by these scammers, which allows them to acquire data. It is thanks to this information that they will target their victims.”
By Jean de Dieu Ndikumasabo