Authority handoff

KCFR is a public registry, not a law-enforcement agency. When a Kenyan investigator (DCI, ODPP, CBK, KE-CIRT) or an accredited security-research team has an active case that overlaps with reports we hold, we will produce a structured export — full identifier values, narratives, moderation history, and chain-of-custody metadata — on request from a verified contact.

What you get

Each export is a JSON document that includes, per report:

• The report ID, status, modus operandi, narrative, reported amount, and incident date.
• All identifiers cited (M-Pesa Pochi/till/phone, wallet, social handle, domain) in their normalized form.
• Every moderator review on the record — decision, notes, moderator name, timestamp.
• The requesting admin's identity (name, email, moderator ID) so the receiving authority can verify chain of custody.

We do not include reporter IPs, user-agent strings, or any field that could deanonymize a victim. Those are excluded from public DTOs and excluded from exports alike — see our methodology.

How to request one

Contact KCFR moderation at moderation@kcfr.ke with:

• Your case reference (DCI OB number, court order ID, CERT ticket, etc.).
• The narrowing filter — specific report IDs you are interested in, or an identifier (wallet / phone / handle) you are tracking, or a date range.
• A short rationale describing the active investigation. This is recorded verbatim in our audit log.

A KCFR admin reviews the request and, if it satisfies the criteria below, files the export through our admin tooling. The result is delivered back to the verified contact channel as a signed JSON file.

Criteria

• Active investigation only. We do not produce exports for fishing expeditions, journalistic interest without a specific subject, or ad-hoc due diligence requests.
• Narrow scope. The request must scope to specific report IDs, a specific identifier, or a tight date range. We do not export the whole database.
• Verified contact. We respond only to the authority's published channel (e.g. an @dci.go.ke address, an issued court order). We will not deliver to a free-mail address.
• Auditable. Every export — even one to a verified authority — writes anEXPORT_REQUESTED row in our audit log with the case ref, the requesting admin, and the resulting report count. The trail is reviewable by other admins after the fact.

For other admins (operational reference)

The export endpoint is POST /v1/admin/exports. ADMIN role required. Rate- limited to 5 per hour. A typical body:

{
  "caseRef": "DCI/OB/2026/0481",
  "rationale": "Fraud sweep tied to wallet 0xab… seized 06 May 2026.",
  "filters": {
    "identifier": {
      "kind": "WALLET_ADDRESS",
      "value": "0xab12cd34…"
    }
  }
}

The response contains the matching reports plus an exportId that correlates the payload with the audit row. Cap is 500 reports per export — tighten your filter if you hit it.

What we will not do

• Tip off the subject of an investigation.
• Identify the reporter who filed any specific record.
• Take the report down because an authority asked us to. Removal goes through the right-to-reply path like everyone else — see Right to reply.