SYS::ONLINE
Wasteland.
Briefs1244
Issues19
SinceFeb 2026
LIVE
█ Ransomware KENYA-STATE-HOUSE 2026-07-18

Kenya State House: Website Defacement and Bitcoin Extortion

"Here is the complete intel brief and tweet."

Here is the complete intel brief and tweet.


title: "Kenya State House: Website Defacement and Bitcoin Extortion" date: 2026-07-18 slug: kenya-state-house-website-hack-ransom


Kenya State House: Website Defacement and Bitcoin Extortion

Kenya's official Presidential website, president.go.ke, was compromised and defaced early Saturday morning, with attackers demanding a ransom of 5 Bitcoin (roughly Ksh41 million, or about USD 320,000 at prevailing rates) in exchange for not leaking unspecified information targeting President William Ruto. State House confirmed the breach in a statement to Kenyans.co.ke, which broke the story and captured the only known screenshots before the site was pulled offline. The incident marks another confirmed compromise of a high-value Kenyan government digital asset.

What Happened

On the morning of Saturday, 18 July 2026, journalists at Kenyans.co.ke discovered that the homepage of the President's official website had been replaced with defacement content targeting the Head of State. In place of official government material, the page displayed allegations against President Ruto, a Bitcoin wallet address, and a time-bound extortion demand.

The defacement message read, in part: "This message is the third time for you; before we leak everything about you. Do a payment of 5 bitcoins to the Bitcoin wallet... If you want peace before 6 o'clock this evening." The reference to a "third time" suggests prior contact or prior attempts that were not previously made public.

The attackers also altered the site's banner, inserting a message referencing the names of three individuals while leaving the official State House branding visible in the background. State House acknowledged the hack and said its ICT team was managing the situation. Shortly after the story broke, the government took the website offline entirely.

What Was Taken

No data exfiltration has been confirmed at the time of reporting. The visible impact was limited to homepage and banner defacement. However, the attackers explicitly threatened to "leak everything," implying they claim to hold sensitive material, though no sample or proof was published.

Critically, it remains unclear whether the compromise was confined to the website's front end or extended into back-end systems, databases, or connected infrastructure. Until State House completes a forensic review, the true scope, including any unauthorized access to internal records, must be treated as unknown rather than contained.

Why It Matters

The defacement of a sitting president's official website is a direct blow to state credibility and a signal of weak security posture across government digital infrastructure. Public-facing government portals are trust anchors; when one is visibly defaced with extortion demands, it undermines citizen confidence and hands adversaries a propaganda win regardless of whether any data was actually stolen.

This is not an isolated event. In November 2025, a coordinated attack defaced multiple Kenyan government websites, including those of the Ministries of Health, Education, Labour, Environment, ICT, Tourism, Interior, and State House itself, with several portals rendered inaccessible and some displaying extremist slogans. The recurrence at the highest level of government points to systemic gaps in how public sector web assets are hardened, monitored, and patched. Notably, the Ministry of Defence and the National Treasury reportedly withstood that earlier wave, suggesting security maturity is uneven across agencies.

The Attack Technique

The exact intrusion vector has not been disclosed. The observable behavior, homepage and banner replacement paired with a ransom note, is consistent with common defacement techniques: exploitation of an unpatched content management system or plugin, compromised administrative credentials, an exposed admin panel, or an insecure file-upload or injection flaw.

The extortion framing and the "third time" reference may indicate a targeted campaign rather than an opportunistic scan-and-deface. The rapid decision to take the site fully offline suggests responders could not immediately isolate the malicious content or were uncertain about the depth of access, both of which are typical when back-end compromise cannot be ruled out.

What Organizations Should Do

Sources: President's Official Website Hacked, Hackers Demand Ksh41 Million Ransom - Kenyans.co.ke