Here is the complete intel brief and tweet.
title: "Kenya State House: Website Defacement and Bitcoin Extortion" date: 2026-07-18 slug: kenya-state-house-website-hack-ransom
Kenya State House: Website Defacement and Bitcoin Extortion
Kenya's official Presidential website, president.go.ke, was compromised and defaced early Saturday morning, with attackers demanding a ransom of 5 Bitcoin (roughly Ksh41 million, or about USD 320,000 at prevailing rates) in exchange for not leaking unspecified information targeting President William Ruto. State House confirmed the breach in a statement to Kenyans.co.ke, which broke the story and captured the only known screenshots before the site was pulled offline. The incident marks another confirmed compromise of a high-value Kenyan government digital asset.
What Happened
On the morning of Saturday, 18 July 2026, journalists at Kenyans.co.ke discovered that the homepage of the President's official website had been replaced with defacement content targeting the Head of State. In place of official government material, the page displayed allegations against President Ruto, a Bitcoin wallet address, and a time-bound extortion demand.
The defacement message read, in part: "This message is the third time for you; before we leak everything about you. Do a payment of 5 bitcoins to the Bitcoin wallet... If you want peace before 6 o'clock this evening." The reference to a "third time" suggests prior contact or prior attempts that were not previously made public.
The attackers also altered the site's banner, inserting a message referencing the names of three individuals while leaving the official State House branding visible in the background. State House acknowledged the hack and said its ICT team was managing the situation. Shortly after the story broke, the government took the website offline entirely.
What Was Taken
No data exfiltration has been confirmed at the time of reporting. The visible impact was limited to homepage and banner defacement. However, the attackers explicitly threatened to "leak everything," implying they claim to hold sensitive material, though no sample or proof was published.
Critically, it remains unclear whether the compromise was confined to the website's front end or extended into back-end systems, databases, or connected infrastructure. Until State House completes a forensic review, the true scope, including any unauthorized access to internal records, must be treated as unknown rather than contained.
Why It Matters
The defacement of a sitting president's official website is a direct blow to state credibility and a signal of weak security posture across government digital infrastructure. Public-facing government portals are trust anchors; when one is visibly defaced with extortion demands, it undermines citizen confidence and hands adversaries a propaganda win regardless of whether any data was actually stolen.
This is not an isolated event. In November 2025, a coordinated attack defaced multiple Kenyan government websites, including those of the Ministries of Health, Education, Labour, Environment, ICT, Tourism, Interior, and State House itself, with several portals rendered inaccessible and some displaying extremist slogans. The recurrence at the highest level of government points to systemic gaps in how public sector web assets are hardened, monitored, and patched. Notably, the Ministry of Defence and the National Treasury reportedly withstood that earlier wave, suggesting security maturity is uneven across agencies.
The Attack Technique
The exact intrusion vector has not been disclosed. The observable behavior, homepage and banner replacement paired with a ransom note, is consistent with common defacement techniques: exploitation of an unpatched content management system or plugin, compromised administrative credentials, an exposed admin panel, or an insecure file-upload or injection flaw.
The extortion framing and the "third time" reference may indicate a targeted campaign rather than an opportunistic scan-and-deface. The rapid decision to take the site fully offline suggests responders could not immediately isolate the malicious content or were uncertain about the depth of access, both of which are typical when back-end compromise cannot be ruled out.
What Organizations Should Do
- Patch and inventory public web assets: maintain a live inventory of all government-facing sites, and apply security updates to CMS platforms, plugins, and underlying servers on a strict schedule.
- Lock down administrative access: enforce multi-factor authentication on all admin accounts, restrict admin panels to VPN or allowlisted IPs, and eliminate default or shared credentials.
- Deploy monitoring and integrity checks: implement file-integrity monitoring and automated defacement detection so unauthorized homepage changes trigger alerts within minutes, not hours.
- Prepare and rehearse incident response: maintain tested backups, a documented takedown-and-restore playbook, and clear escalation paths so a defacement can be contained without an uncoordinated full shutdown.
- Do not pay, and preserve evidence: treat extortion demands as non-negotiable, capture forensic images before remediation, and engage national CERT and law enforcement.
- Assume back-end exposure until proven otherwise: after any defacement, rotate credentials and secrets, and conduct a full forensic review to confirm whether the breach extended beyond the front end.
Sources: President's Official Website Hacked, Hackers Demand Ksh41 Million Ransom - Kenyans.co.ke