Point AI

Powered by AI and perfected by seasoned editors. Every story blends AI speed with human judgment.

EXCLUSIVE

Hackers take over Kenya’s president’s website, demand 5 Bitcoins ransom 

The website was defaced with demeaning messages targeting the president.
Kenya president website hacked |techpoint.africa
Subject(s): ,

Psst… you’re reading Techpoint Digest

Every day, we handpick the biggest stories, skip the noise, and bring you a fun digest you can trust.

Digest Subscription (In-post)

Hackers gained control of the official website of Kenyan President William Ruto (president.co.ke) on Saturday, July 18th, and defaced the president’s official website with demeaning messages.

The unknown group responsible for the cyber attack targeted President Ruto, threatening to release ‘uncomfortable’ information if its ransom demand of 5 Bitcoins (approximately $317,215) wasn’t met.

“This message is the third time for you; before we leak everything about you,” the message on the homepage reads. “Do a payment of 5 bitcoins to the Bitcoin wallet…. If you want peace before 6 o’clock this evening.”  

The Kenyan government, through a response filed by the Information and Communication Technology Cabinet Secretary, William Kabogo, confirmed the attack but assured Kenyans that no official or sensitive data was compromised.

He also clarified that emergency measures had been put in place to curtail the attack.    

“At this time, there is no evidence of unauthorised access to sensitive data, data exfiltration, or loss of information,” Kabogo says. “Government systems and digital services remain secure and operational. As a precautionary measure, access to the Presidential website was temporarily restricted to facilitate containment, forensic analysis, and restoration efforts.”

One attack too many: Why are government websites easy targets?

The recent attack marks the second time within one year that this has happened. In November 2025, a cyber breach affected the president’s website and four other major ministries, including Education, Health, Interior, and Information and Communication Technology.

Some state platforms, including the Immigration Department, the Directorate of Public-Private Partnerships, the Directorate of Criminal Investigations (DCI), and the State House website, were also affected in the breach.

Nick Thiong’o, a Nairobi-based AI and cybersecurity practitioner, argues that the hackers’ motive extends beyond financial gain.

Victoria Fakiya – Senior Writer

Techpoint Digest

Stop struggling to find your tech career path

Discover in-demand tech skills and build a standout portfolio in this FREE 5-day email course

“I don’t think whoever is targeting the president has only financial motives in mind; it’s also for show,” Thiong’o notes. “For you to target the head of state, you know you’d actually get the attention that you’re seeking.”

Victoria Robinson, Cybersecurity Research Analyst at Ethnos Cyber Limited, believes that a mix of low cost-to-attack and high visibility payoff explains why government websites are sweet spots for attackers.

“A .go.ke or any state domain gives instant credibility to whatever message you deface it with, Robinson explains. “You get press coverage, public panic, and leverage for extortion in one shot, which is exactly why this incident got the ‘pay 5 BTC, or we leak everything’ framing.”

In contrast, when a random small or medium-sized enterprise website is compromised, nobody writes about it, and there is no pressure on the target. Robinson says government websites are soft targets because they are usually built by whichever contractor won a tender, then left to run with minimal in-house ownership.

Many government websites still run vulnerable CMS builds (Drupal, WordPress, Joomla, etc), default admin creds that were never rotated, or exposed admin panels sitting on the open internet with no IP allow-listing or Multi-Factor Authentication (MFA). So it’s not that they’re always vulnerable by design; it’s that the operational hygiene around them— patching, access control, monitoring—tends to lag badly behind.

“So, there’s likely no continuous patch cycle, no one really ‘owning’ the box after go-live,” Robinson explains.

Artificial Intelligence has lowered the barrier

Thiong’o says he doesn’t entirely blame Artificial Intelligence for this recent attack; the tools at hackers’ disposal today are frightening, and his worry is where these attackers will target next.

Thiong’o says AI has lowered the barrier for attackers and that available AI tools should scare us. He argues that Large Language Models (LLMs) can be easily jailbroken to ignore their safety training and employed to cause havoc.  

Hackers no longer need to be experts in programming languages; with the right prompts, they can leverage AI to write code that produces malware and viruses to attack vulnerable websites.  

“We’re on the cusp of something that would be recurring,” Thiong’o says, “because we don’t know where the attackers would focus on next; the tools to create malware and prompt injections are easily available.”

Proactive measures African governments adopt to curtail attacks

Thiong’o’s counsel to African governments is twofold.

First, he advocates the urgent need to assemble the best tech brains to develop local models. Also, African governments should collaborate with their Western counterparts to understand the vulnerabilities of AI models built by tech giants, while also investing more in AI security tools and intelligence systems to counter emerging threats.

Robinson advocates that before any countermeasures can be put in place, African governments should get the basics right, because that’s usually what’s missing.

She offers the following practical tips:

  • Enforce phishing-resistant MFA: Enforcing MFA for every admin and content-management login was once the standard advice, but times have changed. Basic SMS- or push-based MFA is now routinely defeated by adversary-in-the-middle phishing kits, SIM swapping, and push bombing. What actually holds up is phishing-resistant MFA on every admin/CMS login, keeping the CMS core and plugins patched on a real schedule. Cloudflare or similar services catch a huge chunk of defacement attempts before they ever reach the origin server.
  • Segregate environments: Separating the public web tier from anything sensitive on the back end (proper network segmentation) limits how far a front-end compromise can spread, which matters enormously in cases like this, where nobody outside the response team yet knows how deep the breach went.
  • Add file integrity monitoring: So unauthorised changes trigger alerts immediately, centralised logging with real eyes on it around the clock for high-value targets, regular independent penetration testing, and a legitimate vulnerability disclosure channel so researchers who spot a flaw have somewhere responsible to report it instead of leaving it for an attacker to find first.

Robinson says none of these would work without a rehearsed incident response plan; the difference between a five-minute takedown-and-restore and a multi-hour public scramble usually comes down to whether the runbook was ever actually practiced.

African governments need to realise that the pattern isn’t unique to any one country. Kenya has now had multiple public defacement incidents in under a year; similar stories have played out in Nigeria, South Africa, Ghana, and elsewhere.

The common thread across all is structural: government digital infrastructure tends to get funded and secured as a one-off project, ‘build the website’ rather than as an ongoing capability with a maintenance and security budget attached for its entire operational life.

So, what needs to change structurally is treating government digital infrastructure like critical national infrastructure, not a marketing brochure. Changing that outcome means changing how these assets are governed, not just how they’re built.

“Centralise security ownership under something like a national CERT with actual authority (not just advisory),” Robinson advises. “Mandate baseline security certifications before any ministry site goes live, and fund ongoing monitoring contracts the same way you’d fund physical security for a ministry building.”

Without that shift, the cycle is predictable: a defacement happens, a brief statement follows, a quiet fix gets applied, and the same story repeats within a matter of months.

Support independent tech journalism on Techpoint Africa

Help us tell more independent stories about the evolution of tech in Africa

Donate now
Support Techpoint Africa
You’re donating ₦0.00

Follow Techpoint Africa on WhatsApp!

Never miss a beat on tech, startups, and business news from across Africa with the best of journalism.

Follow

Read next

Events

|


|


|


No events for now. Check back soon.