Rising Cyber Threats to Rwanda: Hacktivists and Data Breaches
Executive Summary
Between January and October 2025, Rwanda’s government infrastructure faced multiple coordinated cyberattacks involving data leaks, credential theft, and website defacements.
Incident Timeline and Details
- January 2025: Defacements occurred on subdomains of naeb.gov.rw and minagri.gov.rw.
- February–March 2025: Archives of .gov.rw domains reappeared on dark web and Telegram channels linked to Babuk Locker affiliates.
- May 2025: The Rwandan Ministry of Health was targeted twice:
  - First by Vasa Locker affiliates, claiming a theft of 52 GB of data.
  - Later by a dark web actor known as “koko,” offering a 53 GB data package for $2,500.
- May 2025: A Telegram-based DDoS attack solicitation targeted the National Bank of Rwanda.
- August–October 2025: Credential compromises were exposed in stealer logs from Acreed, Rhadamanthys, and Vidar, affecting key government systems such as irembo.gov.rw, rra.gov.rw, and mifotra.gov.rw, signaling deep network infiltration.
Threat Actor Claims
On 23 September 2025, a threat actor using the alias “koko” advertised a 53 GB data dump, allegedly from the Government of Rwanda Ministry of Health, on a dark web forum (Seller’s Place). The package was linked to hmis.moh.gov.
Note: The authenticity of these claims remains unverified, as they come solely from cyber threat actors.
Summary
Rwanda's government faces escalating cyber threats with multiple data breaches and network intrusions revealing vulnerabilities in critical public sector systems.
CYFIRMA — 2025-11-02