The Israeli Hackers Who Tried to Hack Kenya’s Election

Israeli hackers accessed the Telegram accounts of senior officials to assist Kenya’s opposition in their campaign to create uncertainty about William Ruto’s 2022 win.

Tal Hanan, a remarkable salesperson, is aware of what captivates clients at the factory he founded for conducting hacking, forgery, and fraudulent operations globally. While bragging about email or Telegram hacking skills may be impressive, leading clients on a live tour of hacked Telegram accounts is on a whole other level.

During July and August, Hanan offered a guided visit of the hacked Telegram and email accounts of five distinct targets in Kenya to three individuals who presented themselves as representatives of a potential client. Hanan was reportedly working for a client in Kenya at the time.

On August 15, 2022, the three representatives recorded him sifting through those accounts. This date coincided with the announcement of the August 9 Kenyan general election results.

All of the targets whose accounts he perused were connected to the effort to promote William Ruto’s candidacy, and Ruto was on the verge of being declared Kenya’s next president.

Three days after Ruto’s triumph, two of Hanan’s hacking victims became embroiled in a public and legal scandal that still agitates Kenya. The allegation is that the pair hacked the computers of the country’s independent elections committee to manipulate the results and pilfer the presidential election for Ruto, thereby violating the will of the populace.

Before delving into the particulars, let’s review the events previously discussed in our first Story Killers article. Hanan, an Israeli entrepreneur with ties to the intelligence sector, who went by the pseudonym Jorge, and his associates (including some ex-Shin Bet security service personnel) had for several months been communicating with three people who introduced themselves as delegates of a businessman seeking to engage their services.

A group of journalists from various media outlets, including European publications Le Monde, Der Spiegel, Die Zeit, and The Guardian, as well as the investigative journalist group OCCRP and Paris-based organization Forbidden Stories, investigated the comments and presentations made during the meetings with Hanan and his staff.

The investigation was led and organized by Forbidden Stories, which spearheaded the international initiative known as Story Killers. The project brought together a team of approximately 100 journalists from 30 different media organizations worldwide, with a specific focus on the issue of global disinformation.

The group of journalists managed to verify that the five email and Telegram accounts shown by Hanan and his team belonged to the individuals in Kenya whose names, email addresses, and phone numbers were displayed on the screen during the demonstration.

One of the messages sent from the hacked accounts by Hanan was confirmed to have been received by the intended recipient. This message was sent during his presentation to us, where he showcased the hacked accounts.

Real-time hack

The five targets in Kenya were being hacked in real time during the election campaign, which we witnessed. Our association with Hanan began in July of last year, a few weeks before the general election, and persisted in the following months.

On August 15 during a Zoom meeting, Hanan mentioned the recent election in a certain East African country, saying, “As you know, elections were last Wednesday [actually the Tuesday] in a certain country in East Africa.” He went on to direct the attendees’ attention to a name on the upper left side of the screen, referring to Dennis Itumbi, a political adviser who played a prominent role in William Ruto’s presidential campaign.

While combing through Itumbi’s hacked Telegram account, Hanan stated, “This is live,” and pointed out who Itumbi was talking to, showing the plan of the day, which included discussions about the vote count that was still ongoing. According to Hanan, there could be final results by 3 P.M., although he expressed doubts and decided to wait and see.

During the Zoom meeting on August 15, Hanan showcased another discovery he had made in the hacked account of the campaign adviser. He displayed a link, username, and password for the internal website of the United Democratic Alliance, Ruto’s political party, which was set up to track the election results.

“They have developed their own framework,” Hanan stated. “We have detected their confidential website. They created their own platform. This is the extent of real-time intelligence you can gain, and this is just a glimpse.”

Shortly after, Hanan attempted to impress us by displaying the compromised Telegram account of Davis Chirchir, who served as Ruto’s campaign chief of staff during the election and currently holds the position of energy minister in the new administration.

Hanan drew our attention to Davis Chirchir, urging us to look him up on Google. He demonstrated his capability to send messages from the hacked Telegram account.

When the presentation was over, Hanan was asked about his satisfaction with his team’s achievements in Kenya. He replied that he was very pleased but jokingly added that they would have to wait until 3 P.M. for the official announcement of the election results.

The announcement of the election results later that day did not give Hanan any cause for celebration, as Ruto, the candidate whose team Hanan had targeted, was declared the winner.

Prior to the official announcement, a campaign was launched to delegitimize the results, which relied on acts of forgery and fraud.

Arrested election commission staff

In the early 2000s, John Githongo, a former reporter, gained prominence in Kenya for his role as an anti-corruption adviser in the office of then-President Mwai Kibaki. He exposed widespread corruption related to government contracts.

Despite being forced into exile for several years due to his efforts, John Githongo’s actions, which included making public recordings, and the personal sacrifices he made, transformed him into a respected figure, not just in his home country, but also beyond its borders.

Three days after Ruto was declared the winner, on August 18, 2022, an acquaintance approached John Githongo at the Nairobi hotel where he was staying, saying that he wanted to introduce him to a secret source.

Afterwards, a distraught young man, introduced to Githongo as a software engineer, shared a stunning account: the election outcome was a fabrication, misrepresenting the will of the people and the official announcement did not match the actual result.

According to the source, their knowledge was comprehensive because they had participated in the conspiracy themselves.

At first, Githongo attempted to convince the source to disclose their actions. Nevertheless, the source maintained that revealing such information would put their life in peril.

Therefore, Githongo and the source reached an alternative agreement: to rent a hotel room, record their conversation in a manner that would safeguard the source’s anonymity, and then present the recording as evidence to the Supreme Court. They followed through with the plan.

Donning a hood and white gloves to obscure his identity, the man recounted a spine-chilling tale of “the cyber operation to steal the election” as a video camera recorded him from the rear.

The source described his involvement in a scheme in which a group of 56 individuals downloaded forms (referred to as 34As) containing the vote count results from the polling stations. These forms had been obtained through hacking into the elections commission’s portal. The group then proceeded to manipulate the data by inflating the number of votes in favor of Ruto’s supporters, at the expense of his opponent. The falsified forms were subsequently reintroduced into the commission’s computer system.

When questioned by Githongo about the identity of his superiors, the source named two prominent members of Ruto’s campaign team, Itumbi and Chirchir. Notably, these were the same senior officials whose compromised accounts had been tampered with by Hanan a mere three days prior, which we witnessed firsthand.

According to the source, the two individuals in question had not directly accessed the system themselves. Rather, they had overseen a group of hackers who, as per the source’s statement, carried out the task under their leadership.

Githongo, being a patriotic citizen, found it impossible to remain indifferent to the information he had just received. On August 21, he drafted and signed an affidavit, which subsequently formed the foundation for a petition submitted by the Odinga camp to nullify the election results.

Githongo’s statement included the tale of the young man who approached him, along with the attached video, as well as preliminary forensic evidence in the form of server logs. These logs were provided to Githongo by his anonymous source and documented the server’s activity, providing concrete proof of the hacking and falsification activities detailed in the source’s account.

The allegations made by Githongo, along with the forensic evidence presented by his source, failed to convince Kenya’s Supreme Court.

The court ruled in favor of upholding the election results in the subsequent month, and in its decision, stated that “certain logs submitted as evidence, originating from the 2017 election, or in some cases, being entirely falsified.”

State of turmoil

Despite the court’s ruling, allegations of election rigging have persisted and continue to dominate public discourse in Kenya. As a result, the country has remained in a state of turmoil, with large numbers of individuals taking to the streets to voice their concerns.

Following the election, various anonymous sources have contacted numerous journalists around the globe via untraceable emails, providing information or documents that suggest the election outcome was fraudulent. As a matter of fact, three of the journalists belonging to the consortium that is publishing this investigation were among those who received such emails.

At the beginning of 2023, Jeffrey Smith, the founder of the organization Vanguard Africa, released an article claiming that it was based on documents provided to him by an anonymous whistleblower within the elections commission. In a non-confrontational manner, he stated that the evidence he had reviewed pointed to significant disparities in the commission’s documents that made it impossible to predict a definitive winner, and were adequate enough to question the validity of the final results declared by the commission.

The author did not release the actual documents, which was not the only issue with the article’s transparency.

In his article, Smith portrayed himself as a member of an independent international delegation invited to observe the elections. However, he neglected to mention a significant detail: up until 2018, he was officially registered as Odinga’s representative under the Foreign Agents Registration Act, which applies to representatives of foreign entities seeking to influence policy within the United States.

Shortly after the publication of Smith’s article, a new blog account surfaced under the name “theiebcwhistleblower.org” (referencing Kenya’s IEBC elections commission). The contents of the blog created a commotion within the country. The unknown source behind the blog, who claims to be employed at the commission, made accusations about election fraud, utilizing methods akin to those presented by Githongo’s anonymous informant.

The blog even disclosed what it claimed to be the “original documents” – forms that confirm the “legitimate election results” in the different districts of the country. As per the blog’s statement, the actual victor of the elections was Odinga with 58% of the votes, while Ruto, who was declared the winner, obtained only 42%.

Upon adopting the claims of the anonymous blogger, Odinga’s party launched a public campaign to discredit the election results. Odinga gave an impassioned speech at a crowded rally in Nairobi’s Kamukunji neighborhood, stating that “the election was rigged” and that they did not recognize William Ruto as the legitimate president of Kenya. His words ignited the crowd, who echoed his sentiment.

The message that the election was stolen continues to be pushed by web influencers and Odinga’s supporters, but the opposing camp has been successful in refuting these allegations. The credibility of the anonymous blogger’s claims has been further diminished by the discovery of several apparent forgeries among the documents they published.

For instance, in the Konoin electoral district, the number of valid votes documented in the “genuine” form was 2,000 more than the total votes received by all the candidates combined. Similarly, in the Kiani district, an “authentic” form showed poorly done photo editing that was quickly detected.

All the forms lacked any forensic information that could have helped identify their creator, and the owners of the domain name for the blog could not be found.

One of the members of the consortium, Frederik Obermaier of Paper Trail Media, had obtained documents that were almost identical in content to those from the anonymous whistleblower. However, these documents also contained metadata, which provides technical information about the files and details of their history.

The metadata of the files Obermaier received showed that some of the documents were created or saved by a person named Henry Mien. Two sources linked Mien to Odinga’s internal campaign events.

During our series of meetings, Hanan portrayed himself as having a lot of experience in operations that alter people’s perception using false documents. He claimed that his team was responsible for hacking and publicly leaking the contents of the email account of a former senior person in a major local bank in Kazakhstan. However, as Hanan put it, “someone added salt and pepper” to the leak before it was released publicly.

Hanan mentioned another instance in multiple presentations, concerning Venezuela just before the 2012 presidential election. He and another high-ranking member of his organization, Mashy Meidan, claimed that they had acquired internal presentations from the inner circle of then-President Hugo Chávez, and added false information to them before leaking them to the media.

During one of our meetings, Hanan mentioned that creating websites similar to WikiLeaks is one of the ways he operates. He said that they occasionally create a website for leaking information, similar to WikiLeaks but under a different name, on which one can post anything without any restrictions, whether it be images, receipts, or emails.

Regarding the compromised accounts of Itumbi and Chirchir, the available information is insufficient to ascertain whether Hanan tampered with the content he discovered in those accounts.

The information gathered during the investigation is inadequate to establish whether he assisted in producing the documents that were delivered to Githongo, or the “genuine” electoral forms that are still stirring up controversy in Kenya’s blogosphere.

Nonetheless, the limited insight provided by the brief exploration Hanan conducted of Chirchir and Itumbi’s compromised accounts primarily pertains to what was not observed. There was no evidence of their participation in any scheme to manipulate the election. However, it was evident from their hacked accounts that the two individuals were closely monitoring the updates on the election commission’s portal.

Interestingly, the accounts Hanan presented to us revealed an indication of a possible plan to tamper with the election commission forms, although it was not attributed to the party under his surveillance.

According to Hanan’s claim, the Ruto team had an informant within their opponent’s camp, who apparently provided Ruto’s advisors with information about their rivals’ plan to manipulate the forms.

During his presentation, Hanan disclosed that Ruto’s campaign staff were receiving intelligence from a source. He presented a photocopy of a printed note that was circulated among Ruto’s team and revealed that the information was originating from someone within the State House, which was considered to be an unfriendly territory for them. It is worth noting that at the time, the State House was under the control of the then-outgoing President, Kenyatta, who had thrown his support behind Odinga.

The document, entitled “Today’s Plan,” detailed a meeting that took place in the State House, which reportedly lasted until after 2 A.M. that morning. The document outlined a multistage strategy that was developed during the meeting, which included the deployment of a team from a crime-fighting unit, known as DCI, to replace all existing “security personnel.” Additionally, the plan called for the removal of all independent agents, observers, and media. Finally, the document suggested attempting to introduce the “doctored forms.”

Tal Hanan declined to respond to inquiries but refuted any allegations of impropriety.

Raila Odinga, Uhuru Kenyatta, and Henry Mien did not provide any comments for this article.

In response, Jeffrey Smith stated, “Vanguard Africa filed FARA in 2017 in compliance with U.S. legislation, as we organized meetings in Washington D.C. for Mr. Odinga, a non-U.S. citizen. Our activities did not include any political or campaign-related work under this arrangement. This information is available to the public. We will continue to conduct our operations with complete transparency and adherence to ethical standards and U.S. laws.”

Using an encrypted mobile phone can be a crucial step in protecting oneself from cyber-attacks, such as those attempted by Israeli hackers during Kenya’s election. Encrypted phones provide an extra layer of security to keep personal data safe, even in the event of a physical breach of the device.