The cybercriminal group Black Axe has posted a database containing 2 million African National Congress (ANC) member records on a hacker forum, exposing ID numbers, phone numbers, email addresses, physical addresses, and photographs. The breach, believed to have occurred on August 28, 2025, targets South Africa's largest political party and has not been publicly acknowledged by the ANC.
What Happened
Black Axe listed a database of 2 million ANC member records for sale on a hacker forum. The dataset appears to have been exfiltrated from an internal ANC tool used to track membership fees, meeting attendance, and other party activities. The intrusion is believed to have occurred on August 28, 2025, but only surfaced publicly in May 2026 when the threat actor began advertising the data. The ANC has been approached for comment and has not publicly acknowledged the incident.
What Was Taken
The leaked database contains 2 million records of ANC members with highly sensitive personally identifiable information, including:
- South African ID numbers
- Telephone numbers
- Email addresses
- Physical residential addresses
- Photographs of members
The combination of government-issued ID numbers, contact details, and member photographs creates a high-fidelity profile dataset suitable for identity theft, SIM-swap fraud, targeted phishing, and political intimidation.
Why It Matters
This is the second major exposure of ANC member data in four years. In 2022, an estimated 1.2 million ANC member records were leaked following the TransUnion credit bureau breach. The repeat exposure shows that ANC membership data is a persistent target, both directly and through third-party processors. Beyond the immediate fraud risk to individuals, the political sensitivity is significant: a complete roster of a ruling party's membership base can be weaponized for voter intimidation, doxxing of activists, and foreign influence operations. For defenders in the public sector and political organizations, this incident underscores that membership management systems are high-value intelligence targets, not merely administrative tools.
The Attack Technique
The initial intrusion vector has not been publicly disclosed. Based on the nature of the compromised system, an internal membership tracking tool storing fees, attendance, and member records, the most likely access paths are credential compromise of an administrator account, exploitation of an exposed web application, or third-party vendor compromise. Black Axe is historically associated with Nigerian-origin financial fraud operations, and the group has expanded into data brokerage on underground forums, which aligns with the for-sale listing pattern observed here.
What Organizations Should Do
- Audit membership and CRM platforms: Treat internal "operational" tools that aggregate PII as crown-jewel systems. Enforce MFA, least-privilege access, and detailed audit logging on all administrative accounts.
- Monitor underground forums: Subscribe to threat intelligence feeds tracking Black Axe and related forum listings to detect leaked organizational data early.
- Review third-party data processors: The 2022 TransUnion incident shows downstream vendors are a recurring exposure point. Inventory who holds your member data and validate their security posture.
- Notify and protect affected individuals: ANC members should be warned of phishing, SIM-swap attempts, and identity fraud risks; banks and telcos should be alerted to apply additional verification on affected identities.
- Implement DLP and egress monitoring: A 2-million-record exfiltration leaves significant network artifacts. Detection controls on bulk database queries and outbound transfers would have shortened dwell time.
- Engage regulators proactively: South Africa's POPIA mandates breach notification to the Information Regulator and affected data subjects. Silence carries both legal and reputational cost.
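The bulk-query detection named in the DLP item above, as an added example that is not from the original article or from any ANC system: a rolling per-account count of rows read, run over constructed audit-log lines. The log format, account names, window and threshold are assumptions; the sample shows a paginated export that stays under any per-query limit but trips the per-window total.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines (assumed format): ISO time, account, table, rows returned.
# admin_x pages through the table 500 rows at a time, once a minute for 30 minutes.
SAMPLE_LOG = [
    "2025-01-10T09:00:00 clerk_a members 40",
    "2025-01-10T09:05:00 clerk_b members 25",
    "2025-01-10T09:20:00 clerk_a members 60",
    "2025-01-10T10:30:00 clerk_a members 35",
] + [f"2025-01-10T02:{m:02d}:00 admin_x members 500" for m in range(30)]


def parse(line):
    """Split one audit-log line into (timestamp, account, table, rows)."""
    ts, account, table, rows = line.split()
    return datetime.fromisoformat(ts), account, table, int(rows)


def bulk_read_alerts(lines, window=timedelta(hours=1), max_rows=10_000):
    """Return (account, window_start, rows_in_window) the first time each
    account's rolling row count within `window` exceeds `max_rows`."""
    recent = defaultdict(deque)   # account -> (timestamp, rows) still in window
    totals = defaultdict(int)     # account -> rows read within the window
    alerted, alerts = set(), []
    for ts, account, _table, rows in sorted(map(parse, lines)):
        q = recent[account]
        q.append((ts, rows))
        totals[account] += rows
        # Evict reads that have aged out of the rolling window.
        while ts - q[0][0] > window:
            totals[account] -= q.popleft()[1]
        if totals[account] > max_rows and account not in alerted:
            alerted.add(account)
            alerts.append((account, q[0][0], totals[account]))
    return alerts


if __name__ == "__main__":
    for account, start, rows in bulk_read_alerts(SAMPLE_LOG):
        print(f"ALERT {account}: {rows} rows read since {start.isoformat()}")
```

In practice the threshold would be set from each account's normal read volume, and the alert correlated with outbound transfer size from the same host.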
Sources: ANC data breach exposes 2M member records! ID numbers, phone numbers, addresses & photos leaked.