South Africa's ruling African National Congress (ANC) has launched a formal investigation into a breach of its systems claimed by the hacker group "Black X," which advertised what it says is private data on ANC members. The party is now coordinating with the South African Police Service (SAPS) and the State Security Agency (SSA), warning that exposed records "may include senior executive members in cabinet and state." An independent cybersecurity firm reviewed the leaked samples and assessed them as authentic, while a separate infostealer intelligence report tied a malware infection to the ANC's own internet domain.
What Happened
On 14 May, MyBroadband reported that the threat actor known as Black X was claiming a breach of ANC systems and circulating data samples it said were private records of party members. Dimitri Fousekis, chief technology officer and co-founder of South African firm Bitcrack Cyber Security, reviewed the material and told MyBroadband the leak "appeared to be authentic," though he cautioned that the full scope could not be determined. Black X is reported to have demanded a substantial sum for the database, framing the incident as an extortion play rather than a pure leak.
The ANC's initial public response was outright denial. Rather than answer media queries, the party posted on X/Twitter that the reports were "fake news" and "sensationalist," and cautioned against "reckless speculation and the circulation of unverified claims designed to create unnecessary panic, fear, and political mischief."
That position shifted after infostealer intelligence firm Hudson Rock reported a malware infection linked to the ANC's internet domain. Responding to follow-up questions, the ANC acknowledged it was aware of Black X's claims and confirmed that its service provider, Emperio, had conducted a Preliminary Security Incident Assessment in the immediate aftermath. That report went to the Office of the Secretary General and was then briefed to the National Working Committee.
Emperio's preliminary finding was qualified. The provider "identified no conclusive evidence of unauthorised access to the current production database under Emperio's management," and assessed the activity as "more consistent with an opportunistic threat or extortion attempt, or with possible historical data exposure predating Emperio's current hosted environment, than with a verified breach."
What Was Taken
The exact volume and contents of the dataset remain unconfirmed. Black X claims to hold private data on ANC members, and the samples shared publicly were consistent with that claim per Bitcrack's review. The ANC's own statements escalate the stakes considerably: the party warned that affected data "may include senior executive members in cabinet and state," meaning the exposure could extend to individuals holding national political and government office.
Because the leak could not be fully measured, defenders should treat the data as potentially including personally identifiable information (PII) on party members and high-value political figures. The presence of a linked infostealer infection raises the additional possibility that harvested credentials, session tokens, and other sensitive authentication material are in play, beyond whatever resides in the claimed database itself.
Why It Matters
This incident sits at the intersection of cybercrime and national political risk. A confirmed extortion actor holding data on cabinet-level and state officials creates exposure that goes well past ordinary identity theft: targeted phishing, blackmail, surveillance enablement, and influence operations all become realistic follow-on threats. For a ruling party, the breach is also a governance and trust problem, amplified by an initial public denial that the party later had to walk back.
The case is a clean example of the gap between "no conclusive evidence in the current production database" and "no breach occurred." Emperio's careful wording leaves open historical data exposure predating its environment and a separate infostealer compromise on an endpoint touching the ANC domain. Defenders should note how easily an organization can issue a technically accurate "no confirmed breach" statement while live stolen data circulates and a malware infection sits unaddressed.
The Attack Technique
Two distinct vectors are in view. The first is the extortion claim itself: Black X advertised a database and demanded payment, a model that may rely on legacy or migrated data rather than a fresh intrusion into the live system. Emperio's assessment explicitly raised "possible historical data exposure predating Emperio's current hosted environment" as a leading explanation, which would point to data carried over or left behind during a hosting or platform transition.
The second is the Hudson Rock finding. Infostealers are malware that infect endpoints and harvest sensitive data, ranging from saved login credentials to crypto wallet private keys and financial information. A stealer infection associated with the ANC's domain means at least one machine with access to party resources was compromised, and any credentials it captured could grant an attacker direct, authenticated access that bypasses perimeter defenses entirely. Stolen credentials of this kind are routinely traded and reused, making this a plausible bridge between an individual endpoint compromise and a larger data exposure.
What Organizations Should Do
- Treat infostealer hits as active incidents. Any credential or session token harvested from an infected endpoint should be considered compromised. Force password resets and invalidate active sessions for affected users immediately.
- Subscribe to infostealer and stealer-log intelligence feeds (such as Hudson Rock and equivalents) so credential exposure tied to your domains is detected early, not via a press inquiry.
- Audit historical and migrated data. Breaches often originate in legacy databases, backups, or pre-migration environments outside current management. Inventory where old member and executive data still lives and decommission or secure it.
- Enforce phishing-resistant multi-factor authentication (MFA) across all member, staff, and executive accounts so stolen passwords alone cannot grant access.
- Prepare incident communications before you need them. Reflexive public denial that is later reversed damages credibility; align legal, technical, and communications teams on a measured holding statement.
- Provide elevated protection and monitoring for high-value individuals (senior executives, cabinet, and state officials) whose exposure carries outsized targeting and blackmail risk.
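The first two recommendations above (treat every stealer-log hit as an active incident; match feed data against your own domains so exposure is caught early) can be reduced to a small, repeatable triage step. The following is an added example written for this article; it is not code from the ANC, Emperio, Hudson Rock or any other vendor. The record field names, the domains, the accounts and the sample hits are all constructed assumptions standing in for whatever shape a real stealer-log feed delivers.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample records. The field names are assumptions about what a
# stealer-log feed might deliver; no real feed schema or real victim is implied.
SAMPLE_STEALER_HITS = [
    {"victim_email": "alice@example-party.org",
     "url": "https://members.example-party.org/login",
     "has_password": True, "session_cookies": ["sid=REDACTED"],
     "stealer": "constructed-stealer-A", "captured_at": "2025-05-12T03:14:00Z"},
    {"victim_email": "bob@personal-mail.test",
     "url": "https://webmail.example-party.org/",
     "has_password": True, "session_cookies": [],
     "stealer": "constructed-stealer-B", "captured_at": "2025-05-13T22:01:00Z"},
    {"victim_email": "carol@other-org.test",
     "url": "https://shop.unrelated.test/account",
     "has_password": True, "session_cookies": ["sid=REDACTED"],
     "stealer": "constructed-stealer-A", "captured_at": "2025-05-10T09:30:00Z"},
    {"victim_email": "alice@example-party.org",
     "url": "https://vpn.example-party.org/",
     "has_password": False, "session_cookies": ["vpnsess=REDACTED"],
     "stealer": "constructed-stealer-A", "captured_at": "2025-05-12T03:15:00Z"},
]

ORG_DOMAINS = {"example-party.org"}                 # domains the organization owns (constructed)
HIGH_VALUE_ACCOUNTS = {"alice@example-party.org"}   # e.g. senior officials (constructed)


@dataclass
class ResponseAction:
    account: str
    priority: str                       # "critical" for high-value accounts, else "high"
    reasons: list = field(default_factory=list)
    steps: list = field(default_factory=list)


def _host_in_org(url: str, org_domains: set) -> bool:
    """True if the captured login URL points at a host on one of our domains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in org_domains)


def _email_in_org(email: str, org_domains: set) -> bool:
    """True if the victim mailbox itself is on one of our domains."""
    return email.rsplit("@", 1)[-1].lower() in org_domains


def triage_stealer_hits(hits, org_domains=ORG_DOMAINS, high_value=HIGH_VALUE_ACCOUNTS):
    """Return one ResponseAction per affected account, most urgent first.

    A hit is 'ours' if either the victim's e-mail is on an org domain or the
    captured login URL targets an org host: a personal mailbox used to sign in
    to an org service still exposes the org. Every such hit is treated as an
    active incident regardless of its age.
    """
    actions = {}
    for hit in hits:
        email = hit["victim_email"].lower()
        if not (_email_in_org(email, org_domains) or _host_in_org(hit["url"], org_domains)):
            continue
        action = actions.setdefault(
            email,
            ResponseAction(account=email,
                           priority="critical" if email in high_value else "high",
                           steps=["force password reset", "open incident ticket"]))
        host = urlparse(hit["url"]).hostname
        action.reasons.append(
            f"{hit['stealer']} captured login for {host} at {hit['captured_at']}")
        if hit["session_cookies"] and "invalidate active sessions" not in action.steps:
            # A stolen session cookie bypasses the password (and MFA) entirely,
            # so a reset alone is not enough; live sessions must be revoked too.
            action.steps.append("invalidate active sessions")
        if hit["has_password"] and "check credential reuse on other org services" not in action.steps:
            action.steps.append("check credential reuse on other org services")
    # Critical accounts first, then accounts seen in the most distinct hits.
    return sorted(actions.values(),
                  key=lambda a: (a.priority != "critical", -len(a.reasons), a.account))


if __name__ == "__main__":
    for a in triage_stealer_hits(SAMPLE_STEALER_HITS):
        print(f"[{a.priority.upper()}] {a.account}")
        for r in a.reasons:
            print("   reason:", r)
        print("   steps :", "; ".join(a.steps))
```

Two design points matter here. The match is on both the victim mailbox and the login host, because an infected personal machine signing in to an organization's webmail or VPN is exactly the endpoint-to-organization bridge described above, and a feed filtered on e-mail domain alone would miss it. And a captured session cookie adds "invalidate active sessions" as a separate step: rotating the password does nothing against a token that is already valid.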
Sources: ANC investigates Black X hack — "Senior executive may be included" – MyBroadband