Senegal's government has confirmed a cyber incident affecting IT systems at the Public Treasury beginning 10 May 2026, with unnamed hackers claiming responsibility and threatening to leak 70 gigabytes of sensitive data. This marks the third confirmed attack on a Senegalese public institution in under six months, following intrusions at the national tax authority and the Interior Ministry's identity card division.
What Happened
On 10 May 2026, IT systems at Senegal's Public Treasury began experiencing disruption, with users continuing to report outages in the days that followed. The government officially acknowledged "an incident" affecting the institution. Media reports indicate that an unidentified threat actor has claimed responsibility for the intrusion and is using the stolen data as extortion leverage, threatening public release if demands are not met. The Treasury incident is the latest in a rapid escalation of attacks against Senegalese government infrastructure that began in October 2025 with the Black Shrantac group's compromise of the tax authority, followed by the Green Blood Group's claimed breach of identity card systems in January 2026.
What Was Taken
The threat actor behind the Treasury attack claims to hold 70 gigabytes of sensitive data exfiltrated from Public Treasury systems. While the specific contents have not been publicly itemized, treasury systems typically contain payment records, vendor and payroll data, fiscal transaction logs, and citizen financial information. Set against prior breaches in Senegal, the volume is comparatively modest: Black Shrantac claimed nearly one terabyte from the tax authority and demanded a $10 million ransom, while Green Blood Group claimed 139 terabytes from the Interior Ministry, allegedly including national identity records, biometric data, electoral rolls, and immigration files, portions of which have already surfaced on dark web forums.
Why It Matters
The Treasury intrusion confirms a pattern of sustained targeting of Senegalese state institutions and reflects a continent-wide surge in attacks on African governments. Check Point research cited by RFI places African organizations at an average of 2,940 attacks per week, roughly 700 above the global average, with financial services, government, and consumer goods and services topping the most-attacked sectors in the firm's April Global Threat Intelligence report. Senegal in particular has become a high-visibility target due to its international football profile, recently discovered oil and gas resources, and its 2024 political transition, according to Dakar-based cyber defence specialist Gérard Joseph Francisco Dacosta. Earlier regional incidents underscore the operational and financial stakes: a 2024 cyberattack on the Bank of Uganda resulted in nearly $17 million in stolen deposits, and a January 2025 attack on South Africa's national weather service disrupted aviation and marine forecasts across the region.
The Attack Technique
Specific initial access, lateral movement, and exfiltration techniques used against the Public Treasury have not been disclosed by Senegalese authorities or the threat actor at time of writing. The pattern of recent attacks against Senegalese institutions, however, is consistent with double-extortion playbooks favored by emerging cyber extortion crews: gain initial access to government networks, conduct bulk data exfiltration, and use the threatened release of stolen records as leverage for ransom or notoriety. Both Black Shrantac and Green Blood Group followed this model, with Green Blood Group already releasing sample data publicly to substantiate its claims. Rapid digitalization paired with uneven security maturity across African public-sector environments continues to provide a permissive operating environment for these groups.
What Organizations Should Do
- Audit external attack surface for public-sector systems handling financial, identity, or biometric data, prioritizing internet-exposed portals, file transfer appliances, and legacy web applications commonly targeted for initial access.
- Implement and validate offline, immutable backups of treasury, tax, and identity systems, and rehearse restoration to bound the impact of destructive or extortion-driven incidents.
- Deploy egress monitoring and data loss prevention controls capable of detecting bulk exfiltration in the tens to hundreds of gigabytes, with alerting tuned to anomalous transfers to cloud storage and anonymization services.
- Enforce phishing-resistant multi-factor authentication on all administrative and remote access, and segment treasury and citizen-data systems from general-purpose government networks.
- Establish a national or sector-level incident response capability and information-sharing mechanism so that indicators from one breached ministry quickly inform defenses across other institutions.
- Pre-arrange legal, communications, and law enforcement playbooks for extortion scenarios, including dark web monitoring for leaked data tied to government identifiers.
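As an illustration of the egress-monitoring recommendation above, the following added example (not taken from the source report) flags host-days whose outbound volume is both large in absolute terms and far above that host's own norm, and rates the alert by how much went to cloud storage or anonymization services. The flow records, host names, category labels, and thresholds are all constructed assumptions; real input would come from NetFlow, proxy, or firewall logs enriched with destination categories.

```python
from collections import defaultdict
from statistics import median

GB = 10**9
ABS_THRESHOLD = 10 * GB   # assumed floor for "tens of gigabytes" per host per day
BASELINE_FACTOR = 5       # assumed multiple of the host's usual daily egress
WATCHED = {"cloud-storage", "anonymizer"}  # assumed destination category labels

# Constructed daily flow summaries: (day, internal host, destination category, bytes out)
SAMPLE_FLOWS = [
    ("2026-03-02", "fin-db-01", "partner-bank", 2 * GB),
    ("2026-03-03", "fin-db-01", "partner-bank", 2 * GB),
    ("2026-03-04", "fin-db-01", "partner-bank", 3 * GB),
    ("2026-03-05", "fin-db-01", "partner-bank", 2 * GB),
    ("2026-03-05", "fin-db-01", "cloud-storage", 45 * GB),
    ("2026-03-05", "fin-db-01", "anonymizer", 25 * GB),
    ("2026-03-02", "backup-01", "offsite-backup", 15 * GB),
    ("2026-03-03", "backup-01", "offsite-backup", 15 * GB),
    ("2026-03-04", "backup-01", "offsite-backup", 15 * GB),
    ("2026-03-05", "backup-01", "offsite-backup", 15 * GB),
    ("2026-03-04", "ws-114", "web", 200 * 10**6),
    ("2026-03-05", "ws-114", "cloud-storage", 3 * GB),
]

def detect_bulk_egress(flows, abs_threshold=ABS_THRESHOLD, factor=BASELINE_FACTOR):
    """Return alerts for host-days whose outbound volume is both large and unusual."""
    totals = defaultdict(int)    # (host, day) -> bytes out
    watched = defaultdict(int)   # (host, day) -> bytes out to watched categories
    for day, host, category, nbytes in flows:
        totals[(host, day)] += nbytes
        if category in WATCHED:
            watched[(host, day)] += nbytes
    alerts = []
    for (host, day), total in sorted(totals.items()):
        # Baseline is the median of the host's other days, so a spike cannot
        # raise its own threshold; a host with no other days has baseline 0.
        others = [v for (h, d), v in totals.items() if h == host and d != day]
        baseline = median(others) if others else 0
        if total >= abs_threshold and total >= factor * baseline:
            share = watched[(host, day)] / total
            alerts.append({"host": host, "day": day, "bytes_out": total,
                           "baseline": baseline, "watched_share": round(share, 2),
                           "severity": "high" if share >= 0.5 else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_egress(SAMPLE_FLOWS):
        print(alert)
```

The steady 15 GB nightly backup stays quiet because it matches its own baseline, which is the case a fixed volume threshold alone would alert on every day.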
Sources: As Africa rapidly goes digital, it becomes a prime target for hackers - RFI