17 Targets, 3 Campaigns, 0 Arrests: South Africa Under Siege

Table of contents

The Trigger

This story does not start with a breach. It starts with violence.

In April 2026, anti-migrant protests across Johannesburg, Durban, and Pretoria turned violent. Foreign-owned shops were attacked. On April 20, Cameroonian national Amamiro Chidierbere Emmanuel was beaten by South African National Defence Force personnel in Port Elizabeth. He died five days later. Nigerian national Nnaemeka Matthew Andrew was found dead at Pretoria Central Mortuary after an encounter with Tshwane Metro Police on the same day.

The African Commission on Human and Peoples' Rights issued a condemnation on April 27. The UN Secretary General expressed concern. Nigeria's NiDCOM said the situation was "deteriorating" despite government-to-government engagement. On May 4, Nigeria arranged voluntary repatriation flights for 130 citizens.

Then the hacking started.

Nigerian hacktivist groups launched #OpSouthAfrica, a coordinated digital retaliation campaign targeting South African government agencies and organizations. Nullsec Nigeria, the 404 Crew, and Infernalis began hitting targets in early May. By mid-May, data was circulating on forums and Telegram channels.

At the same time, a separate criminal DDoS extortion campaign was carpet-bombing South African hosting providers and telecom infrastructure. And ransomware operators were still working through government targets they had compromised months earlier.

Three campaigns. Different actors. Different motives. All converging on a country that was already struggling to protect its own citizens, let alone its data.

Campaign One: The Hacktivist Wave

Statistics South Africa (March 2026)

The first major breach of the year hit Stats SA in March. A ransomware group called XP95 exfiltrated 154 GB of data containing approximately 453,000 records from the agency's HR system. The data included job-seeker information, national ID numbers, application files, and personal details.

XP95 demanded $100,000 in ransom. Stats SA refused to pay. The data was subsequently published.

This breach was not part of #OpSouthAfrica but it set the tone. South Africa's state agencies were demonstrably vulnerable, and now everyone knew it.

The ANC Breach (Mid-May 2026)

Around May 14-16, a group calling itself Black Axe claimed to have breached the African National Congress, South Africa's governing political party. The alleged haul: approximately 2 million records totaling about 2 GB, including member details, contact information, and photographs.

Black Axe is a well-documented Nigerian organized crime syndicate with a history spanning decades. Their involvement in a politically motivated data breach adds a layer of complexity. This was not just hacktivism. This was organized crime intersecting with geopolitical grievance.

Ephraim Mogale Local Municipality (Mid-May 2026)

Nullsec Nigeria and the 404 Crew claimed to have breached Ephraim Mogale Local Municipality in Limpopo Province. The stolen data reportedly included tender documents, financial records, and council resolutions.

A local municipality. Tender documents. This is not about embarrassing the national government. This is about demonstrating that even the smallest nodes in South Africa's government network are unprotected.

Department of Correctional Services (May 18-19)

Nullsec Nigeria claimed to have exfiltrated approximately 11 GB of documents from the Department of Correctional Services. Government and prison documents. The breach was reported by Daily Maverick as part of the broader #OpSouthAfrica campaign.

11 GB from the prison system. Inmate records, operational procedures, facility details. In a country with one of the highest incarceration rates in Africa, this data has implications beyond embarrassment.

The Five-Agency Hit (May 18-19)

The same wave hit multiple agencies simultaneously:

South African Civil Aviation Authority (CAA) - The body responsible for regulating civil aviation safety.

South African National Space Agency (SANSA) - The national space program.

South African Social Security Agency (SASSA) - The agency that administers social grants to approximately 28 million beneficiaries. This is the most sensitive target in the list. SASSA holds identity documents, bank details, and biometric data for nearly half the country's population.

Department of Human Settlements - Housing and land administration data.

National Housing Finance Corporation (NHFC) - Financial records related to government housing programs.

Five agencies. One wave. The #OpSouthAfrica groups were not picking targets carefully. They were hitting everything they could reach.

SITA and SARS (May 23)

On May 23, Nullsec Nigeria claimed to have breached the State Information Technology Agency (SITA) and the South African Revenue Service (SARS). Samples of names, email addresses, and passwords were posted.

This is where the story gets complicated. SITA is the centralized IT agency for the South African government. If SITA is compromised, every government system it manages is potentially exposed.

SITA's response was categorical denial. Their head of corporate affairs stated there was "no evidence of any unauthorised access to government data or systems, nor has any breach of security occurred through unlawful methods." They claimed to have conducted a "thorough assessment" of their ICT environment.

The denial stands in direct tension with the samples circulating online. Independent researchers have noted that some of the leaked credentials may be recycled from older breaches, repackaged to inflate the apparent scope. But even recycled credentials demonstrate a failure: if those passwords were never rotated after previous breaches, they may still work.

The Smaller Targets (May 24)

The wave continued hitting softer targets:

CERVI digital health platform - Practitioner metadata, BHF numbers, addresses, and geolocation data from a healthcare platform. No mainstream reporting yet, only cyber community documentation.

Silver Lakes Golf and Wildlife Estate - A private residential estate in Pretoria. Resident and member data.

Bellavista School - Student and registration data from a school.

Sheriff of Randburg West - A small sample of names, emails, and phone numbers from a court officer's system.

A golf estate. A school. A local sheriff's office. The attackers were making a point: nothing in South Africa is protected. Not government. Not healthcare. Not where you live. Not where your children go to school.

Campaign Two: The DDoS Carpet Bombing

While the hacktivist data exfiltration was making headlines, a separate and seemingly unrelated criminal campaign was targeting South Africa's internet infrastructure.

Between May 18 and 22, a group calling itself "Black Matter" launched massive distributed denial-of-service attacks against South African hosting providers and telecom companies. The attacks were accompanied by ransom demands.

The name "Black Matter" deserves scrutiny. The original BlackMatter ransomware group ceased operations in late 2021 under law enforcement pressure. This new group may be adopting the name for brand recognition, or it may be entirely unrelated. Either way, the name is likely a false flag.

The Targets and Scale

Host Africa - Peak attack traffic of 1 Tbps (one terabit per second). Major outage lasting approximately 4 hours. This is an enormous volume of traffic, comparable to the largest DDoS attacks recorded globally.

Seacom - Up to 676 Gbps targeting the undersea cable operator. Seacom connects South Africa to the rest of the world via submarine fiber optic cables. Attacking Seacom is attacking South Africa's connection to the global internet.

Xneelo - Hundreds of Gbps. Xneelo is one of the largest hosting providers in South Africa, serving over 300,000 websites. Their control panel and hosting services experienced significant degradation.

Network Platforms - Large-scale attacks causing infrastructure outages.

1-Grid - Over 100 Gbps sustained for multiple days. 1-Grid hosts approximately 32,000 customers. Widespread outages across their entire platform.

Domains.co.za (Diamatrix) - Approximately 100 Gbps causing service disruptions to one of the country's major domain registrars.

Liquid Intelligent Technologies - Large-scale network disruptions affecting the pan-African telecom provider.

Seven infrastructure providers. Collectively, they serve hundreds of thousands of South African businesses and millions of end users. When these providers go down, email stops working, websites go offline, and businesses that depend on cloud services are paralyzed.

The Economics Do Not Add Up

Here is the part that should concern everyone. The ransom demands were reportedly around R16,000 per target. That is approximately $800 USD.

A DDoS attack at 1 Tbps costs significantly more than $800 to execute. Botnet rental at that scale runs into thousands of dollars per hour. The attack on Host Africa alone, sustained for 4 hours at terabit scale, would cost the attacker far more than the ransom demanded from all targets combined.

This math does not work for a financially motivated criminal. You do not spend $20,000+ on attack infrastructure to demand $800.

Security researchers have suggested several explanations:

The ransom demands may be cover for infrastructure mapping. By attacking every major hosting provider and telecom company simultaneously, the attacker learns which providers have DDoS mitigation, how quickly they respond, what their capacity limits are, and where the single points of failure exist. That intelligence is far more valuable than R16,000.

Alternatively, the attacks may be a proof of capability. Demonstrating the ability to take down South Africa's internet infrastructure at will sends a message that no ransom demand can match.

Or the low ransom demands may be deliberate. If even one provider pays, it creates a precedent and a recurring revenue stream. The real money comes from repeat extortion, not the initial demand.

Regardless of the motive, the result is the same: South Africa's internet infrastructure was stress-tested to failure, and the attacker now has a detailed map of its weaknesses.

Campaign Three: The Ongoing Ransomware

The hacktivist wave and DDoS campaign are the headline stories, but they landed on top of an existing ransomware problem that has been building all year.

Land Bank (January 2026): Ransomware attackers demanded 5 Bitcoin (R5.4 million) after exfiltrating corporate governance records, board documents, and HR records. Finance Minister Godongwana confirmed the attack to parliament. Land Bank refused to pay.

Stats SA (March 2026): The XP95 ransomware group exfiltrated 154 GB and demanded $100,000. Stats SA refused to pay. The data was published.

These are state-owned financial institutions and statistical agencies. They hold some of the most sensitive economic and personal data in the country. And they are being ransomed for amounts that would not cover a mid-range sedan.

SITA's Denial and the Credibility Gap

The State Information Technology Agency's response to the May 2026 attacks deserves its own section because it encapsulates everything wrong with South Africa's cyber posture.

SITA's official position: "There is no evidence of any unauthorised access to government data or systems, nor has any breach of security occurred through unlawful methods."

This statement was issued while data samples from SARS were circulating on forums and Telegram channels. While the Department of Correctional Services breach was being reported by credible media outlets. While five government agencies had been named as compromised in the same campaign.

SITA's defense rests on a technicality. If the breached systems were not managed by SITA directly, then SITA can claim no breach of "its" systems occurred. But SITA is the centralized IT agency for the South African government. Its mandate is to coordinate government IT security. Claiming that the breaches do not count because they happened at individual agencies rather than at SITA itself is like a security company saying the building was robbed but the alarm system was not breached.

Independent researchers have raised valid questions about some of the leaked data. Some credentials may indeed be recycled from previous breaches. Some datasets may be inflated or repackaged. But even if 50% of the claims are exaggerated, the remaining 50% still represents a catastrophic failure of government cybersecurity.

The pattern is familiar. South African government agencies have a long history of denial followed by quiet acknowledgment:

  • TransUnion 2022: Initial denial, then confirmation of 54 million records accessed.
  • Experian 2020: Initial downplaying, then confirmation of 24 million South Africans exposed.
  • Transnet 2021: Denial of ransomware, then admission of "disruption to IT applications."

SITA's denial is not unique. It is the default response. And it erodes every shred of public trust in the government's ability to protect citizen data.

The Track Record

May 2026 is not an anomaly. It is the latest chapter in a pattern that stretches back years.

2019: City Power, Johannesburg's electricity utility, hit by ransomware. Power supply disrupted across the city.

2020: Experian South Africa breached via social engineering. 24 million South Africans and 793,749 businesses exposed. The perpetrator, Karabo Phungula, was sentenced to 15 years in March 2023. He remains the only person convicted for a major South African data breach.

2021: Transnet, the state-owned rail, port, and pipeline company, crippled by ransomware. Port operations at Durban, the busiest port in sub-Saharan Africa, were disrupted for days. Economic losses estimated in the billions of rand.

2022: TransUnion South Africa breached by N4aughtysecTU. 54 million personal records claimed, including President Ramaphosa's. $15 million ransom demanded.

2023: N4aughtySecTU returned, targeting both TransUnion and Experian simultaneously. $60 million demanded ($30 million each).

2025: South African Airways, the national weather service, a major chicken producer, and a large telco all breached in separate incidents within weeks of each other.

January 2026: Land Bank ransomware. R5.4 million Bitcoin demand.

March 2026: Stats SA breach. 154 GB exfiltrated.

May 2026: Everything described in this article.

The frequency is accelerating. The targets are getting more sensitive. The government's response has not changed. Deny, delay, quietly acknowledge, promise to do better, repeat.

POPIA Is a Paper Tiger

South Africa's Protection of Personal Information Act (POPIA) has been law for 12 years. It was supposed to be the regulatory backbone that forced organizations to protect personal data.

The numbers tell a different story.

The largest fine the Information Regulator has ever issued is R5 million (approximately $275,000). That was against the Department of Justice in July 2023, for failing to comply with an enforcement notice related to a ransomware incident. Other fines: R500,000 against Blouberg Municipality. R100,000 against FT Rams Consulting. R100,000 against Lancet Laboratories.

The maximum administrative fine under POPIA is capped at R10 million (approximately $550,000). For context, the EU's GDPR allows fines up to 4% of annual global turnover. The R10 million cap is a rounding error for any large organization and meaningless as a deterrent.

In 2025, amended regulations even allowed organizations to pay fines in installments. You can breach millions of citizens' data and pay the fine on layaway.

Meanwhile, 1,947 security compromises were reported to the Information Regulator in the first months of the 2025-2026 financial year. That is an average of 284 per month. A 40% increase year-on-year.

Breach reports are surging. Fines are trivial. Enforcement is rare. POPIA exists on paper but it does not exist in practice.

The Structural Problem

South Africa is trying to fight 2026 threats with a 2019 posture. The structural issues are well documented:

62% of cybersecurity roles in South Africa remain unfilled. 74% of organizations report that cybersecurity skills are scarcer than general IT skills. You cannot defend what you cannot staff.

There is no unified national incident command structure. When multiple agencies are breached simultaneously, each responds in its own silo. There is no coordinated whole-of-government response. The Minister in the Presidency has acknowledged the "exponential increase" in attacks and promised to "speed up implementation" of the National Cyber Security Framework.

That framework is a decade old. It was published in 2015. In 2026, the government is still promising to implement it.

Single points of failure everywhere. Eskom dominates electricity. Telkom underpins telecom. Seacom and a handful of providers carry the country's international connectivity. A successful attack on any one of these entities has outsized national impact. The DDoS campaign just proved it.

The Information Regulator is underfunded and understaffed. It cannot keep pace with the volume of breach reports, let alone proactively enforce compliance.

Identity infrastructure is brittle. SIM-swap fraud already costs South Africa over R5 billion annually. Cloned voice approvals and synthetic interactions are bypassing traditional mobile authentication. The identity layer that millions of South Africans depend on for banking and government services is fundamentally insecure.

What Happens Next

Three campaigns. Different actors. Different motives. All exploiting the same underlying failures.

The hacktivists exploited unpatched, poorly monitored government systems to make a geopolitical statement. The DDoS extortionists exploited the lack of coordinated infrastructure defense to stress-test the country's internet at minimal cost. The ransomware operators exploited the same weak defenses that every previous attacker exploited, because nothing changed after the last breach or the one before that.

SITA is in denial. The Information Regulator is capped at fines that would not cover the cost of the attacks. 62% of cybersecurity roles are empty. The government is promising to speed up a decade-old framework.

Zero arrests have been made in connection with any of the May 2026 attacks.

South Africa is the most digitized economy on the African continent. It has the most to lose. And right now, it is losing.

17 targets hit across three simultaneous campaigns. Government agencies, political parties, hosting providers, telecom companies, healthcare platforms, schools, residential estates. Nothing was off limits because nothing was protected.

The question is not whether this will happen again. The question is how much worse it will be next time, because the structural conditions that enabled every single one of these attacks remain unchanged.

Check your data. Check your providers. And do not wait for the government to protect you. The evidence suggests they cannot protect themselves.

↓ Download carousel