Government identity systems under ransomware siege

Force in Play
By Newzino Staff

How criminal groups are targeting the databases that make citizens legible to their own governments

February 10th, 2026: Senegal confirms breach, suspends ID card production

Overview

Senegal's entire population of 19.5 million people may have had their biometric data stolen in a ransomware attack on the government agency that issues national ID cards and passports. A newly emerged group called Green Blood claims it exfiltrated 139 gigabytes of citizen records—including fingerprints, photographs, and identity documents—from the Directorate of File Automation, forcing the agency to suspend operations in early February 2026.

The attack follows a pattern that has intensified since 2022: criminal groups targeting the identity infrastructure that governments depend on to verify who their citizens are. Costa Rica declared a national emergency after ransomware shut down 27 ministries. Argentina saw its entire national ID database offered for sale on the dark web. Albania severed diplomatic ties with Iran after state-backed hackers crippled its government systems. For countries racing to digitize citizen services, these attacks expose a vulnerability at the heart of modern governance—the databases that make populations legible to their own states.

Key Indicators

19.5M: Potentially affected citizens. Senegal's entire population relies on DAF for identity documents.
139 GB: Data allegedly stolen. Includes biometric records, immigration documents, and citizen database.
322: Government ransomware attacks in 2024-2025. A 235% increase over the previous year globally.
$84M: Digital ID contract value. IRIS Corporation's contract to produce Senegal's biometric ID cards.

People Involved

Quik Saw Choo
Senior General Manager, IRIS Corporation Berhad (Alerted Senegalese officials to the breach)

Organizations Involved

Directorate of File Automation (DAF)
Government Agency
Status: Operations suspended following cyberattack

Senegal's government office responsible for issuing national ID cards, passports, and managing biometric citizen records.

Green Blood Group
Ransomware Gang
Status: Active threat actor with multiple claimed victims

A newly emerged ransomware operation using double-extortion tactics against targets in Africa, the Middle East, and South Asia.

IRIS Corporation Berhad
Technology Contractor
Status: Contract dispute with Senegal over unpaid invoices

Malaysian company contracted to manufacture and supply 10 million biometric identification cards for Senegal.

Timeline

  1. Senegal confirms breach, suspends ID card production

    Response

    The Senegalese government acknowledges the cyberattack and temporarily closes the DAF to assess the breach's impact on 19.5 million residents while working to restore services.

  2. Green Blood claims responsibility for DAF breach

    Escalation

    The Green Blood ransomware group publishes evidence of the breach on its dark web site, claiming to have stolen 139 gigabytes of biometric and citizen data.

  3. IRIS Corporation alerts Senegalese officials

    Response

    Senior general manager Quik Saw Choo emails Senegalese officials warning of the breach, noting that network access was cut and passwords changed on affected servers.

  4. Hackers breach Senegal's national ID servers

    Breach

    Attackers penetrate two servers at Senegal's Directorate of File Automation, stealing card personalization data from one server. IRIS Corporation detects the intrusion.

  5. Malawi passport system hit by ransomware

    Precedent

    Malawi's Department of Immigration and Citizenship Services suffers an attack compromising its ePassport issuance system, suspending passport services for at least two weeks.

  6. India's Aadhaar breach exposes 815 million records

    Precedent

    A hacker claims to have stolen personal information of 815 million Indians from the Aadhaar biometric ID system, including identity numbers, passport details, and addresses.

  7. Iran-linked hackers attack Albania

    Precedent

    Iranian state-backed hackers shut down Albanian government websites and services using ransomware and disk-wiping malware, leading Albania to sever diplomatic ties with Iran.

  8. Costa Rica declares national emergency over ransomware

    Precedent

    President Rodrigo Chaves declares the first-ever national emergency caused by a cyberattack after Conti cripples tax collection, payroll, and social security systems.

  9. Conti ransomware hits Costa Rica

    Precedent

    Russian ransomware group Conti attacks Costa Rica's Ministry of Finance, beginning a campaign that would affect 27 government ministries and prompt a national emergency declaration.

Scenarios

1. Biometric Data Appears on Criminal Markets

Discussed by: Cybersecurity researchers at Foresiet and Cyble analyzing Green Blood's double-extortion model

If ransom negotiations fail, Green Blood follows through on threats to publish the data. Biometric records—fingerprints, photographs, identity documents—appear on dark web markets. Unlike passwords, biometric data cannot be reset, creating permanent identity security risks for millions of Senegalese citizens. The data could enable identity fraud, illegal border crossings, and financial crimes for years.

2. Senegal Restores Systems Without Ransom Payment

Discussed by: Government officials and IRIS Corporation cybersecurity team working on recovery

Following the Costa Rica playbook, Senegal refuses to pay ransom and works with Malaysian and international cybersecurity experts to restore systems from backups. Services resume within weeks, but the government faces difficult questions about whether stolen biometric data remains in criminal hands. The incident prompts a national cybersecurity review.

3. Contract Dispute Complicates Recovery

Discussed by: Senegalese media reporting on IRIS Corporation payment standoff

The ongoing dispute between Senegal and IRIS Corporation over unpaid invoices delays full cooperation on incident response. Recovery efforts stall as both parties negotiate terms. The breach becomes entangled with the commercial relationship, prolonging service disruptions and exposing governance gaps in outsourced identity infrastructure.

4. Copycat Attacks Target Other African ID Systems

Discussed by: INTERPOL and African cybersecurity analysts tracking regional threat trends

Green Blood's success inspires similar attacks on identity infrastructure across Africa, where government ransomware attacks increased 235% in 2024-2025. Kenya, Nigeria, and South Africa—which saw 12,281 ransomware detections in 2024—face elevated risk as criminal groups recognize that biometric databases are high-value, poorly defended targets.

Historical Context

Costa Rica National Emergency (2022)

April-May 2022

What Happened

The Russian ransomware group Conti attacked Costa Rica's Ministry of Finance on April 17, 2022, eventually compromising 27 government ministries. The attackers stole 672 gigabytes of data from the Finance Ministry alone and demanded $10 million in ransom. Tax collection, government payroll, and social security payments ground to a halt.

Outcome

Short Term

President Rodrigo Chaves declared a national emergency on May 8—the first ever caused by a cyberattack. After he refused to pay, Conti published 97% of the stolen data. Daily economic losses were estimated at $30 million.

Long Term

Costa Rica rebuilt with help from the United States, Israel, Spain, and Microsoft. The attack demonstrated that ransomware could effectively hold an entire government hostage and set a precedent for national emergency declarations in response to cyberattacks.

Why It's Relevant Today

Like Senegal, Costa Rica faced an attack that shut down citizen-facing government services. The key difference: Costa Rica's attack targeted financial systems, while Senegal's targets identity infrastructure—data that cannot be 'reset' like tax records.

Argentina National Registry Breach (2021)

September-October 2021

What Happened

A hacker penetrated Argentina's RENAPER (National Registry of Persons) using a compromised VPN account from the Ministry of Health. The attacker published ID card photos of 44 celebrities—including Lionel Messi and the president—on Twitter as proof, then offered the entire database of 45 million citizens for sale on dark web forums.

Outcome

Short Term

The government initially denied any breach occurred, claiming only 19 photos were accessed. The hacker contradicted this, stating they possessed a copy of the entire RENAPER database and would continue selling access.

Long Term

The incident exposed vulnerabilities in Argentina's identity infrastructure and raised questions about government transparency when national ID systems are compromised. Unlike ransomware attacks, no systems were encrypted—the data was simply stolen.

Why It's Relevant Today

Argentina's breach showed that national ID databases are vulnerable even without ransomware. Both incidents expose biometric data for entire populations, but Senegal faces a more aggressive adversary using double-extortion tactics.

Albania-Iran Cyberattack and Diplomatic Break (2022)

July-September 2022

What Happened

Iranian state-backed hackers identifying as 'HomeLand Justice' attacked Albanian government systems in July 2022, deploying ransomware and disk-wiping malware. The FBI determined Iran had maintained access for 14 months before striking. A second attack in September targeted Albania's border control system.

Outcome

Short Term

Albania expelled all Iranian diplomats and severed diplomatic ties on September 6, 2022—the first time any country had cut relations over a cyberattack.

Long Term

The attack demonstrated that government systems could be targeted for political retaliation, not just profit. It also showed that sophisticated attackers often maintain long-term access before launching visible operations.

Why It's Relevant Today

The Albania case shows government identity systems (border control, citizen records) are targets for both criminal and state actors. While Senegal's attackers appear financially motivated, the vulnerability is the same: once inside, attackers can steal or destroy data that citizens depend on.
