Government identity systems under ransomware siege

Force in Play

How criminal groups are targeting the databases that make citizens legible to their own governments

February 10th, 2026: Senegal confirms breach, suspends ID card production

Overview

Senegal's entire population of 19.5 million people may have had their biometric data stolen in a ransomware attack on the government agency that issues national ID cards and passports. A newly emerged group called Green Blood claims it exfiltrated 139 gigabytes of citizen records—including fingerprints, photographs, and identity documents—from the Directorate of File Automation, forcing the agency to suspend operations in early February 2026.

The attack follows a pattern that has intensified since 2022: criminal groups targeting the identity infrastructure that governments depend on to verify who their citizens are. Costa Rica declared a national emergency after ransomware shut down 27 ministries. Argentina saw its entire national ID database offered for sale on the dark web. Albania severed diplomatic ties with Iran after state-backed hackers crippled its government systems. For countries racing to digitize citizen services, these attacks expose a vulnerability at the heart of modern governance—the databases that make populations legible to their own states.

Key Indicators

19.5M: Potentially affected citizens. Senegal's entire population relies on DAF for identity documents.
139 GB: Data allegedly stolen. Includes biometric records, immigration documents, and citizen database.
322: Government ransomware attacks in 2024-2025. A 235% increase over the previous year globally.
$84M: Digital ID contract value. IRIS Corporation's contract to produce Senegal's biometric ID cards.

Timeline

April 2022 to February 2026 · 9 events · Latest: February 10th, 2026
  1. Senegal confirms breach, suspends ID card production

    Latest Response

    The Senegalese government acknowledges the cyberattack and temporarily closes the DAF to assess the breach's impact on 19.5 million residents while working to restore services.

  2. Green Blood claims responsibility for DAF breach

    Escalation

    The Green Blood ransomware group publishes evidence of the breach on its dark web site, claiming to have stolen 139 gigabytes of biometric and citizen data.

  3. IRIS Corporation alerts Senegalese officials

    Response

    Senior general manager Quik Saw Choo emails Senegalese officials warning of the breach, noting that network access was cut and passwords changed on affected servers.

  4. Hackers breach Senegal's national ID servers

    Breach

    Attackers penetrate two servers at Senegal's Directorate of File Automation, stealing card personalization data from one server. IRIS Corporation detects the intrusion.

  5. Malawi passport system hit by ransomware

    Precedent

    Malawi's Department of Immigration and Citizenship Services suffers an attack compromising its ePassport issuance system, suspending passport services for at least two weeks.

  6. India's Aadhaar breach exposes 815 million records

    Precedent

    A hacker claims to have stolen personal information of 815 million Indians from the Aadhaar biometric ID system, including identity numbers, passport details, and addresses.

  7. Iran-linked hackers attack Albania

    Precedent

    Iranian state-backed hackers shut down Albanian government websites and services using ransomware and disk-wiping malware, leading Albania to sever diplomatic ties with Iran.

  8. Costa Rica declares national emergency over ransomware

    Precedent

    President Rodrigo Chaves declares the first-ever national emergency caused by a cyberattack after Conti cripples tax collection, payroll, and social security systems.

  9. Conti ransomware hits Costa Rica

    Precedent

    Russian ransomware group Conti attacks Costa Rica's Ministry of Finance, beginning a campaign that would affect 27 government ministries and prompt a national emergency declaration.

Historical Context

3 moments from history that rhyme with this story — and how they unfolded.

April-May 2022

Costa Rica National Emergency (2022)

The Russian ransomware group Conti attacked Costa Rica's Ministry of Finance on April 17, 2022, eventually compromising 27 government ministries. The attackers stole 672 gigabytes of data from the Finance Ministry alone and demanded $10 million in ransom. Tax collection, government payroll, and social security payments ground to a halt.

Then

President Rodrigo Chaves declared a national emergency on May 8—the first ever caused by a cyberattack. After he refused to pay, Conti published 97% of the stolen data. Daily economic losses were estimated at $30 million.

Now

Costa Rica rebuilt with help from the United States, Israel, Spain, and Microsoft. The attack demonstrated that ransomware could effectively hold an entire government hostage and set a precedent for national emergency declarations in response to cyberattacks.

Why this matters now

Like Senegal, Costa Rica faced an attack that shut down citizen-facing government services. The key difference: Costa Rica's attack targeted financial systems, while Senegal's targets identity infrastructure—data that cannot be 'reset' like tax records.

September-October 2021

Argentina National Registry Breach (2021)

A hacker penetrated Argentina's RENAPER (National Registry of Persons) using a compromised VPN account from the Ministry of Health. The attacker published ID card photos of 44 celebrities—including Lionel Messi and the president—on Twitter as proof, then offered the entire database of 45 million citizens for sale on dark web forums.

Then

The government initially denied any breach occurred, claiming only 19 photos were accessed. The hacker contradicted this, stating they possessed a copy of the entire RENAPER database and would continue selling access.

Now

The incident exposed vulnerabilities in Argentina's identity infrastructure and raised questions about government transparency when national ID systems are compromised. Unlike ransomware attacks, no systems were encrypted—the data was simply stolen.

Why this matters now

Argentina's breach showed that national ID databases are vulnerable even without ransomware. Both incidents expose biometric data for entire populations, but Senegal faces a more aggressive adversary using double-extortion tactics.

July-September 2022

Albania-Iran Cyberattack and Diplomatic Break (2022)

Iranian state-backed hackers identifying as 'HomeLand Justice' attacked Albanian government systems in July 2022, deploying ransomware and disk-wiping malware. The FBI determined Iran had maintained access for 14 months before striking. A second attack in September targeted Albania's border control system.

Then

Albania expelled all Iranian diplomats and severed diplomatic ties on September 6, 2022—the first time any country had cut relations over a cyberattack.

Now

The attack demonstrated that government systems could be targeted for political retaliation, not just profit. It also showed that sophisticated attackers often maintain long-term access before launching visible operations.

Why this matters now

The Albania case shows government identity systems (border control, citizen records) are targets for both criminal and state actors. While Senegal's attackers appear financially motivated, the vulnerability is the same: once inside, attackers can steal or destroy data that citizens depend on.
