Government identity systems under ransomware siege

Overview

Senegal's entire population of 19.5 million people may have had their biometric data stolen in a ransomware attack on the government agency that issues national ID cards and passports. A newly emerged group called Green Blood claims it exfiltrated 139 gigabytes of citizen records—including fingerprints, photographs, and identity documents—from the Directorate of File Automation, forcing the agency to suspend operations in early February 2026.

The attack follows a pattern that has intensified since 2022: criminal groups targeting the identity infrastructure that governments depend on to verify who their citizens are. Costa Rica declared a national emergency after ransomware shut down 27 ministries. Argentina saw its entire national ID database offered for sale on the dark web. Albania severed diplomatic ties with Iran after state-backed hackers crippled its government systems. For countries racing to digitize citizen services, these attacks expose a vulnerability at the heart of modern governance—the databases that make populations legible to their own states.

Play on this story Voices Debate Predict

Key Indicators

19.5M

Potentially affected citizens

Senegal's entire population relies on DAF for identity documents

139 GB

Data allegedly stolen

Includes biometric records, immigration documents, and citizen database

322

Government ransomware attacks in 2024-2025

A 235% increase over the previous year globally

$84M

Digital ID contract value

IRIS Corporation's contract to produce Senegal's biometric ID cards

Interactive

Exploring all sides of a story is often best achieved with Play.

Ever wondered what historical figures would say about today's headlines?

People Involved

Quik Saw Choo

Alerted Senegalese officials to the breach

Organizations Involved

Directorate of File Automation (DAF)

Government Agency

Operations suspended following cyberattack

Senegal's government office responsible for issuing national ID cards, passports, and managing biometric citizen records.

Green Blood Group

Ransomware Gang

Active threat actor with multiple claimed victims

A newly emerged ransomware operation using double-extortion tactics against targets in Africa, the Middle East, and South Asia.

IRIS Corporation Berhad

Technology Contractor

Contract dispute with Senegal over unpaid invoices

Malaysian company contracted to manufacture and supply 10 million biometric identification cards for Senegal.

Timeline

Senegal confirms breach, suspends ID card production
Response

The Senegalese government acknowledges the cyberattack and temporarily closes the DAF to assess the breach's impact on 19.5 million residents while working to restore services.
February 10th, 2026
Green Blood claims responsibility for DAF breach
Escalation

The Green Blood ransomware group publishes evidence of the breach on its dark web site, claiming to have stolen 139 gigabytes of biometric and citizen data.
February 5th, 2026
IRIS Corporation alerts Senegalese officials
Response

Senior general manager Quik Saw Choo emails Senegalese officials warning of the breach, noting that network access was cut and passwords changed on affected servers.
January 20th, 2026
Hackers breach Senegal's national ID servers
Breach

Attackers penetrate two servers at Senegal's Directorate of File Automation, stealing card personalization data from one server. IRIS Corporation detects the intrusion.
January 19th, 2026
Malawi passport system hit by ransomware
Precedent

Malawi's Department of Immigration and Citizenship Services suffers an attack compromising its ePassport issuance system, suspending passport services for at least two weeks.
July 1st, 2024
India's Aadhaar breach exposes 815 million records
Precedent

A hacker claims to have stolen personal information of 815 million Indians from the Aadhaar biometric ID system, including identity numbers, passport details, and addresses.
October 9th, 2023
Iran-linked hackers attack Albania
Precedent

Iranian state-backed hackers shut down Albanian government websites and services using ransomware and disk-wiping malware, leading Albania to sever diplomatic ties with Iran.
July 15th, 2022
Costa Rica declares national emergency over ransomware
Precedent

President Rodrigo Chaves declares the first-ever national emergency caused by a cyberattack after Conti cripples tax collection, payroll, and social security systems.
May 8th, 2022
Conti ransomware hits Costa Rica
Precedent

Russian ransomware group Conti attacks Costa Rica's Ministry of Finance, beginning a campaign that would affect 27 government ministries and prompt a national emergency declaration.
April 17th, 2022

Scenarios

Predict which scenario wins. Contrarian picks score more — points lock in when the scenario resolves.

Predictions leaderboard

Biometric Data Appears on Criminal Markets

If ransom negotiations fail, Green Blood follows through on threats to publish the data. Biometric records—fingerprints, photographs, identity documents—appear on dark web markets. Unlike passwords, biometric data cannot be reset, creating permanent identity security risks for millions of Senegalese citizens. The data could enable identity fraud, illegal border crossings, and financial crimes for years.

Discussed by: Cybersecurity researchers at Foresiet and Cyble analyzing Green Blood's double-extortion model

Consensus —

Senegal Restores Systems Without Ransom Payment

Following the Costa Rica playbook, Senegal refuses to pay ransom and works with Malaysian and international cybersecurity experts to restore systems from backups. Services resume within weeks, but the government faces difficult questions about whether stolen biometric data remains in criminal hands. The incident prompts a national cybersecurity review.

Discussed by: Government officials and IRIS Corporation cybersecurity team working on recovery

Consensus —

Contract Dispute Complicates Recovery

The ongoing dispute between Senegal and IRIS Corporation over unpaid invoices delays full cooperation on incident response. Recovery efforts stall as both parties negotiate terms. The breach becomes entangled with the commercial relationship, prolonging service disruptions and exposing governance gaps in outsourced identity infrastructure.

Discussed by: Senegalese media reporting on IRIS Corporation payment standoff

Consensus —

Copycat Attacks Target Other African ID Systems

Green Blood's success inspires similar attacks on identity infrastructure across Africa, where government ransomware attacks increased 235% in 2024-2025. Kenya, Nigeria, and South Africa—which saw 12,281 ransomware detections in 2024—face elevated risk as criminal groups recognize that biometric databases are high-value, poorly defended targets.

Discussed by: INTERPOL and African cybersecurity analysts tracking regional threat trends

Consensus —

Historical Context

Costa Rica National Emergency (2022)

April-May 2022

What Happened

The Russian ransomware group Conti attacked Costa Rica's Ministry of Finance on April 17, 2022, eventually compromising 27 government ministries. The attackers stole 672 gigabytes of data from the Finance Ministry alone and demanded $10 million in ransom. Tax collection, government payroll, and social security payments ground to a halt.

Outcome

Short Term

President Rodrigo Chaves declared a national emergency on May 8—the first ever caused by a cyberattack. After he refused to pay, Conti published 97% of the stolen data. Daily economic losses were estimated at $30 million.

Long Term

Costa Rica rebuilt with help from the United States, Israel, Spain, and Microsoft. The attack demonstrated that ransomware could effectively hold an entire government hostage and set a precedent for national emergency declarations in response to cyberattacks.

Why It's Relevant Today

Like Senegal, Costa Rica faced an attack that shut down citizen-facing government services. The key difference: Costa Rica's attack targeted financial systems, while Senegal's targets identity infrastructure—data that cannot be 'reset' like tax records.

Argentina National Registry Breach (2021)

September-October 2021

What Happened

A hacker penetrated Argentina's RENAPER (National Registry of Persons) using a compromised VPN account from the Ministry of Health. The attacker published ID card photos of 44 celebrities—including Lionel Messi and the president—on Twitter as proof, then offered the entire database of 45 million citizens for sale on dark web forums.

Outcome

Short Term

The government initially denied any breach occurred, claiming only 19 photos were accessed. The hacker contradicted this, stating they possessed a copy of the entire RENAPER database and would continue selling access.

Long Term

The incident exposed vulnerabilities in Argentina's identity infrastructure and raised questions about government transparency when national ID systems are compromised. Unlike ransomware attacks, no systems were encrypted—the data was simply stolen.

Why It's Relevant Today

Argentina's breach showed that national ID databases are vulnerable even without ransomware. Both incidents expose biometric data for entire populations, but Senegal faces a more aggressive adversary using double-extortion tactics.

Albania-Iran Cyberattack and Diplomatic Break (2022)

July-September 2022

What Happened

Iranian state-backed hackers identifying as 'HomeLand Justice' attacked Albanian government systems in July 2022, deploying ransomware and disk-wiping malware. The FBI determined Iran had maintained access for 14 months before striking. A second attack in September targeted Albania's border control system.

Outcome

Short Term

Albania expelled all Iranian diplomats and severed diplomatic ties on September 6, 2022—the first time any country had cut relations over a cyberattack.

Long Term

The attack demonstrated that government systems could be targeted for political retaliation, not just profit. It also showed that sophisticated attackers often maintain long-term access before launching visible operations.

Why It's Relevant Today

The Albania case shows government identity systems (border control, citizen records) are targets for both criminal and state actors. While Senegal's attackers appear financially motivated, the vulnerability is the same: once inside, attackers can steal or destroy data that citizens depend on.