FEBRUARY 17, 2026
Threat Intelligence
DAF SENEGAL DATA LEAK
Executive Summary
In February 2026, the ransomware group Green Bloods publicly claimed responsibility for a cyber intrusion targeting the Directorate of File Automation (DAF), Senegal. The group alleges exfiltration of national identity records, biometric enrollment data, civil registry documentation, and backup repositories. Sample screenshots were published on the actor’s leak platform; however, no official confirmation has been issued by DAF at the time of reporting.
If validated, this incident represents a structural compromise of Senegal’s national identity infrastructure rather than an isolated system breach. Identity authorities serve as foundational trust anchors for governance, financial systems, and border management. Exposure of such systems introduces long-term systemic risk across multiple sectors.
Severity: Critical
Intelligence Confidence: Moderate (based on actor claims and limited sample disclosures; full scope unverified)
Victim Profile
The Directorate of File Automation (DAF) is a government authority responsible for national identity card issuance, biometric enrollment and verification, civil registry management, immigration databases, and archival systems. These platforms collectively underpin citizen identification, public service access, banking KYC processes, and immigration enforcement.
National identity agencies are increasingly attractive ransomware targets due to the high coercive value of biometric and civil data. Unlike financial systems where credentials can be reset, identity records—particularly biometrics—are persistent and difficult to remediate. A compromise of such infrastructure can therefore generate prolonged operational and reputational impact.
The strategic importance of DAF lies in its role as custodian of primary identity data. Disruption or manipulation of this data can cascade into financial fraud, document forgery, immigration abuse, and erosion of trust in digital governance systems.
Threat Actor Overview
Green Bloods is a ransomware group operating within the broader double-extortion ecosystem. The group publicly attributed the attack to itself and released sample data to increase pressure. While limited technical indicators are available, the operational model appears consistent with financially motivated ransomware campaigns involving data exfiltration prior to potential encryption.
The targeting pattern aligns with a broader ransomware trend toward high-impact public sector institutions. Government identity systems present attractive leverage due to reputational risk and the sensitivity of citizen data.
Although the initial access vector remains unconfirmed, the alleged access to core databases and backup repositories suggests:
Lateral movement within internal networks
Privileged credential compromise
Potential exploitation of exposed remote services or unpatched systems (intelligence gap)
There is currently no evidence indicating state-sponsored or ideological motivation. The available indicators support an assessment of financially driven extortion activity.
Assessment of Sophistication: Moderate to High
Alleged backend database and backup access suggests structured post-compromise activity rather than opportunistic intrusion.
Overview of the Exposed Data
Based on the sample data allegedly leaked by Green Bloods, multiple categories of confidential information were compromised. The exposed datasets suggest a deep infiltration into identity management and civil registration systems. Below is a breakdown of the impacted records and their potential consequences.
1. National Identity Card
The leaked screenshot reportedly contains detailed information from citizens’ National Identity Cards. Such data typically includes:
Full legal name
Date and place of birth
National identification number
Photograph
Address details
Issuance and expiration dates
Potential Impact:
Exposure of national ID data significantly increases the risk of identity theft, financial fraud, impersonation, and unauthorized access to government or banking services.
2. Biometric Identity Card application form
Another compromised dataset includes biometric identity card application forms. These forms often contain:
Fingerprint data
Digital photographs
Personal demographic details
Application tracking information
Potential Impact:
Biometric data breaches are particularly severe because biometric identifiers—such as fingerprints—cannot be changed like passwords. Unauthorized access to this data may enable long-term identity compromise and cross-border fraud.
3. Receipt of application for Biometric Identity Card
The leak also includes receipts issued during the biometric ID application process. These documents may contain:
Applicant reference numbers
Submission dates
Processing center information
Partial personal details
Potential Impact:
Although seemingly less sensitive, such receipts can be used in social engineering attacks, phishing campaigns, and fraudulent claims regarding identity processing.
4. Registration of Birth Certificate
The leaked samples also expose birth certificate registration data. These records typically include:
Child’s full name
Date and place of birth
Parents’ names
Registration numbers
Official registry details
Potential Impact:
Birth certificates form the foundation of legal identity. Their exposure can facilitate identity fabrication, document forgery, and long-term fraud schemes.
5. Personal Identification Files
The breach reportedly includes comprehensive personal identification files, which may aggregate multiple identity documents in a single profile.
Potential Impact:
When attackers obtain consolidated identity files, they gain a complete profile of individuals. This dramatically increases risks of synthetic identity fraud, passport misuse, and illegal migration schemes.
6. Backup Files
Perhaps most concerning is the exposure of backup systems. Leaked samples allegedly show stored copies of passports and other critical documents.
Potential Impact:
Backup files often contain archived data from multiple systems, meaning the breach may be broader than initially disclosed. Attackers accessing backup repositories can extract historical records, previously deleted files, and large volumes of sensitive documentation.
Key Details of the Breach
The incident is assessed as a ransomware operation involving data exfiltration, consistent with a double-extortion model. However, several intelligence gaps remain:
Initial access vector unknown
Full volume of exfiltrated data unconfirmed
No official validation of scope
The alleged access to backend databases and archival systems suggests more than perimeter-level compromise. Such access typically requires credential escalation or sustained lateral movement within internal networks.
Strategically, compromise of national identity systems carries implications beyond immediate ransom considerations. Identity data underpins financial verification, border controls, telecommunications registration, and public administration. Exposure therefore increases the risk of secondary exploitation by criminal networks and transnational fraud actors.
If biometric data exposure is confirmed, remediation options are inherently limited due to the persistent nature of biometric identifiers.
Key Recommendations to Prevent Cyber Incidents
Activate Incident Response Immediately: Conduct a forensic investigation, contain the breach, and assess the full impact.
Deploy SIEM & UEBA (Gurucul): Implement Gurucul for real-time threat detection, user behavior analytics, and insider threat monitoring.
Enforce Strong Access Controls: Implement MFA, least-privilege access, and Zero Trust architecture for all critical systems.
Network Segmentation: Isolate citizen databases, biometric systems, immigration records, and backup infrastructure.
Encrypt Sensitive Data: Apply strong encryption for data at rest and in transit, especially biometric and identity records.
Secure & Test Backups: Maintain immutable/offline backups and regularly test restoration processes.
Continuous Monitoring & Audits: Conduct regular security audits, penetration testing, and 24/7 monitoring of critical systems.
Overall Assessment
If validated, the alleged breach of DAF Senegal represents a Critical compromise of sovereign identity infrastructure with prolonged systemic risk. While confirmation of full scope remains pending, the nature of the targeted datasets warrants sustained monitoring and strategic reassessment of identity system protection frameworks.