Threat Intelligence

DAF Senegal Data Leak

Executive Summary

In February 2026, the ransomware group Green Bloods publicly claimed responsibility for a cyber intrusion targeting the Directorate of File Automation (DAF), Senegal. The group alleges exfiltration of national identity records, biometric enrollment data, civil registry documentation, and backup repositories. Sample screenshots were published on the actor’s leak platform; however, no official confirmation has been issued by DAF at the time of reporting.

If validated, this incident represents a structural compromise of Senegal’s national identity infrastructure rather than an isolated system breach. Identity authorities serve as foundational trust anchors for governance, financial systems, and border management. Exposure of such systems introduces long-term systemic risk across multiple sectors.

Severity: Critical
Intelligence Confidence: Moderate (based on actor claims and limited sample disclosures; full scope unverified)


Victim Profile

The Directorate of File Automation (DAF) is a government authority responsible for national identity card issuance, biometric enrollment and verification, civil registry management, immigration databases, and archival systems. These platforms collectively underpin citizen identification, public service access, banking KYC processes, and immigration enforcement.

National identity agencies are increasingly attractive ransomware targets due to the high coercive value of biometric and civil data. Unlike financial systems where credentials can be reset, identity records—particularly biometrics—are persistent and difficult to remediate. A compromise of such infrastructure can therefore generate prolonged operational and reputational impact.

The strategic importance of DAF lies in its role as custodian of primary identity data. Disruption or manipulation of this data can cascade into financial fraud, document forgery, immigration abuse, and erosion of trust in digital governance systems.

Threat Actor Overview

Green Bloods is a ransomware group operating within the broader double-extortion ecosystem. The group publicly attributed the attack to itself and released sample data to increase pressure. While limited technical indicators are available, the operational model appears consistent with financially motivated ransomware campaigns involving data exfiltration prior to potential encryption.

The targeting pattern aligns with a broader ransomware trend toward high-impact public sector institutions. Government identity systems present attractive leverage due to reputational risk and the sensitivity of citizen data.

Although the initial access vector remains unconfirmed, the alleged access to core databases and backup repositories suggests:

  • Lateral movement within internal networks
  • Privileged credential compromise
  • Potential exploitation of exposed remote services or unpatched systems (intelligence gap)

There is currently no evidence indicating state-sponsored or ideological motivation. The available indicators support an assessment of financially driven extortion activity.

Assessment of Sophistication: Moderate to High
Alleged backend database and backup access suggests structured post-compromise activity rather than opportunistic intrusion.

Overview of the Exposed Data

Based on the sample data allegedly leaked by Green Bloods, multiple categories of confidential information were compromised. The exposed datasets suggest a deep infiltration into identity management and civil registration systems. Below is a breakdown of the impacted records and their potential consequences.

1. National Identity Card

The leaked screenshot reportedly contains detailed information from citizens’ National Identity Cards. Such data typically includes:

  • Full legal name
  • Date and place of birth
  • National identification number
  • Photograph
  • Address details
  • Issuance and expiration dates

Potential Impact:
Exposure of national ID data significantly increases the risk of identity theft, financial fraud, impersonation, and unauthorized access to government or banking services.


2. Biometric Identity Card Application Form

Another compromised dataset includes biometric identity card application forms. These forms often contain:

  • Fingerprint data
  • Digital photographs
  • Personal demographic details
  • Application tracking information

Potential Impact:
Biometric data breaches are particularly severe because biometric identifiers—such as fingerprints—cannot be changed like passwords. Unauthorized access to this data may enable long-term identity compromise and cross-border fraud.


3. Receipt of Application for Biometric Identity Card

The leak also includes receipts issued during the biometric ID application process. These documents may contain:

  • Applicant reference numbers
  • Submission dates
  • Processing center information
  • Partial personal details

Potential Impact:
Although seemingly less sensitive, such receipts can be used in social engineering attacks, phishing campaigns, and fraudulent claims regarding identity processing.


4. Registration of Birth Certificate

The leak also reportedly exposes birth certificate registration data. These records typically include:

  • Child’s full name
  • Date and place of birth
  • Parents’ names
  • Registration numbers
  • Official registry details

Potential Impact:
Birth certificates form the foundation of legal identity. Their exposure can facilitate identity fabrication, document forgery, and long-term fraud schemes.


5. Personal Identification Files

The breach reportedly includes comprehensive personal identification files, which may aggregate multiple identity documents in a single profile.

Potential Impact:
When attackers obtain consolidated identity files, they gain a complete profile of individuals. This dramatically increases risks of synthetic identity fraud, passport misuse, and illegal migration schemes.


6. Backup Files

Perhaps most concerning is the exposure of backup systems. Leaked samples allegedly show stored copies of passports and other critical documents.

Potential Impact:
Backup files often contain archived data from multiple systems, meaning the breach may be broader than initially disclosed. Attackers accessing backup repositories can extract historical records, previously deleted files, and large volumes of sensitive documentation.

Key Details of the Breach

The incident is assessed as a ransomware operation involving data exfiltration, consistent with a double-extortion model. However, several intelligence gaps remain:

  • Initial access vector unknown
  • Full volume of exfiltrated data unconfirmed
  • No official validation of scope

The alleged access to backend databases and archival systems suggests more than perimeter-level compromise. Such access typically requires credential escalation or sustained lateral movement within internal networks.

Strategically, compromise of national identity systems carries implications beyond immediate ransom considerations. Identity data underpins financial verification, border controls, telecommunications registration, and public administration. Exposure therefore increases the risk of secondary exploitation by criminal networks and transnational fraud actors.

If biometric data exposure is confirmed, remediation options are inherently limited due to the persistent nature of biometric identifiers.

Key Recommendations to Prevent Cyber Incidents:

  • Activate Incident Response Immediately – Conduct forensic investigation, contain the breach, and assess full impact.
  • Deploy SIEM & UEBA (Gurucul) – Implement Gurucul for real-time threat detection, user behavior analytics, and insider threat monitoring.
  • Enforce Strong Access Controls – Implement MFA, least-privilege access, and Zero Trust architecture for all critical systems.
  • Network Segmentation – Isolate citizen databases, biometric systems, immigration records, and backup infrastructure.
  • Encrypt Sensitive Data – Apply strong encryption for data at rest and in transit, especially biometric and identity records.
  • Secure & Test Backups – Maintain immutable/offline backups and regularly test restoration processes.
  • Continuous Monitoring & Audits – Conduct regular security audits, penetration testing, and 24/7 monitoring of critical systems.

Overall Assessment

If validated, the alleged breach of DAF Senegal represents a Critical compromise of sovereign identity infrastructure with prolonged systemic risk. While confirmation of full scope remains pending, the nature of the targeted datasets warrants sustained monitoring and strategic reassessment of identity system protection frameworks.