Press Council Member
June 2026
South Africa's Digital Infrastructure Is Under Siege, and the Government Isn't Ready
Three separate cyber attack campaigns ran almost simultaneously across May and June 2026: a carpet bombing of the nation's internet backbone, a politically motivated hacktivist war, and a government ransomware breach that showed attackers can simply walk back in. The common thread is a country that keeps getting hit and keeps responding too slowly.
South Africa just lived through one of the most concentrated waves of cyber assault in its history. Three separate attack campaigns, running almost simultaneously over May and June 2026, exposed exactly how vulnerable the country's digital infrastructure, government systems, and private sector are, and how inadequate the response has been at every level. This is not a future threat. It happened. It is ongoing. And the people tasked with protecting this country's digital backbone are still playing catch-up.
The Carpet Bombing That Knocked South Africa Offline
On 18 May 2026, South Africa's internet infrastructure started going dark. By the morning of 19 May it was everywhere. Major news websites including BusinessTech and News24 were experiencing outages. SARS eFiling went inaccessible. Businesses across the country couldn't reach their email, their cloud systems, or their customers. Downdetector, the platform that tracks outage reports, showed a surge in complaints from across the country from around 10am.
What had happened was a coordinated, large-scale Distributed Denial of Service attack (a DDoS) targeting multiple South African hosting providers and internet infrastructure companies simultaneously. The victims included Xneelo, 1-Grid, Host Africa, Domains.co.za (Diamatrix), Network Platforms, Liquid Intelligent Technologies, Datakeepers, and Seacom, the undersea cable operator that carries a substantial portion of South Africa's international internet traffic.
The technique used is what security specialists call "carpet bombing." Rather than hitting a single server or IP address, the attackers flooded entire IP address ranges belonging to each company, shifting targets constantly across the network and making mitigation a perpetually moving target. The methods combined IP Fragmentation, Carpet Bombing, and DNS Amplification in a multi-vector assault designed to overwhelm defences from multiple directions at once.
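Why flooding whole address ranges is hard to catch with per-address thresholds, shown as an added defensive example that is not part of the original article. The thresholds, the 10-second window and the flow records (RFC 5737 documentation addresses) are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed thresholds, chosen for illustration only.
PER_HOST_BPS = 1e9      # classic rule: one destination IP above 1 Gbps
PER_PREFIX_BPS = 20e9   # aggregate rule: one protected prefix above 20 Gbps
MIN_SPREAD = 0.5        # ...with at least half of its addresses receiving traffic

def detect(flows, prefixes, window_s):
    """flows: (dst_ip, byte_count) records seen in one window of window_s seconds.
    Returns (per-host alerts, per-prefix alerts)."""
    host_bytes = defaultdict(int)
    for dst, nbytes in flows:
        host_bytes[ip_address(dst)] += nbytes

    host_alerts = sorted(str(ip) for ip, b in host_bytes.items()
                         if b * 8 / window_s > PER_HOST_BPS)
    prefix_alerts = []
    for net in map(ip_network, prefixes):
        hit = [b for ip, b in host_bytes.items() if ip in net]
        bps = sum(hit) * 8 / window_s
        spread = len(hit) / net.num_addresses
        if bps > PER_PREFIX_BPS and spread >= MIN_SPREAD:
            prefix_alerts.append((str(net), round(bps / 1e9, 1), spread))
    return host_alerts, prefix_alerts

def constructed_flows():
    """Constructed 10-second sample using RFC 5737 documentation ranges."""
    # Carpet bombing: every address in the /24 gets ~100 Mbps (125 MB in 10 s).
    carpet = [(str(ip), 125_000_000) for ip in ip_network("203.0.113.0/24")]
    # Conventional flood: a single address gets 5 Gbps.
    single = [("198.51.100.7", 6_250_000_000)]
    return carpet + single

if __name__ == "__main__":
    hosts, prefixes = detect(constructed_flows(),
                             ["203.0.113.0/24", "198.51.100.0/24"], window_s=10)
    print("per-host alerts:  ", hosts)
    print("per-prefix alerts:", prefixes)
```

The per-host rule fires only for the conventional flood, while the 25.6 Gbps spread thinly across the /24 is visible only once traffic is summed per prefix.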
"At its peak, inbound attack traffic on one hosting company reached 676 Gigabits per second, close to 700Gbps. That's more than most if not all telecommunications infrastructure companies in South Africa can deal with."
TechCentral / Network Platforms incident report, 19 May 2026
One source reported the assault on Host Africa reached 1 Terabit per second. The attack on Domains.co.za hit 100 Gigabits per second. Seacom confirmed a surge of traffic that temporarily impacted parts of its network. At least five providers were severely disrupted across three days. Tens of thousands of businesses were affected downstream.
The only real mitigation option available to providers was rerouting traffic to scrubbing centres overseas. Network Platforms sent traffic to a facility in London where junk traffic is filtered before clean data is returned to South Africa. That detour added latency and distance to every legitimate connection passing through it. Ordinary internet users felt that as slow speeds, dropped connections, and inaccessible platforms.
The Ransom That Made No Sense
A group calling itself "Black Matter" sent ransom emails to multiple affected companies. The demand in each case was 2.5 Monero, a privacy-focused and nearly untraceable cryptocurrency, equivalent to approximately R16 000 at the time. That figure is the most suspicious element of this entire story.
Cost to mount a 300Gbps DDoS attack: At least US$5 000 per target, per incident, according to a senior South African network security specialist who spoke to TechCentral.
Duration of attacks: Hours at a time, across multiple simultaneous targets.
Estimated total attack cost to perpetrators: Hundreds of thousands of US dollars.
Amount demanded per victim: R16 000, roughly US$870.
Conclusion from experts: Money was not the primary motive.
Dr Manny Corregedor, CEO of Telspace Africa, articulated the theory that security experts keep returning to: the attacks were a smokescreen. A well-funded actor, possibly a nation-state, using the chaos to map South Africa's network dependency trees, locate single points of failure like undersea cable landing stations, and test the latency of international scrubbing centres. The disruption was the product. The R16 000 demand was window dressing.
Specialised Security Services (SSS) explicitly warned that the DDoS attacks may have been running cover for simultaneous data breach attempts. They reported that on 20 May, during the height of the campaign, a sophisticated attack on their own infrastructure combined a high-volume DDoS flood with an active breach attempt designed to exfiltrate sensitive information. They neutralised it within 13 minutes through preparation and protocol. Most organisations in South Africa would not have.
Who Is "Black Matter"?
The name is borrowed. The original BlackMatter ransomware group disappeared years ago, though the name has resurfaced periodically in operations since. Jayson O'Reilly, MD at CYBER1 Solutions, described the group as one that is "constantly staging its 'death' and 'rebirth' to shake off law enforcement." He noted the organisation is thought to operate from safe-haven jurisdictions, primarily Russia and the Commonwealth of Independent States, making any physical enforcement response virtually impossible. Transactions run through Monero and obfuscated cryptocurrency mixing services designed to leave no trace.
The American Cyber Defence Agency has documented BlackMatter actors demanding ransoms ranging from $80 000 to $15 million in previous US operations. The R16 000 demand doesn't fit that profile at all, which reinforces the theory that whoever ran this campaign used the BlackMatter name as a flag of convenience, not an accurate identity. None of the affected companies paid.
#OpSouthAfrica: When Xenophobia Became a Cyberwar
Running almost simultaneously with the infrastructure bombing, and almost certainly not coincidentally, a politically motivated hacktivist campaign tore through South African government systems.
The trigger was the wave of violent anti-foreigner protests that erupted in early May 2026, targeting Nigerian nationals and other foreign workers across several South African metros. President Cyril Ramaphosa publicly condemned the violence, describing the perpetrators as "opportunists exploiting legitimate grievances." The Nigerian government threatened to cancel licences of South African companies operating in Nigeria. Ghana issued an evacuation notice for its citizens. Human Rights Watch condemned insufficient police response.
A group of hackers decided to fight back in a different arena.
Starting around 17 May 2026, Nullsec Nigeria, also operating as Anonymous Nigeria, posted claims on Telegram and hacker forums under the hashtag #OpSouthAfrica, declaring it had pulled approximately 11 gigabytes of documents out of South African government systems and would keep leaking unless attacks on Nigerians stopped.
"Unless the government of South Africa ends these xenophobic attacks on Nigeria, we'll expose everything about you, your evil deeds will be exposed, and the world shall know."
Nullsec Nigeria via Telegram, May 2026
The claimed targets were substantial: the South African Civil Aviation Authority, the South African National Space Agency, the South African Social Security Agency, the Department of Human Settlements, the National Housing Finance Corporation, the Department of Correctional Services, and the Ephraim Mogale Local Municipality. Stolen data allegedly included full databases, citizens' personally identifiable information, financial records, and internal employee data.
On 23 May, Nullsec posted claims of breaches at the South African Revenue Service (SARS) and the State Information Technology Agency (SITA). SARS responded on 25 May with a flat denial: "These claims are false and unsubstantiated. At this stage, there is no evidence that SARS's systems have been compromised." SITA issued a similar statement.
Daily Maverick's dark web contacts at DarkNotify could not independently verify the method of attack. The assumption among analysts is that phishing was the primary entry method, not sophisticated zero-day exploits. What the campaign lacked in technical complexity it made up for in coordination, political timing, and visibility.
Whether or not every claim holds up forensically, the material independently viewed, including tender documents from the Department of Correctional Services containing bid invitation notices, awarded contract records, banking details, and internal approval chains, is real. That is exactly the raw material that fuels business email compromise and supplier-impersonation fraud, both of which already drive a significant share of South Africa's annual cyber losses.
Under POPIA, every organisation that held the personal data allegedly exposed carries a continuing obligation to notify the Information Regulator and affected individuals, regardless of whether a government department has issued a denial. That obligation does not wait for a forensic report.
Stats SA and the Pattern No One Wants to Name
Before the May wave hit, Statistics South Africa was already dealing with its own crisis. Hacker group XP95 claimed to have stolen 154 gigabytes of private data from the national statistics office, demanding $100 000 in ransom. Stats SA confirmed a breach of its HR database, the portal used by job seekers to apply online, and stated clearly it would not pay.
What followed illustrated the most dangerous and underreported pattern in South African cybersecurity: the attacker came back.
Cybersec Clinique CEO Doreen Mokoena explained it directly: "When attackers return two weeks after a breach and exfiltrate more data, it usually means the initial incident response focused on restoring systems rather than removing the attacker. Persistent access, stolen credentials and poor log visibility allow threat actors to walk back in."
The attacker came back a second time to the same organisation. That happens when the first response focuses on restoring systems rather than actually removing the threat. It was a cleanup, not an eviction. This is not an anomaly in South Africa. It is the default outcome when organisations treat breach response as a restoration exercise rather than a forensic investigation.
South Africa Is Losing This War
These three attacks didn't happen in a vacuum. They are the loudest moments in a continuous assault. South African organisations experience an average of 1 450 cyberattacks per week each. Between July and December 2025 alone, the country recorded 171 812 DDoS attacks. NETSCOUT's global rankings place South Africa at number one worldwide for DDoS attacks on insurance agencies, commercial banking, portfolio management services, and computer systems design. Within the EMEA region, South Africa ranks fifth most targeted overall.
INTERPOL reported a 17% rise in AI-assisted cybercrime across Africa in 2025, with South Africa among the worst affected. Cloudflare blocked more than 7.3 million DDoS attacks globally in a single quarter, including attacks peaking at 7.3 Terabits per second. What attackers can do technically keeps growing, and what it costs them to do it keeps shrinking.
Tools for launching DDoS attacks are cheap, accessible, and rentable as a service on underground forums. AI is now being used to automate reconnaissance, map network environments, and tailor attacks at scale before a human operator even gets involved. The attacker no longer needs to be sophisticated. They just need their target to be unprepared. In South Africa’s case, that bar is being cleared regularly.
Up to 95% of South African data breaches are linked to avoidable human error: phishing clicks, weak passwords, no staff training, no incident response protocols. Companies that run major digital transformation programs without building equivalent security capacity are handing attackers a gift. And the financial sector, supposedly the country's most protected vertical, is simultaneously its most targeted.
The Government Response Gap
The most damning finding from the May attacks isn't the scale of the disruption. It's what didn't happen afterwards.
"If this had happened in the UK, the US or Australia, there would already be a government-level task team."
Senior SA network security specialist, TechCentral, May 2026
What South Africa got was a minister engaging with the presidency to ensure a "coordinated whole-of-government approach." An engagement. Not a task team. Not a national cyber incident response unit deployed within hours of an attack of this scale. An engagement with the presidency.
South Africa has the Cybercrimes Act, POPIA, and the Critical Infrastructure Protection Act. The legislation exists. What doesn't exist is the operational muscle to enforce any of it at the speed these attacks move, and the political will to treat cybersecurity as a genuine national security priority rather than an IT department budget line.
While government deliberated, the private sector held the line. Network Platforms refused to pay. Providers rerouted to overseas scrubbing centres at their own cost. SSS neutralised their own breach attempt in 13 minutes. The private sector did what the government couldn't, and that is a problem, because not every organisation in this country has a 13-minute incident response capability sitting ready to go.
The acute phases of these three campaigns appear to have eased. The carpet bombing stopped after providers refused to pay and activated mitigation. The #OpSouthAfrica pressure has quietened as diplomatic channels between South Africa and Nigeria opened. But "eased" is not "over."
NETSCOUT's 4 June 2026 assessment was explicit: this is not a resolved situation. It is an escalation in the baseline. The same infrastructure vulnerabilities that made South Africa a target in May still exist today. The same government response gaps still exist. The same baseline of 171 000-plus DDoS attacks per half-year continues.
Anyone operating digital infrastructure in South Africa right now, including hosting providers, financial institutions, government departments, media organisations, and any business that depends on internet connectivity, should be treating the current threat environment as persistent, not as something that passed once the headlines moved on.
The question is no longer whether South Africa will be hit again. It's whether South Africa will be ready when it happens. Based on everything the past six weeks have shown, the honest answer is: not yet.
