The South Africa Cyber Attacks Increase

South Africa has seen increases in social upheaval and other political struggles.  Cyber-attacks are an additional concern for South Africans.  South Africa has experienced 110 cybercrime incidents involving extortion, ransomware, and state hacking in the past five years, according to Orange Cyberdefense’s inaugural Security Navigator Africa report.  This is the highest number in Africa and more than double that of Egypt, which ranked second with 46 incidents between 2020 and September 2025.  However, while Africa faces increased digital threats, countries on the continent are also proving resilient, defying narratives that constrained resources would lead to higher levels of cybercrime.[1]

Charl van der Walt, head of security research at Orange Cyberdefense, said that reliable and objective data on the scope and scale of cybercrime on the African continent remains scarce.  “Our Security Navigator Africa 2025 report seeks to improve our collective understanding of the issue,” he said.  “We approach this mission with a narrow focus on cybercrime itself,  as opposed to cyber-enabled crime, impacting organizations in Africa, as opposed to individuals.” 

Van der Walt added that they documented 340 reports of cyber incidents between 2020 and September 2025 from two sources.  “The first source includes reliable media, government, academic or research reports describing incidents that are publicly available online,” he said.  “Although each entry was carefully verified through the identification of a victim, a perpetrator, and a country in Africa, the possibility of errors, duplicate reports, or misclassification cannot be entirely ruled out.”

They found and analyzed 74 reported unique incidents of this first type for the report. The remaining 266 incidents were extracted from an enriched set of cyber extortion victims.  These were collected from threat actor leak sites on the dark web.  Van der Walt noted that the veracity of the threats and leaks posted by those threat actors could not be individually confirmed.  However, he said they estimate the margin of error this introduces would be small, considering that the threat actors themselves communicate the data on a global scale.  “It adds an objective element which can be benchmarked in ways that media or vendor-reported incidents cannot.”  This also helps compensate for high levels of disclosure and media reporting about breaches in a country like South Africa, which could otherwise skew the results.

Given the number of incidents that can be inferred from leak sites compared to those tracked through public reporting, Orange Cyberdefense felt confident in asserting that cyber incidents in Africa are significantly underreported.

Cybercrime incidents in Africa

Orange Cyberdefense explained that the map infographic in its report represents the two overlapping datasets.  The orange markers indicate victims of cyber extortion as observed from double extortion data leak sites.  These figures are therefore independent of any third-party data source.  The yellow markers indicate apparent ransomware or cyber extortion (Cy-X) incidents as reported publicly in the media.  “Some of these will overlap with the recorded Cy-X incidents, but since identifying these is inconsistent, both datapoints are included,” Orange Cyberdefense stated.  “Other forms of cybercrime incidents reported publicly in the media are shown as purple markers.”

Orange found that cybercrime incidents were experienced across the continent, with the exception of central Africa. Countries of every language, size, and ICT/cyber maturity were affected.

Its analysis found that more mature countries suffer the brunt of incidents, not the less mature ones, as shown by the high volume of incidents involving South African organizations.  “Relative to the size of their economies, the less mature countries suffer from cybercrime more than the raw figures suggest, but the more mature countries still appear to suffer the most,” the report stated.  “Larger economies tend to be more mature, but also attract and enable more cybercrime by volume.”

Maturity, as expressed by the ITU indexes, acts as a proxy indicator for economic strength, which in turn leads to higher volumes of cybercrime.  “The final factor shaping the state of cybercrime on the continent is language,” Orange Cyberdefense stated.  “Language can act as a barrier to many actors who optimize their operations around the more commonly spoken languages globally.”  Therefore, countries where English, French, or Portuguese are spoken are impacted proportionally more than countries like Egypt, where Arabic is the primary language.

Challenging assumptions

“For years, a familiar narrative suggested that Africa’s lower cyber maturity would naturally lead to higher crime. Our findings challenge that assumption,” said Orange Cyberdefense global ethical hacking director Dominic White.  “Across 38 countries covered in the report, the data shows no simple correlation between maturity and incident volume.”

White, who is also managing director of Orange Cyberdefense South Africa, said many nations with emerging cyber frameworks face fewer incidents than their more advanced peers.  “This is because Africa’s story is not one of weakness, but of adaptation, thanks to the ingenuity, collaboration, and resilience that often compensate for limited resources,” said White.  “For those of us who live and work here, this perspective is long overdue.  Africa has always been larger than it appears on most maps, a fact that many Africans are already aware of.  Our size, diversity, and potential are immense.”

White continued that scale is starting to show digitally: in data, devices, and millions of connected lives, from fintech to e-government and energy to education.  “Digital adoption has long been happening here at a different pace with potential to leapfrog legacy technologies,” he said.  “But with rapid connection comes growing exposure and a responsibility to defend what we build.”

 

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122

 

[1] https://mybroadband.co.za/news/security/615523-south-africa-is-under-cyber-attack.html
