ANC investigates Black X hack — “Senior executive may be included”
The African National Congress (ANC) has launched an investigation following claims its systems were breached by the hacker group known as Black X.
It said that it was engaging with the South African Police Service (SAPS) and the State Security Agency (SSA) as the affected data “may include senior executive members in cabinet and state.”
On 14 May, MyBroadband reported on claims made by Black X. Data samples the group shared were purported to be private data of ANC members.
Dimitri Fousekis, chief technology officer and co-founder of South African cybersecurity firm Bitcrack Cyber Security, told MyBroadband that the leak appeared to be authentic.
However, he said it was impossible to say how much data had been acquired, since the full extent of the leak could not be determined. Black X demanded a hefty sum for the database.
When we initially reported on the alleged breach, we contacted the ANC for comment. The party did not respond to our queries and instead publicly denied the breach in a post on X/Twitter.
In the post, the ANC said that reports about the breach were “fake news” and called them “sensationalist.”
“The ANC cautions against reckless speculation and the circulation of unverified claims designed to create unnecessary panic, fear, and political mischief,” it said at the time.
A report by infostealer intelligence firm Hudson Rock then suggested that a malware infection had been linked to the ANC’s Internet domain.
Infostealers are malware that infects computers and harvests sensitive user data. Some just steal login credentials, while others may exfiltrate private keys for crypto wallets and other financial information.
Responding to a follow-up query about the Hudson Rock report, the ANC told MyBroadband that it was aware of Black X’s claims of a data breach.
“The ANC’s service provider, Emperio, undertook a Preliminary Security Incident Assessment in the immediate aftermath of the claim,” it said.
Emperio completed the report and sent it to the Office of the Secretary General, after which the office considered the report and briefed the National Working Committee on the findings.
“Emperio’s preliminary investigation identified no conclusive evidence of unauthorised access to the current production database under Emperio’s management,” the ANC said.
“The threat claim is more consistent with an opportunistic threat or extortion attempt, or with possible historical data exposure predating Emperio’s current hosted environment, than with a verified breach.”
The ANC said it had been in communication with the Information Regulator of South Africa since 15 May about the potential breach of private member data.
“The Regulator recorded that it became aware of a possible security compromise on or about 15 May 2026 and set in motion the standing engagement protocol on its side,” the party said.
“Engagement extends, on the ANC’s instance to SAPS report and SSA alert as the past data may include senior executive members in cabinet and state.”
ANC in communication with the Information Regulator

The Information Regulator told MyBroadband that the party had not formally reported a security compromise as required in section 22 of POPIA.
This section states that custodians of private data must inform the regulator if outside actors have potentially compromised people’s data.
However, the party and the regulator were engaged in ongoing communications related to the Black X breach claims.
“The ANC, following our communication to them, responded extensively, and we are still processing and considering their submission,” the regulator said.
“We will thereafter determine the way forward or the course of action we will take.”
The party said that, through Emperio, its ICT provider, it has taken measures to strengthen its standing security architecture.
This began with rotating passwords and credentials and applying additional security patches on its official domain, which the hacker group said it targeted.
“Administrative access exposure, including Remote Desktop Protocol (RDP) access, has been reviewed with a focus on restricting access to trusted sources only,” the ANC said.
“Server and database configuration areas associated with higher risk have been reviewed — privileged access, SQL logins, suspicious changes, backup and export indicators, and high-risk features.”
Emperio was also engaged in ongoing monitoring and log review to identify any new evidence or indicators of compromise that may arise.
Existing vulnerabilities on the ANC’s systems

At the same time, the Office of the Secretary General commissioned a separate External Risk Assessment scan of the party’s public-facing domains and IP addresses.
“That scan, dated 15 May 2026, has surfaced a discrete set of pre-existing hygiene exposures — historical credentials drawn from old third-party breaches,” it said.
It also found typo-squatting domains targeting the ANC’s brand, and outdated security configurations across parts of the public-facing estate. “These exposures are being remediated,” it said.
However, it said these exposures are unrelated to claims made by Black X, as they are separate from the membership system the hacker group said it breached.
An independent analysis by cybersecurity firm Hudson Rock found at least two infostealer malware programs on the ANC’s domain.
In addition to harvesting login credentials, infostealers can hide on computers and quietly collect other data to send to attackers, such as member records.
Hudson Rock indicated that it identified two infostealers: one called DarkCrystal and the other generic. DarkCrystal is a notable infostealer delivered by a trojan.
Trojans require victims to install malware on their own machines. Much like the mythological Trojan Horse, attackers trick victims into running the malicious software in some way.
Security researchers at SOC Prime explained that the DarkCrystal Remote Access Trojan, also known as DCRat or DCR, was used by Russia-linked hackers to target Ukrainian businesses in 2022.
However, it also indicated a potential problem with the Hudson Rock analysis, as DarkCrystal has only been associated with targeting end-user machines, not servers.
The ANC said that Hudson Rock’s analysis does not immediately indicate a breach of the Membership Management System and is more likely to point to a compromise of an individual user.
Fousekis said that the presence of infostealers could be related to the breach claims by Black X, but could not confirm this.
“A leaked credential can give access into an application, thus creating an initial foothold required to exploit the system further, following which they could have got access through a vulnerability of some kind,” he said.
He said that it was unlikely an infostealer like DarkCrystal was on the ANC’s servers, and that, as the ANC indicated, the most common occurrence is user device compromise.
“However, if someone is using the server for ‘Desktop’ type activities, they could have infected it as well,” said Fousekis.
“Our threat intelligence tool ThreatVue shows leaked credentials as current as June 2026 for this domain, which means that there are stealers active on users’ devices who have access to this domain.”