South Africa’s National Credit Regulator (NCR) has become the latest state-linked institution to fall victim to a cyberattack, after ransomware group DragonForce claimed responsibility and published on the dark web more than 42GB of data allegedly taken from the agency.
The NCR disclosed in December that it had suffered a cybersecurity incident that disrupted some of its systems. At the time, the regulator did not provide details about the nature or scale of the breach, citing the need for ongoing investigations.
“As is common with cyber incidents of this nature, we do not know the identities of the individuals responsible for this criminal conduct,” the NCR said in a statement.
How the NCR Responded to the Breach
According to the regulator, internal teams acted swiftly after detecting unusual system activity. Immediate steps were taken to isolate affected systems, disable remote access and introduce enhanced security controls aimed at containing the threat and limiting further disruption.
Recognising the seriousness of the incident, the NCR said it brought in independent cybersecurity specialists to assist with both the investigation and recovery process. Efforts are under way to restore systems securely while ensuring the continuity of essential regulatory operations.
The NCR also confirmed that it notified relevant government and regulatory bodies, including the Information Regulator, in line with legal and compliance requirements.
Uncertainty Around Data Exposure
One of the most pressing concerns remains the nature of the data allegedly compromised. The NCR has said its investigation is ongoing and is focused on verifying the claims made by the attackers, including whether personal or sensitive information has been affected.
“This includes determining the extent to which personal information is involved,” the regulator said, adding that safeguarding stakeholders remains a priority.
At the time of publication, the NCR had not responded to requests for comment regarding the appearance of its data on DragonForce’s leak site.
Advice to Consumers and Stakeholders
As a precaution, the NCR has urged all stakeholders to remain vigilant while the full scope of the breach is assessed. The regulator advised consumers to exercise extreme caution with suspicious emails or messages, avoid clicking on unexpected links and be wary of unusual communications claiming to originate from the NCR.
It also suggested that affected individuals consider applying for Protective Registration with the Southern African Fraud Prevention Service (SAFPS). While free, this additional layer of protection against identity fraud can involve administrative requirements.
Who Is DragonForce?
DragonForce is believed to be a ransomware-as-a-service group that first emerged in 2023. Unlike traditional hacking collectives, the group operates an affiliate-based model, offering freelance attackers access to ransomware tools, negotiation platforms, encrypted storage and ready-made leak sites.
Affiliates are required to share a portion of any successful extortion payments with DragonForce, making it a decentralised but highly scalable operation.
The group attracted international attention in June 2025 after being linked to cyberattacks on major UK retailers, signalling its growing reach beyond isolated targets.
Shift to a Ransomware Cartel
According to cybersecurity firm Trend Micro, DragonForce announced a significant operational shift on 19 March 2025, rebranding itself as the DragonForce Ransomware cartel.
Under this model, affiliates were encouraged to create their own brands while continuing to use DragonForce’s infrastructure and tools. Security researchers noted that this marked a strategic change that was quickly followed by further developments in the group’s activities.
Like many modern ransomware gangs, DragonForce relies on a double-extortion strategy. Attackers exfiltrate sensitive data before encrypting systems, then demand payment both for a decryption key and for withholding the stolen data from public release.
Growing Cybersecurity Risks for Public Institutions
The attack on the NCR highlights the increasing cyber risks facing public sector institutions, particularly those that hold sensitive financial and personal information. As ransomware groups become more organised and commercially driven, state agencies are finding themselves under pressure to strengthen defences while maintaining public services.
For now, the NCR says its focus remains on securing its systems, continuing essential operations and keeping stakeholders informed as the investigation progresses. The publication of alleged data on the dark web has added urgency to those efforts, underscoring how quickly cyber incidents can escalate from technical disruptions into national concerns.


