Quick Summary
Executive Summary
La Cour des Comptes du Sénégal, a public sector organization in Senegal, was listed as a victim on the Krybit ransomware group’s dark web portal on June 17, 2026. The listing was identified by SOCRadar’s Dark Web Monitoring service. In the 60 days leading up to this listing, Krybit claimed 28 other victims, with a significant focus on the business services, public sector, and technology sectors. Geographically, victims are predominantly in Germany, Austria, and Paraguay. Krybit primarily targets European entities; the listing of the Senegalese audit institution falls outside that core geography but aligns with the group’s secondary focus on public sector organizations.
Technical Analysis
Initial access analysis, correlated with SOCRadar’s stealer-log telemetry, revealed a potential exposure for the courdescomptes.sn domain. Sixteen records contained corporate usernames, but they were captured on third-party travel and visa-processing portals, not on the organization’s own infrastructure. Only two distinct corporate accounts were observed, with credentials reused across external services, which suggests a limited number of compromised employee endpoints or password reuse rather than a broad organizational compromise. The presence of corporate accounts on third-party services over a ten-month window (August 2025 to mid-June 2026) indicates a credential hygiene gap that initial access brokers commonly exploit.

For ransomware groups like Krybit, credentials harvested by info-stealers are a common initial access vector. Threat actors or initial access brokers acquire fresh logs from underground markets, validate corporate credentials, and use them to gain access to systems like Microsoft 365, VPNs, or remote access portals before deploying ransomware.

While the exposed records in this instance did not directly compromise the institution’s own systems or identity provider, the long duration of credential capture points to persistent risks. Recommended actions include continued monitoring, credential rotation for affected accounts, and endpoint forensics.
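The triage reasoning above (corporate usernames, where they were captured, how many distinct accounts, over what window) can be sketched as follows. This is an added example, not SOCRadar's tooling or code from the report; the record fields (`user`, `url`, `seen`, `pw_fp`), the placeholder domain `corp.example`, and all sample records are constructed, and it goes slightly beyond the reported case by including one record captured on the organization's own host for contrast.

```python
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

CORP_DOMAIN = "corp.example"  # placeholder, not the domain from the report

# Constructed sample records; field names (user, url, seen, pw_fp) are assumed.
RECORDS = [
    {"user": "a.user@corp.example", "url": "https://visa.portal.example/login", "seen": "2025-08-14", "pw_fp": "k1"},
    {"user": "a.user@corp.example", "url": "https://travel.booking.example/signin", "seen": "2026-01-09", "pw_fp": "k1"},
    {"user": "A.User@corp.example", "url": "https://corp.example.visa.portal.example/", "seen": "2026-03-02", "pw_fp": "k2"},
    {"user": "b.user@corp.example", "url": "https://travel.booking.example/signin", "seen": "2026-06-11", "pw_fp": "k3"},
    {"user": "b.user@corp.example", "url": "https://vpn.corp.example/auth", "seen": "2026-06-12", "pw_fp": "k3"},
    {"user": "someone@mail.example", "url": "https://visa.portal.example/login", "seen": "2026-02-01", "pw_fp": "k4"},
]

def is_own_host(host, corp_domain):
    """True only for the domain itself or a real subdomain, not a lookalike."""
    return host == corp_domain or host.endswith("." + corp_domain)

def triage(records, corp_domain):
    """Group corporate-username records by account and capture location."""
    acct = defaultdict(lambda: {"own": set(), "external": set(), "fp_hosts": defaultdict(set), "dates": []})
    for r in records:
        user = r["user"].strip().lower()
        if not user.endswith("@" + corp_domain):
            continue  # not a corporate identity
        host = (urlsplit(r["url"]).hostname or "").lower()
        a = acct[user]
        bucket = "own" if is_own_host(host, corp_domain) else "external"
        a[bucket].add(host)
        a["fp_hosts"][r["pw_fp"]].add(host)
        a["dates"].append(date.fromisoformat(r["seen"]))
    report = {}
    for user, a in acct.items():
        report[user] = {
            "own_infra_hosts": sorted(a["own"]),
            "external_hosts": sorted(a["external"]),
            # same password fingerprint captured on more than one host
            "reused": any(len(h) > 1 for h in a["fp_hosts"].values()),
            "first_seen": min(a["dates"]),
            "last_seen": max(a["dates"]),
        }
    return report

if __name__ == "__main__":
    for user, row in triage(RECORDS, CORP_DOMAIN).items():
        print(user, row)
```

An account with a non-empty `own_infra_hosts` list is the case the report says was not observed here; it would move the finding from a hygiene gap to direct exposure of the organization's own login surface.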