La Cour des Comptes du Sénégal Data Breach

Alleged

Ransomware claim involving La Cour des Comptes du Sénégal.

Published: Jun 17, 2026
Threat Level: High
Confidence: High

Quick Summary

Company: La Cour des Comptes du Sénégal
Industry: Public Sector
Date of Incident: Jun 17, 2026
Status: Alleged

Executive Summary

La Cour des Comptes du Sénégal, a public sector organization in Senegal, was listed as a victim on the Krybit ransomware group’s dark web portal on June 17, 2026. This listing was identified by SOCRadar’s Dark Web Monitoring service. Krybit primarily targets European entities, and the listing of the Senegalese audit institution fits the group’s secondary pattern of targeting public sector organizations outside that core geographic focus. In the 60 days leading up to this listing, Krybit claimed 28 other victims, with a significant focus on the business services, public sector, and technology sectors. Geographically, victims are predominantly in Germany, Austria, and Paraguay.

Technical Analysis

Initial access analysis correlated with SOCRadar’s stealer-log telemetry revealed a potential exposure for the courdescomptes.sn domain. Sixteen records were found containing corporate usernames, but these were captured on third-party travel and visa-processing portals, not the organization’s own infrastructure. The data suggests a limited number of compromised employee endpoints or password reuse, rather than a broad organizational compromise, as only two distinct corporate accounts were observed with credentials reused across external services. The presence of corporate accounts on third-party services over a ten-month window (August 2025 to mid-June 2026) indicates a credential hygiene gap that initial access brokers commonly exploit.

For ransomware groups like Krybit, credentials harvested by info-stealers serve as a common initial access vector. Threat actors or initial access brokers acquire fresh logs from underground markets, validate corporate credentials, and use them to gain access to systems like Microsoft 365, VPNs, or remote access portals before deploying ransomware.

While the exposed records in this instance did not directly compromise the institution’s own systems or identity provider, the long duration of credential capture points to persistent risks. Recommended actions include continued monitoring, credential rotation for affected accounts, and endpoint forensics.
