AFRINTEL is an open-source Cyber Threat Intelligence (CTI) initiative dedicated to tracking, documenting, and analyzing cyberattacks targeting organizations across Africa.
The project focuses on:
- ransomware operations
- data leaks and extortion campaigns
- initial access broker (IAB) activity
- underground marketplace monitoring
- cybercriminal ecosystem mapping
- Africa-focused CTI reporting
AFRINTEL analysis relies on monitoring:
- ransomware leak sites (dark web)
- underground cybercriminal forums
- data broker marketplaces
- exposed database listings
- public OSINT sources
- Telegram and underground channels
The objective is to provide strategic visibility on cyber threats affecting the African continent.
AFRINTEL tracks publicly claimed cyber incidents affecting African organizations.

Sources:
- Ransomware leak sites (DLS)
- Underground forums
- Data broker marketplaces
- Telegram channels
- Open-source intelligence (OSINT)

Incident types:
- Ransomware → encryption and extortion activity
- Data Leak → data exposure, database publication or sale
- Access Sale → sale of compromised access to systems/networks

Leak-site publications and underground claims are treated as "Claim - Unverified" unless corroborated by:
- victim confirmation
- technical evidence
- validated data samples
- multiple trusted sources
| Category | Coverage |
|---|---|
| African countries monitored | 54 |
| Threat actors tracked | 100+ |
| Ransomware groups monitored | 70+ |
| Data leak actors monitored | 50+ |
| Years covered | 2024 - 2026 |
| Intelligence formats | Markdown / STIX / Visual CTI |
- 60 publicly claimed cyber incidents across Africa
- Morocco, Egypt, and South Africa remain primary hotspots
- Surge in data broker and initial access broker activity
- Government and healthcare sectors heavily targeted
- Large-scale KYC and identity document exposure observed
- Kenya Airports Authority claimed compromise (2 TB)
- CNSS Benin mailbox scraping campaign documented

Monthly reports:

| Month | French | English |
|---|---|---|
| January 2026 | View report | View report |
| February 2026 | View report | View report |
| March 2026 | View report | View report |
| April 2026 | View report | View report |

Monthly statistics:

| Month | French | English |
|---|---|---|
| January 2026 | Statistics | Statistics |
| February 2026 | Statistics | Statistics |
| March 2026 | Statistics | Statistics |
| April 2026 | Statistics | Statistics |

Month-over-month comparisons:

| Comparison | French | English |
|---|---|---|
| January vs February 2026 | FR | EN |
| February vs March 2026 | FR | EN |
| March vs April 2026 | FR | EN |

Focus areas:
- ransomware ecosystem evolution
- targeted countries and sectors
- actor operational patterns
- regional threat escalation
- leak market evolution
📊 Visual Intelligence Dashboard
Includes:
- Africa cyber threat maps
- actor → victim → country diagrams
- ransomware vs leak heatmaps
- sector intelligence mapping
- regional exposure visualization
- threat actor ecosystem mapping
AFRINTEL provides structured CTI datasets in STIX 2.1 / OpenCTI-ready format.
| Dataset | File |
|---|---|
| January 2026 | STIX Bundle |
| February 2026 | STIX Bundle |
| March 2026 | STIX Bundle |
| April 2026 | STIX Bundle |
These datasets contain:
- threat actors
- ransomware groups
- victims
- targeted sectors
- geographic intelligence
- contextual MITRE ATT&CK mapping
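
An added example (not AFRINTEL's own code) of consuming such a bundle: it resolves each `targets` relationship to an actor and a victim, then applies the "Claim - Unverified" rule described earlier. The bundle is constructed sample data; reading verification status from the STIX 2.1 `confidence` property, the threshold of 70, and the "Corroborated" label are assumptions, since the page does not show how the project encodes verification.

```python
VERIFIED_MIN_CONFIDENCE = 70  # assumption: example threshold, not an AFRINTEL value

def _sid(kind, n):
    """Build a constructed STIX id of the form type--UUID."""
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"

def _rel(n, src, dst, **extra):
    return {"type": "relationship", "spec_version": "2.1", "id": _sid("relationship", n),
            "relationship_type": "targets", "source_ref": src, "target_ref": dst, **extra}

# Constructed sample bundle (placeholder names, not AFRINTEL data).
SAMPLE_BUNDLE = {"type": "bundle", "id": _sid("bundle", 1), "objects": [
    {"type": "threat-actor", "id": _sid("threat-actor", 1), "name": "ExampleRansomGroup"},
    {"type": "threat-actor", "id": _sid("threat-actor", 2), "name": "ExampleBroker"},
    {"type": "identity", "id": _sid("identity", 1), "name": "Example Health Agency",
     "identity_class": "organization", "sectors": ["healthcare"]},
    {"type": "identity", "id": _sid("identity", 2), "name": "Example Ministry",
     "identity_class": "organization", "sectors": ["government-national"]},
    _rel(1, _sid("threat-actor", 1), _sid("identity", 1), confidence=85),
    _rel(2, _sid("threat-actor", 2), _sid("identity", 2)),   # no confidence set
    _rel(3, _sid("threat-actor", 2), _sid("identity", 99)),  # dangling target_ref
]}

def triage_claims(bundle, min_confidence=VERIFIED_MIN_CONFIDENCE):
    """Return sorted (actor, victim, sectors, status) rows for 'targets' relationships."""
    if not isinstance(bundle, dict) or bundle.get("type") != "bundle":
        raise ValueError("input is not a STIX bundle")
    by_id = {o["id"]: o for o in bundle.get("objects", []) if "id" in o}
    rows = []
    for obj in by_id.values():
        if obj.get("type") != "relationship" or obj.get("relationship_type") != "targets":
            continue
        actor, victim = by_id.get(obj.get("source_ref")), by_id.get(obj.get("target_ref"))
        if actor is None or victim is None:
            continue  # unresolved reference: skip instead of guessing the victim
        # Absent confidence means no corroboration was recorded: keep it unverified.
        verified = obj.get("confidence", 0) >= min_confidence
        rows.append((actor.get("name", actor["id"]), victim.get("name", victim["id"]),
                     ",".join(victim.get("sectors", [])),
                     "Corroborated" if verified else "Claim - Unverified"))
    return sorted(rows)

if __name__ == "__main__":
    for row in triage_claims(SAMPLE_BUNDLE):
        print(" | ".join(row))
```

For a bundle on disk, pass the result of `json.load` on the file to `triage_claims`.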

```
AFRINTEL
├── comparison/
├── CyberAttackAfrica/
│   ├── 2024/
│   ├── 2025/
│   └── 2026/
├── scripts/
├── statistics/
├── stix/
├── visual-intelligence/
├── workflows/
├── README.md
├── README_FR.md
└── LICENSE
```

AFRINTEL aims to:
- improve visibility on cyber threats targeting Africa
- document ransomware and extortion ecosystems
- support SOC and CTI teams with actionable intelligence
- facilitate OpenCTI/STIX enrichment workflows
- promote Africa-focused cyber threat research
- strengthen regional cyber threat awareness

MIT License - see LICENSE

Adama ASSIONGBON
SOC & Cyber Threat Intelligence Consultant
AFRINTEL - Open African CTI Monitoring Initiative
