Audience. Senior leadership at African commercial banks and financial-services institutions - Chief Information Security Officers, Chief Information Officers, Heads of Digital & Channels, Heads of Fraud & Financial Crime, Heads of Payments & Cards, Heads of Operational Risk, and the boards and regulators responsible for resilience of the banking system.
Methodology. This report draws exclusively on publicly available primary sources: the World Bank's Cyber Threats to the Financial Sector in Africa (2022), US-CERT alerts, US Department of Justice indictments, Group-IB and Symantec threat intelligence, SABRIC public statements, financial regulators' disclosures, and reputable media coverage. Every quantitative claim carries a numbered citation linking to the underlying source. Anecdotal, unconfirmed, or proprietary-intelligence material has been deliberately excluded. The data window is 2007 through May 2026, with emphasis on 2016–2024.
What is not covered. Undisclosed or non-public incidents; incidents that have not been confirmed in primary sources; consumer-level scam and fraud volumes except where they illustrate an institutional control failure; threat-actor capabilities that are not on the public record.
Disclosure. LockDown IT is a Cloudflare Enterprise Services Partner for Sub-Saharan Africa. Section 07 of this report describes Cloudflare products and their applicability to commercial-bank protection; that section is informed by the commercial relationship and should be read as such. The threat analysis in Sections 01–05 and the Recommendations in Section 06 are vendor-neutral and would apply identically to any qualified protective-services stack.
Engagement & contact. LockDown IT helps protect leading African banks by blocking attackers upstream on the public internet - before traffic ever reaches the bank's IT infrastructure. To arrange a Cloudflare briefing or a 30-day product trial, email [email protected] or call +27 11 024 5696.
Version. Volume 01 · Published 1 June 2026.
Commercial banks are the operational core of Africa's financial system. They hold retail and corporate deposits, run the card and mobile-money rails that hundreds of millions of Africans touch every day, connect to SWIFT for cross-border settlement, and increasingly deliver services through internet and mobile channels exposed to the entire planet. That combination - large balances, mass-market customer bases, and a fast-expanding digital attack surface - has made African commercial banks a priority target for nation-state heist groups, organised criminal networks, ransomware affiliates, and their own privileged insiders. The May 2016 cash-out attack on South Africa's Standard Bank, in which a criminal network used forged cards to withdraw over USD 19 million from roughly 1,400 ATMs across Japan in under three hours, demonstrated how a single compromise of a bank's card-issuance and authorisation systems can be monetised at continental scale. [1]
The pattern recurs across the continent. In January 2018 an organised criminal group stole at least KSh 29 million - with anecdotal reporting suggesting closer to KSh 340 million (~USD 3 million) - from the National Bank of Kenya after compromising its internal network. [2] The Kenyan group tracked as SilentCards, active since 2019, has stolen approximately USD 174 million from Kenyan banks by purchasing dormant accounts and co-opting serving bank employees to move and withdraw funds. [3] In February 2021 the operators of REvil ransomware compromised the Union Bank of Nigeria, disrupted availability, and leaked confidential customer and business data; [4] three months earlier, in November 2020, Egregor ransomware took Zimbabwe's Steward Bank offline for several days. [5] In June 2020, employees at a South African bank stole a master key used to decrypt bank operations and generate customer-card keys, made fraudulent transactions, and took over USD 3.2 million - an incident that ultimately cost the bank over USD 58 million in remediation. [6] Between 2018 and 2022 the criminal cluster tracked by Group-IB as OPERA1ER conducted more than 30 successful attacks on banks, financial-services providers, and telecoms across 12 African countries, stealing at least USD 11 million. [7]
The World Bank's 2022 assessment of cyber threats to the African financial sector is unambiguous: institutions face theft of funds, extortion and disruption, and espionage and data theft simultaneously - and the indirect cost of an incident routinely dwarfs the direct loss. Its own headline example is the USD 3.2 million theft from a South African bank that required over USD 58 million in investigation and mitigation - an 18× multiplier between loss and total impact. [8] For a commercial bank, that figure is only the beginning: customer attrition, regulatory penalty under POPIA, the NDPR, and Kenya's Data Protection Act, correspondent-banking scrutiny, and the slow erosion of depositor trust compound it further. The conclusion is the same one global banking has already reached: for an institution this exposed, prevention - blocking attackers before they reach core systems - is the only economically rational posture.
The Scale of the Threat
Africa’s commercial banks sit at the intersection of large balances, mass-market customer bases, and a fast-growing digital attack surface. Nation-state cash-out crews, organised cybercrime, ransomware affiliates, and - distinctively - privileged insiders have all successfully attacked them in the last decade.
Group-IB attributed 30+ successful attacks on banks, financial-services providers, and telecommunications companies in Côte d'Ivoire, Mali, Burkina Faso, Benin, Cameroon, Gabon, Niger, Nigeria, Senegal, Sierra Leone, Togo, and Uganda to a single criminal threat cluster - almost all of them commercial banks and the providers that connect to them. At least USD 11 million stolen; assessed total damage USD 30–50 million.
Source: Group-IB / Quartz Africa, 2022 [7]
- USD 19M: Standard Bank ATM cash-out across Japan, 2016 [1]
- USD 174M: stolen from Kenyan banks by SilentCards since 2019 [3]
- USD 11M: OPERA1ER theft across 12 African countries [7]
- 30+: successful OPERA1ER bank attacks [7]
Commercial banks combine three characteristics that attract the most capable adversaries on earth: very large monetary flows, mass-market customer bases that turn any card or channel compromise into thousands of simultaneous victims, and a digital footprint that now reaches every internet user on the planet. The result is a target that is attacked continuously - and, because disclosure is often reluctant, a publicly documented record that almost certainly undercounts actual activity.
African banks face the global threat environment with three structural pressure points. First, the SWIFT and card-payment rails - through which banks settle cross-border, correspondent, and ATM transactions - are the most lucrative targets on the planet for state-aligned cash-out groups, and post-2016 SWIFT Customer Security Programme (CSP) maturity is uneven across the continent. Second, the supplier ecosystem for core banking, card issuance, and payment switching is concentrated in a small number of vendors, so a single product vulnerability can expose many banks at once. Third - and most distinctively - the insider: small, highly-privileged operations and card-management teams whose access, if abused, bypasses every perimeter control the bank has bought.
Beyond direct theft, three other vectors recur. Ransomware: REvil took down the Union Bank of Nigeria in February 2021 and leaked its data; [4] Egregor disrupted Zimbabwe's Steward Bank for several days in November 2020. [5] Data breach and resale: the August 2020 Experian South Africa breach exposed the personal information of 24 million South Africans and almost 800,000 businesses. [13] And hacktivist or ransom DDoS: in October 2019 SABRIC reported a coordinated DDoS campaign against multiple African banks' public-facing assets, accompanied by ransom demands and timed to coincide with payday. [16]
- USD 245M: financial-sector losses across Kenya, Rwanda, Uganda, Tanzania, Zambia since 2011 [8]
- 18×: multiplier between direct theft and total impact (SA bank case, World Bank) [8]
- USD 4B/yr: estimated annual cyber-loss exposure across Africa [7]
Overview: APT38 - also tracked as BeagleBoyz under the US-CERT "Hidden Cobra" umbrella, and overlapping with the wider Lazarus Group - is a North Korean state-aligned threat group operating under the country's Reconnaissance General Bureau. Active since at least 2014, the group is uniquely focused on the theft of money from financial institutions, with US authorities and private threat intelligence attributing more than USD 100 million in confirmed thefts and several billion in attempted thefts to its operations against banks in Asia and Africa. [9] US federal prosecutors have indicted DPRK operatives in connection with this activity - among the first publicly acknowledged cases of a state using cyberattacks for financial gain.
Key characteristics: APT38 spends an average of 155 days inside a victim network before executing the theft, mapping payment systems and operational procedures with extreme care. Initial access is typically achieved via spear-phishing against bank staff. Once inside, the group pivots to the institution's SWIFT interface (often the Alliance Access software), then manipulates printer settings and transaction logs to delay detection of fraudulent messages. The US-CERT "FASTCash" campaign extended this playbook to payment-switch servers, enabling cash-out fraud against banks in Africa and Asia totalling tens of millions of dollars. [9]
- Active since: At least 2014
- Origin: North Korea (DPRK), state-aligned
- Aliases: BeagleBoyz, Hidden Cobra, Lazarus subgroup
- Focus: SWIFT & payment-switch theft
- Dwell time: ~155 days average
- Africa activity: FASTCash & bank theft, multi-country
- Confirmed theft: USD 100M+ (Africa & Asia)
Overview: OPERA1ER is the threat designation Group-IB assigned to a sustained organised-crime cluster that, between 2018 and 2022, conducted more than 30 successful attacks against banks, financial-services providers, and telecommunications companies in Francophone Africa. Targeted countries include Côte d'Ivoire, Mali, Burkina Faso, Benin, Cameroon, Gabon, Niger, Nigeria, Senegal, Sierra Leone, Togo, and Uganda. At least USD 11 million was directly stolen; assessed total damage is in the USD 30–50 million range. [7]
Key characteristics: The group is notable for the opposite of advanced tradecraft: it relies almost entirely on off-the-shelf, dark-web-available, and red-team tooling - Metasploit, Cobalt Strike, Mimikatz - combined with high-quality French-language spear-phishing. In at least two known incidents, the group reached the SWIFT Alliance Access interface inside victim banks (SWIFT itself was not compromised). The lesson is uncomfortable: defending against APT38 requires nation-state-grade tradecraft; defending against OPERA1ER requires baseline security hygiene that many regional banks did not have.
- Active: 2018–2022 (publicly tracked)
- Origin: French-speaking, criminal
- Sector focus: Banks, FSPs, telecoms
- Successful attacks: 30+ across 12 countries
- Geographic focus: Francophone West & Central Africa
- Initial access: French-language spear-phishing
- Tooling: Cobalt Strike, Metasploit, Mimikatz
Overview: SilentCards is a Kenyan organised-criminal group, active since 2019, that the World Bank reports has stolen approximately USD 174 million from Kenyan banks. [3] Its method is not advanced malware but social and financial engineering of the bank itself: the group purchases legitimate but dormant customer accounts and co-opts serving bank employees to transfer and withdraw significant sums through ATMs. The group is the clearest illustration of why, for a commercial bank, the insider is not a secondary concern but a primary adversary - one that arrives already inside the perimeter, holding valid credentials.
Key characteristics: SilentCards' defining advantage is collusion with privileged staff, which renders most perimeter and endpoint controls irrelevant - the fraudulent actions are performed by authorised users on authorised systems. Detection therefore depends on controls aimed at behaviour rather than signature: enforced separation of duties, dual control on high-value and card-related transactions, continuous monitoring of privileged sessions, behavioural analytics on staff actions, and reconciliation that does not depend solely on the people being monitored. The same playbook - co-opting insiders - underpinned the May 2020 attack on The Gambia's Trust Bank, in which 12 suspects were arrested. [11]
- Active: 2019–present
- Origin: Kenya, criminal
- Method: Dormant accounts + co-opted staff
- Target: Kenyan commercial banks
- Estimated theft: ~USD 174M
- Primary vector: Privileged insider collusion
- Detection: Very difficult - authorised users
How Africa’s Banks Are Being Attacked
Six attack categories account for almost every documented incident against African commercial banks - SWIFT & card-payment fraud, ransomware & data extortion, the privileged insider, third-party & supply-chain compromise, card skimming & consumer-facing fraud, and hacktivist DDoS. They are frequently combined in a single operation.
A motivated adversary against a commercial bank - whether a state-aligned cash-out crew, an organised-crime cluster, a ransomware affiliate, or a co-opted employee - will typically combine several of the six categories below. The through-line is that the bank's own trusted rails, software, and people are the attack surface; the malware is often incidental.
SWIFT itself has not been compromised in any publicly documented incident; what is compromised, repeatedly, is the bank-side environment around it - and, just as often, the card-authorisation and ATM-switch environment. The canonical African case is the May 2016 attack on Standard Bank: an organised group compromised the bank's card systems and operational safeguards and used forged cards to withdraw over USD 19 million from roughly 1,400 ATMs across Japan in under three hours, before more than 260 suspects were eventually arrested. [1] US-CERT's "FASTCash" alert documents the same pattern industrialised: APT38 manipulates ISO 8583 payment-switch servers to approve fraudulent withdrawals, enabling cash-out fraud against banks in Africa and Asia totalling tens of millions of dollars. [9][10]
Ransomware against a commercial bank threatens both availability and confidentiality. In February 2021 the operators of REvil compromised the Union Bank of Nigeria, disrupted system availability, and stole and leaked confidential customer and business data - a double-extortion model in which paying to decrypt does nothing to recover already-exfiltrated data. [4] Three months earlier, in November 2020, Egregor ransomware caused several days of system disruption at Zimbabwe's Steward Bank. [5] The continent's central-bank precedent - the Bank of Zambia's May 2022 Hive incident, in which the bank segregated core systems and publicly refused to pay - is the template every commercial bank board should study before an incident, not during one.
This is the commercial bank's distinctive exposure. In June 2020, employees at a South African bank stole a master key used to decrypt bank operations, access and modify banking systems, and generate keys for customer cards; they used it to make fraudulent transactions and steal over USD 3.2 million, costing the bank over USD 58 million in remediation. [6] In January 2019, an employee at another South African bank used privileged access to approve replica cards in an attempt to move approximately R 100 million (~USD 6.6 million) to accomplices. [18] The Kenyan SilentCards group has built an estimated USD 174 million theft operation entirely on co-opted staff. [3] A study cited by the World Bank found that 81% of malicious-insider incidents were motivated by money. Zero Trust per-request verification, strict separation of duties, dual control on outgoing and card-related transactions, and continuous monitoring of privileged sessions are the controls that bound this risk.
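The controls named in the SilentCards profile and in the insider paragraph above (separation of duties, dual control on reactivations and high-value transfers, and behavioural analytics on staff actions backed by reconciliation the monitored staff cannot edit) can be expressed as a small replay engine over an operations event log. The example below is an added illustration, not code from the report, the World Bank or any bank it names; the staff roles, thresholds, event layout and sample log are constructed assumptions.

```python
"""Dual-control and separation-of-duties enforcement plus a behavioural rule
for the dormant-account reactivation pattern.

Added illustration; not code from the report, the World Bank or any bank.
Roles, thresholds, the event layout and the sample log are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Staff directory (assumption). Dual control requires an approver in a
# different role from the initiator, so two operations clerks cannot
# approve each other's work.
ROLES = {"ops_1": "operations", "ops_2": "operations", "sup_1": "supervisor"}

TRANSFER_DUAL_CONTROL_FROM = 50_000.0   # transfers at or above this need a second approver
DORMANT_AFTER = timedelta(days=180)     # no customer-initiated activity for this long = dormant
WATCH_WINDOW = timedelta(hours=72)      # how long a reactivated dormant account stays on watch
WATCH_CASH_LIMIT = 100_000.0            # ATM cash out of a watched account above this alerts


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str               # "reactivate" | "transfer" | "atm_withdrawal"
    account: str
    actor: str              # staff user id for staff actions, "atm" for cash withdrawals
    approver: Optional[str]
    amount: float = 0.0


def dual_control_violation(ev):
    """Return None if the event satisfies dual control, else the reason it fails."""
    needs_approval = ev.kind == "reactivate" or (
        ev.kind == "transfer" and ev.amount >= TRANSFER_DUAL_CONTROL_FROM)
    if not needs_approval:
        return None
    if ev.approver is None:
        return "no_approver"
    if ev.approver == ev.actor:
        return "self_approval"
    if ROLES.get(ev.approver) == ROLES.get(ev.actor):
        return "same_role"
    return None


def analyse(events, last_customer_activity):
    """Replay an event log in time order.

    Returns (rejected, alerts): rejected lists events blocked by dual control;
    alerts lists accounts where a staff-reactivated dormant account was cashed
    out through ATMs within the watch window. last_customer_activity is the
    reconciliation input and must come from a source the monitored staff cannot edit.
    """
    rejected, alerts = [], []
    reactivated_at = {}
    cash_out = defaultdict(float)
    for ev in sorted(events, key=lambda e: e.ts):
        reason = dual_control_violation(ev)
        if reason:
            rejected.append((ev.account, ev.kind, reason))
            continue  # a rejected action is never executed
        if ev.kind == "reactivate":
            idle = ev.ts - last_customer_activity[ev.account]
            if idle >= DORMANT_AFTER:
                reactivated_at[ev.account] = ev.ts
        elif ev.kind == "atm_withdrawal" and ev.account in reactivated_at:
            if ev.ts - reactivated_at[ev.account] <= WATCH_WINDOW:
                cash_out[ev.account] += ev.amount
                tag = (ev.account, "dormant_reactivation_cashout")
                if cash_out[ev.account] > WATCH_CASH_LIMIT and tag not in alerts:
                    alerts.append(tag)
    return rejected, alerts


def build_sample():
    """Constructed log: A001 is dormant, reactivated and drained; A002 is a normal
    active account; A003 is a self-approved reactivation attempt."""
    base = datetime(2026, 3, 2, 9, 0)
    h = lambda n: base + timedelta(hours=n)
    events = [
        Event(h(0), "reactivate", "A001", "ops_1", "sup_1"),
        Event(h(1), "transfer", "A001", "ops_1", "ops_2", 80_000.0),   # same role: blocked
        Event(h(2), "transfer", "A001", "ops_1", "sup_1", 80_000.0),   # properly approved
        Event(h(2.5), "transfer", "A002", "ops_1", None, 20_000.0),    # below threshold
        Event(h(3), "reactivate", "A003", "ops_2", "ops_2"),           # self-approval: blocked
        Event(h(4), "atm_withdrawal", "A002", "atm", None, 5_000.0),
        Event(h(5), "atm_withdrawal", "A001", "atm", None, 40_000.0),
        Event(h(6), "atm_withdrawal", "A001", "atm", None, 40_000.0),
        Event(h(24), "atm_withdrawal", "A001", "atm", None, 40_000.0),  # crosses the limit
        Event(h(25), "atm_withdrawal", "A001", "atm", None, 10_000.0),
    ]
    last_activity = {"A001": base - timedelta(days=400),
                     "A002": base - timedelta(days=10),
                     "A003": base - timedelta(days=500)}
    return events, last_activity


def run_sample():
    events, last_activity = build_sample()
    return analyse(events, last_activity)


if __name__ == "__main__":
    rejected, alerts = run_sample()
    print("rejected:", rejected)
    print("alerts:", alerts)
```

The point of the design is that the dual-control check runs on every staff action regardless of who the actor is, while the behavioural rule keys off a fact (the customer's last genuine activity) held outside the operations team's reach, so a colluding clerk cannot make a drained dormant account look active.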
A bank's security is only as strong as the vendors inside its trust boundary. In February 2020 Nedbank disclosed that a breach at a third-party marketing contractor, Computer Facilities, had exposed the personal information of up to 1.7 million clients. [14] In October 2020, attackers compromised Pegasus Technologies, a fintech processor used by mobile operators including MTN and Airtel, stealing about USD 1 million from Uganda's digital-payments system and affecting 20 million people in the subsequent shutdown. [12] In November 2018, Mozambique's banking system - ATMs and card machines included - was offline for several days after a Portuguese fintech provider cut off services in a billing dispute. [17] Concentration in core-banking, card, and payment-switch suppliers means a single product or provider failure can expose many banks at once - which is why third-party risk is now a SWIFT CSP requirement and a Basel operational-resilience principle.
Mass-market customer bases make banks a high-volume fraud target. In March 2021 the organised crime group (OCG) FIN7 was found conducting attacks on point-of-sale systems in South Africa to steal customer card data for counterfeit cards. [20] In September 2019, a card-skimming script on Garmin South Africa's e-commerce site harvested customers' full payment-card and billing data. [20] The Bank of Ghana reported a 584% year-on-year increase in card fraud affecting its customers from 2019 to 2020. [21] These incidents rarely make headlines individually, but in aggregate they drive reimbursement costs, chargebacks, and the slow erosion of customer trust in a bank's digital channels.
Public-facing services - the bank's website, internet- and mobile-banking front ends, and payment APIs - are the most predictable DDoS targets. In October 2019 SABRIC reported a coordinated DDoS campaign against multiple African banks' public-facing assets, accompanied by ransom demands and timed to coincide with payday for maximum disruption. [16] The continent-scale capability was underlined by Anonymous Sudan in July 2023, when a single campaign took M-Pesa, the eCitizen platform, and dozens of Kenyan institutions offline simultaneously - proof that any African financial institution with a civilian profile is a viable target, regardless of whether it is the intended one.
Commercial Banks & Financial Institutions Under Attack
A representative catalogue of publicly reported cyber incidents against African commercial banks and the financial-services providers closest to them - eighteen cases spanning theft, ransomware, insider abuse, third-party compromise, and data breach.
The incidents below are drawn from publicly available reporting - the World Bank's Cyber Threats to the Financial Sector in Africa, US-CERT, Group-IB, SABRIC, banks' own disclosures, and reputable media. They are presented to give leadership a concrete picture of the patterns to defend against - not to single out any one institution. Because the geographic record is dense, the map opposite is presented on its own page.
Documented attacks on African commercial banks are continent-wide. Francophone West and Central Africa was hit by OPERA1ER; Nigeria by REvil and OPERA1ER; East Africa - Kenya and Uganda - by insider-enabled theft and a mobile-money processor breach; Southern Africa - South Africa, Zimbabwe, Mozambique - by insider abuse, ransomware, and supply-chain failure; and the Atlantic seaboard by a state-bank server attack in Angola. South Africa alone accounts for six documented incidents.
- 2016 · Standard Bank - ATM Cash-Out (Japan). An organised group compromised Standard Bank's card systems and operational safeguards and used forged cards to withdraw over USD 19 million from ~1,400 ATMs across Japan in under three hours. More than 260 suspects were eventually arrested. [1] Impact: USD 19M withdrawn in ~3 hrs.
- 2018 · National Bank of Kenya. Internal-network compromise leading to fraudulent transactions. KSh 29M (~USD 261K) confirmed stolen, with anecdotal reporting suggesting closer to KSh 340M (~USD 3M). [2] Impact: USD 261K+ stolen.
- 2018–22 · OPERA1ER - Francophone Africa Campaign. 30+ successful attacks on banks, financial-services providers, and telecoms across Côte d'Ivoire, Mali, Burkina Faso, Benin, Cameroon, Gabon, Niger, Nigeria, Senegal, Sierra Leone, Togo, Uganda. SWIFT Alliance Access interface reached in two known incidents. [7] Impact: USD 11M+ stolen, USD 30–50M total damage.
- 2019→ · SilentCards - Insider-Enabled Theft. A Kenyan group that buys dormant accounts and co-opts serving bank employees to transfer and withdraw funds via ATMs. The World Bank reports approximately USD 174 million stolen from Kenyan banks. [3] Impact: ~USD 174M stolen since 2019.
- 2019 · SA Bank - Attempted R100M Card Fraud. An employee used privileged access to approve replica cards in an attempt to move ~R 100 million (~USD 6.6M) from a customer's account into accomplice-controlled accounts for ATM withdrawal. [18] Impact: ~USD 6.6M attempted.
- 2019 · Garmin South Africa - Card Skimming. A card-skimming script on Garmin SA's e-commerce site harvested customers' home addresses, phone numbers, emails, and full payment-card and billing data. [20] Impact: card data harvested at checkout.
- 2019 · SABRIC-Reported DDoS Campaign. Coordinated DDoS against multiple African banks' public-facing assets, accompanied by ransom demands, timed to coincide with payday for maximum disruption. [16] Impact: multi-bank public services down.
- 2020 · SA Bank - Master-Key Theft. Employees stole a master key used to decrypt operations and generate customer-card keys, made fraudulent transactions, and took over USD 3.2 million. Remediation, including reissuing cards, cost the bank over USD 58 million. [6] Impact: USD 3.2M stolen · USD 58M remediation.
- 2020 · Trust Bank - Insider-Assisted Fraud. Gambian authorities arrested 12 suspects linked to an attack on Trust Bank; evidence suggested they worked with insiders to attempt fraudulent transactions. [11] Impact: 12 arrested, insider collusion.
- 2020 · Steward Bank - Egregor Ransomware. Egregor ransomware operators targeted Zimbabwe's Steward Bank, causing several days of system disruption. [5] Impact: days offline, system disruption.
- 2020 · Pegasus Technologies - Mobile-Money Processor. Attackers compromised Pegasus Technologies, a fintech processor used by MTN and Airtel, stole ~USD 1 million from Uganda's digital-payments system, and affected 20 million people in the subsequent shutdown. [12] Impact: 20M affected, ~USD 1M stolen.
- 2020 · Experian South Africa - Data Breach. A data breach exposed the personal information of 24 million South Africans and almost 800,000 business entities - data that feeds directly into bank fraud, phishing, and account-takeover. [13] Impact: 24M people + 800K businesses.
- 2020 · Nedbank - Third-Party Breach. Nedbank disclosed that a security breach at a third-party marketing contractor, Computer Facilities, exposed the personal information of up to 1.7 million clients. [14] Impact: 1.7M clients, via vendor.
- 2021 · Union Bank of Nigeria - REvil. REvil operators compromised the Union Bank of Nigeria, disrupted system availability, and stole and leaked confidential customer and business data in a double-extortion attack. [4] Impact: data leaked, double extortion.
- 2021 · Angola State Bank (BPC) - Server Attack. Angola's largest state-owned bank suffered a disruptive attack against several servers, temporarily limiting services at branches across its commercial-banking network. [8] Impact: branches hit, services limited.
- 2021 · FIN7 - Point-of-Sale Attacks. The OCG FIN7 conducted attacks on point-of-sale systems in South Africa to steal customer card data, later used to make counterfeit cards or sold to other criminals. [20] Impact: card data cloned / resold.
- 2022 · TransUnion South Africa - Breach & Extortion. A threat group accessed TransUnion SA systems and demanded a ransom, in a breach that affected millions of consumers and businesses whose credit data underpins bank lending and KYC decisions. [15] Impact: millions affected, credit data · ransom demand.
- 2020 · Bank of Ghana - Card-Fraud Surge. The Bank of Ghana reported a 584.1% year-on-year increase in card fraud affecting its customers from 2019 to 2020 - a systemic signal of weak card-channel controls across the market. [21] Impact: +584% card fraud YoY.
CASE STUDY | South Africa | May 2016 | SEVERITY 4/5
Standard Bank - Coordinated ATM Cash-Out Across Japan

| Attack Type | Card-systems compromise → forged cards → coordinated mass ATM cash-out [1] |
| Impact | In May 2016 an organised criminal group compromised South Africa's Standard Bank, defeating internal banking systems, customer databases, and operational safeguards. Using forged cards encoded with valid account data, roughly 100 operatives withdrew over USD 19 million from approximately 1,400 ATMs across Japan in under three hours - before the bank could detect and freeze the affected cards. More than 260 suspects were eventually arrested. The scale and choreography highlight the extensive infrastructure now available to sophisticated criminal groups targeting African banks. [1] |
| Key Lesson | A card-authorisation environment that can be manipulated to approve mass fraudulent withdrawals is an existential card-channel risk. The controls are real-time transaction-velocity and geolocation anomaly detection on card authorisations, hard limits and dual control on bulk card operations, segregation of the card-management system from general IT, and the ability to freeze a card BIN range within minutes - not hours. Against a three-hour cash-out, detection latency is the whole game. |
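The Key Lesson above calls for real-time velocity and geolocation anomaly detection on card authorisations and for the ability to freeze a BIN range within minutes. The monitor below is an added illustration of that control, not code from the report or from any bank it names; the record layout, the home country, the thresholds and the sample traffic are constructed assumptions. It scores each withdrawal as it arrives and, once a burst of foreign-country withdrawals on one BIN breaches the threshold, declines everything on that BIN rather than chasing individual cards.

```python
"""Real-time velocity and geolocation anomaly detection on card authorisations.

Added illustration for the Standard Bank case study; it is not code from the
report or from any bank it names. The record layout, the home country, the
thresholds and the sample traffic are assumptions constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthRequest:
    ts: datetime
    issuer_bin: str   # first six digits of the PAN: the issuer BIN range
    card_token: str   # tokenised PAN; the raw number never enters the monitor
    country: str      # country of the acquiring ATM
    amount: float


class CashOutMonitor:
    """Scores each ATM withdrawal authorisation as it arrives.

    Two sliding windows: per card (ordinary velocity abuse) and per BIN for
    foreign-country withdrawals (the signature of a coordinated cash-out).
    Breaching the BIN threshold freezes the whole BIN range at once.
    """

    def __init__(self, home_country="ZA", card_window=timedelta(minutes=30),
                 card_max=3, bin_window=timedelta(minutes=10), bin_foreign_max=50):
        self.home_country = home_country
        self.card_window, self.card_max = card_window, card_max
        self.bin_window, self.bin_foreign_max = bin_window, bin_foreign_max
        self._per_card = defaultdict(deque)
        self._per_bin_foreign = defaultdict(deque)
        self.frozen_bins = set()
        self.decisions = defaultdict(int)  # decision -> count, for reporting

    @staticmethod
    def _push(window, ts, span):
        """Append a timestamp, drop entries older than the span, return the count."""
        window.append(ts)
        while window and ts - window[0] > span:
            window.popleft()
        return len(window)

    def _record(self, decision):
        self.decisions[decision] += 1
        return decision

    def process(self, a):
        """Return 'APPROVE' or 'DECLINE:<reason>' for one authorisation request."""
        if a.issuer_bin in self.frozen_bins:
            return self._record("DECLINE:bin_frozen")
        if self._push(self._per_card[a.card_token], a.ts, self.card_window) > self.card_max:
            return self._record("DECLINE:card_velocity")
        if a.country != self.home_country:
            n = self._push(self._per_bin_foreign[a.issuer_bin], a.ts, self.bin_window)
            if n > self.bin_foreign_max:
                self.frozen_bins.add(a.issuer_bin)  # freeze the BIN range, not just this card
                return self._record("DECLINE:bin_foreign_burst")
        return self._record("APPROVE")


def build_sample():
    """Constructed traffic: an hour of normal domestic withdrawals, then a burst
    of 120 foreign withdrawals on 60 cloned cards of one BIN within five minutes."""
    base = datetime(2026, 5, 15, 8, 0)
    normal = [AuthRequest(base + timedelta(minutes=3 * i), "123456", f"dom{i}", "ZA", 500.0)
              for i in range(20)]
    burst_start = base + timedelta(hours=1)
    burst = [AuthRequest(burst_start + timedelta(seconds=2.5 * i), "123456",
                         f"clone{i % 60}", "JP", 1000.0) for i in range(120)]
    return normal + burst


def run_sample():
    """Feed the sample stream through the monitor in time order; returns a summary."""
    mon = CashOutMonitor()
    for a in sorted(build_sample(), key=lambda r: r.ts):
        mon.process(a)
    return {"decisions": dict(mon.decisions), "frozen_bins": sorted(mon.frozen_bins)}


if __name__ == "__main__":
    print(run_sample())
```

On the constructed stream the per-card window never fires, because each cloned card is used only twice; it is the BIN-level foreign burst that stops the cash-out after the fiftieth foreign withdrawal, with every later request on that BIN declined as frozen. Tuning the BIN threshold is a business decision: set it from the bank's own baseline of foreign ATM withdrawals per BIN per ten minutes, not from this example.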
CASE STUDY | Francophone Africa | 2018–2022 | SEVERITY 4/5
OPERA1ER - Sustained Multi-Country Cybercrime Campaign

| Attack Type | Spear-phishing → off-the-shelf tooling → SWIFT-interface access in commercial banks [7] |
| Impact | Group-IB attributed 30+ successful attacks against banks, financial-services providers, and telecommunications companies in 12 African countries - Côte d'Ivoire, Mali, Burkina Faso, Benin, Cameroon, Gabon, Niger, Nigeria, Senegal, Sierra Leone, Togo, Uganda - to a single organised-crime cluster. At least USD 11 million directly stolen; assessed total damage USD 30–50 million. In at least two incidents, the group reached the SWIFT Alliance Access interface inside victim banks (SWIFT itself was not compromised). |
| Key Lesson | OPERA1ER's tooling was not advanced - Metasploit, Cobalt Strike, Mimikatz, and high-quality French-language spear-phishing. The campaign succeeded because baseline security hygiene at many regional banks was missing: phishing-resistant MFA, network segmentation, EDR on critical hosts, and prompt detection of commodity tradecraft. The implication is uncomfortable: defending against a nation-state heist group requires advanced tradecraft, but defending against OPERA1ER required only the baseline hygiene that many regional banks did not yet have - which is precisely why it succeeded 30+ times. |
CASE STUDY | Kenya | January 2018 | SEVERITY 3/5
National Bank of Kenya - Internal Network Compromise

| Attack Type | Internal-network compromise → fraudulent payment instructions [2] |
| Impact | According to public reporting compiled in the World Bank's "Cyber Threats to the Financial Sector in Africa", an organised criminal group stole approximately KSh 29 million (~USD 261,000) from the National Bank of Kenya in January 2018, with anecdotal reporting suggesting the actual sum may have been closer to KSh 340 million (~USD 3 million). The bank cited a compromise of its internal network as the underlying cause. [2] |
| Key Lesson | An attacker who reaches the internal network of a bank can issue fraudulent instructions in ways that the bank's outbound controls were not designed to catch. The remedy is Zero Trust per-request access control for every internal system, prompt detection of lateral movement, and dual control on outgoing financial instructions - controls that every commercial bank should treat as non-negotiable on any internal system that can touch the money rails. |
CASE STUDY: COORDINATED DDoS | Multi-Country | October 2019 | SEVERITY 3/5
SABRIC-Reported DDoS Campaign Against African Banks

| Attack Type | Coordinated ransom DDoS, payday-timed [16] |
| Impact | In October 2019 the South African Banking Risk and Information Centre (SABRIC) reported a series of DDoS attacks against multiple African banks' public-facing assets. The attacks were accompanied by a ransom note demanding payment to stop the attacks, and were timed to coincide with payday to cause maximum disruption. The campaign coincided with a separate ransomware attack against the City of Johannesburg's network, which shut down all electronic services, including bill-payment mechanisms, during the same month-end window. |
| Key Lesson | The public-facing services of any bank - website, internet- and mobile-banking front ends, payment APIs - are the most predictable DDoS targets. Always-on volumetric DDoS protection at a global edge, paired with sector-coordinated threat sharing (the SABRIC role), materially raises the cost of mounting credible campaigns against the regional banking community. |
CASE STUDY | South Africa | June 2020 | SEVERITY 4/5
South African Bank - Insider Master-Key Theft

| Attack Type | Privileged insider → theft of cryptographic master key → fraudulent card transactions [6] |
| Impact | In June 2020, employees at a South African bank stole a master key used to decrypt bank operations, access and modify banking systems, and generate keys for customer cards. They used the key to access customer accounts, make fraudulent transactions, and steal over USD 3.2 million. The incident forced the bank to reissue a large volume of customer cards and ultimately cost over USD 58 million in remediation - an 18× multiplier over the direct theft - alongside harder-to-measure reputational damage and loss of customer trust. [6][8] |
| Key Lesson | The most damaging losses at African banks have repeatedly been insider-driven, and they bypass every perimeter control the bank has bought. Cryptographic key material must be held under split-knowledge and dual control inside hardware security modules, with no single employee able to extract or use a master key alone. Privileged sessions must be continuously recorded and independently reviewed, and separation of duties enforced between those who hold keys and those who can issue cards or move money. |
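The Key Lesson above requires split knowledge and dual control over master-key material, with no single employee able to extract or use the key. The example below is an added illustration of how a key-component ceremony enforces that; it is not code from the report or from any bank, and the class stands in for what a hardware security module does. The check-value convention (a truncated HMAC-SHA256 over a zero block) is an assumption chosen so the example runs on the Python standard library; production HSMs compute check values by encrypting a zero block under the key itself.

```python
"""Split-knowledge, dual-control custody of a master key using key components.

Added illustration for the insider master-key case study; it is not code from
the report or any bank, and the KeyCeremony class stands in for an HSM. The
check-value convention (truncated HMAC-SHA256 of a zero block) is an assumption
so the example runs on the standard library; real HSMs encrypt a zero block
with the key itself.
"""
import hashlib
import hmac
import os

KEY_LEN = 32  # bytes; an AES-256 master key


def kcv(key):
    """Six-hex-digit key check value: lets a custodian confirm a component was
    entered correctly without revealing the key material itself."""
    return hmac.new(key, b"\x00" * 16, hashlib.sha256).hexdigest()[:6]


def combine(components):
    """The key is the XOR of all components: any subset short of the full set
    yields an unrelated value, so no single custodian can reconstruct it."""
    key = bytes(KEY_LEN)
    for c in components:
        if len(c) != KEY_LEN:
            raise ValueError("component has wrong length")
        key = bytes(a ^ b for a, b in zip(key, c))
    return key


def generate_split(n=3):
    """Generate n random components for n custodians; returns (components,
    kcv of the combined key). The combined key is computed once to record its
    check value and is not retained."""
    components = [os.urandom(KEY_LEN) for _ in range(n)]
    return components, kcv(combine(components))


class KeyCeremony:
    """Key-loading ceremony under dual control. Each custodian enters only their
    own component; the combined key exists only inside this object and is never
    returned. Card keys are derived from it, never handed the key itself."""

    def __init__(self, required, expected_kcv):
        self.required = required
        self.expected_kcv = expected_kcv
        self._entries = {}   # custodian -> component
        self._key = None

    def enter_component(self, custodian, component, declared_kcv):
        if custodian in self._entries:
            raise ValueError(f"split knowledge violated: {custodian} already entered a component")
        if kcv(component) != declared_kcv:
            raise ValueError(f"check value mismatch for {custodian}: component mis-keyed")
        self._entries[custodian] = component

    def finalize(self):
        """Combine the components once all required custodians have entered theirs."""
        if len(self._entries) < self.required:
            raise ValueError(f"dual control: {len(self._entries)}/{self.required} components present")
        key = combine(list(self._entries.values()))
        if kcv(key) != self.expected_kcv:
            raise ValueError("combined key check value mismatch; ceremony aborted")
        self._key = key
        return kcv(key)

    def derive_card_key(self, card_token):
        """Per-card key derived from the master key; available only after a
        complete ceremony, and the master key itself is never exposed."""
        if self._key is None:
            raise RuntimeError("no master key loaded")
        return hmac.new(self._key, b"card-key:" + card_token.encode(), hashlib.sha256).digest()


def ceremony_demo():
    """Three custodians load a key; returns which controls fired along the way."""
    comps, expected = generate_split(3)
    ceremony = KeyCeremony(required=3, expected_kcv=expected)
    outcome = {"partial_key_matches": kcv(combine(comps[:2])) == expected}
    ceremony.enter_component("custodian_a", comps[0], kcv(comps[0]))
    try:  # the same person may not enter a second component
        ceremony.enter_component("custodian_a", comps[1], kcv(comps[1]))
        outcome["second_entry_blocked"] = False
    except ValueError:
        outcome["second_entry_blocked"] = True
    ceremony.enter_component("custodian_b", comps[1], kcv(comps[1]))
    try:  # two of three custodians cannot finish the ceremony
        ceremony.finalize()
        outcome["early_finalize_blocked"] = False
    except ValueError:
        outcome["early_finalize_blocked"] = True
    ceremony.enter_component("custodian_c", comps[2], kcv(comps[2]))
    outcome["loaded_kcv_matches"] = ceremony.finalize() == expected
    outcome["card_key_len"] = len(ceremony.derive_card_key("card-token-0001"))
    return outcome
```

The separation the case study asks for is visible in the shape of the code: custodians hold components and can verify only their own check value; the combined key is never returned by any method; and card keys come out of a derivation function, so the people who can issue cards never touch the master key. In a real deployment the ceremony, the key store and the derivation all live inside the HSM, and the recorded privileged session is reviewed by someone who was not in the room.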
CASE STUDY | Nigeria | February 2021 | SEVERITY 4/5
Union Bank of Nigeria - REvil Ransomware & Data Leak

| Attack Type | Ransomware-as-a-service → double extortion (encryption + data leak) [4] |
| Impact | In February 2021 the operators of REvil ransomware compromised the Union Bank of Nigeria, disrupted system availability, and stole and leaked confidential customer and business data, as documented in public reporting compiled by the World Bank. REvil's double-extortion model means data is exfiltrated and published regardless of whether a decryption ransom is paid - so customer PII, account data, and corporate records were exposed irrespective of any recovery decision the bank made. [4] |
| Key Lesson | For a commercial bank, ransomware is a confidentiality breach as much as an availability one. Defence must pair ransomware-resilient, segmented, tested backups with the assumption that any data reachable by the attacker is already lost: strong network segmentation, least-privilege access to customer databases, encryption of data at rest under controlled keys, and rapid detection of exfiltration through egress monitoring at the network edge - before terabytes leave the building. |
CASE STUDY | South Africa | 2020–2022 SEVERITY 3/5 Third-Party & Data Breaches - Nedbank, Experian, TransUnion
|
|
| Attack Type | Supply-chain compromise & bulk data theft feeding downstream bank fraud [14][13][15] |
| Impact | Three South African breaches in three years show how customer data is compromised without a bank's core ever being touched. In February 2020 Nedbank disclosed that a breach at a third-party marketing contractor, Computer Facilities, exposed the personal data of up to 1.7 million clients. [14] In August 2020 a breach at Experian South Africa exposed the personal information of 24 million South Africans and almost 800,000 businesses. [13] In March 2022 a threat group breached TransUnion South Africa and demanded a ransom, exposing the credit data of millions. [15] None of the three required compromising a bank's transaction systems - yet all three directly enable phishing, account takeover, and synthetic-identity fraud against banks. |
| Key Lesson | A bank inherits the risk of every vendor and credit bureau inside its trust boundary. Third-party risk management must be contractual and continuous - security attestation, least-privilege data sharing, and encryption or tokenisation of any PII shared with partners - on the assumption that bureau data will eventually leak. At the customer channel, that means authentication strong enough (phishing-resistant MFA, device binding) that leaked PII alone can never authorise a transaction. |
The Cost of Inaction
Direct theft, remediation, regulatory penalty, customer attrition, lost deposits, and correspondent-banking standing - for a commercial bank, every layer of cost compounds the next.
World Bank research records a USD 3.2 million theft from a South African bank that ultimately required over USD 58 million in investigation and mitigation - an 18× multiplier between direct loss and total impact. For a commercial bank, this multiplier is amplified further by customer attrition, regulatory penalty, and the loss of low-cost deposits.
Source: World Bank, "Cyber Threats to the Financial Sector in Africa" / Cimpanu 2020 [8]
The direct loss in a successful bank heist is open-ended. Standard Bank lost USD 19 million in a single three-hour ATM cash-out. [1] OPERA1ER's cumulative direct theft across Francophone Africa was at least USD 11 million across 30+ attacks. [7] US-CERT attributed more than USD 100 million in confirmed thefts to APT38 against banks in Africa and Asia. [9] Across East Africa, World Bank-cited Deloitte research records over USD 245 million in financial-sector losses across Kenya, Rwanda, Uganda, Tanzania, and Zambia since 2011. [8]
Recovering from a successful financial-sector incident requires forensic investigation, supplier-led system restoration, comprehensive review of every internal system, SWIFT re-certification (where the SWIFT environment was involved), and significant security re-engineering. The 18× multiplier the World Bank documented is consistent with patterns elsewhere: investigation, system replacement, control re-architecture, regulatory response, customer notification, and litigation all add cost, all at the same time.
Unique to commercial banking: customers can leave. A serious breach - particularly one that exposes customer data or funds - drives account closures, deters new customers, and erodes the deposit base that funds the bank's lending. The World Bank notes that the average victim of cyber-enabled crime experiences a 15% drop in share value, and that a single 2013 retail breach in the US produced a 46% fall in the following quarter's earnings. For a bank competing for retail and SME deposits, trust is the product; once damaged, it is expensive and slow to win back.
Since 2016, SWIFT has mandated the Customer Security Programme (CSP) and the Customer Security Controls Framework (CSCF). Compliance is now a precondition for continued SWIFT access. A serious incident - particularly one involving SWIFT-based theft - can prompt correspondent banks to reduce or withdraw relationships. For an African bank already navigating de-risking pressure from global correspondents, losing a US-dollar clearing relationship can be more damaging than the original theft, cutting the bank off from trade finance and cross-border payments for its customers.
POPIA in South Africa, the NDPR in Nigeria, Kenya's Data Protection Act, and equivalent regional frameworks impose direct fines for breach - applied to the bank itself. Beyond fines, a breached bank faces regulatory restrictions, mandatory customer notification, class-action exposure, and the durable reputational consequence of being the bank that lost its customers' money or data.
Why Traditional Defences Are Failing
Perimeter firewalls, signature-based antivirus, and on-premise scrubbing appliances remain necessary baselines - but the adversaries banks face have moved beyond what those controls were designed to defend against.
Every bank has firewalls, an enterprise antivirus deployment, SIEM tooling, and some form of perimeter DDoS protection. These are necessary baseline controls. They are no longer sufficient on their own, because the threat landscape and the operating reality of a modern bank have both moved on.
A modern bank operates across cloud platforms, internet- and mobile-banking channels, fintech and payment-partner integrations, KYC/AML providers, a mobile workforce, hybrid data centres, and connections to card schemes, national payment switches, RTGS, and SWIFT. Legacy firewall-based segmentation protects a boundary that no longer corresponds to where sensitive operations actually live. Zero Trust per-request access verification is the only architecture compatible with this reality.
Documented bank heists repeatedly trace back to a SWIFT or card-payment environment that was allowed to share network infrastructure with general IT, with no firewall between them. SWIFT CSP / CSCF now codify a stricter architecture: SWIFT-connected infrastructure must be air-gapped or network-isolated from the broader bank, operator workstations must be dedicated and hardened, and outgoing instructions must be subject to dual control. Compliance attestation is mandatory and audited - but many regional institutions are still completing CSP maturity.
Public-facing bank services - the website, internet- and mobile-banking front ends, customer portals, and payment APIs - face the same volumetric DDoS landscape as any high-profile civilian site. On-premise scrubbing appliances cannot absorb attacks of the size and complexity now routinely commissioned via DDoS-for-hire services. Defending these surfaces requires a global anycast edge with hundreds of points of presence, including the African PoPs that Cloudflare maintains in major cities across sub-Saharan Africa.
Zero-day vulnerabilities are unknown until exploited. Even when patches are issued, bank IT operations - constrained by change-control processes and the need to preserve transaction-processing stability - cannot realistically patch all systems within the window between disclosure and active exploitation. Virtual patching at the Web Application Firewall edge bridges that gap.
The adversaries banks face - APT38, OPERA1ER, ransomware affiliates, hacktivist DDoS collectives, and sophisticated insiders - are professional, well-resourced, and operate at industrial scale. Many African banks' security teams are small relative to that threat. Expecting an in-house team of that size to detect, contain, and respond to a coordinated, multi-vector attack without an enterprise-grade global security platform is unrealistic. The practical answer is leverage: operate the team you have on top of a global network that does the heavy lifting at the edge.
Twelve Recommendations for African Banks
A prescriptive checklist drawn from SWIFT CSP, Basel operational-resilience principles, and the lessons of every incident catalogued in Sections 01–03. Vendor-neutral. Sequenced by impact and dependency.
The recommendations below are stated in deliberately operational language. Each maps to one or more documented incidents in this report; each corresponds to a recognised control in SWIFT CSP, Basel committee guidance, NIST CSF, or the SABRIC sector framework. They are the controls a peer institution would expect to see in place at any SWIFT-connected bank in 2026.
01. Achieve and maintain SWIFT CSP/CSCF attestation
SWIFT Customer Security Programme attestation is mandatory and audited. Engage an independent CSP assessor at least annually; close every gap in the Customer Security Controls Framework within the publicly stated remediation window. CSP compliance is the floor, not the ceiling.
02. Segregate SWIFT, RTGS, card-issuance, and ATM-switch infrastructure from the general network
Documented heists repeatedly trace to a SWIFT, RTGS, or card environment sharing infrastructure with the general network, with no firewall between them. Air-gap or strictly segment every critical operations environment. No shared print, file, or directory services with general office IT.
03. Deploy phishing-resistant MFA on every privileged workstation
FIDO2 / WebAuthn (hardware tokens, not SMS, not push) on every operator workstation with access to SWIFT, RTGS, payment switches, card-management, or treasury systems. Phishing is the proximate cause of nearly every documented bank heist on the public record - this control breaks the chain.
04. Enforce dual control and multi-person approval on outbound instructions
Every outgoing SWIFT and RTGS instruction must require a second, independently-credentialed approver on a separate device. Tamper-resistant logging of every action, with logs streamed off-host in real time. This is the control that catches a fraudulent outbound instruction before it settles.
05. Adopt Zero Trust per-request access for all internal systems
Replace VPN-based implicit trust with per-request identity-and-device verification for every internal system - core banking, card-management, treasury, and KYC platforms. Continuous session monitoring on privileged sessions, automatic revocation on anomaly.
06. Move public-facing services behind a global anycast edge
On-premise scrubbing appliances cannot absorb modern volumetric DDoS. The bank's website, internet- and mobile-banking front ends, and payment APIs must sit behind a global edge with always-on volumetric and application-layer protection. The SABRIC October 2019 campaign is the case in point. [16]
07. Inspect every inbound email; train every operator
AI-driven email security in front of every staff inbox, scanning for impersonation of SWIFT, correspondent banks, card schemes, regulators, and payment partners. Quarterly phishing exercises with measurable failure-rate KRIs. Outstanding remedial training mandatory.
08. Run a formal vendor-risk programme for the supplier ecosystem
Continuous third-party risk assessment for every supplier with access to critical infrastructure: core banking, RTGS, SWIFT interface vendors, KYC/AML platforms, national payment-switch operators. Contractual obligation for vendor disclosure of CVEs and breaches. Alignment to SWIFT CSP and Basel operational-resilience principles.
09. Participate actively in sectoral threat-intelligence sharing
SABRIC (Southern Africa), regional CERTs, FS-ISAC, and peer-bank direct sharing. Transparent disclosure and shared indicators of compromise raise the cost for every adversary operating across the continent - one bank's detection becomes every bank's defence.
10. Define, document, and test an incident-response plan
A bank-specific IR playbook covering SWIFT/card-fraud incidents, ransomware, DDoS, data exfiltration, insider abuse, and supplier compromise. Pre-negotiated retainer with an external IR firm. Tabletop-tested at the board level at least annually; full technical exercise at least semi-annually.
11. Report cyber risk to the board at every meeting
A defined dashboard of Key Risk Indicators reviewed at every board sitting: SWIFT CSP attestation status, mean time to patch critical vulnerabilities, phishing-test failure rate, privileged-access reviews completed, ransomware-recovery tabletop status, vendor-risk red flags. Cyber as a board agenda item, not an annexure.
12. Extend your controls to fintech partners and the payment ecosystem
OPERA1ER's campaign showed that attackers pivot through the weakest connected institution. The fintechs, payment processors, agent networks, aggregators, and switches a bank integrates with are part of the bank's own threat surface. Contractually require security attestation, share threat intelligence, and monitor those integrations as if they were internal systems. [7]
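Recommendation 04 above (a second approver on a separate device, every action logged tamper-resistantly), as an added example that is not code from the report or from any SWIFT or RTGS product: a release gate that refuses approval from the initiator, from the initiating device, or from a device not bound to the approver, and records every decision in a hash-chained log that an off-host collector can verify. User names, device IDs, references and amounts are constructed.

```python
"""Dual control on outbound payment instructions with a tamper-evident log
(added example). Models Recommendation 04 of the report."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

GENESIS = "0" * 64  # chain anchor for the first log entry


@dataclass
class Instruction:
    ref: str
    amount_minor: int        # minor units (cents) to avoid float rounding
    currency: str
    beneficiary: str
    initiator: str
    initiator_device: str
    approver: Optional[str] = None
    approver_device: Optional[str] = None
    released: bool = False


class AuditLog:
    """Append-only, hash-chained log. Each entry commits to the digest of the
    previous one, so editing or deleting any earlier entry breaks verification.
    In production each entry is also streamed to an off-host collector as it
    is written, so a compromised host cannot quietly rewrite history."""

    def __init__(self) -> None:
        self.entries: list[dict] = []
        self._prev = GENESIS

    @staticmethod
    def _digest(record: dict) -> str:
        return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

    def append(self, **event) -> str:
        record = {"seq": len(self.entries), "prev": self._prev, **event}
        digest = self._digest(record)
        self.entries.append({"record": record, "digest": digest})
        self._prev = digest
        return digest

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            rec = e["record"]
            if rec["seq"] != i or rec["prev"] != prev or self._digest(rec) != e["digest"]:
                return False
            prev = e["digest"]
        return True


class ReleaseGate:
    def __init__(self, device_registry: dict[str, set[str]], log: AuditLog) -> None:
        self.registry = device_registry   # user -> devices bound to that user
        self.log = log

    def submit(self, instr: Instruction) -> None:
        self.log.append(action="submit", ref=instr.ref, user=instr.initiator,
                        device=instr.initiator_device, amount_minor=instr.amount_minor,
                        currency=instr.currency, beneficiary=instr.beneficiary)

    def approve(self, instr: Instruction, approver: str, device: str) -> tuple[bool, str]:
        """Second-person release decision. Returns (released, reason)."""
        if instr.released:
            reason = "already released"
        elif approver == instr.initiator:
            reason = "approver is the initiator"
        elif device == instr.initiator_device:
            reason = "approval from the initiating device"
        elif device not in self.registry.get(approver, set()):
            reason = "device not registered to approver"
        else:
            reason = "ok"
        ok = reason == "ok"
        # Every decision, including refusals, is logged before state changes.
        self.log.append(action="approve", ref=instr.ref, user=approver,
                        device=device, outcome=reason)
        if ok:
            instr.approver, instr.approver_device, instr.released = approver, device, True
        return ok, reason
```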
Built for Scale, Available for African Banks
Cloudflare operates one of the largest global networks in the world, with extensive edge presence across the African continent - the same infrastructure used by global tier-one banks and government agencies, available to African banks through LockDown IT.
Cloudflare operates one of the largest global networks in the world - 330+ points of presence across more than 120 countries, processing tens of millions of HTTP requests per second and blocking billions of cyber threats every day. The same infrastructure protecting global tier-one banks, regulated financial institutions, and national governments can protect your bank's public-facing services, internet- and mobile-banking channels, and customer-facing applications.
Eleven products organised into three layers of commercial-bank protection. Read this with Section 06 (Recommendations) open in the other hand - the mapping is deliberate.
We block attackers upstream - on the public internet, before they ever touch the bank's IT infrastructure.
LockDown IT helps protect leading banks across Africa. As a Cloudflare Enterprise Services Partner, we deploy Cloudflare's global network - with regional edge presence across sub-Saharan Africa - in front of the bank's external surface: public websites, internet- and mobile-banking front ends, payment and card APIs, RTGS gateways, staff email, and Zero Trust access for staff and contractors. DDoS floods, phishing, credential stuffing, vulnerability scans, and bot-driven reconnaissance are absorbed and filtered at the global edge - not at the bank's perimeter, and never inside its core systems.
A LockDown IT solutions engineer will walk your team through the Cloudflare platform mapped to your specific architecture - SWIFT and card rails, RTGS, internet- and mobile-banking front ends, staff email. Or we can stand up a 30-day product trial against a non-production surface so the team can evaluate it directly.
A one-page checklist a bank's CISO office can complete in ten minutes. Each item maps to one of the twelve recommendations in Section 06. The goal is not a score - it is a defensible answer to the question "where are we exposed today?"
Acronyms used throughout this report. Listed alphabetically.
- APT38 / BeagleBoyz: North Korean state-aligned threat group operating under the DPRK Reconnaissance General Bureau; uniquely focused on the theft of money from financial institutions. Tracked under the US-CERT "Hidden Cobra" umbrella; overlaps the wider Lazarus Group.
- CSCF: SWIFT Customer Security Controls Framework - the specific control set audited under the CSP attestation regime.
- CSP: SWIFT Customer Security Programme - the post-2016 framework codifying mandatory security controls for all SWIFT-connected institutions. Compliance attestation is mandatory and audited.
- DDoS: Distributed Denial of Service - an attack that floods a target with traffic from many sources to make services unavailable.
- DPRK: Democratic People's Republic of Korea (North Korea).
- ECOWAS: Economic Community of West African States.
- EDR: Endpoint Detection and Response - software running on operator workstations and servers, detecting malicious activity in real time.
- FASTCash: US-CERT designation for the North Korean campaign that compromised ISO 8583-based payment switches to enable cash-out fraud against banks in Africa and Asia.
- FIDO2 / WebAuthn: Open authentication standards for phishing-resistant multi-factor authentication, typically using hardware security keys (YubiKey, Titan).
- FS-ISAC: Financial Services Information Sharing and Analysis Center - global threat-intelligence sharing community for the financial sector.
- ISO 8583: International standard for financial-transaction card-originated messages; the message format used by most card networks and ATMs.
- KRI: Key Risk Indicator - a measurable metric reviewed by management or the board to monitor risk levels.
- KYC / AML: Know Your Customer / Anti-Money Laundering - the regulatory framework requiring financial institutions to verify customer identity and screen transactions.
- MFA: Multi-Factor Authentication - requiring more than one verification method to log in. "Phishing-resistant MFA" specifically means FIDO2 / WebAuthn, not SMS or push.
- NDPR: Nigeria Data Protection Regulation.
- OPERA1ER: Group-IB designation for the organised-crime cluster that conducted 30+ successful attacks against banks, FSPs, and telecoms across 12 African countries between 2018 and 2022.
- PoP: Point of Presence - a physical edge location in a global network. Cloudflare operates PoPs across major cities in sub-Saharan Africa and 320+ cities worldwide.
- POPIA: South Africa's Protection of Personal Information Act - the country's data-protection law.
- RaaS: Ransomware-as-a-Service - the operator model under which Hive and similar groups operate, recruiting affiliates who carry out attacks in exchange for a share of ransom proceeds.
- RTGS: Real-Time Gross Settlement - the system through which a central bank settles interbank payments individually and in real time, typically for large-value transactions.
- SABRIC: South African Banking Risk Information Centre - sector body coordinating threat intelligence and risk information across South African banks.
- SADC: Southern African Development Community.
- SIEM: Security Information and Event Management - system that aggregates and analyses log data from across IT infrastructure to detect threats.
- SWIFT: Society for Worldwide Interbank Financial Telecommunication - the global messaging network through which banks and central banks settle interbank, correspondent, and reserve-management transactions.
- WAF: Web Application Firewall - inspects HTTP/HTTPS requests to a web application and filters malicious or anomalous traffic before it reaches the origin server.
About LockDown IT
LockDown IT is a specialist Africa-based cybersecurity company and a Cloudflare Enterprise Services Partner. We design, implement, and manage enterprise cybersecurity solutions for commercial banks, central banks, financial authorities, and other institutions of systemic importance across Sub-Saharan Africa.
[email protected] | +27 11 024 5696 | www.lockdownit.co.za
About Cloudflare
Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company on a mission to help build a better internet. Cloudflare's platform protects and accelerates any internet application online, with Points of Presence throughout Africa.
© 2026 LockDown IT (Pty) Ltd. All incident data is drawn from public sources.
All statistics and incident data cited in this report are drawn from the following publicly available sources. Reference numbers correspond to citation markers in the body text.
[1] Standard Bank - ATM Cash-Out Across Japan (May 2016). An organised group compromised Standard Bank's card systems and used forged cards to withdraw over USD 19 million from ~1,400 ATMs across Japan in under three hours; 260+ suspects were later arrested. Documented in the World Bank report (Carnegie Endowment for International Peace 2021).
[2] National Bank of Kenya - Internal-Network Compromise (January 2018). An OCG stole at least KSh 29M (~USD 261K), with anecdotal reporting suggesting ~KSh 340M (~USD 3M), after compromising the bank's internal network. Documented in the World Bank report (PC Tech Magazine 2018).
[3] SilentCards - Insider-Enabled Theft from Kenyan Banks (since 2019). A Kenyan group that buys dormant accounts and co-opts serving bank employees to move and withdraw funds via ATMs; the World Bank reports ~USD 174 million stolen from Kenyan banks (Niba 2019).
[4] Union Bank of Nigeria - REvil Ransomware & Data Leak (February 2021). REvil operators compromised the bank, disrupted availability, and stole and leaked confidential customer and business data. Documented in the World Bank report (Hack Notice 2021).
[5] Steward Bank (Zimbabwe) - Egregor Ransomware (November 2020). Egregor ransomware operators caused several days of system disruption at Zimbabwe's Steward Bank. Documented in the World Bank report.
[6] South African Bank - Insider Master-Key Theft (June 2020). Employees stole a master key used to decrypt operations and generate customer-card keys, made fraudulent transactions, and took over USD 3.2 million; remediation cost over USD 58 million. Documented in the World Bank report (Cimpanu / ZDNet 2020).
[7] OPERA1ER - Multi-Country Cybercrime Campaign (2018-2022). Group-IB attributed 30+ successful attacks against banks, FSPs, and telecoms across 12 African countries to a single criminal cluster; at least USD 11M stolen, assessed total damage USD 30-50M. Source: Group-IB / Quartz Africa, 2022.
[8] World Bank - "Cyber Threats to the Financial Sector in Africa" (2022). Primary source for the 18× theft-to-impact multiplier, the USD 245M East-Africa financial-sector loss figure (Deloitte), the July 2021 attack on Angola's largest state-owned bank (Lusa / Ver Angola 2021), and much of the incident catalogue in this report.
[9] US-CERT - APT38 / BeagleBoyz & FASTCash. US authorities attribute over USD 100 million in bank thefts across Africa and Asia to North Korea's APT38 / BeagleBoyz, including the FASTCash payment-switch cash-out campaign (Alert AA20-239A). Operative Park Jin Hyok was named in US federal charges.
[10] US-CERT - FASTCash Payment-Switch Cash-Out Campaign. US-CERT documented the North Korean "FASTCash" campaign, which compromised ISO 8583 payment-switch servers to authorise fraudulent ATM withdrawals against banks in Africa and Asia, totalling tens of millions of dollars.
[11] Trust Bank (The Gambia) - Insider-Assisted Fraud (May 2020). Gambian authorities arrested 12 suspects linked to an attack on Trust Bank; evidence suggested they worked with insiders to attempt fraudulent transactions. Documented in the World Bank report (The Point 2020).
[12] Pegasus Technologies - Mobile-Money Processor Breach (October 2020). Attackers compromised Pegasus Technologies, a fintech processor used by MTN and Airtel, stealing ~USD 1 million from Uganda's digital-payments system and affecting 20 million people in the shutdown. Documented in the World Bank report (Kasemiire & Ajuna 2020).
[13] Experian South Africa - Data Breach (August 2020). A breach exposed the personal information of 24 million South Africans and almost 800,000 businesses. Documented in the World Bank report (Times Live 2020).
[14] Nedbank - Third-Party Breach via Computer Facilities (February 2020). Nedbank disclosed that a security breach at a third-party marketing contractor, Computer Facilities, exposed the personal information of up to 1.7 million clients. Source: ITWeb / Nedbank statement, 2020.
[15] TransUnion South Africa - Breach & Extortion (March 2022). A threat group accessed TransUnion SA systems and demanded a ransom, in a breach affecting millions of consumers and businesses whose credit data underpins bank lending and KYC decisions. Source: Reuters, 2022.
[16] SABRIC - Coordinated DDoS Against African Banks (October 2019). The South African Banking Risk and Information Centre reported DDoS attacks against multiple African banks' public-facing assets, accompanied by ransom demands and timed to coincide with payday. Documented in the World Bank report (Paton 2019).
[17] Mozambique - Banking-System Outage via Vendor Cut-Off (November 2018). Mozambique's banking system, including ATMs and card machines, was offline for several days after a Portuguese fintech provider cut off services in a billing dispute. Documented in the World Bank report (Verdade 2018).
[18] South African Bank - Attempted R100M Card Fraud (January 2019). An employee used privileged access to approve replica cards in an attempt to move ~R 100 million (~USD 6.6M) from a customer's account to accomplices for ATM withdrawal. Documented in the World Bank report (Hlungwani 2019).
[19] TA505 - Phishing Against South African FSIs (September 2019). A reported intelligence source indicated the TA505 OCG was actively targeting large South African financial institutions with phishing campaigns to obtain employee credentials and establish network footholds. Documented in the World Bank report.
[20] FIN7 & Card-Skimming - POS and E-Commerce (2019-2021). FIN7 conducted attacks on South African point-of-sale systems to steal card data (March 2021), and a card-skimming script on Garmin South Africa's e-commerce site harvested customers' full payment-card and billing data (September 2019). Documented in the World Bank report (Seals 2021; Karabus 2019).
[21] Bank of Ghana - Card-Fraud Surge (2019-2020). The Bank of Ghana reported a 584.1% year-on-year increase in card fraud affecting its customers. Documented in the World Bank report (Ghanaian Times 2020).