In West Africa, Digital Transformation is Fueling Cybercriminals’ Appetite
After the tax authority in October, then the agency responsible for issuing national identity cards earlier this year, now it was the Public Treasury’s turn to be targeted. In less than six months, three Senegalese public institutions have been hit by major cyberattacks.
“Africa is becoming the new playground for cybercriminals,” observes Clément Domingo, a cybersecurity expert and whistleblower known on X under the nickname SaxX. The reason is simple: the continent is digitizing rapidly but is often poorly secured. “The more a country digitizes, the more it increases its attack surface,” Domingo adds.
Senegal illustrates this paradox. Committed to the rapid modernization of its public services, the country launched a “Technological New Deal” in 2026 built around four pillars: digital leadership, development of the digital economy, digitization of public services, and digital sovereignty. In practical terms, Senegalese daily life is gradually moving online.
With offerings such as Sénégal Services, it is now possible to obtain a birth certificate or renew identity documents online. In a country where banking penetration remains low, the growth of mobile payments has also enabled a large share of the population to access financial services. Electricity bills, tolls, and telephone services can now be paid through applications such as Wave or Orange Money.
This digitization, though still incomplete, represents undeniable progress. It simplifies administrative procedures, reduces costs, and promotes economic inclusion, particularly in rural areas. It also opens the door to new uses, notably through artificial intelligence, which could eventually make public services available in local languages. But it also exposes still-nascent infrastructures, where cybersecurity is not systematically built in.
In Senegal, several structural weaknesses remain, Clément Domingo notes: heterogeneous and sometimes obsolete IT systems, a shortage of local expertise in key positions, and an inadequate legal framework. The law on personal data protection dates back to 2008, and no comprehensive cybersecurity legislation yet fully structures the national response.
In this context, attacks are multiplying in an environment where awareness remains low. Across the continent, experts point to a massive lack of awareness of digital risk. Businesses and government agencies have become prime targets. Sub-Saharan Africa is the most exposed region, according to Kaspersky, the cybersecurity company known for its antivirus solutions, and phishing attempts number in the tens of millions. The three countries most affected by such attacks are Kenya, South Africa, and Morocco.
Senegal is no exception to this trend. The attacks may be carried out by lone hackers, organized criminal networks, or groups linked to states. “It is extremely difficult to formally attribute an attack,” recalls Franck Kié, founder of the Cyber Africa Forum. The motives are varied. They may be financial, political, or strategic. “Targeting public institutions allows attackers to make a name for themselves, but also to destabilize a country,” the expert notes.
For Anas Chanaa, founder of Nucleon Security, a company that designs and deploys automated cybersecurity solutions in Africa, such attacks can be part of geopolitical dynamics. In this context, African actors are increasingly seeking to diversify their technology partners. “There is a desire to no longer depend solely on certain powers,” he observes, with greater attention being paid to the origin of technologies and control over data.
But beyond these strategic issues, the consequences can be immediate. Stolen data can be resold, used in phishing campaigns—fraudulent messages impersonating institutions or companies to extract confidential information—or employed in financial fraud. In some cases, they can even feed networks involved in forging official documents.
These attacks are also reviving the debate over digital sovereignty. Where is citizens’ data stored? Who controls the infrastructure? Which technology partners are involved? “Sovereignty is not autarky, but the ability to choose one’s partners and control one’s data,” insists Franck Kié. Yet in many African countries, critical infrastructure still relies heavily on foreign technologies.
Senegal aims to become a technological hub in West Africa, alongside Côte d’Ivoire and Benin. But it remains vulnerable, as recent attacks have demonstrated. Faced with these growing risks, the authorities have begun to respond by strengthening certain institutions and expressing their intention to build a national strategy. But the task remains immense.
For Gérald Da Costa, a cybersecurity professional and author of a white paper on digital sovereignty in Senegal, the challenges are primarily structural. “There needs to be a strong, independent authority capable of steering the national strategy and overseeing its implementation,” he argues. He also calls for closing the skills gap through large-scale training efforts and the creation of a structured sector.
Finally, digital sovereignty cannot be achieved without sustained local investment. “As long as we depend on external funding and solutions, we will not be fully in control of our cybersecurity,” he warns. It is a major challenge in a country already facing a debt crisis that weighs heavily on public finances.
