profile: active
type: Hacktivism
threat_level: Medium
status: Active
origin: Unknown — pro-Palestine hacktivism
first_seen: March 2022
last_updated: 2026-03-27

N4ughtySec

also known as: N4ughtySecTU, N4aughtySecGroup
claimed origin: Brazil (self-reported)
ideology: Pro-Palestine

A group that emerged under the N4ughtySecTU alias targeting South African financial infrastructure — breaching TransUnion SA in March 2022 and exfiltrating data on 5 million consumers, then demanding $15 million in cryptocurrency. When TransUnion refused to pay on principle, the group released the data and claimed sustained access to credit bureau and financial systems. The group returned in 2023 as N4aughtySecGroup demanding $30 million each from TransUnion and Experian, and again in 2024 claiming to have used credit bureau backend access to breach South African banks and fraudulently extract R175 million from the South African Social Security Agency (SASSA). Claims vary widely in verified impact — the 2022 TransUnion breach is confirmed; subsequent bank and government system claims are disputed by all named institutions.

claimed origin: Brazil (self-reported); pro-Palestinian ideology
first observed: March 2022 (TransUnion SA breach)
primary motivation: Financial extortion + political statement (pro-Palestine)
confirmed breach: TransUnion SA — 5M consumer records (March 2022)
extortion demands: $15M (2022) → $30M each (2023) → apology only (2024)
initial access: SFTP brute force — password "Password" on client account
target geography: South Africa — credit bureaus, banks, government systems
data claim: 54M records claimed by group; 5M confirmed by TransUnion
current status: ACTIVE — claims ongoing; disputed by named institutions

Overview

N4ughtySec first appeared publicly in March 2022 under the alias N4ughtySecTU when it claimed responsibility for a breach of TransUnion South Africa — one of the country's major credit bureaus. The initial access method was straightforward and embarrassing for the target: the group brute-forced an SFTP server belonging to one of TransUnion's clients whose account was protected by the literal password "Password." From this foothold the group claimed to have exfiltrated 4TB of data and up to 54 million records.

The confirmed scale of the breach was substantially smaller than claimed. TransUnion's own investigation found that data relating to approximately 5 million consumers was potentially affected by the incident, with a further 5.2 million consumers having only their ID numbers exposed. The company also stated that 54 million records claimed by the group were largely drawn from separate data breaches dating back to 2017 that the group had combined with whatever TransUnion data they actually accessed. South Africa's Information Regulator separately criticized TransUnion's breach response as inadequate under the Protection of Personal Information Act (POPIA).

TransUnion's position on the $15 million extortion demand was public and principled: paying would set a bad precedent, incentivize further attacks, and provide no guarantee the data would not be published anyway. When the deadline passed without payment, N4ughtySecTU posted the data online and apparently went quiet. This pattern — breach, demand, non-payment, data release, disappearance — is characteristic of hacktivist extortion operations that are more motivated by the public statement than by financial return.

The group then operated a secondary extortion scheme targeting companies whose data appeared in the TransUnion breach — demanding "insurance fees" from third parties in exchange for exclusion from the data publication. This dual-track extortion model (paying the primary target for non-publication and simultaneously monetizing from data subjects' associated organizations) is a sophisticated escalation from single-target ransomware.

In November 2023, a group identifying as N4aughtySecGroup — assessed as the same entity or a continuation operating under a new alias — re-emerged demanding $30 million each from TransUnion and Experian, claiming it had maintained persistent access to both credit bureaus since the 2022 breach. In 2024, the group made more expansive claims: that it had used credit bureau backend access to penetrate South African banks (Absa, FNB, Nedbank, Discovery, TymeBank), fraudulently registered over 100,000 Social Relief of Distress grant accounts at SASSA by opening mule bank accounts using stolen credit bureau identity data, and extracted approximately R175 million. The group simultaneously claimed to have over 80 access points across government and financial backend systems.

All named banks denied evidence of breaches in their own systems. TransUnion, Experian, and XDS each stated they found no evidence of new unauthorized access. SASSA's grant administration head did confirm that SASSA systems had been compromised and acknowledged weaknesses in bank account opening verification — a partial corroboration of the mechanism claimed, if not the full scale. The Democratic Alliance raised the claims in parliamentary proceedings. The group notably dropped financial demands in the 2024 wave, instead demanding only a public apology and acknowledgment of security failures — a shift from extortion toward reputational pressure and activist goals, consistent with hacktivist rather than purely criminal motivation.

Target Profile

N4ughtySec's targeting is focused on South African financial and government infrastructure, with credit bureaus as the strategic entry point for downstream access.

  • Credit Bureaus (primary entry point): TransUnion South Africa was the confirmed initial target in March 2022. The group has repeatedly claimed sustained access to TransUnion and Experian through 2023 and 2024, and has included XDS as a claimed target in later waves. Credit bureaus are strategically valuable as targets because they hold comprehensive consumer financial data — ID numbers, credit scores, banking relationships, loan balances, addresses — that can be used both for direct extortion and as the foundation for downstream attacks on financial institutions that serve the same consumer base.
  • South African Banks: In 2024, the group claimed to have used credit bureau backend access to penetrate five major South African banks: Absa, FNB, Nedbank, Discovery Bank, and TymeBank. The claimed mechanism was using stolen consumer identity data from credit bureau breaches to open fraudulent mule accounts within the banks' systems — exploiting FICA compliance gaps in account opening verification. All named banks denied evidence of breaches in their core banking systems, though Absa acknowledged that the data set presented appeared identical to a set reviewed in 2023, and all confirmed ongoing anti-mule-account monitoring.
  • South African Social Security Agency (SASSA): The group claimed to have exploited SASSA's system vulnerabilities — using credit bureau identity data to fraudulently register over 100,000 Social Relief of Distress (SRD) grant accounts at R370 per month, directing payments to fraudulently opened mule bank accounts. SASSA's head of grant admissions confirmed that SASSA systems had been compromised and that weaknesses at three South African banks in FICA compliance made fraudulent account opening easier. The R175 million figure claimed by the group is disputed but the underlying SASSA vulnerability was independently confirmed by Stellenbosch University researchers.
  • High-Profile Individual Data — Political and Judicial Targets: The group specifically organized exfiltrated data into categories including political parties, government officials, parliament members, judges, and prosecutors. South African President Cyril Ramaphosa's ID number was released via Telegram as a demonstration of the scope. The CEO of TransUnion was contacted on his personal cellphone using data found in the breach — a demonstration of access to executive personal information.

Tactics, Techniques & Procedures

N4ughtySec's documented TTPs reflect a combination of opportunistic credential exploitation and a sustained multi-year engagement model focused on a single geographic market.

mitre id | technique | description
T1110.001 | Brute Force — Password Guessing | The confirmed initial access to TransUnion in March 2022 was a brute force attack against an SFTP server, ultimately succeeding with the password "Password" on a client account. The group reported to BleepingComputer that they did not steal any credentials through phishing or other means — they simply guessed a weak password on an internet-exposed server. This is the simplest possible initial access technique and highlights the exposure created by internet-facing services protected by weak credentials, regardless of how sophisticated the data they serve is.
T1078 | Valid Accounts — Client Credential Abuse | TransUnion confirmed that a "criminal third-party obtained access to its South African server through misuse of an authorised client's credentials." The SFTP account compromised belonged to a legitimate TransUnion client — giving the attacker authenticated access to TransUnion's data environment as if they were a legitimate business partner. This framing — the attack was on a client account, not TransUnion's own credentials — is significant: it means TransUnion's own authentication systems functioned as designed; the vulnerability was in a third party's credential hygiene.
T1530 | Data from Cloud Storage — SFTP Server Exfiltration | The confirmed exfiltration occurred from an SFTP server — a file transfer service — that TransUnion operated for client data exchange. The group claimed to have exfiltrated 4TB of data. TransUnion confirmed the server was isolated and held limited South African data, with the much larger 54-million-record claim including externally sourced data from prior breaches dating to 2017. The group appears to have aggregated multiple data sources and presented the combination as a single TransUnion exfiltration to maximize the apparent scale of the breach.
T1657 | Financial Extortion — Dual-Track Ransom Model | N4ughtySecTU operated a two-track extortion scheme simultaneously. The primary track demanded $15 million from TransUnion not to publish the data. The secondary track — unusual in documented hacktivist operations — offered "insurance fees" to third-party companies whose data appeared in the breach: pay an undisclosed fee and be excluded from the data release. This secondary market for extortion against data subjects rather than just the breached organization represents a more sophisticated monetization strategy than standard ransomware models.
T1589 | Identity Data Weaponization — Downstream Fraud | In the group's 2024 claims, the breach data from credit bureaus was repurposed as the foundation for downstream financial fraud: using stolen identity data to open mule bank accounts, then using those accounts to fraudulently register SRD grant applications at SASSA. This multi-step fraud chain — credit bureau breach → identity data → fraudulent bank accounts → government benefit fraud — demonstrates how comprehensive consumer financial identity data from a credit bureau enables cascading downstream attacks across the financial ecosystem that serves those consumers.
T1491 | Public Data Leak — Pressure and Proof of Access | When TransUnion declined to pay, N4ughtySecTU publicly released the stolen data — a standard hacktivist pressure tactic that also serves as proof of the breach's reality. In 2024, the group demonstrated access to current financial data of two MyBroadband journalists (including insurance company and policy number data from recent months) to prove the ongoing currency of their access rather than relying on years-old static data. This demonstration of data recency is a sophisticated proof-of-access technique that distinguishes ongoing system access from one-time historical data sets.

claims vs confirmed impact — analyst caution required

N4ughtySec's claims vary dramatically from confirmed impact. The March 2022 TransUnion breach is confirmed — 5 million consumer records confirmed affected, weak credentials on an SFTP server confirmed as the entry point. The broader claims — 54 million records, ongoing access to multiple credit bureaus, penetration of five South African banks, R175 million extracted from SASSA — are disputed by all named institutions who report no evidence of fresh unauthorized access. The 2024 data demonstrations (current insurance and financial data for journalists) were compelling but could reflect aggregated data sets rather than live system access. Analysts should treat the 2022 breach as high-confidence confirmed and treat subsequent claims with appropriate skepticism pending independent corroboration.

Known Campaigns

TransUnion South Africa — SFTP Breach and Data Extortion (March 2022)

N4ughtySecTU first made contact with TransUnion on March 11, 2022, informing the company of the breach. The group gained access via brute force of an SFTP server protected by a client account using the password "Password." The group claimed 4TB of data and 54 million records including 200 corporate client datasets. TransUnion's investigation confirmed approximately 5 million consumers were affected, with an additional 5.2 million having only ID numbers exposed. The company confirmed the 54-million-record figure consisted mostly of data from external breaches dating to 2017 that the group combined with the TransUnion-specific data. The group demanded $15 million (R223 million) in Bitcoin within seven days. TransUnion declined, citing expert advice that payment would incentivize future attacks. The group released the data after the deadline, published President Ramaphosa's ID number on Telegram, and contacted TransUnion's CEO on his personal cellphone using data found in the breach. South Africa's Information Regulator criticized TransUnion's POPIA response as inadequate.

Secondary Extortion — "Insurance Fees" for Third Parties (March–April 2022)

Simultaneously with the primary extortion demand against TransUnion, N4ughtySecTU ran a secondary scheme targeting companies whose data appeared in the breach. The group offered an "insurance fee" payment to third parties — businesses, banks, insurers, and automotive companies — in exchange for exclusion from the public data release. Organizations that paid would be safe; those that refused would have their client data exposed when TransUnion's non-payment triggered the release. The amounts demanded for these secondary fees were not publicly disclosed. This parallel monetization of breach data against secondary parties rather than just the breached organization represents an unusual sophistication in the group's extortion model.

N4aughtySecGroup — $30M Demands, Experian Expansion (November 2023)

Operating under the N4aughtySecGroup alias, the group re-emerged in November 2023 claiming to be back inside TransUnion and Experian's systems and demanding $30 million from each organization — double the 2022 TransUnion demand — or facing complete data exposure within 24 hours. The group claimed it had never left South African financial systems since the 2022 breach and had been monitoring access continuously. TimesLIVE reported direct communication with the group, which stated: "You were mistaken by not paying us the first time we harvested all your data and clients' data." TransUnion and Experian both responded that they found no evidence of fresh unauthorized access.

Bank and SASSA Claims — No Ransom, Apology Demanded (October–November 2024)

In October and November 2024, N4aughtySecGroup made its largest and most expansive claims — alleging penetration of five South African banks (Absa, FNB, Nedbank, Discovery, TymeBank) via credit bureau backend systems, fraudulent opening of over 100,000 mule accounts, and extraction of R175 million from SASSA by registering fraudulent SRD grants at R370 per month. The group demonstrated access to current financial data for two MyBroadband journalists including insurance and loan data from recent months. Notably, no ransom demand accompanied these claims — the group stated it only wanted a public apology and acknowledgment of security failures. All named banks denied evidence of breaches. SASSA's head of grant admissions confirmed SASSA systems had been compromised and acknowledged FICA compliance gaps at several banks that enabled fraudulent account opening. The Democratic Alliance raised the matter in South African parliament, and SASSA was scheduled to present to parliament on the issue in November 2024.

Techniques and Methods

N4ughtySec's documented technical methods are relatively basic — the group's impact derives from the sensitivity of the data in weakly secured environments rather than from technical sophistication.

  • SFTP Brute Force: The confirmed initial access to TransUnion was a brute force attack against an internet-exposed SFTP server. The group reported to BleepingComputer that they did not steal credentials through phishing or other means — they guessed a weak password ("Password") on a client account. This represents the simplest possible initial access vector and a failure in TransUnion's client security standards rather than a sophisticated attack on TransUnion's own systems.
  • Data Aggregation from Multiple Breach Sources: The group's claimed 54-million-record data set appears to have been assembled by combining the actual TransUnion SFTP exfiltration with data from other South African data breaches dating to 2017. TransUnion explicitly stated the 54-million figure included data "from separate data breaches dating back to 2017." This aggregation technique allows the group to present a much larger apparent breach than actually occurred, maximizing pressure on the target.
  • Telegram for Communication and Data Release: The group communicates with media and targets through Telegram channels, releasing proof-of-access samples, ransom demands, and ultimately the full stolen data through this platform. Ramaphosa's ID number was posted to a Telegram group chat. Direct communication with journalists occurred via Telegram.
  • Identity Data Reuse for Downstream Fraud: The group's claimed 2024 operations describe using comprehensive credit bureau identity data to open mule accounts at South African banks — exploiting FICA compliance gaps in account verification. This downstream weaponization of stolen identity data against the financial ecosystem represents the most serious potential operational capability if the claims are accurate.
  • Proof-of-Access Demonstrations: When challenging skepticism about ongoing access, the group demonstrated current financial data for specific journalists — insurance company details, loan balances, and policy information updated within months of the demonstration. This approach proves data recency without revealing operational details and is a technique for maintaining credibility despite institutional denials.

Indicators & Detection Notes

N4ughtySec's confirmed attack vector was a basic credential-based SFTP intrusion. Detection and prevention centers on hardening internet-facing file transfer services.

initial access indicators — sftp credential compromise
vector: SFTP server exposed to internet — brute force via weak client account credentials
indicator: SFTP login success from unfamiliar IP following repeated failed authentication attempts
indicator: Large volume SFTP download from authenticated client session outside normal business hours or geography
indicator: Client account IP address change to unrecognized country or hosting provider
comms: Group communicates via Telegram — aliases N4ughtySecTU, N4aughtySecGroup
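The three indicators above can be checked directly against the logs an OpenSSH-based SFTP service already produces. The following is an added example written for this profile, not a detection from TransUnion or from any vendor: it parses constructed sshd and internal-sftp log lines (the sftp subsystem must run with -l INFO for the byte counts to be logged), flags a successful login that follows repeated failures from the same address, a login from an address outside the account's approved set, and a session whose download volume is far above the account's baseline or that ran outside business hours. The account name, IP addresses, baseline figures and business-hours window are all assumptions made for the sample.

```python
"""Detection rules for the SFTP indicators listed above, run over constructed
OpenSSH sshd / internal-sftp log lines (added example; not TransUnion's logs)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH syslog format (sftp subsystem started with -l INFO).
SAMPLE_LOG = """\
Mar 11 02:14:01 sftp01 sshd[2231]: Failed password for client_acme from 203.0.113.45 port 51022 ssh2
Mar 11 02:14:03 sftp01 sshd[2231]: Failed password for client_acme from 203.0.113.45 port 51022 ssh2
Mar 11 02:14:05 sftp01 sshd[2233]: Failed password for client_acme from 203.0.113.45 port 51024 ssh2
Mar 11 02:14:07 sftp01 sshd[2235]: Failed password for client_acme from 203.0.113.45 port 51026 ssh2
Mar 11 02:14:09 sftp01 sshd[2237]: Accepted password for client_acme from 203.0.113.45 port 51030 ssh2
Mar 11 02:14:09 sftp01 internal-sftp[2240]: session opened for local user client_acme from [203.0.113.45]
Mar 11 02:55:12 sftp01 internal-sftp[2240]: close "/export/consumers_full.csv" bytes read 734003200 written 0
Mar 11 09:30:00 sftp01 sshd[2301]: Accepted password for client_acme from 198.51.100.8 port 40010 ssh2
Mar 11 09:30:00 sftp01 internal-sftp[2305]: session opened for local user client_acme from [198.51.100.8]
Mar 11 09:31:10 sftp01 internal-sftp[2305]: close "/export/daily_delta.csv" bytes read 2048000 written 0
"""

# Constructed per-account baseline (assumption): approved partner IPs and typical bytes per session.
BASELINE = {"client_acme": {"known_ips": {"198.51.100.8"}, "typical_bytes": 2_500_000}}
FAIL_THRESHOLD = 3             # failed logins before a following success is suspicious
VOLUME_FACTOR = 10             # session volume above factor x typical triggers an alert
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 server local time (assumption)

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+?\[(\d+)\]: (.*)$")
AUTH_RE = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+) port \d+")
OPEN_RE = re.compile(r"^session opened for local user (\S+) from \[([^\]]+)\]")
CLOSE_RE = re.compile(r'^close "[^"]+" bytes read (\d+) written (\d+)')


def detect(log_text, baseline=BASELINE, year=2022):
    """Return (rule, user, ip, detail) tuples in the order the evidence appears."""
    alerts = []
    failures = defaultdict(int)  # (user, ip) -> failed logins since the last success
    sessions = {}                # sftp pid -> {"user", "ip", "start", "bytes"}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        if auth := AUTH_RE.match(msg):
            state, user, ip = auth.groups()
            if state == "Failed":
                failures[(user, ip)] += 1
                continue
            # Indicator: success from an address that just failed repeatedly (a brute force that worked)
            if failures[(user, ip)] >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", user, ip, failures[(user, ip)]))
            failures[(user, ip)] = 0
            # Indicator: client account authenticating from outside its approved address set
            known = baseline.get(user, {}).get("known_ips", set())
            if known and ip not in known:
                alerts.append(("unknown_source_ip", user, ip, None))
        elif opened := OPEN_RE.match(msg):
            sessions[pid] = {"user": opened.group(1), "ip": opened.group(2), "start": ts, "bytes": 0}
        elif (closed := CLOSE_RE.match(msg)) and pid in sessions:
            sessions[pid]["bytes"] += int(closed.group(1))  # bytes read by the client == downloaded
    # Indicators: download volume far above the account's baseline, or a transfer outside business hours
    for s in sessions.values():
        typical = baseline.get(s["user"], {}).get("typical_bytes", 0)
        if typical and s["bytes"] > VOLUME_FACTOR * typical:
            alerts.append(("volume_anomaly", s["user"], s["ip"], s["bytes"]))
        if s["bytes"] and s["start"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_download", s["user"], s["ip"], s["start"].isoformat()))
    return alerts


if __name__ == "__main__":
    for rule, user, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:24} user={user} ip={ip} detail={detail}")
```

On the sample, the 02:14 session from 203.0.113.45 produces all four alerts while the 09:30 session from the approved address produces none. The baseline is the piece that needs real data: an account's approved source addresses and its historical per-session volume are what turn a valid login into an anomaly, which is exactly the gap the TransUnion client account fell through.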

Mitigation & Defense

The TransUnion breach was preventable with elementary credential security controls on an internet-exposed service. The downstream identity fraud claims — if accurate — are harder to prevent as they exploit systemic gaps in identity verification across South Africa's financial sector.

  • Enforce strong password policy on all client-facing API and SFTP accounts: N4ughtySec's entire initial access hinged on the password "Password" being in use on an SFTP account. Any internet-facing service that allows client authentication must enforce minimum password complexity requirements, reject common passwords programmatically, and catch weak passwords before the account goes live. TransUnion's client account security standards failed to prevent a client from setting a completely trivial password on an account with access to millions of consumer records.
  • Require MFA on all internet-facing file transfer services: SFTP brute force attacks succeed only when credentials alone are sufficient to authenticate. Adding a second factor — even a shared TOTP or certificate-based authentication — eliminates brute force as a viable initial access vector regardless of password weakness.
  • Implement IP allowlisting and geofencing for SFTP client accounts: Legitimate business partners accessing SFTP services do so from known IP ranges. Restricting SFTP authentication to pre-approved IP addresses — or alerting on authentication from unexpected locations — would have flagged or blocked the TransUnion access immediately, since the brute force originated from an attacker-controlled IP rather than the legitimate client's infrastructure.
  • Monitor for unusual download volume from authenticated SFTP sessions: A client account downloading gigabytes or terabytes of data in a single session is anomalous behavior regardless of credential validity. Data transfer anomaly detection on file transfer services — alerting on sessions that download significantly more data than the account's historical baseline — would have detected the exfiltration in progress.
  • Harden FICA account opening verification to prevent identity fraud at scale: The group's 2024 SASSA fraud claims — if accurate — relied on FICA compliance gaps at South African banks that allowed over 100,000 accounts to be opened using stolen identity data without sufficient verification. Strengthening identity verification requirements for new account opening, particularly for accounts in unusual patterns (volume, geography, data source), addresses the downstream fraud vector that credit bureau breaches enable. SASSA's head of grant admissions explicitly confirmed that non-compliant bank account opening practices at three institutions made fraudulent registration easier.
  • Treat extortion refusal as the correct policy baseline: TransUnion's decision not to pay the $15 million demand — despite the data being released — is the appropriate industry posture. Paying extortion guarantees that future attackers will target the same organization again with the demonstrated knowledge that payment is possible, while providing no guarantee of non-publication. TransUnion explicitly stated this principle. The group returned in 2023 and 2024 regardless of the non-payment — confirming that payment would not have prevented the ongoing engagement.
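The first four mitigations above (no password-only login, a second factor, source-address allowlisting, and transfer monitoring) all map onto settings in an OpenSSH sshd_config when the file transfer service is SFTP. The following is an added example for this profile, not TransUnion's configuration or a known-good template from OpenSSH: it shows a constructed weak configuration beside a hardened one and a small auditor that reports which of the controls are missing. The account name, IP address, group name and chroot path are assumptions made for the sample.

```python
"""Audit an sshd_config for the SFTP hardening controls listed above.
Added example; the two configs are constructed, not TransUnion's."""
import re

# Constructed: the kind of setup that lets a guessed client password give full SFTP access.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed: same service with key + second factor, source allowlist, SFTP-only jail, transfer logging.
HARDENED_CONFIG = """\
Port 22
PasswordAuthentication no
MaxAuthTries 3
# public key plus PAM keyboard-interactive (e.g. TOTP): a guessed password alone is never enough
AuthenticationMethods publickey,keyboard-interactive
# INFO logging records every open/close with byte counts, so session volume can be monitored
Subsystem sftp internal-sftp -l INFO
# partner accounts may only authenticate from their approved addresses
AllowUsers client_acme@198.51.100.8
Match Group sftpclients
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -l INFO
    AllowTcpForwarding no
    X11Forwarding no
"""

KEY_RE = re.compile(r"^(\w+)\s*=?\s*(.*)$")
LOG_LEVEL_RE = re.compile(r"-l\s+(INFO|VERBOSE|DEBUG)", re.I)


def parse_sshd_config(text):
    """Return (global_opts, match_blocks); keys lower-cased, repeated keys kept in order."""
    global_opts, blocks, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {"criteria": value, "opts": {}}
            blocks.append(current)
            continue
        target = global_opts if current is None else current["opts"]
        target.setdefault(key, []).append(value)
    return global_opts, blocks


def audit(text):
    """Return a list of findings; an empty list means all six controls are present."""
    g, blocks = parse_sshd_config(text)
    scopes = [g] + [b["opts"] for b in blocks]

    def anywhere(key, pred):
        return any(pred(v) for scope in scopes for v in scope.get(key, []))

    findings = []
    if g.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("PasswordAuthentication is yes or unset (sshd default yes): a guessed password alone logs in")
    if not anywhere("authenticationmethods", lambda v: "publickey" in v.lower()):
        findings.append("AuthenticationMethods does not require publickey: no key or second factor")
    if not anywhere("forcecommand", lambda v: v.startswith("internal-sftp")):
        findings.append("no ForceCommand internal-sftp: client accounts are not confined to file transfer")
    if not (anywhere("allowusers", lambda v: "@" in v) or any("address" in b["criteria"].lower() for b in blocks)):
        findings.append("no source-address restriction (AllowUsers user@host or Match Address)")
    tries = int(g.get("maxauthtries", ["6"])[0])
    if tries > 3:
        findings.append(f"MaxAuthTries {tries} (sshd default 6): allows more password guesses per connection")
    if not (anywhere("subsystem", LOG_LEVEL_RE.search) or anywhere("forcecommand", LOG_LEVEL_RE.search)):
        findings.append("sftp-server not logging at INFO or above: per-session download volume is invisible")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The auditor reads the file the way sshd does (global options first, then per-Match overrides), so a ForceCommand or AllowUsers placed inside a Match block counts. The weak sample fails all six checks; the hardened sample passes. Note that the second factor shown here relies on PAM being configured for keyboard-interactive, which this script cannot see, so a clean audit confirms the sshd side of the control only.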

analyst note — evolving demands and the apology shift

The progression of N4ughtySec's demands across 2022 to 2024 is analytically interesting: $15 million (2022) → $30 million each (2023) → no money, only a public apology (2024). The shift from financial extortion to reputational pressure suggests a group whose primary objective may never have been purely financial — or one that recognized that its target pool would not pay and pivoted to the reputational-damage model that hacktivism achieves even without payment. The 2024 demand for a public acknowledgment of security failures is a distinctly activist outcome rather than a criminal one, and the group's stated claim — "We did warn them" — frames the entire multi-year engagement as a disclosure effort that the institutions failed to take seriously. Whether this narrative is self-justifying post-hoc rationalization or reflects genuine motivations, it shapes how the group presents its activity and how it may evolve in future operations.

Sources & Further Reading

Attribution and references used to build this profile.
