A Nigerian hacktivist group claims it broke into the South African Revenue Service (SARS) and the State Information Technology Agency (SITA). Both entities say that didn’t happen.
Nullsec Nigeria, which also operates under the name Anonymous Nigeria, posted links to alleged stolen data on the Breached hacker forum (a black hat–hacking crime forum) on 23 May 2026.
The group claimed to have accessed names, email addresses, and passwords from SARS systems, along with names, passwords, and service entry details from SITA.
SARS breach
SARS issued an official statement on 25 May 2026, calling the claims false. “These claims are false and unsubstantiated,” the revenue service said in a media release.
“At this stage, there is no evidence that SARS’s systems have been compromised.”
SARS said it had conducted a thorough investigation in response to the reports and continuously monitors its systems for suspicious activity. It urged members of the public to verify information before sharing it and to rely on official SARS channels only.
What SITA says about the data breach
SITA was equally firm in its denial. Spokesperson Tlali Tlali told MyBroadband that the entity’s infrastructure remained fully intact.
“There is no evidence of any unauthorised access to government data or systems, nor has any breach of security occurred through unlawful methods,” Tlali said.
SITA added that its security operations teams work on a continuous 24/7 basis and that all systems had been tested and verified as fully operational. “No anomalies indicative of a cyberattack have been identified,” it said.
The agency warned that misinformation about government system security posed a risk to public confidence and to the integrity of national digital infrastructure.
Nullsec Nigeria: What we know
Nullsec claims it is part of #OpSouthAfrica, a campaign motivated by xenophobic attacks on Nigerians in South Africa. They’ve made similar claims against other South African government entities (like the Department of Correctional Services).
At the time of the DCS attack, Nullsec said via Telegram: “They (the DCS) call themselves correctional services, but they can’t correct the citizens. What a shame. They killed a lot of Nigerians while the so-called correctional services watched and the ministry of justice.”
Nullsec also issued a warning to the SA government: “Unless the government of South Africa ends these xenophobic attacks on Nigeria, we’ll expose everything about you, your evil deeds will be exposed, and the world shall know.”
The group might be connected to Nullsec Philippines, but this has yet to be confirmed. They typically post on hacker forums like Breached, and share sample data (e.g., tender documents, usernames/passwords). They have in the past also provide download links via services like LimeWire.
Many of their “breaches” appear to involve compromised credentials, leaked password dumps, or possible insider access rather than sophisticated remote exploits.
SAPS website downtime
The SAPS website was inaccessible at various points over the weekend of 23 and 24 May, which fuelled speculation given that Nullsec Nigeria had threatened to target SAPS earlier in the week.
SITA’s Tlali addressed this directly, saying the downtime was the result of a scheduled maintenance window involving system upgrades intended to improve performance and security.
An independent South African cybersecurity researcher who reviewed the posted data said hey did not believe the breach claims were substantiated, noting there was not enough information to confirm them.
Alleged Sars data breach: Nullsec’s motive
Nullsec Nigeria says its actions against South African entities are in response to recent xenophobic attacks against African and Asian immigrants in the country.
The group has maintained its activity is aimed at “exposing” governance failures, and pushed back on reports that it had demanded payment for unlocking compromised files. This is a deviation from the usual ransomware-style tactics.
South Africa has seen a sharp international response to the recent xenophobic violence. Ghana issued an evacuation notice for its citizens in South Africa on 18 May 2026 and pledged to fund return flights for hundreds of Ghanaians.
Human Rights Watch has condemned what it described as insufficient police response to the attacks and has called for vigilante groups to be held criminally accountable.
