By 2024, Egypt had established itself as one of the digital leaders in North Africa and the Middle East. The country's significant investments in digital infrastructure have created a supportive environment for startups and large technology companies alike. These efforts have fueled the rapid growth of Egypt's digital economy, solidifying its position as a regional leader in information technology.
According to DataReportal, as of early 2024, Egypt had 82.01 million internet users, representing 72.2% of the country's total population (113.6 million people). This figure reflects an increase of 6.3 million internet users since the beginning of 2022. This surge in digital adoption can largely be attributed to the implementation of the Digital Egypt initiative, which is part of the broader Vision 2030 development strategy.
Figure 1. Egypt's digital population
Egypt also ranks highly on the Global Cybersecurity Index, securing a leading position in cybersecurity both regionally and globally. However, the rapid expansion of the digital environment, the ever-growing number of internet users, and Egypt's geopolitical relationships have made it an attractive target for cybercriminals, hacktivists, and advanced persistent threat (APT) groups.
Attack targets
In 2024, most cyberattacks in Egypt targeted computer systems, mobile devices, and individuals (through social engineering). Many attacks hit all of these targets at once.
Figure 2. Cyberattack targets in Egypt (2024)
Mobile operator infrastructure, falling under the category of computer and network equipment, was a notable target. One significant incident occurred in early March 2024, when the hacktivist group Anonymous Sudan launched a series of DDoS attacks that disrupted Egypt's telecom services. Using their InfraShutdown infrastructure, the group targeted two of the country's largest mobile operators—Vodafone Egypt and Etisalat Egypt. The attack lasted over five hours, leaving millions of users without access to communication services.

Attacks on individuals ranked second in frequency. Human error continues to be the weakest link in cybersecurity, and attackers actively exploit this vulnerability.
One widespread attack in 2024 involved a wave of phishing campaigns targeting manufacturing companies in Egypt and other countries. Cybercriminals sent phishing emails impersonating well-known logistics firms, attempting to gain access to sensitive information. These emails informed recipients of a pending shipment for their organization, with accompanying PDF documents available via an attached link. Clicking the link redirected victims to a phishing page, where they were prompted to enter their corporate email credentials to view the documents. This allowed attackers to steal corporate login details, giving them access to other sensitive data, such as contracts, internal processes, and account information. The stolen data was then sold on dark web platforms, used for blackmail, or leveraged to launch further attacks.
Although attacks on mobile devices in Egypt occurred less frequently than other types of cyberattacks, they remained a concern, particularly when carried out by APT groups. For instance, the AridSpy malware, discovered by ESET researchers, was developed by the Arid Viper group for cyberespionage. AridSpy targeted Android devices and was distributed through fraudulent websites that offered users direct downloads of apps, bypassing Google Play. The malware was embedded in anonymous messaging apps like LapizaChat, NortirChat, and ReblyChat. Once installed, and in the absence of antivirus protection, AridSpy downloaded additional spyware components to the compromised device.
Attack methods
An analysis of open-source data revealed that social engineering and remote code execution were the most commonly used methods by attackers, with each accounting for 36% of recorded incidents. Together, these made up 72% of all reported cases.
Figure 4. Cyberattack methods used in Egypt in 2024 (percentage breakdown)
One tactic that gained significant traction in 2024 in Egypt was double extortion. In these attacks, malware encrypted a victim's data while also exfiltrating sensitive information. Hackers then threatened to publish the stolen data if their ransom demands were not met. For example, the Egyptian Tax Authority fell victim to a ransomware attack, during which cybercriminals encrypted and stole approximately 500 GB of data. The attackers threatened to release this information publicly unless a ransom was paid. The hacker group Money Message claimed responsibility for the attack.

Another incident involved the FunkSec group, which specializes in encryption, extortion, and blackmail. The group breached EgyptAir's digital infrastructure, gaining access to administrative portals and webmail systems. Although no ransom demands were publicly disclosed, a listing appeared on a dark web platform offering access to EgyptAir's resources for $5,000 in cryptocurrency. The extent of the compromised data remains unclear.

Data breaches
During the reporting period, cybercriminals seeking financial gain showed a heightened interest in high-value data. According to Positive Technologies' 2024 findings, attackers were primarily focused on trade secrets and personal data.
Figure 7. Stolen data (Egypt, 2024)
Trade secrets and personal information are particularly valuable to hackers. For example, a post on the hacking forum BreachForums advertised a database containing personal data of 85 million Egyptian citizens. The post claimed that the stolen data included national identification numbers (NIDs), names, family details, insurance numbers, and mobile phone numbers. Dark Entry, a company specializing in dark web analysis, confirmed the authenticity of the stolen data. Preliminary investigations suggest the breach occurred due to a website vulnerability.
However, the figure of 85 million may be exaggerated. Dark Entry explained that data duplication is likely, as many Egyptians hold multiple insurance policies issued by different employers. Each policy may be linked to different phone numbers and contain unique insurance details.
Dark web analysis
Our research uncovered over 100 listings on the dark web offering databases with sensitive information for sale or free distribution. These findings align with analytics from the SOCRadar platform.
Most listings offering stolen information for sale or distribution contain compilations of data obtained through phishing attacks or through manipulation of individuals' payment information.
Figure 9. Dark web advertisements (by share of victim categories)
By personal data we mean data of Egyptian citizens and users of local services without any connection to specific incidents. This category also includes compromised identification documents, such as passports, as well as combolists (databases compiled from previously leaked information that do not contain complete details about victims).
Personal data is in high demand on the dark web because it is used in fraud schemes, sold to third parties, or merged with other leaked data to enhance its value.
A significant number of listings relate to the e-commerce sector, reflecting the rapid growth of online trade, with a steadily increasing number of customers and businesses. Hackers value personal information such as customer preferences, payment details, contact information, and addresses, which can be resold or used in other crimes. For instance, one dark web platform offered a database of 600,000 customer records from a major dietary supplements retailer. The data included names, home addresses, email addresses, and phone numbers.

Transportation and service companies rank third among organizations whose stolen data was listed for sale on the dark web. Data from restaurants, ride-sharing services, and other businesses are frequently found for sale. As shown in Figure 12, two listings alone accounted for over 1 million compromised records.

Financial sector data is also sold on the dark web. One listing offered a database of 10,000 clients and employees from an Egyptian bank, including names, gender, age, account numbers, and mobile phone numbers. However, the relatively low number of such listings likely reflects the strong security measures in financial institutions.

When comparing the number of reported cybersecurity incidents to dark web data, it becomes clear that hackers remain highly adaptive and resourceful despite the security measures in place. The trend of selling stolen data on the dark web is expected to continue. However, the value and price of such data will depend on its relevance: while older combolists lose value over time, attackers regularly add fresh information to keep their listings attractive.
Conclusions
While Egypt has made significant strides in digital transformation and improved its global cybersecurity standing, the country still faces serious challenges. The government's push for digitalization has made Egypt an attractive target for cybercriminals, as evidenced by the range of attack methods and data found on the dark web.
The rise in ransomware activities and dark web operations highlights the urgent need for advanced security measures. One effective strategy is implementing a result-driven approach to cybersecurity, ensuring organizations can withstand and recover from attacks.
Given that many attacks rely on social engineering, raising awareness about digital hygiene is critical. Training should extend beyond ordinary employees to include cybersecurity professionals, with specialized courses playing a key role in this effort.
The variety of stolen data on the dark web across industries suggests a widespread lack of web resource protection. Implementing web application firewalls (WAFs) can mitigate OWASP Top 10 threats, detect vulnerabilities, and automatically block exploitation attempts. Network traffic analysis (NTA) solutions further enhance protection by detecting hidden malware, identifying suspicious lateral movement within networks, and exposing exploited vulnerabilities.
Achieving strong cybersecurity requires a holistic approach. Alongside WAF and NTA systems, Positive Technologies offers additional solutions to bolster organizational defenses against cyberattacks. By combining the principles of result-driven cybersecurity with modern technical solutions and employee awareness programs, Egypt can reduce cyberincidents and strengthen its position in international cybersecurity rankings.