Cyberthreats/Incidents

Shadows of the pyramids: Egypt's cyberthreat landscape in 2025

Vybornov Alexey

Vybornov Alexey

Analyst, International Analytics Group of PT Cyber Analytics

About the report

Egypt's digital economy is expanding rapidly, fueled by steady economic growth and a stance of geopolitical neutrality. Today, Egypt is a cornerstone of the MENA (Middle East and North Africa) digital ecosystem and one of the leading driving forces for regional digitalization. The country is modernizing its telecom sector, rolling out e-government services, and digitizing core industries. However, technological leadership comes with inherent risks, making Egypt an increasingly lucrative target for cybercriminals, particularly financially motivated groups. At the same time, shifting geopolitical dynamics across the broader Middle East threaten to activate other adversaries, including hacktivists and advanced persistent threat (APT) groups.

This report offers a comprehensive analysis of Egypt's digital ecosystem, providing a deep dive into its 2025 cyberthreat landscape and forecasts for 2026.

Study objectives

  • Analyze Egypt's 2025 digital footprint and identify key drivers of the country's technological growth.

  • Map Egypt's cyberthreat landscape for the past year.

  • Identify cyberthreat trends and forecast future adversary behavior.

  • Provide recommendations to strengthen the country's cybersecurity.

To map this threat landscape, we synthesized open-source intelligence (OSINT) with data from the dark web. This included monitoring the most popular underground forums, illicit Telegram channels, and platforms tracking ransomware leaks and website defacements.

Fusing public data with dark web insights allows us to accurately chart Egypt's current cybersecurity challenges, alongside both emerging and established threat trends. Given the country's rapid digital expansion, we can accurately forecast the near-term trajectory of its threat landscape.

The data and findings presented in this report are based on Positive Technologies own expertise, as well as analysis of publicly available resources, including government and international publications, research papers, and industry reports.

We estimate that most cyberattacks are not made public due to reputational risks. As a consequence, it is impossible to calculate the precise number of incidents. This study is designed to alert organizations, cybersecurity specialists, and other stakeholders to the most prevalent tactics and motives of modern threat actors, while highlighting major shifts in the threat landscape.

Executive summary

  • Bridging two continents, Egypt has cemented its role as a critical digital transit hub. The country's information and communication technology (ICT) sector is currently valued at approximately $23.6 billion (roughly 6% of GDP) and is projected to hit $60 billion by 2031. Fintech and AI remain top strategic priorities.
  • Egypt is building a cyber resilient infrastructure tailored to regional threats. Cybersecurity is now deeply integrated into all major initiatives under the Digital Egypt and Egypt Vision 2030 national programs.
  • In 2025, most attacks targeted financial institutions (19%), IT companies (14%), the public sector (10%), and telecommunications (10%). This distribution reflects the country's economic structure, its role as a digital hub, and the prevalence of profit-driven attacks focused on data extortion and resale.
  • Malware (45%) and social engineering (26%) were the most common methods used in cyberattacks. This aligns with global trends, reflecting the high efficacy of these techniques as initial access vectors.
  • Due to the absence of significant hacktivist triggers, Egypt accounted for a mere 3% of all DDoS incidents targeting organizations in the Middle East. Because the country largely maintains neutrality in regional conflicts, it remains off the radar for most hacktivists and state-sponsored APT groups.
  • Egypt is highly vulnerable to supply chain attacks. This is explained by its advanced IT infrastructure, deep integration of digital services, and heavy reliance on third-party technology vendors. In this highly connected ecosystem, compromising a single member can provide attackers with a backdoor for attacking much larger organizations.
  • In the near term, Egypt's burgeoning AI sector is likely to become a primary target for threat actors. The rapid adoption of AI introduces new attack vectors, including the compromise of training data, the exfiltration of sensitive information from corporate generative models, and the manipulation of AI outputs. Such attacks could lead to severe consequences, potentially derailing strategic objectives at both the organizational and national levels.

Egypt's digital landscape: current state and strategic priorities

A country's threat landscape mirrors its technological maturity. The more advanced a country's digital assets, the more attractive it becomes to threat actors—a dynamic further shaped by external factors like geopolitics.

In recent years, the MENA tech sector has experienced a massive boom, with Egypt at the forefront of regional digitalization. The digital transformation is guided by Egypt Vision 2030, a national sustainable development strategy that prioritizes the digitalization of the economy and public administration. Under this strategy, numerous initiatives are driving the country's technological capabilities, with the ICT sector serving as the foundation for modern digital services.

For the past several years, Egypt has been a major global hub for data storage and transmission. With approximately 15 internet cables running through the country—including the massive 2Africa line—Egypt holds a strategic position in the digital supply chain, powering high-speed connectivity across Europe, Asia, and Africa.

Figure 1. Egypt's submarine cable map
Figure 1. Egypt's submarine cable mapsource: Submarine Cable Map 2024

Industry analysts estimate Egypt's ICT sector reached $23.6 billion in 2025, accounting for 6% of the national GDP. By 2031, this figure is expected to surpass $60 billion (at an average annual growth rate of 17.3%).

According to Egypt's Ministry of Communications and Information Technology, the number of active mobile internet users hit 90.3 million in the first half of 2025, compared to just 11.9 million fixed broadband (ADSL) subscribers. This contrast highlights a critical reliance on mobile networks for everyday connectivity. Consequently, the rollout of 5G networks in June 2025 was a highly strategic milestone. 5G allows to scale cloud services, deploy IoT-based solutions, and launch smart city projects, fundamentally strengthening Egypt's digital backbone.

Cairo and Alexandria are the nation's primary tech hubs. These cities house the core telecom infrastructure, data centers, and major tech firms. Because infrastructure, investment, and top talent are concentrated here, these cities are always the first to adopt new technologies. In contrast, remote regions still struggle with a limited tech presence and lower digital literacy, creating a digital divide between urban centers and the provinces. To bridge this gap, the government is spearheading major infrastructure projects, such as New Administrative Capital, and creating tech clusters like Smart Village. These new digital clusters are designed to decentralize technological growth by pushing resources, expertise, and investments beyond traditional city limits. These projects perform several functions at once:

  • Stimulate private capital flow into regions.
  • Create high-tech and telecom jobs.
  • Expand IT infrastructure to deliver digital services to remote populations.

At the same time, expanding tech hubs into the provinces boosts digital literacy. As technology arrives, so do educational programs, training centers, and initiatives designed to integrate citizens into the digital economy. Long-term, this strategy aims to ensure an equitable distribution of digital opportunities across Egypt.

Another pillar of Egypt's digital infrastructure is the expansion of data centers, which support both government platforms and commercial enterprises. In recent years, the government has heavily invested in building a national data storage infrastructure. In 2024, the Government Data and Cloud Computing Center was launched. Positioned as the largest government data center in the MENA region, it hosts state information systems and digital governance platforms. Later in 2025, the Egyptian Prime Minister announced plans to construct three additional data centers to further integrate government operations and collaborate with private sector.

However, telecom and data centers are only part of the story. Egypt is also pursuing other initiatives that align with global tech trends and drive economic digitalization. Let's examine a few of these key areas.

The startup ecosystem

One of the strongest indicators of Egypt's digital growth is its startup ecosystem. According to the Global Startup Ecosystem Index 2025, Egypt ranks 65th globally and retains its leading position as the top startup hub in the MENA region for the second consecutive year.

The government supports this ecosystem, largely through Egypt Ventures—a state-backed venture capital fund established with the support of the Ministry of International Cooperation (MOIC) and the General Authority for Investment and Free Zones (GAFI).

According to market data, Egyptian startups secured approximately $614 million in equity and debt financing in 2025, a 51% year-over-year increase from 2024. Investor capital was concentrated in the following sectors:

  • FinTech. As in many other countries, fintech remains a primary focus for investors due to the high scalability of digital financial services, increasing demand for cashless payments, and rapid ROI. Success stories include PayMob, a digital payment aggregator for emerging markets, and Telda, a digital finance platform targeting younger audience with mobile financial services. Combined, these two companies have raised over $110 million.
  • PropTech. Driven by shifting real estate dynamics and massive state-sponsored new city construction projects, Property Technology (PropTech) has seen a flurry of investment activity. Notably, the digital real estate platform Nawy secured $75 million ($52 million in Series A and $23 million in debt financing), marking one of the largest Series A rounds in the history of Egypt's tech sector.
  • Healthcare and logistics. Among the notable startups catching investor attention are the pharmaceutical application Chefaa and the courier delivery service Bosta. While their combined funding is currently under $20 million, StartupBlink ranks both companies among the top five most promising startups nationally and regionally, outpacing heavily funded competitors. This is because, in addition to investment volume, the ranking methodology factors in team size and user base.

The growing funding for tech startups in Egypt, combined with regional recognition, underscores the government's commitment to digital transformation. However, the concentration of capital within this rapidly expanding tech sector acts as a magnet for financially motivated cybercriminals, making robust cybersecurity critical.

National AI strategy

In 2025, Egypt secured the 5th spot in the MENA region's AI readiness index, highlighting the government's strong commitment to integrating artificial intelligence into public administration and the broader economy. This ambition is formally outlined in the Egypt National Artificial Intelligence Strategy 2025–2030. Designed to complement the Egypt Vision 2030 digital transformation program, the strategy aims to use AI as a vital tool for economic, technological, and social advancement.

The strategy is built on six pillars:

  • Governance. Establishing fair regulations and ethical rules for AI use.
  • Technology. Developing local tools, including a national large language model).
  • Data. Ensuring fair access to high-quality information for researchers and machine learning enterprises.
  • Infrastructure. Expanding the hardware and high-speed connectivity required for advanced data processing.
  • Ecosystem. Supporting small businesses, startups, and researchers in securing funding and strategic partnerships.
  • Talent. Building the nation's workforce by improving digital literacy, technical competencies, and AI skills.

As this strategy rolls out, AI is already making an impact across the following critical sectors:

Through the combined efforts of Egypt Vision 2030 and the updated National AI Strategy, the government has set several ambitious targets:

  • Increase the ICT sector's contribution to the national GDP to 7.7%.
  • Democratize access to technology and AI tools, ensuring a level playing field in the labor market.
  • Incubate and scale organizations specializing in AI development.
  • Solidify Egypt's position as the main regional hub for AI research.

Egypt's growing focus on AI is backed by robust government support. The country has made remarkable progress in cultivating an AI-friendly ecosystem, demonstrating a clear intent to become a major regional center for artificial intelligence. However, the rapid adoption of AI brings a corresponding surge in cyberthreats. AI has lowered the barrier to entry for cybercriminals, equipping them with tools to easily generate highly convincing phishing lures and deepfake audio or video, increasing the scale and sophistication of attacks. According to analysts at DeepStrike, the use of AI in phishing campaigns has driven the increase of such attacks by 1,265%, allowing threat actors to rapidly generate highly personalized content for mass campaigns. AI is not just a weapon; it is increasingly becoming a target. Adversaries are performing (data poisoning) attacks against training datasets to manipulate model outputs, achieve malicious objectives, and create new attack vectors.

The regulatory environment

The foundation of Egypt's digital regulatory framework was laid over two decades ago with the introduction of the 2003 Telecommunications law. Since then, the legal landscape has been continuously expanded and refined to address new challenges, including cybersecurity, data privacy, and the digital economy. These evolving laws highlight Egypt's commitment to securely expanding its technological capabilities. Today, the nation's digital ecosystem is governed by the following laws and regulatory acts:

LAW

DESCRIPTION

Fintech Law of 2022Regulates digital payments, e-wallets, and online lending, establishing a legal framework for the use of innovative non-banking financial products. The law mentions the use of AI technologies in the processing of consumer data
Data Centers Regulatory Framework, 2021Establishes the standards for the licensing, operation, and physical and information security of data centers within the country
The Egyptian Data Protection Law No. 151 of 2020Defines the requirements for the collection, processing, storage, and cross-border transfer of personal data. It mandates obtaining explicit consent from data subjects and establishes strict liability and penalties for violations
The Egyptian Anti-Cyber and Information Technology Crimes Law No. 175 of 2018Provides the legal foundation for implementing the National Cybersecurity Strategy, defines specific violations, and establishes both financial penalties and criminal liability
The Telecommunication Regulation Law No. 10 of 2003)Establishes the legal framework for the operation of the telecommunications sector and defines the mandate and powers of the National Telecommunications Regulatory Authority (NTRA)

Table 1. Key legislation governing Egypt's digital space

As Egypt's digital footprint rapidly expands, state institutions are taking a systematic approach to managing this growth—instituting frameworks, rules, and boundaries designed to foster a sustainable and secure digital environment.

As expected, an expanding digital perimeter attracts more cyberthreats. In response, Egypt has proactively developed a regulatory framework that mandates strict digital defense requirements, laying the groundwork for national cyber resilience. Beyond mere compliance, the country is executing a series of practical, operational measures to defend against attacks in a highly volatile regional threat landscape. Let us explore these measures in detail.

Key drivers of cyber resilience

According to data compiled by Positive Technologies researchers, the number of successful cyberattacks against organizations in 2025 rose by 6% year-over-year.

Figure 2. Successful attacks on organizations worldwide in 2022–2025
Figure 2. Successful attacks on organizations worldwide in 2022–2025

This upward trend is explained by a combination of geopolitical turbulence and rapid technological advancement. The World Economic Forum's 2025 report highlights the weight of these factors: 60% of companies now factor geopolitical tensions into their cybersecurity strategies, while 47% identify the use of generative AI in attacks as their top security challenge.

Recently, the MENA region has faced immense pressure from cybercriminals. On one hand, escalating Middle Eastern conflicts have increased attacks by hacktivists and APT groups targeting critical infrastructure, the public sector, and strategic industries like energy, logistics, and telecommunications. On the other, Interpol has reported a spike in fraud and cybercrime across North Africa. Interestingly, an analysis of 2025 cyberattacks reveals that Egypt remains somewhat insulated from broader regional trends, maintaining a unique position within the regional threat landscape.

Despite a complex geopolitical situation, Egypt is rapidly strengthening its cybersecurity landscape. The country has shown consistent upward movement in the Global Cybersecurity Index (GCI) published by the International Telecommunication Union (ITU). In the 2024 GCI report, Egypt achieved Tier 1 (Role-modelling) status, securing top marks across all key maturity metrics.

Figure 3. Egypt's cybersecurity profile according to the ITU
Figure 3. Egypt's cybersecurity profile according to the ITU

Industry researchers value Egypt's cybersecurity market at over $230 million, with a compound annual growth rate (CAGR) of 12%. This momentum is driven by a growing demand for information security solutions, fueled by the global escalation of cyberthreats and the rapid digitalization of local government services and critical infrastructure.

A cornerstone of the nation’s cyber defense strategy is the Egyptian Computer Emergency Readiness Team (EG-CERT), operating under the National Telecom Regulatory Authority (NTRA). Beyond the standard tasks of security monitoring, incident response, and public-private coordination, EG-CERT engages in proactive defense measures, including vulnerability hunting, penetration testing, and national cyber exercises.

EG-CERT's high level of expertise has been repeatedly proven on the global stage. EG-CERT secured first place at the ITU Global CyberDrill 2025, a major exercise that brought together over 260 experts from 130 countries. During the drill, teams were challenged to defend critical infrastructure, government services, and financial systems against complex simulated attacks.

Another critical function of EG-CERT is providing early warnings for large-scale attacks targeting the nation's telecom infrastructure. To support the ICT sector, the Ministry of Planning, economic development, and international cooperation allocated 13 billion EGP (approximately $250 million) to upgrade telecom infrastructure and enhance its cyber resilience.

Another major catalyst for Egypt's cybersecurity evolution is the integration of AI. The government views AI as a core component of its digital transformation, a stance formalized in the National AI Strategy 2025–2030.

Under this strategy, both the public and private sectors are developing AI-driven security solutions. AI technologies significantly enhance the nation's cyber defense by enabling organizations to:

  • Detect threats and anomalous behavior at early stages.
  • Reduce the number of false positives in security alerts.
  • Automate incident response and threat investigation.

Alongside technological upgrades in cybersecurity, Egypt is heavily investing in human capital and international collaboration. In 2025, the Ministry of Communications and Information Technology (MCIT) expanded its cybersecurity training initiatives through the Creativa network of digital talent hubs. Backed by EG-CERT, Middle East Information Technology Services (MCS), and leading industry players, training programs for emerging talent were rolled out across 14 provinces. This initiative has democratized access to professional cybersecurity education, paving the way for local graduates to enter regional and global job markets.

Cyberthreat landscape

Targeted sectors

In 2025, most cyberattacks in Egypt targeted financial institutions (19%), IT companies (14%), the public sector (10%), and telecommunications (10%).

A year-over-year comparison reveals a shift in adversary focus, moving away from government entities toward the financial sector. Notably, the top three most targeted industries remained consistent, underscoring the appeal of these sectors even as attacker priorities change.

Figure 4. Victim categories: 2024 vs. 2025 comparison

In Egypt, the most targeted sectors differ from broader Middle East trends, where the primary targets are government agencies, the industrial sector, and trade. These three sectors are high-priority targets, as hacktivists and APTs aim to inflict maximum damage on the strategic interests of leading regional powers. Government institutions are viewed as symbols of sovereignty, while industry and trade are closely tied to the oil and gas sector—the economic lifeblood of the Middle East.

Conversely, Egypt's threat landscape is skewed toward its digital economy, indicating a dominance of financially motivated threat actors. The finance and IT sectors are highly lucrative targets due to their high volume of financial transactions, massive concentrations of sensitive data, and deep integration with other economic sectors. Meanwhile, telecom and the public sector are targeted because they operate critical information infrastructure (CII)—disrupting these systems can trigger widespread socio-economic consequences.

Financial organizations

Globally, the financial sector is a primary target for cybercriminals, and Egypt is no exception, with attacks on financial organizations accounting for 19% of all attacks in the country in 2025. The sheer volume of financial transactions and access to large amounts of confidential data make these organizations highly attractive to all types of attackers.

Incident analysis reveals a growing trend of supply chain and ecosystem attacks targeting Egyptian financial institutions. Because top-tier banks and financial holdings are strongly secured, threat actors are pivoting to softer targets, such as subsidiaries, branch offices, and third-party contractors. Compromising these weaker links allows attackers to indirectly breach highly secure parent organizations and trigger cascading failures across the financial sector.

A prime example is the BlackShrantac group's attack on a leasing subsidiary of the National Bank of Egypt, the country's largest commercial bank. According to claims posted on the group's site, they exfiltrated 6 TB of data, including client asset and fund details, employee HR records, and social security numbers. While the attack did not cause immediate damage, the stolen dataset contained highly sensitive information that could be used to launch targeted phishing campaigns against the main bank.

Figure 5. Hacker announcement regarding the upcoming release of stolen data
Figure 5. Hacker announcement regarding the upcoming release of stolen data

Beyond the subsidiaries of major companies, attackers also targeted microfinance organizations. These entities often lack regulatory oversight and robust security budgets of larger firms, yet they still hold valuable financial data, making them highly vulnerable. In May 2025, the NightSpire group breached Future Microfinance Association, a non-profit providing microloans and financial consulting. The attackers claimed to have stolen 8 GB of data and listed it for sale, though the specific contents of the leak were not disclosed.

In most cases of extortion in the financial sector, ransomware operators do not publicly list a price for the stolen data. This suggests their primary goal is not to sell the information on the open market, but rather to exert psychological pressure on the victim. The mere public announcement of a breach acts as a powerful extortion tool, as data leaks expose financial institutions to severe reputational damage, regulatory penalties, and a loss of client trust. As a member of the global Counter Ransomware Initiative (CRI), Egypt adheres to a policy of refusing to negotiate with or pay threat actors, recognizing that paying ransoms only fuels the cybercrime economy and rarely guarantees data recovery. This stance aligns with global trends: according to DeepStrike analysts, despite the rising volume of ransomware attacks, 64% of victims now refuse to pay, signaling a growing culture of resistance against hackers.

The main driver of cyberthreats in the financial sector remains the concentration of high-value assets, which attracts financially motivated criminals. However, this threat landscape may change. Should regional conflicts escalate, the financial sector could face renewed pressure from state-sponsored APTs and hacktivist groups.

IT companies

Egypt's IT sector ranks as the second most targeted industry, accounting for 14% of all attacks.

The country's position as the region's primary digital and telecom hub naturally attracts threat actors of all types. IT companies are highly profitable and hold vast amounts of sensitive data, drawing the attention of financially motivated hackers. APT groups target the IT sector to exploit trusted network connections and inject backdoors into software supply chains. A single successful breach can grant attackers access to countless other organizations across multiple industries.

For instance, in August 2025, a massive phishing campaign hit companies across various sectors, including IT firms. To deliver the UpCrypter malware, attackers used fake voice messages and fabricated purchase orders. UpCrypter functioned as a conduit for various remote access tools (RATs), granting the attackers total control over the infected machines. This established a path for lateral movement within the victim's infrastructure and, by extension, their partner networks.

Shortly after, security researchers detected activity from MuddyWater, an APT group known for targeting state and corporate entities. This campaign focused on the tech and industrial sectors in Israel and Egypt. The attack was notable for its malware delivery mechanism: rather than sending standard phishing emails with malicious PDFs, the group used a tool dubbed Fooder, disguised as the classic game "Snake." Once launched, it silently loaded the MuddyViper backdoor into the system's memory. This backdoor allowed attackers to perform system reconnaissance, remotely execute commands, exfiltrate files, and harvest Windows and browser credentials.

Figure 6. MuddyViper backdoor infection chain
Figure 6. MuddyViper backdoor infection chain

In addition to targeted phishing attacks, Egypt's IT companies have also been targeted by ransomware operators. On December 5, 2025, the Dragonforce ransomware group claimed responsibility for a cyberattack on a national IT service provider and software developer. The group published a threat to leak over 33 GB of stolen data. By withholding the price and the details of the leak, the attackers clearly aimed to maximize psychological pressure on victims.

Figure 7. Breach claim by Dragonforce
Figure 7. Breach claim by Dragonforce

The IT sector is strategically vital, drawing the attention of both financially motivated threat actors looking for profit and APT groups seeking to disrupt other industries via supply chain attacks. As a result, Egypt's IT sector is the backbone of the country's digital ecosystem—its resilience determines the security of the entire digital landscape.

Government agencies

Government agencies accounted for 10% of all attacks targeting Egyptian organizations. While the public sector is a frequent target for hacktivists, the majority of attacks were carried out by financially motivated groups. This not only confirms the absence of typical hacktivist triggers but also aligns with broader global trends. For cybercriminals, the motivation is clear: government institutions process vast amounts of sensitive data and run essential services. Breaching them can severely undermine the trust of both citizens and international partners.

For example, the threat group FunkSec claimed to have breached Egypt's Maritime Transport & Logistics Sector. They allegedly demanded a $1 million ransom for the complete exfiltrated dataset, alternatively offering partial access for $50,000.

Figure 8. A dark web listing selling access to the stolen information
Figure 8. A dark web listing selling access to the stolen information

Shortly after, a dark web forum post leaked a portion of this data. The information included vessel and cargo tracking reports, crew manifests, financial records, and internal documents.

Figure 9. A dark web post offering the stolen data for free
Figure 9. A dark web post offering the stolen data for free

We also uncovered listings offering free databases and documents allegedly belonging to the Egyptian Civil Aviation Authority (ECAA), including navigation charts, safety inspection reports, and corporate emails.

Figure 10. A listing offering ECAA data for free
Figure 10. A listing offering ECAA data for free

Another underground listing offered the personal data of Egyptian military personnel and cadets. In the context of regional conflicts, this intelligence could facilitate highly targeted future attacks.

Figure 11. Details on the stolen data of military personnel and cadets
Figure 11. Details on the stolen data of military personnel and cadets

Beyond posts offering access to leaked data, we observed threat actors in closed Telegram channels claiming responsibility for DDoS attacks against Egyptian government websites.

Figure 12. Telegram posts claiming DDoS attacks
Figure 12. Telegram posts claiming DDoS attacks

The attackers provided links to a site-monitoring service showing the attacked websites as offline. While expired logs prevent definitive verification, public claims of successful attacks—even unverified ones—often inspire copycat activity by highlighting perceived vulnerabilities, raising the overall threat level for targeted networks.

Both OSINT and dark web intelligence confirm a consistent interest from cybercriminals in Egypt's public sector. Additionally, regular mentions of Egypt in hacktivist Telegram channels indicate the country remains an appealing target.

Currently, the government sector is primarily targeted by financially motivated attackers who rely on extortion and the sale of stolen data on the dark web.

Telecommunications

Telecommunications accounted for 10% of attacks, indicating that criminals recognize it as a sector of critical national importance. Hacktivists often target telecom because compromising a single node can trigger cascading failures across multiple dependent industries. In March 2025, for example, the hacktivist group DieNet launched ideologically driven DDoS attacks against critical infrastructure in the U.S., Egypt, Israel, and the Netherlands. In Egypt, the attackers targeted Orange (formerly known as Mobinil), the country's major ISP. Although the provider did not issue a statement, monitoring tools recorded temporary downtime for the ISP's IP addresses.

Figure 13. Website uptime monitoring results
Figure 13. Website uptime monitoring results

We also found a dark web listing selling access to the provider's internal network for $12,000. The seller claimed the package included corporate VPN access, user data, and control panel access for both the website and telecom equipment.

Figure 14. A dark web listing selling access to the telecom provider
Figure 14. A dark web listing selling access to the telecom provider

Because the broader economy relies on stable internet access, disrupting a major provider could trigger widespread outages across government services and financial systems, causing cascading effects in adjacent industries.

However, even cyberattacks in this sector have not caused disruptions as severe as last year's physical infrastructure incident.A fire at a facility belonging to Telecom Egypt, the country's central telecommunications provider, damaged critical equipment, dropping national internet access to 40%. Mobile networks went down, and internet-dependent sectors like banking and transportation faced severe disruptions.

This event highlighted the vulnerability of the nation's digital infrastructure and its reliance on specific nodes, making the telecom sector a single point of failure (SPOF) of the entire country. Because a large volume of global internet traffic routes through Egypt, securing this infrastructure is a matter of international security, affecting internet stability across multiple continents.

Methods and consequences of attacks

Malware infections (45%) and social engineering (26%) were the main vectors for successful attacks on Egyptian organizations. Attackers frequently combine these tactics, for example, by delivering malware through phishing emails with malicious attachments or links to malicious websites. Kaspersky GReAT analysts recently found a phishing site impersonating DeepSeek. The fake page offered a supposed local Windows version of the DeepSeek-R1 AI model. Instead, victims downloaded BrowserVenom, a malware designed to monitor network activity and intercept traffic.

Figure 15. Methods of attacks on organizations

In attacks on organizations, criminals mainly used ransomware (33%) and spyware (25%), which are standard tools for financially motivated groups. Remote Access Trojans (RATs) made up a smaller share at 8%. The lower share of RATs likely reflects the effectiveness of modern corporate security in detecting and blocking known malicious signatures. In response, threat actors continually develop new variants to evade these defenses.

Trellix researchers discovered a campaign using phishing links to covertly install NetBird, a legitimate WireGuard remote access tool. The phishing campaign targeted finance departments and top executives at energy companies, banks, and investment firms across Europe, Africa, Canada, and Egypt. The attackers' primary goal was likely to establish persistent remote access to corporate networks for data theft. This long-term persistence allows compromised networks to function as ongoing revenue sources on the dark web.

Figure 16. Types of malware used in successful cyberattacks

Data leakage was the most common fallout from cyberattacks on Egyptian organizations, accounting for 65%. Operational downtime followed at 11%, aligning with the heavy reliance on ransomware.

Figure 17. Consequences of cyberattacks on Egyptian organizations

On the dark web, threat actors showed significant interest in data from Egyptian healthcare providers, in addition to PII and credentials. This indicates that criminals actively hunt for highly sensitive information that carries severe implications for both organizations and patients. An example is the Gunra threat group's ransomware attack on Dar Al Teb, an Egyptian medical provider. The attackers claimed the breach exposed confidential data and directly impacted patient safety.

Figure 18. Categories of data stolen in Egypt in 2025

In addition to open-source intelligence (OSINT), we analyzed data and listings on the dark web and in private Telegram channels. This analysis revealed that most posts involved data sales (39%) and free data distribution (31%). Although the gap between paid and free data leaks is relatively small, the predominance of commercial listings confirms that hacktivist activity remained low during the reporting period.

Figure 19. Categories of dark web listings

Egypt's dark web market demonstrates a high monetization rate for stolen data and compromised access. Most listings targeting Egyptian organizations sell databases (59%) containing PII, corporate credentials, and payment details. The rapid turnover and consistent demand motivate threat actors to maintain their operations.

Listings offering initial access to Egyptian corporate networks are also prominent (29%). Initial access brokers (IABs) sell this access to ransomware operators and APT groups, allowing them to bypass the infiltration phase and save valuable time and resources.

Figure 20. Contents of dark web sales listings

A breakdown of these sales listings by industry shows that retail was the most targeted sector (14%), followed by science and education (12%), and manufacturing and transportation (8% each). Financially motivated cybercriminals target these sectors primarily due to the sheer volume, high value, and liquidity of the data for resale.

Figure 21. Sales listings by industry

Open-source data and dark web analysis reveal that financially motivated threat actors dominate Egypt's cyberthreat landscape. This is primarily due to a lack of the high-profile events that normally drive hacktivism.

Forecasts and recommendations

Taking into account Egypt's technological development and broader cyberattack trends, we have identified the main drivers of the country's cyberthreat landscape:

  1. Forecast difficulty. Egypt's cyberthreat landscape remains relatively stable, standing in contrast to the broader Middle East, which is currently experiencing a surge in hacktivist and APT activity. However, given how quickly the geopolitical situation has shifted in recent months, this peace should not be treated as permanent.
  2. Supply chain attacks. The rise in supply chain attacks remains a major global trend. Recent years have shown that even well-protected organizations can suffer significant damage if attackers find a weak link in their partner or vendor networks. Egypt's digital landscape is constantly expanding, which means a large number of partners and suppliers are involved. This creates complex, multilayered webs where any single participant could become the entry point that attackers are looking for.
  3. Increased attacks on the ICT sector. Egypt is a vital telecommunications hub connecting Europe, Asia, and Africa through a network of submarine cables in the Mediterranean and Red Seas. The country plays a critical role in routing international internet traffic. However, this is exactly what makes Egypt's telecom infrastructure a prime target for cyberattacks, especially as geopolitical tensions rise in the region.
  4. AI adoption and associated risks. Artificial intelligence is now used just as much by threat actors as by cybersecurity professionals. Hackers are exploiting the growing use of large language models (LLMs) in corporate environments. Experts point to the following risks:

    • Prompt injection: manipulating input prompts to bypass a model's restrictions or access sensitive information.
    • Data poisoning: injecting malicious data into training sets to corrupt how the model works.

    As a regional leader in AI adoption, Egypt's is particularly vulnerable to these threats.

  5. Ransomware activity As we have noted before, ransomware attacks continue to be a major threat to Egypt. As the fintech sector grows and processes more data, Egypt becomes a prime target for ransomware gangs. Ransomware operators typically target organizations that provide essential services or hold critical data, since severe disruption increases the likelihood of a ransom payment.

To enhance the resilience of Egypt's digital landscape against current cyberthreats, we recommend the following measures to strengthen its digital perimeter:

Develop regulatory frameworks for third-party risk management.
Government agencies and regulators should establish unified security requirements for companies involved in state projects or critical infrastructure. This could include mandatory third-party cyberrisk assessments, strict compliance with security standards, and regular supply chain security audits.

Implement robust infrastructure security solutions.
While major government resources are strongly protected, individual organizations continue to fall victim to cyberattacks. This is corroborated by dark web activity, particularly the high volume of malicious listings. To quickly identify and patch flaws, organizations should deploy vulnerability management systems. These tools monitor infrastructure security and prioritize the vulnerabilities that are actively exploited in real-world attacks.

Raise public cybersecurity awareness.
As Egypt's digital landscape expands and online services become more accessible—especially in remote areas—infrastructure development must be backed by digital literacy programs that educate the public on current cyberthreats.

Conclusion

Egypt is experiencing impressive technological growth, with information and communication technology (ICT) and artificial intelligence now standing as strategic national priorities. The rapid expansion and modernization of data centers highlight the country's drive to meet growing domestic demand while attracting international clients, cementing its role as a regional tech leader.

However, this rapid digitalization—combined with massive data volumes and heavy financial activity—makes the country a prime target for financially motivated threat actors, as recent incident data shows.

Ransomware consistently remains one of the top cyberthreats. Attackers typically target organizations that manage essential services or critical data, knowing that severe disruption increases the likelihood of a ransom payout. In Egypt, this trend is highly visible: a significant portion of attacks target the financial and IT sectors, usually involving data theft followed by extortion.

Finally, Egypt's unique geostrategic position cannot be overlooked. Situated at the heart of the MENA region, the country is a vital global transport and telecommunications hub. Because the Suez Canal and its coastal submarine cables are critical to both global internet traffic and international trade, Egypt will continue to attract sustained attention from organized cyberthreat groups.