Ransomware · Contained

Qilin claims ransomware attack on the Central Bank of Libya

The Qilin ransomware group publicly claimed a June cyberattack on the Central Bank of Libya, threatening to leak stolen data after the bank said the intrusion touched a limited number of systems.

Victim: Central Bank of Libya

On 22 June 2026, the Qilin ransomware group publicly claimed responsibility for a cyberattack on the Central Bank of Libya (CBL), Libya's monetary authority, and threatened to release confidential banking data unless its demands were met. The claim escalated an incident the bank had first disclosed earlier in the month, and drew attention because of the institution's central role in the country's financial system.

What happened

The CBL first disclosed the cyberattack on 9 June 2026, saying it had affected a limited number of systems and technical services. Preliminary investigations indicated the incident involved ransomware and targeted parts of the bank's virtual infrastructure and several internal systems, including components supporting operations related to the SWIFT interbank messaging system. The bank said its cybersecurity teams detected the incident and responded under approved emergency-response and business-continuity plans, working with international cybersecurity experts on forensic analysis.

On 22 June 2026, Qilin listed the Central Bank of Libya on its dark-web leak site, claiming to have stolen data and threatening publication, consistent with the group's double-extortion model of demanding payment both for a decryptor and to prevent the release of exfiltrated files.

Impact

The bank stated that the impact was limited to a small number of systems and that remaining services, including bank card services and its LyPay platform, continued to operate normally. As of its statements, the CBL said investigations and technical reviews had not revealed any breach or leakage of customer, correspondent-bank or partner-institution data. Qilin's claim of stolen data had not been independently verified at the time of disclosure, and the bank did not confirm any ransom demand or payment.

Why it matters

An attack on a national central bank touches the core of a country's financial plumbing, and any disruption to SWIFT-linked systems carries outsized risk for cross-border payments and confidence in the banking sector. Even where customer accounts are reported unaffected, a credible extortion threat against a monetary authority, in a country already navigating institutional fragmentation, illustrates how ransomware groups increasingly target high-leverage public institutions for maximum pressure.

Timeline

  1. 9 June 2026: The Central Bank of Libya discloses a cyberattack affecting a limited number of systems and technical services, and activates emergency response and business-continuity plans.

  2. 22 June 2026: The Qilin ransomware group publicly claims responsibility and threatens to release stolen banking data.

Sources

  1. ransomware.live: https://www.ransomware.live/id/Q2VudHJhbCBCYW5rIG9mIExpYnlhQHFpbGlu
  2. dexpose.io: https://www.dexpose.io/qilin-strikes-central-bank-of-libya-in-ransomware-assault/
  3. libyaobserver.ly: https://libyaobserver.ly/news/cbl-cyberattack-contained-investigations-ongoing-no-signs-impact-customer-accounts
  4. hacknotice.com: https://hacknotice.com/2026/06/22/central-bank-of-libya/
