Intelligence Brief

ByteToBreach Hits Ikeja Electric: Nigeria's Critical Infrastructure Is Now a Target

cmdev

The attack

On April 28, 2026, ByteToBreach disclosed a ransomware attack against Ikeja Electric Distribution Company (IKEDC), the largest power distribution company in Nigeria. The disclosure followed the actor's established pattern: exfiltrate first, announce publicly, let the target's silence speak for itself.

The intrusion was not superficial. ByteToBreach compromised IKEDC's server infrastructure, penetrated virtual machine environments, and deployed ransomware across dozens of employee workstations. Employee account passwords were extracted and cracked. Internal directory structures were mapped and catalogued. Customer records, employee data, and business system information were exfiltrated before the ransomware was triggered.

The operational impact reached the systems that matter most. Metering platforms and utility management systems — including Siemens-connected infrastructure — were disrupted. For a distribution company serving over a million metered customers across Lagos, this means billing interruptions, metering failures, and a loss of visibility into power consumption and distribution metrics. IKEDC spokesperson Kingsley Okotie told reporters he was "unaware of the hack." That statement, delivered after ByteToBreach had already published evidence of the compromise, captures the state of incident awareness across Nigerian critical infrastructure.

Why this is different

We've tracked ByteToBreach since their first public operation against Sterling Bank in March 2026. Across five confirmed targets — Sterling Bank, CRC Credit Bureau, Remita, CardinalStone Partners, and the Corporate Affairs Commission — the actor operated within a consistent domain: financial services and government registries. The targets shared a profile: data-rich, digitally exposed, and poorly monitored.

Ikeja Electric breaks the pattern. This is the first ByteToBreach attack on critical infrastructure — systems that, when they fail, affect millions of people directly. IKEDC distributes power to residential and commercial customers across six business districts in Lagos: Ikeja, Abule-Egba, Akowonjo, Ikorodu, Oshodi, and Shomolu. A disruption to metering and billing systems does not just create a data breach. It creates a service delivery failure in one of the most populous cities in Africa.

The attack methodology also shifted. At Sterling, ByteToBreach operated as a patient infiltrator: nine days of dwell time, systematic data exfiltration, and harvested credentials used to pivot laterally into Remita. The approach was deliberate, focused on maximizing the value of stolen data before detection. At IKEDC, the actor deployed ransomware. That is a different calculus. Ransomware is disruptive by design: it encrypts systems to force payment rather than only stealing information. IKEDC got both, since data was exfiltrated before the encryption was triggered, which is the double-extortion model. The shift from data-theft-first to ransomware-first suggests either an evolution in ByteToBreach's monetization strategy or a recognition that a utility is more likely to pay for operational recovery than a financial institution is to pay for data secrecy.

Critical infrastructure has different failure modes. When a bank is breached, customers lose privacy. When a power distributor is breached, customers lose service. The distinction matters for national security planning, and it should matter for every organization that operates infrastructure Nigerians depend on daily.

The ByteToBreach campaign timeline

Our analysis now tracks six confirmed operations over six weeks, from March 18 to April 28, 2026:

| Date | Target | Method | Impact |
|---|---|---|---|
| March 18, 2026 | Sterling Bank | CVE-2025-55182 exploit via Metasploit, Sliver C2 | 900K customer accounts, 3K+ employee records, BVNs, NINs, source code |
| March 2026 | CRC Credit Bureau | Lateral access via Sterling Bank API integration | Consumer credit profiles accessed via BVN queries |
| April 1, 2026 | Remita (SystemSpecs) | Credentials found in plaintext in Sterling's Git repos | Access to Treasury Single Account payment system |
| April 2026 | CardinalStone Partners | Access via Sterling/Remita connections | Investor and pension custodian data |
| April 2026 | Corporate Affairs Commission | JWT sequential ID enumeration + Burp Suite | 25M+ documents (759.2 GB), director NINs, passports |
| April 28, 2026 | Ikeja Electric (IKEDC) | Server infiltration, VM compromise, ransomware | Metering systems disrupted, employee/customer data stolen |

The timeline tells a story of escalation. The early targets were connected — Sterling led to CRC Credit Bureau through API integrations, to Remita through plaintext credentials in Git, and to CardinalStone through the Remita payment ecosystem. The CAC breach used a different entry vector but the same actor. IKEDC appears to be an independent target, which means ByteToBreach is no longer just exploiting connections between institutions. They are actively selecting new targets in new sectors.

What connects these attacks

ByteToBreach has described their approach as "opportunistic and sporadic." The evidence suggests otherwise. The target selection follows a logic: financial data (Sterling, CRC), payment infrastructure (Remita, CardinalStone), corporate identity records (CAC), and now physical infrastructure (IKEDC). Each category represents a different layer of Nigeria's economic foundation. The progression is methodical even if the timing is opportunistic.

Several operational signatures persist across the campaign:

Disclosure as pressure. ByteToBreach announces breaches publicly after completing exfiltration, using organizational silence as implicit confirmation. Every target in this campaign was publicly named before the target itself acknowledged the incident. Some still have not.

Capability escalation. The Sterling attack used commodity tools: Metasploit for initial access, Sliver for C2. The CAC attack required web application analysis and JWT manipulation. The IKEDC attack involved server-level infiltration, virtual machine compromise, and ransomware deployment. Each operation has demanded a broader set of capabilities than the one before.

Common defensive failures. The organizations in this timeline shared a recurring set of weaknesses: unpatched internet-facing systems, plaintext credentials in accessible locations, poor network segmentation between operational and administrative environments, and monitoring gaps that allowed multi-day dwell times without detection.

ByteToBreach has stated publicly: "Protecting Nigerians is not my responsibility. That's the duty of the government." That framing — casting institutional failure as the real story while profiting from the exploitation — has proven effective. The actor controls the narrative because the targets cede it through silence.

What organizations like IKEDC should have had in place

The IKEDC breach was preventable. Not theoretically. Concretely. The controls that would have interrupted this attack are documented, available, and well-understood. Their absence is a choice.

Patch management. CVE-2025-55182, the vulnerability that started the ByteToBreach campaign at Sterling Bank, was known for three months before the first attack. Organizations that patched internet-facing systems against this CVE were not vulnerable to the same entry vector. Patch management with SLA-driven timelines — critical vulnerabilities remediated within 72 hours — is the minimum standard.

Network segmentation. ByteToBreach penetrated IKEDC's virtual machine environments. Public reporting does not name the hypervisor, but reaching VM infrastructure from compromised workstations implies the management plane (vCenter and ESXi, Hyper-V, or equivalent) was routable from user segments. VM management infrastructure should be isolated on dedicated management VLANs, reachable only from hardened jump hosts and inaccessible from general-purpose networks. The same principle applies to SCADA and metering systems: Siemens-connected infrastructure should never share a network path with employee workstations.
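A segmentation review is, in the end, a question about the firewall policy: taking the rules in order, can a host in the user VLAN reach anything in the hypervisor management or metering networks? The following is an added example, not IKEDC's configuration and not cmdev tooling; the zone ranges, ports and both rule sets are constructed to show a policy with a forgotten any-source rule beside the corrected one.

```python
"""Segmentation audit for an ordered, first-match firewall policy.

Added illustration, not IKEDC's network or cmdev tooling. The zone
ranges, the ports and both rule sets are constructed; the check itself
is the one a segmentation review performs: does any allow rule actually
open a path from user segments into the hypervisor management plane or
the metering/OT network once the whole ordered policy is applied?"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[FrozenSet[int]]  # None means any TCP port
    action: str                      # "allow" or "deny"


def mk_rule(src, dst, ports, action):
    return Rule(ip_network(src), ip_network(dst),
                None if ports is None else frozenset(ports), action)


def reachable(rules, src_ip, dst_ip, port):
    """First matching rule wins; no match is an implicit deny."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.ports is None or port in r.ports):
            return r.action == "allow"
    return False


def _sample_host(a, b):
    """A host inside both networks. Overlapping CIDRs are nested, so the
    narrower one is their intersection; take its first usable address."""
    inner = a if a.prefixlen >= b.prefixlen else b
    first = inner.network_address if inner.prefixlen == 32 else inner.network_address + 1
    return str(first)


def audit(rules, zones, forbidden, probe_ports=(22, 443, 902, 3389)):
    """For each forbidden (src_zone, dst_zone) pair, find allow rules that
    overlap both zones and confirm the path by evaluating the full ordered
    policy, so an allow shadowed by an earlier deny is not reported.
    Returns (src_zone, dst_zone, rule_index, src_ip, dst_ip, port)."""
    findings = []
    for sz, dz in forbidden:
        for i, r in enumerate(rules):
            if r.action != "allow":
                continue
            if not (r.src.overlaps(zones[sz]) and r.dst.overlaps(zones[dz])):
                continue
            s = _sample_host(r.src, zones[sz])
            d = _sample_host(r.dst, zones[dz])
            ports = sorted(r.ports) if r.ports else list(probe_ports)
            for p in ports:
                if reachable(rules, s, d, p):
                    findings.append((sz, dz, i, s, d, p))
    return findings


# Constructed zones: user VLAN, a small admin/jump VLAN, hypervisor
# management, and the metering/OT network.
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "admin_jump": ip_network("10.240.0.0/28"),
    "hypervisor_mgmt": ip_network("10.250.0.0/24"),
    "metering_ot": ip_network("10.200.0.0/16"),
}
FORBIDDEN = [("workstations", "hypervisor_mgmt"), ("workstations", "metering_ot")]

# Constructed "as found" policy: the jump VLAN is allowed in correctly, but a
# "temporary" any-source rule for the hypervisor web console was never removed.
WEAK_POLICY = [
    mk_rule("10.240.0.0/28", "10.250.0.0/24", [22, 443, 902], "allow"),
    mk_rule("0.0.0.0/0", "10.250.0.0/24", [443], "allow"),
    mk_rule("10.10.0.0/16", "10.200.0.0/16", None, "deny"),
    mk_rule("10.10.0.0/16", "10.200.50.0/24", [443], "allow"),  # shadowed by the deny above
]

# Constructed corrected policy: management and OT are reachable only from
# the jump VLAN; user segments are denied explicitly.
HARDENED_POLICY = [
    mk_rule("10.240.0.0/28", "10.250.0.0/24", [22, 443, 902], "allow"),
    mk_rule("10.240.0.0/28", "10.200.0.0/16", [443], "allow"),
    mk_rule("10.10.0.0/16", "10.250.0.0/24", None, "deny"),
    mk_rule("10.10.0.0/16", "10.200.0.0/16", None, "deny"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(policy, ZONES, FORBIDDEN))
```

The audit evaluates each suspicious allow rule against the whole ordered policy, so a broad allow that is shadowed by an earlier deny is not reported, while a rule hiding behind an innocuous description (the "temporary" console rule) is. Running this against a real policy export is the mechanical part; the judgment is deciding which zone pairs belong in the forbidden list.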

Credential management. The Sterling-to-Remita pivot was enabled by plaintext passwords stored in Git repositories. At IKEDC, employee passwords were extracted and cracked, indicating weak passwords, fast or unsalted hashing, or both. Credential hygiene is foundational: no plaintext secrets in source control, a minimum length policy with screening against known-breached passwords, slow salted hashing (bcrypt, scrypt or Argon2) so that an extracted hash database cannot be cracked in bulk, rotation of service-account credentials, and privileged access management for administrative accounts.
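The control "no plaintext secrets in source control" is enforceable mechanically. The scanner below is an added example, not the tooling of cmdev or of any organization named here; its patterns, entropy threshold and three sample files are constructed. It flags literal credentials and AWS key identifiers while ignoring references to secrets that are resolved at deploy time, which is the shape a pre-commit hook or CI check should take.

```python
"""Scan files for plaintext credentials before they reach source control.

Added illustration, not cmdev tooling and not a reconstruction of the
Sterling or Remita repositories. The patterns, the entropy threshold and
the three sample files are constructed; the design point is to flag the
literal secrets and stay quiet on references to secrets held elsewhere."""
import math
import re

# A literal assigned to a secret-looking key (.ini, .env, YAML, JSON, code).
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)"
    r"[\"']?\s*[:=]\s*[\"']?([^\s\"'#,]+)")
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----")
# Values that point at a secret instead of containing one.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|<[^>]+>|\*+|changeme|x{3,}|null|none|true|false)$", re.I)
HIGH_ENTROPY = 3.8  # bits/char; random hex is 4.0, human-chosen passwords sit lower


def shannon_entropy(value):
    """Bits per character of the value's own character distribution."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def scan_text(path, text, min_len=8):
    """Return (path, line_no, rule, line) for every suspected secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY_HEADER.search(line):
            findings.append((path, no, "private-key-material", line.strip()))
            continue
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((path, no, "aws-access-key-id", line.strip()))
            continue
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group(2)
        if len(value) < min_len or PLACEHOLDER.match(value):
            continue  # env-var reference, template marker, or too short to be a real secret
        rule = "hardcoded-secret-high-entropy" if shannon_entropy(value) >= HIGH_ENTROPY else "hardcoded-secret"
        findings.append((path, no, rule, line.strip()))
    return findings


def scan_files(files):
    """files: {path: contents}. Flattened findings in file order."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository contents.
SAMPLE_FILES = {
    # The failure mode behind the Sterling-to-Remita pivot, in miniature:
    # an integration's credentials committed in a config file.
    "config/payments.ini": (
        "[payments_api]\n"
        "username = svc_payments\n"
        "password = Winter2026!Gateway\n"
        "api_key = 9f8e7d6c5b4a39281706f5e4d3c2b1a0\n"
    ),
    # The correct shape: references resolved at deploy time, nothing to steal.
    "deploy/app.env": (
        "DB_PASSWORD=${DB_PASSWORD}\n"
        "API_TOKEN=<injected-by-vault>\n"
    ),
    # AWS's documented example key id, used here as a stand-in for a real one.
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "aws s3 sync /var/backups s3://example-bucket/\n"
    ),
}

if __name__ == "__main__":
    for path, no, rule, line in scan_files(SAMPLE_FILES):
        print(f"{path}:{no}: {rule}: {line}")
```

The entropy split separates a human-chosen password from a machine-generated key; both are findings, but the second is almost never a false positive. Wire `scan_files` into a pre-commit hook and fail the commit on any finding, then run the same scan over the full history once, because a secret removed in a later commit is still in the repository.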

Endpoint detection and response. Dozens of PCs were infected with ransomware. A functioning EDR deployment with behavioral detection should have flagged mass file encryption, credential dumping, and the process chains associated with ransomware execution. The infection of dozens of machines suggests either that no EDR was deployed, or that deployed agents were alerting to no one.
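What "behavioral detection" means in practice is the per-process pattern, not the binary. The detector below is an added example, not a vendor rule or IKEDC telemetry; its event schema, thresholds and sample events are constructed. It alerts when one process rewrites many files to near-random content, or renames them to a new extension, across several directories inside a short window, and stays quiet for a backup job that writes equally high-entropy archives into a single folder.

```python
"""Behavioural ransomware detection over endpoint file-activity events.

Added illustration, not a vendor rule and not IKEDC telemetry. The event
schema, thresholds and sample events are constructed. The logic is what an
EDR's behavioural engine applies at kernel-event rate: one process
rewriting many files to near-random content, or renaming them to a new
extension, across several directories within a short window. A known-bad
hash is not required, which is the point of behavioural detection."""
from collections import defaultdict, deque
import ntpath  # telemetry carries Windows paths; parse them as such on any host

WINDOW_SECONDS = 30
MIN_FILES = 20           # distinct files touched inside the window
MIN_DIRECTORIES = 3      # spread across directories, unlike a backup job
ENTROPY_THRESHOLD = 7.5  # bits/byte; encrypted or compressed content is ~8
BENIGN_NEW_EXTENSIONS = {".bak", ".tmp", ".old"}


def is_encryption_like(ev):
    """Per-file signature of encryption: a write that leaves near-random
    bytes, or a rename that changes the extension to an unusual one."""
    if ev["op"] == "write":
        return ev["entropy"] >= ENTROPY_THRESHOLD
    if ev["op"] == "rename":
        old_ext = ntpath.splitext(ev["path"])[1].lower()
        new_ext = ntpath.splitext(ev["new_path"])[1].lower()
        return new_ext != old_ext and new_ext not in BENIGN_NEW_EXTENSIONS
    return False


def detect(events):
    """Stream time-ordered events and return one alert per offending pid:
    (pid, process, window_start_ts, distinct_files, distinct_directories)."""
    recent = defaultdict(deque)  # pid -> deque of (ts, path) inside the window
    alerts = {}
    for ev in events:
        if not is_encryption_like(ev):
            continue
        q = recent[ev["pid"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        files = {p for _, p in q}
        dirs = {ntpath.dirname(p) for p in files}
        if len(files) >= MIN_FILES and len(dirs) >= MIN_DIRECTORIES and ev["pid"] not in alerts:
            alerts[ev["pid"]] = (ev["pid"], ev["process"], q[0][0], len(files), len(dirs))
    return list(alerts.values())


def make_sample_events():
    """Constructed telemetry: document edits, a nightly archive job writing
    high-entropy files into a single folder, and an encryptor working
    through five departmental shares."""
    t0 = 1000.0
    events = []
    for i in range(5):
        events.append({"ts": t0 + i, "pid": 4120, "process": "WINWORD.EXE", "op": "write",
                       "path": f"C:\\Users\\ada\\Documents\\report{i}.docx", "entropy": 5.1})
    for i in range(25):
        events.append({"ts": t0 + i, "pid": 2200, "process": "7z.exe", "op": "write",
                       "path": f"D:\\Backups\\nightly\\vol{i}.7z", "entropy": 7.99})
    shares = ["Finance", "HR", "Metering", "Legal", "Ops"]
    for i in range(30):
        path = f"\\\\fileserver\\shares\\{shares[i % 5]}\\file{i}.xlsx"
        events.append({"ts": t0 + i * 0.5, "pid": 6677, "process": "svchost_update.exe",
                       "op": "write", "path": path, "entropy": 7.93})
        events.append({"ts": t0 + i * 0.5 + 0.1, "pid": 6677, "process": "svchost_update.exe",
                       "op": "rename", "path": path, "new_path": path + ".locked", "entropy": 0.0})
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for alert in detect(make_sample_events()):
        print("ransomware-like activity:", alert)
```

The directory-spread condition is what keeps the archive job out of the alert while catching the encryptor in under ten seconds of activity; a real engine would add the response action (suspend the process, isolate the host) to the alert, which is where "deployed but unmonitored" EDR fails.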

SIEM and monitoring. The internal directory structure was mapped before ransomware deployment, meaning the attacker conducted reconnaissance inside the network without triggering alerts. A properly tuned SIEM would flag anomalous Active Directory enumeration, unusual authentication patterns, and bulk data access that deviates from baseline behavior.
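Two of the signals named above, written as detection logic over log lines. This is an added example, not IKEDC's logs or a product rule; the line format, hostnames, SPNs and thresholds are constructed. It parses Windows Security events and flags an account requesting RC4 service tickets for many distinct SPNs (Kerberoasting-style enumeration) and a single source address making network logons to many hosts within minutes.

```python
"""Two SIEM-style detections over Windows Security events: Kerberoasting-
style SPN enumeration (4769 with RC4 tickets) and lateral fan-out of
network logons (4624, LogonType 3) from one source address.

Added illustration, not IKEDC telemetry and not a vendor rule. The log
format ('<iso-ts> key=value ...'), the hostnames, the SPNs and the
thresholds are constructed; in production the thresholds would come from
a per-account and per-host baseline rather than fixed numbers."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)
SPN_THRESHOLD = 10     # distinct service tickets by one account in WINDOW
FANOUT_THRESHOLD = 8   # distinct hosts logged on to from one IP in WINDOW


def parse_line(line):
    """'2026-04-20T09:00:00Z host=DC01 EventID=4769 ...' -> dict, 'ts' as datetime."""
    ts, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev


def _windowed_fanout(items, threshold):
    """items: (ts, actor, target). For each actor, slide a WINDOW over its
    events and report the largest count of distinct targets seen inside one
    window if it reaches threshold: {actor: (distinct_targets, window_start)}."""
    by_actor = defaultdict(list)
    for ts, actor, target in sorted(items):
        by_actor[actor].append((ts, target))
    hits = {}
    for actor, seq in by_actor.items():
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > WINDOW:
                start += 1
            distinct = len({t for _, t in seq[start:end + 1]})
            if distinct >= threshold and distinct > hits.get(actor, (0, None))[0]:
                hits[actor] = (distinct, seq[start][0])
    return hits


def detect_kerberoasting(events):
    """Many RC4 (0x17) service tickets for distinct SPNs from one account:
    the footprint of requesting TGS tickets to crack offline."""
    items = [(e["ts"], e["TargetUserName"], e["ServiceName"]) for e in events
             if e.get("EventID") == "4769" and e.get("TicketEncryptionType") == "0x17"]
    return _windowed_fanout(items, SPN_THRESHOLD)


def detect_lateral_fanout(events):
    """One source address making network logons to many hosts in minutes."""
    items = [(e["ts"], e["IpAddress"], e["host"]) for e in events
             if e.get("EventID") == "4624" and e.get("LogonType") == "3"]
    return _windowed_fanout(items, FANOUT_THRESHOLD)


def sample_log_lines():
    """Constructed: a legacy account's routine RC4 tickets, an account
    enumerating twelve SPNs in two minutes, and one workstation logging on
    to nine servers in under five minutes."""
    t0 = datetime(2026, 4, 20, 9, 0, tzinfo=timezone.utc)

    def at(delta):
        return (t0 + delta).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{at(timedelta(minutes=20 * i))} host=DC01 EventID=4769 TargetUserName=ada@CORP "
             f"ServiceName=HTTP/legacyapp{i} TicketEncryptionType=0x17" for i in range(3)]
    spns = ["MSSQLSvc/sql01", "MSSQLSvc/sql02", "HTTP/intranet", "HTTP/meterportal",
            "CIFS/fs01", "CIFS/fs02", "LDAP/dc02", "HOST/hyp01", "HOST/hyp02",
            "exchangeMDB/mail01", "MSSQLSvc/billing01", "HTTP/historian"]
    lines += [f"{at(timedelta(seconds=10 * i))} host=DC01 EventID=4769 TargetUserName=svc_backup@CORP "
              f"ServiceName={spn} TicketEncryptionType=0x17" for i, spn in enumerate(spns)]
    lines += [f"{at(timedelta(seconds=30 * i))} host=SRV{i:02d} EventID=4624 LogonType=3 "
              f"TargetUserName=svc_backup IpAddress=10.10.7.9" for i in range(9)]
    lines += [f"{at(timedelta())} host=FS01 EventID=4624 LogonType=3 TargetUserName=ada IpAddress=10.10.4.22",
              f"{at(timedelta())} host=PRINT01 EventID=4624 LogonType=3 TargetUserName=ada IpAddress=10.10.4.22"]
    return lines


if __name__ == "__main__":
    evs = [parse_line(l) for l in sample_log_lines()]
    print("kerberoasting:", detect_kerberoasting(evs))
    print("lateral fan-out:", detect_lateral_fanout(evs))
```

Both detections are the same shape, a sliding window counting distinct targets per actor, which is why they share one function; the tuning work in a real SIEM is replacing the fixed thresholds with what each account and host normally does, so that a legacy application's handful of RC4 tickets does not page anyone while a service account touching twelve SPNs in two minutes does.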

Backup isolation. Ransomware reached systems it should not have reached; whether IKEDC's backups were among them is not public, but recovery without paying depends entirely on that answer. Backup infrastructure must be offline or on immutable storage that cannot be encrypted or deleted by an attacker holding domain credentials and network access, and restores must be tested. If backups are reachable from the same network segment and with the same credentials as production systems, they are not backups. They are additional targets.

Incident response readiness. "Unaware of the hack" is not a response strategy. Organizations operating critical infrastructure need documented incident response plans, tested through tabletop exercises, with clear escalation paths and communication protocols. Under the Nigeria Data Protection Act and the General Application and Implementation Directive, data controllers must notify the NDPC within 72 hours of becoming aware of a breach. An organization that learns about its own breach from the attacker's public disclosure has already failed this requirement.

How cmdev helps

cmdev works with organizations across financial services, energy, and government to close the gaps that ByteToBreach-class actors exploit. Our engagements start where the threat landscape actually is — not where compliance frameworks assume it should be.

We conduct security posture assessments designed to answer one question: what would a motivated attacker find? This means infrastructure penetration testing scoped for lateral movement, credential audits across source repositories and configuration stores, and network segmentation reviews that map real traffic paths between critical systems. We build detection engineering programs — SIEM deployment, alert tuning, and threat hunting playbooks mapped to the specific TTPs active in the Nigerian threat environment. And we prepare organizations for the incident they hope never comes: tabletop exercises based on real scenarios, response playbook development, and compliance alignment with NDPA notification requirements and CBN CSAT for financial institutions.

If your organization handles customer data or operates infrastructure that people depend on, the question is not whether you'll face a ByteToBreach. It's whether you'll know when it happens.


Sources: Technext24, Nairametrics, Businessday, Security Intelligence Substack, NDPA 2023, GAID 2025, CBN circulars.

Tags: nigeria, bytetobreach, critical-infrastructure, ransomware, ikeja-electric, power-sector, incident-analysis
