Threat Assessment

Nigeria's 2026 Cyber Crisis: What the Breaches Reveal

cmdev

March 2026 changed everything

Between March and April 2026, a threat actor operating under the handle ByteToBreach executed a coordinated campaign that compromised three of Nigeria's most critical institutions in rapid succession. The attacks exposed 900,000 bank accounts, 25 million government files, and the cryptographic keys underpinning the country's largest payment settlement system.

These were not isolated incidents. They were linked — each breach enabling the next through lateral movement, credential reuse, and infrastructure that had never been tested against a determined adversary.

Sterling Bank: 900,000 accounts, 9 days undetected

The campaign began with CVE-2025-55182, a vulnerability in Sterling Bank's internet banking infrastructure. ByteToBreach exploited the flaw using Metasploit for initial access, then deployed Sliver C2 for persistent command and control.

The attacker maintained access for nine days before detection. During that window, they exfiltrated:

  • 900,000 customer account records
  • Bank Verification Numbers (BVNs) and National Identification Numbers (NINs)
  • Source code from internal repositories
  • API keys and service credentials

The dwell time — nine days inside a Tier 1 bank's core infrastructure — points to gaps in monitoring and detection. Sterling's T24 core banking system was accessed directly, meaning the attacker had visibility into real-time transaction processing.

As of this writing, Sterling Bank has not issued a public customer notification.

Remita: 46 HSM keys and the settlement system

The Sterling breach was not contained. ByteToBreach moved laterally from Sterling's network into Remita, the payment platform operated by SystemSpecs that processes salary payments for federal and state government employees and handles interbank settlements.

The pivot was enabled by plaintext credentials stored in Git repositories and a misconfigured S3 bucket — basic hygiene failures that gave the attacker a bridge between two supposedly isolated systems.

The Remita exfiltration was larger and more consequential:

  • 3 TB of data including 800+ GB of KYC documents
  • Transaction logs spanning government salary disbursements
  • 46 Hardware Security Module (HSM) keys used by major Nigerian banks for cryptographic operations in the settlement system

The HSM key exposure is the most significant finding. HSM keys protect the cryptographic integrity of financial transactions. With these keys, an attacker could theoretically sign fraudulent transactions that appear legitimate to the settlement infrastructure. The full blast radius of this exposure has not been publicly assessed.

CAC: 25 million files, 474 self-assigned admin roles

The Corporate Affairs Commission — the federal agency responsible for company registration — was breached through a different vector but by the same actor.

ByteToBreach exploited JWT enumeration combined with sequential user IDs to escalate privileges. The investigation revealed 474 self-assigned administrator roles in the system, suggesting either a long-running compromise or fundamentally broken access controls.
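
One way to detect this pattern from the defender's side, as an added example that is not from the investigation or from CAC's systems: flag token subjects that request long consecutive runs of user IDs other than their own. The log shape (verified JWT subject plus requested user ID), the thresholds and all names are assumptions.

```python
from collections import defaultdict

# Constructed sample access-log records (not from the incident):
# (subject claim of the verified JWT, user ID requested in the URL path).
SAMPLE_LOG = [
    ("1001", 1001), ("1001", 1001),                  # user reading own record
    ("2040", 2040), ("2040", 2041),                  # one stray lookup
    ("3107", 3108), ("3107", 3109), ("3107", 3110),
    ("3107", 3111), ("3107", 3112), ("3107", 3113),  # walking the ID space
]

def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of IDs."""
    best = 0
    for i in ids:
        if i - 1 not in ids:          # i is the start of a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def find_enumerators(records, min_foreign=5, min_run=4):
    """Return {subject: (foreign_id_count, longest_consecutive_run)} for
    token subjects that requested many user IDs other than their own."""
    foreign = defaultdict(set)
    for subject, requested in records:
        if str(requested) != subject:
            foreign[subject].add(requested)
    flagged = {}
    for subject, ids in foreign.items():
        run = longest_run(ids)
        # Both conditions: enough distinct foreign IDs, and they are sequential.
        if len(ids) >= min_foreign and run >= min_run:
            flagged[subject] = (len(ids), run)
    return flagged

if __name__ == "__main__":
    for subject, (count, run) in find_enumerators(SAMPLE_LOG).items():
        print(f"subject {subject}: {count} foreign IDs, consecutive run of {run}")
```

Detection of this kind complements, and does not replace, a server-side check that the token's subject is authorized for the record it requests.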

The exfiltration included:

  • 25 million files totaling approximately 750 GB
  • National identity cards submitted for company registration
  • Company resolutions, shareholder documents, and board minutes
  • Internal password repositories

This is not just a data breach. The CAC database is the authoritative record of corporate identity in Nigeria. Compromised company registration data enables identity fraud, corporate impersonation, and fraudulent filings at a national scale.

EFCC and Fast Credit: the pattern continues

In April 2026, the Economic and Financial Crimes Commission (EFCC) was breached by a separate actor — Nullsec Nigeria / ki4t. The breach exposed agent names, phone numbers, and operational codes. For a law enforcement agency investigating financial crime, the exposure of operative identities creates real physical risk.

Fast Credit Finance was breached around the same time. The actor iProfessor exfiltrated 870 GB of customer data — 940,000 records including government-issued IDs and loan applications — and offered it to five buyers before public disclosure.

The silence

The most striking pattern across these breaches is what did not happen: none of the affected organizations issued timely customer notifications.

Sterling Bank customers whose BVNs and NINs were exposed were not informed. Remita users — millions of government employees whose salary records were exfiltrated — received no alert. CAC registrants whose national identity documents are circulating on dark web forums were not contacted.

This silence is no longer just a reputational choice. Under the Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID), which took effect September 19, 2025, data controllers are required to notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of a breach.

Regulatory response

The breaches have accelerated regulatory enforcement:

  • NDPC has begun investigating multiple 2026 incidents for GAID compliance failures. Fines under NDPA can reach 2% of annual gross revenue or N10 million, whichever is higher.

  • CBN issued a mandatory Cybersecurity Self-Assessment Tool (CSAT) requirement for all regulated financial institutions. Deposit Money Banks (DMBs) faced an April 20, 2026 deadline; Other Financial Institutions (OFIs) must submit by May 4, 2026. The assessment covers governance, risk management, incident response, and technical controls.

  • NCC has published a Cyber Resilience Framework requiring telecommunications companies to report incidents within 4 hours to NCC CSIRT and notify affected customers within 48 hours. Compliance deadline: February 2027.

  • Lagos State issued cybersecurity guidelines in April 2026, driving demand for security assessments among state-level entities.

What organizations should do now

The breaches reveal a consistent set of failures: unpatched public-facing systems, plaintext credentials in code repositories, misconfigured cloud storage, broken access controls, and inadequate monitoring. These are not sophisticated attack techniques — they are hygiene failures exploited by a motivated actor.

Immediate priorities:

  • Patch management — Audit all internet-facing applications for known CVEs. The Sterling breach started with a single unpatched vulnerability.
  • Credential hygiene — Scan all Git repositories for hardcoded credentials, API keys, and connection strings. The Remita pivot was enabled by plaintext passwords in source control.
  • Cloud configuration — Review S3 bucket policies, IAM roles, and network segmentation. Misconfigured storage was a bridge between Sterling and Remita.
  • Access control audit — Review all admin and privileged accounts. The CAC breach revealed 474 self-assigned admin roles that should never have existed.
  • Detection and monitoring — Deploy or tune SIEM rules. A nine-day dwell time in a Tier 1 bank means detection capabilities were either absent or not functioning.
  • Incident response — Develop or update IR plans with GAID 72-hour notification workflows. Organizations that cannot notify within 72 hours face regulatory action.
  • CBN CSAT compliance — If you are a regulated financial institution, the deadline is imminent. Treat this as the starting point of a continuous security program, not a checkbox exercise.
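
For the access control audit item, and the self-assigned administrator roles described in the CAC section, here is an added example (not code from the investigation or any affected organization) that replays role-grant audit events and reports admin grants that do not trace back to a known-good administrator. The event format, the account names and the `bootstrap_admins` parameter are assumptions.

```python
# Constructed sample role-grant audit events (not from the incident):
# (ISO timestamp, actor who made the change, target account, role granted).
SAMPLE_EVENTS = [
    ("2026-01-05T09:00", "root-admin", "alice", "admin"),     # legitimate grant
    ("2026-01-09T14:10", "alice", "bob", "editor"),           # not an admin role
    ("2026-02-11T02:31", "user-7731", "user-7731", "admin"),  # self-assigned
    ("2026-02-11T02:40", "user-7731", "user-7732", "admin"),  # granted by tainted account
    ("2026-02-12T03:05", "carol", "dave", "admin"),           # actor was never admin
]

def audit_admin_grants(events, bootstrap_admins):
    """Replay grants in time order and return (findings, trusted_admins).

    A finding is (timestamp, target, reason). An account is trusted only if
    its admin role traces back to a bootstrap admin through valid grants, so
    an account promoted by a self-assigned admin is reported as well."""
    trusted = set(bootstrap_admins)
    findings = []
    for ts, actor, target, role in sorted(events):  # ISO timestamps sort in time order
        if role != "admin":
            continue
        if actor == target:
            findings.append((ts, target, "self-assigned"))
        elif actor not in trusted:
            findings.append((ts, target, "granted by untrusted actor"))
        else:
            trusted.add(target)
    return findings, trusted

if __name__ == "__main__":
    findings, trusted = audit_admin_grants(SAMPLE_EVENTS, {"root-admin"})
    for ts, target, reason in findings:
        print(f"{ts} {target}: {reason}")
    print("trusted admins:", sorted(trusted))
```

Any current administrator missing from the trusted set is a candidate for revocation and review.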

The 2026 breaches are not anomalies. Nigeria's cybersecurity market is projected to reach USD 414.92 million by 2031, growing at 10.32% CAGR. That growth is driven by threat reality, not aspiration. Organizations that treat security as a cost center rather than a survival function are choosing to learn this lesson the hard way.


Sources: Technext24, Nairametrics, Businessday, Security Intelligence Substack, CBN circulars, NDPC enforcement notices, NCC regulatory publications.
