In the span of a few weeks, three major Nigerian institutions appeared in cybercrime forums under the same attacker's name. First came Sterling Bank on March 18. Then, Remita, one of the country's most important payment platforms, on April 1. And then later, Nigeria’s Corporate Affairs Commission (CAC) itself.

Each breach followed the same pattern: detailed technical evidence, large claims of stolen data, and a single threat actor, ByteToBreach, claiming responsibility.

By Monday, 20 April, the Lagos government will release fresh guidelines for companies to protect themselves from cyberattacks.

But how did these attacks happen in the first place, and why are they happening now?

According to David Odes, a cybersecurity consultant who conducted an in-depth investigation into the Sterling Bank and Remita breaches, the incidents are linked through lateral movement, a technique where attackers enter one system and then move through connected systems to reach more valuable targets.

“The threat actor, ByteToBreach, was very chatty and very talkative for a threat actor,” Odes told Techloy. “They not only showcased their methodology, but they also talked about it. They described how they got into Remita through their relationship with Sterling Bank. This hack could have gone from Sterling Bank to Access Bank or any other financial institution. Remita was simply the one who turned out to be vulnerable.”

Odes traced the first confirmed intrusion to March 18, 2026, when a publicly accessible server belonging to Sterling Bank responded to a connection it should never have allowed.

The system was running unpatched software with a known vulnerability. The flaw, CVE-2025-55182, had already been publicly disclosed and assigned the highest possible severity rating.

“The vulnerability had a CVE score of 10, which is the highest score you can possibly get. So this attacker did not do anything particularly sophisticated to get into Sterling Bank’s system,” Odes said.

“This was like walking into a house with the back door wide open.”

According to Odes' report on the incident, the attacker remained inside the bank’s infrastructure for nine days, during which time they scanned internal systems, mapped services, and searched through application code.

One discovery proved particularly damaging. Encryption keys were stored in plaintext inside JavaScript files, making them visible to anyone already inside the environment.

“There are some basic dos and don’ts in software engineering,” Odes said. “One of those don’ts is storing encryption keys in plain text bundled into JavaScript code. In my opinion, the engineering discipline at Sterling Bank was not really up to global standards.”
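The practice Odes describes, key material shipped as string literals inside a JavaScript bundle, is something a build pipeline can check for before deployment. The following is an added illustration, not code from Sterling Bank or from Odes' report: it scans a constructed sample bundle for assignments whose name suggests a secret and whose value looks random rather than like a placeholder or an ordinary word.

```python
"""Pre-deploy check: flag secret-looking string literals in a JavaScript bundle."""
import math
import re

# Assignments such as `const encKey = "..."` or `apiSecret: '...'` where the
# identifier contains a key-like word and the value is a string literal.
SECRET_NAME = re.compile(
    r"""(?P<name>[A-Za-z_$][\w$]*(?:key|secret|token|password|passwd)[\w$]*)"""
    r"""\s*[:=]\s*(?P<q>["'`])(?P<value>[^"'`]{8,})(?P=q)""",
    re.IGNORECASE,
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores well above prose-like text."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_embedded_secrets(bundle: str, min_len: int = 16, min_entropy: float = 3.5):
    """Return (line_no, identifier, value) for literals that look like hard-coded keys."""
    findings = []
    for line_no, line in enumerate(bundle.splitlines(), 1):
        for m in SECRET_NAME.finditer(line):
            value = m.group("value")
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append((line_no, m.group("name"), value))
    return findings


# Constructed sample bundle (not any real institution's code): one hard-coded AES
# key, a harmless storage-key name, and a placeholder a deploy step would replace.
SAMPLE_BUNDLE = """\
const apiBase = "https://example.invalid/api";
const aesKey = "9f3Kq7Lm2Xz8Rt4Vw1Bn6Hp0Yd5Sc3E";
const tokenKey = "sessionToken";
const sigSecret = "__INJECTED_AT_DEPLOY__";
"""

if __name__ == "__main__":
    for line_no, name, value in find_embedded_secrets(SAMPLE_BUNDLE):
        print(f"line {line_no}: {name} looks like a hard-coded secret ({value[:6]}...)")
```

Only the AES key is reported; the short storage-key name fails the length check and the deploy placeholder fails the entropy check, so the scan can run on every build without drowning reviewers in noise.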

Multiple local news reports claimed that the hacker could have accessed employee records, customer information, and internal banking systems. Odes cautions that, as an independent investigator, he cannot make absolute claims about the full scope of the breach, though he added that “the data does not look good.”

Remita operates mostly behind the scenes, but its role in Nigeria’s financial system is significant. The platform processes government payments, manages the Treasury Single Account, and connects hundreds of ministries, departments, and agencies to the Central Bank of Nigeria.

According to the threat actor’s own statement on a cybercrime forum, “All of this is happening thanks to Sterling Bank. Their servers were very helpful in conducting the attacks on Remita.”

Odes said he found evidence suggesting the same infrastructure was used in the Remita and CAC attacks that followed it.

One VPS IP address — 206.217.216.145 — appeared as the command-and-control server in both incidents. Inside Remita’s systems, the attacker allegedly accessed extremely sensitive infrastructure components.

These included the platform’s Git source code repository, AWS cloud storage containing 657,000 KYC documents, database backups containing user accounts and payment records, password hashes and authentication tokens, and configuration files containing cloud access credentials.

Perhaps most concerning were cryptographic key files associated with major Nigerian banks, which may also have been compromised. These keys are used to authenticate financial instructions between institutions. If authentic and still valid, such keys could theoretically allow forged payment instructions.

Odes notes that confirming their authenticity requires investigation by regulators and settlement infrastructure operators.

Much of the exposed data relates to identity verification requirements for financial services. CBN mandates that banks verify their customers. That requires identifiers and documents such as the BVN, international passports, NIN numbers, driver’s licenses, and similar identity records.

Odes says that the lack of clear communication from Remita after the breach creates another issue. “A Remita user today does not know whether their data is in the hands of threat actors because there is an information gap,” he said. His advice to affected users is blunt: “Given the depth of what the attacker uncovered, just assume that whatever documents you submitted to Sterling Bank or Remita may have been compromised.”

The CAC maintains the official registry of companies, business names, and incorporated trustees in Nigeria. Its records form the legal foundation for corporate ownership and business registration across the country. The threat actor claims they accessed the system using a weakness in its authentication design.

According to the investigation, the CAC login infrastructure relied on sequential user IDs rather than random identifiers. By repeatedly sending requests to an authentication endpoint, the attacker could generate valid login tokens without needing a password.

Using this access, the hacker reportedly created an administrative account and assigned themselves 474 system roles, effectively granting access to nearly every administrative portal in the CAC system.
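An authentication design that issues tokens from predictable, sequential user IDs leaves a distinctive trace: one source walking through consecutive IDs at the token endpoint. The following detection is an added example, not code from the investigation or from the CAC; it runs over constructed log lines in an assumed format and reports each source that submits a run of consecutive user IDs to the token endpoint inside a short window.

```python
"""Detect enumeration of sequential user IDs against a token-issuing endpoint."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed for this example): timestamp, source IP,
# method, path, the user_id submitted, and the HTTP status returned.
LOG_LINE = re.compile(
    r"(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) POST (?P<path>/\S+) "
    r"user_id=(?P<uid>\d+) status=(?P<status>\d+)"
)


def parse(lines):
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["path"], int(m["uid"])


def find_id_enumeration(lines, endpoint="/auth/token", min_run=3, window_s=60):
    """Return {src_ip: [(first_uid, last_uid), ...]} for runs of at least `min_run`
    consecutive user IDs sent by one source to `endpoint` within `window_s` seconds.
    Mitigation, not shown: use unpredictable identifiers and never mint a token
    from an identifier alone."""
    by_src = defaultdict(list)
    for ts, src, path, uid in parse(lines):
        if path == endpoint:
            by_src[src].append((ts, uid))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        run = [events[0]]
        for ts, uid in events[1:]:
            in_window = (ts - run[0][0]).total_seconds() <= window_s
            if uid == run[-1][1] + 1 and in_window:
                run.append((ts, uid))
                continue
            if len(run) >= min_run:
                alerts.setdefault(src, []).append((run[0][1], run[-1][1]))
            run = [(ts, uid)]
        if len(run) >= min_run:
            alerts.setdefault(src, []).append((run[0][1], run[-1][1]))
    return alerts


# Constructed sample log: one source walks 1041..1044 in four seconds; a second
# source touches two consecutive IDs five minutes apart, which is not a run.
SAMPLE_LOG = """\
2026-04-01T10:00:01 203.0.113.5 POST /auth/token user_id=1041 status=200
2026-04-01T10:00:02 203.0.113.5 POST /auth/token user_id=1042 status=200
2026-04-01T10:00:03 203.0.113.5 POST /auth/token user_id=1043 status=200
2026-04-01T10:00:04 203.0.113.5 POST /auth/token user_id=1044 status=200
2026-04-01T10:00:05 198.51.100.7 POST /auth/token user_id=2210 status=200
2026-04-01T10:05:00 198.51.100.7 POST /auth/token user_id=2211 status=401
2026-04-01T10:00:06 203.0.113.5 POST /api/profile user_id=1045 status=200
""".splitlines()

if __name__ == "__main__":
    print(find_id_enumeration(SAMPLE_LOG))
```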

The attacker later claimed to have downloaded about 25 million documents from the registry. The publicly shared data archive alone totals 759 gigabytes.

The ethical hacker known as H4RUK7 KIRA, who has also been researching the group, says that the CAC breach may not have come as a surprise. “We saw this vulnerability last year and reported it,” he told Techloy.

According to him, the exposed records could include passports, signatures, corporate registration documents, and identity records tied to company directors.

The motivation behind ByteToBreach’s campaign remains unclear. But H4RUK7 KIRA added it was most likely done by “an organised cybercrime group” and not a single person.

H4RUK7 says the actor has been active since late 2025 but became far more aggressive this year.

Experts believe the incidents raise serious questions about regulatory oversight. “Data privacy and security should be taken seriously,” H4RUK7 said. “There should be fines of around five million dollars for breaches to ensure compliance.”

Unlike Sterling Bank and Remita, the CAC has acknowledged the incident publicly. “The Corporate Affairs Commission is currently reviewing a cybersecurity incident involving unauthorised access to limited aspects of its information systems,” the agency said in a statement.

The commission added that it activated its response protocols and is working with NITDA and other government agencies to assess the situation.

Sterling Bank and Remita have not issued public responses addressing the claims.
