One Hacker, Three Pillars of Nigeria’s Economy: Inside the ByteToBreach Crisis

In the last three weeks, a single threat actor has walked through Nigeria’s banking sector, its federal payment rails, and its national business registry — and walked out with roughly three terabytes of data. The attacker, who goes by ByteToBreach, did not use zero-day exploits or nation-state tooling. They used an unpatched test server, production credentials left in a public-facing Git repository, and an API endpoint that counted upward through integer user IDs.

This is not a hypothetical. The data is already published. And as of this week, Nigeria’s data protection regulator has three open investigations, the Corporate Affairs Commission has formally admitted the breach, and Lagos State has hurriedly issued new cybersecurity guidelines. Here is what happened, what it means, and why it matters far beyond the three institutions involved.

The Cascade: Sterling Bank → Remita → CAC

What makes the ByteToBreach campaign different from the ransomware headlines Nigeria has grown used to is that it was not three separate attacks. It was one chain.

Step 1: Sterling Bank’s forgotten test server

ByteToBreach’s entry point into Nigeria’s financial system was an internet-facing test server belonging to Sterling Bank. The server carried an unpatched vulnerability that had been publicly known — and publicly exploitable — for three months before the breach. No phishing was needed. No insider was required. The front door was propped open.

From that foothold, the attacker moved deeper into Sterling’s internal infrastructure, eventually extracting KYC documents, transaction logs, internal source code, API keys, and password hashes. As proof, the attacker publicly released the personal details, home address, and transactions of the bank’s Managing Director.

Step 2: Remita, reached through Sterling

Remita is not just a payment processor. It is a critical artery of the Nigerian federal government — the platform that handles the Treasury Single Account, salary payments for federal workers, and revenue collection for multiple MDAs.

ByteToBreach did not break into Remita from the outside. They reached it through Sterling Bank’s network, which Remita trusted. Once inside, they discovered something that should not have existed in 2026: production database credentials stored in plaintext inside a Git repository configuration file.

The result: terabytes of KYC records, financial statements, and system backups extracted from a platform that sits underneath the Nigerian federal budget.

Step 3: The Corporate Affairs Commission

If Sterling and Remita were the financial arteries, the Corporate Affairs Commission (CAC) is the economy’s address book. Every registered company in Nigeria — from startups to multinationals — lives in its database, along with the directors, shareholders, addresses, dates of birth, passport numbers, and NIN numbers associated with them.

The CAC breach was almost embarrassingly simple. The authentication system at authapp.cac.gov.ng generated JWT tokens via an endpoint that accepted an integer user ID (/api/v1/back_office/jwt/{userId}) — with no password, no second factor, and no rate limiting. ByteToBreach iterated upward through the integers until the system returned a valid staff token for user 4705317.

From there, they created a staff account literally named bytetobreach with 474 administrative roles and pivoted to the CAC’s document management system (edmsapp.cac.gov.ng), where — in the attacker’s own words — “no login, no token, no credentials” were required. If you knew the filename, you could download the file.

The attacker initially claimed roughly 25 million CAC documents. Later, they stated the real number “could be much higher.” The publicly available archives total 759.2 GB across four compressed files.

The Timeline

Date	Event
Late March 2026	Sterling Bank test server exploited
March 27 – April 1	ByteToBreach begins publishing stolen data on cybercrime forums
April 1	Nigeria Data Protection Commission (NDPC) serves official notices to Remita and Sterling Bank
April 5	Sterling Bank CEO’s personal details publicly released as proof of access
April 9	Reports emerge of ~900,000 Sterling Bank customers at risk
April 15	CAC quietly advises users to update credentials
April 16	CAC formally confirms the breach
April 17	NDPC opens formal investigation into CAC
April 18	The Shadow Unit group claims attack on Lower Niger River Basin Development Authority
April 19	Lagos State rolls out new cybersecurity guidelines

The Ransom That Never Came

ByteToBreach has claimed they contacted all three victim organisations before publishing any data. Two ignored the outreach. Sterling Bank reportedly engaged, with a discussed ransom of €250,000, then — according to the attacker — “kept postponing indefinitely.” The data was published regardless.

When asked whether ordinary Nigerians whose identity documents are now circulating on cybercrime forums deserved any consideration, the attacker responded plainly:

“Protecting Nigerians is not my responsibility. That’s the duty of the government.”

That answer, uncomfortable as it is, points at the real story here.

Why This Is a Systemic Failure, Not Three Incidents

It would be convenient to treat Sterling, Remita, and CAC as three separate organisations with three separate failures. They are not. Each breach exposed a class of vulnerability that is endemic across Nigerian enterprises:

1. Forgotten internet-facing test/staging servers. Many Nigerian organisations stand up temporary environments for development and never decommission them. They sit exposed on the public internet, running old software, with real credentials.
2. Secrets in source control. Plaintext production credentials in Git repositories — whether private or accidentally public — remain alarmingly common in Nigerian fintech, government, and SaaS stacks. One leaked repo is often all it takes.
3. IDOR (Insecure Direct Object Reference) in authentication flows. The CAC breach is a textbook IDOR: sequential user IDs, no authorization check, no rate limiting. This is the kind of flaw that basic automated testing catches — if anyone is testing.
4. Implicit trust between networks. Remita fell because it trusted Sterling. Inter-organisational trust without strong authentication at every boundary is how lateral movement becomes trivial.
5. No detection. In all three cases, the organisations learned they had been breached when the data showed up on forums — not from their own monitoring. Detection and response remain the weakest link.

The Broader Landscape: Nigeria Is Under Sustained Fire

The ByteToBreach campaign is the loudest story of April 2026, but it is not the only one.

• April 18, 2026: A group calling itself The Shadow Unit claimed to have compromised the servers of the Lower Niger River Basin Development Authority (lnrbda.gov.ng), exfiltrating project records, employee files, and internal communications.
• Dark web listing: A threat actor is advertising the full source code, database, and email access of a Nigerian welfare organisation for just $200.
• Attack volume: Per Check Point Research’s March 2026 data, Nigerian organisations are absorbing 4,090 cyberattacks per week, the highest rate in Africa — nearly double the continental average, and more than twice the global average of 1,995.
• Ransomware pressure: ngCERT has flagged an escalation in Phobos ransomware operations targeting cloud service providers that host government agencies, financial institutions, telecoms, and healthcare organisations. The 2025–2026 ransomware victim list for Nigeria includes Midwestern Oil & Gas, Leadway Assurance, Fidelity Pension Managers, and others.

The Regulatory Response

Nigeria’s regulators are moving, though the pace is being dictated by breaches rather than strategy.

• NDPC investigations are now formally open against Sterling Bank, Remita, and CAC. Under the Nigeria Data Protection Act 2023, violations can trigger significant fines and corrective enforcement actions.
• NDPC regulatory advisory (April 16) instructs all data controllers and processors to urgently implement multi-factor authentication, zero-trust architecture, regular DPIAs, and the appointment of certified Data Protection Officers.
• National Cybersecurity Coordination Council: Communications Minister Bosun Tijani announced a new multi-stakeholder body to coordinate CISOs, tech firms, law enforcement, and government. NITDA, NCC, Galaxy Backbone, and NDPC have been directed to form a technical secretariat. A national roundtable is planned for this month.
• Lagos State cybersecurity guidelines (April 19): Published yesterday, these guidelines target SMEs, large organisations, and MDAs with a tiered framework aligned to the Cybercrime Act, the NDP Act, and the National Cybersecurity Policy. They are advisory rather than regulatory, but they signal where mandatory rules are heading.

What Leaders Should Be Doing Now

If you run an organisation in Nigeria — whether a fintech, a traditional bank, a government agency, or an SME — the ByteToBreach campaign is a rehearsal for what is coming. Five questions worth answering this week:

1. Do you know every internet-facing asset you own? Including test, staging, demo, legacy, and acquired environments? If not, attackers will find them first.
2. Are there secrets in your Git repositories? A proper scan of current and historical commits (across all branches) is a one-day exercise that every CTO should authorize immediately.
3. Does your authentication layer assume its input is trustworthy? IDOR, missing authorization checks, and sequential identifiers are still everywhere. Independent penetration testing — not just vulnerability scanning — catches these.
4. What happens when a trusted partner is compromised? Lateral movement from a compromised supplier is the Remita story. Zero-trust network segmentation is no longer a nice-to-have.
5. Who would notice if you were breached right now? If the answer is “a journalist” or “a forum post,” your detection and response capability needs immediate attention.

The Hard Truths

The uncomfortable truth of the ByteToBreach campaign is that none of the vulnerabilities exploited were novel. Unpatched servers, secrets in Git, IDOR, and implicit trust are cybersecurity 101 — and they took down three of Nigeria’s most important institutions in a matter of weeks. The organisations that will weather 2026 are not the ones with the biggest security budgets. They are the ones who take the basics seriously, test them honestly, and assume they are already targets.

Because as ByteToBreach put it, protecting Nigerians is a responsibility that someone has to take — and so far, too few organisations have stepped forward.

Sources & Further Reading

• CAC confirms cybersecurity breach affecting millions — Daily Post Nigeria
• NDPC investigates Corporate Affairs Commission — Daily Post Nigeria
• Sterling Bank, Remita and CAC: Why the institutions said nothing — TechNext
• Interview with ByteToBreach — Security Intelligence
• Sterling Bank CEO data exposed by hacker — WeeTracker
• Nigerian regulator opens probe into data leak (Remita/Sterling) — ITWeb Africa
• Lagos rolls out cybersecurity guidelines — PM News Nigeria
• NDPC issues data protection advisory — Daily Post Nigeria
• Nigeria to establish Cybersecurity Coordination Council — TechAfrica News
• Nigeria records 4,200 weekly cyber attacks — The Guardian Nigeria
• Africa’s digital infrastructure under attack — Ogun Security

6030 Technologies provides cybersecurity services including penetration testing, security assessments, NDPA compliance support, and continuous monitoring for organisations in Nigeria, the US, and the UK. This brief is part of an ongoing series tracking cyber threats to Nigerian entities. Interested in knowing how we can help you? Reach out by Contacting Us.