Key takeaways
- Between March and April 2026, a single actor (ByteToBreach) chained breaches across Sterling Bank, Remita, and CAC — 900,000 bank accounts, 25 million government files, and 46 HSM keys for the settlement system.
- The attack chain was enabled by basic hygiene failures: plaintext credentials in Git, a misconfigured S3 bucket, JWT enumeration with sequential user IDs, and 474 self-assigned admin roles inside CAC.
- Sterling's nine-day dwell time inside a Tier 1 bank's core (T24) means monitoring and detection were either absent or non-functional — not that the attacker was sophisticated.
- None of the affected organizations issued timely customer notifications, in apparent breach of the NDPA and GAID requirement to notify NDPC within 72 hours.
- Regulatory response is now in flight: NDPC investigations underway, CBN CSAT deadlines hit (DMBs Apr 20, OFIs May 4), NCC Cyber Resilience Framework demanding 4-hour incident reporting by Feb 2027.
March 2026 changed everything
Between March and April 2026, a threat actor operating under the handle ByteToBreach executed a coordinated campaign that compromised three of Nigeria's most critical institutions in rapid succession. The attacks exposed 900,000 bank accounts, 25 million government files, and the cryptographic keys underpinning the country's largest payment settlement system.
These were not isolated incidents. They were linked — each breach enabling the next through lateral movement, credential reuse, and infrastructure that had never been tested against a determined adversary.
Sterling Bank: 900,000 accounts, 9 days undetected
The campaign began with CVE-2025-55182, a vulnerability in Sterling Bank's internet banking infrastructure. ByteToBreach exploited the flaw using Metasploit for initial access, then deployed Sliver C2 for persistent command and control.
The attacker maintained access for nine days before detection. During that window, they exfiltrated:
- 900,000 customer account records
- Bank Verification Numbers (BVNs) and National Identification Numbers (NINs)
- Source code from internal repositories
- API keys and service credentials
The dwell time — nine days inside a Tier 1 bank's core infrastructure — points to gaps in monitoring and detection. Sterling's T24 core banking system was accessed directly, meaning the attacker had visibility into real-time transaction processing.
As of this writing, Sterling Bank has not issued a public customer notification.
Remita: 46 HSM keys and the settlement system
The Sterling breach was not contained. ByteToBreach moved laterally from Sterling's network into Remita, the payment platform operated by SystemSpecs that processes salary payments for federal and state government employees and handles interbank settlements.
The pivot was enabled by plaintext credentials stored in Git repositories and a misconfigured S3 bucket — basic hygiene failures that gave the attacker a bridge between two supposedly isolated systems.
The Remita exfiltration was larger and more consequential:
- 3 TB of data including 800+ GB of KYC documents
- Transaction logs spanning government salary disbursements
- 46 Hardware Security Module (HSM) keys used by major Nigerian banks for cryptographic operations in the settlement system
The HSM key exposure is the most significant finding. HSM keys protect the cryptographic integrity of financial transactions. With these keys, an attacker could theoretically sign fraudulent transactions that appear legitimate to the settlement infrastructure. The full blast radius of this exposure has not been publicly assessed.
CAC: 25 million files, 474 self-assigned admin roles
The Corporate Affairs Commission — the federal agency responsible for company registration — was breached through a different vector but by the same actor.
ByteToBreach exploited JWT enumeration combined with sequential user IDs to escalate privileges. The investigation revealed 474 self-assigned administrator roles in the system, suggesting either a long-running compromise or fundamentally broken access controls.
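The CAC mechanism has not been published in detail, so the following is an added illustration (not code from the article or from CAC) of the generic weakness the sentence above describes: a service that reads a role out of a JWT body without verifying the signature, and that takes the target account from a guessable sequential user ID, will hand over any record to anyone who edits the payload. The hardened handler beside it verifies the HMAC signature and looks the caller's role up server-side, so neither a tampered claim nor a guessed ID grants access. The secret, the user IDs and the records are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing secret; a real service loads this from a secret store.
SECRET = b"constructed-demo-secret"

# Server-side authorization state (constructed). Roles live here and only here.
ROLES = {1001: "admin", 1002: "user", 1003: "user"}
RECORDS = {1002: "record of user 1002", 1003: "record of user 1003"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: int, role: str, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT with a sub and a role claim."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": user_id, "role": role}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def vulnerable_get_record(token: str, user_id: int) -> str:
    """Anti-pattern: trusts unverified claims and a client-supplied user ID."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    if payload.get("role") == "admin" or payload.get("sub") == user_id:
        return RECORDS.get(user_id, "")
    raise PermissionError("forbidden")


def verify_token(token: str, key: bytes = SECRET) -> dict:
    """Check the HMAC signature and algorithm before trusting any claim."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("bad signature")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    return json.loads(b64url_decode(payload))


def hardened_get_record(token: str, user_id: int) -> str:
    """Identity comes from the verified sub; the role comes from the server store."""
    caller = verify_token(token)["sub"]
    role = ROLES.get(caller, "none")
    if role == "admin" or caller == user_id:
        return RECORDS.get(user_id, "")
    raise PermissionError("forbidden")


def tampered_token(token: str, role: str) -> str:
    """Test input: payload edited, signature left as issued (so it no longer matches)."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["role"] = role
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"


def denies(fn, *args) -> bool:
    """True if the handler refuses the request with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    tok = issue_token(1003, "user")
    forged = tampered_token(tok, "admin")
    print("vulnerable handler, forged role:", vulnerable_get_record(forged, 1002))
    print("hardened handler, forged role denied:", denies(hardened_get_record, forged, 1002))
```

The check that matters is in `hardened_get_record`: the record a caller may read is derived from a claim that was cryptographically verified, and the admin decision is made against `ROLES`, so the token body never confers authority on its own. Monitoring for bursts of 403s across consecutive user IDs from one token is the matching detection signal.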
The exfiltration included:
- 25 million files totaling approximately 750 GB
- National identity cards submitted for company registration
- Company resolutions, shareholder documents, and board minutes
- Internal password repositories
This is not just a data breach. The CAC database is the authoritative record of corporate identity in Nigeria. Compromised company registration data enables identity fraud, corporate impersonation, and fraudulent filings at a national scale.
EFCC and Fast Credit: the pattern continues
In April 2026, the Economic and Financial Crimes Commission (EFCC) was breached by a separate actor — Nullsec Nigeria / ki4t. The breach exposed agent names, phone numbers, and operational codes. For a law enforcement agency investigating financial crime, the exposure of operative identities creates real physical risk.
Fast Credit Finance was breached around the same time. The actor iProfessor exfiltrated 870 GB of customer data — 940,000 records including government-issued IDs and loan applications — and offered it to five buyers before public disclosure.
The silence
The most striking pattern across these breaches is what did not happen: none of the affected organizations issued timely customer notifications.
Sterling Bank customers whose BVNs and NINs were exposed were not informed. Remita users — millions of government employees whose salary records were exfiltrated — received no alert. CAC registrants whose national identity documents are circulating on dark web forums were not contacted.
This silence is no longer just a reputational choice. Under the Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) which took effect September 19, 2025, data controllers are required to notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of a breach.
Regulatory response
The breaches have accelerated regulatory enforcement:
NDPC has begun investigating multiple 2026 incidents for GAID compliance failures. Fines under NDPA can reach 2% of annual gross revenue or N10 million, whichever is higher.
CBN issued a mandatory Cybersecurity Self-Assessment Tool (CSAT) requirement for all regulated financial institutions. Deposit Money Banks (DMBs) faced an April 20, 2026 deadline; Other Financial Institutions (OFIs) must submit by May 4, 2026. The assessment covers governance, risk management, incident response, and technical controls.
NCC has published a Cyber Resilience Framework requiring telecommunications companies to report incidents within 4 hours to NCC CSIRT and notify affected customers within 48 hours. Compliance deadline: February 2027.
Lagos State issued cybersecurity guidelines in April 2026, driving demand for security assessments among state-level entities.
What organizations should do now
The breaches reveal a consistent set of failures: unpatched public-facing systems, plaintext credentials in code repositories, misconfigured cloud storage, broken access controls, and inadequate monitoring. These are not sophisticated attack techniques — they are hygiene failures exploited by a motivated actor.
Immediate priorities:
- Patch management — Audit all internet-facing applications for known CVEs. The Sterling breach started with a single unpatched vulnerability.
- Credential hygiene — Scan all Git repositories for hardcoded credentials, API keys, and connection strings. The Remita pivot was enabled by plaintext passwords in source control.
- Cloud configuration — Review S3 bucket policies, IAM roles, and network segmentation. Misconfigured storage was a bridge between Sterling and Remita.
- Access control audit — Review all admin and privileged accounts. The CAC breach revealed 474 self-assigned admin roles that should never have existed.
- Detection and monitoring — Deploy or tune SIEM rules. A nine-day dwell time in a Tier 1 bank means detection capabilities were either absent or not functioning.
- Incident response — Develop or update IR plans with GAID 72-hour notification workflows. Organizations that cannot notify within 72 hours face regulatory action.
- CBN CSAT compliance — If you are a regulated financial institution, the deadline is imminent. Treat this as the starting point of a continuous security program, not a checkbox exercise.
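Two of the priorities above, the credential-hygiene scan of repositories and the audit for self-assigned admin roles, can be started with a few dozen lines. The block below is an added example (not tooling from the article or from any of the organizations named) that runs both over constructed inputs: a small in-memory repository snapshot containing the secret shapes that enabled the Remita pivot, and a constructed role-grant audit log in which some administrators granted themselves the role. The regex set is deliberately small; a production scanner carries far more patterns, and a real audit reads the identity provider's grant events rather than a list literal.

```python
from __future__ import annotations

import re

# Common hardcoded-secret shapes (constructed for this example).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"
    ),
    "connection_string": re.compile(r"(?i)\b[a-z]+://[^:/\s]+:[^@\s]+@[^\s'\"]+"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Constructed repository snapshot: path -> file contents.
REPO = {
    "config/settings.py": 'DB_PASSWORD = "hunter2hunter2"\nDEBUG = False\n',
    "deploy/env.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "src/db.py": 'url = "postgres://app:s3cretpass@db.internal:5432/core"\n',
    "README.md": "Set DB_PASSWORD via the secret manager, never in code.\n",
}

# Constructed role-grant audit log. A self-grant is actor == target.
AUDIT_LOG = [
    {"ts": "2026-03-02T09:14:00Z", "action": "grant_role", "actor": "u1001", "target": "u1002", "role": "admin"},
    {"ts": "2026-03-05T22:41:00Z", "action": "grant_role", "actor": "u1500", "target": "u1500", "role": "admin"},
    {"ts": "2026-03-06T01:03:00Z", "action": "grant_role", "actor": "u1777", "target": "u1777", "role": "admin"},
    {"ts": "2026-03-06T01:04:00Z", "action": "grant_role", "actor": "u1777", "target": "u1778", "role": "auditor"},
    {"ts": "2026-03-07T08:00:00Z", "action": "login", "actor": "u1778", "target": "u1778", "role": ""},
]


def scan_for_secrets(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Return (path, line_number, pattern_name) for every line matching a secret shape."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path, lineno, name))
    return hits


def self_assigned_admin_grants(events: list[dict]) -> list[dict]:
    """Every admin grant where the actor granted the role to their own account."""
    return [
        e for e in events
        if e["action"] == "grant_role" and e["role"] == "admin" and e["actor"] == e["target"]
    ]


def admins_without_second_party_grant(events: list[dict]) -> set[str]:
    """Admin accounts that never received the role from a different actor."""
    grants = [e for e in events if e["action"] == "grant_role" and e["role"] == "admin"]
    admins = {e["target"] for e in grants}
    approved = {e["target"] for e in grants if e["actor"] != e["target"]}
    return admins - approved


if __name__ == "__main__":
    for path, lineno, name in scan_for_secrets(REPO):
        print(f"{path}:{lineno}: {name}")
    for e in self_assigned_admin_grants(AUDIT_LOG):
        print(f"{e['ts']} self-granted admin: {e['target']}")
    print("admins lacking a second-party grant:", admins_without_second_party_grant(AUDIT_LOG))
```

Run the secret scan across every branch and the full history, not just the current checkout, since a credential removed in a later commit is still retrievable. The two audit functions answer different questions: the first lists the events to investigate, the second lists the accounts whose admin privilege has no approver and should be revoked pending review.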
The 2026 breaches are not anomalies. Nigeria's cybersecurity market is projected to reach USD 414.92 million by 2031, growing at 10.32% CAGR. That growth is driven by threat reality, not aspiration. Organizations that treat security as a cost center rather than a survival function are choosing to learn this lesson the hard way.
FAQs
How did one actor chain three of Nigeria's most critical institutions in weeks?
By exploiting predictable hygiene failures rather than novel techniques. CVE-2025-55182 gave initial access to Sterling; Sliver C2 maintained persistence for nine days; plaintext credentials in Git and a misconfigured S3 bucket bridged into Remita; JWT enumeration plus sequential user IDs escalated privileges in CAC. None of this is sophisticated — it's what an unmonitored network looks like under sustained attack.
Why is the Remita HSM-key exposure the most consequential finding?
Because HSM keys protect the cryptographic integrity of interbank settlement. With them, an attacker could theoretically sign transactions that appear legitimate to the settlement infrastructure used by major Nigerian banks. The full blast radius — which transactions could be forged, which banks must rotate, how long the exposure has existed — has not been publicly assessed.
Why has no breached organization notified customers?
Historically, the calculus was reputational — quiet breach handling was viewed as protective. Under NDPA + GAID, that calculus has changed: the 72-hour notification to NDPC is mandatory, and failure to notify is a separate offense from the underlying security failure. The silence in 2026 likely reflects organizations betting that enforcement won't catch up — a bet NDPC has signalled it intends to settle.
Is CBN's CSAT a checkbox exercise?
Treating it as one is the failure mode. CSAT covers governance, risk management, incident response, and technical controls — the same areas where the 2026 breaches revealed gaps. Organizations that submit CSAT as compliance theatre and don't operationalize the controls will face the same hygiene-failure incidents that started this crisis.
What's the single most impactful change a Nigerian organization can make this quarter?
Tighten detection and monitoring so dwell time falls below 72 hours. The patch management, credential hygiene, and cloud configuration fixes are necessary but slow. Detection is the control that turns a future breach into a contained incident with timely NDPC notification rather than a nine-day catastrophe. Sterling's gap wasn't the unpatched CVE — it was nine days of unmonitored access.
Sources: Technext24, Nairametrics, Businessday, Security Intelligence Substack, CBN circulars, NDPC enforcement notices, NCC regulatory publications.
