Confirmed: ByteToBreach Publishes Over 3TB of Sensitive Nigerian Data Across 30+ Breached Organizations

The catastrophic data breach initially reported as allegations has been confirmed. Threat actor “ByteToBreach” successfully infiltrated and published sensitive data from over 30 Nigerian organizations, including Remita, Sterling Bank, Zenith Bank, Oyo State Government, Leadway Assurance, GetBumpa, Ahmadu Bello University Zaria, and numerous government institutions. The total data haul exceeds 3 terabytes, now publicly accessible across VPS servers, Google Drive, Dropbox, and Sync.

The Confirmed Victims

According to threat intelligence platform VECERT Analyzer and security researchers tracking the incident, ByteToBreach exploited vulnerabilities in Sterling Bank’s servers as the initial attack vector, then pivoted to compromise Remita’s Amazon S3 storage infrastructure. The breach exposed critical national payment infrastructure that processes trillions of naira for Nigeria’s Treasury Single Account.

Sterling Bank alone saw approximately 900,000 customer accounts compromised, along with over 3,000 employee records. The attacker’s dark web post on March 27, 2026 detailed the full scope—far beyond initial estimates.

What Was Actually Published

The 3TB data trove includes 800GB of Know Your Customer documentation — passports, national IDs, photographs, bank statements, utility bills, and business registration documents. Complete MySQL and Postgres database dumps containing financial transaction records, account details, and customer profiles are now publicly available. Over 35,000 password hashes were released for free on dark web forums.

Intellectual property theft includes complete source code repositories, Docker registries, and configuration files with API keys. Perhaps most alarming, government Hardware Security Module keys—which protect cryptographic operations for sensitive systems—were exposed. GitKraken logs revealing repository access patterns and internal development workflows complete the haul.

The Broader Victim List

While Remita and Sterling Bank dominate headlines, ByteToBreach’s Nigerian campaign extended far beyond financial services. Zenith Bank, one of Nigeria’s largest commercial banks, suffered undisclosed breaches. The Oyo State Government’s systems were compromised, raising concerns about exposed citizen records and internal government communications.

Leadway Assurance, a major Nigerian insurance provider, saw customer policy data and personal information exfiltrated. GetBumpa, a fintech platform serving small businesses, lost merchant and transaction data. Ahmadu Bello University Zaria’s student and administrative records were compromised. Additional victims span government institutions, educational bodies, healthcare providers, and commercial enterprises—over 30 organizations in total.

The Attack Vector Confirmed

ByteToBreach’s methodology followed established patterns documented by threat intelligence firm KELA Cyber since June 2025. The attacker exploited cloud infrastructure vulnerabilities, reused credentials harvested from infostealer malware, and leveraged misconfigurations in Amazon S3 buckets. Sterling Bank’s servers proved the critical pivot point, described by the attacker as “very helpful” in conducting lateral movement attacks.

Once inside Sterling’s network, ByteToBreach gained access to interconnected systems including Remita’s payment infrastructure. The breach methodology mirrors previous attacks on Seychelles Commercial Bank, Viking Line, and Swedish e-government systems—all attributed to the same actor.

Official Silence and Legal Violations

As of April 2, 2026, none of the breached organizations have issued public breach notifications. This silence violates Nigeria’s Data Protection Act 2023, which requires data controllers to notify the Nigeria Data Protection Commission within 72 hours of becoming aware of breaches posing risk to individuals’ rights. The law also mandates immediate communication to affected data subjects when breaches pose high risk.

The Nigeria Data Protection Commission has not publicly acknowledged the breaches or announced enforcement actions. Sterling Bank has not confirmed or denied the 900,000 account compromise. Remita’s parent company SystemSpecs remains silent. The Central Bank of Nigeria, which just mandated cybersecurity self-assessments for all banks on March 30, has issued no statement.

Who Is ByteToBreach?

ByteToBreach operates as a sophisticated, internationally active cybercriminal tracked by multiple security firms. KELA Cyber’s investigation linked the alias to infostealer-infected machines originating from Algeria, with credentials reused across communication channels including ProtonMail, Telegram, Signal, and dark web forums like DarkForums and Dread.

Confirmed previous targets include Uzbekistan Airways (leaked U.S. government employee travel data), Seychelles Commercial Bank (customer banking data), Viking Line (passenger and payment records), and organizations across Ukraine, Kazakhstan, Cyprus, Poland, Chile, and the United States. The actor’s modus operandi combines technical skill with aggressive self-promotion and data monetization.

Immediate Risks for Nigerians

The exposure of 800GB of KYC documents enables sophisticated identity theft, fraudulent loan applications using genuine ID copies, and highly targeted phishing campaigns referencing specific personal details. Bank account credentials and password hashes allow direct account takeover attempts. Business registration documents facilitate corporate identity fraud.

Government HSM key exposure compromises cryptographic security for systems relying on those keys. Source code leaks provide roadmaps for future attacks against the same platforms. The combination creates a cascading risk profile where initial identity theft enables financial fraud, which funds further criminal operations.

What Nigerians Must Do Now

Assume your data is compromised if you have ever used Remita, hold an account at Sterling or Zenith Bank, have conducted business with any of the affected organizations, or reside in Oyo State. Change passwords immediately for all financial accounts, and use a unique password for each service. Enable Multi-Factor Authentication on every account that supports it, especially banking, email, and government services.

Monitor bank statements daily for unauthorized transactions, even small amounts. Contact your bank to request heightened security alerts. Place fraud alerts on credit reports if available. Be hypervigilant for phishing attempts that reference specific personal details—the hallmark of attacks following KYC data exposure.

Consider freezing accounts or requesting temporary blocks on new credit applications if your identification documents were likely exposed. Document everything for potential legal action or compensation claims when regulators eventually respond.

The Systemic Failure

This breach represents catastrophic failure across multiple layers: cloud security misconfigurations that allowed 3TB exfiltration, interconnected systems creating pivot opportunities from Sterling to Remita, absence of real-time breach detection despite months-long intrusion windows, and complete regulatory silence violating mandatory notification laws.

Nigeria’s financial infrastructure, already under strain with 119,000 breaches in Q1 2025 alone, now faces its largest confirmed incident. The Central Bank’s March 30 cybersecurity directive came too late to prevent what may be the most damaging data breach in Nigerian history.
