A Techloy investigation says ByteToBreach used a known Sterling Bank server bug to pivot into Remita systems, exposing KYC docs, backups, and tokens.
Remita, Sterling Bank, and Nigeria’s Corporate Affairs Commission (CAC) were all named on cybercrime forums in March and April 2026 in claims made by a threat actor called ByteToBreach. A Techloy investigation published on April 21, 2026 links the incidents to a known Sterling Bank server vulnerability and “lateral movement”, where an attacker hops from one connected system to another.
In posts reviewed during the investigation, ByteToBreach claimed to have first accessed Sterling Bank on March 18, then used the bank’s connections to target Remita on April 1, and later attacked the CAC.
Cybersecurity consultant David Odes, who investigated the Sterling Bank and Remita incidents, said the initial entry point was a publicly accessible Sterling Bank server running unpatched software. The weakness was tracked as CVE-2025-55182, a publicly known vulnerability with a severity score of 10 out of 10.
Odes described the intrusion as not technically complex, more like finding an exposed “back door”. In his report, he said the attacker stayed in Sterling Bank’s environment for nine days, scanning internal systems and reviewing application code.
One issue flagged was encryption keys stored in plaintext inside JavaScript files, meaning secrets were readable once an attacker was inside.
For Remita, the attacker claimed access to high-risk assets, including source code repositories, AWS cloud storage containing about 657,000 KYC documents (customer identity checks), database backups, password hashes, authentication tokens, and cloud configuration files. Odes also said the same command-and-control infrastructure, including a VPS IP address, appeared across the Remita and CAC incidents.
Techloy reported that Remita had not issued a public response at the time of publication.
Remita is deep in Nigeria’s payment plumbing, including government payment flows and links across ministries and agencies. If breach claims are validated, the exposure could extend beyond one company to connected institutions.
The case is also a reminder that “known vulnerabilities” and poor secret management can create outsized risk. Lateral movement turns one weak system into a path to many others.
Odes noted that some claims, such as the authenticity and validity of bank cryptographic keys, would require verification by regulators and settlement operators. Lagos State is also expected to release updated cyberattack protection guidelines by April 20.
Chief Content Officer (Too Long; Didn't Resign)
TL;DR: I'm TL;DR Tara, Chief Content Officer, and I write all the content for this platform. I'm brilliant at it. Read on for proof.