A single hacker named “ByteToBreach” has claimed three cyberattacks on the Nigerian financial sector within one week. 

First, the attacker targeted Sterling Bank. Then, they went after Remita, the country’s government payment platform, and FCMB. As a result, regulators have ordered urgent security checks across the industry.

Nigerian Financial Sector Hack: Timeline of Events

The first breach occurred on March 27. ByteToBreach claimed to have broken into Sterling Bank and stolen 900,000 customer accounts plus thousands of employee records. The stolen data reportedly included Bank Verification Numbers (BVN) and passport images. However, the bank neither confirmed nor denied the claim.

Days later, the same hacker struck again. This time, they targeted Remita, Nigeria’s main platform for government salaries and tax payments. ByteToBreach admitted that they used Sterling Bank’s systems as a stepping stone to access Remita. They then stole data that allegedly included KYC documents, source code and password hashes.

Meanwhile, FCMB entered the picture through a separate but similar incident. The bank blocked a N2.4 billion fraud attempt in December 2025, but N677 million still reached the criminals.

Nigerian Financial Sector Hack: What Links the Attacks

Three factors connect these incidents. First, the same attacker, ByteToBreach, appears in every case. Second, the hacker themselves stated that they pivoted from Sterling Bank into Remita. This reveals deliberate planning rather than random attacks.

Third, the speed of the claims matters. ByteToBreach announced each breach within days of the last one. As a result, victims had no time to investigate before the next claim surfaced.

The Alleged Hacker: ByteToBreach

ByteToBreach has operated since mid-2025 on Telegram and similar underground forums. They sell stolen databases and broker access to compromised systems. Financial services make up most of their known victims.

In November 2025, Eurofiber confirmed a breach that ByteToBreach claimed. Despite this, not all of their claims have independent verification. Some researchers warn that they exaggerate to build their reputation.

What Remains Unclear

Despite the hacker’s claims, no Nigerian bank or regulator has publicly confirmed any breach. Remita blamed only “some hitches” when it forced partners to regenerate API keys.

Similarly, the Central Bank issued a cybersecurity self-assessment directive on March 30 but did not mention the attacks by name. Furthermore, ByteToBreach has not released verifiable samples of the Remita data.

Also, the FCMB incident might have no link to the current attacks. Until the organizations speak publicly, the full truth remains unknown.
