A sophisticated wave of ransomware attacks has remained a threat to Nigerian government agencies and tier-1 financial institutions over the last three weeks, exposing deep-seated systemic fragilities in the nation’s rapidly digitising economy.

Reports from the National Information Technology Development Agency (NITDA) and the Corporate Affairs Commission (CAC) confirmed that ‘coordinated and sophisticated’ threat actors have successfully breached critical infrastructure, leading to service outages and the suspected exfiltration of sensitive citizen data.

To show the severity of the breach, CAC suspended, albeit temporarily, the companies’ registration portal, even as the Nigeria Data Protection Commission (NDPC) has commenced a probe into the attacks.

The fragilities of Nigeria’s cybersecurity landscape have shifted from opportunistic fraud to high-stakes institutional extortion. These gaps have raised serious concerns about the country’s porous cyberspace, especially as Nigeria prepares for the 2027 general elections, considering that the Independent National Electoral Commission (INEC) might become a target.

This is even as reports have revealed that Nigerian organisations are reportedly facing about 4,700 cyberattacks per week, by doing so showing the intensity of the criminals.

Earlier in February, The Guardian, while analysing a report by CheckPoint, a leading cyber security firm, had informed of a possible surge in cyberattacks this year, with major targets being African banks.

The report showed that the global financial sector suffered a staggering 115 per cent surge in cyberattacks last year, and warned banks and institutions, disclosing a rise in surges from 864 cases in 2024 to 1,858 in 2025.

Indeed, last week, news filtered in that approximately 25 million documents have allegedly been exfiltrated from the infrastructure of the CAC of Nigeria, the government agency responsible for company registrations.

Information gathered revealed that the threat actor was ByteToBreach, which unleashed a ransomware attack on the CAC, where some 25 million documents of about 750GB have been breached.

Based on findings, ByteToBreach is a prolific threat actor and data leak trader active since at least June 2025, specialising in exploiting Internet-facing systems to steal, sell, and publish sensitive databases.

On the CAC attack, the threat actor provided seven proof screenshots documenting the attack stages, starting from Breakthrough (Initial access) to Escalation, then Takeover (Domain admin/super admin control) to Portals (Access to internal/external user portals) to Full Access (Exfiltration of sensitive state records), Government Betrayal and Exfil Time (Data staging and download).

About 25 per cent of the files are described as simple corporate signatures, leaving more than 15 million documents of substance. The actor stated they tried to upload as much as possible for free, but server instability limited the free portion to 750GB.

While the actor noted that roughly 25 per cent of the haul is ‘simple corporate signatures,’ the remaining over 15 million documents represent a goldmine of sensitive corporate intelligence, ownership structures, and identity data.

For context, this breach is not occurring in a vacuum. It is the third major strike by ByteToBreach in recent weeks, following attacks on the Remita payment platform and Sterling Bank.

Attacks not isolated to Nigeria

The current wave of attacks is not limited to Nigeria. At the weekend, hackers publicly released data stolen from Standard Bank of South Africa, escalating what appears to be a serious cybersecurity breach and raising urgent concerns over customer privacy and the bank’s digital defences.

The data breach exposed select client records, including “account numbers, limited account information, business names, and ID or registration numbers,” the bank said.

Standard Bank was hacked together with its insurer, Liberty, which said it detected unauthorised third-party access to select data systems and immediately took steps to contain and mitigate the impact.

According to Standard Bank, the affected systems were internal administrative and document filing systems.

Further to the Nigerian breach, and to understand the severity of the CAC breach, a cybersecurity expert familiar with the operations of the Federal Government, who preferred anonymity, but has been monitoring proceedings lately, told The Guardian that one must look at the actor behind the keyboard. He said the ByteToBreach has rapidly ascended from a forum nuisance to a systemic threat to Nigeria’s economic security.

According to him, in late March 2026, ByteToBreach claimed responsibility for hitting Sterling Bank, allegedly accessing 900,000 customer accounts and 3,000 employee records, including Bank Verification Numbers (BVNs), National Identity Numbers (NINs), and passports. However, the real prize was the pivot from the bank to Remita, the fintech backbone that processes salaries, taxes, and payments for the Nigerian government.

He disclosed that the Remita breach allegedly involved a misconfigured Amazon S3 cloud storage bucket, exposing roughly three terabytes of data. This specific technical detail, cloud misconfiguration—is often the result of human error rather than sophisticated hacking. It suggests a systemic failure in data asset management within Nigeria’s digital supply chain.

Already, the CAC issued a public notice via X, saying it is reviewing its system. Signed by its management, the CAC said it is currently reviewing a cybersecurity incident involving unauthorised access to limited aspects of its information systems.

A pattern and history of attacks

Targets on government agencies are not new but have been intensified lately. Recall that in March and June 2024, Paradigm Initiative (PIN) revealed that several unauthorised websites—most notably AnyVerify.com.ng and XpressVerify.com.ng claimed to provide access to the personal data of Nigerians for as little as N100.

The websites allegedly offered access to NIN, BVN, international passport details, and Tax Identification Numbers (TIN). It was suggested that these sites were either pulling data directly from NIMC’s ecosystem or utilizing access granted to third-party verification agents.

NIMC consistently denied that its central database was hacked or “breached” in the traditional sense. The Commission stated that while they work with licensed verification partners, many of the sites mentioned (like XpressVerify) were never authorised partners.

In early 2024, the Director-General, Abisoye Coker-Odusote, ordered a full-scale investigation to see if any licensed “Tokenisation verification agents” had violated their licensing agreements by sub-leasing access to unauthorised entities.

NIMC had attributed the availability of some data to ‘data harvesting,’ where Nigerians inadvertently provide their details to phishing sites or unauthorized “business centers” while seeking services.

Experts have since called for tightening the Digital Public Infrastructure (DPI) to guard against persistent data breaches in the country.

Indeed, activities of ByteToBreach are fast spreading and not limited to Africa alone. For instance, ByteToBreach has also claimed responsibility for a sophisticated attack on Sweden’s e-government infrastructure, leaking source code and API keys. This international footprint indicated the actor is not merely a local operator but a highly capable threat operator with a specific interest in humiliating state institutions and selling access to state-backed economic data.

Stakeholders react

Speaking with The Guardian, a cybersecurity expert, Allen Aliogwo, said that while the CAC is the Registrar of Companies, its database contains the legal identity of every entity doing business in Nigeria. He said the loss of 25 million documents does not just mean leaked addresses; it means the exposure of Beneficial Ownership structures.

Explaining the geopolitical implications, he said Nigeria has been under international pressure to crack down on money laundering and the use of shell companies. The CAC, under Registrar-General Hussaini Magaji, has recently been vocal about cleaning up the register, handing over 248 fake company registrations to the EFCC and promising transparency reforms. He said this breach essentially undermines those efforts entirely.

According to him, fraudsters now have a ‘master key’ to see exactly how legitimate (and illegitimate) companies are structured, allowing them to craft believable identity theft rings or blackmail corporate executives.

For nation-states, he said, rival nations or intelligence services can map out the ownership of critical infrastructure (oil, gas, telecoms) to identify vulnerabilities or leverage points.

The timing is particularly brutal. Aliogwo, who said the breach on CAC, confirmed a failure of digital stewardship.

He further raised concerns about the attacks on Remita, Sterling Bank, and now the CAC, saying they have put the Nigeria Data Protection Commission (NDPC) in the hot seat.

According to him, following the financial sector breaches, the NDPC launched a full-scale investigation, serving formal notices on April 1, 2026. However, the CAC breach demonstrated that the vulnerability is not isolated to banking Application Programming Interface (APIs) but is systemic within government infrastructure.

He disclosed that other arms of the government are also showing signs of digital decay, stressing that the NDPC and other security operatives must work to close Nigeria’s porous online space.

Aliogwo said if the think-tank responsible for strategic planning cannot secure its digital correspondence, what hope is there for the commission registering millions of businesses?

“The CAC breach is not just about lost files; it is about digital sovereignty. A foreign (or hostile) actor now potentially possesses the blueprint of Nigeria’s formal economy. The “GOV_BETRAYAL” screenshot in the proof package suggests the actor feels they have exposed a state that failed to protect its citizens.

“For business owners, the risk is existential: your company’s registration details are now commodities. For the government, the question is no longer just about punishment but about survival. How can any digital ID or tax reform proceed when the central registry is compromised? ByteToBreach has fired a shot across the bow of the Nigerian state,” he stated.

According to a Digital Strategist and Cyber security expert, Emeka Orjiani, who frowned at the state of Nigeria’s cyber security architecture, which to him, have become archaic, “It should be noted that the Internet is just a free world of interconnected computers, hackers learn how to obtain and bypass archaic software, poor frameworks, poor infrastructures. When a system is built and never patched, fixed, replaced or the right thing done, the wicked “Actors” would always breach and cart away digital assets.

“Information is power, this tells you that there’s a lot more to come should the whole NDPC commission and the whole technology agencies and ministries not come together to hire the right people, teach their people, train the staff who use this system and begin to evaluate our infrastructure as a nation. This is not the time to smoothen a party member to become a minister, the time to bring people to fight for the sovereignty of the country is here.”

He revealed that states and nations engage in cyber warfare, where they pay certain people to defend or even attack other nations, “I won’t mention names, but it’s been a thing, breach upon breaches would continue to happen and if our Government doesn’t do the right thing. One day, we won’t have anything secured to boast about.

“Losing 750GB of nations’ data is serious and some people should begin to resign and face shame or music. The said data or company housing the infrastructure should be investigated and the right thing done.”

A member of the ICT Elders Forum, who preferred anonymity, raised concerns about the security of the Independent National Electoral Commission (INEC) ahead of the 2027 general elections.

Frowning on the CAC breach, he said for Nigeria heading into 2027, deepening security has to happen on two fronts at once: physical election security and online/digital security. He said both should get attention now because the risks are already showing up.

According to him, the CAC breach and others within the financial ecosystem are pointers to what may likely come in the months to come.

He said INEC’s systems like IReV and BVAS are targets for ransomware, DDoS, data theft, or upload failures that erode trust.

He recalled that during 2023, IReV had unexplained downtime during uploads. He warned that “subtle threats like slowdowns, upload failures, or disinformation spikes” are harder to trace but very effective at undermining trust.

According to him, INEC should start running cyber hygiene workshops for ICT staff to practice strong passwords, MFA, software updates, backups, and network security.

Further on the CAC alleged breach, the ICT expert said it should be noted now that there has been an exposure, “If you are registered in Nigeria, assume your CAC data is compromised. Criminals will use the stolen corporate data to trick finance teams into fraudulent payments. Expect the NDPC to levy historic fines against the CAC and its vendors if the breach is confirmed, following the precedent set by the banking sector probes.”

Innovation and Technology Policy Advisor and Founder, Jidaw.com, Jide Awe, said the CAC attack is not an isolated incident, but part of a broader pattern that emerges when digitization moves faster than the systems meant to secure it.

Awe said while agencies have rapidly invested in ICT and expanded digital services, the underlying infrastructure, human capabilities, and security culture have not kept pace, reflecting the typical imbalance between “innovation-first” and “security-by-design.”

He said these incidents are evidence of the exploitation of that gap and represent a growing national security concern in the digital era.

According to him, attackers may increasingly see Nigeria as a more attractive target than more mature economies if they perceive that valuable and sensitive government data and platforms are less protected. He said this creates opportunities for exploitation, including impersonation and financial crimes.

The Jidaw.com Founder said deepening security across government systems requires adopting a “security-by-design” culture from the top, where security is embedded in how systems are designed, managed, and governed. The current reactive approach is outdated and harmful.

“Given the potential impact on trust, revenue, and national stability, cybersecurity must be treated not just as an IT function but as a leadership and agency-wide priority. It requires innovative cybersecurity leadership that demonstrates genuine, practical, and institutional commitment to enforcement, monitoring (through testing and assessments), accountability, and continuous learning and adaptation.

“For MDAs, the NDPC must ensure strong enforcement of the Nigeria Data Protection Act, with real consequences for non-compliance and violations.

“Deepening security is not possible without adequate and competent human capacity. There is a clear need to strengthen expertise in cybersecurity, data protection, and privacy within the public sector, alongside improving awareness and practices among staff and users.

“A ‘zero trust’ approach, where no user or system is automatically trusted, even within government networks, should be adopted. MDAs should be held to the same cybersecurity and data protection standards as the private sector, if not higher.

“Finally, transparency around cyber security incidents is essential. Open communication helps build trust and maintain public confidence, even in the face of challenges,” Awe noted.

In its “Nigeria Cyber Security Outlook 2026” report, Deloitte highlighted a growing risk of ransomware and phishing attacks as Nigeria’s digital economy expands and more services move online.

The report noted that the economic impact of cybercrime has been significant, with Nigeria losing more than $3 billion between 2019 and 2025, and yearly losses estimated at around $500 million. The rapid migration of payments, data, and critical services online is expected to drive further increases in cyber threats in 2026.

Deloitte emphasised that organisations do not necessarily need expensive or complex solutions to build resilience. Recommended measures include human-AI collaboration for better threat detection, adopting a Zero Trust security architecture to verify every access request based on identity and intent, and implementing basic cybersecurity hygiene, such as staff training, stronger account protection, and clear recovery plans.

While it had started an investigation into the CAC breach, the NDPC, in a notice over the weekend, issued an advisory on the escalating threats to data security architecture in the country.

In a public notice published on its X handle and signed by Head, Legal, Enforcement and Regulations, Babatunde Bamigboye, NDPC said its technical assessment showed that some shadowy threat actors have engaged in coordinated operations targeting financial systems and some key digital infrastructure in Nigeria.

As such, the Commission strongly advises that data controllers and processors (including MDAs) urgently step up their technical and organisational measures to ensure the privacy of all Nigerians and other data subjects in line with the NDP Act, 2023.

According to it, these measures include, but are not limited to: Appointment of duly trained and certified Data Protection Officers; Development and effectual implementation of Privacy Policies, and information security standards; Carrying out Data Privacy Impact Assessments; Deployment of robust identity and access controls, including Multi-Factor Authentication (MFA).

Others are implementation of zero-trust security architecture and network segmentation; immediate remediation of identified system vulnerabilities and continuous patch management; Securing cloud infrastructure, APIs, databases, and access credentials; Implementation of encryption, key management, and secure credential handling; conduct of Vulnerability Assessment and Penetration Testing (VAPT) on critical systems, and Regular backup, recovery, and resilience testing. (The Guardian)