Threat actor ByteToBreach has claimed responsibility for a significant breach of Nigeria's Sterling Bank Plc, allegedly exposing more than 9 million records tied to roughly 900,000 customer accounts and over 3,000 employee records. The claim, first reported by NewsTimes.com.ng and tracked by threat intelligence firm KELA Cyber, surfaced on the English-language dark web platform DarkForum last week. Sterling Bank declined to comment when contacted on April 2, 2026.

What Happened

ByteToBreach published what it described as a multi-terabyte trove of stolen data on DarkForum, a known clearinghouse for leaked databases, malware, and hacking tools. The actor claims the compromised systems sat inside Sterling Bank's internal network as defined by the bank's autonomous system number (ASN), suggesting a direct intrusion into the bank's environment rather than a third-party supplier compromise. The actor further alleges that access obtained from the Sterling Bank intrusion was leveraged to pivot into external systems, including the Remita payment platform and CRC Credit Bureau, one of Nigeria's largest credit reporting agencies. A separate dataset attributed to investment firm Cardinal Stone was also referenced. None of the named organizations have publicly confirmed the incident.

What Was Taken

According to ByteToBreach's claims, approximately 3 terabytes of data were exfiltrated from cloud storage, including over 800 gigabytes tied specifically to Know Your Customer (KYC) services. The dataset reportedly contains:

The combination of identity documents, financial records, and back-end database content represents a near worst-case exposure profile for a retail bank.

Why It Matters

A confirmed compromise at this scale would be one of the most consequential financial sector incidents in West Africa to date. The blast radius extends well beyond Sterling Bank itself: Remita is embedded in government and corporate payment workflows across Nigeria, while CRC Credit Bureau holds credit files for a substantial share of the country's banked population. If the pivot claims are accurate, downstream identity theft, account takeover, and synthetic identity fraud could ripple through the Nigerian financial ecosystem for years. The KYC document trove is particularly damaging: passports and utility bills do not rotate the way passwords do, and they fuel high-trust fraud against any institution relying on document-based onboarding.

The Attack Technique

ByteToBreach has not publicly disclosed the initial access vector, but the technical claims point to deep internal access rather than a perimeter scrape. Compromise of cloud storage buckets, exfiltration of relational database backups, and access to container registries collectively suggest the actor obtained credentialed access to DevOps or cloud administration tooling. The reported ability to pivot from Sterling Bank into Remita and CRC Credit Bureau implies either reused credentials, trusted network paths between integrated financial systems, or harvested API keys and service tokens. KELA Cyber has tracked ByteToBreach since at least June 2025 across multiple continents and verticals, including a prior incident involving Uzbekistan Airways passenger data, indicating an experienced operator rather than an opportunistic intruder.

What Organizations Should Do

  1. Audit cloud storage and registry exposure. Inventory S3-equivalent buckets, container registries, and database backup locations. Enforce least-privilege IAM, block public access by default, and enable detailed object-level logging.
  2. Rotate secrets and revoke long-lived credentials. Treat any API key, service account, or database credential potentially exposed in source repos, CI logs, or container images as compromised. Move to short-lived tokens.
  3. Hunt for lateral movement between integrated financial systems. Banks integrated with payment switches, credit bureaus, or KYC providers should review authentication logs for anomalous access from partner-facing service accounts.
  4. Tighten KYC document handling. Encrypt identity documents at rest with customer-scoped keys, enforce strict access logging, and segment KYC stores from general application infrastructure.
  5. Monitor DarkForum and adjacent leak sites. Engage threat intelligence providers tracking ByteToBreach to obtain sample data and validate exposure of your own customers, vendors, or staff.
  6. Prepare customer notification and fraud controls. Pre-stage step-up authentication, transaction monitoring rules, and customer communications in case downstream fraud emerges from leaked PII and KYC documents.
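Step 3 above, and the credential-reuse hypothesis in the attack-technique section, are the ones most amenable to a concrete hunt. The script below is an added example written for this page, not code from the article, KELA Cyber, or any of the named organizations. It assumes a JSON-lines authentication log with `ts`, `user`, `src_ip` and `target` fields, a hypothetical per-account policy listing the partner source ranges and permitted target systems for each partner-facing service account, and constructed sample events; the account names, CIDRs and target systems are all invented. It flags a service account used from outside its partner's range, an account reaching a system outside its integration scope, and one host presenting several partner service accounts within a short window, which is the pattern harvested credentials replayed from a single foothold would leave.

```python
"""Hunt for anomalous use of partner-facing service accounts in auth logs.

Added example, not from the article or any named organisation. Account names,
CIDRs, target systems and log lines below are constructed for illustration.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical per-account policy: the source ranges a partner integration is
# expected to connect from, and the only internal targets that account may reach.
SERVICE_ACCOUNT_POLICY = {
    "svc-payment-switch": {"cidrs": ["10.40.0.0/16"], "targets": {"payments-api"}},
    "svc-credit-bureau": {"cidrs": ["10.50.0.0/24"], "targets": {"credit-lookup"}},
}

# Window in which one host using several service accounts is treated as a
# likely credential-reuse pivot rather than legitimate traffic.
PIVOT_WINDOW = timedelta(minutes=10)

# Constructed sample log lines (JSON per line), not real telemetry.
SAMPLE_LOG = """\
{"ts": "2026-04-01T09:00:00", "user": "svc-payment-switch", "src_ip": "10.40.3.7", "target": "payments-api", "result": "success"}
{"ts": "2026-04-01T09:01:00", "user": "svc-credit-bureau", "src_ip": "10.50.0.12", "target": "credit-lookup", "result": "success"}
{"ts": "2026-04-01T09:02:00", "user": "alice", "src_ip": "10.1.2.3", "target": "payments-api", "result": "success"}
{"ts": "2026-04-01T09:05:00", "user": "svc-payment-switch", "src_ip": "172.16.9.20", "target": "payments-api", "result": "success"}
{"ts": "2026-04-01T09:06:00", "user": "svc-payment-switch", "src_ip": "172.16.9.20", "target": "kyc-document-store", "result": "success"}
{"ts": "2026-04-01T09:07:00", "user": "svc-credit-bureau", "src_ip": "172.16.9.20", "target": "credit-lookup", "result": "success"}
"""


def parse_events(text):
    """Parse JSON-lines auth events and return them ordered by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda ev: ev["ts"])


def hunt(text, policy=SERVICE_ACCOUNT_POLICY, window=PIVOT_WINDOW):
    """Return a list of findings; each is (account, rule, detail, timestamp)."""
    findings = []
    by_source = defaultdict(list)  # src_ip -> [(ts, account)] for pivot detection
    for ev in parse_events(text):
        acct = ev["user"]
        pol = policy.get(acct)
        if pol is None:
            continue  # human users are out of scope for this hunt
        src = ipaddress.ip_address(ev["src_ip"])
        if not any(src in ipaddress.ip_network(c) for c in pol["cidrs"]):
            findings.append((acct, "source_outside_partner_range", ev["src_ip"], ev["ts"]))
        if ev["target"] not in pol["targets"]:
            findings.append((acct, "target_out_of_scope", ev["target"], ev["ts"]))
        # One host presenting several partner service accounts inside the window
        # is the signature of harvested credentials being replayed from a foothold.
        hist = by_source[ev["src_ip"]]
        hist.append((ev["ts"], acct))
        recent_accts = {a for ts, a in hist if ev["ts"] - ts <= window}
        if len(recent_accts) > 1:
            findings.append((acct, "shared_source_across_accounts", ev["src_ip"], ev["ts"]))
    return findings


def summarize(findings):
    """Count findings per rule so the hunt output can be triaged at a glance."""
    counts = defaultdict(int)
    for _, rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for acct, rule, detail, ts in hunt(SAMPLE_LOG):
        print(f"{ts.isoformat()} {acct:20} {rule:30} {detail}")
    print(summarize(hunt(SAMPLE_LOG)))
```

On the constructed sample the hunt stays quiet for the two in-range partner logins and the human user, then raises five findings for the three events from 172.16.9.20: the host is outside both partners' ranges, it reaches a KYC document store the payment-switch account has no business touching, and it presents a second partner account within the window. In a real environment the policy table would be generated from the integration inventory rather than hand-written, and the window tuned against a baseline of normal partner traffic.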

Sources: 900,000 accounts at risk as hacker claims breach of Sterling Bank's Data - NewsTimes.com.ng