Election data at risk as hackers hold govt agencies, banks to ransom

A sophisticated wave of ransomware attacks has remained a threat to Nigerian government agencies and tier-1 financial institutions over the last three weeks, exposing deep-seated systemic fragilities in the nation’s rapidly digitising economy.

Reports from the National Information Technology Development Agency (NITDA) and the Corporate Affairs Commission (CAC) confirmed that ‘coordinated and sophisticated’ threat actors have successfully breached critical infrastructure, leading to service outages and the suspected exfiltration of sensitive citizen data.

In a sign of the severity of the breach, the CAC temporarily suspended the companies’ registration portal, while the Nigeria Data Protection Commission (NDPC) has commenced a probe into the attacks.

The fragilities of Nigeria’s cybersecurity landscape have shifted from opportunistic fraud to high-stakes institutional extortion. These gaps have raised serious concerns about the country’s porous cyberspace, especially as Nigeria prepares for the 2027 general elections, considering that the Independent National Electoral Commission (INEC) might become a target. This comes as reports have revealed that Nigerian organisations are facing about 4,700 cyberattacks per week, showing the intensity of the criminals’ activity.

Earlier in February, The Guardian, while analysing a report by Check Point, a leading cyber security firm, had warned of a possible surge in cyberattacks this year, with major targets being African banks.

The report showed that the global financial sector suffered a staggering 115 per cent surge in cyberattacks last year, with cases rising from 864 in 2024 to 1,858 in 2025, and warned banks and institutions.

Indeed, last week, news filtered in that approximately 25 million documents have allegedly been exfiltrated from the infrastructure of the CAC of Nigeria, the government agency responsible for company registrations.

Information gathered revealed that the threat actor was ByteToBreach, which unleashed a ransomware attack on the CAC in which some 25 million documents, totalling about 750GB, were breached. Based on findings, ByteToBreach is a prolific threat actor and data leak trader active since at least June 2025, specialising in exploiting Internet-facing systems to steal, sell, and publish sensitive databases.

On the CAC attack, the threat actor provided seven proof screenshots documenting the attack stages: Breakthrough (initial access), Escalation, Takeover (domain admin/super admin control), Portals (access to internal/external user portals), Full Access (exfiltration of sensitive state records), Government Betrayal, and Exfil Time (data staging and download).

About 25 per cent of the files are described as simple corporate signatures, leaving more than 15 million documents of substance. The actor stated they tried to upload as much as possible for free, but server instability limited the free portion to 750GB.

While the actor noted that roughly 25 per cent of the haul is ‘simple corporate signatures,’ the remaining over 15 million documents represent a goldmine of sensitive corporate intelligence, ownership structures, and identity data.

For context, this breach is not occurring in a vacuum. It is the third major strike by ByteToBreach in recent weeks, following attacks on the Remita payment platform and Sterling Bank.

READ THE FULL STORY IN THE GUARDIAN
