A report by Security Intelligence alleges that a global threat actor, ByteToBreach, exploited an unpatched vulnerability on a Sterling Bank testing server in March 2026, triggering a chain of intrusions that ultimately reached Remita, Nigeria’s central government payment platform.
According to the report, the attacker gained access through a known flaw (CVE-2025-55182) on a public-facing Sterling Bank environment. From there, they allegedly maintained persistence for days, extracted internal credentials, mapped infrastructure, and accessed sensitive systems including employee records, customer banking data, and integrations with credit and investment platforms.
The report further claims that the breach at Sterling Bank became a “pivot point,” enabling lateral movement into interconnected financial systems. This eventually led to alleged compromise of Remita, the infrastructure responsible for federal payroll, revenue collection, and inter-agency government payments.
It states that attackers accessed source code repositories, cloud storage, and databases containing large volumes of Know Your Customer (KYC) documents, transaction records, and authentication data. It also raises concerns about exposed cryptographic keys linked to multiple Nigerian banks, though their authenticity has not been independently verified.
Authorities, including Nigeria’s Data Protection Commission, are reported to have opened investigations, while affected institutions have yet to issue comprehensive public disclosures at the time of publication.
The report concludes that the incident underscores systemic risk in interconnected financial systems, where a vulnerability in one institution can potentially cascade across national payment infrastructure.
