On the 15th day of April 2026, Nigeria’s Corporate Affairs Commission (CAC) the agency responsible for registering and maintaining records of all businesses, business names, and incorporated trustees suffered a major cyber attack.
Threat actor ByteToBreach claimed responsibility, exfiltrating approximately 25 million documents (around 750 GB of data publicly released for free download, with more allegedly held back).
The ransomware group known as ByteToBreach carried out the attack. They took around 25 million files in total, about 750 gigabytes of data. The group posted proof online, including seven screenshots that show every step of the hack.
These screenshots start from the first break-in and end with full control of the system. One screenshot is labelled ‘GOV_BETRAYAL’, as if the hackers are mocking the Nigerian government for failing to protect its own data.
The CAC quickly shut down its company registration portal to stop more damage. It also warned people to be careful about fake messages. The Nigeria Data Protection Commission (NDPC) has now opened a full investigation.
The attack has badly damaged the government’s push to fight money laundering and clean up fake businesses.
This is not the first time ByteToBreach has hit Nigeria. In recent weeks, the same group attacked Sterling Bank and the Remita payment platform. Remita handles salaries, taxes, and payments for the whole government. Together, these attacks show a clear pattern: the hackers are going after Nigeria’s most important digital systems one by one.
ByteToBreach is a threat actor and data leak operator, highly active in the first quarter of 2026, known for targeting financial institutions, government agencies, and critical infrastructure across Nigeria and globally.
ByteToBreach is a financially motivated data leak trader and access broker who trades under a single, consistent handle across multiple underground platforms. Its activity at dates as far back as June 2025, when it began advertising large corporate datasets and access on Dark Forums.
Outside the forums, BytetoReach reuses his contact details on a public WordPress site named “Pentesting Ltd.” The site mimics the appearance of a small security company, but in practice, it functions as a victim-shaming page. It lists hacked organizations as “very angry clients,” shows their logos, and invites new targets to “get hacked,” which suggests more trolling and attention-seeking than any real service.
Nigeria is already under huge cyber pressure. Reports show Nigerian organisations face about 4,700 cyberattacks every week. A CheckPoint study earlier this year warned of a 115 percent rise in attacks on the global financial sector, with African banks especially at risk.
The Latest CAC hack exposed over 15m company documents, undermining Nigeria’s anti-money laundering reforms.
ByteToBreach is not a conventional hacking group with a visible structure, ideology, or leadership hierarchy. It operates as a pseudonymous entity, likely comprising a small, highly efficient unit or even a single orchestrator supported by a loose network of collaborators.
Their model is built around stealing, packaging, and monetising sensitive information, often without visibly disrupting the victim’s operations.
The group has claimed responsibility for several sensitive data thefts and breaches in the past involving organisations like ICICI Prudential Mutual Fund, RDP (a PayU company), University of California, Ministry of Health of Panama, Nokia, Seychelles Commercial Bank, PKO Bank Polski (the largest bank in Poland), Uzbekistan Airways, euroAtlantic Airways, Avatel Telecom, Broadband Tower, Universidad Nacional Autonoma de Mexico, National Oil Eithopia, etc.
The CAC is the official registry for every company, business name, and incorporated trustee in Nigeria. Its database holds legal identities, ownership details, directors’ information, and company structures.
Experts say more than 15 million of the leaked files contain real substance, not just simple signatures. These files include beneficial ownership records, which show who really owns and controls each company.
For years, Nigeria has faced strong international pressure to stop the use of shell companies for hiding dirty money, corruption, and financial crimes. The CAC, under registrar-general Hussaini Magaji, has been leading major reforms. It recently handed over 248 suspected fake company registrations to the Economic and Financial Crimes Commission (EFCC) and promised greater transparency in the register.
The goal was to build a clean beneficial ownership database so banks, courts, and investigators could easily check who truly controls a business.
The CAC breach has now torpedoed much of that progress.
Fraudsters now have a master key to Nigeria’s entire formal economy. It means they can see exactly how both legitimate and fake companies are structured. This makes it easy to copy real setups and create more convincing shell companies, commit identity theft, blackmail directors, or divert funds through fake invoices.
Even rival nations or intelligence services could use the leaked data to map ownership in critical sectors such as oil, gas, and telecommunications.
The CAC breach is the third big strike carried out by ByteToBreach on Nigerian Firms in just a few weeks.
First came Sterling Bank, where the hackers claimed access to 900,000 customer accounts and 3,000 staff records, including Bank Verification Numbers (BVNs), National Identity Numbers (NINs), and passports.
Next, they moved to Remita. That breach happened because of a simple mistake, a misconfigured Amazon cloud storage bucket that left three terabytes of data open. No fancy hacking was needed; it was basic human error in how data was stored and protected.
ByteToBreach has been active since at least June 2025. The group specialises in stealing and selling large databases from government and company systems. It is not just targeting Nigeria. The same actor also claimed a sophisticated attack on Sweden’s e-government systems, leaking source code and API keys.
Between 2019 and 2025, cybercrime cost Nigeria more than $3 billion, roughly $500 million every year, according to Deloitte’s “Nigeria Cyber Security Outlook 2026” report.
The Corporate Affairs Commission (CAC) of Nigeria stores a vast repository of sensitive business, financial, and personal information crucial to the legal identity of companies. Recent reports highlight that this data includes, but is not limited to, the following types:
* Director/Shareholder Details: Full names, residential addresses, and phone numbers.
* National Identification Numbers (NIN): Details linked to registered users and business owners.
*Passport Photographs: Used for verification of identities.
*Signatures: Official signatures used on incorporation documents.
*Bank Verification Number (BVN) Information: Details of owners often linked for identification.
*Financial Reports & Audited Accounts: Sensitive annual financial performance records.
*POS/Agent Banking Data: Information on agents and merchants submitted for regularization.
*Internal Emails and Logins: User credentials, including passwords and email addresses.
*Memorandum and Articles of Association: Defines the company’s internal regulations and activities.
*Shareholding Structure: Information on company ownership and equity distribution.
*Board Resolutions: Records of sensitive company decisions.
These sensitive business information is gold in the hands of CyberHackers and CyberCriminals.
Armed with login credentials and passwords of business, hackers can easily access proprietary business data without getting noticed.
Once an unauthorized person has access to personal or financial information, they can delete, alter, or prevent access to it
The CAC after confirming the incident, says it is reviewing limited aspects of its systems. The Nigerian Data Protection Commission NDPC has issued a strong advisory to all government agencies and companies. It tells them to act fast: appoint trained data protection officers, use multi-factor authentication (MFA), update software regularly, run security tests, encrypt data, and make proper backups. The commission warned that weak security puts every Nigerian’s privacy at risk.
The timing of this Cyber Attacks makes the problem worse as Nigeria is preparing to head to the Polls to elect new leaders come 2027.
Going by the scale and success of this CAC data breach, hackers could target the Independent National Electoral Commission (INEC) next, especially systems like the IReV portal and BVAS machines used to electronically transmit election results and this could erode public trust possibly resulting in post-election violence.
The CAC breach is more than just lost files. It is a warning that Nigeria’s rapid move to digital services has created big weaknesses.
Cloud mistakes, unpatched systems, weak passwords, and poor staff training have left the country open.
For ordinary Nigerians and businesses, the message is simple: change your passwords, enable two-factor authentication, and stay alert.
For the government, the message is Louder: Treat cybersecurity as a national priority, not an afterthought. Hire the right people, train staff properly, and build systems with security from the start, before the next election or the next big attack makes things even worse.
A run down of the Stolen CAC Business Data shows, about 25% were described as corporate signatures, leaving over 15 million substantive documents containing sensitive business and personal information. CAC confirmed unauthorized access to “limited aspects” of its systems, shut down parts of its portal temporarily, and launched an investigation with the National Information Technology Development Agency (NITDA) and the Nigeria Data Protection Commission (NDPC).
ByteToBreach operates as a data exfiltrator and broker financially motivated rather than purely destructive.
Here’s how 25 Million Stolen CAC Data be Weaponized:
* Identity Theft and Impersonation
Fraudsters can use directors’ details (NIN, BVN, addresses, signatures) to impersonate business owners. They could pose as directors when contacting banks, suppliers, or partners, enabling unauthorized transactions or account takeovers.
* Corporate Fraud and Forgery
With access to ownership structures, signatures, and filings, criminals can forge documents to:
* File fake changes (e.g., adding/removing directors, transferring shares, or altering addresses).
* Create convincing shell companies that mimic legitimate ones for money laundering, tax evasion, or advance-fee scams.
* Generate fraudulent contracts or invoices using real corporate signatures.
* Carry out CEO Fraud and Business Email Compromise (BEC): Detailed knowledge of company structures and key personnel makes phishing and CEO Business Email Compromising Scams easy to carry out.
* Attackers can craft convincing emails or calls pretending to be executives, tricking employees or partners into wiring funds or sharing more data.
* Blackmail and Extortion
Sensitive personal or financial details (home addresses, linked IDs) could be used to blackmail directors or expose irregularities in company records.
* Criminal networks can cross-reference CAC info with other breached datasets (e.g., from banks or payment platforms) to build comprehensive profiles for fraud rings, human trafficking facilitation, or terrorist financing.
*Selling Access or Data
The actor as he has previously done in the past, can auction portions of Sensitive Nigerian Business Informations on dark web markets or use it to gain initial access to interconnected systems (e.g., banking platforms that rely on CAC Verification.
Vulnerable groups include Nigerian Businesses with prominent directors, those in high-value sectors (import/export, fintech, oil & gas), or companies with complex ownership. Even well-protected firms could suffer indirectly as BytetoReach exploits the Nigerian Business ecosystem.
ByteToBreach’s attacks on Nigerian institutions (Sterling Bank, Remita, now CAC) reveal a pattern of opportunistic exploitation of internet-facing systems with inadequate safeguards.
Nigeria’s rapid digitization has outpaced security in many government agencies, turning national registries into high value targets.
This incident isn’t just a technical failure it’s a wake-up call for businesses, regulators, and the government. Without urgent investments in cybersecurity (segmentation, zero-trust models, regular audits, and skilled personnel), more breaches will follow, eroding trust in the formal economy.
Leave a Reply