CAC hack exposes 15m company documents, undermining Nigeria’s anti-money laundering reforms


Hackers have stolen and leaked more than 15 million sensitive company documents from Nigeria’s Corporate Affairs Commission (CAC). 

The attack has badly damaged the government’s push to fight money laundering and clean up fake businesses.

The ransomware group known as ByteToBreach carried out the attack. They took around 25 million files in total, about 750 gigabytes of data. The group posted proof online, including seven screenshots that show every step of the hack. 

These screenshots start from the first break-in and end with full control of the system. One screenshot is labelled ‘GOV_BETRAYAL’, as if the hackers are mocking the Nigerian government for failing to protect its own data.

The CAC quickly shut down its company registration portal to stop more damage. It also warned people to be careful about fake messages. The Nigeria Data Protection Commission (NDPC) has now opened a full investigation.

This is not the first time ByteToBreach has hit Nigeria. In recent weeks, the same group attacked Sterling Bank and the Remita payment platform. Remita handles salaries, taxes, and payments for the whole government. Together, these attacks show a clear pattern: the hackers are going after Nigeria’s most important digital systems one by one.

What exactly was stolen and why it hurts anti-money laundering reforms

The CAC is the official registry for every company, business name, and incorporated trustee in Nigeria. Its database holds legal identities, ownership details, directors’ information, and company structures. 

Experts say more than 15 million of the leaked files contain real substance, not just simple signatures. These files include beneficial ownership records, which show who really owns and controls each company.

For years, Nigeria has faced strong international pressure to stop the use of shell companies for hiding dirty money, corruption, and financial crimes. The CAC, under registrar-general Hussaini Magaji, has been leading major reforms. It recently handed over 248 suspected fake company registrations to the Economic and Financial Crimes Commission (EFCC) and promised greater transparency in the register. 

The goal was to build a clean beneficial ownership database so banks, courts, and investigators could easily check who truly controls a business.

The breach has now torpedoed much of that progress. Fraudsters now have a master key to Nigeria’s entire formal economy. They can see exactly how both legitimate and fake companies are structured. This makes it easy to copy real setups and create more convincing shell companies, commit identity theft, blackmail directors, or divert funds through fake invoices. 

Even rival nations or intelligence services could use the leaked data to map ownership in critical sectors such as oil, gas, and telecommunications.

DeMayor, a system security expert, explained the damage clearly, stating, “When a bank conducts due diligence on a corporate client, it checks the CAC. When a court needs to establish legal ownership of a company, or when the EFCC investigates fraud or a contract dispute, they rely on this same register.”

ByteToBreach walked straight through that door, sat down, and stole everything.

Abdul Kadir, cybersecurity instructor, called the CAC breach the most serious so far, stating, “Nigeria is rapidly becoming ByteToBreach’s personal proving ground and the CAC breach might be the most consequential hit yet… The CAC is Nigeria’s central corporate registry, every registered business… runs through it. 

“A 25 million document exfiltration from that database means exposure of incorporation records, ownership structures… at a national scale… Maybe with this new chain of events, we might get to see an upgrade in the cybersecurity sector of Nigeria.”

A chain of attacks and human mistakes

The CAC breach is the third big strike by ByteToBreach in just a few weeks. First came Sterling Bank, where the hackers claimed access to 900,000 customer accounts and 3,000 staff records, including Bank Verification Numbers (BVNs), National Identity Numbers (NINs), and passports. 

Then they moved to Remita. That breach happened because of a simple mistake: a misconfigured Amazon cloud storage bucket that left three terabytes of data open. No fancy hacking was needed; it was basic human error in how data was stored and protected.

ByteToBreach has been active since at least June 2025. The group specialises in stealing and selling large databases from government and company systems. It is not just targeting Nigeria. The same actor also claimed a sophisticated attack on Sweden’s e-government systems, leaking source code and API keys.

Nigeria is already under huge cyber pressure. Reports show Nigerian organisations face about 4,700 cyberattacks every week. A Check Point study earlier this year warned of a 115 percent rise in attacks on the global financial sector, with African banks especially at risk.

Between 2019 and 2025, cybercrime cost Nigeria more than $3 billion, roughly $500 million every year, according to Deloitte’s “Nigeria Cyber Security Outlook 2026” report.

What the government is doing

The CAC has confirmed the incident and says it is reviewing limited aspects of its systems. The NDPC has issued a strong advisory to all government agencies and companies. It tells them to act fast: appoint trained data protection officers, use multi-factor authentication (MFA), update software regularly, run security tests, encrypt data, and make proper backups. The commission warned that weak security puts every Nigerian’s privacy at risk.

The timing makes the problem worse. Nigeria is preparing for the 2027 general elections. Experts worry that hackers could target the Independent National Electoral Commission (INEC) next, especially systems like the IReV portal and BVAS machines. If election data is not safe, public trust could collapse.

David Odes, cybersecurity researcher and founder of WebSecurityLab, had earlier analysed the group’s attacks on Sterling Bank and Remita. On 8 April he wrote about the full attack chain and called for a stronger security culture in Nigeria’s fast-growing digital economy. 

He later emailed ByteToBreach with accountability questions and broke down the CAC breach in detail.

Gabriel Odusanya, security researcher and ethical hacker, commented on the NDPC’s launch of a full investigation into the CAC breach and noted that the registration portal was suspended for maintenance and security upgrades.

According to Odusanya, Nigeria’s digital systems are expanding quickly, but security, training, and proper staff are not keeping up. 

Other security experts pointed to archaic software and the habit of giving tech jobs to political friends instead of skilled people.

What happens next?

No one knows yet if the full 25 million documents are already being sold on the dark web or used for crimes. The leaked 750 GB portion is already circulating freely on some file-hosting sites. Every business owner in Nigeria is being told to assume their company data is now public. 

Banks and finance teams should watch for sudden fake payment requests or CEO fraud.

The NDPC can fine organisations up to N10 million or two percent of their annual revenue, but many experts say the penalties are too small to force real change.

The CAC breach is more than just lost files. It is a warning that Nigeria’s rapid move to digital services has created big weaknesses. 

Cloud mistakes, unpatched systems, weak passwords, and poor staff training have left the country open. 

As one analyst put it, “Information is power, and right now that power is in the hands of hackers.”

For ordinary Nigerians and businesses, the message is simple: change your passwords, enable two-factor authentication, and stay alert. 

For the government, the message is louder: treat cybersecurity as a national priority, not an afterthought. Hire the right people, train staff properly, and build systems with security from the start, before the next election or the next big attack makes things even worse.
