David Odes

12K posts

@chiefdavidsays

Cybersecurity & Privacy Researcher, Speaker and Instructor. Founder @WebSecurityLab. Tweets on how technology, cybersecurity and policy impact society.

/var/log · Joined May 2013
374 Following · 1.1K Followers
Pinned Tweet
David Odes
David Odes@chiefdavidsays·
Three weeks ago, a threat actor called ByteToBreach walked through Nigeria’s financial infrastructure using a single unpatched vulnerability at Sterling Bank as the door. What followed was nine days of undetected access with core banking data, sensitive customer information and employee records exfiltrated before the actor pivoted into Remita, Nigeria’s government payment backbone. From Remita they took everything. 3TB of data. Including sensitive and personal information of over a million Nigerians (across both breaches). I spent the last week reconstructing the full attack chain from the artefacts the actor published. I have now produced a narrative investigation on my new substack and a technical analysis on @WebSecurityLab covering the complete breach from the first CVE exploit to the published HSM key directory. This was published in the hope that the lessons from these events prove more durable than the events themselves. Security failures of this scale are painful. They are also, when documented carefully and honestly, among the most valuable contributions one can make to an ecosystem that is still maturing. Nigeria’s banking story is one of the most compelling in the world. It deserves a security culture to match. Read the full investigation here: securityintelligence.substack.com/p/sterling-ban…
David Odes retweeted
Tom's Hardware
Tom's Hardware@tomshardware·
Anthropic's Claude Mythos isn't a sentient super-hacker, it's a sales pitch — claims of 'thousands' of severe zero-days rely on just 198 manual reviews tomshardware.com/tech-industry/…
David Odes retweeted
Pirat_Nation 🔴
Pirat_Nation 🔴@Pirat_Nation·
Warning🚨 CPU-Z and HWMonitor websites have been hacked and are delivering malware downloads. Do not download CPU-Z or HWMonitor right now. Reports confirm the official CPUID website was compromised and some downloads were replaced with malware-infected installer files. If you downloaded or updated either app recently, run a full antivirus scan immediately.
Elewa,
Elewa,@Promythious·
Today is my birthday, so I wrote a Substack about the struggles of fixing my iPhone 13 (blue, no bumps) in Lagos. Please retweet. open.substack.com/pub/elewa/p/a-…
David Odes
David Odes@chiefdavidsays·
On the infrastructure details, those are documented information the attacker had already published across criminal communities. Yes, I get the access concern, but the public interest in documenting exactly how this breach happened, so other institutions can recognise and fix the same failures, outweighs the marginal amplification risk of already-public information. More importantly, Sterling Bank was breached March 18. The attacker published these infrastructure details publicly on March 27. It is now April 8. If that infrastructure is still live twelve days after public disclosure, we have an even bigger problem.

On the 900K, your subnet analogy is fair for a port scan. The Temenos situation is different, and that distinction is important. The actor did not show us servers existed and leave it there. They demonstrated live unrestricted API calls returning complete financial records for any account queried. The focus was just on the bank's leadership instead. That could have been any one of the bank's 900K customers. The 900K is the actor's claim and I have clarified as such, but unrestricted functional access to customer-level banking APIs is a materially different evidentiary position than a network scan.

On the S3 bucket, yes, access versus exfiltration is a valid distinction. The report draws it. The social post compressed it. We'll never get access to confirmation logs. I agree with you there. Also, I would try and engage tomorrow if my schedule permits.
Hamzah 'Lateef
Hamzah 'Lateef@password_ng·
Alright, based on what was published, the internal recon section captured all the subnets on which the Kubernetes sits, the naming convention in use, and at the same time some specific service names, which I am aware were extracted from the images the attacker posted. Just as it is not that easy for an attacker to change infrastructure details, so it is not for victims; some of this information will still continue to be in use internally even after the recovery from the incident. And anyone can come back to your website to look it up for whatever they are planning next.

On the amplification issue, permit me to ask you a simple question at this point. Can you point out a single customer record from the data you analyzed as released by the attacker? The attacker claimed 900K without a single sample being presented! Samples were given for the employees because he truly had it. Samples were given for the CEO's financial record, and others. The records targeted were those of the bank leadership at Sterling with their financials and PII; no single piece of evidence in a file or screenshot indicates a record of any other customer (the attacker having this remains a hypothesis). In addition, 3010 employees' data was exfiltrated with evidence provided. Note that an attacker's claim most times is to add pressure, and I can show you evidence right here on X where the attacker asserted to this hypothesis. Record count is good but not great, but let us put it like this: an attacker shows us you have 40 servers on a subnet during an internal scan of your network. Can you tell from that alone that all 40 servers were accessed and compromised by merely looking at a screenshot?

For the S3 bucket 🪣, a 588.25GB file size of the KYC service with 657,242 items was shown to us in a screenshot; the question of how much data the attacker accessed and took from the bucket can only be validated from an internal log which is only available to the affected organization. Hence from here the amount of accessible data and exfiltrated data from the bucket remains a hypothesis that needs to be validated. And to put this in a story now depends on how we want people to see it.

On the VM program coverage, if we are out to judge, that can fly, but if we are out to analyze the data based on available information provided by the attacker, no evidence supports this; experience also suggests that successful exploitation doesn't mean the program doesn't exist. The bank may also have additional information that we don't about this environment and its governance program. In cyber we say things only when we are sure, to ensure we don't put ourselves and people in trouble. And when we are not sure, we report it as such, especially when we have less evidence corroborating those statements.

On the aspect of peer review, we have a similar session tomorrow and I invite you to join by 3PM WAT.
David Odes retweeted
Windscribe
Windscribe@windscribecom·
It appears @Microsoft is actively suspending developer accounts with no warning or reason of various security tools like VeraCrypt, WireGuard and also Windscribe. We've had this VERIFIED account for 8+ years to sign our drivers. We've been trying to resolve this for over a month, and getting nowhere. Support is non-existent. Anyone know a human with a brain that still works at Microsoft and can help?
vx-underground@vxunderground

Microsoft suspended the developer account for WireGuard (and also VeraCrypt). Why? Literally nobody knows. Presumably it's because Microsoft hates everyone and wants us all to suffer.

David Odes
David Odes@chiefdavidsays·
Hamzah, thank you. I appreciate the engagement and the points raised. On victim information: the piece contains no PII. Names, addresses, BVN numbers and identifying details are not in the text. The images are blurred. Could you clarify what you mean based on what was published?

On the amplification concern, I think the tension is real and worth acknowledging. The position I have taken is that the public interest in people knowing their data was compromised outweighs the amplification risk, particularly given that neither Sterling Bank nor Remita has notified anyone. It's a judgement call.

On the evidentiary points though, here's some clarity: On the record count. Over 900,000 Sterling Bank customers affected plus 657,242 confirmed KYC files from Remita's S3 bucket equals over 1.5 million records across the campaign. The figures are sourced directly from the actor's published artefacts and the verified dump files. On the point about Sterling Bank having a vulnerability management program, the evidence of absence is the successful exploitation itself. CVE-2025-55182 had a public patch. The server was unpatched and internet-facing. A functioning VM program covering non-prod environments would have caught that.

The peer review is genuinely appreciated. Happy to discuss further.
Hamzah 'Lateef
Hamzah 'Lateef@password_ng·
David, you are doing great work and I recommend you keep it up professionally. You may have given out too much information about the victims that can make them become victims again in your analysis; remember those extra details used in your analysis were lifted from the dark web post and you have now brought them up to the surface web. Enough redaction on the assets list may be better. I saw those disclaimers but, to be very honest, it doesn't work like that: there are so many claims in your writeup, and from the evidence released by the attacker, you may not be able to prove them all. For example, there is no evidence he took everything in the case of Remita, but you said so; no evidence of the bank not having a VM program covering the non-prod environment; no evidence of over 1 million personal records of Nigerians having been impacted across both breaches, unless you are looking at data other than what the attacker published himself. This is just to point out a few, and to note that in our course to educate and create awareness, we don't let sensationalism take over and misinformation become the order of the day. This can further damage the digital trust left within the ecosystem and create fear 😨. Thank you.
David Odes
David Odes@chiefdavidsays·
Sterling Bank and Remita were not the only victims. Cardinal Stone, majority shareholders in Sterling Bank and one of Nigeria’s leading asset management firms got hit as well as a result of their relationship with the bank.
David Odes
David Odes@chiefdavidsays·
How it happened:
David Odes@chiefdavidsays
(quoting the pinned tweet above)
David Odes
David Odes@chiefdavidsays·
Didn’t cover this as much in the substack piece, but ByteToBreach posted every piece of personal information you can imagine about Sterling Bank’s CEO, including his home address and the loans he had collected.
David Odes retweeted
Web Security Lab
Web Security Lab@WebSecurityLab·
We’ve published Volume I of our ByteToBreach campaign analysis: a full technical post-mortem of the Sterling Bank Plc breach. This report reconstructs the complete attack chain from initial access (March 18, 2026) through to the Cardinal Stone pivot.
David Odes retweeted
tanuki42
tanuki42@tanuki42_·
Here is a video of a North Korean IT worker being stopped dead in their tracks upon being required to insult Kim Jong Un. It won't work forever, but right now it's genuinely an effective filter. I'm yet to come across one who can say it.
Micah Zoltu@MicahZoltu

@pcaversaccio @eiritana I would be interested in seeing data that supports the idea that DPRK workers are stopped dead in their tracks upon being required to insult Kim.
