Introduction
Have you ever read about a data breach and thought, "okay… but what does this actually have to do with us?" It is a fair question. Most of the time these incidents are reported like distant news or buried in technical language that never quite connects to the decisions you make every day — and that gap makes it easy to dismiss patterns that are already inside your organisation waiting to be found.
That is exactly why we are introducing The Security Drop, starting with this very first edition.
Every month, we will cut through the noise on cyber breaches, ransomware attacks, emerging threats, and the cybersecurity developments worth paying attention to across Africa and around the world. Not just the incidents that make headlines, but the ones that should, the policy moves that will reshape how organisations defend themselves, and the threat intelligence that tells you what is coming before it arrives at your door.
We break it all down practically: what actually happened, why it matters beyond the press release, and what your organisation should quietly be doing about it before things escalate.

Nigeria's Corporate Affairs Commission Hacked, Millions of Company Records Exposed
On April 15, Nigeria's Corporate Affairs Commission (CAC) confirmed that hackers had broken into parts of its information systems: the database that holds the registration records of nearly every company doing business in Nigeria. A threat actor known as ByteToBreach claimed to have walked off with about 25 million documents (roughly 750GB), including ownership structures, director identities, and submitted ID documents like passports and NIN cards.
The CAC suspended its registration portal for three days, urged users to change their login details, and called in the National Information Technology Development Agency (NITDA) to help with the investigation. Nigeria's Data Protection Commission has since opened a formal probe. Same hacker, same playbook: find an unlocked door, walk through it, dump the contents online.
Do not assume your data is safe just because it is not in your system; know where it lives and limit what you share. Get the basics right: tighten access, monitor activity, and have a clear response plan before anything goes wrong.
Sterling Bank and Remita Breach Investigation Opens
On April 1, Nigeria's Data Protection Commission served a Notice of Investigation to Sterling Bank and Remita — the platform that processes federal salary payments and the Treasury Single Account — after the same ByteToBreach hacker dumped roughly 3TB of data on a cybercrime forum. The data included around 900,000 customer records, BVNs, passports, and identity documents.
The hacker got in through Sterling Bank in March via a known, unpatched vulnerability the bank had ignored for three months. Once inside, they found Remita's login credentials sitting in plaintext inside a code repository — meaning Remita was hit not because it was targeted, but because Sterling Bank had effectively left a key to its neighbour's office hanging on the wall. Neither Sterling nor Remita has issued a public statement to customers.
One weak link can expose more than just your own systems, so patch known vulnerabilities quickly and never leave credentials lying around, especially in shared environments. Also, silence does not reduce impact, so be ready to communicate clearly and early when incidents affect people’s data.
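The Remita credentials were found sitting in plaintext in a code repository. The check below is an added example, not code from the newsletter or from either company: a small scanner that walks file contents for common credential shapes (password assignments, AWS-style access key IDs, private key blocks, bearer tokens) and for long high-entropy strings that named patterns miss. The pattern list, the entropy threshold and the sample settings file are constructed for this example; the access key value is the placeholder used in AWS documentation, not a live key.

```python
import math
import os
import re

# Credential shapes worth flagging in source and config files. The list is a
# constructed starting point for this example, not an exhaustive catalogue.
PATTERNS = {
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_token": re.compile(
        r"(?i)(api[_-]?key|token|bearer)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
}

# Long runs of key-like characters that no named pattern catches.
CANDIDATE_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{24,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; prose and identifiers sit well below this


def shannon_entropy(s):
    """Bits of entropy per character: random keys score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep only a short prefix so the finding itself does not leak the secret."""
    return value[:4] + "*" * max(0, len(value) - 4)


def find_secrets(text, path="<memory>"):
    """Scan text line by line; findings come back ordered by line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()  # values already reported on this line by a named pattern
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(match.lastindex) if match.lastindex else match.group(0)
                seen.add(value)
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "value": redact(value)})
        for token in CANDIDATE_TOKEN.findall(line):
            if token in seen or shannon_entropy(token) < ENTROPY_THRESHOLD:
                continue
            findings.append({"path": path, "line": lineno,
                             "kind": "high_entropy_string", "value": redact(token)})
    return findings


def scan_files(paths):
    """Run find_secrets over real files, e.g. the output of `git ls-files`."""
    findings = []
    for path in paths:
        if os.path.isfile(path):
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings.extend(find_secrets(fh.read(), path))
    return findings


# Constructed sample of a settings file; none of these values are real credentials.
SAMPLE_FILE = """\
# settings.py (constructed sample; values are not real credentials)
DB_HOST = "db.internal.example"
PAYMENTS_PASSWORD = "Sup3rS3cret!2024"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SESSION_SEED = "q7Vm2Lx9pR4kTz8wBn3YhJ6sDf1GcE5a"
LOG_LEVEL = "info"
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_FILE, "settings.py"):
        print(f"{f['path']}:{f['line']}: {f['kind']} -> {f['value']}")
```

Run against the sample it reports the password on line 3, the access key on line 4 and the random-looking seed on line 5, and stays quiet on the hostname and log level. Wired into a pre-commit hook or a CI step over `git ls-files`, the same function stops a credential before it reaches a shared repository; the entropy heuristic will produce some false positives on genuinely random non-secret data, which is the trade-off for catching key formats you did not anticipate.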
Lagos State Releases Its First Cybersecurity Guidelines
On April 19, the Lagos State Government released "Lagos CyberSafe 2026" — the state's first dedicated set of cybersecurity guidelines for businesses, public institutions, and residents. The framework is tiered: simple basics for small businesses (strong passwords, MFA, automatic updates, the 3-2-1 backup rule, a 72-hour breach reporting window to ngCERT), more formal governance for larger enterprises, and stricter expectations for government agencies.
The guidelines are advisory, not law, but they align with the Cybercrime Act 2024 and the Nigeria Data Protection Act 2023. The release came four days after the CAC breach was confirmed — a useful reminder that policy ambition and real-world readiness still have a wide gap to close.
Guidelines may not be law yet, but they signal where expectations are going, so start aligning early rather than waiting to be forced. If the basics (passwords, MFA, updates, and backups) are not already in place, that’s the first gap to close before anything else.
Nigeria's Apex Banking Body Breached, Members' IDs and Academic Records Leaked
On April 20, a threat actor known as Rabid listed the full database of the Chartered Institute of Bankers of Nigeria (CIBN) for sale — 250GB pulled from the body that certifies and regulates professional standards for bankers across Nigeria. What was taken goes beyond names and emails: scanned government-issued IDs, university transcripts, degree certificates, and professional membership credentials — the exact documents Nigerian banks use for employment verification and KYC. The platform's source code was included too, leaving the door open for a follow-on attack against CIBN's live systems.
No statement from CIBN has been issued. The body that sets the integrity standard for an entire industry failed to protect the identity documents of the people it certifies — and the most dangerous part is not the breach itself, but what comes next. Those credentials are now raw material for fake banker profiles, fraudulent job applications, and identity-backed financial crime.
If your organisation collects sensitive documents, ask yourself whether you actually need to keep them after verification is done — because data you have deleted cannot be stolen.
Nigerian Microfinance Lender's 870GB Customer Database, Including Police Records, Allegedly Put Up for Sale
Around April 25, a hacker known as "iProfessor" claimed to be selling 870GB of data from Fast Credit Finance Company — a CBN-licensed microfinance lender — on a cybercrime forum, limited to just five buyers. The alleged haul contains nearly 940,000 customer records: loan files, bank statements, government-issued ID scans, personal photographs, next-of-kin details, and what appear to be records belonging to Nigerian police officers and law enforcement personnel.
Fast Credit, the CBN, and Nigeria's Data Protection Commission have not confirmed the breach. This is still a dark web claim. But when a threat actor posts detailed samples and restricts buyers to five, they are not bluffing for attention — they are running a controlled sale. The inclusion of law enforcement records is what elevates this beyond routine financial fraud; if authentic, those records could be used to identify, profile, or target officers by name.
Microfinance lenders collect some of the most intimate financial data that exists — and they rarely face the same scrutiny as commercial banks. That gap is now being exploited. Your data protection obligations do not scale down with your balance sheet — know what you are holding, why you are holding it, and have a response plan ready before you need one.
Nigeria's Anti-Corruption Agency EFCC Targeted, Operatives' Identities Dumped Online
On April 21, a threat actor identified as "ki4t," affiliated with Nullsec Nigeria, posted on a dark web forum claiming to have breached the Economic and Financial Crimes Commission — Nigeria's primary anti-graft agency. The leaked dataset is said to include agent names, phone numbers, operational code names, and password hashes linked to EFCC personnel.
The EFCC has not publicly confirmed or denied the breach as of publication. But the implications, if verified, go beyond data privacy. Leaked operational identities and code names could compromise active investigations, expose undercover agents to physical risk, and hand criminal networks advance warning of enforcement activity. Nigeria is fighting financial crime at scale; exposing the people doing the fighting is the most direct way to slow them down.
Law enforcement agencies are not exempt from basic security hygiene — operational data should be compartmentalised, agent identities stored separately from administrative systems, and password hashing done properly so that even a leak does not hand attackers working credentials. If your organisation holds information that could put people in danger, protect it like lives depend on it — because in this case, they might.
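On "password hashing done properly so that even a leak does not hand attackers working credentials": the block below is an added example, not code from the newsletter or from the EFCC, showing the pattern a defender should be storing. It uses the scrypt memory-hard KDF from Python's standard library with a fresh random salt per record, a self-describing record format so parameters can be raised later, a constant-time comparison on verification, and a `needs_rehash` check for migrating weaker records. The parameters, record format and function names are choices made for this example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for scrypt. n=2**14, r=8 needs roughly 16 MiB per hash; raise n as
# hardware improves and let needs_rehash() migrate older records at next login.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
DKLEN = 32


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def legacy_unsalted_hash(password):
    """The pattern to avoid: fast, unsalted, and identical for identical passwords,
    so a leaked table can be attacked with precomputed tables in bulk."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return a self-describing record: scheme$n$r$p$salt$derived_key."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record; never reuse
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                        r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(dk)])


def _parse(record):
    """Split a stored record; None if it is malformed or not a scrypt record."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = base64.b64decode(parts[4], validate=True)
        dk = base64.b64decode(parts[5], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return n, r, p, salt, dk


def verify_password(password, record):
    """Constant-time comparison against the stored record; False on bad input."""
    parsed = _parse(record)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    try:
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r,
                                   p=p, maxmem=SCRYPT_MAXMEM, dklen=len(expected))
    except ValueError:  # nonsensical parameters in a tampered record
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record):
    """True when the record is not scrypt or uses weaker parameters than policy."""
    parsed = _parse(record)
    if parsed is None:
        return True
    n, r, p, _salt, dk = parsed
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P or len(dk) < DKLEN


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("same password, same legacy hash:",
          legacy_unsalted_hash("x") == legacy_unsalted_hash("x"))
    print("same password, different scrypt record:",
          hash_password("x") != hash_password("x"))
```

The point the leak makes is visible in the last two lines of output: with an unsalted fast hash, every account sharing a password shares a hash and the whole table can be attacked at once; with a salted memory-hard KDF, each record must be attacked on its own at a cost the defender chooses. Verifying with `hmac.compare_digest` rather than `==` keeps the comparison from leaking timing information, and `needs_rehash` lets you raise the work factor without forcing a mass reset.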
Nigeria's Central Bank Issues Official Fraud Alert as Scammers Exploit April Breach Wave
On April 21, the Central Bank of Nigeria issued a public press release signed by Acting Director of Corporate Communications Hakama Sidi-Ali, warning Nigerians of a surge in fraudulent emails, messages, and online content falsely claiming to originate from the apex bank. The communications are designed to appear credible — referencing CBN leadership, licensing decisions, and policy matters — to pressure recipients into clicking malicious links or surrendering personal and financial data.
The timing is not coincidental. The alert came six days after the CAC breach was confirmed, and weeks into a wave of attacks hitting Sterling Bank, Remita, and Nigeria's government infrastructure. When large datasets leak, scammers do not wait — they immediately weaponise the stolen names, contacts, and institutional references to craft messages that feel real. The CBN is not the source of the problem; it is flagging the downstream damage that follows when other institutions fail to protect data.
Any message asking you to act urgently on behalf of a bank or regulator — click a link, verify your details, confirm a transaction — should be treated as suspicious by default. Go directly to the official website, call the official number, and never let urgency make the decision for you.

Crypto Scam Targets Ships Amid Hormuz Crisis
Greek maritime risk firm MARISKS has issued an alert about scammers impersonating Iranian authorities and demanding cryptocurrency payments from shipping companies in exchange for so-called safe passage through the Strait of Hormuz. What makes this especially convincing is that the scam mirrors a real Iranian transit fee regime introduced amid tensions in the Gulf, where laden oil tankers have reportedly been required to make legitimate transit-related payments in Bitcoin, USDT, or Chinese yuan. The warning comes against the backdrop of escalating disruption linked to the US-Iran standoff, with hundreds of ships reportedly stranded and traffic through the Strait significantly reduced. What makes the incident stand out is that at least one vessel is believed to have paid the fraudulent fee before being turned back by Iranian patrol boats, showing how cyber-enabled fraud is now exploiting geopolitical instability and targeting maritime operations in real time.
When situations are tense, urgency becomes the scam, so train your team never to act on payment requests without verifying through a trusted, independent channel.
French ID Agency Confirms Breach Exposing Citizen Data
France’s Agence Nationale des Titres Sécurisés has confirmed a data breach affecting systems used to manage national identity documents, including IDs, passports, and immigration records, with exposed data potentially including names, birth details, contact information, and other personal information. The agency said it detected the incident on 15 April and is investigating the cause and impact, while notifying affected individuals. What makes the incident notable is reports suggesting the breach may involve millions of records, with a threat actor reportedly advertising a database of 19 million records on a hacking forum before the breach was publicly disclosed. The incident is another reminder that government identity infrastructure remains a high-value target for cyberattacks, particularly where large-scale personal data repositories are involved.
Expect a surge in "official" phishing scams. If you get a text or email that seems legit because it knows your name or birthdate, don't click; it’s likely a scammer using this leaked data. To stay safe, update the password for your government accounts and enable two-factor authentication so a leaked ID number isn't enough to get into your profile.
The Person Hired to Negotiate Your Ransom Was the One Who Set It
In a massive breach of trust, three cybersecurity professionals—Angelo Martino and Kevin Martin of DigitalMint, and Ryan Goldberg of Sygnia—have pleaded guilty to participating in BlackCat (ALPHV) ransomware attacks. While they were hired as expert negotiators to help victims, they were secretly working with the hackers to inflate ransoms and pocket the proceeds. Between 2023 and 2025, they targeted schools, medical facilities, and financial firms, with two victims alone paying over $52 million. DigitalMint has since fired the employees, but the case highlights a terrifying reality: the "experts" brought in to put out the fire were actually holding the matches.
Trust is part of your security surface, so do not assume vendors or insiders are automatically safe; build in oversight, separation of duties, and independent checks. Also, do not rely blindly on external experts in a crisis; keep internal visibility and control so you can question decisions when it matters most.
A Gang That's Growing Faster Than Anyone's Been Paying Attention: The Gentlemen Ransomware
You might not have heard of Gentlemen ransomware yet, but Check Point's latest research suggests that's probably about to change.
The Gentlemen ransomware-as-a-service operation has rapidly scaled to over 320 victims since mid-2025, utilising sophisticated tactics such as deploying SystemBC, Cobalt Strike, and Active Directory exploitation to target corporate environments in the US, UK, Germany, Australia, and Romania. Research indicates affiliates are leveraging a high-revenue split to employ advanced tools, with incident response revealing a C2 server managing over 1,570 infected hosts, necessitating immediate hardening of external access, EDR monitoring for proxy tools, and network segmentation to mitigate risks.
New threats don’t stay small for long, so don’t wait for a name to become popular before you take it seriously. Keep threat intelligence active and review your defences regularly, because attackers are evolving faster than most teams are paying attention.
Hackers Are Pretending to be your IT Team on Microsoft Teams...and it's Working
Microsoft has put out a warning about a growing trend where threat actors are using Microsoft Teams' external collaboration feature to impersonate IT or helpdesk staff, reach out to employees via cross-tenant chats, and convince them to hand over remote access to their machines. The whole thing is designed to look like a routine support interaction. This is exactly what makes it so effective.
What Microsoft keeps emphasising is how difficult this is to detect, precisely because almost every tool in the threat actors' chain is legitimate, whether it's Quick Assist, Rclone, Adobe, or Autodesk.
If it looks like a normal work tool, people will trust it, so don’t rely on familiarity as a security check. Lock down external access points and train teams to verify internal requests through a second channel before granting access.
Vercel Got Breached: A Supply Chain Wake-Up Call
Vercel, the popular web deployment platform used by developers worldwide, disclosed a security incident this month in which attackers gained unauthorised access to certain internal systems. But the entry point wasn't Vercel itself; it was a small, third-party AI tool called 'Context.ai', which was used by one of Vercel's employees.
The good news is that environment variables marked as sensitive in Vercel are stored in a way that prevents them from being read, and Vercel says there's currently no evidence those were accessed. The company also confirmed, in collaboration with GitHub, Microsoft, npm, and Socket, that no npm packages published by Vercel were compromised. So far, the supply chain appears safe.
Vercel mentioned that it has engaged Mandiant and other cybersecurity firms, notified law enforcement, and reached out directly to affected customers to recommend rotating their credentials. Your security is only as strong as the tools your team plugs into it, so treat third-party apps, even the small ones, as part of your attack surface. Limit what they can access, review them regularly, and be ready to rotate credentials quickly if anything feels off.
AI Flagged a Malicious Axios Update Minutes After it was Published
This one stands out because the detection happened almost immediately, not days or weeks later.
A security researcher at Elastic Security Labs built a lightweight AI-based system to monitor code changes across open-source repositories. The system was designed to flag potentially malicious updates based on how code changes behaved, rather than relying on known signatures.
Within days of deploying it, the system flagged a suspicious update to Axios, one of the most widely used JavaScript libraries with over 100 million weekly downloads. The detection happened within minutes of the malicious package being published. The researcher quickly alerted the maintainers and the broader security community, leading to rapid investigation and containment of the issue.
The potential impact was significant. A successful supply chain compromise at that level could expose API keys, credentials, and internal systems across multiple organisations. This is your clue to invest in monitoring that can spot unusual behaviour early, not just known threats.
Hackers Are Now Signing Their Own Malware to Look Legitimate
This one is particularly concerning because it bypasses one of the core trust mechanisms in modern systems.
A financially motivated threat actor targeting transportation and logistics firms has been observed using a third-party code-signing service to make its malware appear legitimate. This activity was identified by researchers at Proofpoint during an investigation into cargo theft campaigns.
What makes this campaign different is the use of a code-signing service. The attackers submit malicious installer files to the service, which then re-signs them with what appears to be a valid digital certificate. This allows the malware to bypass certain security warnings and appear more trustworthy to operating systems and security tools.
The researchers also observed extensive post-compromise activity, including credential harvesting, data exfiltration via attacker-controlled channels, and highlighted that the campaign appears to be part of a broader operation focused on freight fraud and cargo theft, where attackers use stolen credentials to intercept and reroute goods.
“Looks legitimate” is no longer a reliable signal, so don’t trust software just because it’s signed or passes basic checks. Add deeper verification and monitoring, because attackers are now building trust into the attack itself.
A Token Flaw Turned Azure's AI Agent into a Silent Observer
A critical misconfiguration in Microsoft's Azure SRE Agent recently allowed external users to eavesdrop on other organizations' AI agent activity in real-time. Identified by researchers at Enclave, the flaw stemmed from how access tokens were issued. Because the token-generating system was configured globally across all Azure tenants, any user with a valid Azure account could request a legitimate token. The system failed to verify if the person requesting access actually belonged to the organization they were trying to view.
This meant an outsider could connect to a company's agent and observe its operations silently. Compounding the risk was the fact that this activity left no logs or traces on the victim’s side—the only record of the connection existed on the attacker’s system. Microsoft has since patched the vulnerability (tracked as CVE-2026-32173), which carried a critical CVSS score of 8.6, after confirming it allowed for improper authentication.
Access should never be assumed just because a token looks valid, so always enforce proper identity checks and tenant boundaries. Also, don’t rely only on visible logs; build monitoring that can detect unusual access patterns even when activity leaves little or no trace.
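The two failures described above, a token that is valid everywhere being accepted everywhere and nothing being recorded on the victim's side, are easiest to see side by side. The block below is an added example, not code from the newsletter, from Enclave or from Microsoft, and it does not reproduce Azure's token format or the SRE Agent's internals: the claim names, the audience string and the session object are constructed for this example. It contrasts a flawed authorizer that only checks that a token is valid with one that also binds the caller's tenant to the resource's tenant and writes every decision to a log that lives with the resource.

```python
import time
from dataclasses import dataclass, field


# Assumed token claims. Field names and shape are constructed for this example.
@dataclass(frozen=True)
class TokenClaims:
    subject: str        # who presented the token
    tenant_id: str      # which organisation issued it
    audience: str       # which service it was minted for
    expires_at: float   # unix time


@dataclass
class AgentSession:
    agent_id: str
    tenant_id: str                               # the organisation that owns this agent
    audit_log: list = field(default_factory=list)  # kept with the resource, not the caller


EXPECTED_AUDIENCE = "agent-activity-stream"  # constructed value for this example


def authorize_observer_global(claims, now=None):
    """The flawed shape: a token that is valid anywhere is accepted everywhere.
    Nothing ties the caller's organisation to the agent they want to watch, and
    nothing is written on the resource side, so the victim never sees the access."""
    now = time.time() if now is None else now
    return claims.expires_at > now and claims.audience == EXPECTED_AUDIENCE


def authorize_observer(claims, session, now=None):
    """The corrected shape: validity checks first, then a tenant-boundary check,
    and an audit entry on the resource side for every decision, allowed or not."""
    now = time.time() if now is None else now
    if claims.expires_at <= now:
        decision = (False, "token_expired")
    elif claims.audience != EXPECTED_AUDIENCE:
        decision = (False, "wrong_audience")
    elif claims.tenant_id != session.tenant_id:
        decision = (False, "tenant_mismatch")
    else:
        decision = (True, "ok")
    session.audit_log.append({
        "ts": now,
        "agent_id": session.agent_id,
        "subject": claims.subject,
        "caller_tenant": claims.tenant_id,
        "allowed": decision[0],
        "reason": decision[1],
    })
    return decision


def cross_tenant_attempts(session):
    """Detection hook: every denied attempt from another tenant is an alertable event,
    and a burst of them against one agent is the pattern to watch for."""
    return [e for e in session.audit_log if e["reason"] == "tenant_mismatch"]


if __name__ == "__main__":
    victim = AgentSession(agent_id="agent-1", tenant_id="tenant-victim")
    insider = TokenClaims("alice", "tenant-victim", EXPECTED_AUDIENCE, expires_at=2000.0)
    outsider = TokenClaims("mallory", "tenant-other", EXPECTED_AUDIENCE, expires_at=2000.0)
    print("flawed check lets outsider in:", authorize_observer_global(outsider, now=1000.0))
    print("fixed check, insider:", authorize_observer(insider, victim, now=1000.0))
    print("fixed check, outsider:", authorize_observer(outsider, victim, now=1000.0))
    print("cross-tenant attempts logged on the victim side:",
          [e["subject"] for e in cross_tenant_attempts(victim)])
```

The design point is that validity and authorization are separate questions: a well-formed, unexpired token answers "was this issued by something we trust", not "is this caller allowed to see this resource". The second answer needs the resource's own tenant identity, and the record of the decision needs to live where the resource owner can read it, otherwise the only trace of a silent observer is on the observer's machine.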
An AI Model Just Executed a Full Network Takeover on Its Own
This one marks a clear shift in what AI systems are now capable of.
The UK AI Security Institute evaluated a frontier model called Claude Mythos Preview and found that it could autonomously carry out a full corporate network attack in a controlled environment. The test, known as "The Last Ones", is a 32-step simulation that mirrors a real-world intrusion. Security experts estimate that the same process would take a human team roughly 20 hours to complete.
Anthropic has restricted access to the model, citing concerns that its capabilities could be misused to discover and exploit vulnerabilities at scale. Start treating AI as part of your threat model and prepare defences that can keep up.
Chinese Hackers Left the Keys Inside Their Own Backdoors
Security researchers uncovered multiple backdoors linked to Chinese threat actors that contained hardcoded credentials directly embedded in the malware. These backdoors were designed for long-term access, allowing attackers to quietly maintain control over compromised systems without raising alarms.
However, instead of using dynamic or encrypted authentication, the attackers included static usernames and passwords inside the code itself. This meant that anyone who discovered the malware could potentially re-use those same credentials to access infected systems. If you are compromised, act fast to remove all access points, because others may already be reusing them.
AI Can Now Run Fraud Operations From Start to Finish
A new assessment from Interpol warns that AI tools are enabling criminals to automate entire fraud operations, from targeting victims to executing attacks. According to the report, AI systems can now carry out multiple stages of fraud with little to no human input, including harvesting credentials, gaining access to systems, and even selecting valuable data.
The report also highlights how AI has significantly improved social engineering. Fraudsters can now generate highly personalised messages, realistic scenarios, and convincing communication tailored to specific individuals, making scams harder to detect.
Fraud is becoming automated, so don’t assume a human is behind every interaction or that scale will be limited. Strengthen verification and awareness, because attacks are now faster, more personalised, and harder to spot.
Hackers Are Actively Exploiting a Microsoft Defender Zero-Day
On April 22, the US Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Defender flaw (CVE-2026-33825, nicknamed "BlueHammer") to its Known Exploited Vulnerabilities catalog after attackers were caught using it in real intrusions. The bug lets a low-privileged user trick Defender — Windows' own built-in antivirus — into giving them full SYSTEM-level control of the machine.
Microsoft patched the flaw on April 14, but a frustrated researcher had already published working exploit code on April 2 in protest at how the disclosure was handled. Federal agencies have until May 6 to fix it. Everyone else should patch yesterday.

If this first edition shows anything, it is that most incidents do not start big; they start with something small that was ignored or trusted for too long. Pay attention to the basics, question what feels routine, and don’t wait for a headline before you act.
See you in the next drop.