
Banking and Finance

Hacker demands payment from Sterling Bank to delete leaked data


Sterling Bank has received a ransom demand from the cybercriminal group behind the breach of its systems, which exposed customer and staff data on the dark web. The attackers are demanding payment in exchange for deleting the compromised data and preventing its wider public release.

In late March 2026, a threat actor known as ByteToBreach published what it claimed were more than 9 million records on DarkForum, an English-language dark web platform known for the exchange of stolen databases, hacking tools, and malware.

According to the threat actor, the breach involved data linked to approximately 900,000 customer accounts and more than 3,000 employee records. The threat actor also claimed the existence of a separate dataset connected to Cardinal Stone, an investment banking and multi-asset management firm.

According to the threat actor, the leak contains personally identifiable information (PII), raising concerns about risks such as identity theft, financial fraud, and unauthorised access to sensitive records.


According to messages exchanged on Signal and reviewed by Economy Post, a purported representative of Sterling Bank asked the threat actor what assurances there were that the data would be deleted and not published. The threat actor responded that they had no personal interest in the data and were driven only by financial gain.

A screenshot of the message exchange shared by the threat actor on the dark web

In the message exchange, the threat actor sought a payment of 0.5 percent of a stated 200 million figure, equivalent to about 1 million, in exchange for the alleged data. The bank representative responded that the amount was too high.

In a follow-up message, the threat actor insisted the price was non-negotiable, claiming it was already a concession compared to higher demands typically made in similar situations.

While the currency was not explicitly stated in the message exchange, the figures suggest the negotiation was likely in U.S. dollars.

The exchange appears to be part of an ongoing discussion between the threat actor and Sterling Bank, which, based on the published messages, ended without an agreement.

Earlier publication

Economy Post earlier reported that a notorious threat actor had claimed responsibility for a data breach at Sterling Bank Plc, alleging the exposure of a large volume of customer and employee data.

The threat actor had also stated that the hacked systems were located within Sterling Bank Plc’s internal network architecture, as defined by its autonomous system number (ASN).

The actor had also claimed that access gained through the breach was used to target external systems, including Remita, a popular payment platform.


The threat actor further claimed that approximately 3 terabytes of data were accessed from cloud storage, including over 800 gigabytes linked to Know Your Customer (KYC) services. The data is said to include identity documents such as passports, photographs, bank statements, and utility bills, alongside MySQL and PostgreSQL databases, logs, and container registries.

Another document released by the actor suggested that initial access within Sterling Bank Plc might have been used to pivot into external systems, including CRC Credit Bureau, one of the largest credit reporting agencies in Nigeria and Africa.

None of the organisations mentioned, Sterling Bank Plc, CRC Credit Bureau, Cardinal Stone and Remita, have publicly confirmed the alleged breach. When contacted on April 2, 2026, Sterling Bank Plc declined to comment.


About the Author

Shehu Olayinka


Senior Analyst

Abuja, Nigeria

Olayinka is a senior analyst, investigative journalist and tech enthusiast. He worked at The ICIR as social media manager, reporter and fact-checker. You can email him at [email protected] and follow him on Twitter via @BelloYinka72.
