₦airaland Forum

By Timileyin Akinmoyeje


The website of the Foundation for Investigative Journalism (FIJ) has suffered multiple coordinated cyberattacks traceable to the National Identity Management Commission (NIMC) headquarters in Abuja.

The Distributed Denial of Service (DDOS) attacks, which briefly knocked FIJ’s website offline, started on Thursday morning.

DDOS attacks happen when attackers flood a website with fake traffic, usually from many hacked computers (a botnet) to overwhelm the server. As a result, the website would be unable to handle real visitors and ultimately shut down after a continuous barrage.

The attacks are coming after FIJ published a series of reports exposing registered companies and private individuals illegally trading Nigerians’ NIN data for cheap on the data black market.

“When I checked, it wasn’t loading either, so I contacted the service provider. In fact, they were the ones who first discovered the issue,” said the head of FIJ’s web team.

https://fij.ng/article/wp-content/uploads/2025/08/WhatsApp-Image-2025-08-22-at-14.13.17_8ff728e0-743x628.jpg In the last 72 hours, over 3 million requests on the website server resulted from hits from the IP address.


According to his technical analysis of the situation, the service provided identified an IP address that had overwhelmed FIJ’s website with over 50,000 requests within an hour. A deeper analysis eventually revealed the scale of the attack.


https://fij.ng/article/wp-content/uploads/2025/08/WhatsApp-Image-2025-08-22-at-14.15.17_3052ae17-1-743x628.jpg The requests were originating from mostly unknown devices, operating systems and browsers


“In the last 72 hours there were about 2 million requests. Each hit is a real request because once you visit the site, 15–20 scripts are loaded, each as a separate request.”

Most of the requests came from undefined devices and browsers, a sign of a coordinated cyberattack.

“The same IP address was behind it, and when I checked the IP, both on Cloudflare and on What’s My IP Address, it showed NIMC,” he added.


https://fij.ng/article/wp-content/uploads/2025/08/WhatsApp-Image-2025-08-22-at-14.17.53_c614a336-1-768x539.jpg Further findings revealed that the IP address coordinating a DDoS attack on the FIJ website is coming from the NIMC HQ in Abuja.


FIJ’S DATA BREACH REPORTS

FIJ has been documenting instances of black market sites illegally selling the data of Nigerians at cheap prices since 2024. In March 2024, FIJ reported how Xpressverify, an unlicensed website, monetised NIN recovery and printing from Nigeria’s database.

The report generated impact immediately and forced NIMC and other agencies regulating data privacy to launch investigations.

But in July 2025, FIJ again exposed NINPrint, a platform operated by Abbeytech Ventures, for selling NIN records for as low as N180 per request. FIJ tested the platform by purchasing the data of four Nigerians who consented to the process.

In another instance on August 8, FIJ reported how NINCard had been illegally offering ID services since October 2023 without a licence. The report also revealed how NIMC had been aware of the website’s activities for over a year but did not shut it down.

Four days later, on August 12, FIJ also reported how nimcverify.ng was selling Nigerians’ NIN records for N150 to anyone with just a phone number.

FIJ’s most recent story in the series detailed how IloTech, a virtual top-up platform, was secretly selling Nigerians’ NIN records for as low as N180. FIJ was able to obtain the records of a Nigerian minister and a senator through the site.

All of these illegal websites were taken down after FIJ’s story. The speed of the impact ranged from less than 24 hours to seven days.


WHAT IS THE JOB OF NIMC?

The National Identity Management Commission (NIMC) was created under the NIMC Act No. 23 of 2007 to establish, own, operate, maintain and manage Nigeria’s national identity system.

According to Section 5 of the Act, NIMC’s core mandate is to create and maintain the National Identity Database, register all Nigerian citizens and legal residents, and assign each person a National Identification Number (NIN).

It is also responsible for issuing General Multi-Purpose Identity Cards linked to the NIN, ensuring that identity records are kept up to date, and collaborating with other agencies like INEC, Immigration, FRSC, and banks to make the NIN usable across public and private services.

The law also emphasises the protection of personal data. Section 26 makes it clear that all information in the National Identity Database must be kept confidential.

Sections 14 and 27 prohibit the unauthorised use, disclosure or sale of identity information. NIMC is therefore required to manage the system not just for registration but also with strong safeguards for privacy.

The Act sets out clear punishments for those who attempt to compromise the system. For example, Section 29 states that anyone who gives false information during registration can face up to three years in prison or a fine of N100,000, or both.

Under Section 28, using or possessing another person’s NIN or ID card without authorisation carries the same penalty. More serious breaches are addressed in Section 30, which prescribes up to 10 years in prison or a fine of N10 million, or both, for anyone who unlawfully accesses, leaks, sells or misuses identity information stored in the NIMC database.


NO PUNISHMENTS SO FAR

Both the NIMC and the Nigeria Data Protection Commission, the agency responsible for data privacy regulation in Nigeria, were made aware of the published FIJ reports. But none of the perpetrators has been brought to book.

For instance, FIJ can confirm at press time that Timzytech, the individual who managed nimcverify, has simply switched to a new page to continue selling Nigerians’ data for cheap.

Since 2011, Nigeria has spent about $630 million trying to build a functional national identity system. That year, the federal government under Goodluck Jonathan approved N30.66 billion to provide electronic ID cards to all Nigerians above the age of 18.

By 2019, the country secured a $433 million World Bank-backed grant supported by the French Development Agency (AFD) and the European Union. The project’s goal was to register at least 148 million Nigerians by mid-2024 and strengthen the country’s identity management infrastructure.

This database is still porous.

jmoore:
Who will prosecute NIMC for cybercrime?

A government agency is involved in cybercrime

The naive operator in charge of the attacks can't even mask the ip.

Exousiang01:
You instantly assume that the attack came from NIMC.
If they lock you up again now ignorant Nigerian youths will start making noise

Smartcitizen:
When they called them terrorists in power you think it's a joke abi?

Exousiang01:
You instantly assume that the attack came from NIMC.
If they lock you up again now ignorant Nigerian youths will start making noise

RollinTNDA:
If the attack is from nimc that means somebody in nimc is selling those data to hackers and exposing it will stop the profit.
Hence the attack allegedly

Fij don spoil market for somebody

The same IP address was behind it, and when I checked the IP, both on Cloudflare and on What’s My IP Address, it showed NIMC,” he added.

jmoore:
Who will prosecute NIMC for cybercrime?

A government agency is involved in cybercrime

The naive operator in charge of the attacks can't even mask the ip.

Stephen0mozzy:
If you're into this kind of work, you need to up your security infrastructure. This kain thing can easily be prevented using:

1. Rate limiting / throttling.
2. Fingerprinting to identify the device/IP sending the request if they try to randomize it.

DDOS is the easiest to prevent against.
Unless them just use "cheap-artiko" WordPress site.

Islie:
FIJ’s Website Attacked From NIMC Headquarters After Multiple Reports on NIN, BVN-Selling Websites




https://fij.ng/article/fijs-website-attacked-from-nimc-headquarters-after-multiple-reports-on-nin-bvn-selling-websites/

Exousiang01:
You instantly assume that the attack came from NIMC.
If they lock you up again now ignorant Nigerian youths will start making noise