Nigeria’s Economic and Financial Crimes Commission (EFCC) has uncovered a large-scale fraud operation where fintech firms are allegedly purchasing compromised personal and biometric data to facilitate illicit financial activities. The agency claims a network of over 12,000 individuals across the country is actively harvesting sensitive information from unsuspecting citizens and selling it to players in the digital finance sector.
In a statement released on Friday, the EFCC detailed a two-pronged scheme that leverages both data harvesting and malware to defraud Nigerians. The agency warned that the operation poses a significant “threat to national security” and undermines the integrity of Nigeria’s rapidly growing fintech ecosystem.
The Anatomy of the Data-Harvesting Scheme
According to the EFCC, the core of the operation relies on a network of agents the agency calls “Account Suppliers” or the “KYC Group”. These individuals persuade ordinary Nigerians to surrender their personal identification details for small payments, typically between ₦1,500 ($1.00) and ₦2,000 ($1.33).
The data harvested includes some of the country’s most critical identifiers:
- Bank Verification Number (BVN): A unique 11-digit number linked to an individual’s biometric data (fingerprints and facial photograph) and all their bank accounts in Nigeria. It is a cornerstone of the country’s financial identity system.
- National Identity Number (NIN): Nigeria’s primary foundational identity number, used for a wide range of official and private-sector transactions.
- Other details, such as passport photographs and address information.
These complete data sets are then allegedly sold to fintech companies for as much as ₦5,000 ($3.33) per individual. The EFCC claims these fintechs use the purchased data to open new accounts, which are subsequently used for fraudulent purposes, including investment scams and laundering money through cryptocurrency transactions.
“Information available to the Commission revealed that the actors are up to 12,000 all over the country seeking account donors,” the EFCC stated.
While the EFCC has not publicly named the specific fintech companies involved, the allegations point to a critical vulnerability in the Know Your Customer (KYC) processes of some digital financial platforms. KYC regulations require financial institutions to verify the identity of their clients to prevent money laundering and other financial crimes. The scheme described by the EFCC suggests that these protocols are either being bypassed or are susceptible to manipulation with high-quality stolen data.
Malware Attacks and Phishing Scams
The agency also highlighted a separate but related tactic involving malware disguised within promotional offers. In one example, fraudsters created a fake promotion offering a 50% discount on tickets from a major foreign airline.
To participate, victims were required to make a nominal ₦500 payment, framed as a “charity” donation. The process then prompted them to download a malicious version of the airline’s app. This application would gain unauthorised access to the victim’s device and banking information.
“Through this access, they control and launder the funds through purchase of cryptocurrencies,” the EFCC explained. The stolen funds were typically moved from the victim’s primary bank account to accounts opened at microfinance banks or fintech institutions, likely using the same stolen identity data.
Regulatory Implications and Market Integrity
The EFCC’s findings cast a shadow over Nigeria’s celebrated fintech scene, which has attracted significant international investment and driven financial inclusion. The allegations raise serious questions about the robustness of security and compliance frameworks within the sector.
The agency confirmed that it has made arrests in connection with these schemes and is actively working to recover stolen funds. It issued a stern warning to the public, urging Nigerians not to act as “Account Donors” for any financial incentive.
“The Commission is committed to safeguarding the financial space of the nation in the overall interests of all Nigerians,” the statement concluded, signalling a potential for increased scrutiny and regulatory enforcement on the fintech sector to curb these emerging threats.