Nigeria’s Economic and Financial Crimes Commission (EFCC) has exposed a large-scale fraud operation in which fintech companies are allegedly buying stolen personal and biometric data to facilitate illegal financial activities. The agency claims that a network of more than 12,000 individuals nationwide is actively gathering sensitive information from unsuspecting citizens and selling it to players in the digital finance sector.

In a statement issued on Friday, the EFCC outlined a two-fold scheme that combines data harvesting and malware to defraud Nigerians. The agency cautioned that this operation presents a significant “threat to national security” and undermines the integrity of Nigeria’s rapidly expanding fintech industry.

According to the EFCC, the operation is centered around a network of individuals, referred to by the agency as “Account Suppliers” or the “KYC Group.” These individuals convince ordinary Nigerians to surrender their personal identification information in exchange for small payments, usually ranging from ₦1,500 ($1.00) to ₦2,000 ($1.33).

The harvested data includes some of Nigeria’s most crucial identifiers:

• Bank Verification Number (BVN): A unique 11-digit number linked to an individual’s biometric data (such as fingerprints and facial photographs) and all their bank accounts in Nigeria. It is a foundational element of the country’s financial identity system.
• National Identity Number (NIN): Nigeria’s primary identity number, used for a wide variety of official and private-sector transactions.
• Other personal details, such as passport photographs and address information.

This complete data set is then allegedly sold to fintech companies for as much as ₦5,000 ($3.33) per individual. The EFCC claims that these fintech companies use the stolen data to open new accounts, which are subsequently used for fraudulent activities, including investment scams and laundering money through cryptocurrency transactions.

“Information available to the Commission revealed that the actors are up to 12,000 all over the country seeking account donors,” stated the EFCC.

Although the EFCC has not named the specific fintech companies involved, the allegations point to a critical vulnerability in the Know Your Customer (KYC) processes of some digital financial platforms. KYC regulations are designed to ensure that financial institutions verify their clients’ identities to prevent money laundering and other financial crimes. The scheme described by the EFCC suggests that these protocols are either being circumvented or are vulnerable to manipulation with high-quality stolen data.

The agency also drew attention to another related tactic involving malware concealed within promotional offers. In one case, fraudsters devised a fake promotion that promised a 50% discount on tickets from a prominent foreign airline. To participate, victims were instructed to make a small ₦500 payment, presented as a “charity” donation. This process then led them to download a malicious version of the airline’s app, which would allow unauthorized access to the victim’s device and banking details.

“Through this access, they control and launder the funds by purchasing cryptocurrencies,” the EFCC explained. The stolen funds were typically transferred from the victim’s primary bank account to accounts opened at microfinance banks or fintech institutions, likely utilizing the same stolen identity data.

Regulatory Implications and Market Integrity

The EFCC’s findings cast a shadow over Nigeria’s highly regarded fintech sector, which has attracted considerable international investment and advanced financial inclusion. These allegations raise significant concerns about the strength of security and compliance measures within the industry.

The agency confirmed it has made arrests in connection with these scams and is actively working to recover the stolen funds. It issued a firm warning to the public, advising Nigerians not to act as “Account Donors” for any financial gain.

“The Commission is dedicated to protecting the nation’s financial ecosystem in the best interests of all Nigerians,” the statement concluded, signaling the potential for heightened scrutiny and regulatory actions within the fintech industry to combat these emerging threats.

Source