Nigeria’s NIMC Behind Over 3M DDoS Attack On FIJ, Violating Cybercrimes Act

Nigeria’s National Identity Management Commission (NIMC) has been accused of launching and executing a Distributed Denial-of-Service (DDoS) attack on the website of the Foundation for Investigative Journalism (FIJ), shortly after the newsroom exposed companies and individuals illegally selling Nigerians’ National Identification Number (NIN) data on the black market.

The attack, revealed in an evidence-backed publication on Friday by FIJ journalist Timileyin Akinmoyeje, briefly knocked down FIJ’s website on Thursday morning. The site reportedly suffered severe slowness as it was overwhelmed by more than 3 million botnet requests traced back to NIMC’s headquarters in Abuja.

A DDoS attack occurs when a website is flooded with fake internet traffic generated by malware-infected devices—called bots or, collectively, a botnet. By overwhelming the server with artificial traffic, legitimate visitors are blocked from accessing the website, potentially forcing it offline.

Source of Attack and Violations

FIJ’s technical team identified the specific Internet Protocol (IP) address 102.219.223.249, which was traced directly to the NIMC headquarters in Abuja. Independent verification by West Africa Weekly confirmed the same result, establishing NIMC as the origin of the attack.

The NIMC, established by the NIMC Act No. 23 of 2007, is mandated to manage and protect the national identity database of more than 200 million Nigerians. However, this attack raises serious questions about its role and accountability.

While FIJ had earlier published several investigations exposing NIMC’s failure to safeguard Nigerians’ national identity database from exploitation on the data black market, the agency’s lapses amount to a direct violation of Section 26 of the NIMC Act (2007), which mandates that all information in its custody must be kept confidential.

In addition, by deploying a DDoS attack against FIJ’s website and server, NIMC further violated Section 8 of the Cybercrimes (Prohibition and Prevention) Act, 2015. This offence of unlawful interference carries penalties of up to two years imprisonment, a ₦5 million fine, or both.

Furthermore, since a DDoS attack inherently relies on the use of malware and botnets, NIMC’s actions also contravene Section 32(3) of the Cybercrimes Act (2015), an offence punishable by up to three years imprisonment, a ₦1 million fine, or both.

Meanwhile, evidence of the DDoS attack carried out by NIMC against FIJ also points to a violation of Section 39 of the 1999 Constitution, which guarantees that the press, whether print, online, radio, or television, shall at all times remain free to uphold the fundamental objectives of the Constitution and ensure the responsibility and accountability of the government to the people.

Read: Nigeria Lost ₦826bn In Gas, 15,400 GWh of Electricity, And ₦472bn In Flaring Fines Between January and May 2025

About The Author

Mayowa Durosinmi

author

M. Durosinmi is a West Africa Weekly investigative reporter covering Politics, Human Rights, Health, and Security in West Africa and the Sahel Region

See author's posts