The evolution of Nigerian threat actors

The Nigerian threat landscape has shifted. Throughout the early 2010s, activity centered on advance fee fraud and romance scams. Later, threat groups turned to Business Email Compromise (BEC). These early vectors targeted human vulnerabilities. By the mid-2010s, threat groups focused on cellular networks. They ran SIM-swapping operations and targeted USSD codes to take over bank accounts.

Since 2020, threat actors have moved to automated, scripted attacks against fintech APIs. Standardized banking-as-a-service (BaaS) platforms and public open API formats lowered the technical barrier. The financial return is high. An automated script attacking a vulnerable loan disbursement endpoint can process fraud profiles and trigger payouts at ₦150,000 per second. The risk has shifted from social engineering to code-level automation.

The tooling of the modern API attacker

Threat groups do not use custom malware. They use standard developer tools and interception proxies:

Attack target 1: Loan application endpoints

Scripted loan fraud executes in a series of steps. First, the script registers accounts using stolen identities and burner SIM cards. Next, the script sends a POST request containing fabricated employment records to the application endpoint.

POST /api/v2/loans/apply
Host: api.targetfintech.com
Authorization: Bearer eyJhbGciOiJIUzI1Ni...
Content-Type: application/json

{
  "bvn": "22219485730",
  "monthly_income": 950000,
  "employer": "Shell Petroleum Development Company",
  "job_title": "Lead Drilling Engineer",
  "requested_amount": 150000,
  "bank_code": "058",
  "account_number": "0123456789"
}

The risk engine reviews the parameters. If it processes client-supplied values (like salary and employer name) without validating them against third-party sources (like tax databases or bank statement aggregators), it approves the application. The system sends the credit payout to a mule account, where a script immediately transfers the funds to external wallets.

Attack target 2: Referral and rewards endpoints

Referral loops are exploited through automated registration sequences. The attacker registers a seed account to obtain a referral code: REF-99281. A Python script then iterates through hundreds of registration requests. Every request uses a stolen BVN and references REF-99281 as the parent account.

POST /api/v1/auth/register
Host: api.targetfintech.com
Content-Type: application/json

{
  "phone": "+2348039827162",
  "bvn": "22201938475",
  "referral_code": "REF-99281",
  "first_name": "Tunde",
  "last_name": "Bello"
}

If the wallet system credits the referral bonus (such as ₦1,000) immediately upon account registration, the script drains funds rapidly. Within minutes, the attacker collects large sums in the seed account and transfers the cash before operations teams spot the activity.

Attack target 3: Onboarding and account creation floods

Virtual account exhaustion attacks flood onboarding endpoints to disrupt service. Threat actors use script loops to target APIs connected to virtual account providers like Wema Bank or Providus Bank.

The script issues thousands of account creation requests using synthetic identity structures. The backend API automatically requests Wema or Providus to generate a virtual account for each registration. This creates two problems. First, it exhausts the fintech's pre-purchased pool of virtual accounts, preventing genuine users from signing up. Second, it populates the database with active Tier 1 accounts that are subsequently used to channel stolen funds.

The detection fingerprint of API-driven fraud

Security teams can find automated attacks by looking for these patterns in their server logs:

The fix

Securing these endpoints requires logic adjustments and backend validation:

Example finding

Format checking only during BVN verification

During a security assessment of a lending platform, we ran a synthetic load test with random BVN strings against their loan application endpoint. 34% of our randomly generated BVNs passed their KYC check because their BVN validation was only checking format (11 digits), not querying NIBSS for existence. Fix priority: critical.

Are your core onboarding and loan endpoints vulnerable to scripted attacks?

Get a security review

Automated scanners cannot simulate multi-step fraud flows. Detecting these API-driven fraud patterns requires manual reviews to inspect rate limiting logic and verify KYC validation depth.

Frequently asked questions

Are Nigerian threat actors using AI tools for these attacks?

Increasingly yes. LLM tools are used to generate realistic employment histories.

Can we block Nigerian residential IPs to stop these attacks?

No. Blocking CGNAT ranges from MTN/Airtel would block a large portion of your legitimate user base.

How do we respond when we detect an active scripted attack in progress?

Enable stricter rate limiting. You must also require CAPTCHA validation. Any accounts created during the attack window must be quarantined.

Related reading

Blog: Rate Limiting and Anti-Fraud Payment APIs · BVN Spoofing and Liveness Bypass

Services: API security testing · Lending platform security