In the quiet suburbs of Ikorodu, Tunji Adegoke, a 60-year-old retired civil servant, sat staring at his phone. It was 10:00 a.m. on a Thursday. The signal bars on his screen had vanished, replaced by a cold, persistent ‘no service.’ Adegoke didn’t panic; he assumed it was a routine maintenance glitch from his service provider. He went about his morning routines, oblivious of the fact that in the bustling business centre in Ikeja, a stranger had just ‘become’ him.
By the time Adegoke walked into a physical service centre four hours later to complain, his retirement proceeds had been wiped out. His N2.8 million gratuity, the harvest of 30 years of labour, was gone. The fraudsters hadn’t broken into a bank vault. They had simply exploited the ‘siloed’ nature of Nigeria’s digital ecosystem.
They performed a SIM swap, intercepted his one-time passwords (OTPs) and walked through the front door of his bank account. This was done because there were no security checks linking banks to the telecom provider enough to flag a sudden SIM change before allowing transactions.
In other words, this is social engineering. The fraudsters did not need to hack his physical phone to get the codes. This is because the phone number was now active on their device.
When the criminals logged into Adegoke’s bank app and requested an OTP for a transfer, the bank sent that text message to his phone number. Since the network now recognised the fraudsters’ SIM as the ‘owner’ of that number, the OTP was delivered directly on their screen, not Adegoke’s.
Tunji’s story is a microcosm of a national crisis. Despite the aggressive rollout of the National Identification Number (NIN) and SIM linkage, the ‘bleeding’ of Nigerian bank accounts via unauthorised swaps continues.
Another recent case was that of Ibrahim Mariam Titilayo, a 24-year-old National Youth Service Corps (NYSC) member.
In May 2025, while serving her fatherland in Akure, Ondo state, Ibrahim did what millions of Nigerians do: she bought a new Airtel SIM card from an authorised vendor. As required, she registered the SIM using her NIN. For six months, she used the line daily, unaware that the string of digits assigned to her carried a dark, hidden history.
On October 16, 2025, her nightmare began when plainclothes officers from the Force Intelligence Department (FID), Abuja, tracked the signal of that specific SIM to Ibrahim’s location in Akure.
In Akure, she was arrested. The officers seized her iPhone 12 Pro Max, an Itel phone and her Wi-Fi router.
Ibrahim was confronted with a terrifying allegation: she was being linked to a high-profile kidnapping and murder case that had occurred in January 2024, months before she even purchased the SIM.
The police revealed that the phone number now registered to Ibrahim’s NIN was the same number used by a kidnapping syndicate to negotiate ransoms and coordinate murder in early 2024.
The trap was that when the original criminal abandoned the SIM, it remained dormant for over 12 months. Following the Nigerian Communications Commission’s (NCC) rules, the telco deactivated the unlinked line and put it back into the pool for sale.
Crucially, while the telco assigned the number to Ibrahim’s NIN in 2025, the police tracking systems still had that number flagged in connection to the 2024 crime. To the investigators’ automated systems, the person currently holding the SIM was the person they had been hunting for nearly two years.
Ibrahim was forced to travel from Akure to Abuja on November 20, 2025, to clear her name.
To analysts, in both cases, the missing link is not a lack of data; it is the absence of a synchronised digital public infrastructure (DPI) that allows banks, telecommunications companies, and security outfits to talk to each other in real-time.
A crisis of interoperability
DPI is often described as the ‘digital roads and bridges’ of a modern economy. In Nigeria, these road connections are still not concrete enough. We have the Identity Layer (NIN), the Payment Layer (Bank Verification Number/Nigeria Inter Bank Settlement System), and the Communication Layer (SIM). However, these three layers still largely exist in silos.
The fraudsters and criminals live in the gap between the bank, the telco and security outfits.
A systems architect, Emmanuel Balogun, explained: “When a SIM is swapped, the telco’s system updates instantly. But because there is no automated DPI bridge, the bank remains in the dark. To the bank, that SIM is still the ‘Trusted Device.’ It’s like a homeowner giving a spare key to a neighbour, but the neighbour changes the locks and doesn’t tell the homeowner.”
For victims, the human angle is one of profound betrayal. The very tools meant to include them in the digital economy—the mobile phone and the USSD code—become the weapons used against them. The ‘bleeding’ isn’t just financial; it is a haemorrhage of trust in the state’s ability to protect its citizens in a virtual world.
Recycled nightmare
The government’s mandate to deactivate unlinked SIMs was a necessary security step, but without a robust DPI to manage the ‘afterlife’ of a phone number, it has created a new class of victims.
Take the case of Sarah Nkalagu, a small-business owner in Aba. She purchased a new SIM card from a reputable dealer. Within 48 hours, she began receiving credit alerts and loan offers addressed to a “Mr. Okechukwu.” Her new number was a recycled line, previously owned by someone who hadn’t linked with NIN.
Because Nigeria still lacks a centralised Consent and Data Sharing Layer, Nkalagu’s new SIM remained tethered to the previous owner’s bank account.
If Nkalagu were a criminal, she could have wiped Okechukwu’s account clean. Conversely, if a fraudster tracks when high-value numbers are recycled, they can ‘squat’ on those identities. This ‘Recycled SIM’ trap is a direct result of the failure to sync the telecom churn registry with the banking industry’s KYC database.
Menace of a condemned phone
There is another twist to this crisis. Lately, across Nigerian streets, the megaphone cry of traders seeking ‘condemned’ phones and laptops has become a staple of the informal economy. Promising ‘good prices’ for broken hardware, these itinerant buyers are fuelling a booming trade.
However, a troubling reality lies beneath the transaction: Nigerians aren’t just selling scrap metal; they are unknowingly selling their passwords, bank access, and private identities.
To the average seller, a phone that won’t power on or has a shattered screen is worthless. But the internal storage remains a goldmine. Even if a device is damaged, data often stays intact. Many devices are sold with active logins for banking apps, social media, and emails. If a SIM card is left inside, it becomes a tool for intercepting OTPs, giving strangers total control over the victim’s financial life.
Caught in the act
While efforts are being intensified in Nigeria to curb the menace, a 31-year-old Dare Oladimeji was caught in the act. He was arrested by the Special Anti-Robbery Squad for hacking. The culprit boasted that he could hack a phone even if it is locked. All he needed to do to hack someone’s account was to hack their SIM card.
Oladimeji, a senior secondary school certificate holder who learned to hack SIMs from Google, was arrested after security operatives tracked the suspect to the Idi-Oro area of Lagos state, for an investigation that included the withdrawal of N200,000 from a victim’s account.
Speaking to journalists, he said he began the hacking business after he returned from Dubai.
“I decided to venture into this business, which is a small version of Yahoo Yahoo, because I didn’t want to go into robbery.
“At Idi-Oro, there are pickpockets; when they snatch phones from victims, they will throw the SIM cards away. What I do is go looking for these SIM cards and continue from there.
“I work on SIM cards to get money. When I lay my hands on any, I would slot it into any small phone that is not an Android. When that is done, I would press a code that brings out the list of banks the owner of the SIM uses. For example, if the person is using GTB, I will proceed with the normal code of *37*100#. If the person has money, we will use it to buy a recharge card to confirm how much the owner has, through the debit alert that would pop up to reveal the balance. Thereafter, we would transfer the money into donor accounts, from where we would withdraw the money.
“Locking of phones with a password does not stop me from hacking into any account, as long as I can lay my hands on the SIM card. All I need to do is remove the SIM and slot it into a small phone. The only thing that can prevent me from hacking into an account through a phone is when the SIM card itself is locked. But most people don’t lock their SIM cards; they only lock their phones. You can only beat my likes to the game if you lock your SIM card because only the owner knows the password.”
NCC insists all SIMs are linked, traceable
The Executive Vice Chairman, Nigerian Communications Commission, Dr Aminu Maida, said the stronger the country’s infrastructure, the better it helps in tackling challenges.
“When I assumed office, one of our key actions was concluding the NIN-SIM linkage policy.
Today, every SIM card is linked to a validated NIN. This means that in the event of any incident, identities can be traced, and security agencies have access to that information.”
Further, last month, NCC proposed that telecom operators must give subscribers a minimum of 14 days’ notice before deactivating their SIM cards over inactivity or postpaid churn.
The proposal is contained in a consultation paper, titled: ‘Stakeholders Consultation Process for the Telecoms Identity Risks Management Platform,’ dated February 2026 and published on the Commission’s website.
Under the proposed amendments to the Quality-of-Service Business Rules, the NCC stated that “prior to churning of a post-paid line, the Operator shall send a notification to the affected subscriber through an alternative line or an email on the pending churning of his line.”
It added, “This notification shall be sent at least 14 days before the final date for the churn of the number.”
A similar provision was proposed for prepaid subscribers. The commission said, “prior to churning of a pre-paid line, the Operator shall send a notification to the affected subscriber through an alternative line or an email on the pending churning of his line,” stressing again that the notice “shall be sent at least 14 days before the final date for the churn of the number.”
Currently, under Section 2.3.1 of the QoS Business Rules, a subscriber line may be deactivated if it has not been used within six months for a Revenue Generating Event and if inactivity persists for another six months, the subscriber may lose the number, except in cases of network-related faults.
Stemming the tide
Cybersecurity expert and CTO, Cyber Insight, David Nwobodo, warned that even non-functional devices must be handled with care.
Nwobodo said before selling, users should remove physical storage (Always pull out SIM and SD cards), factory reset (if the screen works, wipe all data, and physical destruction, if the device won’t power on, the hard drive or storage chip should be physically destroyed or removed.
In an interview with The Guardian, Chief Digital Officer, Lotus Bank, Akin Adegoke, said re-allocated SIMs must be de-linked from ex-users to curb fraud.
According to him, the solution is in coordination, not more customer warnings. He said banks and telcos should establish a secure, real-time notification system where any SIM swap or number reassignment automatically triggers a status update to the linked bank.
This report is produced under the DPI Africa Journalism Fellowship Programme of the Media Foundation for West Africa and Co-Develop.
Adegoke said before authorising sensitive transactions, the bank should be able to confirm whether the SIM has been recently recycled. “If it has, the system can temporarily step up authentication or restrict high-risk activity. This does not require reinventing infrastructure. It requires agreed standards, shared responsibility and regulatory backing to make real-time information exchange mandatory rather than optional,” he stated.
Further, he said: “IF a SIM is reassigned without the previous owner de-linking their Bank Verification Number (BVN), the bank’s system should automatically treat that number as high-risk the moment its status changes. Digital banking cores can trigger a temporary freeze on high-value Unstructured Supplementary Service Data (USSD) transfers, block profile changes, and require stronger re-verification before any sensitive transaction is approved. This should be automatic, not customer-driven. Once a SIM tenure is reset or a swap is detected, risk controls must activate immediately to protect the account until identity is properly confirmed.”
Building the real-time trust bridge
Goke Adekanmbi, a fintech specialist, said to curb the bleeding, Nigeria must evolve its DPI from a collection of static databases into a living, breathing network of interoperable systems.
He said the ‘handshake’ must become mandatory and instantaneous. According to him, the moment a SIM swap is initiated, a DPI-enabled signal should automatically trigger a 24-hour ‘Financial Deep Freeze’ on that number across all Nigerian banks.
Adekanmbi said instead of a telco agent simply looking at a NIN slip, the swap should require a real-time biometric match against the user’s BVN record. He said if the fingerprints don’t match the bank’s record, the swap is denied.
“Banks should be required to query the NCC registry before processing any USSD transaction above a certain threshold (e.g., ₦50,000) to ensure the SIM hasn’t been swapped in the last 48 hours,” he stated.
This report is produced under the DPI Africa Journalism Fellowship Programme of the Media Foundation for West Africa and Co-Develop.
