By Chijioke ARINZE
IN this investigation, Arinze Chijioke tells the story of how civic organisations have come under repeated digital attacks, raising concerns about a shrinking civic space and the growing threat these actions pose to transparency, accountability, and democratic engagement in Nigeria. The findings point to a broader reality: Nigeria is becoming an increasingly unsafe environment for civil society organisations seeking to hold the government accountable.
On Tuesday, April 4, 2023, two months after Nigeria’s presidential election, the website of the International Society for Civil Liberties and Rule of Law (Intersociety) was attacked and rendered inaccessible. Founded in 2008, Intersociety is a prominent Nigerian-based non-governmental organisation based in Onitsha, Anambra State. It focuses on promoting human rights, democracy, and the rule of law through research, advocacy, and investigations into security issues, particularly targeting religious violence and state-backed persecution.

Before the election, Intersociety was critical of the Independent National Electoral Commission, INEC, questioning its legitimacy and capacity to conduct a free and fair poll. For instance, the NGO released a damning report about how the commission allegedly planned to rig the election, using the voter registration and revalidation exercises. After the election on March 26, 2023, it released another report, detailing the names of 50 top Nigerian university professors who were alleged to have played various “conspiratorial roles in the rigging of the election.
“We received life-threatening and distracting calls from agents of professors, and others alleged to have been involved in the electoral fraud that characterised the 2023 elections,” Executive Director of the NGO, Emeka Umeagbalasi told The ICIR.
What followed was an attack on Intersociety’s website.
After the attack, Umeagbalasi was informed by the domain host that the website’s hosting was suspended following numerous complaints and petitions that had originated from Nigeria and were strongly linked to alleged “subversive agents” within the government of former President Muhammadu Buhari. These actors, according to him, operated across the security and intelligence establishments.
The April attack was not the first. However, it shows a troubling pattern, the sustained targeting of civic organisations through coordinated cyber disruptions that threaten not just their operations, but the broader space for dissent and accountability in Nigeria.
Big on purchase of surveillance tech
In its report on the state of deployment of surveillance technologies in Africa, Paradigm Initiative said that funding for surveillance technologies has increased in Nigeria over the last two decades. According to a report by the Committee to Protect Journalists (CPJ), the government spent at least 127 billion naira on surveillance and security systems between 2014 and 2017, with about N46 billion spent on surveillance capabilities in 2017 alone. In 2020, the government budgeted $9 billion for surveillance-related activities.
Another report by the Institute for Development Studies, “Mapping the supply of surveillance technologies to Africa”, found that Nigeria is Africa’s largest customer for surveillance technologies, spending at least $2.7bn on surveillance technologies in the last decade.

“The technology has been used to spy on peaceful activists, opposition politicians, and journalists,” the report stated. “Nigeria spends hundreds of millions of dollars annually; the total of known contracts 2013–22 exceeded $2.7 billion.”
The most common categories of digital surveillance technologies imported by Nigeria, as noted by the report, include internet interception technologies, mobile phone interception technologies, social media surveillance technologies, safe city technologies for surveillance of public space, and biometric ID surveillance technologies.
These surveillance technologies are supplied by companies predominantly from the USA, China, Europe, and Israel. This commercial trade, the report stated, facilitates the violation of citizens’ rights to privacy and anonymity, and freedom of expression and association.
A pattern of attacks
Between 2018 and 2023, with the exception of 2020, Umeagbalasi revealed that the website was taken down at least five times and has also suffered more than 50 Trojan (malicious software disguised as legitimate, non-replicating code that tricks users into installing it to steal data or create backdoors) and other virus attacks, an average of about ten incidents annually.
“We often face attacks each time we release detailed and high-profile reports on insecurity, political participation, religious attacks, violation of the rule of law and good governance, “he said. “The government is never comfortable with our reports, so they go after our website and try to disrupt our work.
These attacks, according to him, have included malware infections, coordinated shutdown attempts, and sustained disruptions that rendered the website inaccessible. “We no longer publish reports on the website whenever they attack. It is all intended to intimidate and silence intersociety and the work that we do.”

Cyber attacks on Intersociety
The attacks are not peculiar to the organisation. Websites belonging to media organisations have also been attacked, further strengthening the argument that surveillance infrastructure is increasingly being used as a pressure point against rights-based advocacy/organisations that expose failures in governance.
After it published an investigation in November 2022, indicting a former Bauchi Police Commissioner, Umar Sanda, who attempted to help a former Information Commissioner evade justice after allegedly killing his friend, WikkiTimes became exposed to numerous cyber attacks, including trolling on social media platforms such as Facebook. Founded in 2018 to cover Northern Nigeria’s underreported regions, WikkiTimes has established itself as a leading digital investigative news outlet, focusing on social justice, human rights, and governance, and consistently exposing corruption and abuse of power.
“Sanda was not happy about our story, which was all over social media,” Haruna Mohammed, WikkiTimes’ publisher, told The ICIR. “He mobilised loyalists who reported our Facebook page for “violation of community standards, it was not hidden. “Facebook also informed us that we were being reported for that story, and the page was taken down.”
24 hours later, Wikkitimes’ website went down for several hours. Haruna said that tech experts outside Nigeria intervened and restored the website. But that did not end the attacks. After the platform exposed how the chairman of Ningi local government area in Bauchi State, Mamuda Tabla, allegedly aided and abetted loggers who engaged in deforestation inside the Lame Burra Game Reserve in the state, its website was attacked again.
“We are constantly being targeted because of our focus on accountability journalism and those we try to expose,” Mohammed said. “Oftentimes, we experience bot attacks that slow our website down.”
In April 2023, hackers reportedly breached the platform’s backend and deleted its story database, including several published articles. Also, in April 2025, its website experienced over 400 coordinated cyberattacks within a 48-hour period. The outlet’s technical support lead, Ibrahim Salisu said at the time, “Pages wouldn’t load, our admin panel was locked out, and we saw traffic from bots we couldn’t trace. It felt like someone was intentionally trying to silence us or wear us down digitally.” “It wasn’t just a random spike; it was calculated, coming at us from different directions,” he said.
Haruna explained that the incessant attacks affected operations. “We could not publish our reports or engage our audience, but it also taught us lessons, “he said.
Provisions under the law
Nigeria has several legal frameworks meant to protect rights-based advocacy/organisations from cyber attacks. For instance, Section 37 of the Nigerian Constitution guarantees privacy, protecting communications, including in the digital space, while Section 39 also guarantees freedom of expression, which encompasses freedom to disseminate information and educate the public about the activities of the government.
Chukwudi Unah, a constitutional lawyer with expertise on data privacy, said that the Nigeria Data Protection Act (NDPA) 2023 further strengthens digital privacy by regulating the collection and protection of personal data. He said that the Act further established the Nigeria Data Protection Commission to enforce compliance, adding that the law requires institutions, including public bodies, to safeguard personal data and system integrity.
While the NDPA focuses on the remedies available against the organisation that failed to protect data, the Cybercrimes (Prohibition, Prevention, etc.) 2024 punishes the attacker and criminalises unauthorised access to computer systems, unlawful interception, data interference, hacking, and system disruption.
Unah, however, noted that the Cybercrimes Act also grants security agencies powers to intercept communications and access stored data for criminal or national security purposes, usually with judicial authorisation.
“Under the pretext of ‘national security, ‘ the government often clamps down on mirrors and dissenting voices, which of course, should not be the case. Broad national security exemptions and weak oversight raise concerns that such powers may be misused.”
He maintained that where the attacker is traced to a government agency, then the best remedy will be to sue for breach of data privacy, adding that instituting class actions against public agencies or institutions is the surest way to go against data breaches.
Attacks never end
On Thursday, August 21, 2025, the website of the Foundation for Investigative Journalism (FIJ) suffered multiple Distributed Denial of Service (DDoS) attacks. The attack, traced to the National Identity Management Commission (NIMC) headquarters in Abuja, temporarily rendered FIJ’s website inaccessible to real visitors. A DDoS attack is a malicious attempt to make a server, service, or network resource unavailable by flooding it with excessive traffic from multiple, often compromised, sources (a botnet).
Attack-on-FIJ
FIJ’s editor-in-chief, Fisayo Soyombo, told The ICIR in an interview that the website was attacked shortly after it published investigations exposing websites that were illegally selling Nigerians’ personal data, including National Identification Numbers (NINs) and Bank Verification Numbers (BVNs). The platform had been documenting stories of these websites illegally selling the data of Nigerians at cheap prices since 2024.
The investigations revealed that some platforms were offering access to NIN records for as little as N100 to N150. Some of these black market sites include Xpressverify, NINPrint, NINCard, nimcverify.ng, with the most recent story in the series detailing how IloTech, a virtual top-up platform, was secretly selling Nigerians’ NIN records for as low as N180.
These illegal websites were taken down after FIJ’s stories, but that came at a cost for the platform. Technical analysis cited by FIJ traced a significant volume of the traffic to an IP address linked to the headquarters of the NIMC.
“Someone at NIMC, who was profiting from these private websites, was not happy and thought we were taking business from them and decided to strike,” said Soyombo. “We were grounded, we could not publish, we had staff coming to the office, and they could not write stories because there were no places to publish them.”
He explained that the website got over 50,000 requests within an hour, and within a 72-hour period, the site received more than 2 million malicious requests designed to overwhelm its servers and force it offline.
Soyombo explained that an insider at the NIMC confirmed the attack but claimed that it was a mistake and that the commission was going to release a statement and apologise. However, no apology has been issued to date.
Okike Benjamin, a professor of computer security at the University of Abuja and cybersecurity specialist, said that DDoS attacks work by utilising a botnet—a network of internet-connected machines, otherwise called bots or zombies, which may include computers, IoT devices, smartphones and are usually infected with malware, which is software specifically designed to disrupt, damage, or gain unauthorised access to a computer system.
“The attacker sends data requests to a target IP address, thereby exhausting its bandwidth or resources, hence preventing legal users’ access to such resources,” he explained. The infrastructure required to carry out a Distributed Denial-of-Service (DDoS) attack varies from one attack to another, and these bots are usually controlled remotely by an attacker.”
He said that threat actors, ranging from individual hackers to sophisticated nation-state group hackers, typically have the capacity to launch these attacks, often with the sole aim of disrupting services, extorting money, or causing chaos.
“These attacks have become highly accessible due to the proliferation of botnets, which are networks of compromised internet-connected devices. DDoS is available for hire, thereby making it possible for even inexperienced actors to launch substantial attacks
To attribute an attack to an actor, Benjamin said you look out for Metadata: Timestamps, keyboard layouts, file system paths, and user language settings which may be used to reveal the attacker’s time zone, System Logs & Forensic Memory: Evidence in RAM, such as running processes, unencrypted data, and executed console commands may be used to link an actor to a particular attack and Data Staging: Evidence of how attackers collected and compressed data before illegal access of sensitive data of a victim.
“Investigators trace the origin of malicious traffic through a systematic process known as network forensics. This involves capturing, recording, and analysing network traffic and logs to reconstruct the attack and identify the source of attacks. Sometimes, these attackers deploy Virtual Private Network (VPN) to conceal their identities. With some tools, the real IP addresses of attackers may be revealed,” he explained.
He further explained that while IP-address tracing is generally not highly reliable if considered in isolation, it may be a pointer to the location of an attacker. “In any case, this can assist in identifying ISP and a geographic location, but it hardly gives the attacker’s physical location, “he said.
Crackdown escalates four months after
Four months after the attack on the website of FIJ, on December 22, 2025, a senior investigative reporter with the platform, Sodeeq Atanda, was arrested by men of the Nigeria Police Force (NPF) in Owutu, Ikorodu area in Lagos State.
Two weeks earlier, on December 6, the police had tried to track him, but they could not get his exact location. So, they resorted to tracking his neighbours, abducting his wife and nine-month-old baby, whom they used as bait to arrest him. Atanda was subsequently taken to the Force Headquarters, Obalende, Lagos.
“I had noticed during a routine digital check that the ‘conditional call forwarding’ had been activated on the two lines inside my phone, the feature that had previously been inactive, “he recalled. “Similarly, when manually checked, the first line had “forward calls to +234616” when busy and “forward calls to +234616” when unreachable. Meanwhile, the second line had “forward calls to +234611” when unanswered, and “forward calls to +234611” when unreachable,”’.
He explained that the forwarding interferences could not be disabled.
“The system response read “Failed to read data, Unable to deactivate call diverting when phone is unreachable, unsupported by operator when we attempted to cancel it,” he said. “Soon, my phone also became hot without any user activity, a sign of interference.”
The suspected tracking happened three months after Atanda returned from the Ekiti State Police Command, where he was detained for eleven hours following a petition by Abayomi Fasina, the vice chancellor of the Federal University Oye-Ekiti (FUOYE).
Atanda had published a series of investigations documenting sexual misconduct involving Fasina and Raphael Segun Larayetan, a lecturer in the same university, who allegedly sexually harassed and raped students in the Department of English and Literary Studies.
While in detention, Atanda said that he kept his phone safely far away from the station to avoid privacy invasion, but the police collected his phone number and other personal details, which they will later use to track him down.
Protection only on paper
There is a general consensus among sources interviewed that legal provisions against cyberattacks only exist on paper. They also believe that government agencies responsible for handling such cases never take it seriously.
After the attacks on WikkiTimes, Haruna said that he asked the platform’s lawyer to petition both the police and the Department of State Security Service, DSS, hoping that an appropriate investigation would be carried out. But they ignored it.
“Nobody reached out to offer help, and we were not surprised because you cannot be a judge in your own case,” he said, “They are the same people we are trying to investigate for failing in their responsibility.”

Attacks-against-Wikki Times
Soyombo said that he could not report to the government to take action because it was a government agency that took the website down in the first place. “You don’t expect them to act when they are responsible.”
Umeagbalasi says Intersociety does not bother to complain to security agencies when there is an attack because its investigation has pointed accusing fingers at them.
“We don’t have a responsible government; what we have is one that is committed to destroying the civic space, and so, we cannot even be talking about how attacks can be addressed. Also, the principles of criminal investigation are dead in Nigeria. We just had to find new ways of better protecting our websites from further attacks.”
For Umeagbalasi, attacks on civic organisations and those that strive to promote transparency are worrying because the civic space is increasingly being stifled. Now, he said that organisations that used to be vibrant in protecting human rights and holding powers to account have become weak, without independence.
“What we now have is a transformation into tyranny and dictatorship, with no dissenting voices, despite the salient provisions in the constitution about civil liberties, rule of law and freedom of expression.”
For Haruna, the government and security agencies must not see media organisations as enemies but collaborators in the business of deepening democracy and entrenching accountability. He, however, said that while Wikki times cannot completely be immune to cyberattacks, the platform has now subscribed to services that allow it to be informed early enough about impending attacks and also help to prevent them from occurring. “We also try to use End-to-end encrypted platforms for communication.”
Nigeria actually has laws that allow surveillance of citizens
While Nigeria has several legal provisions that protect rights-based advocacy/ organisations from cyber attacks, there are also specific provisions of the law that permit the state and security agencies to access, track or monitor citizens’ communications. For instance, section 45 of the 1999 Constitution (as amended) allows the government to restrict rights, including privacy, when it is reasonably justifiable in a democratic society for purposes like defence, public safety, public order, or protecting the rights of others.
The Nigerian Communications Act (2003) also empowers the Nigerian Communications Commission (NCC) to order telecom operators to intercept private communications and disclose data to authorised officers in the interest of public safety or national security. There is also the Lawful Interception of Communications Regulations (LICR) 2019 issued under the Nigerian Communications Act, which provides that licensed “Authorised Agencies” (e.g., State Security Service, Office of the National Security Adviser, Nigeria Police Force) can intercept communications with a court-issued warrant for National security, preventing or investigating a crime, Public safety or emergencies.
However, the regulations create a narrow exception for urgent circumstances. In cases involving imminent danger to life or credible threats to national security, interception may be carried out without prior judicial approval. Even then, the law imposes a safeguard: the agency must apply for a warrant within 48 hours after the interception. If a warrant is not granted, the interception must stop.
While the Cybercrimes Act of 2015 makes unauthorised interception illegal and punishable with fines and imprisonment if done without proper legal authority, Section 39 enables courts to issue interception orders when there are reasonable grounds that the communications are required for criminal investigation or prosecution.
Furthermore, the Terrorism (Prevention and Prohibition) Act, 2022, in Nigeria empowers a court to issue an Interception of Communication Order to combat terrorism, specifically under Section 68 of the Act.
While these laws establish safeguards such as judicial warrants and post-interception approvals, credible evidence across Africa suggests that legal authorisation does not always translate into effective accountability. For instance, a 2021 analysis by the Brookings Institution shows that the growing use of digital espionage tools, including sophisticated spyware, is “risking worsening authoritarian tendencies” and raises fundamental questions about whether security agencies are being adequately held to account.
In practice, the analysis shows that governments have deployed these tools not only for legitimate security purposes but also to monitor journalists, opposition figures, and civil society actors, often under broadly defined national security justifications, and this creates a critical accountability gap.
Although Nigeria’s legal framework, from the Constitution to the Cybercrimes Act and LICR 2019, formally requires judicial oversight, for instance, the same laws contain ambiguous grounds such as public safety and national security, which can be invoked to legitimise intrusive surveillance.
Across Africa, such ambiguities have enabled a rise in “digital repression,” where surveillance tools are used to track dissent and restrict civic space, frequently with limited transparency or independent oversight. In this context, the issue is less about the absence of laws and more about the weakness of enforcement and oversight mechanisms.
No response from government
On Thursday, April 2, 2026, this reporter sent a freedom of information request, FOI to the National Cybersecurity Coordination Centre (NCCC), specifically requesting the technical infrastructure, tools, and institutional frameworks available to the NCCC for monitoring, detecting, attributing, and responding to cyber threats affecting digital platforms operating within Nigeria and detail on whether the NCCC has received complaints, petitions, or intelligence reports concerning cyberattacks against organisations engaged in governance accountability, human rights advocacy, or investigative journalism, and the outcomes or current status of such cases.

FOI-Request

Also, this reporter requested details on whether the NCCC has identified any patterns, trends, or actors (state or non-state) linked to cyberattacks targeting Nigerian civic organisations or media platforms and clarification of the legal framework guiding the NCCC’s cybersecurity monitoring and intervention activities, including applicable laws and internal safeguards designed to prevent misuse or overreach, particularly in relation to journalists, media organisations, and civil society actors.
Furthermore, this reporter requested details of internal and external oversight structures governing the deployment of cybersecurity tools and operations, including audit processes, reporting obligations, and any independent review mechanisms to ensure accountability and protection of civil liberties and clarification on whether the NCCC collaborates with other security or intelligence agencies in monitoring or responding to cyber activities involving civil society or media organisations, and the legal basis for such collaboration.
Despite the expiration of the seven-day response window on Tuesday, April 14, as required by the FOI Act, the centre had yet to respond as of the time of publication.

