AI-generated image of an African man and woman accessing the scam website. Photo source: ChatGPT.
|
Getting your Trinity Audio player ready...
|
In 2026, Adejọkẹ (not real name), a youth corps member, was excited when she saw a link to apply to serve as an ad-hoc staff member of the Independent National Electoral Commission (INEC) in a WhatsApp group.
She was excited about the possibility of participating in the off-cycle gubernatorial election scheduled for August 15, 2026, in Osun State.
Without hesitation, she opened the recruitment link in her phone’s browser, filled out the form, and shared it with her friends.
“I didn’t know that there would be a consequence for my action,” Adejoke said in a conversation with DUBAWA.
Barely a week after submitting her application, she received an unknown call from a hidden phone number instructing her to send a One-Time-Password (OTP).
“At first call, I didn’t pick it up because it wasn’t showing the caller ID. It rang again and again, and I had to answer without saying a word. The person sounded like a foreigner saying: Congratulations, when you see the code, call it for me. A cryptocurrency code popped up.” I asked him, “What’s the meaning of cryptocurrency?” He hung up.
It didn’t end there; Adejọkẹ’s email inbox was flooded with unsolicited online investment-advertising.
This occurred in the second week of January, when unsuspecting Nigerians circulated a link (archived here) disguised as a recruitment portal for INEC’s Ad-hoc staff role on Meta platforms, Facebook and WhatsApp.
A caption that accompanied the link stated that the commission intends to train and employ about 100,000 Nigerians as ad hoc staff for the upcoming elections. The electoral commission released a disclaimer on its official Facebook page on Jan. 6, 2026, flagging the purported link as fake.
The commission disassociated itself from what it described as an “unauthorised website” circulating false recruitment claims.
INEC advised the general public and the prospective applicants to stay glued to its official platform, INECPRES, for any recruitment updates.
“Do not click on or register on suspicious or unofficial links. Do not submit personal details (BVN, passwords, OTPs, or bank details) on non-INEC platforms,” the Commission warned.
As of Jan. 30, 2026, DUBAWA found no evidence that INEC attempted to report the website’s spread or hold any perpetrator accountable. When contacted through the commission’s Citizen Contact Unit (ICCU) and its social channels regarding possible takedown, DUBAWA received no response.
Website continues to thrive
However, the fake website continues to thrive in Nigeria despite INEC’s official statement.
On Jan. 17, 2026, Ezeifekwuaba Benedict, a 36-year-old plumber, saw the link and applied after someone forwarded the link to him on WhatsApp.
“I was eager to participate in the 2027 General Election, and this was my first time, so I needed to give it a try,” he said.
He regretted being naive enough to submit his name, email and phone number on the website.
“It looked so real, and that was why I applied. The truth of the matter is that when you apply, you will see positive comments from those who have also applied,” Benedict described the interface.
The ongoing virality prompted DUBAWA to trace the origin of the link using Open-Sourced Intelligence (OSINT).
Upon accessing the fake link, DUBAWA found a poorly designed interface compared to the original INEC portal.
It was confirmed that after applications, the website instructed applicants to share it with five groups or 15 contacts on WhatsApp, a clear attempt to access more personal information without safeguards.
A cross-border operation
For the past few months, a website domain, okripeti.org, based in the United States, has been scraping data without caution from Malawi, Ghana, Nigeria, Tanzania and Uganda.
In every website, there are three indicators – Protocol, Domain and Path. In the case of the purported link, Okripeti.org is a website domain using a dubious domain name to imitate INEC and other personalities in Africa.
An open-sourced investigation unravelled the domain’s past activities using URLScan, a website-scanning tool.
DUBAWA discovered that the website leverages GitHub, a hosting provider, to create malicious 18 scam paths’ entries that dubiously collate data of unsuspecting Africans.
In September 2025, the perpetrator lured Malawians to exchange their personal data for free 20GB of internet data to commemorate Peter Mutharika’s re-election as president.
Barely a month later, the perpetrator used the same strategy on another webpage featuring a picture of Yoweri Museveni to celebrate Uganda’s 63rd anniversary.
The scheme turned to Ghana in October 2025 during the 41st birthday of Shatta Wale, a prominent Ghanaian musician. The link shared in the West African country featured his image, promising free Internet for everyone.
Tanzanians, still reeling from the election that brought Samia Hassan to power as their first female president, also saw what appeared to be 20GB of free internet data in October.
Unsuspecting victims in each country clicked the links and submitted their personal information, only to be disappointed by freebies that never arrived.
Data privacy, obligations, and violations
Personal data, such as name, gender, language, phone number, and tribe, helps differentiate individuals’ identities worldwide. These confidential details are often required at any stage of the registration process by public, private, and social institutions.
As fraud and impersonation skyrocketed, governments worldwide compelled institutions and service providers to implement data privacy policies, ensuring the absolute safety of their clients’ or customers’ personal data.
In Nigeria, the National Data Protection Commission (NDPC) enforces the Nigeria Data Protection (NDP) Act 2023, which protects Nigerians’ data privacy and regulates the dissemination of malicious websites or links.
However, this is not the first time websites like Okripeti have siphoned Nigerians’ personal data through Meta platforms without the regulatory commission’s prior warning.
Since 2023, fact-checking organisations in Nigeria have debunked the authenticity and virality of such links on Meta, as found here, here, here, here, and here.
Meta advised users to avoid clicking phishing links and showed ways to strengthen their accounts. In the privacy section, protective measures include enabling two-factor authentication.
However, Meta has been accused of negligence in protecting the digital identities of over 38.7 million Nigerian Facebook users, in favour of higher revenue.
Its help centre only encourages steps to report a post or page, and this requires massive clicks on a ‘report button.’
DUBAWA lodged a complaint with Meta via its AT3 agency on February 3, 2026. Our Freedom of Information Act (FOIA) request was acknowledged by the agency, assuring us it would be shared with the appropriate team. Despite our follow-up mail, neither Meta nor its partners responded till press time.
Meta’s gaps in its online safety system and its failure to remove scam links on its platforms promote information disorder in Africa, where digital literacy lags behind.
Legal provisions on data privacy in Nigeria
We explored specific obligations regarding cross-border transfer and processing of personal data under the Nigeria Data Protection (NDP) Act 2023. The concept of “duty of care” in relation to data controllers and data processors is well stated in Section 24(3).
This duty encompasses processing personal data fairly, lawfully, transparently, and securely, which directly applies to social media platforms as data controllers/processors.
Section 29 also imposes obligations on data controllers and data processors when engaging other processors. The Act requires data controllers and processors to ensure compliance, assist in fulfilling data subject rights, and implement appropriate security measures.
Social media platforms that outsource data processing must ensure these duties of care are upheld. Meta, in particular, has fallen short in this regard.
Where a data controller or data processor fails to comply with orders under the Act, Section 49 provides for offences and penalties, ranging from fines to imprisonment.
On cross-border data transfers, Section 41(a) prohibits the illegal transfer of personal data from Nigeria to another country unless the recipient is subject to a law, binding corporate rules, contractual clauses, a code of conduct, or a certification mechanism that provides an adequate level of protection in line with the Act.
Under Section 43(a), the data subject must have given informed consent; or (b) transfer is necessary for contract performance involving the data subject.
The question now is, “Who is the data controller or processor enabling the scam?”
Unmasking the dangerous domain
Using WHOIS, an open-source tool for checking webpages and domains, DUBAWA discovered that the website was registered with NameCheap Inc. on Aug. 16, 2025, and updated on Sept. 11, 2025. Further analysis revealed that the perpetrator began pursuing its evil path on the same day.
NameCheap Inc. offers domain name registration and web hosting services, serving customers in the United States.
Corroborating WHOIS’s verdict, ICANN Lookup, an open-source tool for website analysis, pointed to Namecheap as the website’s registrar, but hid the perpetrator’s name and contact details for confidentiality.
Further checks with URLScan revealed that the domain resolves to a United States IP address (185.199.118.153) and that GitHub hosts it.
NameCheap responds to FOIA requests
DUBAWA submitted a Freedom of Information Act (FOIA) request to NameCheap Inc., seeking additional information regarding the website and its data storage.
Feedback from their Legal and Abuse department indicated hesitation to voluntarily disclose customers’ information.
The corporation urged DUBAWA to provide a US court order or subpoena, along with the request and contact information.
After DUBAWA sent a follow-up email, NameCheap Inc.’s legal department said the domain owner’s contact details may be hidden in the ICANN Lookup under the General Data Protection Regulation (GDPR).
“Please note that we do not guarantee that you will receive a response from our customers, as we cannot force them to engage in email correspondence,” said the company.
Jonathan Agbo, a lawyer and member of the Digital Rights Lawyers Initiative, identified that sections of the NDP Act cannot be interpreted as facilitating third-party access to data (such as DUBAWA) in another jurisdiction.
He justified that NameCheap cannot comply with requests for personal data [of the perpetrator] without following due process.
“NameCheap is wary of its obligations in the USA to protect a data subject’s information without a valid order compelling its release,” he said. “The system in the US, where they don’t have a National Data protection law, requires that an order or subpoena be obtained so that they don’t incur lawsuits for breach of confidentiality,” he explained.
On how foreign journalists or civil society groups could obtain a U.S. court order or subpoena, the legal practitioner said the process would involve contacting attorneys licensed to practice in the state of the US where the order is required.
Jonathan said NameCheap’s demands do not necessarily mean denial of access to justice for victims. He stated that the company can be characterised as an enabler of fraud across all the jurisdictions where the harms were committed.
For clarity, DUBAWA contacted Rahmatullahi Muslihudeen, a cybersecurity expert, about our findings.
Rahmatullahi assessed the domain and its scamming webpages. She affirmed its existence, noting that it is run from the United States.
She verified some discrepancies which questioned the website’s authenticity.
According to her, “The site was misconfigured in page settings (wrong branch/folder), which is common with GitHub Page hosting. For instance, the server is configured only to serve specific file paths. A blank or error page will likely appear if anyone attempts to host the website on GitHub Pages with a custom domain.”
The expert explained that the personal data collected from people was stored in an external storage system for off-site collection, and that the website has no backend code.
“It’s very obvious the link is a scam because it’s not using an official domain, and it’s not meant for INEC. It has various potential risks like harvesting people’s information, phishing follow-ups, and identity data that can be used for fraud,” Rahmatullahi said.
Data breach report filed with NDPC
On Jan. 23, 2026, DUBAWA filed a case via the NDPC Information Management Portal requesting answers on the viral link and its subsequent takedown by the Commission.
An automated email confirmed receipt of the report on the same day. It stated that the Commission will look into it, and actions will be communicated accordingly.
The Commission, on Jan. 26, 2026, officially acknowledged receipt of DUBAWA’s mail and assured a swift response to the relevant departments’ questions. As of the time of filing this report, the Commission has yet to respond.
Rahmatullahi urged data regulatory bodies such as NCC, NITDA, EFCC, and cybercrime units to be proactive in enforcing rapid domain takedown of fraudulent websites. She said that stopping malicious or deceptive websites requires technical, legal, and public awareness collaborations.
She also encouraged Internet Service Providers (ISPs) to implement DNS-level blocking of malicious domains.
Lastly, she recommended greater public knowledge of digital literacy.
“Verify announcements on official websites and social media handles. Be suspicious of urgency, rewards, or pressure tactics. No HTTPS and no official domain means do not trust. If it’s not linked from the official site, it’s fake,” Rahmatullahi said.
Jonathan also added that “Victims of injustice, as in this case, can maintain an action in Nigeria to compel the rectification of the harm done to them and can do so across all jurisdictions where the harm has been committed.”
Editor’s note: The first source’s name was hidden because Section 3 (I)(18) of the National Youth Service Corps (NYSC) 2011 revised ByeLaw prohibits corps members from addressing the press without prior written consent of the State Coordinator. The headline was slightly edited after new information emerged.
Editing/ research credits
- Kemi Busari—Lead Editor
- Lois Ugbede— Sub-Editor
- Simbiat Bakare— Copy Editor
- Ropo Sekoni— Copy Editor
