Bank Verification Numbers (BVNs) are 11-digit identifiers used by the Nigerian banking system to link a person to all their financial accounts. Attackers probe BVN lookup APIs by cycling through number combinations to harvest personal financial data at scale.
Think of it this way
Nigeria's BVN is like a master key to someone's entire banking identity. Enumerating BVNs is like a thief standing at a hotel front desk and trying every room key card from 00000000000 to 99999999999 until they find ones that open doors.
Many fintech apps expose BVN verification endpoints to check if a BVN belongs to a real person or to match it with account details during onboarding. Attackers discover these endpoints and write scripts to query them in bulk — trying sequential or known BVN patterns — and record which ones return valid user data. This harvested data is used for identity fraud, account impersonation, or sold to other criminals.
Scenario 1
An attacker targets a neobank's BVN verification endpoint used during onboarding. They send 50,000 requests over 6 hours with sequential BVNs. 12,000 return valid matches, giving them names, dates of birth, and linked phone numbers, enough to fabricate KYC documents.
Scenario 2
Fraudsters enumerate BVNs through a lending platform's eligibility check API to build profiles of real Nigerians with clean credit histories. They use this data to apply for loans in victims' names.
Anomira monitors for high-frequency calls to BVN or identity-verification endpoints from a single IP or session, sequential patterns in the submitted identifiers, and an abnormally high ratio of valid responses suggesting successful enumeration.
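The three signals above can be sketched as a per-client, per-window check. This is an added example, not Anomira's implementation or code from the original page. The thresholds, the event tuple layout, the signal names and the sample traffic are all constructed assumptions, and the valid-response ratio is only judged once lookup volume is high, because a single genuine user checking their own BVN also produces mostly valid responses.

```python
from collections import defaultdict

# Thresholds are illustrative assumptions, not values from the page or any product.
WINDOW_SECONDS = 600      # fixed bucket width
MAX_DISTINCT = 20         # distinct BVNs one client may look up per window
MAX_SEQ_FRACTION = 0.5    # share of consecutive lookups that differ by exactly 1
MAX_VALID_RATIO = 0.2     # share of matches, only judged once volume is high

def detect_enumeration(events):
    """events: iterable of (epoch_seconds, client_id, bvn, matched).
    Returns {(client_id, window_start): [signal names]} for suspicious windows."""
    buckets = defaultdict(list)
    for ts, client, bvn, matched in sorted(events):
        buckets[(client, ts - ts % WINDOW_SECONDS)].append((bvn, matched))
    alerts = {}
    for key, rows in buckets.items():
        # Ignore malformed input for the sequence test; BVNs are 11 digits.
        nums = [int(b) for b, _ in rows if len(b) == 11 and b.isdigit()]
        distinct = len(set(nums))
        steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
        seq_fraction = steps / (len(nums) - 1) if len(nums) > 1 else 0.0
        valid_ratio = sum(1 for _, m in rows if m) / len(rows)
        signals = []
        if distinct > MAX_DISTINCT:
            signals.append("high_frequency")
            if valid_ratio > MAX_VALID_RATIO:
                signals.append("high_valid_ratio")
        if len(nums) >= 5 and seq_fraction > MAX_SEQ_FRACTION:
            signals.append("sequential_identifiers")
        if signals:
            alerts[key] = signals
    return alerts

# Constructed sample traffic (not real BVNs, clients, or logs).
SAMPLE = (
    # client 10.0.0.5: 30 consecutive identifiers, one every 10 s, every 4th matches
    [(1200 + 10 * i, "10.0.0.5", f"{22100000000 + i:011d}", i % 4 == 0) for i in range(30)]
    # client 10.0.0.9: one user mistypes once, then succeeds
    + [(1200, "10.0.0.9", "22345678901", False), (1230, "10.0.0.9", "22345678910", True)]
    # client 10.0.0.7: 25 scattered identifiers, most match (list-based probing)
    + [(1200 + 5 * i, "10.0.0.7", f"{22000000000 + i * 7919:011d}", i % 5 != 0) for i in range(25)]
)

if __name__ == "__main__":
    for (client, start), signals in sorted(detect_enumeration(SAMPLE).items()):
        print(client, start, signals)
```

Keying the buckets on IP alone misses traffic spread across many addresses, so the same function can be run a second time with a session or API-key identifier in the `client_id` position.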