Nigeria's National Identification Number (NIN) is an 11-digit government identity number linked to a person's biometric data, address, and personal records. Attackers systematically query NIN verification endpoints to build databases of real citizen identities for fraud.
Think of it this way
Your NIN is tied to your fingerprint, face, and address at NIMC. Someone enumerating NINs is like a fraudster flipping through an identity register, photographing every page — building a stolen catalogue of real people's identities.
Apps that integrate with NIMC or third-party NIN verification services expose endpoints that accept a NIN and return personal information. Attackers probe these endpoints at scale using bots, harvesting name, date of birth, state of origin, and other PII for every valid NIN they find. This data powers identity fraud, SIM swap attacks, and fraudulent account creation.
Scenario 1
A fraudster probes a telecom's NIN verification API with 100,000 NIN guesses per day. After a week, they have 300,000 verified identities which they use to register SIM cards, open bank accounts, and apply for government subsidies in victims' names.
Scenario 2
An attacker uses NIN enumeration to identify a specific victim's government name and date of birth, which they then use to convince a carrier agent to perform a SIM swap.
Anomira tracks request patterns to NIN verification endpoints, flagging sessions that query many different NIDs in sequence, especially from unauthenticated or newly created accounts.
See this attack in your live API traffic
Anomira detects nin enumeration automatically — no configuration needed.