
Details have emerged showing how a man, operating under the alias Prince Adeyemi Adeniyi Matthew, successfully obtained an authentic, verified .gov.ng government domain website (pfipc.gov.ng).
Our investigation revealed that the arrowhead of the scam exploited deep-seated lapses inherent in the procedure for issuing government websites at the National Information Technology Development Agency (NITDA).
The gaping loopholes waiting for exploitation
An analysis of the domain registration via WHOIS records shows that pfipc.gov.ng was officially created on September 30, 2024, by NITDA webmasters.
Our investigation revealed that the exploit did not occur through a technical back-door or code-based hacking. Instead, it was done through the official registration process, achieved via elaborate social engineering and institutional forgery.
The procedure adopted by Adeyemi Adeniyi
To bypass NITDA’s vetting process, Adeyemi exploited administrative inertia and institutional silos to launch his grand scheme using high-quality forgeries:
The forged presidential mandate: Adeyemi originated an application using a fabricated official appointment letter and establishment memos, complete with falsified seals, reference numbers, and signatures purportedly originating from the Office of the Chief of Staff to the President, Rt. Hon. Femi Gbajabiamila.
The NITDA vetting bypass: To register a .gov.ng domain, an applicant must provide an official letter of authorisation signed by the political head or a Director of the establishing Ministry, Department, or Agency (MDA), stamped with an official seal.

Adeyemi presented NITDA with these cloned clearances. Because NITDA’s domain registrars lacked an active cross-verification link with the Office of the Chief of Staff or the Office of the Secretary to the Government of the Federation (OSGF) to independently authenticate reference numbers, they processed the application on the face value of the documents, assuming they had already been vetted by the presidency.
The agency’s technical staff subsequently provisioned the government website for what they believed to be a legitimate federal entity.
Sources within NITDA told Microsecondnews that this same flawed procedure was adopted for other government websites created before and shortly after the PFICP incident. However, they strongly denied that an internal mole influenced the process, asserting that staff genuinely believed they were acting on a formal request from a valid government agency.
How institutional inertia aided Prince Adeniyi Adeyemi
The policy framework required to prevent this specific brand of digital identity theft was actually conceived years earlier.
In late 2023, NITDA, in partnership with the Nigeria Internet Registration Association (NiRA), drafted comprehensive guidelines intended to overhaul the .gov.ng registry.
However, due to institutional inertia and a lack of inter-agency integration, these stricter verification protocols sat on the back burner—until the audacious scale of Adeyemi’s exploit forced an immediate, emergency implementation.
Institutional reforms and remedial steps to stop further abuse
Following the security breach, NITDA and NiRA aggressively weaponised these delayed reforms into an active, four-tier defence system designed to permanently plug registration loopholes:
Mandatory electronic identity linking
Registrants can no longer hide behind unverified or fictional staff names. The National Identification Number (NIN) of both the administrative and technical contact personnel must now be electronically linked and instantly verified through the National Identity Management Commission (NIMC) database.
End of Yahoo and Gmail accounts for applications
Furthermore, applications can no longer be initiated from a generic email. The administrative contact must use a validated, officially assigned government email address that is cross-checked directly against the Federal Civil Service database.
New document verification process
To defeat forged letterheads, NITDA has introduced an out-of-band verification process. Registrars no longer accept scanned documents at face value; instead, they utilise designated secure phone lines and physical tracking channels to verify the authenticity of authorisation letters directly with the issuing Principal Officer.
Additionally, any newly proposed entity name must pass cross-agency verification against official establishment acts or gazettes issued by the OSGF before a namespace is granted.
Structural standards & technical domain security
To secure the infrastructure from the inside out, NITDA and NiRA have accelerated the deployment of Domain Name System Security Extensions (DNSSEC).
This adds a critical cryptographic layer to all approved government domains, rendering it nearly impossible for unauthorised parties to hijack or spoof domain records.
They have also enforced strict naming hierarchies that dictate exactly how federal, state, and local governments format their subdomains (e.g., AgencyName.gov.ng vs AgencyName.StateName.gov.ng), effectively eliminating the ambiguous, look-alike naming gaps that fraudsters rely on.
Ongoing audits and enforcement sanctions
The registry has transitioned from a passive directory into an actively policed zone. Automated digital sweeps are now periodically conducted across the entire .gov.ng ecosystem to immediately flag, suspend, or permanently terminate unverified, dormant, or improperly managed government domain strings.
To guarantee compliance down the chain, NiRA Accredited Registrars now face severe financial penalties or the outright revocation of their accreditation if they attempt to process a government domain without routing it through NITDA’s primary clearance gateway first.
Read Also: From fake UN job to fake govt agency: The decade-long backstory of Prince Adeniyi




