SurfShark researchers documented 13 million breached Nigerian accounts on the dark web, including 150,000 additional accounts compromised during the first half of 2025. The compromised accounts of 56% of users faced threats of unauthorized access, identity theft, and extortion. The threat to digital identity has become more visible because of our increasingly connected world.
The dark web and cyber risk situations continue to deteriorate
Stolen credentials serve as fuel for worldwide automated cyberattacks. The attacks now operate through automated systems, which use malware logs, public data breaches, and phishing attacks to hide their activities. The dark web and Telegram platforms operate as a black market, where users purchase and exchange stolen credentials for access to VPNs, corporate networks, and email accounts.
Brandefense identifies the credential supply chain as fully developed because infostealer logs, breach dumps, and combolists serve as the base infrastructure for ransomware operations. The shutdown of Genesis dark web marketplaces has forced cybercriminals to adopt Telegram-based operations, which enable them to create massive amounts of stolen data through bot operations and subscription-based services.
Revealed internal communications of the Black Basta ransomware group demonstrate their sophisticated method of using combolists, Lumma stealers, and Meduza third-party logs for their operations. These attackers gain system access through initial exploitation, then stay hidden while posing as legitimate system users.
The most skilled attackers begin their attacks through brute force attempts
The attackers use credential stuffing to obtain initial system access. The combination of weak password security and insufficient MFA protection will result in major data breaches unless organizations implement identity-level controls and analytical systems.
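One way the analytical side of such controls can look, as an added example that is not from the original article: a detector that flags sources trying many distinct usernames with mostly failed logins, and separates accounts that were entered without MFA from those where MFA held. The event format, outcome labels, usernames, addresses, and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, outcome).
# Outcomes are assumed labels: "bad_password", "mfa_denied", "success".
SAMPLE_EVENTS = [
    ("203.0.113.7", "ada", "bad_password"),
    ("203.0.113.7", "bola", "bad_password"),
    ("203.0.113.7", "chidi", "bad_password"),
    ("203.0.113.7", "dayo", "success"),        # no MFA on this account
    ("203.0.113.7", "emeka", "bad_password"),
    ("203.0.113.7", "femi", "mfa_denied"),     # password valid, MFA held
    ("203.0.113.7", "gbenga", "bad_password"),
    ("203.0.113.7", "halima", "bad_password"),
    ("198.51.100.20", "ada", "bad_password"),  # ordinary user typo
    ("198.51.100.20", "ada", "success"),
    ("198.51.100.31", "bola", "success"),
]

def detect_stuffing(events, min_users=5, min_fail_ratio=0.7):
    """Flag sources that try many distinct usernames and mostly fail."""
    per_src = defaultdict(lambda: {"users": set(), "bad": 0, "total": 0,
                                   "success": set(), "mfa_denied": set()})
    for src, user, outcome in events:
        s = per_src[src]
        s["users"].add(user)
        s["total"] += 1
        if outcome == "bad_password":
            s["bad"] += 1
        elif outcome in ("success", "mfa_denied"):
            s[outcome].add(user)
    findings = {}
    for src, s in per_src.items():
        fail_ratio = s["bad"] / s["total"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            findings[src] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                # Logged in without a second factor: treat as compromised.
                "compromised": sorted(s["success"]),
                # Password is known to the attacker, but MFA stopped the login.
                "password_exposed": sorted(s["mfa_denied"] - s["success"]),
            }
    return findings

if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_EVENTS).items():
        print(src, info)
```

Accounts listed under `compromised` need a password reset, session revocation, and MFA enrolment; those under `password_exposed` still need a password reset even though the login was stopped.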
The Ransomware-as-a-Service (RaaS) model enables attackers to enhance their stolen credential exploitation capabilities. Troy Hunt, an Australian security researcher, confirmed the datasets included stealer logs and credential stuffing lists.
Initial access brokers (IABs) obtain credentials through their operations and distribute them to ransomware partners, who deploy malware to extract payment from victims. IABs operate under payment structures that reward them with ransom money for high-level credential access.
The criminals who operate in Telegram maintain their operation through well-organized systems
The bots operate as automated systems that perform request distribution, information sharing, and cryptocurrency payment processing. The stolen credential market operates through large channels with thousands of members, which distribute fresh collections of stolen credentials for advanced automated attacks.
The situation has reached a dangerous point. Attackers who move laterally inside organizations can use their access to break into entire networks. They use the valid accounts methods described in the MITRE ATT&CK framework, which enable them to bypass security boundaries and maintain persistence while stealing credentials and clearing defensive systems.
The Nigerian cybersecurity crisis faces two new challenges
The challenges are data laws that receive inadequate attention and digital security practices that continue to deteriorate. The Nigerian Data Protection Act received little enforcement: SurfShark observed that most people failed to follow its provisions, while many users maintained weak passwords and skipped two-factor authentication.
SurfShark products manager Sarunas Sereika explained that people need to share extensive personal data for daily tasks, and that this data becomes vulnerable to identity theft, dark web sales, and scam targeting.
“In the wrong hands, this data can be used to commit identity theft, for targeted scams, or sold on the dark web.”
The increasing number of data breaches leads to a rising number of stolen records, which cybercriminals use to damage digital trust among people. The stolen data records will keep destroying digital trust because they lack proper security measures. This will enable cybercriminals to perform continuous “flood” and “532” attacks.
			
			