A significant cyber heist targeting a major Nigerian bank has prompted a landmark court ruling ordering the restitution of over N9.3 billion in stolen funds. Justice Deinde Dipeolu of the Federal High Court in Lagos issued the directive on April 15, 2025, mandating 54 banks to immediately return the funds fraudulently transferred from the victimized bank, identified in court documents as an “old generation bank.” The court’s intervention followed a security breach on March 23, 2025, which allowed hackers to compromise the bank’s core banking system and siphon off the substantial sum. The stolen funds were subsequently dispersed across numerous accounts within the 54 implicated financial institutions. The court order represents a decisive step towards recovering the stolen assets and highlights the growing importance of judicial oversight in addressing cybercrime within the financial sector.
The court’s ruling, delivered in response to an ex parte motion filed by the affected bank (suit number FHC/L/CS/629/2025), outlines a comprehensive strategy for retrieving the stolen funds. Justice Dipeolu directed the 54 banks to implement a “Post No Debit” restriction on all accounts that received the illicit transfers, effectively freezing the assets and preventing further movement of the stolen money. This immediate action aims to secure the remaining funds while the recovery process unfolds. Furthermore, the court mandated the financial institutions to commence the immediate return of all available funds to the originating bank. This decisive action underscores the court’s commitment to swiftly addressing the financial repercussions of the cyberattack and ensuring the victimized bank recoups its losses.
The investigation conducted by the plaintiff bank revealed a sophisticated scheme employed by the hackers to launder the stolen funds. Following the initial breach, the funds were transferred in multiple tranches from the bank into primary accounts within the network of 54 institutions. These primary accounts served as a conduit, further distributing the funds to secondary and tertiary beneficiary accounts, making tracing the money a complex undertaking. This layered approach aimed to obscure the origin of the funds and make it more difficult for authorities to track and recover the stolen assets. The bank’s proactive reporting and subsequent investigation proved crucial in identifying the flow of funds and enabling the court to issue targeted instructions for their retrieval.
The court order requires the implicated banks to provide detailed information regarding the accounts involved in the fraudulent transactions. This includes disclosing the current balances of the affected accounts and specifying the amounts already transferred out, providing a comprehensive overview of the movement of the stolen funds. Furthermore, the banks are obligated to share comprehensive customer data related to the transactions, including the names of account holders and the destination accounts to which the funds were transferred. This information will be crucial in identifying the individuals who benefited from the cyberattack and potentially holding them accountable for their involvement. The level of transparency demanded by the court reflects a growing recognition of the importance of inter-bank cooperation in combating financial crime.
Justice Dipeolu’s ruling emphasizes the importance of safeguarding legitimate customer deposits while pursuing the recovery of the stolen funds. The court clarified that the order applies strictly to the erroneously transferred funds and does not infringe on other customer deposits within the implicated banks. This clarification is crucial in reassuring customers that their legitimate funds are not at risk and that the court’s actions are targeted specifically at the stolen assets. The statement, “For the avoidance of doubt and for clarity, the order is only in respect of funds erroneously transferred and sums salvaged,” reinforces the court’s commitment to protecting the interests of innocent account holders. This nuanced approach ensures that the pursuit of justice does not inadvertently penalize individuals unrelated to the cybercrime.
The ruling firmly establishes the ownership of the stolen funds, declaring that the money “belongs to the plaintiff and not the customers of the respondent banks.” This assertion reinforces the plaintiff bank’s claim to the stolen assets and provides the legal basis for the court’s directive to return the funds. By affirming its authority to direct full restitution, the court has set a precedent for future cases involving cyber-enabled financial fraud. The judgment sends a strong message to financial institutions and potential perpetrators that the judiciary will take decisive action to protect the integrity of the financial system and hold those responsible for cybercrime accountable. This landmark ruling reinforces the importance of robust cybersecurity measures and inter-bank cooperation in mitigating the risks posed by increasingly sophisticated cyberattacks.
