UTME 2025 EXPOSED: How CBT ‘miracle centres’ & hackers rigged JAMB

Inside the cyber-scandal that felled JAMB’s 2025 UTME: backdoors, mercenaries and 6,458 candidates under probe — an investigative exposé.

Atlantic Post

August 23, 2025

5–8 minutes

biometric fraud, CBT centres, Cybercrime, education scandal, examination malpractice, investigative report, Is-haq Oloyede, JAMB, Nigeria education, UTME 2025

EXPOSED: How CBT “miracle centres” and mercenary hackers hacked the 2025 UTME — and why Nigeria’s exam system is bleeding credibility

The Joint Admissions and Matriculation Board (JAMB) promised a modern, tamper-proof Unified Tertiary Matriculation Examination (UTME). Instead, this year’s computer-based exercise descended into a theatre of cyber-trickery, insider betrayal and mass failure — a scandal that will stain admissions cycles for years and raise urgent questions about who really runs Nigeria’s testing ecosystem.

An exclusive, in-depth investigation of reporting by Saturday PUNCH and corroborating sources reveals a chilling playbook: rogue CBT-centre operators leak local network details to mercenary hackers; remote teams use those backdoors to log into centre servers, boot legitimate candidates offline and answer their papers for them, often before an examiner can react.

This resulted in thousands of suspiciously improved scripts, dozens of compromised centres and a credibility gap the size of the nation’s university system.

The scale of the fallout — mass failure and public anguish

The fallout was immediate and dramatic. JAMB’s own statistics showed that of roughly 1.95 million candidates who sat the 2025 UTME, more than 1.5 million scored below 200 out of 400, which represents a collapse in performance that triggered public outrage, political heat and acute scrutiny of the Board’s technology.

The scale is striking: fewer than 0.7 per cent of candidates scored above 300. Those figures have prompted parents, universities and the public to ask whether scores reflect students’ knowledge, or the success (or failure) of a high-tech racket.

When Prof. Is-haq Oloyede, JAMB’s registrar, addressed the nation in May he visibly broke down, in an extraordinary public admission of failure that underscored how severe the crisis had become.

Oloyede later authorised retests at affected centres and launched inquiries; but the damage to confidence had already spread.

The method: backdoors, IPs and mercenaries

Our investigation traces the mechanism to a predictably baneful mixture of greed and technical expertise.

A hacker who gave his alias as “Ahmed” described to PUNCH how operators of some accredited CBT centres supply Internet Protocol (IP) addresses, which effectively handed cyber-criminals a route into a centre’s local server.

Once inside, a remote “mercenary” outside the testing room takes over the candidate’s session: the legitimate candidate is deliberately logged out, told to “time themselves” and then re-presented with a completed paper they are instructed to submit.

The mercenary never sets foot in the testing room; they sit kilometres away, connected into the compromised local area network.

Ahmed’s account is not an anonymous anecdote in a vacuum: multiple sources, including education consultants, a CBT operator who admitted centres knowingly profit from fraud, and investigators, corroborate that insiders are the weak link.

Those insiders either sell credentials or allow external connections into LANs, creating what one source described as “backdoors” that bypass JAMB’s intended safeguards.

Where it happened: 19 CBT centres, some states over-represented

JAMB’s internal findings, which were later publicised, show that the problem clustered in pockets.

Nineteen CBT centres were identified for serious infractions, with Anambra (six centres) and Imo (four) topping the list, while Abia, Edo, Kano, Ebonyi, Delta, Kaduna, Rivers and Enugu also featured.

The board also identified “finger-pairing” and biometric manipulation among the techniques used.

Those regional hotspots reveal that malpractice is not random but organised, with local networks of operators, middlemen and tech-savvy fixers.

Arrests and investigations — are they sufficient?

Security agencies moved. The Department of State Services (DSS) and the Nigeria Police Force announced the arrest of at least 20 suspects connected to hacking some CBT centres.

JAMB, in turn, said it was investigating 6,458 admission-seekers for technology-enabled malpractice and inaugurated a 23-member Special Committee on Examination Infraction to report within 21 days.

On paper, these are decisive steps, but they face an uphill task in practice as digital forensics, chain of custody for evidence, and the prosecution of networks that cross state lines are complicated, costly and slow.

JAMB’s defence — and its own vulnerabilities

JAMB’s public line is blunt, as the Board maintains that its central systems are not internet-enabled and questions are transmitted to centres through localised models and access is granted via candidate biometrics.

JAMB’s spokesperson, Dr Fabian Benjamin, told journalists that the Board’s core servers were safe and that those claiming the Board’s website had been hacked were mistaken; what had been targeted were local servers at compromised centres.

That distinction is technically significant, but it also exposes a practical reality that if accredited centres’ local networks are weak, the entire CBT architecture remains vulnerable.

Who’s to blame — opportunists, operators, or system designers?

Multiple actors share responsibility.

• Greedy centre operators who monetise “guarantees” and treat accreditation as a licence to profiteer. Several operators and insiders admit centres profit handsomely from collusion with mercenaries.

• Tech mercenaries with the know-how to exploit IP leaks, manipulate sessions and bypass remote biometric checks.

• Desperate parents and candidates who fund the entire supply chain by paying large sums for “miracle centre” promises.

• Systemic weaknesses: while JAMB’s central architecture may be designed to be non-internet, the reliance on widely-distributed, often privately-managed CBT centres creates a de-facto attack surface that is only as strong as its weakest node.

It’s worth recalling JAMB’s past triumphs under Prof. Oloyede: impersonation and identity-theft cases decreased from reported highs (approximately 74,000 in an earlier era) to roughly 4,900 after biometric improvements – showing that technical measures paired with enforcement may work.

But the next generation of tech-enabled fraud is a different beast: anonymous AI-generated faces, image-blending, fraudulent claims of albinism to defeat facial recognition, finger pairing and LAN breaches necessitate tougher, forensic-grade remedies.

The stakes: admission integrity, graduate quality and social trust

There is more to this scandal than just a technical one. Career paths, university admission, and scholarship eligibility are all determined by UTME scores.

Institutions risk jeopardising the undergraduate pipeline as a whole if they cannot trust their intake.

Even worse, the public loses faith in meritocracy and social inequality is solidified when deserving students are excluded from fair competition and when the system favours those who can afford criminal aid.

What must happen next — a short, urgent road map

Independent forensic audit: Engage neutral digital-forensics teams to image centre servers, preserve logs and map the networks of collusion.

Tighten accreditation and surveillance: Re-audit all accredited CBT centres, withdraw licences where necessary and mandate tamper-proof CCTV with central streaming to JAMB’s secure endpoints.

Network hardening: Replace ad-hoc LAN connections with sealed hardware tokens, signed certificates and one-time session keys; eliminate persistent IP exposures.

Legal architecture: Fast-track prosecutions and publish case outcomes to deter insider collusion.

Public transparency: Publish anonymised datasets of irregularities and the steps taken — to rebuild trust and allow civil-society scrutiny.

Conclusion — a turning point, or the status quo?

Nigeria’s 2025 UTME crisis is a clarion call. The old battles against impersonation and paper leaks were won by a mix of policy and enforcement; the new war is digital, fast and distributed. If the Board, security agencies and governments respond with technical depth, open investigations and legal teeth, this may become a turning point.

If they rely on arrests alone and fail to fix the architecture that allowed backdoors and “miracle centres” to proliferate, we will see repeated cycles of scandal, litigation and public despair.

The moral is plain: you cannot outsource national examinations to a network of privately-run nodes without securing the weakest links.

Until that lesson is learned, and acted upon, the class of 2025 will carry the scars of a system that promised fairness but delivered farce.