Subdomain Takeover of Nigeria Police Service Commission Website: Technical Report Released

February 5, 2026
Cybercrime, Resources
1 min read

Web Security Lab has released a technical incident report documenting a subdomain takeover involving website infrastructure operated under the Nigeria Police Service Commission (PSC).

The report details how the subdomain recruitment.psc.gov.ng, historically used as an official police recruitment portal, was repurposed in December 2025 to serve pornographic and search-engine-optimised spam content.

The incident coincided with the public announcement of a nationwide police recruitment exercise, increasing the likelihood of public exposure to the compromised subdomain.

Key Findings

According to the report:

  • The recruitment subdomain had been operationally inactive but remained publicly resolvable
  • Its DNS configuration was modified to point to external cloud infrastructure
  • TLS certificate issuance confirmed third-party control of the subdomain
  • The deployed content was structured for SEO manipulation and monetisation
  • Significant search engine indexing and traffic exposure occurred

The investigation was conducted externally using publicly available technical data. As such, it does not determine the administrative pathway through which the DNS modification occurred, including whether the change was authorised or the result of unauthorised access.

However, the content subsequently served under the subdomain was clearly unrelated to official government operations and constituted misuse of a trusted government web asset.

Disclosure and Remediation

Web Security Lab identified the incident on 20 December 2025 and notified the Police Service Commission on 24 December 2025.

Following a lack of response, the matter was escalated on 12 January 2026 to Galaxy Backbone, the authoritative DNS operator for psc.gov.ng.

On 13 January 2026, the DNS A record for the affected subdomain was removed, rendering it offline.

Broader Implications

The report highlights systemic risks associated with legacy government subdomains that remain active after operational use has ended.

Such subdomains can be repurposed for abuse without requiring exploitation of core systems, creating exposure to reputational harm, misinformation, and fraud.

The case underscores the need for stronger subdomain lifecycle management, DNS governance controls, and continuous monitoring across public-sector web infrastructure.

Access the Full Report

The complete technical incident report is available for download:

Subdomain Takeover of Nigeria Police Service Commission Website — A Technical Incident Report

You may also like