
Flutterwave unauthorized-transfer incidents

Nigeria's largest fintech suffered a series of unauthorized-transfer incidents in 2023, including a ₦2.9 billion ($4.2M) diversion across 28 accounts and a later ₦19 billion ($24M) loss via abused POS-merchant access, prompting Mareva injunctions to freeze thousands of beneficiary accounts.

Victim: Flutterwave
Loss: $24.0M
Users: 6.0K

Across 2023 and into 2024, Flutterwave — Africa's most valuable fintech and a dominant payments processor in Nigeria — was hit by a recurring pattern of unauthorized-transfer incidents that drained billions of naira from its platform and forced repeated court action to claw back funds.

What happened

The most prominent 2023 episode began around 19 February 2023, when roughly ₦2.9 billion (~$4.2 million) was moved out of Flutterwave through 63 transactions across 28 accounts. By early March, court filings — seeking Post-No-Debit restrictions on 107 beneficiary accounts across 27 financial institutions — had become public. Online analysis suggested the funds were accessed after merchant API keys were compromised through social engineering, though the exact vector was never officially confirmed. Flutterwave publicly denied being hacked, insisting "no user lost any funds" and attributing the event to customers who had not enabled recommended security settings.

A larger incident followed. On 10 October 2023, Flutterwave discovered that point-of-sale merchants had abused their platform access — which it described as a "technical glitch" — to execute illegal transfers totalling roughly ₦19 billion (~$24 million).

Response

In February 2024, Flutterwave obtained a Mareva injunction compelling 35 financial institutions — including Access Bank, Zenith Bank, OPay, and Moniepoint — to disclose the KYC details of more than 6,000 beneficiary account holders so the company could pursue recovery via email, SMS, and WhatsApp. A further breach reported in May 2024 saw approximately ₦11 billion (~$7 million) moved through five institutions over four days using laundering-style "round-trip" transfers designed to stay below fraud-detection thresholds. Nigerian police later arrested bank customers tied to that case.
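
An added example, not from Flutterwave or the cited reporting: one way a monitoring rule could surface the round-trip pattern described above, where every transfer stays under a per-transfer alert threshold but the same value leaves an account and returns to it within a few days. The threshold, hop limit, account names and sample transfers are constructed assumptions; only the four-day window comes from the text.

```python
from datetime import datetime, timedelta

PER_TX_ALERT = 5_000_000     # assumed per-transfer alert threshold (naira); not from the page
WINDOW = timedelta(days=4)   # the four-day span the text mentions
MAX_HOPS = 5                 # assumed bound on chain length

def find_round_trips(transfers, per_tx_alert=PER_TX_ALERT, window=WINDOW, max_hops=MAX_HOPS):
    """transfers: iterable of (timestamp, src, dst, amount).
    Returns {account: score}, where score is the value that left the account
    and came back through a time-ordered chain of sub-threshold transfers."""
    edges = {}
    for ts, src, dst, amt in sorted(transfers):
        if amt < per_tx_alert:   # larger transfers already trip the per-transfer rule
            edges.setdefault(src, []).append((ts, dst, amt))

    def best_return(origin, node, start, last_ts, carried, hops, seen):
        best = 0
        for ts, dst, amt in edges.get(node, ()):
            if ts < last_ts or ts - start > window:
                continue                      # out of order, or outside the window
            flow = min(carried, amt)          # value that can have travelled the whole chain
            if dst == origin:
                best = max(best, flow)
            elif dst not in seen and hops < max_hops:
                best = max(best, best_return(origin, dst, start, ts, flow,
                                             hops + 1, seen | {dst}))
        return best

    scores = {}
    for origin, outgoing in edges.items():
        total = sum(best_return(origin, dst, ts, ts, amt, 1, {origin, dst})
                    for ts, dst, amt in outgoing if dst != origin)
        if total >= per_tx_alert:             # aggregate would have alerted as one transfer
            scores[origin] = total
    return scores

def sample_transfers():
    """Constructed data: three daily A->B->C->A loops of 4.5M, plus benign traffic."""
    t0 = datetime(2024, 1, 1, 9, 0)
    rows = []
    for day in range(3):
        base = t0 + timedelta(days=day)
        rows += [(base, "ACC-A", "ACC-B", 4_500_000),
                 (base + timedelta(hours=1), "ACC-B", "ACC-C", 4_500_000),
                 (base + timedelta(hours=2), "ACC-C", "ACC-A", 4_500_000)]
    rows += [(t0, "ACC-X", "ACC-Y", 2_000_000),                      # ordinary payment
             (t0 + timedelta(hours=5), "ACC-Y", "ACC-X", 100_000),   # small refund
             (t0, "ACC-A", "ACC-Z", 9_000_000)]                      # above threshold
    return rows
```

Because the loops repeat, every account in the ring sees value return to it and is scored, while the payment-and-refund pair stays below the aggregate cut-off.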

Impact

The cumulative incidents underscored deep weaknesses in Nigeria's payments ecosystem: weak merchant-key hygiene, inconsistent KYC enforcement across banks, and the ease with which beneficiary accounts could be opened and emptied before detection. While Flutterwave maintained that customer funds and data were never compromised, the episodes inflicted reputational damage on a company then preparing for a potential IPO and operating across more than 30 African markets.

Why it matters

Flutterwave's 2023 troubles became a reference case for fraud and insider/merchant abuse risk in high-growth fintech. They helped drive tighter scrutiny of POS-merchant onboarding and pushed the Central Bank of Nigeria's BVN/NIN verification mandates to the centre of the regulatory conversation, illustrating that at fintech scale, the most damaging losses can stem not from a database breach but from abused legitimate access and porous downstream KYC.

Timeline

  1. An estimated ₦2.9 billion (~$4.2M) is diverted from Flutterwave through 63 transactions across 28 accounts; the company says it detected the anomaly via routine monitoring.

  2. Court filings seeking to freeze 107 beneficiary accounts across 27 financial institutions surface publicly; Flutterwave denies being hacked and says no user lost funds.

  3. Flutterwave discovers that POS-device merchants abused their platform access via a 'technical glitch,' illegally transferring roughly ₦19 billion (~$24M).

  4. Flutterwave obtains a Mareva injunction to recover the ~$24M, compelling 35 institutions to disclose KYC details of more than 6,000 beneficiary account holders.

  5. A separate breach reported in 2024 sees a further ₦11 billion (~$7M) moved through five financial institutions over four days in laundering-style 'round-trip' transfers.

  6. Nigerian police reportedly arrest bank customers linked to the ₦11 billion fraud case.

Sources

  1. techcrunch.com: https://techcrunch.com/2023/03/05/alleged-security-breach-leaves-millions-of-dollars-missing-from-flutterwave-accounts/
  2. techcabal.com: https://techcabal.com/2024/02/08/flutterwave-to-recover-missing-24million/
  3. techpoint.africa: https://techpoint.africa/news/flutterwave-plans-recover-lost-funds/
  4. techcabal.com: https://techcabal.com/2024/05/16/exclusive-flutterwave-loses-%E2%82%A611-billion-in-security-breach/
