Cyber Incident Victim: Flutterwave

Date: Feb 2023

Location: Nigeria

Summary

An alleged security breach at Flutterwave led to unauthorized transfers of approximately $4.2 million across multiple accounts via dozens of transactions. The company denied being hacked, stating its systems detected unusual transaction patterns during routine monitoring and attributed potential vulnerabilities to users not activating recommended security settings, claiming no customer funds were lost due to its protective measures. Legal actions were initiated to freeze accounts at numerous financial institutions, restricting withdrawals from over 100 accounts as police investigations continued into the incident.

Description

In early February 2023, Flutterwave, Africa’s largest privately valued startup, experienced a security incident involving unauthorized transfers of approximately ₦2.9 billion (~$4.2 million USD) from its accounts. According to legal documents and reports from Techpoint Africa, unknown actors executed 63 transactions across 28 accounts during this period. The incident came to light through police investigations and court filings initiated by Flutterwave’s legal team, which sought to freeze accounts suspected of receiving the misappropriated funds. By late February or early March, Flutterwave had filed motions targeting 27 financial institutions to place 107 accounts—including fifth-tier beneficiaries—under lien or Post-No-Debit (PND) orders, effectively blocking withdrawals from these accounts. Public awareness escalated in early March when social media users reported frozen accounts and speculated about a breach, though Flutterwave had not publicly disclosed the incident prior to these reports. The company’s legal actions indicated the funds had moved through multiple layers of accounts, complicating recovery efforts. No technical details about the attack vector were confirmed, though online commentary suggested socially engineered compromises of merchant keys as a potential entry point.

Flutterwave issued a statement denying any system breach, attributing the irregular transactions to users who had not activated recommended security settings. The company claimed its internal transaction monitoring systems detected unusual activity during a routine review, prompting immediate investigation under standard protocols. It asserted that no end users lost funds due to its security interventions, emphasizing investments in certifications like PCI-DSS and ISO 27001. Concurrently, law enforcement agencies continued investigating the fund movements while Flutterwave pursued asset recovery through frozen accounts. The incident caused operational disruptions for account holders affected by the PND directives, though the scale of these secondary impacts remained undocumented. As of March 5, 2023, the cause of the fund transfers, the identity of the perpetrators, and the full recovery status remained undisclosed or under investigation. Flutterwave maintained its focus on transactional security collaborations with financial partners and law enforcement without acknowledging systemic vulnerabilities.
