Cybersecurity in Africa’s financial sector reached a turning point in 2025. Stricter data protection regulations, including Nigeria’s Data Protection Act and South Africa’s Protection of Personal Information Act (POPIA), pushed more companies toward public disclosure of incidents that would previously have been handled quietly. The numbers behind that shift are significant. Cyberattacks on the continent ran at roughly 60% above the global average in 2025, with organisations facing over 3,100 attacks per week on average.
This post covers the five major cybersecurity breaches that hit African fintechs in 2025, based on verified reports and official disclosures.
1. The Banxso Collapse (South Africa)
The Banxso case was the most legally significant fintech security incident on the continent in 2025, and it remained in the courts into 2026.
Banxso was a South African online trading platform. The company claimed it was a victim of a cyberattack involving a fraudulent scheme called “Immediate Matrix,” which it described as a parasitic operation that used its brand without authorisation to deceive investors. According to Banxso, deepfake videos of public figures including Elon Musk and Johann Rupert were used to lure investors into a fake trading system that falsely appeared connected to the platform.
However, South Africa’s Financial Sector Conduct Authority (FSCA) investigated the situation and found what it described as “overwhelming” evidence of fraud on the part of Banxso itself. The FSCA issued a penalty and the company was placed under provisional liquidation in August 2025. In March 2026, a South African court confirmed the final liquidation of the company. Admitted liabilities at that point exceeded R137 million, with over 300 victims filing claims for losses of up to R220 million.
The case raised two separate concerns that are worth distinguishing. The first is the use of AI-generated deepfake content to deceive investors, which is a growing cybersecurity threat regardless of who was ultimately responsible for the scheme. The second is the legal and regulatory outcome, where the FSCA and the courts concluded that the platform itself bore responsibility for the losses investors suffered. Both sides of the story are documented in official proceedings, and the final court ruling stands as the verified conclusion.
2. The M-TIBA Data Breach (Kenya)
In October 2025, reports surfaced of a significant data breach involving M-TIBA, a major health-fintech platform operating in Kenya. The platform sits at the intersection of healthcare and financial services, processing health insurance payments and medical records for a large user base.
The breach resulted in the exposure of sensitive customer data, including health and financial records. What made this incident particularly notable was the method of exposure. Instead of using the stolen data privately or entering into ransom negotiations, those responsible published the data on public Telegram channels. There is no verified public record of M-TIBA making a ransom payment in connection with this incident.
The M-TIBA breach highlighted a shift in how some attackers operate. Public exposure of data, used as a reputational weapon, puts pressure on companies in a way that private negotiations do not. For platforms that handle both health and financial data, the sensitivity of what was exposed made the incident especially damaging to user trust.

3. The MTN Group Cyber Incident (South Africa and Ghana)
In April 2025, MTN Group officially confirmed a cybersecurity incident involving unauthorised access to customer data across two of its major markets.
In Ghana, the breach affected around 5,700 customers, according to MTN’s disclosure on April 28, 2025. In South Africa, the incident escalated into a criminal investigation involving the Hawks and the South African Police Service (SAPS). MTN clarified in its official statement that there was no evidence that Mobile Money (MoMo) wallets or financial clearing systems had been compromised. The breach was limited to personal subscriber data.
The significance of this incident extends beyond the numbers directly affected. MTN’s mobile money services function as financial infrastructure for millions of users across Africa. The fact that a breach reached subscriber data at all, even without touching wallet systems, prompted renewed scrutiny of how telecoms companies protect the identity and personal data that underpin mobile financial services.
4. The Pepkor and Mobiz Breach (South Africa)
In November 2025, Pepkor Lifestyle, the retail group that owns brands including Incredible and HiFi Corp, confirmed a data leak. The breach did not originate from within Pepkor’s own systems. The point of failure was Mobiz, a third-party SMS provider used by Pepkor for customer marketing communications.
Customer phone numbers and marketing campaign data were exposed as a result. The immediate consequence was a significant increase in smishing attacks, which are SMS-based phishing attempts, targeting retail finance customers in South Africa. Attackers used the leaked contact data to send convincing fraudulent messages designed to extract financial information from recipients.
The Pepkor and Mobiz incident became one of the clearest examples in 2025 of supply chain vulnerability in African fintech. A company can invest heavily in its own security infrastructure and still be exposed through a third-party vendor with weaker protections. Following this and similar incidents, several African fintechs began moving away from SMS-based one-time passwords toward app-based authentication methods.
5. The Nigerian Fraud Surge (Industry-Wide)
Unlike the incidents above, the Nigerian situation in 2025 did not centre on a single named company or attack. It was an industry-wide pattern documented in official data.
According to the Financial Institutions Training Centre (FITC) report for Q1 2025, the total amount involved in fraud across Nigerian banks and fintechs rose to N22.27 billion, up from N6.5 billion in the previous quarter. Actual losses, meaning the amount that was not recovered, came to around N3.3 billion in just the first three months of the year.
Mobile app fraud was the single biggest contributor to those losses, accounting for 43% of the total. The FITC data also showed that while the number of staff-related fraud cases saw a slight decline during that period, the financial value of fraud involving insider access remained high, pointing to a small number of high-value incidents involving employees or contractors with system access.
Many Nigerian fintechs did not make individual public disclosures about specific attacks during this period. The FITC figures cover aggregated industry data and do not attribute losses to specific institutions.
What These Incidents Signal for 2026
The five cases above point to several patterns that are already shaping how African fintechs approach security in 2026.
Deepfakes as a financial weapon. The use of AI-generated video and audio to impersonate executives, investors, and public figures moved from a theoretical concern to a documented tool of financial deception in 2025. Attackers are no longer relying on poorly written emails. Voice and video cloning are now part of the threat.
SIM-swap fraud is accelerating. In mobile-first markets like Kenya and South Africa, SIM-swap fraud, where attackers convince a telecom to transfer a victim’s number to a new SIM they control, remained one of the fastest-growing financial threats of the year. Once an attacker controls a phone number, they can intercept OTPs and access mobile money accounts.
Third-party vendors are a weak link. The Pepkor and Mobiz case was not an isolated example. Several 2025 incidents across the continent traced back to vendors and partners rather than to the fintechs themselves.
Regulation is forcing transparency. In March 2026, the Central Bank of Nigeria issued a mandatory Cybersecurity Self-Assessment directive for all fintechs operating under its supervision. Combined with POPIA enforcement in South Africa and Kenya’s data protection framework, the pressure on African fintechs to publicly account for security failures is higher now than at any previous point. That means 2026 will likely produce more documented disclosures, not because attacks are necessarily increasing, but because the option to stay silent is shrinking.
Sources: FSCA official statements and court records (Banxso), MTN Group official disclosure (April 2025), FITC Fraud and Forgeries Report Q1 2025, Pepkor Lifestyle official statement (November 2025).




