Nigerian fintech collapse highlights security gaps
A Nigerian fintech that raised $3.2M reportedly collapsed at launch because of security blind spots in its payment platform, according to a thread shared by Akintola Steve that lays out system-design lessons. The episode underscores how integration and deployment security can sink a fintech launch even after a successful fundraise. (x.com/Akintola_steve/status/2042990678662111388)
A Nigerian fintech that had raised $3.2 million and signed up 40,000 users in its first week reportedly unraveled after attackers exploited basic payment-security flaws. (threadreaderapp.com)

Akintola Steve, a backend engineer, posted the account on April 11 in a 16-part thread that said the startup spent 14 months building its platform before launch. He wrote that support complaints surged within days, including reports of drained wallets, negative balances, and unauthorized overnight transfers. (threadreaderapp.com)

His thread described three failure points: a weak endpoint that exposed balances through SQL injection, replayed transfer requests that were processed more than once, and session tokens that stayed usable after they should have expired. He said attackers reused stolen JSON Web Tokens (JWTs) across devices and IP addresses because the system lacked token rotation and device binding. (threadreaderapp.com)

Digital payments work by moving money between ledgers, and the handoff has to be locked so that one request produces exactly one result. Steve said the startup accepted transfer payloads carrying amount, recipient, and timestamp but no nonce, the one-time value that stops the same request from being replayed. (threadreaderapp.com)

He also said the company treated security as something to add after the minimum viable product, even as it built microservices, caching, and load balancing into the stack. His proposed fixes included threat modeling, mutual TLS between services, short-lived tokens, request signing, and replay protection with nonces and timestamps. (threadreaderapp.com)

The account does not identify the company, and no independently verified public record in the available reporting ties the $3.2 million figure to a named Nigerian fintech collapse. The thread should be read as a reported case study from one engineer, not as a regulator's incident report or a court filing. (threadreaderapp.com)

The backdrop is a Nigerian fintech market that kept attracting capital even as oversight tightened. A 2025 legal review said Nigeria logged 103 startup deals in 2024, drew $410 million across startups that year, and saw the Central Bank of Nigeria push stricter know-your-customer and due-diligence rules on fintechs. (globallegalinsights.com)

That pressure has been rising alongside fraud losses. Nigeria Inter-Bank Settlement System data published in February 2025 showed financial institutions lost ₦52.26 billion to fraud in 2024, up from ₦17.67 billion in 2023, according to multiple reports citing the fraud report. (nairametrics.com) (guardian.ng)

Other Nigerian operators have also warned that security failures can start with ordinary product gaps, not exotic hacks. Techpoint reported in April 2024 that a Nigerian payment company found some point-of-sale merchants abusing access to make illegal transfers through a system glitch. (techpoint.africa)

The thread's closing point was narrower than the funding headline: the startup did not fail at marketing or scale first; it failed at trust. In payments, one exposed endpoint or one replayable request can turn a launch week into a shutdown. (threadreaderapp.com)
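The replay problem the thread describes, and the fix it proposes (request signing plus a nonce and timestamp), can be shown on a toy ledger. The following is an added example written for this page, not code from the thread or from the startup it describes. The class and function names (`Ledger`, `sign_request`, `unprotected_transfer`, `process_transfer`), the shared HMAC key, and the five-minute timestamp window are assumptions chosen for illustration. `unprotected_transfer` models the payload shape the thread reports (amount, recipient, timestamp, no nonce) so that replaying one request drains the sender into a negative balance; `process_transfer` is the hardened path that verifies the signature, rejects stale timestamps, consumes each nonce once, and refuses overdrafts.

```python
import hashlib
import hmac
import json
import time

# Illustrative constants (not from the thread): accept timestamps within 5 minutes
SKEW_SECONDS = 300
REQUIRED = ("sender", "recipient", "amount", "timestamp", "nonce")


class Ledger:
    """In-memory balances plus the nonces already consumed (one-time codes)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.seen_nonces = {}  # (sender, nonce) -> request timestamp

    def prune(self, now):
        # Nonces older than the acceptance window can be dropped: a replay of
        # them fails the timestamp check anyway, so the set stays bounded.
        cutoff = now - SKEW_SECONDS
        self.seen_nonces = {k: ts for k, ts in self.seen_nonces.items() if ts >= cutoff}


def canonical(payload):
    """Deterministic byte encoding so client and server sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key, payload):
    """Client side: HMAC-SHA256 over the canonical payload, binding amount,
    parties, timestamp and nonce together under a shared key."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def unprotected_transfer(ledger, payload):
    """The shape the thread describes: amount, recipient, timestamp, no nonce,
    no signature, no funds check. Every copy of a request moves money again."""
    ledger.balances[payload["sender"]] -= payload["amount"]
    ledger.balances[payload["recipient"]] = (
        ledger.balances.get(payload["recipient"], 0) + payload["amount"]
    )
    return "ok"


def process_transfer(ledger, key, payload, signature, now=None):
    """Server side: signature, freshness, nonce and funds checks before the ledger moves."""
    now = time.time() if now is None else now
    if any(f not in payload for f in REQUIRED):
        return "malformed"
    # 1. Integrity and authenticity: constant-time compare of the HMAC
    if not hmac.compare_digest(sign_request(key, payload), signature):
        return "bad_signature"
    # 2. Freshness: reject old or far-future timestamps
    ts = payload["timestamp"]
    if not isinstance(ts, (int, float)) or abs(now - ts) > SKEW_SECONDS:
        return "stale"
    # 3. Replay: a (sender, nonce) pair may be consumed exactly once
    ledger.prune(now)
    nkey = (payload["sender"], payload["nonce"])
    if nkey in ledger.seen_nonces:
        return "replay"
    # 4. Funds: positive integer amounts only, and no negative balances
    amount = payload["amount"]
    if not isinstance(amount, int) or amount <= 0:
        return "bad_amount"
    if ledger.balances.get(payload["sender"], 0) < amount:
        return "insufficient_funds"
    # Consume the nonce and apply both ledger entries together
    ledger.seen_nonces[nkey] = ts
    ledger.balances[payload["sender"]] -= amount
    ledger.balances[payload["recipient"]] = ledger.balances.get(payload["recipient"], 0) + amount
    return "ok"


if __name__ == "__main__":
    # Constructed sample: one signed transfer, then the same bytes replayed
    key = b"demo-shared-key"  # placeholder key for the example only
    now = int(time.time())
    req = {"sender": "alice", "recipient": "bob", "amount": 40, "timestamp": now, "nonce": "n1"}
    sig = sign_request(key, req)
    ledger = Ledger({"alice": 100, "bob": 0})
    print(process_transfer(ledger, key, req, sig, now), ledger.balances)
    print(process_transfer(ledger, key, req, sig, now), ledger.balances)
```

In a real deployment the consumed-nonce set would live in shared storage (the cache layer the thread mentions is a natural fit) so that every instance behind the load balancer sees the same replay state; an in-process dictionary only protects a single server.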