“In a context where trust has become the cornerstone of digital financial services, CinetPay is going through one of the most delicate periods in its history. Between a large-scale cyberattack, cash flow tensions, and media suspicions, the fintech company, despite holding a license issued by the BCEAO, has seen its model put to the test.
At the heart of this storm, its CEO breaks the silence and, in this exclusive interview, shares his perspective on the events. He openly discusses the coordinated attack in September 2025, the exploited vulnerabilities, the impacts on merchant partners, and the corrective measures taken to restore trust.
Faced with accusations of money laundering reported in the Senegalese press, he also provides clarifications and details the cooperative stance taken with the authorities. Beyond crisis management, this exchange sheds light on the structural challenges of the fintech sector in Africa: governance, cybersecurity, regulation, and ecosystem maturity.
Transparency, accountability, and resilience: these are the concepts that run through this interview and outline a player in full reconstruction, determined to establish itself permanently in the African digital payments landscape.
Your company is going through a crisis involving a cyberattack, cash flow tensions, and media suspicions. What exactly happened?
In September 2025, CinetPay was the target of a coordinated cyberattack, affecting our operations in Ivory Coast, Togo, and Burkina Faso simultaneously. Fraudsters exploited a technical vulnerability to siphon funds through mobile money accounts.
The intrusion was detected promptly, and our crisis protocols were immediately activated, but some funds had already been withdrawn before we could intercept them.
This incident directly impacted our cash flow, causing delays in reimbursements to some merchant partners. We acknowledged this situation in September 2025, made firm commitments to reimburse, and filed complaints. Subsequent investigations have identified and prosecuted those responsible.
We understand the significance of this situation for the affected businesses. A structured reimbursement plan is being implemented, and the vast majority of impacted companies have already been reimbursed. We are not yet at the end of the process, but we are moving forward with determination, and I personally commit to it.
Today, can you affirm that all vulnerabilities have been corrected?
No one can guarantee zero risk. After the incident, we commissioned an independent firm to audit our entire architecture. Based on this audit, we completely redesigned our security infrastructure.
Our cash environments are now segmented by country, a real-time fraud detection system has been deployed, multi-factor authentication has been strengthened, and a dedicated security officer has been hired. We are also in the process of ISO 27001 certification and PCI-DSS renewal.
Beyond tools, this crisis has profoundly transformed our culture: security is no longer a department, it is a shared responsibility at all levels. We remain vigilant and committed to protecting the funds and trust of our customers.
You are mentioned in an investigation in Senegal for money laundering suspicions. What is your version of the facts?
The articles published in Senegal have created confusion and tarnished our reputation. It is important to clarify the facts, with supporting documents if you wish to verify.
On September 2, 2025, the Senegalese Cybercrime Division alerted us that one of our merchants, Nectar Microcredit Technology, was using our APIs without our knowledge for illegal online lending activities. This merchant had registered on our platform declaring activities of creating microfinance applications, corresponding to its business registry, but was diverting our services for illicit financial activities.
Our reaction was immediate. On September 5, we filed a formal complaint against Nectar Microcredit Technology and its manager for abusive use of our tools, deceptive business practices, and false declarations; terminated the contract, froze its funds in our accounts, and made these funds available to the authorities.
We are fully cooperating with the Senegalese authorities, and to date, no evidence suggests CinetPay’s voluntary involvement in irregular activities.
This situation has also allowed us to strengthen our procedures: KYC control is now stricter, and all merchant flows are subject to continuous monitoring to prevent any misuse.
Can it be said that your platform was used as an indirect channel for fraudulent flows?
Any payment platform, like any bank, can face risks of non-compliant use of its services by some users. This happens worldwide, including in the largest financial institutions. The real question is: how do you react when you discover it?
In Senegal, as soon as we learned that a merchant was diverting our APIs for illicit activities, we terminated its contract in less than 72 hours, filed a complaint, froze its funds, and made these funds available to the authorities. In Ivory Coast, we reported the cyberattack to the judicial authorities upon its detection. Legal proceedings are ongoing.
In both cases: immediate action, transparency, and cooperation with justice. But I also draw a deeper lesson from this: our merchant KYC procedures must be more robust. We have strengthened identity verification and continuous monitoring of merchant activities. A responsible platform does not only verify at entry: it monitors continuously.
You obtained a BCEAO license supposed to guarantee a high level of security. How do you explain that such fraud could occur just after?
The BCEAO license attests to the regulatory compliance of a payment institution. It is a rigorous examination that focuses on governance, financial soundness, procedures, and systems. Only 30 fintech actors have obtained it throughout the UEMOA. CinetPay is one of them, and we are proud of it.
But no license in the world provides an absolute guarantee against cybercrime. International banks, technological giants with security budgets a hundred times higher than ours, also experience cyberattacks.
What distinguishes serious actors is not the absence of incidents, but the ability to react, protect their clients, and learn from them. This is exactly what CinetPay has done. And the fact that we obtained this license demonstrates that the regulator deemed our fundamentals to be solid. The September incident stemmed from a specific vulnerability that has since been corrected.
What do you say today to companies hesitating to use CinetPay?
I say to them: ask me the questions you have. I prefer a partner who doubts and verifies to a partner who signs without looking. What we can show them today is an independent security audit, a reimbursement plan in progress, and new products that will soon be launched.
I will not claim that the crisis is behind us, as if nothing had happened. We are a team that faced the worst situation head-on and continued to work. This is the type of partner I want to be for African businesses.
Is cybersecurity now your number one priority?
Cybersecurity is a permanent priority, not a reaction to the crisis. What has changed since September is the level of investment and governance around this issue. We have tripled our security budget, hired dedicated experts, and established a security committee that reports directly to the management. We have also entered into partnerships with cybersecurity specialists to benefit from continuous monitoring and regular intrusion testing.
But our number one priority remains serving our merchants and developing payment solutions that transform the daily lives of Africans. Security is the foundation on which everything else rests. It is a prerequisite, not an end goal.
Is the African fintech sector mature enough to handle this type of crisis?
The African fintech sector is young, ambitious, and growing. Like any maturing sector, it also learns from its crises. What happened to CinetPay can happen to any actor, in Africa as elsewhere.
What this crisis reveals is the need for a more structured ecosystem: proactive regulators like the BCEAO, shared security standards among actors, and a culture of transparency in case of incidents. CinetPay has chosen transparency. We openly share our experience so that the entire sector can benefit from it.
I deeply believe in the maturity of African fintech. The fact that the BCEAO has established a regulatory framework for fintechs, that actors like CinetPay invest in security, and that judicial authorities prosecute fraudsters shows that the ecosystem is structuring and strengthening.”
