Adumo Data Breach Exposes Payment Source Code on Dark Web

A threat actor is offering 15,546 files of Adumo’s internal payment infrastructure — including transaction processing source code, EMV kernel code, and Mastercard and Visa certification artefacts
Lincoln Mali, Lesaka CEO

A threat actor is selling 14GB of Adumo’s internal technical data on a dark web forum — and the files allegedly include the source code that runs South Africa’s largest independent payment processor.

The listing, priced at approximately $7,000, claims 15,546 files were extracted from Adumo’s systems. According to dark web monitoring site Daily Dark Web, the haul includes full InnerEDGE Docker images central to Adumo’s main processing platform, C# point-of-sale source code, card-operation functions covering activation, allocation, debit, and refund flows, EMV kernel source code from the Newland SP6x0 Phoenix SDK, PAX terminal firmware bundled with Mastercard and Visa bank certifications, and production BIN EMV parameters alongside debugging guides.

Adumo confirmed it is investigating. “Adumo is aware of information circulating online and is conducting an internal investigation to verify its source and scope,” the company said in a statement attributed to Lesaka Technologies CEO Lincoln Mali. A follow-up statement added that the material “does not include customer data” and “does not impact Adumo’s business operations.”

That framing is technically defensible. It is also beside the point.

No customer names or card numbers appear in the listing. What the threat actor claims to have stolen is something more dangerous: a working blueprint of how Adumo’s payment infrastructure operates.

Jacqui Muller, a Belgium Campus iTversity researcher and PhD candidate in computer science, told ITWeb the breach is “particularly concerning, not necessarily because of confirmed customer data exposure, but because of the nature of the assets allegedly being circulated.” Muller said the files appear to include point-of-sale software, debugging tools, low-level documentation, chip-and-PIN transaction logic, and certification artefacts for Mastercard and Visa systems. Source code exposure of this type does not produce fraud immediately. It gives a patient attacker a detailed map of where vulnerabilities exist — and all the time needed to find them.

The stakes are material. Adumo serves approximately 29,000 active merchants across South Africa, Namibia, Botswana, and Kenya, processing more than R80 billion in transactions per year, according to ITWeb. As part of Lesaka’s broader platform — which processes over R270 billion annually and serves 1.7 million consumers — Adumo’s infrastructure underpins payments for enterprise clients including Coca-Cola, McDonald’s, and KFC. A successful exploit derived from this source code would not stay contained. It would propagate across every merchant and cardholder touching that network.

The incident lands at an uncomfortable moment for South African financial infrastructure. Security researchers report that just days before the Adumo listing appeared, a separate threat actor claimed to have exfiltrated 1.2TB of data from Standard Bank — South Africa’s largest lender by assets — with that breach reportedly going undetected for three weeks. Whether the two incidents are connected is unclear. The proximity has amplified concern among cybersecurity professionals who have long warned that South Africa’s advanced digital infrastructure makes it a high-value target for financially motivated attackers.

Only 29% of South African organisations plan to significantly increase their cybersecurity budgets for 2025, according to security research data. For a country whose financial services sector processes hundreds of billions in transactions annually, that figure is difficult to defend. South Africa has recorded a string of high-profile incidents in recent years — including Cell C’s 2024 breach, in which attackers exfiltrated roughly 2TB of data tied to 7.7 million customers. The Adumo incident adds a distinct category of risk: not the theft of personal data, but the theft of the technical architecture that makes payments possible.

Adumo’s growth has been one of Africa’s more aggressive fintech consolidation plays. Since its founding in 2019, the company absorbed SwitchPay, WireCard, GAAP, SureSwipe, and iKhokha before Lesaka acquired the entire business for R1.67 billion ($96.2 million) in October 2024. That acquisition history means Adumo’s codebase integrates multiple legacy systems — precisely the kind of layered architecture that widens attack surface.

How Lesaka Is Responding to the Issue

Lesaka’s investor communications have been measured. The company has not disclosed the breach vector, the date of the alleged compromise, or whether external forensic investigators are engaged. For a company listed on both the JSE and Nasdaq, the reputational and governance fallout from an incident like this carries real weight. Investors will ask whether this constitutes a material event requiring disclosure under Nasdaq listing rules. Regulators will ask whether South Africa’s Information Regulator has been notified under POPIA — the Protection of Personal Information Act — which mandates reporting of security compromises affecting personal information.

Adumo’s assertion that no customer data was exposed may prove accurate. It does not resolve whether internal technical data shared with external partners meets POPIA’s threshold for a reportable breach.

The $7,000 asking price itself deserves scrutiny. That figure is remarkably low for data of this alleged sensitivity, suggesting either a low-confidence seller pricing to move fast, or that a buyer already exists and the listing is a public signal.

Adumo has not announced when its investigation will conclude. Watch for a disclosure to the Information Regulator and a formal Lesaka investor statement as the clearest indicators of how seriously the company views the incident.
