A major outage at Cloudflare on 18 November 2025 caused widespread disruption across digital banking, payment systems and cryptocurrency platforms. The incident began at 11:20 UTC, when unusual traffic caused Cloudflare’s bot-mitigation system to fail, taking down services routed through the company’s network. Cloudflare deployed a fix less than two hours later, and by 14:30 UTC the incident was declared resolved, though degraded performance continued for some users throughout the day.
Cloudflare later confirmed the failure was due to a cascading software bug rather than a cyber-attack. A configuration file used for bot detection had grown unexpectedly large, triggering a latent parsing error and causing systems to crash. To isolate the problem, Cloudflare temporarily disabled its Warp encryption service in London and apologised for the disruption, committing to strengthen configuration management.
Fintech platforms hit hardest
Fintech services were among the most significantly affected due to their reliance on Cloudflare for traffic routing, DDoS protection and API security. Mercury Bank reported widespread outages that prevented customers from accessing dashboards or processing card payments. Engineers were forced to bypass Cloudflare’s security layer in order to restore service — a move that improved availability but exposed their servers to additional risk.
Varo Bank, another app-only institution, was also disrupted, leaving customers unable to access accounts or initiate transfers. The outage briefly cut off access to Supabase, TailwindCSS-powered dashboards and multiple payment tools. In France, the Vélib’ bike-rental app failed due to Cloudflare’s malfunctioning challenge pages, and major global services such as DoorDash and Uber experienced intermittent errors.
Crypto exchanges and decentralised-finance platforms were similarly affected. Coinbase, Kraken, Aave, Etherscan and DeFiLlama displayed 500-series errors during the outage. Industry experts warned that the event highlighted the ecosystem’s dependence on a small set of global routing and security providers. Redundant routing and multi-vendor setups, they argued, should be treated as baseline security practice.
Although traditional capital-markets infrastructure was not impaired, retail trading interfaces and market-data portals suffered delays and outages. Cloudflare’s pre-market share price dropped by more than 3 percent, reflecting investor anxiety over the repercussions for operational resilience.
Why the outage matters
The sudden blackout raised questions about systemic concentration risk in fintech. Cloudflare acts as a gatekeeper for traffic across roughly a fifth of the global web, meaning a fault in its systems can instantly block legitimate users from reaching essential financial services. Industry leaders warned that reliance on Cloudflare, AWS or Azure creates potential single points of failure in systems that consumers depend on for payments, savings and credit.
Recent outages at other cloud providers have added to concerns that internet infrastructure is insufficiently diversified. Banks and fintechs face regulatory expectations to maintain service continuity, and analysts estimate that mid-sized firms can lose around US$300,000 per hour of downtime. For global fintech operators, these losses scale rapidly.
The incident also underscored the tension between security and availability. Mercury Bank’s decision to bypass Cloudflare restored access for customers but removed DDoS protection and exposed the bank’s origin servers. Experts say fintechs must design fail-over systems that avoid such high-risk trade-offs.
What fintech can learn
Risk-management specialists say the Cloudflare outage should act as a turning point. Firms are urged to adopt multi-CDN and multi-cloud architectures, maintain alternative DNS setups and map all third-party dependencies across their technology stacks. Clear, real-time customer communication — demonstrated by Cloudflare’s prompt status updates — is increasingly viewed as essential for retaining trust during outages.
As digital banks, crypto platforms and payment companies continue to expand, resilience planning is becoming a core competitive requirement. The November 2025 outage showed that even well-established infrastructure providers are not immune to software errors. For fintech operators, redundancy and contingency planning may now be as important as user experience and innovation.