Africa’s leading payments technology company, Flutterwave, has fallen victim to a recent security breach, resulting in the unauthorized transfer of approximately N11 billion from its accounts to various unknown recipients, as reported by TechCabal on Thursday.
A senior staff member, speaking on condition of anonymity, disclosed that the cybercriminals had illegally transferred a substantial sum of N11 billion ($7 million) to multiple accounts in April 2024, highlighting the severity of the security incident.
Just as the financial company was celebrating a legal triumph, securing a court order to reclaim $24 million stolen through unauthorized POS transactions, a new security breach has dealt a fresh blow, underscoring the ongoing battle against cyber threats.
“In 2023, we discovered that certain POS device merchants abused their access by conducting unauthorised transactions. In response to this, we temporarily suspended the accounts where funds were improperly transferred,” Flutterwave had said.
The insider noted that “the perpetrators appeared to transfer the money to random accounts but those same accounts would also transfer money to other accounts who then sent it back to the first beneficiary account, (in a sort of round trip).”
Contrary to initial reports, a trusted source revealed to TechCabal that the actual amount embroiled in the security breach was substantially higher, totaling at least N20 billion (approximately $13.5 million).
In a statement provided to TechCabal, the financial giant highlighted the ongoing struggle against cybercriminals, who relentlessly target the financial services industry with the aim of compromising security systems and disrupting essential services.
“In April, we detected unauthorised activities inconsistent with usual customer behaviour on one of our platforms used by a small subset of our customer base.”
While Flutterwave didn’t disclose the specific amount that was lost to the ‘cyber lords,’ it said that “no customer funds were lost or compromised, and the confidentiality of our customers’ data remains intact.”
According to a primary source cited in the report, the fraudulent transactions were swiftly carried out over a mere four-day period, leveraging multiple bank accounts in five financial institutions to conceal the trail.
“The incident likely went undetected because the perpetrators ensured the deposits remained below limits that would trigger fraud checks,” Techcabal stated.
Read also: Reactions As Kenyan Court Clears Flutterwave Of Wrongdoing
A person familiar with the situation, who chose to remain nameless, confirmed that the issue has been reported to the relevant law enforcement agencies, and a probe is now in progress to unravel the mystery.
Two high-ranking executives in the financial sector have corroborated the incident, revealing that Flutterwave promptly contacted them to obtain crucial Know Your Customer (KYC) information regarding the affected accounts, which have since been temporarily suspended.
As seen in various security breaches, criminals employ a clever strategy to launder stolen funds by channeling them into a network of unrelated bank accounts belonging to unwitting users, obscuring the money trail.
Cybercriminals then exploit the stolen user data, gathering sensitive information through online snooping or clever psychological tactics, and feeding it into advanced algorithms that enable rapid, high-volume financial transactions.
The recent security breach in April represents the fourth instance of financial insecurity within the company in just 14 months, a troubling trend that raises concerns about the efficacy of their security measures.
TechCabal uncovered a massive fraud operation in which N2.9 billion was illegally dispersed into 107 accounts spanning 27 banks in February 2023, exposing a complex web of financial deceit.
In a suspicious transaction, 107 bank accounts across 27 financial institutions received a combined total of N550 million in March 2023, raising red flags about potential money laundering or fraud.
A fraudulent scheme of unprecedented proportions was uncovered in October, involving the illegal transfer of N19 billion to approximately 6,000 account holders in 35 banks and financial institutions through rogue point-of-sale activities.
Flutterwave achieved a major breakthrough in February 2024, obtaining a court order that issued a Mareva injunction, enabling the recovery of funds and assets tied to the implicated account holders, even if they had already spent the money, courtesy of the vital KYC details furnished by the financial institutions.