Flutterwave has allegedly suffered another security breach that allowed unknown persons to divert billions of naira to several bank accounts.
According to a TechCabal report, the perpetrators illegally transferred ₦11 billion ($7 million) to several accounts in April 2024, one financial services insider with direct knowledge of the incident said.
A second insider claimed the amount involved was at least ₦20 billion ($13.5 million).
This comes one month after Flutterwave obtained a court order to recover $24 million lost to unauthorised PoS transactions.
“As is common in the financial services industry, there will always be attempts by bad actors to compromise the security of systems set up to protect and monitor services,” Flutterwave said in a statement.
“In April, we detected unauthorized activities inconsistent with usual customer behaviour on one of our platforms used by a small subset of our customer base.”
The TechCabal report notes that Flutterwave did not specify the amount involved, but rather insisted that “no customer funds were lost or compromised, and the confidentiality of our customers’ data remains intact.”
However, one highly-placed person with knowledge of the incident said that the stolen funds were moved to several accounts in five financial institutions over four days.
The incident likely went undetected because the perpetrators ensured the deposits remained below limits that would trigger fraud checks.
The matter has been reported to law enforcement and investigations have begun, said the same person who asked not to be named.
Two executives in the financial services industry confirmed the incident and said Flutterwave reached out to request KYC details of the accounts involved. They also claimed that the accounts related to the incident have been temporarily restricted.
In similar system breaches, perpetrators conceal the movement of funds by sending money to the bank accounts of several hundred unsuspecting users. The details of those users are typically obtained online or using social engineering and fed into programs that automate bulk transfers.
However, April’s breach appears distinct. An organised network may have been involved in the distribution, said a highly placed staff member at a financial institution.
“The perpetrators appeared to transfer the money to random accounts but these same accounts would also transfer money to other accounts who then sent it back to the first beneficiary account, [in a sort of round trip].”
This closed-loop approach differs from past attempts to hide the trail using unconnected outsider accounts.
This is the fourth incident of unauthorised transfers at Flutterwave reported in the last fourteen months. In October 2023, about 6,000 account holders across 35 banks and financial institutions received ₦19 billion ($24 million) illegally transferred through unauthorised transactions by POS merchants.
In March 2023, about 107 bank accounts in 27 banks received ₦550 million. In a February 2023 breach, ₦2.9 billion was diverted to 107 bank accounts in 27 banks, according to court documents.
Identifying the account owners involved in the latest incident may be easier than before since the Central Bank mandated all financial institutions to require all customers to provide their bank verification number (BVN) or a national identification number (NIN) for account or wallet opening by March 2024.
Recall that in February, Flutterwave received a court order, a Mareva injunction, that lets it recover the funds and assets of the identified account holders, even though they have spent the funds, with the KYC details provided by these financial institutions.
However, in a ‘Branded Content’ piece published by Punch online on Thursday, May 16, 2024, Flutterwave said ‘it blocked attempted network intrusion and reported offenders to security agencies’.
The report reads:
“Sources familiar with the event said on Wednesday that the company had detected unusual activities in April and carried out processes to ensure the protection of its customers.
“On confirming the unauthorised activities, Flutterwave immediately informed law enforcement agencies and handed over the IP address and details of the offenders.
“Flutterwave has assured its customers and stakeholders that their funds were not affected and are safe with them, according to a statement by the company.
“Our sources confirm that in April, Flutterwave detected unusual activities on one of its platforms, which is used by a small number of customers for specific business transactions.
“The platform’s security stopped the breach before customer funds were impacted. Flutterwave informed the regulator while reporting the case to the relevant law enforcement.
According to insiders, Flutterwave will undertake improvements on the said platform and move their users to another platform to ensure business continuity for their customers.
In a statement shared by the company, Flutterwave further advised its customers to take advantage of the security measures available while using Flutterwave, as they also have a role to play in ensuring the best personal security practices.
Flutterwave’s Head of Information and Security stated, “As leaders, we continue to invest heavily in our security infrastructure to ensure customers continue to remain safe as they transact using Flutterwave. As a proactive step to strengthen security, we are enhancing safety features on the affected platform and will be migrating some of our customers to another platform to ensure they can benefit from the security enhancements. We will continue our advocacy for ecosystem-led system initiatives that will help in fighting security threats in the digital ecosystem across Africa.”
However, Flutterwave is not the only company that has experienced these fraud incidents. There has been a rising increase in cyber-crimes in Nigeria, creating trust issues between companies and their customers.
“For instance, MTN, Africa’s largest mobile network operator, lost a total of N10.5 billion to cyber criminals in 2022. Also, Patricia Technologies Limited, a popular crypto platform, lost $2 million that belonged to its depositors in January 2022, leading to the suspension of the platform.
“Commercial banks have also been affected. Access Bank, one of the largest banks in Nigeria, filed a lawsuit in June 2023 to retrieve N30 billion and another in July 2023 to retrieve N5 billion that were lost to hackers.
“Meanwhile, on March 5, 2023, Flutterwave also denied claims that its account was hacked and that N2.9 billion was illegally transferred from its account to several other accounts. However, court documents revealed that the company had sought police assistance to recover what was stolen”.