Just a month after getting a court order to recover $24 million lost to unauthorized POS transactions, Flutterwave faced another security breach. This time, unknown individuals diverted billions of naira to different bank accounts.
According to an insider, in April 2024, hackers transferred ₦11 billion to several accounts. Although others are suggesting the amount could be as high as ₦20 billion.
Flutterwave acknowledged the incident, stating, “As in the financial services industry, attempts by bad actors to compromise security are common.” They detected unusual activities on a platform used by a small group of customers but assured that “no customer funds were lost or compromised, and customer data remains secure.”
This stolen money was transferred to multiple accounts in five banks over four days, likely avoiding detection by keeping transactions below fraud detection limits. Law enforcement has been informed and investigations are ongoing.
Two financial services executives confirmed the breach and said Flutterwave requested KYC details of the involved accounts. Right now, those accounts have been temporarily restricted.
Usually, hackers often move money through hundreds of unsuspecting user accounts, but this time, it seems an organized network was involved. Funds were moved in a closed loop, with money cycling between a few accounts, which is different from previous methods.
This marks the fourth incident of unauthorized transfers at Flutterwave in the past fourteen months. In October 2023, ₦19 billion was illegally transferred through POS transactions affecting about 6,000 account holders across 35 banks. Earlier breaches in March and February 2023 involved ₦550 million and ₦2.9 billion respectively.
In February, Flutterwave obtained a Mareva injunction allowing them to recover the funds and assets from identified account holders, even if the money had been spent.
Here is the good news! Identifying the account owners in the latest breach might be easier now. In March 2024, the Central Bank required all financial institutions to collect customers’ bank verification numbers (BVN) or national ID numbers (NIN) for account opening.