Two executives in the financial services industry confirmed the incident and said Flutterwave reached out to request KYC details of the accounts involved. They also claimed that the accounts related to the incident have been temporarily restricted.

In similar system breaches, perpetrators conceal the movement of funds by sending money to the bank accounts of several hundred unsuspecting users. The details of those users are typically obtained online or through social engineering and fed into programs that automate bulk transfers.
However, April’s breach appears distinct. An organised network may have been involved in the distribution, said a highly placed staff member at a financial institution.

“The perpetrators appeared to transfer the money to random accounts but these same accounts would also transfer money to other accounts who then sent it back to the first beneficiary account, [in a sort of round trip].”
This closed-loop approach differs from past attempts to hide the trail using unconnected outsider accounts.
This is the fourth incident of unauthorised transfers at Flutterwave reported in the last fourteen months. In October 2023, about 6,000 account holders across 35 banks and financial institutions received ₦19 billion (*$24 million) illegally transferred through unauthorised transactions by POS merchants.
In March 2023, about 107 bank accounts in 27 banks received ₦550 million. In a February 2023 breach, ₦2.9 billion was diverted to 107 bank accounts in 27 banks, according to court documents seen by TechCabal.
Identifying the account owners involved in the latest incident may be easier than before since the Central Bank mandated all financial institutions to require all customers to provide their bank verification number (BVN) or a national identification number (NIN) for account or wallet opening by March 2024. In February, Flutterwave received a court order, a Mareva injunction, that lets it recover the funds and assets of the identified account holders, even though they have spent the funds, with the KYC details provided by these financial institutions.

tech cabal

