Flutterwave, Africa’s leading payments technology company, has suffered a fresh security breach that involved the siphoning of about N11 billion from its accounts by some unknown persons, Techcabal reports on Thursday.
An inside source, said to be a “highly-placed staff” of the company was reported to have disclosed that the perpetrators illegally transferred N11 billion ($7 million) to several accounts in April 2024.
This recent security breach comes after the financial company obtained a court order to recover $24 million lost to unauthorised POS transactions.
“In 2023, we discovered that certain POS device merchants abused their access by conducting unauthorised transactions. In response to this, we temporarily suspended the accounts where funds were improperly transferred,” Flutterwave had said.
The insider noted that “the perpetrators appeared to transfer the money to random accounts but those same accounts would also transfer money to other accounts who then sent it back to the first beneficiary account, (in a sort of round trip).”
However, another insider told Techcabal that the amount involved was at least N20bn ($13.5 million).
In a statement made available to Techcabal, the financial giant said, “As is common in the financial services industry, there will always be attempts by bad actors to compromise the security of systems set up to protect and monitor services.
“In April, we detected unauthorised activities inconsistent with usual customer behaviour on one of our platforms used by a small subset of our customer base.”
While Flutterwave didn’t disclose the specific amount that was lost to the ‘cyber lords,’ it said that “no customer funds were lost or compromised, and the confidentiality of our customers’ data remains intact.”
According to the first source cited in the report, the fraudulent financial transactions were completed within four days and operated across several bank accounts in five financial institutions.
“The incident likely went undetected because the perpetrators ensured the deposits remained below limits that would trigger fraud checks,” Techcabal stated.
The matter has been reported to law enforcement and investigations have begun, said the same person who asked not to be named.
According to the report, two executives in the financial services industry confirmed the incident and said Flutterwave reached out to request the Know Your Customer (KYC) details of the accounts involved. They also claimed that the accounts related to the incident have been temporarily restricted.
As carried out in some security breaches, perpetrators conceal the movement of funds by sending money to several, sometimes, unrelated bank accounts of multiple unsuspecting users.
The details of those users are then obtained online or using social engineering and fed into programmes that automate bulk transfers.