In a significant setback for Nigerian fintech company Flutterwave, a major security breach in April 2024 allowed unknown individuals to divert billions of naira to several bank accounts. This incident follows closely on the heels of a court order obtained by Flutterwave to recover $24 million lost to unauthorized POS transactions.
The unauthorized transfers amounted to ₦11 billion ($7 million), according to a financial services insider with direct knowledge of the situation. Another insider claimed the amount involved was at least ₦20 billion ($13.5 million).
Flutterwave acknowledged the breach in a statement to TechCabal, noting that the company had detected “unauthorized activities inconsistent with usual customer behavior on one of our platforms used by a small subset of our customer base.” Despite the substantial financial impact, Flutterwave emphasized that “no customer funds were lost or compromised, and the confidentiality of our customers’ data remains intact.”
The breach, which saw the stolen funds dispersed across multiple accounts in five financial institutions over four days, likely went undetected due to the perpetrators keeping deposits below the limits that would trigger fraud checks. The incident has been reported to law enforcement, and investigations are underway, said a source who wished to remain anonymous.
Financial services executives confirmed the breach and indicated that Flutterwave had reached out to request KYC details of the accounts involved. These accounts have since been temporarily restricted.
Unlike typical breaches where funds are transferred to the accounts of numerous unsuspecting users, this incident appears to involve an organized network. The perpetrators used a closed-loop method, transferring money to random accounts that then transferred it back to the original beneficiary accounts, effectively masking the money trail.
As Flutterwave grapples with this latest security breach, the fintech sector is reminded of the constant vigilance required to protect financial systems from increasingly sophisticated cyber threats.