One month following a court order aimed at recouping $24 million lost to unauthorized point-of-sale (POS) transactions, Flutterwave faced another breach in security, allowing unidentified individuals to divert billions of naira to multiple bank accounts.
According to an insider familiar with the situation, in April 2024, ₦11 billion ($7 million) was illicitly transferred to various accounts. Another source suggested the amount might exceed ₦20 billion ($13.5 million).
Flutterwave released a statement acknowledging the incident, emphasizing the perpetual threat posed by malicious actors within the financial services industry. They disclosed the detection of irregular activities on a platform utilized by a fraction of their customer base but did not disclose the precise amount involved. They assured that no customer funds were compromised, and data confidentiality remained intact.
Nonetheless, a well-informed source revealed that the stolen funds were dispersed across accounts in five financial institutions over four days, likely escaping detection due to careful adherence to thresholds that evade fraud scrutiny. Law enforcement has been notified, and investigations initiated.
Two financial services executives corroborated the incident, stating that Flutterwave requested Know Your Customer (KYC) details for the implicated accounts and temporarily restricted their access.
Typically, perpetrators conceal fund transfers by dispersing money among unsuspecting users’ bank accounts. However, the April breach exhibits a unique closed-loop method, possibly orchestrated by an organized network.
This marks the fourth unauthorized transfer incident at Flutterwave within fourteen months. Previous breaches include the illegal transfer of ₦19 billion ($24 million) across 6,000 accounts in 35 banks in October 2023, ₦550 million in March 2023, and ₦2.9 billion in February 2023.
Identifying the account holders may be facilitated by the Central Bank’s mandate for customers to provide their bank verification number (BVN) or national identification number (NIN) by March 2024. Flutterwave secured a court order in February to recover funds and assets from identified account holders, leveraging KYC data provided by financial institutions, despite the funds having been spent.