Posted on March 7, 2023 at 11:53 AM
Flutterwave allegedly suffers breach amid reports of frozen bank accounts
African fintech platform Flutterwave has suffered a major hacking attack. The hackers managed to illegally transfer 2,949,557,867 naira from the fintech company's accounts. The breach allegedly happened in the middle of last month.
Flutterwave accounts hacked
The legal counsel at Flutterwave, Albert Onimole, has confirmed this hack and reported the matter to the State Criminal Intelligence Department in Lagos. Onimole reported this matter on February 19, 2023.
Onimole also sent an accompanying letter detailing this breach to the law enforcement authorities. He noted that the breach happened three weeks ago, on February 13, 2023. The money stolen by the criminals was transferred to 28 different accounts through 63 transactions.
The breach was initially reported to law enforcement authorities on February 13, 2023. The company’s complaint included the accounts that received the money, with the police unable to freeze the funds when the report was made.
The letter sent by Onimole noted that some commercial banks were to blame for letting the hackers transfer funds, which widened the money trail and made it more challenging to recover the stolen funds.
Authorities are further investigating the accounts used to transfer the stolen funds at several financial institutions across Nigeria. S.A. Adedesin, a legal officer at State CID in Lagos, has filed a suit at the Magistrate Court of Lagos, also known as the Yaba Magisterial District, sitting at Yaba.
Adedesin filed the suit on February 27, and it seeks to support the claims made by Flutterwave. It also appears that a motion ex-parte was granted in favor of the fintech company. The suit in question is MISC/MC4/181/23, between the Commissioner of Police and several financial institutions that might have been used to transfer the funds.
Some hacker accounts have been frozen
Currently, no documents can prove that the court ruled in favor of a motion filed by Inspector Michael. However, some individuals have said that their bank accounts were frozen after they were suspected of being associated with the exploit.
One user on Twitter said that they received a mail from their bank saying that they were a beneficiary of money fraud because of the money trail left by the hackers. The user denied being involved in the Flutterwave hack, saying they were successfully trading on the platform for several days. “My account is locked. Can’t access funds inside. Pls, is this right?” the user asked.
The motion filed by Adedesin has referenced 17 accounts. These accounts include the fifth beneficiaries of the accounts. The accounts have already been placed on lien/Post-No-Debit (PND), meaning that the holders cannot access the funds in the accounts.
As mentioned above, the money stolen from Flutterwave was distributed across multiple accounts. Tweets indicate that the transfer of these funds may or may not have anything to do with the exploit. However, the hacker or hackers behind this exploit remain unknown.
Investigations are under way into how these hackers managed to access the Flutterwave accounts and bypass the security measures safeguarding the funds. Customers are demanding to know whether security vulnerabilities were exploited and resulted in the breach.
On the other hand, Flutterwave denies any allegations about a hacking attack. The fintech has issued a statement saying that the breach affected customers who failed to install the recommended security features.
“We identified an unusual trend of transactions on some users’ profiles. Our team immediately launched a review (in line with our standard operating procedure), which revealed that some users who had not activated some of our recommended security settings might have been susceptible,” Flutterwave said.
The company’s statement also said that it managed to address the issue before more damage could be done to the users. The company assured users that it had not lost any funds, adding that it had robust security measures and addressed the issue before harm was done.
The company has also reiterated its commitment to keeping financial information safe and secure. It added that it had invested in security measures like periodic audits, licenses, and certifications to ensure user funds remained safe. The company added that the measures taken aligned with the best practices across the industry in information security management.
Despite the company’s statement, some Twitter users have insisted that their accounts were frozen because of this breach, and they cannot access their funds.