Nigerian fintech unicorn, Flutterwave, has suffered yet another devastating security breach, with unknown perpetrators illegally diverting billions of naira into unauthorized accounts across multiple banks. This is the fourth such incident reported in just over a year for the San Francisco-based payments company.
According to insider sources, in April 2024 the hackers managed to transfer at least ₦11 billion ($7 million), and potentially up to ₦20 billion ($13.5 million), to various accounts over a four-day period. The illicit transactions seemed designed to avoid fraud detection by keeping deposits below certain thresholds.
“As is common in the financial services industry, there will always be attempts by bad actors to compromise security systems,” Flutterwave acknowledged in a statement. “In April, we detected unauthorized activities…on one of our platforms used by a small subset of customers.”
However, the company insists that “no customer funds were lost or compromised” and that customer data confidentiality remains intact. Flutterwave says it has reported the matter to law enforcement for investigation.
Two financial services executives confirmed that Flutterwave reached out requesting account holder details from the banks involved, and that those suspect accounts have been temporarily frozen.
The modus operandi appears somewhat different from past breaches, suggesting a more sophisticated network was involved. Rather than simply funneling funds to random accounts, there seems to have been a closed loop of transfers between certain accounts before moving the money to a central beneficiary.
This is the latest in a troubling series of cybersecurity lapses at Flutterwave. In October 2023, ₦19 billion was illegally taken through POS merchants across multiple banks. Prior to that, ₦550 million was diverted in March 2023, while ₦2.9 billion was stolen in a February 2023 breach.
Flutterwave is one of Africa’s pioneering unicorn startups, valued at over $3 billion, and its recurring vulnerability to hackers raises serious concerns over its security infrastructure. Identifying the perpetrators could be aided by recent regulations requiring national ID numbers for all bank accounts. However, regaining customer trust will likely prove an uphill battle.