While Flutterwave claims no customer funds were lost, a source with knowledge of the incident alleges stolen funds were moved to accounts across five banks over four days, likely to avoid triggering fraud checks. Law enforcement is investigating the matter.
This concerning incident marks the fourth unauthorized transfer issue for Flutterwave in the past fourteen months. Here’s a timeline of previous breaches:
- October 2023: ₦19 billion ($24 million) was illegally transferred through unauthorized POS transactions to roughly 6,000 accounts across 35 banks.
- March 2023: Approximately ₦550 million was diverted to 107 bank accounts across 27 banks.
- February 2023: Court documents reveal ₦2.9 billion was diverted to 107 bank accounts in 27 banks.
The latest breach appears distinct from previous attempts. Instead of using unconnected outsider accounts, the perpetrators may have employed a “closed-loop” system. Funds were transferred to seemingly random accounts, which then cycled the money back to the initial beneficiary, potentially obscuring the trail.
A recent regulation by the Central Bank of Nigeria requiring all financial institutions to collect Bank Verification Numbers (BVN) or National Identification Numbers (NIN) for new accounts or wallets since March 2024 might aid identification of those involved in this incident.
In February, Flutterwave obtained a court order to recover funds and assets from identified account holders involved in a previous breach, even if the funds had already been spent.