London-based payments giant Revolut has reportedly fallen victim to a significant cyberattack resulting in a loss of approximately $20 million. Multiple anonymous sources familiar with the incident disclosed the breach to the Financial Times. However, Revolut has chosen not to comment on the attack, and the breach has not been publicly disclosed.
According to the sources, the stolen funds belonged to the company itself and not its customers. It appears that Revolut’s operations in the United States differ from those in Europe, leading to a vulnerability that cybercriminals exploited. The bug in question allowed users to experience a declined payment, after which Revolut would automatically refund the money, even though it was never sent in the first place. The flaw was initially detected in late 2021, but before Revolut could address it, hackers discovered and exploited it. Notably, no malware appears to have been involved in the cyberattack.
The modus operandi of the cybercriminals involved encouraging individuals to make expensive purchases intentionally destined for decline. They would then withdraw the refunded money from ATMs, facilitating the transfer of approximately $23 million from Revolut. However, the company managed to recover around $3 million of the stolen funds.
Reports indicate that Revolut may not have been initially aware of the ongoing theft. It was only when a partner bank in the United States reported a shortfall in funds that Revolut became aware of the situation. Subsequently, the company’s U.S. subsidiary requested a cash injection from its parent company amounting to “millions of dollars” to address the issue. The flaw was eventually patched during the spring of the previous year.
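The flaw described above, a refund issued for a declined payment although no money had been sent, is the kind of mismatch a ledger reconciliation check can surface before a partner bank reports a shortfall. The following is an added example, not Revolut's code; the event kinds, field names and sample ledger are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample ledger (not real data). Field names are assumptions.
EVENTS = [
    {"txn": "t1", "account": "a1", "kind": "auth",    "cents": 5000},
    {"txn": "t1", "account": "a1", "kind": "capture", "cents": 5000},
    {"txn": "t1", "account": "a1", "kind": "refund",  "cents": 5000},    # backed by a capture
    {"txn": "t2", "account": "a2", "kind": "auth",    "cents": 250000},
    {"txn": "t2", "account": "a2", "kind": "decline", "cents": 250000},
    {"txn": "t2", "account": "a2", "kind": "refund",  "cents": 250000},  # nothing was ever debited
    {"txn": "t3", "account": "a2", "kind": "capture", "cents": 10000},
    {"txn": "t3", "account": "a2", "kind": "refund",  "cents": 4000},    # partial refund, fine
    {"txn": "t3", "account": "a2", "kind": "refund",  "cents": 7000},    # exceeds capture by 1000
]


def unbacked_refunds(events):
    """Return refunds that pay out more than was actually captured.

    Assumes events are in time order, so a capture precedes its refund.
    An authorization or a decline moves no money and is never counted.
    """
    captured = defaultdict(int)
    refunded = defaultdict(int)
    findings = []
    for ev in events:
        txn = ev["txn"]
        if ev["kind"] == "capture":
            captured[txn] += ev["cents"]
        elif ev["kind"] == "refund":
            refunded[txn] += ev["cents"]
            excess = refunded[txn] - captured[txn]
            if excess > 0:
                # Only the part of this refund not covered by captured funds.
                findings.append({"txn": txn, "account": ev["account"],
                                 "unbacked_cents": min(excess, ev["cents"])})
    return findings


def exposure_by_account(findings):
    """Sum unbacked refund amounts per account for alerting thresholds."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["account"]] += f["unbacked_cents"]
    return dict(totals)


if __name__ == "__main__":
    print(exposure_by_account(unbacked_refunds(EVENTS)))
```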
The cyberattack and subsequent loss represent a significant blow to Revolut, one of the world’s leading fintech companies. As the investigation unfolds, questions arise regarding the security measures in place at Revolut and the potential impact on its reputation and customer trust. With Revolut’s decision to remain silent on the incident, concerned customers and industry observers eagerly await further details regarding the nature of the attack and steps taken to prevent similar incidents in the future.
Source: Techradar