Flutterwave's security breach costs them ₦11 billion.

Esther Daniel

Esther Daniel

· 4 min read
flutterwave-cybersecurity-breach-loss

Flutterwave experienced another security breach a month after receiving a court order to recoup $24 million lost to illegal point-of-sale transactions. This vulnerability allowed unidentified individuals to transfer billions of naira to multiple bank accounts.

In April 2024, the criminals unlawfully moved ₦11 billion ($7 million) to multiple accounts, according to a financial services insider who was directly informed of the events. According to a second insider, at least ₦20 billion ($13.5 million) was at stake.

According to a statement from Flutterwave, "as is typical in the financial services industry, there will always be attempts by bad actors to compromise the security of systems set up to protect and monitor services."

On one of our platforms that is utilised by, in April, we discovered unauthorised behaviours that were not consistent with typical user behaviour.

"No customer funds were lost or compromised, and the confidentiality of our customers' data remains intact," stated Flutterwave, without providing an exact figure.


The stolen money, according to a highly placed source with knowledge of the matter, was transferred over the course of four days among multiple accounts in five different financial institutions. The fact that the offenders made sure the deposits stayed below thresholds that would result in fraud checks probably prevented the incident from being discovered.


The same person, who wished to remain anonymous, stated that law enforcement has been notified of the situation and that investigations have started.

According to two financial services sector officials who verified the occurrence, Flutterwave contacted them to get the KYC information for the concerned accounts. They added that there has been a temporary restriction on the incident-related accounts.

Similar system breaches involve the transfer of money to the bank accounts of several hundred gullible individuals in order to hide the movement of monies. Programmes that automate bulk transfers often leverage the user details that are collected online or through social engineering.

But April's breach seems to be unique. A high-ranking employee of a financial institution said that the distribution may have been part of an organised network.

But April's breach seems to be unique. A high-ranking employee of a financial institution said that the distribution may have been part of an organised network.

"The offenders seemed to move the funds to arbitrary accounts, but those same accounts would move funds to other accounts, which would subsequently send the funds back to the original beneficiary account—a sort of round trip."

This closed-loop method is not the same as previous attempts to cover up the trail with disconnected third-party accounts.

But April's breach seems to be unique. A high-ranking employee of a financial institution said that the distribution may have been part of an organised network.

"The offenders seemed to move the funds to arbitrary accounts, but those same accounts would move funds to other accounts, which would subsequently send the funds back to the original beneficiary account—a sort of round trip."

This closed-loop method is not the same as previous attempts to cover up the trail with disconnected third-party accounts.

Since the Central Bank ordered all financial institutions to require all customers to provide their bank verification number (BVN) or a national identification number (NIN) for account or wallet opening by March 2024, it may be easier to identify the account owners involved in the most recent incident than it was previously. With the KYC information supplied by these financial institutions, Flutterwave was granted a court order in February known as a Mareva injunction, which permits it to reclaim the assets and money of the identified account holders even though they have already spent the money.

Esther Daniel

About Esther Daniel

A motivated and results-oriented Technical Product Manager and Business Analyst with three (3) years of experience in analyzing business processes and implementing technical solutions to optimize operational efficiency. Proficient in data analysis, SaaS tools, project - product management, and communication, seeking to leverage expertise to drive business growth and innovation

Copyright © 2024 Techcirca. All rights reserved.