The Financial Times has revealed that cybercriminals exploited an unknown flaw in Revolut’s payment systems, stealing a staggering $20 million of the company’s funds in early 2022.
The Flaw: A Discrepancy between US and European Systems
The vulnerability originated from discrepancies between Revolut’s U.S. and European systems. The fault led to funds being erroneously refunded from the company’s own reserves when certain transactions were declined. The problem was first detected late last year.
Organized criminal syndicates reportedly exploited the loophole. They enticed individuals to attempt large purchases that would subsequently be declined. The erroneously refunded amounts were then extracted via ATMs.
While the precise technical details of the flaw remain unknown, it is reported that the cybercriminals made off with approximately $23 million in total. The fintech firm managed to recover some of the stolen funds by pursuing cash withdrawals, resulting in a net loss of around $20 million.
Revolut: A Victim Again – 50,000 Customers’ Data Breached
In a separate incident earlier in 2022, the Lithuania-based online bank Revolut fell victim to a significant data breach. The hackers made off with the personal data of 50,000 customers, as reported by the Lithuanian data protection authority, VDAI.
The attack, which took place on September 11, 2022, was short-lived and quickly mitigated by the bank. Nevertheless, the attacker successfully accessed the data of 50,150 customers. About 21,000 of the affected customers were based in the European Economic Area (EEA). The number of customers affected in the Benelux countries has yet to be disclosed.
The hackers made off with customer names, addresses, email addresses, phone numbers, partial payment card details, and account information. A Revolut spokesperson told BleepingComputer that no funds were stolen and that no PIN codes or passwords were viewed during the attack.