Hackers steal ₦2.9 billion from Flutterwave accounts, motion granted to freeze accounts connected with stolen funds

·
March 5, 2023
·
4 min read
Flutterwave's office

The news:

  • In early February 2023, hackers transferred over ₦2.9 billion from Flutterwave accounts.
  • While police investigations are ongoing, Flutterwave is seeking to freeze accounts where some of the money was transferred.
  • A motion to freeze accounts in 27 financial institutions in Nigeria, including Access Bank, Kuda, Zenith Bank, and OPay, was filled, with suit no. MISC/MC4/181/23, and later granted

According to documents seen by Techpoint Africa, ₦2,949,557,867 has been illegally transferred from the accounts of African fintech unicorn, Flutterwave.

On February 19, 2023, Flutterwave's legal counsel, Albert Onimole, reported the case to the Deputy Commissioner of Police, State Criminal Intelligence Department, Panti, Yaba, Lagos.

In an accompanying letter, Onimole stated that the hack on Flutterwave's accounts occurred about two weeks ago from February 13. It was said that the money was initially transferred to 28 accounts in 63 transactions.

Advertisement

While the incident was reported to the police on February 13, 2023, with the list of accounts that had received the money, the police could not freeze the funds at the time. Onimole, in his letter, blames some commercial banks for allowing the money to be moved to other accounts, thus widening the money trail.

To further investigate accounts holding the stolen funds across various financial institutions in Nigeria, S.A. Adedesin, Legal Officer, State CID, Panti, Yaba, Lagos, filed a suit (MISC/MC4/181/23), dated February 27, at the Magistrate Court of Lagos (Yaba Magisterial District sitting at Yaba) to support Flutterwave's claims. A motion ex-parte, it appears, was granted in favour of Flutterwave.

The suit (MISC/MC4/181/23) is between the Commissioner of Police and the following financial institutions.

  1. Access Bank
  2. Providus Bank
  3. Union Bank
  4. Keystone Bank
  5. PalmPay
  6. First City Monument Bank (FCMB)
  7. Kuda Bank
  8. Zenith Bank
  9. First Bank of Nigeria
  10. Guaranty Trust Bank (GTB)
  11. United Bank for Africa (UBA)
  12. Polaris Bank
  13. Wema Bank
  14. Union Bank
  15. Sterling Bank
  16. Ecobank
  17. Paycom
  18. Fidelity Bank
  19. Eyowo
  20. Stanbic IBTC Bank
  21. Opay
  22. VFD Microfinance Bank
  23. Carbon
  24. Moniepoint
  25. Al-Hayat Microfinance Bank
  26. PiggyVest
  27. Nomba (previously Kudi)

Some accounts have already been frozen  

While there are no documents to confirm if the court has ruled in favour of Inspector Micheal's motion, some people have confirmed that their accounts have been frozen in connection to the hack.

A Twitter user said, "I got a mail from my bank saying I'm a 4th beneficiary to this acclaimed fraud money. This was after over five days after a successful trade. My account is locked 🔒  can't access fund inside. Pls is this right? It's unfair I have zero business with flutter wave or the hack."

Don't miss out on Africa's financial revolution

Keep up with the rapid pace of innovation in Africa's fintech landscape with Fintech Today. Designed for quick consumption, our exclusive newsletter, trusted by over 1,000 industry leaders, delivers the latest insights, trends, and breakthroughs right to your inbox.
Fintech Today

Give it a try, you can unsubscribe anytime. Privacy Policy.

Per the motion filed by  Adebesin, 107 accounts, including fifth beneficiaries of those accounts, are to be placed on lien/Post-No-Debit (PND).

With the stolen funds distributed across several accounts, which, according to tweets, may or may not have anything to do with the hack, it is not clear at this time who hacked Flutterwave.

Questions about how hackers got past Flutterwave's security and what this means for the unicorn's customers remain unanswered.

An official statement by Flutterwave denies the hack saying, "we identified an unusual trend of transactions on some users’ profiles. Our team immediately launched a review (inline with our standard operating procedure), which revealed that some users who had not activated some of our recommended security settings might have been susceptible."

The statement adds that Flutterwave was able to address the issue before any harm was done to its users.

"We want to confirm that no user lost any funds, and we take pride in the fact that our security measures were able to address the issue before any harm could be done to our users.

Our commitment to keeping our users’ financial information safe and secure is why we invest heavily in security initiatives such as periodic audits, certifications, and licenses such as the PCI-DSS & ISO 27001. These are in line with global best practices in information security management."

However, some Twitter users insist that their accounts were locked as a result of the hack on Flutterwave.

This is a developing story.


[Update 1] This article was updated on Sunday, March 5, 2023, at 4:11 pm WAT to reflect that this is a developing story and Flutterwave is working on an official statement.

[Update 2] Monday, March 6, 2023 at 1:20 am WAT. Flutterwave's statement claims there was no hack, and no users lost money.

[Update 3] Monday, March 6, 2023 at 11:15 am WAT. The article has been updated;

  • to include the suit number of the court case between Flutterwave and the 27 financial institutions.
  • affirm that an ex-parte motion was granted to freeze the connected accounts on the 27th of February, 2023.
  • accurately reflect that it was Flutterwave's legal counsel, Albert Onimole, who blamed commercial banks for the widening of the money trail, following a delay in obtaining a motion to freeze connected accounts.
He's a geek, a sucker for Blockchain and an all-round tech lover. Find me on Twitter @BoluAbiodun1.
He's a geek, a sucker for Blockchain and an all-round tech lover. Find me on Twitter @BoluAbiodun1.
Subscribe To Techpoint Digest
Join thousands of subscribers to receive our fun week-daily 5-minute roundup of happenings in African and global tech, directly in your inbox, hours before everyone else.
This is A daily 5-minute roundup of happenings in African and global tech, sent directly to your email inbox, between 5 a.m. and 7 a.m (WAT) every week day! 
Digest Subscription

Give it a try, you can unsubscribe anytime. Privacy Policy.

He's a geek, a sucker for Blockchain and an all-round tech lover. Find me on Twitter @BoluAbiodun1.

Other Stories

43b, Emina Cres, Allen, Ikeja.

 Techpremier Media Limited. All rights reserved
magnifier