Hackers Exploit a Flaw in Revolut’s Payment Systems: Steal $20 Million

A recent report shared by Financial Times has shed light upon a breach of sorts that cost Revolut $20 million (originally $23 million) back in early 2022. Hackers exploited a flaw in Revolut’s payment systems that was not known at the time by the concerned authorities. 

https://twitter.com/lewisevans2007/status/1678417138942369792

The report explained that the issue was first observed in 2021 and malicious actors exploited it in early 2022. The hackers continued to take advantage of this flaw for a few months:

“A flaw in Revolut’s payment system in the US allowed criminals to steal more than $20mn of its funds over several months last year before the company could close the loophole.”

What was the flaw? 

The flaw was due to the differences between Revolut’s European and U.S. systems. The resulting issue led to accounts getting wrongly refunded for some declined transactions. 

The report further explained:

“Organized criminal groups then took advantage of the fault early in 2022, according to three people with knowledge of the situation, encouraging individuals to try to make expensive purchases that would go on to be declined. This would then be cashed out via ATMs.”

This way, when people make such purchases that get declined and then are refunded, Revolut’s corporate funds are affected instead of customer accounts. And while Revolut was able to get some of its money back, the net loss turned out to be roughly $20 million, according to the report.

When was the issue discovered?

The issue was first discovered back in 2021, but before Revolut could do much about it, the exploitations were already in full force. The loophole was exploited over several months yet Revolut was still unable to detect it. 

Here is how the company came to know according to the report:

“Revolut’s systems failed to pick up the mass fraud and the problem came to light when a partner bank in the US notified the fintech that it was holding less cash than expected.” the report said. “This was followed by requests from Revolut’s US subsidiary for multimillion-dollar cash injections from its parent.”

What was striking about the case, according to multiple sources was:
-The scale, about two thirds of Revolut’s net profit for 2021
-The timeframe, running for months before being closed
-The fact that it was external partners who first picked up something was wrong

— Siddharth Venkataramakrishnan (@SVR13) July 9, 2023

Outcome: How has this affected Revolut?

While the issue was resolved by the spring of 2022, it cost Revolut a lot more than money and negatively impacted the company’s reputation. Revolut is facing extended delays in securing a banking license in the UK, and the 2022 scandal is most probably to blame for it.

The report by Financial Times suggests that the Bank of England expressed its plans to reject the license. Besides Revolut’s efforts to salvage the license, the company is also facing some trouble with the auditors at BDO. The reports explain the waning received by the organization:

“Auditor BDO separately warned that Revolut’s revenues could have been “materially misstated” as it was unable to satisfy itself of the “completeness and occurrence” of about two-thirds of its revenues reported for 2021.”

Conclusion

Revolut has suffered over an extended duration due to the $20 million scam that cost the organization both in terms of cost and status. With the fintech company’s reputation struggling, major investors have also written down their stakes bringing down the valuation to half of what the company raised back in 2021 ($33 bn). 

Revolut has also been hit with some high-status departures. And while the details regarding the breach have not been made public, it is only a matter of time before Revolut will have to implement the necessary measures to counter any future slip-ups.