In a major security breach, malicious actors capitalized on an undisclosed vulnerability in Revolut’s payment systems, successfully siphoning off more than $20 million from the company’s funds in early 2022.
The Financial Times reported the incident, citing anonymous sources familiar with the matter. The breach, which has not been publicly disclosed by Revolut, was triggered by discrepancies between the neobank’s U.S. and European systems, which caused incorrect refunds to be issued from Revolut’s own funds when certain transactions were declined.
According to the report, the flaw was first discovered in late 2021. However, before it could be resolved, organized criminal groups took advantage of the loophole by encouraging individuals to make expensive purchases that would ultimately be declined.
The refunded amounts were then swiftly withdrawn from ATMs. While specific technical details regarding the flaw remain unknown, approximately $23 million was stolen in total, with some funds recovered through efforts to track down those who had withdrawn cash. The breach inflicted a net loss of around $20 million on Revolut, a notable fintech firm.
Interestingly, the disclosure of the breach comes less than a week after Interpol announced the arrest of a suspected senior member of OPERA1ER, a French-speaking hacking group notorious for targeting financial institutions and mobile banking services through malware, phishing campaigns, and large-scale Business Email Compromise (BEC) scams.
Although it is unclear whether OPERA1ER was involved in the Revolut breach, this arrest highlights the ongoing threat posed by cybercriminals to the financial industry.