Payments giant Revolut has reportedly suffered a cyberattack which resulted in the company losing around $20 million.
A report from the Financial Times citing multiple unnamed people allegedly familiar with the incident noted that the stolen money belonged to the company, not its customers.
The breach was not publicly disclosed, and Revolut decided not to comment on the attack.
Refunding expensive purchases
There appears to be quite the discrepancy between how Revolut operates in the US, and how it operates in Europe. The resulting bug allowed users to have a payment declined, and then have Revolut refund the money that was never sent. The bug was apparently first spotted in late 2021, but before Revolut could patch the hole, cybercriminals found it and started exploiting it. No malware seems to have been involved.
As it turns out, cyber-criminals were encouraging people to make expensive purchases that would be declined, and would then withdraw the refunded money from ATM machines. Some $23 million were sent from Revolut this way, but the company managed to claw back roughly $3 million, it would seem.
Some reports have claimed that Revolut did not even initially know it was being robbed, and that it only realized after a partner bank in the US said it was holding less money than expected. Then, the US subsidiary asked for a cash injection in “millions of dollars” from its parent company, before closing the flaw in spring last year.
Revolut is a global financial technology company offering banking services, also known as “neobanks”. The company is licensed and regulated by the Bank of Lithuania within the European Union, and has its headquarters in London, UK. Revolut was founded in 2015 by Nikolay Storonsky and Vlad Yatsenko.
Besides the “traditional” banking services, Revolut also allows its users to delve into cryptocurrencies, and even trade on the platform.