Hackers steal $20 million from Revolut

Malicious actors exploited a software vulnerability and stole $20 million from the fintech company

Olivia Powell
07/10/2023


Malicious actors have stolen more than US$20 million from financial technology company Revolut by exploiting a software vulnerability within its US payment system.

The cyber security incident was allegedly ongoing for several months in 2022 before the vulnerability was closed. Revolut has not yet publicly addressed the theft; however, it was reported by The Financial Times (FT).

According to FT’s sources, the software vulnerability meant that there were communication issues between Revolut’s European and US payment systems. As a result, when some transactions were declined, Revolut would incorrectly refund accounts with money from the bank itself rather than the money belonging to the account. By exploiting this flaw, malicious actors were able to steal around $23 million from Revolut.

The sources also reported that while this refund issue had been flagged occasionally in 2021, in 2022 organized criminals began to take advantage of the fault. These gangs would purposefully make large purchases they knew would be declined, then remove the excess money refunded to their accounts via an ATM.

The mass fraud apparently came to light when a US-based partner bank of Revolut's notified the company that its funds were lower than expected. The software vulnerability was then patched in spring 2022.

While Revolut was able to recover some of the money stolen by targeting those who had exploited the payment system error, overall the company lost around $20 million.

Revolut data breach exposes information of 50,000 customers

On September 11, 2022, Revolut suffered a data breach which saw a third party gain access to Revolut’s database and the personal information of 50,150 users.

The data breach was caused by a social engineering attack. Malicious actors accessed data including names, addresses, email addresses and partial payment card information during the cyber attack, although Revolut has stated that card details were hashed.

The Lithuanian government made a statement on the cyber attack, as Revolut holds a banking license there. It said that Revolut had taken “prompt action to eliminate the attacker's access to the company's customer data and stop the incident” once it was discovered.  

Revolut customers took to social media to discuss the attack, namely Reddit. One user shared details of an email they received regarding the cyber attack, which stated the “isolated incident” saw Revolut take “immediate action to properly manage...and protect [its] customers”.  

The email also assured customers their data, money and account were all safe and further advised them to be “especially vigilant for any suspicious activity, including suspicious emails, phone calls or messages”.  

In comments on the post, however, another Reddit user criticized Revolut for only emailing its affected customers rather than making a public statement. Others criticized the non-specific language used in the email, saying that they “just want to know what data was leaked”.
