Malicious actors exploited an unknown flaw in Revolut’s payment systems to steal more than $20 million of the company’s funds in early 2022.
The development was reported by the Financial Times, citing multiple unnamed sources with knowledge of the incident. The breach has not been disclosed publicly.
The fault stemmed from discrepancies between Revolut’s U.S. and European systems, causing funds to be erroneously refunded using its own money when some transactions were declined.
The problem was first detected in late 2021. But before it could be closed, the report said organized criminal groups leveraged the loophole by “encouraging individuals to try to make expensive purchases that would go on to be declined.” The refunded amounts would then be withdrawn from ATMs.
The exact technical details associated with the flaw are currently unclear.
images from Hacker News