On Sunday, payments fintech Flutterwave denied a Techpoint report that hackers stole ₦2.9 billion of customer funds. In its response to the story, Flutterwave said it noticed unusual activities in its systems and told users to activate safety protocols. But it insisted that customers did not lose any funds. 

However, several sources told TechCabal a different story. One of those sources told this publication that his company lost ₦8 million. Three other sources said their accounts were frozen for being beneficiaries of illegal transfers from Flutterwave accounts.

A call to action

On March 3, 2023, Alex Onyia tweeted about a hack at Flutterwave. Part of his tweet said, “Flutterwave has been hacked by Omar Edewor Trades, who has an account in Access Bank, and several millions of naira have been stolen from people’s [Flutterwave] accounts.” He advised everyone to get a new API key—one of the safety precautions that Flutterwave asked its users to take two days later.

Onyia is the CEO of Educare, a school management software provider that integrates Flutterwave and Paystack payment technologies into their software for educational institutions and other businesses. On a call with TechCabal, Onyia maintained that money was fraudulently transferred out of the Flutterwave accounts of his clients through API calls. 

He said, “On Thursday, March 2, 2023, I got a message from my account manager at Flutterwave asking if we authorised some transactions. I looked into the matter and was already blaming my dev team. I thought they introduced something new or a backdoor that was triggering the debit. After further investigation, I discovered that there was no problem with my company and that there was a compromise in Flutterwave’s system.”

Onyia claimed that the hacker moved ₦4,990,000 out of the client’s Flutterwave account first and ₦3,360,000 moments later. “They even initiated a third debit for ₦3,360,000, but the balance wasn’t up to that, so it didn’t materialise,” he said.

flutterwave hack

Following the money trail

Onyia said that he called Access Bank, where the money had been transferred into an account named Omar Edewor Trades. “We called the bank, but we were told that the money had been moved to another bank. After sharing the necessary documents, including information about the illegal transaction on Flutterwave, I asked Access Bank to freeze the account.” According to Onyia, while the bank was investigating, it noticed that a lot of money was flowing into that account and immediately froze the account.

“We asked the bank to send us back our money since there was money in the account and proof that about ₦8 million moved from our account to the fraudster’s. The bank refused, saying that they had no right to, as based on the transaction trail, our money has been moved to a different account.” TechCabal could not verify that the Access Bank account was frozen at the time of this report.

Onyia said that on March 3, Flutterwave asked customers to activate IP whitelisting, a security measure that was previously optional and asked everyone to change their API keys. “If you know your system was not compromised, why are they asking everyone to take all these measures?”

Flutterwave’s response

Flutterwave answers this question in its official statement, saying, “During a routine check of our transaction monitoring system, we identified an unusual trend of transactions on some users’ profiles. Our team immediately launched a review (in line with our standard operating procedure), which revealed that some users who had not activated some of our recommended security settings might have been susceptible.” However, the fintech flatly denied that any user lost any funds, as its security measures were “able to address the issue before any harm could be done to our users”.

But court documents seen by TechCabal raise questions about Flutterwave’s version of events. Those documents include certified true copies of a petition by Fluttewave’s legal counsel to the police dated February 20, 2023. The letter asked for police assistance to recover funds by obtaining court orders from the magistrate court to sustain account freezes on 107 bank accounts in 27 banks that allegedly, directly or indirectly, received money from the illegal transfers from Flutterwave accounts.

flutterwave hack
A page from Flutterwave’s petition showing banks of the accounts the company requested to have frozen

Read also: In the wake of explosive accusations against Africa’s most valuable startup, Flutterwave co-founder speaks

Some of the frozen accounts

Ajeka Iliasu Opaluwa, owner of Pajek Signature, a cryptocurrency trading business, is listed in court documents as a first beneficiary of the illegal transfer from Flutterwave accounts. A first beneficiary is an account that received a transfer directly from a Flutterwave account.  On a call with TechCabal, Opaluwa said, “I sold USDT worth ₦1.6 billion to William Atong Chen, a Chinese merchant who has been a customer since 2019. When we first transacted five years ago, my partner met him in Lagos to complete KYC (know your customer). The transactions started on February 5, 2023, and I got paid, just like all the others I have had with him. It was on February 7, 2023, after the trade had been concluded, that the bank froze my account.”

flutterwave hack
Page from Flutterwave’s petition asking for the freezing of Opaluwa and Pajex signature’s accounts
Email from one of Opaluwa’s banks

Opaluwa told Chen that the bank had frozen his account. “I asked him to come to the bank and help me resolve the issue, but he said he was no longer in Nigeria. His Nigerian numbers are still reachable, and when I call him to recount my plight, he insists that he made the transaction in good faith and that it was not stolen money he sent to me,” Opaluwa said on the call.

Opaluwa insists that the Chinese customer’s name is William Atong Chen, however, the only Chinese name found on Flutterwave’s court document listing bank accounts to be frozen is Quiang Chen. Opaluwa shared evidence of the transaction with TechCabal. “I made the transaction lawfully. I sourced USDT, and when I saw evidence that I had been paid, I handed them over. Three days later, somebody comes to tell me that the money I was paid was stolen. Was I supposed to take it to a digital money detector? How could I have known the money was stolen?” he asked on the call. He told TechCabal that he has filed a petition against Flutterwave as he is also a victim. 

The accounts of other crypto traders who received payments for crypto assets from Opaluwa were also frozen. David Ofedu Audu, whose five bank accounts are listed on Fluterwave’s petition for account freezing, is one of them. Audu told TechCabal that his transactions with Opaluwa started on February 5 and ended on February 7. The day after, February 8, his five accounts were frozen.

flutterwave hack
Flutterwave’s petition showing a request for the freezing of one of Audu’s account

He also shared an email from StanbicIBTC Bank confirming that his accounts were frozen because of the illegal transfers from Flutterwave accounts. His account manager at Providus Bank, where his accounts were also frozen, cited the same reason for the freeze, on a call.

Email from one of Audu’s banks where his account was frozen
Flutterwave’s petition showing Audu as a second beneficiary of illegal transfers from Flutterwave accounts

“I am a second beneficiary because the person who paid me received the money directly from Flutterwave. Opaluwa bought USDT from me for a Chinese customer called Chen,” Audu said on the call. In the court documents, Chen’s account is listed as one of the accounts frozen for receiving funds from the impacted Flutterwave accounts.

TechCabal also spoke to sources whose accounts were blocked but who claimed they had no dealings whatsoever with Flutterwave. Henry Awaka, one such person, told TechCabal that his Fidelity Bank account was frozen around the same period. He told TechCabal, “I sent several emails to Fidelity Bank but got no response.” 

He remained in the dark until his friend, who was a second beneficiary, saw his name in the court documents and told him about it. According to the document, Awaka’s Fidelity bank account is a fourth beneficiary and received ₦1,199,291 from an account named Nnam Monday Kingsley at Providus Bank. Awaka said that he traced the transaction and discovered that it was from a bulk sale of alcoholic drinks—350 crates of Trophy and 27 crates of Budweiser alcoholic drinks. 

Flutterwave’s petition showing Awaka as fourth beneficiary of illegal transfers from Flutterwave accounts

Awaka is a sales manager at an international brewery and he claimed he makes these sorts of transactions regularly. He didn’t suspect that he had become a beneficiary of some of the  N2.9 billion illegally transferred from Flutterwave accounts. He has since emailed his bank several times with the receipt of his transaction but has received no response. “Fidelity Bank is so complacent about the matter,” he said. According to him, there are about 180 people in a Whatsapp group whose accounts have been frozen after making one legitimate transaction with someone who received money that came from the Flutterwave account. 

Awaka’s email to his bank showing a receipt of the transaction for which his account was frozen

TechCabal sent several emails to Flutterwave asking for comments, but the company did not provide one at the time of this report. 

Get the best African tech newsletters in your inbox