In new claims made by three sources who shared several pieces of evidence with TechCabal, the Nigerian fintech unicorn, Flutterwave, was likely breached a second and third time on March 1 and 14, 2023. The sources alleged that, much like the first incident on February 5, the perpetrators used monies fraudulently obtained from Flutterwave accounts to buy USDT on the crypto platform Binance. According to those sources, the monies involved in both incidents in March are estimated to be N550 million. It remains unclear how the perpetrators were able to move the money.
Nevertheless, Flutterwave denied the claims, telling TechCabal in an email: “As previously addressed in our public statement, the Flutterwave systems have not been hacked. Earlier this year during a routine check of our transaction monitoring system, we identified an unusual trend on some users’ profiles. In line with our standard operating procedure, we immediately launched a review which revealed that some users who had not activated some of our recommended security settings might have been susceptible. As far as our investigation has shown, this is the extent of the matter.”
A curious denial follows a money trail
In March, Techpoint reported that hackers transferred over ₦2.9 billion from Flutterwave accounts. Flutterwave denied the claim, but what followed was legal action to recover billions of Naira from several beneficiaries. TechCabal reported that hundreds of bank accounts were blocked in connection with the incident, and at the time, Flutterwave declined to comment on the matter.
Many of the account holders affected are cryptocurrency merchants, and claim that after the money was moved from Flutterwave’s accounts, it was used to buy USDT. Three first beneficiaries—accounts that directly received the diverted monies—told TechCabal that they jointly worked on fulfiling a USDT request that ran into billions of Naira for a Chinese merchant that they had routinely done business with. While these three first beneficiaries helped to source most of the USDT, they also sourced some of it from Binance’s open market, widening the trail of those affected. There are now about 295 people affected by all three incidents whose accounts remain frozen after Flutterwave petitioned the police and the courts to block the accounts in order to begin investigations.
The group chat
Legal wrangles show that money was moved
Flutterwave is insistent that neither the company or customers lost any funds. Despite this claim, some cryptocurrency merchants whose accounts were blocked told TechCabal that Flutterwave has filed petitions against them with the Economic and Financial Crimes Commission (EFCC), Nigeria’s anti-graft organization. One of the first beneficiaries is allegedly in EFCC custody, while the other has absconded. A first beneficiary is an account that received a transfer directly from a Flutterwave account. TechCabal could not independently verify those claims.
NIBSS asking that an account be frozen
But the legal actions aren’t moving in only one direction. David Ofedu Audu, whose five bank accounts frozen, and according to him, nothing has been done to remedy his locked accounts shared that the affected people have submitted petitions against Flutterwave at the Nigerian Human Rights Commission and the Federal Competition and Consumer Protection Commission. This is in addition to a petition filed by those affected at the Yaba Magistrate Court, pleading their innocence and asking the court to unfreeze their accounts. They are, however, still waiting for feedback from the court case, as their matter has been adjourned until April 26. “They [Flutterwave] are being very negligent and leaving poor Nigerians to suffer”, he told TechCabal.
A second beneficiary’s message on the group chat
Flutterwave is likely pursuing a forfeiture
Ajeka Iliasu Opaluwa, a first beneficiary of the first breach, also shared that Flutterwave has filed a forfeiture petition against the beneficiaries and claims that the beneficiaries committed the crime without the help of anyone. Opaluwa position is that just like the first breach, the second and third ones were committed by Chinese men.
In Flutterwave’s official response to Techpoint’s report on March 5, the company said, “We want to confirm that no user lost any funds.” Despite this, the company is looking to recover millions of dollars in funds from hundreds of users and will reportedly approach the court, seeking a judgment that the sums be forfeited. It begs the question of what funds it is trying to recover if the company and its customers did not lose any money.
Regarding the forfeiture petition, Flutterwave told TechCabal, “We cannot disclose specific legal actions or discuss ongoing cases due to the confidential and sensitive nature of these matters. However, we are collaborating with the appropriate authorities and pursuing all available legal options to hold those responsible accountable.”
NIBSS asking that a bank avail salvaged funds
TechCabal also contacted NIBSS. However, the payment system informed TechCabal that it was unable to provide this information. “As a shared service infrastructure for the Nigerian payment space, unfortunately, we are not able to confirm any information relating to the status of accounts within any financial institution.”