Financial technology company Revolut has been targeted by hackers who exploited a vulnerability in its US payment system.

The company has not publicly admitted the attack or the subsequent theft, but details of the attack have been published by the Financial Times.

The Financial Times report states that the attack exploited a vulnerability in the software used to communicate between Revolut's European and US payment servers.

The vulnerability allowed attackers to submit payments that were then declined. In these situations, Revolut would issue an immediate refund of the money taken. However, the communication fault meant that Revolut incorrectly refunded accounts with the bank's own money rather than the money belonging to the account.

Through this exploit, the threat actors were able to steal approximately $23 million from the FinTech service provider.

Long-term issue

Sources told the Financial Times that Revolut had been aware of occasional incorrect refunds occurring since 2021, but that attackers started exploiting this vulnerability in earnest in early 2022.

In most instances, the attackers would issue payments which they knew would be declined and, as soon as the refunds were issued, would withdraw the funds from ATMs.

The scale of the mass fraud conducted against the digital bank was only discovered when a US-based partner bank of Revolut's notified the company that its funds were lower than expected.

Following its discovery, the software vulnerability was patched in the spring of 2022.