Malicious actors exploited a fault in Revolut’s payment processing system to steal over $20 million from the financial super app in 2022, according to a report by the Financial Times.
The issue arose from discrepancies between Revolut’s US and European systems, which caused funds to be incorrectly refunded using the company’s own money when certain transactions were declined, the report states, citing multiple anonymous sources.
Organized criminal gangs took advantage of this loophole by enticing individuals to attempt high-value purchases that would subsequently be declined, allowing the refunded amounts to be withdrawn from ATMs.
The fault was discovered in late 2021 by a partner bank of Revolut in the US and was rectified in Spring 2022. In total, around $23 million was withdrawn, with some funds recovered by pursuing those who had taken out cash.
Revolut has not yet commented on the breach.