Malicious actors exploited a fault in Revolut's payment prcoessing system to steal more than $20 million from the financial super app in 2022, the FT has reported.
The fault stemmed from discrepancies between Revolut's US and European systems, causing funds to be erroneously refunded using its own money when some transactions were declined, says the FT, citing multiple anonymous sources.
Organized criminal gangs exploited the loophole by "encouraging individuals to try to make expensive purchases that would go on to be declined." The refunded amounts would then be withdrawn from ATMs.
The fault was detected in late 2021 by a partner bank to Revolut in the US, and was corrected in Spring 2022.
About $23 million was withdrawn in total, with some funds recovered by pursuing those who had withdrawn cash.
Revolut has yet to comment on the breach.