Cyber Attack Target - 20 Million Stolen from Revolut by Malicious Actors

Posted by Selina Coen on Tue, Aug 15th, 2023

Every company, no matter what sector, small or large, is threatened by hackers and fraudsters. This fact hit neobank Revolut hard when, in 2022, the bank was hacked, cybercriminals making off with around $20 million of Revolut funds. Here is what happened and how cyber-attacks targeting the financial sector and beyond can be prevented. 

Who is Revolut, and How Did they Lose $20 Million?

Revolut is a successful neobank formed in the UK in 2015. The company provides financial services to consumers, including prepaid debit cards and peer-to-peer payments. Although Revolut is a UK start-up, it runs its banking system via Lithuania as it has been unable to get a UK banking license - this problem persists and may be worsened by this recent attack. In 2021, Revolut made £636 million (around $815 million) in revenue, a 143% increase year-on-year. In 2022, Revolut had 20 million users, with 1.4 million using the app daily. 

The Financial Times was the first to highlight the Revolut hack. At some point, a software flaw entered the Revolut system. The fault was a process issue caused by differences between European and US payment systems. If a payment were made that could not be processed, the charge would be declined. However, the flaw meant that Revolut refunded the customer in error (even though the payment was never taken from the customer's account). Of course, cybercriminals are always waiting in the wings to exploit flaws such as this. So before long, the hackers were on the money trail, encouraging people to make expensive purchases that could quickly be declined, then go to an ATM and withdraw the refund. 

It took a partner bank in the US to notify Revolut of the problem, the partner pointing out that the bank was holding less cash than expected. Unfortunately, it took Revolut several months to fix the flaw; during this time, the cybercriminals extracted over $20 million. The stolen money came from Revolut's corporate funds, not customer accounts.

How Hackers Hack the Financial Sector

Revolut is just one FI in a long line of cyber-attacks targeting the financial sector. The extent of the problem in the financial industry was captured by a 2023 IMF (International Monetary Fund) survey across 51 countries. The survey highlights the issue, pointing out that cyber threats targeting financial instructions are "proliferating." The type of cyber-attacks focusing on the financial industry varies, but some more common is ransomware, data breaches, and DDoS attacks. The 2022 Verizon Data Breach Investigation Report (DBIR) has identified three types of cyber threats behind 79% of breaches in the financial sector: Application Attacks, System Intrusion, and Miscellaneous Error. According to the DBIR, stolen credentials are part of most attacks in the industry. 

The Revolut attack demonstrates the opportunistic nature of cyber threats, proving that anything and everything goes when it comes to data and financial theft; if there is a vulnerability, it will be exploited. 

The human-computer interface is often where exploits begin. In the case of Revolut, this exploit was a process flaw misused for financial gain. However, many attacks against a bank or other FI exploit humans, processes, and computers. Data from Statistica shows that Financial Institutions(FIs) are the most at risk from phishing. This fits the DBIR study findings that found a strong link between stolen credentials and data breaches.

How to Stop Hackers in their Tracks

In the case of Revolut, the process exploit was not the only cyber breach experienced by the company. In 2022, Revolut also suffered an unauthorized entry attack that resulted in the theft of the personal data of over 50,000 customers. This attack scenario fits with the DBIR findings of system intrusion, with stolen credentials likely to be the entry mechanism. Stolen credentials are typically phished using social engineering tactics that exploit human behavior. Continuing the exploitation is often part of a continued attack model; in the case of the Revolut attack, customers were under further threat with post-breach phishing attempts via SMShing even after the initial breach.

Cyber-attack prevention against financial sector companies requires a sustained and layered approach to security. All aspects of a system, from the human touch point to the underlying financial processes, must be tested, protected, and hardened. Security strategies must begin with understanding the weaknesses in a system. Penetration testing and threat and risk assessments guide the areas of a system or service most at risk. Using this intelligence, an FI can examine the technologies and methodologies available to harden their systems.

Email security and web-borne threat prevention help to stop phishing emails from entering an employee's inbox. However, the employees must be trained to spot social engineering or phishing attempts. Security awareness training is a critical measure to take to ensure that unauthorized access is prevented. Often, administrators and other privileged account users are targeted by cybercriminals; security awareness training must be able to adapt to the type of role of an employee. Behavior-driven security awareness training will provide tailored sessions that educate at-risk employees about the nuanced social engineering attacks used to steal their credentials. 

Cybercriminals will continue to target the financial sector as the wins can be enormous, with the average cost of a data breach in the industry being $5.9 million. If a hacker finds an opportunity to steal data and credentials, they will use it. In the case of cyber security, prevention is better than a cure. 

Find out more on how to prevent cyber-attacks in the banking and financial industries. Get in touch with our team of experts today.