Zephyr Energy case highlights how business email compromise redirects payments to hacker-controlled accounts

This article was generated by AI and cites original sources.

Zephyr Energy reported that a hacker stole £700,000 (approximately $1 million) from one of its U.S.-based subsidiaries by redirecting a payment intended for a contractor into a hacker-controlled account. In a regulatory filing with the London Stock Exchange on Thursday, the British oil and gas company stated that it is “working with the corresponding banks and consultants to attempt to recover the diverted funds,” while also noting that the incident is contained and its operations are running normally. The case demonstrates that payment workflows can remain vulnerable to business email compromise (BEC) tactics that alter bank details during invoice processing, even when companies follow “industry standard practices” for their technology and payment platforms.

What Zephyr reported

According to Zephyr Energy’s statement in the London Stock Exchange filing, the theft occurred when a payment intended for a contractor was diverted into an account controlled by the attacker. The company did not provide details on the exact entry point or the specific mechanism of compromise. That absence of technical detail limits what can be learned from the case: without a described initial access path, any review of the incident has to consider the whole workflow (email access, accounting systems, and payment authorization steps) rather than a single product or integration.

Zephyr did describe the operational status and response posture. It stated that the incident is “contained” and that its operations are running normally. For recovery, it pointed to coordination with “the corresponding banks and consultants” to attempt to recover the diverted funds. The filing also noted that, while it used “industry standard practices” for its technology and payment platforms, it has implemented “additional layers of security” following the incident.

A Zephyr spokesperson did not respond to a request for comment. This means the public record remains limited to the company’s filing and general descriptions of BEC techniques.

Business email compromise and the payment redirection pattern

The incident aligns with a known category of fraud: BEC. In this attack pattern, hackers gain access to email inboxes or accounting systems and then use that access to alter bank account and routing numbers during the process of paying someone or clearing an invoice.

This matters technologically because BEC exploits the data dependencies within routine business processes rather than targeting a single application vulnerability. In many organizations, contractor payments depend on information that can be changed upstream—such as vendor bank details and invoice-related instructions. If an attacker gains control of email communications or accounting records, they can potentially influence what payment systems transmit to banks.

In Zephyr’s case, the reported outcome, a contractor payment redirected into a hacker-controlled account, is consistent with this general BEC pattern.

FBI data on BEC financial impact

According to the FBI’s most recent annual report on internet cybercrime, published in April, BEC attacks remain one of the top sources of financial losses, totaling more than $3 billion in victim losses during 2025. While that figure is not specific to Zephyr, it places the company’s reported £700,000 loss within a broader trend: BEC is not a niche threat, and it continues to generate substantial aggregate losses.

For technology teams, the implication is that defenses cannot rely solely on perimeter security or general “industry standard practices” for payment platforms. Even when core payment infrastructure is protected, attackers may target the communication and data layers that feed payment instructions—particularly email and accounting systems, which are common targets in BEC attacks.

What “additional layers of security” could mean for payment systems

Zephyr stated that it implemented “additional layers of security” after the incident, but the company did not specify what those layers are. The phrasing indicates a shift from baseline controls to enhanced safeguards around the workflow that was exploited—payment initiation, verification of bank account details, and the systems that store or transmit those details.

Given that Zephyr used “industry standard practices” for its technology and payment platforms, observers may watch for whether the “additional layers” focus on reducing the chance that attackers can (1) access email or accounting records, (2) change bank or routing details without detection, or (3) push altered instructions into payment execution. The attack pattern described in BEC incidents—unauthorized access via email inboxes or accounting systems—suggests that hardening those specific surfaces is a logical direction, even though the company’s filing does not enumerate specific controls.
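The three control points listed above (access to records, undetected changes to bank details, and altered instructions reaching payment execution) can be turned into concrete checks in an accounts-payable pipeline. The following is an added example written for this article; it is not code from Zephyr Energy, from its payment platform, or from any of the article’s sources. It models a payment-release gate that refuses to send a payment when the bank details on an invoice differ from the vendor master record, when the master record was changed but never confirmed through a callback to a phone number captured at onboarding, or when the user who changed the details is the same user approving the payment. Every vendor, invoice, user name, account number and routing number below is constructed for illustration, and the policy itself (callback to the number on file, separate approver) is an assumption about what such a control could look like, not a description of the controls Zephyr adopted.

```python
# Added example (not Zephyr Energy's code): a payment-release gate for an
# accounts-payable workflow. All records and identifiers are constructed.

from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class Vendor:
    vendor_id: str
    account_number: str
    routing_number: str
    callback_phone: str                      # captured at onboarding, never from email
    changed_at: Optional[datetime] = None    # when bank details last changed
    changed_by: Optional[str] = None         # user who applied that change
    change_verified: bool = False            # cleared only by confirm_change()


@dataclass
class Invoice:
    invoice_id: str
    vendor_id: str
    amount: float
    account_number: str      # bank details as they appear on the submitted invoice
    routing_number: str
    approver: str            # user releasing the payment


@dataclass
class Decision:
    released: bool
    reasons: list[str] = field(default_factory=list)


def change_bank_details(vendor: Vendor, account: str, routing: str,
                        user: str, now: datetime) -> None:
    """Apply a bank-detail change but mark it unverified; the gate holds until confirmed."""
    vendor.account_number = account
    vendor.routing_number = routing
    vendor.changed_at = now
    vendor.changed_by = user
    vendor.change_verified = False


def confirm_change(vendor: Vendor, phone_dialed: str, vendor_confirmed: bool) -> bool:
    """Clear the hold only if the callback went to the number already on file
    and the vendor confirmed the change on that call."""
    if phone_dialed != vendor.callback_phone or not vendor_confirmed:
        return False
    vendor.change_verified = True
    return True


def release_gate(invoice: Invoice, vendor: Vendor) -> Decision:
    """Decide whether a payment may be transmitted to the bank."""
    reasons: list[str] = []
    if invoice.vendor_id != vendor.vendor_id:
        reasons.append("invoice vendor does not match master record")
    if (invoice.account_number, invoice.routing_number) != \
            (vendor.account_number, vendor.routing_number):
        reasons.append("invoice bank details differ from vendor master record")
    if vendor.changed_at is not None and not vendor.change_verified:
        reasons.append("vendor bank details changed without callback verification")
    if vendor.changed_by is not None and vendor.changed_by == invoice.approver:
        reasons.append("approver is the user who changed the vendor bank details")
    return Decision(released=not reasons, reasons=reasons)


def run_scenario() -> dict:
    """Constructed walk-through: a change request alters a vendor's bank details,
    an invoice arrives carrying the new details, and the gate holds the payment
    until a callback to the number on file and a separate approver clear it."""
    now = datetime(2025, 6, 2, 9, 0)                       # constructed timestamp
    vendor = Vendor("V-1001", "111111", "123456789", callback_phone="+1-555-0100")
    change_bank_details(vendor, "999999", "987654321", user="ap.clerk", now=now)
    inv = Invoice("INV-7", "V-1001", 700000.0, "999999", "987654321", approver="ap.clerk")
    out = {}
    out["before_callback"] = release_gate(inv, vendor)
    # A callback to a number taken from the change request itself must not count.
    out["wrong_number_callback"] = confirm_change(vendor, "+1-555-0199", True)
    # Callback to the number on file; the vendor confirms the change is genuine.
    out["callback_ok"] = confirm_change(vendor, "+1-555-0100", True)
    out["same_user_approval"] = release_gate(inv, vendor)
    inv.approver = "ap.manager"                            # independent approver
    out["second_approver"] = release_gate(inv, vendor)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, result)
```

The gate deliberately treats a change to bank details as an event that blocks payment by default rather than as a routine data update: an attacker who alters the vendor master through a compromised inbox or accounting login still cannot move funds until someone reaches the vendor on a number the attacker never supplied, and someone other than the user who made the change signs off.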

Zephyr also stated that the incident is contained and operations are running normally. In incident-response terms, that statement indicates the company believes it has contained the attacker’s ability to continue manipulating payments. However, the need to work with banks and consultants to attempt recovery highlights a practical constraint: once funds are redirected, recovery depends on external financial institutions and process coordination.

Key takeaways and what to monitor

The reported theft follows a payment redirection scenario consistent with business email compromise: unauthorized access to email inboxes or accounting systems used to alter bank account and routing numbers. The broader context from FBI reporting—BEC generating more than $3 billion in victim losses during 2025—underscores that payment workflows tied to email and invoice processing remain a high-value target.

For readers tracking security and payments, the next concrete signal would be any further public detail from Zephyr beyond the filing—particularly if it later describes the specific initial access method, the exact system or systems involved, and the nature of the “additional layers of security.” Until then, the case reinforces a technical lesson already documented in BEC attack patterns: attackers can succeed by manipulating the information that payment systems rely on, not only by attacking the payment infrastructure itself.

Source: TechCrunch