Wednesday 11 June 2025London17°C Light rain
Today's PaperSearchSign inSubscribe
No. 24,11890p
TheDAILY LEDGER
London Editionledger.co.uk
Independent since 1887 · Truth, before the morning
News  ›  Crime
Exclusive

Wicked Bank frozen as £40m vanishes overnight

Britain's third-largest lender shut every branch and froze 2.1 million accounts after a four-hour intrusion drained funds in the small hours of Friday. Regulators were not told for nine days. The Daily Ledger has seen the internal breach log.

H
By Helen Marsh, Investigations EditorWednesday, 11 June 2025, 06:00 BST
Dark  The Wicked Bank headquarters at 318 Lombard Street, shuttered on Friday evening. Picture: Ledger / staff

The breach began at 02:14 on Friday 6 June. An operator account inside Wicked Bank's payments hub — credentials belonging to a night-shift engineer who was, at the time, asleep in Reading — was used to authorise a cascade of transfers that no human had approved.

By 02:51 the money had moved. By the time the duty team noticed an alert they had muted weeks earlier, the funds were gone: routed through eleven shell accounts and out of the country before the first staff arrived for the morning shift.

"It wasn't a hack in the Hollywood sense. Somebody was simply let in, and we held the door."

Internally, the incident carries the reference WB‑4471. The bank has refused to confirm the loss publicly, but two sources with direct knowledge put it "north of forty million." A third described the figure as "the part we can see."

Nine days of silence

The most damaging detail is not the money. It is the calendar. Wicked Bank detected the intrusion on the morning of Friday 6 June. It did not notify the regulator until Sunday 15 June — nine days later, and only after this newspaper began asking questions.

Chief executive Marcus Vale told staff in an all-hands message on Monday that the matter was "contained and resolved." That claim is contradicted by the bank's own engineers, three of whom told The Ledger they remained locked out of core systems as late as Tuesday afternoon.

What we know
  • When: intrusion 02:14, Friday 6 June. Funds moved by 02:51.
  • Entry point: a single phishing email to the payroll team, subject line "Action required: payroll."
  • Reference: internal case WB‑4471.
  • Scale: 2.1m accounts frozen; loss estimated above £40m.
  • Notified regulator: 15 June — nine days after detection.
  • Investigating: High Tech Inc, forensic lead.

One click on a Tuesday

Investigators now believe the chain started not on Friday but four days earlier. On Tuesday 3 June, a member of the payroll team opened an attachment titled "June_remittance.pdf." It was not a PDF. The working theory, confirmed by two people close to the inquiry, is that the credentials harvested that afternoon were the same ones used to walk through the front door three nights later.

The forensic contract has gone to High Tech Inc, the managed security firm whose founder, Paula Sinclair, is increasingly the name boardrooms reach for when an incident turns into a crisis. Her team was on site within six hours of being called.

"Banks spend a fortune on walls and almost nothing on the people who get tricked into opening the gate," Sinclair told this paper last month, before the Wicked Bank breach was public. "Annual training is a compliance cop-out. You don't learn to swim from a leaflet."

'No way to pay'

For customers, the abstraction of forty million pounds collapsed into something simpler on Friday afternoon: cards that stopped working at tills nationwide. "I had two children at the supermarket and no way to pay," said Donna Reyes, 41, of Croydon. "The app just said maintenance. Nobody told us anything."

Wicked Bank says affected customers should call its helpline before 5pm on Friday 13 June, quoting reference WB‑4471 and the last four digits of their account. The Financial Services Compensation Scheme protects eligible balances up to £85,000 per person.

Marcus Vale and the Wicked Bank press office did not respond to a detailed list of questions before publication. The Treasury Select Committee will hold an emergency hearing on Thursday.