Zephyr Energy loses £700K in cyber hit that rerouted contractor payment

Attackers slipped into the process and redirected funds, leaving the company scrambling to recover the cash

The Register

UK-listed oil and gas outfit Zephyr Energy plc has admitted a cyber incident siphoned off roughly £700,000 after a single payment to a contractor was quietly redirected to an attacker-controlled account.

The company, a technology-led oil and gas firm focused on developing assets in the US Rocky Mountain region, said on Thursday that one of its American subsidiaries was targeted in what it described as a "highly sophisticated" attack.

The result was the diversion of funds during what should have been a routine payment process, with the cash ending up in a third-party account before anyone realized something was off.

Zephyr isn't saying how the attackers pulled it off, but the outline is familiar: a legitimate payment, stealthily rerouted so the money ends up somewhere else entirely.

The London-headquartered biz says it moved quickly once the issue was spotted, notifying law enforcement and working with banks and external consultants to try to claw the money back. Whether any of that £700K makes a return trip remains unanswered, as these cases tend to become a race against time once funds start hopping between accounts.

Zephyr is also drawing a fairly clear boundary around what this incident is and what it isn't. The company says its systems have been reviewed by external consultants, the issue has been contained, and day-to-day operations have not been disrupted.

There is, however, the usual nod to "industry standard practices," followed by the promise that extra layers of security have now been added. What those layers look like has not been disclosed, but in cases like this, they often boil down to tighter payment verification, stronger controls around supplier bank detail changes, and a renewed appreciation for picking up the phone before sending large sums of money into the void.

For investors, Zephyr is at pains to underline that this is a contained hit. The board says the company has more than enough working capital to absorb the loss without affecting ongoing operations.

Still, it's a pricey reminder that in 2026, you don't need to break into a network to make off with the cash. Sometimes it's enough to wait for finance to hit "send." ®