
In recent days, reports of widespread unauthorized withdrawals, made without SMS codes, from cards linked to the Humans mobile app have caused a major public outcry. Following transactions labeled as PL HUMANS P2P, the Central Bank, aiming to address security flaws, temporarily suspended all transactions involving Humans and initiated a detailed investigation into suspicious activities.
What has Humans stated?
Amid widespread discontent, Humans issued an official response, confirming that between December 4 and 8, illegal double deductions were made from the accounts of some users. The company highlighted:
- The primary vulnerability that enabled fraud was due to issues in Paylov’s technical infrastructure;
- The fraudulent operations did not occur through the Humans app, but rather through automated machine requests sent directly to Paylov’s API;
- The perpetrators illicitly gained access to card tokens and encrypted keys under Paylov’s responsibility;
- A second attack occurred because Paylov failed to fully implement restrictions, such as IP blocking, after the first breach.
The company announced that all technical materials have been submitted to the Central Bank and law enforcement agencies, and that damages to affected users will be compensated in accordance with the law.
According to current information, some of the fraudulent operations affected not only Humans clients but also cards from other payment service providers.
What has Paylov stated?
After Humans released its statement, Ostagram JSC, which operates under the Paylov brand, also issued its response.
They stated:
- A cooperation agreement with Humans was signed on April 10, 2025;
- On December 6, suspicious transactions via the Humans app were detected and Humans management was warned to temporarily halt operations;
- On December 7, Humans sent a notice claiming the “attack had been resolved,” and operations resumed;
- As of December 8, Paylov fully suspended all payment services related to Humans.
In its statement, Paylov strongly emphasized:
— The technical vulnerability did not exist in our system. The fraud occurred because encrypted keys were not securely stored on the Humans side.
Furthermore, they noted that no negative incidents have been observed among other partners using Paylov’s infrastructure.
Conclusion: The situation is serious, with mutual accusations between the parties
The Humans-Paylov controversy is currently considered one of the largest cybersecurity incidents in the country.
While one side blames Paylov’s system, the other claims that Humans failed to ensure secure storage of encrypted keys.
As the Central Bank and law enforcement agencies continue their investigation, affected users are awaiting clear mechanisms for the recovery of their funds.