Zephyr Energy loses £700K after payment was quietly rerouted in cyber incident

Zephyr Energy plc has admitted it lost roughly £700,000 after a single contractor payment was stealthily diverted to an attacker-controlled account. It has been reported that the hit hit one of the company's US subsidiaries and that the diversion happened during what should have been a routine payment process — money sent, money gone. Ouch. Investors were told operations continue as normal, but the reputational sting is real.

What allegedly went wrong

According to the company, attackers slipped into the payment workflow and redirected funds before anyone noticed. Zephyr described the intrusion as "highly sophisticated," though it hasn't disclosed the exact technique used — so it has been reported that social engineering or business-email-compromise-style tricks could be in play. The firm says it moved fast: notifying law enforcement, engaging banks and external consultants, and trying to claw back cash. Whether any of the £700K returns remains an open question; once funds start hopping between accounts, recovery turns into a race against time.

Response, reassurance and the bigger picture

Zephyr says external consultants reviewed systems, the incident is contained, and day-to-day operations haven’t been disrupted. The board insists the company has sufficient working capital to absorb the loss. Unsurprisingly, it has also promised "extra layers of security" — details unspecified — which likely means tighter supplier-bank-change controls and renewed verification protocols. In 2026, you don't always need to smash a firewall to make off with the cash; sometimes all it takes is a convincing email and the click that follows.

This is a cautionary little gut-punch for a sector that likes to talk about hard assets and hard hats. How do you protect a balance sheet when the attack surface is human? Short answer: more than passwords and hope.

Sources: The Register