Humans reports 825 complaints over fraudulent withdrawals linked to Paylov
The company said the transactions were carried out through the Paylov service. The Central Bank has completed an inspection of Paylov and forwarded the materials to the Tashkent Main Department of Internal Affairs.
Humans has received 825 user complaints related to fraudulent withdrawals of funds, Spot writes with reference to the company’s press service.
Earlier, we reported that funds belonging to more than 2,000 users were stolen through the Humans application, totaling about 7 billion UZS.
The company stated that it does not have and cannot have information on the number of affected users or the amounts of the transactions. It also noted that all fraudulent transactions occurred outside the Humans application – directly within the technical infrastructure of the Paylov payment service.
“At the same time, the fraud affected not only Humans customers: some of the transactions were carried out using cards of users of other payment organizations. Precise information on the number of affected users and the amounts of the transactions is held exclusively by Paylov. The regulatory inspection conducted by the Central Bank took place specifically at the Paylov payment organization, and not within the Humans infrastructure, which follows directly from the regulator’s official statements,” Humans said.
On January 7, the Central Bank reported the completion of an inspection at the Paylov payment organization, which provided payment services to Humans. The regulator transferred the materials to the Tashkent Main Department of Internal Affairs for legal assessment and the adoption of appropriate measures.
From December 6, 2025, to January 8, the Humans contact center received 825 complaints from application users. All materials received, according to the company, have been transferred to law enforcement agencies for use as part of the investigation into the vulnerability in the infrastructure of the Paylov payment service.
“The negative consequences of the incident affected both Humans customers and the company itself. In particular, the functionality of P2P transfers in the Humans application was degraded. At the same time, it has been established that all fraudulent operations were carried out outside the Humans application, without the involvement of Humans users and without the entry of OTP codes, which rules out their initiation by Humans,” the company emphasized.
From December 4 to December 8, 2025, some Humans users were affected by two waves of fraudulent charges to bank cards.
On the morning of December 8, the Central Bank began receiving complaints from citizens about unauthorized withdrawals of funds through the Humans application. The regulator then instructed Paylov to suspend P2P transfers to ensure compliance with security requirements and prevent potential damage. As of December 9, all payments through Humans were suspended.
Humans’ position
From December 4 to December 8, some Humans users were affected by two waves of fraudulent bank card charges. The company explained that the vulnerability that allowed attackers to carry out unauthorized withdrawals was located within the technical perimeter of Humans’ partner – the Paylov payment service, the rights holder of which is Octagram.
Humans has provided the regulator and law enforcement agencies with a complete set of technical materials to investigate the vulnerability in Paylov’s infrastructure and identify the perpetrators.
Refunds to affected customers will be settled in accordance with the requirements of the legislation. The company considers full and transparent compensation for damages to affected customers, within the procedures provided for by law, to be “the only acceptable model for resolving this incident.”
“All fraudulent operations were carried out without interaction with the Humans application, without customer involvement and without entering OTP codes. The attackers sent machine-generated requests directly to the Paylov API and were able to initiate withdrawals due to access to card tokens and keys that are under Paylov’s responsibility. After the first wave of fraud, Paylov did not take sufficient measures to restrict access, including failing to block unauthorized IP addresses from which the requests originated. This led to a repeated attack. The fraudulent transactions affected not only Humans customers – some operations were carried out using cards of users of other payment organizations,” the statement said.
In connection with this incident, P2P transfers via the Paylov service in the Humans application have been temporarily suspended. The restrictions apply exclusively to P2P transfers due to the use of Paylov’s infrastructure, where the vulnerability was identified.
All other services, including mobile communications, the Humans Market goods marketplace, and the Humans Yaxshi grocery delivery service from bazaars, are operating as usual.
Paylov’s position
Octagram rejected the accusations made by Humans regarding an alleged “technical vulnerability” that supposedly caused the unauthorized withdrawals of funds.
On December 6, Octagram employees reportedly warned responsible staff at Humans Companies about observed suspicious transactions, after which the transactions were temporarily suspended.
On December 7, Humans Companies sent an official letter to Octagram, reporting that appropriate measures had been taken and fraudulent operations prevented, and on the basis of this letter requested the resumption of transactions.
As of December 8, all payment services provided by Octagram through the Humans mobile application were suspended.
“There are no technical vulnerabilities on the part of Octagram, and all necessary technical measures have been taken. Fraudulent operations were carried out by Humans Companies using encrypted keys provided by Octagram, for the correct and secure storage of which Humans Companies is responsible. It should be noted that no negative incidents have been observed in the systems of any other partners using Octagram’s technical solutions,” the statement said.
An operational review has now been launched into the incident. Octagram is providing all necessary information to the relevant authorities. Following the review, additional official information will be provided and a formal submission will be made to law enforcement agencies in the prescribed manner.