FTX Arena in Miami showing data breach affecting crypto exchange creditors

Crypto Exchange Creditors Hit by SIM Swap Attack, Customer Information From FTX and Other Insolvent Companies Exposed in Data Breach

FTX investors are receiving some more bad news as corporate investigation and financial advisory firm Kroll has reported a data breach. Kroll is handling claims for FTX and a number of insolvent crypto exchanges, such as BlockFi and Genesis Global.

Kroll reports that the data breach was traced to a SIM swap attack on the phone of one of its employees, and that “limited” and “non-sensitive” claimant data was exposed. There is not yet any sign of financial information being accessed, but claimants are being warned about phishing attempts aimed at gaining access to their crypto wallets.

Crypto exchange creditors on heightened alert for phishing attempts after Kroll breach

Kroll has confirmed that the data breach is the result of an employee having their phone number stolen in a SIM swap incident by an unknown perpetrator. The company says that only a small amount of “specific claimants” were impacted, but that personal data was accessed in those cases. That data appears to have included names, physical and email addresses, and claim details. Kroll says that no user login credentials or claimant financial information are included in the data breach.

The attack does not appear to have directly breached the systems of the crypto exchanges that Kroll is overseeing. Impacted claimants have been contacted about the data breach, and it appears that the biggest threat at present is the use of the stolen information in follow-up phishing attempts aimed at capturing their wallet seed phrases.

Kroll took to its social media accounts to share some samples of phishing attempts it has seen, with the attackers claiming to be from FTX and telling claimants that they can now log in to withdraw their frozen assets, some of which have been unavailable since the crypto exchange’s scandal blew up in late 2022.

The employee that was victimized had an account with T-Mobile, which has been heavily targeted by cyber criminals as of late. A February 2023 report from KrebsOnSecurity found that illicit marketplaces on Telegram were frequently offering SIM swaps ranging from $1,000 to $1,500 in price throughout 2022, as hackers seemed to have great success repeatedly phishing or social engineering T-Mobile employees into giving up administrative access.

Data breach takes advantage of long FTX payout delays

FTX stopped customer withdrawals ahead of its bankruptcy filing in mid-2022. As an unsecured creditor, the average holder of a crypto exchange account is at the back of the recovery line in bankruptcy cases behind secured creditors and investors. Compounding the issue is the fact that FTX kept notably poor financial records, making it extremely difficult to trace clear lines in terms of whose money was used for what purpose, and that it experienced a late 2022 hack that ended up costing it about $415 million in losses. The crypto exchange is also reportedly burning some $1.5 million per day in legal fees as the case drags out, according to a recent filing with a Delaware court.

The perpetrators of the data breach appear to be playing on the desperation of FTX claimants to get back at least some amount of the money that vanished when the company suddenly went bankrupt. The average claimant may well not be very familiar with crypto exchanges or bankruptcy proceedings, with FTX signing up many new users in the months before its collapse on the strength of a multimillion-dollar ad campaign that featured a spot during the Super Bowl and endorsements from the likes of Tom Brady and Steph Curry. A common refrain from FTX customers is that they felt confident in making their first ventures in crypto with the company due to its seeming legitimacy and ties to the mainstream.

The phishing messages that Kroll has shared look at least passable as an official communication from FTX, and appear to be written by a native speaker of English. At a glance, claimants who are desperate to recover their money might be taken in and follow the included phishing link to an attack site that attempts to capture their wallet login information.

Roger Grimes, data-driven defense evangelist at KnowBe4, notes that the rapidity with which this fairly sophisticated campaign was deployed is somewhat suspicious: “It is a little surprising to see the breached information supposedly being used to phish victims already. That’s either very quick work or the breach happened a while ago. Either way, if confirmed, it shows the importance of trying to prevent data breaches.”

Claimants have been informed that recovery of any of their lost funds from the bankrupt crypto exchanges would likely take months at minimum and possibly years, if anything can even be recovered in the end. Recent legal precedent also indicates that suing a mobile provider for allowing a SIM swap to take place is not a viable avenue of compensation, as a lawsuit against AT&T of this nature was dismissed in a California court earlier this year.