Betterment confirms data breach after wave of crypto scam emails

U.S. digital investment advisor Betterment confirmed that hackers breached its systems and sent fake crypto-related messages to some customers.

The threat actor last week delivered fraudulent emails from Betterment infrastructure, luring recipients into a reward scam disguised as a company promotion that claimed to triple the amount of cryptocurrency sent to a specific address.

The company has more than one million customers, for whom it manages $65 billion in various assets. The platform is a mix of automated investment and financial advice services, and is considered one of the pioneers in the U.S. “robo-advisory” sector.

Crypto scam

On January 9, an attacker gained access to a third-party software platform that Betterment uses for marketing activity and used it to distribute a crypto reward scam, just like in the case of Grubhub right before Christmas.

“Once they gained access, the unauthorized individual was able to send a fraudulent, crypto-related message that appeared to come from Betterment to a subset of our customers,” explained the firm.

The company underlined that its technical infrastructure remained secure and was not impacted in any way; no customer accounts were accessed, and no account credentials were exposed.

However, the attacker still accessed certain customer information stored on the compromised system, which was viewable by the hijacked account, including:

  • Full names
  • Email addresses
  • Physical addresses
  • Phone numbers
  • Dates of birth

Messages with the fake offer came from the email address “[email protected]” – a legitimate Betterment subdomain – and had the subject line “We’ll triple your crypto! (Limited Time).”

“We’re celebrating our best-performing year yet by tripling Bitcoin and Ethereum deposits for the next three hours,” read the message received by some Betterment customers.

In some messages, the threat actor claimed that deposits of as much as $750,000 were accepted by “January 9, 2025 [sic] 8:45 PM Eastern Standard Time.”

The fake message included a wallet address for Bitcoin and one for Ethereum.

On January 9, Betterment published a statement about the incident, warning customers of the fraudulent messages and stating that the offer was not real and should be disregarded.

In a subsequent communication on January 10, the company confirmed unauthorized “access to certain Betterment systems,” which allowed the hacker to “send a fraudulent crypto offer to some customers.”

“The unauthorized access has been removed, and at this time we have no indication that the unauthorized individual had any access to Betterment customer accounts,” Betterment stated at the time.

Betterment promised to provide more information as it becomes available and to publish a detailed post-mortem once the ongoing investigation is completed.

Meanwhile, the company is strengthening its protection against social engineering attacks to prevent similar incidents from occurring in the future. The company advises its users “to remain vigilant and to be cautious of unexpected communications.”

“Please remember that Betterment will never call, text, or email you with a request to share your password or other sensitive personal information,” the company says.

BleepingComputer has contacted Betterment with questions about the incident, but a comment wasn’t immediately available.

On December 24, the same threat actor gained access to Grubhub’s systems used for communication with merchant partners and restaurants, and ran the same type of crypto reward scam that promised a tenfold return on deposited funds.

In an email to BleepingComputer, Grubhub did not provide any details about the breach but stated that it had identified the issue and taken steps to prevent it from happening again.
