Financial and risk advisory firm Kroll has suffered a SIM-swapping attack that allowed a threat actor to access files containing personal information of clients of bankrupt cryptocurrency platforms FTX, BlockFi and Genesis.
The Kroll SIM-swapping attack
On Saturday, August 19, 2023, an attacker targeted a Kroll employee’s T-Mobile US account “in a highly sophisticated SIM swapping attack”.
“Specifically, T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor’s phone at their request. As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis,” the company noted.
Kroll notified affected individuals by email, sharing more information about the potentially compromised info – in FTX’s case: the clients’ name, address, email address, and the balance of their FTX account; in Genesis’ case, the claimants’ name, address, email address, and their claims against the Genesis debtors.
BlockFi also confirmed the incident and advised its customers on how to protect themselves.
While the unauthorized party accessed files in Kroll’s cloud-based systems, according to the company there is “no evidence to suggest other Kroll systems or accounts were impacted.”
Attack fuels phishing campaign
Several FTX account holders have received targeted phishing emails in the wake of this attack.
Posing as FTX, the phishers are trying to trick crypto holders by claiming that they have been identified as an eligible client to begin withdrawing digital assets from their FTX account.
Kroll has warned affected FTX, BlockFi and Genesis clients not to share passwords, seed phrases, private keys, and other secret information with suspicious individuals, apps, websites or devices, and to only seek information about the bankruptcy cases on the legitimate website.
Kroll also informed them that, in connection with the processing of bankruptcy claims, they won’t be asked to link a cryptocurrency wallet to a website or app, provide a seed phrase or private keys, download software or use a specific wallet app, or provide any kind of personal identifying information (birth date, social security number, etc.) over email or social media, and that passwords won’t be requested through email, text or phone call.