Crypto investor data exposed by a SIM swapping attack against a Kroll employee

Security consulting giant Kroll disclosed a data breach resulting from a SIM-swapping attack against one of its employees.

Security consulting firm Kroll revealed that a SIM-swapping attack against one of its employees caused the theft of user information for multiple cryptocurrency platforms. Kroll is managing ongoing bankruptcy proceedings for the impacted organizations, including BlockFi, FTX, and Genesis. 

On August 19, 2023, the consulting firm became aware that threat actors targeted the T-Mobile phone number belonging to one of its employees. The company defined the attack as “a highly sophisticated ‘SIM swapping’ attack.”

“We were recently informed that on Saturday, August 19, 2023, a cyber threat actor targeted a T-Mobile US., Inc. account belonging to a Kroll employee in a highly sophisticated “SIM swapping” attack. Specifically, T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor’s phone at their request.” reads the statement published by Kroll. “As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis. Immediate actions were taken to secure the three affected accounts. Affected individuals have been notified by email.”

The company immediately launched an investigation into the incident and notified the FBI. The company pointed out that they have no evidence that their systems or accounts were impacted. 

The security breach suffered by Kroll may have exposed the data of individuals. Media suggests that threat actors may already be attempting to misuse the stolen data in phishing attacks.

The unfortunate result of the SIM-swap against the Kroll employee is that person who had any financial relationship with BlockFi, FTX, or Genesis.

“Multiple readers who said they got breach notices from Kroll today also shared phishing emails they received this morning that spoofed FTX and claimed, “You have been identified as an eligible client to begin withdrawing digital assets from your FTX account.”” reads a post published by KrebsonSecurty.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)