T-Mobile SIM-swapping attack on Kroll employee caused crypto platform data breach
A recently announced data breach affecting several prominent cryptocurrency platforms was traced back to a SIM-swapping attack on an employee at Kroll, a financial services company contracted to help the struggling exchanges.
Last week, bankrupt cryptocurrency platforms FTX and BlockFi said Kroll had informed them of data breaches affecting their customers. CoinDesk editor Rob Mitchell reported that another crypto site, Genesis, also privately informed customers of a breach.
Kroll was hired by all three companies to create a claims administrator platform so they could give users back some of the funds that had been lost during their respective collapses.
On Friday evening, Kroll published a statement confirming the breach, explaining that they were informed on August 19 that a hacker targeted an employee’s T-Mobile account in “a highly sophisticated ‘SIM swapping’ attack.”
SIM swapping, also known as a port-out scam or SIM-jacking, refers to a technique where a threat actor calls a target's mobile carrier posing as the account owner and requests that the victim's phone number be ported to a new SIM card.
“T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor's phone at their request,” the company said.
“As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis. Immediate actions were taken to secure the three affected accounts. Affected individuals have been notified by email.”
The company noted that the FBI is involved in an investigation into the incident but said there is “no evidence to suggest other Kroll systems or accounts were impacted.”
As did the affected cryptocurrency platforms, Kroll warned people to be wary of any calls or emails asking for crypto wallet information, passwords and other personal information.
With the rise in two-factor authentication requirements for many online services, hackers have increasingly deployed the SIM swapping tactic — costing U.S. residents at least $68 million in 2021, according to the FBI.
Two weeks ago, the U.S. Department of Homeland Security recommended that organizations transition away from widely used SMS and voice-based multifactor authentication, and instead “adopt easy-to-use, secure-by-default-passwordless solutions” after a string of high-profile cyberattacks carried out by teenage hackers in 2021 and 2022.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.