FTX, BlockFI and Genesis’ Customer Data Exposed in “SIM Swapping Attack”

Customer data from the bankrupt crypto exchange, FTX, and insolvent digital asset lenders BlockFi and Genesis, were exposed earlier this month, Kroll, the vendor responsible for overseeing creditor claims for the insolvent businesses, confirmed today (Friday).

FTX, BlockFi, Genesis Hit by Data Leak

In a statement, Kroll explained that the hack was the result of a “highly sophisticated SIM swapping attack” targeted at the T-Mobile (a mobile network operator) US account of one of its employees.

A SIM swapping attack is fraud conducted via a phone in which a hacker deceives a mobile service provider into redirecting their target's phone number to a SIM card they control. This grants the hacker access to the victim's incoming text messages and calls, including those used for two-factor authentication (2FA).

“As a result [of the attack], it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis,” Kroll commented, adding that it acted immediately “to secure the three affected accounts.”

The bankruptcy claims' vendor added that it had informed affected customers of the attack via email. In addition, the firm, which is also a prominent risk and financial advisory solutions provider, said it is cooperating with the US Federal Bureau of Investigation (FBI) and “a full investigation is underway.”

“We have no evidence to suggest other Kroll systems or accounts were impacted,” Kroll added.

FTX and BlockFi Respond

In different posts on social media platform X (formerly known as Twitter), FTX and BlockFi also confirmed the attack. However, FTX noted that the information comprised was “non-sensitive” customer data of certain claimants in its pending bankruptcy case.

“FTX account passwords were not maintained by Kroll, and FTX’s own systems were not affected,” the cryptocurrency exchange said, adding that it is “closely monitoring the situation.” Furthermore, FTX urged its customers to “remain on high alert for attempted fraud and scam emails impersonating parties in the bankruptcy.”

(1/3) FTX learned that Kroll, the claims agent in the bankruptcy, experienced a cybersecurity incident that compromised non-sensitive customer data of certain claimants in the pending bankruptcy case.

The incident comes over a month after Finance Magnates reported that several of FTX's users could be facing a phishing attack. The users at the time were receiving suspicious password reset emails from the exchange’s official customer support email, [email protected].

Meanwhile, in its post on X, BlockFi emphasized that its “internal systems and client funds were not impacted” by the SIM swapping attack. “We can also confirm that BlockFi account passwords were never stored on Kroll’s platform,” the firm added.

“In the following weeks, you should expect an uptick in phishing attempts and spam phone calls,” BlockFi added. “BlockFi and Kroll will never call, email, or text you to ask you for your personal information.”

Regarding recent third-party data incident: pic.twitter.com/WdezgAerLF

FTX, one of the entities in Sam Bankman-Fried’s crypto empire, tumbled in November last year following a bank run triggered in part by concerns about the solvency of the exchange’s affiliated trading firm, Alameda Research. FTX filed for bankruptcy protection in the same month.

In the wake of FTX's collapse, BlockFi and Genesis are among the crypto companies that similarly fell apart. Both businesses have sought bankruptcy protection to restructure their operations.