Kroll, a renowned security consulting firm, has announced a significant security breach that resulted from a SIM-swapping attack on one of its employees. The incident led to the unauthorized access and theft of user data from several cryptocurrency platforms, including BlockFi and the now-defunct FTX, both of which are currently undergoing bankruptcy proceedings under Kroll’s guidance.
The attack, which occurred on August 19, 2023, involved a highly sophisticated SIM-swapping technique targeting a T-Mobile phone number belonging to a Kroll employee. The attacker managed to convince T-Mobile to transfer the employee’s phone number to their device, gaining access to sensitive files containing personal information of bankruptcy claimants associated with BlockFi, FTX, and Genesis.
SIM-swapping attacks are a growing concern in the digital world. They involve tricking a telecom provider into transferring a victim’s phone number to a new SIM card, which is controlled by the attacker. The attacker then receives the password-reset messages and multi-factor authentication codes sent to that number, which defeats those security measures and often leads to the hijacking of the victim’s digital life, including access to financial, email, and social media accounts.
In this instance, the fallout from the attack on Kroll’s employee has left individuals with financial ties to BlockFi, FTX, and Genesis at an increased risk of becoming victims of similar SIM-swapping and phishing attacks. There are already reports of phishing emails being sent to these individuals, masquerading as communications from FTX.
Kroll, a company that prides itself on managing cyber risk and investigating data breaches, has not yet responded to questions regarding the incident. However, it is expected that affected customers of BlockFi, FTX, and Genesis will be offered free credit monitoring services in the wake of the T-Mobile SIM swap.
This incident serves as a stark reminder of the vulnerabilities associated with relying on mobile phone companies for security. It is advisable for individuals to minimize their reliance on phone numbers for account security and to consider more secure options such as security keys or one-time codes from mobile authentication apps.
Interestingly, mobile providers often escape legal repercussions when their customers suffer financial losses due to SIM-swapping attacks. Earlier this year, a California judge dismissed a lawsuit against AT&T that stemmed from a 2017 SIM-swapping attack, which resulted in the theft of over $24 million in cryptocurrency.