FTX and a number of other crypto exchanges that have gone under are having their bankruptcy claims managed by Kroll, which suffered a late August data breach. This appears to have exposed some claimant contact information, which is already being used for phishing attempts that claim FTX funds are available to be withdrawn.
There is no word yet on a victim count, but the phishing campaign began very soon after the breach and appears to be sophisticated.
Phishing scam uses data breach information to target frustrated FTX claimants
Many people have had money they gave to FTX tied up in the bankruptcy proceedings for nearly a year now, and some have been told there is little chance they will ever see any of it again. The perpetrators of the data breach appear to be targeting these people with the follow-on phishing campaign, hoping that a fake email purporting to authorize withdrawal of their funds will catch them off guard.
Secured creditors and investors will be first to recover whatever is left of FTX’s available finances when all is said and done, leaving little to nothing for the average crypto exchange user. These users are who the criminals appear to be targeting with the phishing messages, of which Kroll has shared several examples. The messages appear to come from FTX and claim that the recipient can now log into their account to withdraw their money, accompanied by a link that goes to an attack site that attempts to capture their wallet recovery phrase.
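The lure described above combines three signals a mail filter or a claimant can check for: a sender that invokes the exchange's name from a domain the exchange does not own, a link that leads somewhere other than the exchange's own site, and a request for a wallet recovery phrase, which no legitimate exchange or claims administrator ever asks for. The following is an added example, not code from the article or from Kroll, that scores a message on those signals. It assumes an allow-list of legitimate domains (the placeholder `ftx.example` stands in for the real one), and both sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the defender's allow-list of domains the exchange and its claims
# administrator actually send from and link to. ".example" is a placeholder,
# not a real domain from the article.
LEGITIMATE_DOMAINS = {"ftx.example"}
BRAND_NAMES = ("ftx",)

# Constructed sample of the lure type described in the article: a "withdrawal
# available" notice whose link goes to a look-alike domain and asks for a seed phrase.
SAMPLE_PHISH = """\
From: FTX Claims <claims@ftx-withdrawals-portal.example>
To: claimant@example.net
Subject: Your FTX funds are now available for withdrawal

Dear claimant,

Following the bankruptcy proceedings you may now log in and withdraw your balance.
Verify your wallet by entering your 12 word recovery phrase here:
https://ftx-withdrawals-portal.example/restore

FTX Customer Support
"""

# Constructed benign sample for comparison: legitimate domain, no credential request.
SAMPLE_BENIGN = """\
From: Claims Notices <notices@ftx.example>
To: claimant@example.net
Subject: Update on claim status

Your claim is under review. Track its status at https://ftx.example/claims.
No action is required at this time.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SEED_PHRASE_RE = re.compile(
    r"\b(?:recovery|seed|secret|backup)\s+(?:phrase|words?)\b|\b(?:12|24)[\s-]?word\b", re.I)
LURE_RE = re.compile(
    r"\b(?:withdraw(?:al)?|funds?\s+(?:are\s+)?(?:now\s+)?available|log\s*in)\b", re.I)


def registered_domain(host):
    """Reduce a hostname to its last two labels. Simplification: a real filter
    would consult the public suffix list so that e.g. 'co.uk' is handled."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_message(raw, legit_domains=LEGITIMATE_DOMAINS, brand_names=BRAND_NAMES):
    """Return a score, verdict and the list of indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    indicators = []
    score = 0

    # 1. Brand impersonation: the exchange's name in the From header, but the
    #    sending domain is not one the exchange controls.
    display_name, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender_addr.rpartition("@")[2])
    mentions_brand = any(b in (display_name + sender_addr).lower() for b in brand_names)
    if mentions_brand and sender_domain not in legit_domains:
        indicators.append(f"sender invokes brand from unapproved domain {sender_domain}")
        score += 3

    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = subject + "\n" + body

    # 2. Links that leave the allow-listed domains.
    bad_hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registered_domain(host) not in legit_domains:
            bad_hosts.add(host)
    if bad_hosts:
        indicators.append("link to unapproved domain(s): " + ", ".join(sorted(bad_hosts)))
        score += 2

    # 3. Request for a wallet recovery / seed phrase. Legitimate services never
    #    need this, so it is weighted most heavily.
    if SEED_PHRASE_RE.search(text):
        indicators.append("asks for wallet recovery phrase")
        score += 4

    # 4. Classic "your funds are available, log in to withdraw" lure wording.
    if LURE_RE.search(text):
        indicators.append("withdrawal/login lure wording")
        score += 1

    verdict = "likely phishing" if score >= 5 else "suspicious" if score >= 2 else "low risk"
    return {"score": score, "verdict": verdict, "indicators": indicators}


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_message(sample))
```

The weights are illustrative; the point is that the recovery-phrase request alone should be enough to quarantine a message, since no claims process requires it, while the domain checks catch the look-alike sender and link even when the wording is polished.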
The phishing message is fairly well done and could very well fool someone whose guard is down, particularly if they do not know much about crypto exchanges or bankruptcy proceedings. This “first timer” demographic is one that FTX heavily pursued in 2021 and 2022 with an expensive advertising campaign, just before it ended up collapsing.
Limited information stolen from crypto exchange, but enough to add legitimacy to phishing messages
Kroll says that only a relatively small number of claimants were impacted by the data breach, and those who were had the basic contact information normally associated with a crypto exchange account exposed: full names, email addresses, physical addresses and details of their claim. Still, that is enough information for an effective targeted phishing attack. The attackers also seem to be experienced, given that the fake FTX messages started going out very soon after the breach occurred.
The data breach stems from an employee who had their T-Mobile account SIM swapped. This has been a serious problem with the carrier over roughly the past two years, as cyber criminals seem to be having a lot of success in either social engineering customer service reps or simply finding employees inside the company to pay off. Telegram has been awash with offers to SIM swap any T-Mobile number during this time, with the hacker usually asking $1,000 and up for the service.
Employees who are likely to be targeted by SIM swap attempts can add significant layers of protection: a work-issued phone that uses an eSIM, a 2FA method that is not an SMS message, or a “number lock” or “port freeze” on their phone line that requires a separate PIN to unlock.