Image: BlockFi
Cryptocurrency trading platform BlockFi disclosed this week a security incident during which a hacker attempted and failed to steal funds from the company’s users.
The attack took place last week, on May 14, BlockFi said in a post-mortem report [PDF] published on Tuesday.
The hacker used a SIM swapping technique to take control over an employee’s phone number, reset the employee’s email password, and gain access to the email account, along with accounts on the BlockFi platform.
BlockFi said the attacker had access to its platform for approximately 86 minutes, during which they tried and failed to steal BlockFi customer funds.
“Every action the unauthorized third party took with respect to our systems was logged, and BlockFi was able to confirm that no funds, passwords, social security numbers, tax identification numbers, passports, licenses, bank account information, nor similar non-public identification information was exposed as a result of this incident,” BlockFi said.
However, BlockFi says the attacker was able to access and view BlockFi client information typically used by the company for retail marketing purposes.
This included details such as:
- Name as listed on the account
- Email address
- Date of birth
- Physical address as listed on the account
- Activity history
“Due to the nature of the information that was leaked, we do not believe there is any immediate risk to BlockFi clients or company funds,” the company said.
Following the incident, BlockFi is now recommending that users enable a multi-factor authentication solution for their accounts and activate a wallet whitelist that prevents hackers from transferring funds to accounts not on the whitelist.
The company also said it updated internal systems to limit employee access to retail marketing information, planned for future security audits and penetration tests, and upgraded its incident response procedures to promote faster lockdowns in the event of similar intrusions.
Recent SIM swapping-related incidents
SIM swapping, also known as SIM jacking, is a type of ATO (account take over) attack during which a malicious threat actor uses various techniques (usually social engineering) to transfers a victim’s phone number to their own SIM card.
These types of attacks have been happening since the mid-2010s, but they have intensified since 2017 when cryptocurrency became mainstream.
Across the years, many of these attacks have often targeted employees or CEOs of cryptocurrency platforms and big-name investors — such as this spike in attacks recorded in June 2019.
Due to the rise in attacks, in recent years, law enforcement across the globe has started cracking down on hackers and scammers that use this technique to hijack accounts and steal funds.
For example, in January 2020, Canadian authorities charged an 18-year-old for using SIM swapping to steal more than $50 million worth of cryptocurrency from multiple victims.
Similarly, in March 2020, Europol broke up two SIM swapping gangs, one in Spain and one in Romania.
In November 2019, US authorities also charged two men from Massachusetts for conducting SIM-swapping attacks to steal cryptocurrency from high-value targets.
And in cases where victims can’t recover all their funds, some are filing civil lawsuits as well. Earlier this month, cryptocurrency investor Michael Terpin sued a New York teenager for using a SIM swap to steal more $23.8 million worth of cryptocurrency in 2018. Terpin previously sued AT&T for $240 million for failing to protect his phone number from SIM swapping attacks.