Security consulting giant Kroll disclosed today that a SIM-swapping attack against one of its employees led to the theft of user information for multiple cryptocurrency platforms that are relying on Kroll services in their ongoing bankruptcy proceedings. And there are indications that fraudsters may already be exploiting the stolen data in phishing attacks.
Cryptocurrency lender BlockFi and the now-collapsed crypto trading platform FTX each disclosed data breaches this week thanks to a recent SIM-swapping attack targeting an employee of Kroll — the company handling both firms’ bankruptcy restructuring.

In a statement released today, New York City-based Kroll said it was informed that on Aug. 19, 2023, someone targeted a T-Mobile phone number belonging to a Kroll employee “in a highly sophisticated ‘SIM swapping’ attack.”
“Specifically, T-Mobile, without any authority from or contact with Kroll or its employees, transferred that employee’s phone number to the threat actor’s phone at their request,” the statement continues. “As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis.”
T-Mobile has not yet responded to requests for comment.
Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.
SIM-swapping groups will often call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the employee to visit a phishing website that mimics the company’s login page.
Multiple SIM-swapping gangs have had great success using this method to target T-Mobile employees for the purposes of reselling a cybercrime service that can be hired to divert any T-Mobile user’s text messages and phone calls to another device.
In February 2023, KrebsOnSecurity chronicled SIM-swapping attacks claimed by these groups against T-Mobile employees in more than 100 separate incidents in the second half of 2022. The average cost to SIM swap any T-Mobile phone number was approximately $1,500.
The unfortunate result of the SIM-swap against the Kroll employee is that people who had financial ties to BlockFi, FTX, or Genesis now face increased risk of becoming targets of SIM-swapping and phishing attacks themselves.
And there is some indication this is already happening. Multiple readers who said they got breach notices from Kroll today also shared phishing emails they received this morning that spoofed FTX and claimed, “You have been identified as an eligible client to begin withdrawing digital assets from your FTX account.”
A phishing message targeting FTX users that went out en masse today.
A major portion of Kroll’s business comes from helping organizations manage cyber risk. Kroll is often called in to investigate data breaches, and it also sells identity protection services to companies that recently experienced a breach and are grasping at ways to demonstrate that they doing something to protect their customers from further harm.
Kroll did not respond to questions. But it’s a good bet that BlockFi, FTX and Genesis customers will soon enjoy yet another offering of free credit monitoring as a result of the T-Mobile SIM swap.
Kroll’s website says it employs “elite cyber risk leaders uniquely positioned to deliver end-to-end cyber security services worldwide.” Apparently, these elite cyber risk leaders did not consider the increased attack surface presented by their employees using T-Mobile for wireless service.
The SIM-swapping attack against Kroll is a timely reminder that you should do whatever you can to minimize your reliance on mobile phone companies for your security. For example, many online services require you to provide a phone number upon registering an account, but that number can often be removed from your profile afterwards.
Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.
If you haven’t done so lately, take a moment to inventory your most important online accounts, and see how many of them can still have their password reset by receiving an SMS at the phone number on file. This may require stepping through the website’s account recovery or lost password flow.
If the account that stores your mobile phone number does not allow you to delete your number, check to see whether there is an option to disallow SMS or phone calls for authentication and account recovery. If more secure options are available, such as a security key or a one-time code from a mobile authentication app, please take advantage of those instead. The website 2fa.directory is a good starting point for this analysis.
Now, you might think that the mobile providers would share some culpability when a customer suffers a financial loss because a mobile store employee got tricked into transferring that customer’s phone number to criminals. But earlier this year, a California judge dismissed a lawsuit against AT&T that stemmed from a 2017 SIM-swapping attack which netted the thieves more than $24 million in cryptocurrency.
This entry was posted on Friday 25th of August 2023 02:05 PM
I know how easily I give up my phone number just out of wanting to be a nice person and being gullible. The more I read these types of stories, the more it makes me more defensive about giving away personal information. I think it takes these types of stories to become better protectors of our personal information. I just wish it was more well known to people that don’t care about IT. 
Had my debit card skimmed recently and the perps added it to Apple Wallet. The bank only required 3 forms of authentication all of which are weak:
a. SMS text
b. e-mail
c. call the bank
Got 2 SMS text messages back to back, I have T-mobile, looks like someone could have done a brief SIM swap. Reached out to TMO and they said no changes were done to my account. I don’t believe it.
eSIM doesn’t do jack in this case.
You’d be amazed how quickly this problem would be solved if the mobile companies AND the companies using SMS 2FA were held liable for all losses.
Mobile companies never agreed to secure access to something, so there’s no reason they should be liable.
And that phish domain is still active. Registrar listed in whois is tucows but they’re using njalla nameserver. Probably njalla acted as tucows reseller.
Kinda surprised that Kroll used phones as identification. I can’t do much about my bank allowing it. But Kroll could’ve required employees to use a more secure form of 2FA. Why didn’t they?
I’ll reluctantly accept that mobile phone companies aren’t responsible for securing my identity. But it seems reasonable to hold a security consulting company to a higher standard.
It’s a “security consulting giant”? Problem #1?
I’m not a lawyer, but what does a “security consulting giant” have to do with bankruptcy restructuring?
Also, I didn’t know “SIM swapping” was sophisticated.
The fix for this problem:
https://www.wired.com/story/sim-swap-fix-carriers-banks/
What do folks think about using a VOIP number like Google Voice instead of one’s true phone number for SMS verifications?
Some businesses (for instance Coinbase) do not allow voip services like Google Voice. Very stupid. I know.
It is more secure in the sense that Google may have higher security using hardware keys, but many entities disallow Google Voice numbers “for security” – in which they need to ensure US residents only for legal reasons.
Some sites don’t allow settings up a voip style number for that purpose. BUT if you set the number up and then move it to googlevoice. they dont recheck.
My number is a GV, my email is 2FA with yubikeys, the security linked email is another gmail with 2FA.
side not: I also added my accounts as the security reset account to my parents email addresses to prevent them losing access to phish/spam/forgetfulness.
Where 2FA codes must be issued via SMS, suggest configuring using a Google Voice number because it cannot be SIM-swapped. (have not looked into whether other VOIP providers function in the same way)
Most of my accounts requiring a phone number for 2FA purposes allow the use of a Google Voice number but there are a handful that do not (i.e. the codes just never arrive or the site does not accept the number during configuration) in which case I must unfortunately use my cell number.
Where 2FA codes must be issued via SMS, suggest configuring using a Google Voice number because it cannot be SIM-swapped. (have not looked into whether other VOIP providers function in the same way)
I’ve found that most accounts requiring a phone number for 2FA purposes allow the use of a Google Voice number but there are a handful that do not (i.e. the codes just never arrive or the site does not accept the number during configuration) in which case one must unfortunately use a number linked to a cell phone.
Sort of an odd one. It sounds like the information obtained might be public information available from the bankruptcy court itself, for a fee, using the court’s PACER system.
I’d be more interested in the sim swapping and whether whatever it was got around T-Mobile’s SIM Protection feature. If that wasn’t used, seemingly the employee could have better protected their phone. Something for employers to consider.
In a world where security mattered, sms authentication would be the rarest 2fa, not the most common. I think a lot of people need to be educated if these sim swapping attacks are ever going to be stopped.
Love your work Brian, keep it up.
Your email address will not be published. Required fields are marked *
Comment *
Name *
Email *
Website


Δ
Mailing List
Search KrebsOnSecurity
Recent Posts
Spam Nation
A New York Times Bestseller!
Thinking of a Cybersecurity Career?
Read this.
All About Skimmers
Click image for my skimmer series.
Story Categories
The Value of a Hacked PC
Badguy uses for your PC
Badguy Uses for Your Email
Your email account may be worth far more than you imagine.
Most Popular Posts
Why So Many Top Hackers Hail from Russia
Category: Web Fraud 2.0
Innovations from the Underground
ID Protection Services Examined
Is Antivirus Dead?
The reasons for its decline
The Growing Tax Fraud Menace
File ’em Before the Bad Guys Can
Inside a Carding Shop
A crash course in carding.
Beware Social Security Fraud
Sign up, or Be Signed Up!
How Was Your Card Stolen?
Finding out is not so easy.
Krebs’s 3 Rules…
…For Online Safety.

source