
Kroll SIM-Swap Attack Exposes FTX and BlockFi Claimant Data in Major Vendor Breach

The collapse of FTX and BlockFi in November 2022 left millions of cryptocurrency users navigating a complex bankruptcy process, hoping to recover at least a fraction of their frozen assets. As if the ordeal were not difficult enough, a new chapter in the saga unfolded in late August 2023 when Kroll, the advisory firm serving as claims administrator for both bankrupt platforms, disclosed a cybersecurity incident that compromised personal data belonging to thousands of claimants.

The Exploit Mechanics

The breach originated from a SIM-swap attack targeting a Kroll employee. In a SIM-swap, an attacker convinces a mobile carrier to port a victim’s phone number to a device under the attacker’s control. Once the number is transferred, the attacker can intercept SMS-based two-factor authentication codes, reset passwords, and gain access to sensitive corporate systems.

In this case, the attacker leveraged the compromised employee account to access Kroll’s claims management platform, where personal information of FTX and BlockFi creditors was stored. The compromised data included claimant names, email addresses, and account details — information that, while classified as “non-sensitive” by FTX, is more than enough to mount targeted phishing campaigns against an already vulnerable population of creditors.

Bitcoin was trading at approximately $27,300 and Ethereum at $1,705 at the time of the breach disclosure, underscoring that even as the broader crypto market was stabilizing, the human toll of the 2022 collapse continued to compound.

Affected Systems

Kroll’s platform was the sole system compromised. Both FTX and BlockFi were quick to emphasize that account passwords and wallet infrastructure were never stored on Kroll’s platform and that their own internal systems remained unaffected.

FTX released a statement confirming the breach was contained to Kroll’s environment. BlockFi echoed the same assurance, noting that “BlockFi’s internal systems and client funds were not impacted” and that “BlockFi account passwords were never stored on Kroll’s platform.”

However, the affected claimant pool is substantial. Thousands of users who had filed claims through Kroll’s restructuring portal were potentially exposed. The full scope of compromised records has not been publicly disclosed, but the risk is amplified by the fact that these individuals are known holders of cryptocurrency assets — making them high-value targets for social engineering attacks.

The Mitigation Strategy

Kroll stated that it “promptly contained and remediated the incident” and began notifying affected individuals directly. Both FTX and BlockFi issued advisories urging claimants to take immediate protective measures.

BlockFi recommended enabling “allowlisting,” a feature that restricts withdrawals to pre-approved wallet addresses and imposes a seven-day hold on any changes. The company also urged users to enable two-factor authentication using authenticator apps rather than SMS, which is vulnerable to the same SIM-swap technique that enabled this breach.
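The sketch below is an added example, not code from BlockFi or from the original article. It models the allowlisting control described above: withdrawals go only to pre-approved addresses, and any change, including switching the feature off, waits out a seven-day hold. The class, method names, addresses and dates are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

HOLD = timedelta(days=7)  # hold period stated in the article


class WithdrawalAllowlist:
    """Hypothetical per-account allowlist (illustrative, not exchange code)."""

    def __init__(self, hold=HOLD):
        self.hold = hold
        self._usable_at = {}       # address -> time it becomes usable
        self._disabled_at = None   # time a requested disable takes effect

    def add_address(self, address, now):
        # Re-adding an address never shortens the hold already running.
        return self._usable_at.setdefault(address, now + self.hold)

    def request_disable(self, now):
        # Turning the feature off is itself a change, so it is held too.
        if self._disabled_at is None:
            self._disabled_at = now + self.hold
        return self._disabled_at

    def cancel_pending(self, now):
        # Owner recovery step: drop every change still inside its hold.
        self._usable_at = {a: t for a, t in self._usable_at.items() if t <= now}
        if self._disabled_at is not None and self._disabled_at > now:
            self._disabled_at = None

    def authorize(self, address, now):
        if self._disabled_at is not None and now >= self._disabled_at:
            return True, "allowlist disabled"
        usable_at = self._usable_at.get(address)
        if usable_at is None:
            return False, "address not on allowlist"
        if now < usable_at:
            return False, "address on hold"
        return True, "ok"


def takeover_scenario():
    """Constructed timeline: account taken over at t0, owner recovers on day 2."""
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)   # arbitrary constructed date
    owner, intruder = "addr-owner-EXAMPLE", "addr-intruder-EXAMPLE"
    wl = WithdrawalAllowlist()
    wl.add_address(owner, t0 - timedelta(days=30))   # long-standing entry
    wl.add_address(intruder, t0)                     # changes made with stolen access
    wl.request_disable(t0)
    day1 = [wl.authorize(intruder, t0 + timedelta(hours=1)),
            wl.authorize(owner, t0 + timedelta(hours=1))]
    wl.cancel_pending(t0 + timedelta(days=2))
    day8 = wl.authorize(intruder, t0 + timedelta(days=8))
    return day1, day8
```

The hold only buys time: if the account owner does not notice and cancel the pending changes within the window, the new address becomes usable once the seven days have passed.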

FTX encouraged claimants to remain vigilant against phishing emails and fraudulent phone calls, warning that bad actors could use the leaked contact information to impersonate official communications from the bankruptcy proceedings.

Lessons Learned

The Kroll breach highlights a critical and often overlooked vulnerability in the cryptocurrency ecosystem: third-party vendor risk. Even when a platform implements robust internal security measures, the data it shares with external partners can become a liability if those partners are not held to equivalent standards.

SIM-swap attacks remain one of the most effective and low-cost methods for breaching corporate accounts. Despite years of warnings from cybersecurity experts, many organizations — including large financial advisory firms — still rely on SMS-based authentication for at least some employee accounts.
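As an added example (not from the original article), the audit below shows how a defender might find the accounts this paragraph is about: those where a phone-delivered factor is the only factor, or is still enrolled as a fallback beside a stronger one. The export format, field names and account names are constructed and do not follow any particular identity provider's schema.

```python
# Constructed sample of an MFA enrollment export (hypothetical schema).
ACCOUNTS = [
    {"user": "claims-admin-1", "privileged": True,  "factors": ["sms"]},
    {"user": "claims-admin-2", "privileged": True,  "factors": ["totp", "sms"]},
    {"user": "analyst-1",      "privileged": False, "factors": ["fido2"]},
    {"user": "analyst-2",      "privileged": False, "factors": ["voice", "totp"]},
    {"user": "svc-helpdesk",   "privileged": True,  "factors": []},
]

# Factors delivered to a phone number follow the number when it is ported.
PHONE_BOUND = {"sms", "voice"}

# Lower rank sorts first in the report.
RANK = {"no_mfa": 0, "phone_only": 1, "phone_fallback": 2}


def classify(account):
    """Return the finding for one account, or 'ok' when nothing is phone-bound."""
    factors = {f.lower() for f in account["factors"]}
    if not factors:
        return "no_mfa"
    if not factors & PHONE_BOUND:
        return "ok"
    # A stronger factor does not help if SMS or voice remains an accepted
    # alternative: the login can still be completed through the phone number.
    return "phone_only" if factors <= PHONE_BOUND else "phone_fallback"


def audit(accounts):
    """List (user, finding) pairs, privileged accounts and worst findings first."""
    findings = []
    for account in accounts:
        finding = classify(account)
        if finding != "ok":
            findings.append((not account["privileged"], RANK[finding],
                             account["user"], finding))
    return [(user, finding) for _, _, user, finding in sorted(findings)]


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS):
        print(f"{user:16} {finding}")
```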

For individual users, the incident reinforces the importance of using hardware-based two-factor authentication, being suspicious of any unsolicited communication related to bankruptcy claims, and never clicking links in emails purporting to be from claims administrators.

User Action Required

If you filed a claim in the FTX or BlockFi bankruptcy proceedings, take the following steps immediately: switch all two-factor authentication from SMS to an authenticator app such as Google Authenticator or Authy; enable allowlisting on any crypto exchange accounts; verify any communication about your claim by navigating directly to the official Kroll claims portal rather than clicking email links; monitor your email and financial accounts for unusual activity; and consider placing a fraud alert with credit bureaus if sensitive personal data was stored in your claim filing.

Disclaimer: This article is for informational purposes only and does not constitute financial or legal advice. Always consult qualified professionals for guidance specific to your situation.


10 thoughts on “Kroll SIM-Swap Attack Exposes FTX and BlockFi Claimant Data in Major Vendor Breach”

  1. sim_swap_survivor

    survived a sim swap in 2021. took 30 minutes from the first suspicious text to losing access to everything. carriers do not care

    1. 30 minutes is generous. my sim swap took 12 minutes start to finish. t-mobile store in new jersey, fake id, done

      1. segfault 12 minutes is terrifying. my carrier let someone port my number with a fake ID and it took me 3 days to get it back. sms 2fa is a joke

    1. Kwame Asante calling it a double punishment is exactly right. lost your funds to FTX fraud, now your personal data is circulating on darknet forums. unreal

    1. ^ this. kroll as a professional claims admin relying on sms auth is inexcusable for a firm handling bankruptcy data of that scale

    2. the real scandal is that kroll knew sms was broken and still used it for claims data access. this was a known vulnerability for years before 2023
