The individual—or group—who obtained personal information of Canadian crypto exchange Coinsquare’s users intends to use the stolen data to conduct a wave of SIM swapping attacks, according to Vice.
“The original intent was to sell it but we figured we would make more money by SIM swapping the accounts,” a pseudonymous hacker reportedly told the outlet in an online chat on June 2.
SIM swapping involves “cloning” their victims’ SIM cards, creating functionally identical copies. This allows the culprit to receive any data that is being sent to the original device—including SMS confirmations and SMS-based, two-factor authentication codes. This information can then be used to log into their crypto exchange accounts, for example, and steal Bitcoin or other cryptocurrencies.
It’s not uncommon either. As Decrypt reported last November, two men in Massachusetts were charged for using SIM swapping techniques to steal $550,000 in cryptocurrency.
Apparently, Coinsquare drew the hacker’s ire by claiming on its website to be “the most secure trading platform”—and he accepted the challenge.
“I set out to embarrass the company for claiming they (sic) the most secure Canadian exchange and obviously that is a lie,” the individual added.
The hacker also reportedly provided the proof that he indeed has compromised the exchange—in the form of a list that included email and, in some cases, physical addresses, as well as phone numbers of over 5,000 Coinsquare users.
The data also showed that the platform was keeping records of “total $ funded first 6 months” and marked some of its users as “high value client.” At least Coinsquare customers can find solace in the fact that the document did not contain any passwords.
A year later and with a vengeance
In its turn, Coinsquare told Vice that the data was not leaked via a hack, blaming an ex-employee for stealing the information instead.
“The data was obtained as the result of employee theft of information contained within a client relationship database used for prospecting,” Stacey Hoisak, general counsel at Coinsquare, said.
She added that Coinsquare found out about the leak roughly a year ago and notified law enforcement, data protection authorities and all impacted users—at least whom the platform knew about. Hoisak also claimed Coinsquare did not realize the full extent of the breach until recently.
“Since we were made aware of this issue last year, Coinsquare has replaced internal sales management systems, re-written data management policy and upgraded its internal controls, and we are not aware of any breach or additional employee thefts since that time,” she continued.
It looks like the plague of crypto exchange hacks is not dying down. A report by CypherTrace found that cryptocurrency theft in the first months of 2020 has already reached $1.36 billion, including hacks and fraud, and it could breach record highs by the end of the year.