The crypto lending provider BlockFi reported on May 19 to have suffered a data breach that may put some of its clients in physical danger.
According to its incident report, some of the company’s client data was breached through a SIM swap attack performed on one of its employees.
The attackers successfully stole the email account and phone number used for the employees account verification procedure, which allowed them to access BlockFi’s records.
SIM-swapping attacks are the result of network operator vulnerabilities, and are usually performed through co-conspirators with access to the phone network’s equipment — though external intrusion techniques are also possible. This type of attack was the culprit behind several high-profile exchange thefts, but they usually targeted the clients themselves.
The attackers allegedly attempted to withdraw customer funds directly, but the attempts were unsuccessful, BlockFi says.
Nevertheless, the attackers had full access to customer data used as part of BlockFi’s marketing efforts.
The company stressed that no “non-public identification information” was leaked, which would include bank account numbers, passwords or social security numbers.
However, the hackers did obtain access to the customers’ full names, email addresses, dates of birth and notably, activity information and physical addresses.
Can the victims be physically extorted?
BlockFi asserts that no threat to customers’ BlockFi funds exists, writing, “Due to the nature of the information that was leaked, we do not believe there is any immediate risk to BlockFi clients or company funds.”
However, home address and activity data may expose the affected users to extortion and physical theft.
BlockFi did not disclose what kind of activity data was included in these databases, and has declined to answer Cointelegraph’s query on the subject, referring to the incident report for all information.
An unnamed spokesperson only added that “we have not received further indications that the unauthorized third party has tampered with the information that was accessed at this time.”
Nevertheless, it is easy to believe that simply reading the activity data would allow attackers to know the size of the client’s account and collateral pledges. This kind of data is crucial for any directed marketing campaign.
Furthermore, BlockFi’s privacy policy explicitly states that this information is available for marketing usage:
“We may use your personal information and information about how your use our services to send promotional and other information to you. We also may use your personal information to conduct analysis regarding your usage of our services and products and the effectiveness of our marketing initiatives.”
The connection between the home address, the customers’ activity on the platform and their identification data could allow criminals to precisely target the victims of this attack to extort them out of their cryptocurrency.
This kind of theft is not unheard of, as a Singaporean man was reportedly kidnapped in January and forced to transfer the cryptocurrency in his possession.
Similar cases were reported in 2017, notably the kidnapping of the director of crypto exchange Exmo in Ukraine. India was also reported to have several such cases that year.
The case for anonymous finance
An Ethereum (ETH) core developer used the occasion to praise the anonymity of blockchain-based decentralized finance, saying “will naysayers finally start to understand the point of DeFi on Ethereum?”
While DeFi carries a different set of risks, the consequences of data breaches on centralized platforms that hold know-your-client data could be catastrophic.