Hackers have obtained more than 5,000 email addresses and phone numbers from Canada-based cryptocurrency exchange, Coinsquare. Now, they’re reportedly hoping to use the data to perform SIM swapping attacks.
One of the alleged hackers spoke to VICE Motherboard on June 2, explaining that the collective originally intended to sell the information, but realized they could “make more money by SIM swapping the accounts.”
Coinsquare’s CEO Cole Diamond told Cointelegraph the theft was from a third party and not the exchange itself. “Coinsquare’s systems have never been breached,” he said. “As stated to VICE, this was an employee theft of data from a third party CRM system. It took place about 18 months ago. So “hackers” didn’t steal anything. There is no hacker.”
While hackers may not have stolen the data, they reportedly have it now.
SIM swapping’s modus operandi
SIM swapping consists of a hacker hijacking the target’s mobile phone number, giving them the ability to request password resets for any website where the victim’s phone is used for two-factor authentication.
VICE Motherboard states that the information obtained includes phone numbers, and physical addresses. It also includes data on how much each user deposited in their account in the first six months, and the user’s “high-value client” rating within Coinsquare’s platform.
The hack occurred by an employee’s theft of information
Stacey Hoisak, general counsel for Coinsquare, gave more details on the attack on VICE Motherboard, stating that it occurred in 2019. He continued:
“The data was obtained as the result of employee theft of information contained within a client relationship database used for prospecting.”
Hoisak says the company replaced internal sales management services, rewrote data management policy, and upgraded its internal control in an effort to avoid additional employee theft.
In 2019, the cryptocurrency exchange partnered with the US-based crypto payments startup, Flexa, to bring in-store digital currency payments to Canada.
This article has been updated with comments from Coinsquare’s CEO.