The cryptocurrency payment provider Transak confirmed that a third party gained partial access to the data of 92,554 users (1.14% of the total database). The company asserts that no financially sensitive or critically important information was compromised.
According to the team, the hacker gained unauthorized access to a platform employee’s laptop through a phishing attack.
“Using compromised credentials, the attacker was able to log into the system of a third-party KYC service provider that we use for document scanning and verification,” Transak clarified.
Through the provider’s control panel, the hacker accessed the following client data:
- names;
- dates of birth;
- identity documents (e.g., passports, driver’s licenses);
- user selfies.
“After thorough checks, we can confidently confirm that no financially sensitive information, including email addresses, phone numbers, passwords, credit card data, or social security numbers, was compromised in any way,” the security team emphasized.
Transak operates as a fully non-custodial platform and does not store user funds.
Despite no signs that hackers misused the obtained information, clients were advised to remain vigilant and monitor for suspicious activity. The service promised to send guidance on further actions to all affected users.
To contain and investigate the incident, the team engaged leading external cybersecurity experts. The UK’s Information Commissioner’s Office and other regulatory bodies in the EU and US have been informed of the situation.
In a comment to CoinDesk, Transak CEO Sami Start stated that the employee responsible for the breach was dismissed.
It later emerged that the ransomware group Stormous claimed responsibility for the hack.
Cyberattack Alert ‼️
USA — Transak
Stormous hacking group claims to have breached Transak, a developer integration for a fiat-to-crypto payment gateway.
Allegedly, 300 GB of sensitive personal documents, including government-issued IDs, proof of address, financial… pic.twitter.com/edy856IfQZ
— HackManac (@H4ckManac) October 21, 2024
They claim the scale of the stolen data is much broader, including over 300 GB of confidential personal documents, such as proof of address and financial reports.
According to them, the leak contains data on “over 1 million users,” who are also clients of other players in the crypto industry.
According to the website, Transak integrates with MetaMask, Trust Wallet, Coinbase Wallet, Ledger, Bitpay, and other cryptocurrency services.
CoinDesk reports that the Stormous extortionists are demanding $30,000 for data deletion, but the payment gateway is not inclined to negotiate.
Earlier in October, the Binance Labs-backed lending protocol Radiant Capital suffered an attack amounting to over $50 million. The hacker obtained private keys for three out of 11 signatures and altered smart contracts.
