On August 27th, the cryptocurrency management company, Fortress Trust, faced an unexpected attack that resulted in a breach of all 27 customer accounts stored in the cloud, causing a staggering loss of $15 million USD. What’s noteworthy is that this attack coincided with Fortress Trust’s migration of their login information to Okta.
Immediately following the breach, the company's team opened an investigation and worked to contain the damage. According to Retool, a cloud service provider whose customers include Fortress Trust, the hacker exploited the cloud account synchronization feature introduced in Q1/2023. This feature synchronized accounts through the user's Google cloud account, but with a twist: Google had changed its authentication behaviour so that what administrators believed was multi-factor authentication had in practice become single-factor, without their knowledge.
The hacker impersonated a member of Fortress Trust's IT team and sent a phishing link to the victims via SMS. The victims clicked the link and unwittingly entered their login credentials. The hacker then phoned the victims and asked them for their Multi-Factor Authentication (MFA) code. With that code, the hacker added a device of their own to the victims' Okta accounts, which let them generate valid MFA codes and access the accounts at will.
With this foothold, the hacker gained full control of all 27 accounts, changing both the email addresses and the passwords associated with them, and stole $15 million worth of cryptocurrency assets.
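The chain described above (a successful login from an unfamiliar network, followed minutes later by the enrollment of a new MFA factor) leaves a recognisable trail in identity-provider logs. The following detector is an added example, not code from the original article, from Retool, or from Okta: it reads a handful of constructed events in a simplified Okta System Log shape and flags any account where a new factor is activated shortly after a session starts from an IP address that user has never logged in from before. The event type names `user.session.start` and `user.mfa.factor.activate` follow Okta's naming but are assumed here; the users, IPs and timestamps are made up.

```python
"""Flag MFA factor enrollment that closely follows a login from an unfamiliar IP."""
import json
from datetime import datetime, timedelta

# Constructed sample log: one JSON event per line, fields reduced to the minimum.
# alice: known login 09:02, then a login from a never-seen IP at 10:15 and a new
#        factor activated 6 minutes later from that same IP  -> should be flagged
# bob:   earlier history from 198.51.100.22, logs in again from it and activates a
#        factor 5 minutes later                                -> familiar IP, not flagged
SAMPLE_LOG = """
{"published":"2023-08-20T08:00:00.000Z","eventType":"user.session.start","actor":"bob@example.test","clientIp":"198.51.100.22","outcome":"SUCCESS"}
{"published":"2023-08-27T09:02:11.000Z","eventType":"user.session.start","actor":"alice@example.test","clientIp":"198.51.100.10","outcome":"SUCCESS"}
{"published":"2023-08-27T10:15:40.000Z","eventType":"user.session.start","actor":"alice@example.test","clientIp":"203.0.113.77","outcome":"SUCCESS"}
{"published":"2023-08-27T10:21:05.000Z","eventType":"user.mfa.factor.activate","actor":"alice@example.test","clientIp":"203.0.113.77","outcome":"SUCCESS"}
{"published":"2023-08-27T11:00:00.000Z","eventType":"user.session.start","actor":"bob@example.test","clientIp":"198.51.100.22","outcome":"SUCCESS"}
{"published":"2023-08-27T11:05:00.000Z","eventType":"user.mfa.factor.activate","actor":"bob@example.test","clientIp":"198.51.100.22","outcome":"SUCCESS"}
"""

LOGIN_EVENT = "user.session.start"          # assumed Okta event type
ENROLL_EVENT = "user.mfa.factor.activate"   # assumed Okta event type


def parse_events(raw_log):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in raw_log.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_enrollments(events, window_minutes=30):
    """Return findings for factor activations that follow a login from a new IP.

    An IP is "unfamiliar" for a user if no earlier successful login from it
    appears in the event stream. The enrollment must come from the same IP and
    within `window_minutes` of that login to be flagged; a bigger gap or a
    different IP is still worth a look but is not the pattern targeted here.
    """
    window = timedelta(minutes=window_minutes)
    known_ips = {}          # actor -> set of IPs with a prior successful login
    new_ip_logins = {}      # actor -> (timestamp, ip) of latest login from a new IP
    findings = []

    for ev in events:
        actor, ip = ev["actor"], ev["clientIp"]
        if ev["eventType"] == LOGIN_EVENT and ev["outcome"] == "SUCCESS":
            seen = known_ips.setdefault(actor, set())
            if ip not in seen:
                new_ip_logins[actor] = (ev["ts"], ip)
                seen.add(ip)
        elif ev["eventType"] == ENROLL_EVENT and ev["outcome"] == "SUCCESS":
            login = new_ip_logins.get(actor)
            if login and login[1] == ip and ev["ts"] - login[0] <= window:
                findings.append({
                    "actor": actor,
                    "ip": ip,
                    "login_at": login[0].isoformat(),
                    "enrolled_at": ev["ts"].isoformat(),
                    "minutes_between": (ev["ts"] - login[0]).total_seconds() / 60,
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(parse_events(SAMPLE_LOG)):
        print(f"{f['actor']}: new factor from unfamiliar IP {f['ip']} "
              f"{f['minutes_between']:.0f} min after login")
```

In a real deployment the "known IPs" baseline would come from weeks of history rather than the same batch of events, and a finding should be paired with a step that does not rely on the compromised channel, such as a call back to the employee on a number already on file, before the new factor is trusted.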
The tactics used in the Fortress Trust attack bear a striking resemblance to those of Scattered Spider (also tracked as UNC3944), a threat group known for sophisticated phishing and social-engineering campaigns.
In response to the incident, Ripple acquired Fortress Trust and reimbursed the affected customers. The event highlights how cunning these scammers are and underscores the lucrative targets they have set their sights on: cryptocurrency companies and projects.