Creditors with claims in FTX’s ongoing bankruptcy could potentially be doxxed if they published affiliate links, a pseudonymous Twitter user named @Alice_comfy claimed on Wednesday.
**URGENT**
IF YOU HAVE EVER POSTED AN FTX AFFILIATE LINK OR PNL CARD AND DON'T WANT TO GET DOXED, GO BACK AND DELETE IT RIGHT NOW.
FTX LINKS USE ACCOUNT ID. https://t.co/cg55Yb9Y2P
— Alice (@Alice_comfy) August 30, 2023
Kroll, the company that serves as a claims agent for creditors in the collapsed cryptocurrency exchange’s Chapter 11 bankruptcy, told users last week that sensitive information related to claims had been compromised in a data breach.
“[An] unauthorized party accessed files in Kroll’s cloud-based systems, including files that contained your name, address, email address, and the balance in your FTX account,” the firm said, adding that digital assets in the FTX case were unaffected.
Kroll also warned that for “certain claimants” the compromised information could include FTX account numbers and “unique identifiers assigned as part of the bankruptcy process,” according to its website.
Because FTX affiliate links—where customers could once earn rewards for getting others to sign up—contained account IDs, the links could be used to match personal information with pseudonymous Twitter accounts that shared them online, @Alice_comfy explained.
Kroll did not immediately respond to a request for comment from Decrypt.
Affiliate links allowed new FTX customers to receive a 5% fee discount on transactions, while those who shared them received 30% of the total trading fees the corresponding user generated, according to Blockduo. A screenshot of the now-defunct referrals page on FTX shows the option for users to create their own custom affiliate codes as well.
The Twitter user told Decrypt in a Twitter DM that they “don’t think the breach is publicly available yet.” Still, the notion that FTX account numbers are listed separately from “unique identifiers” is cause for concern, they said.
When Kroll initially divulged the security incident, it said that sensitive information for other crypto-related bankruptcies, BlockFi and Genesis, was also accessed. Being doxxed is the latest hurdle customers could face as they wait for some reprieve.
The malicious actor gained access to a Kroll employee’s phone through a so-called SIM-swapping attack, in which the target’s phone number is transferred to a SIM card the attacker controls. The attack has become established as a common way for criminals to steal crypto, too.
Kroll urged claimants to exercise caution moving forward and be on the lookout for phishing scams, where bad actors could trick people into divulging more sensitive information via fake emails.
The message was highlighted by Binance CEO Changpeng Zhao, who shared an example of what false emails could look like on Twitter on Sunday. Zhao said, “Learn to protect yourself.”
New rounds of phishing attacks already underway for the poor users of FTX, BlockFi, Genesis, as a result of the Kroll data leak, which seems to be a result of a SIM swap on an employee. 🤷‍♂️
Learn to protect yourself. Learn about phishing attacks 👇 https://t.co/AtcevQciVR pic.twitter.com/pbHFnhsArK
— CZ 🔶 Binance (@cz_binance) August 27, 2023