
Identity of Ripple's Fortress Trust Hacker Who Stole $15 Million in Crypto Revealed

u.today, 18 September 2023 08:19 UTC

Chinese crypto blogger and journalist Colin Wu has shared details of the recent hack of crypto custodian Fortress Trust, which was recently acquired by blockchain giant Ripple. The details come from a disclosure by software development company Retool, as reported by thehackernews.com.

According to Wu, the weak spot the hackers exploited was the additional security layer provided by a major authentication app.

27 accounts on Fortress Trust were compromised

According to Retool, the cybercriminals compromised as many as 27 accounts at the crypto custody company Fortress Trust. They gained this access through a targeted SMS-based social engineering attack.

Retool has released details of a hack involving 27 crypto accounts, including how $15 million in cryptocurrency was stolen from Fortress Trust. The Google Authenticator cloud sync function was the reason: the attacker took control of the Google account, thereby controlling the data…

— Wu Blockchain (@WuBlockchain) September 18, 2023

According to Fortress Trust, the hackers exploited a Google account cloud synchronization feature introduced in the spring of this year. The company, based in San Francisco like Ripple, which bought it, said the feature made the breach worse and called it a "dark pattern." Retool's head of engineering, Snir Kodesh, called this type of synchronization "a novel attack vector," stating that the April update by the internet search giant effectively turned multi-factor authentication into single-factor authentication.

The attack on Aug. 27 coincided with Fortress Trust migrating its logins to Okta.

Here's how the attack began, and who stands behind it

The hackers began their SMS phishing attack by posing as a member of the Fortress Trust IT team. They directed recipients to follow a legitimate-looking link, supposedly to resolve a payroll-related problem.

One employee fell for the trick, visited the fake landing page and entered their credentials there. The attackers then phoned the same employee, again posing as IT staff (using a deepfake to alter their voice), and asked the staffer to read out their multi-factor authentication (MFA) code.

This code let the hackers enroll their own device in the victim's Okta account, after which they could generate their own MFA codes to access it. Having deceived this one employee, the hackers went on to access all 27 accounts mentioned above, changing both the email addresses and the passwords on those accounts. As a result, a whopping $15 million worth of crypto assets was lost.
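The chain described above leaves two traces in an identity provider's audit log that a defender can correlate: a new MFA factor being enrolled shortly after a login from an address the user has never used, and one actor then changing the email address or password on many other accounts from that same address. The following example, added here and not part of the original article or of Retool's or Fortress Trust's own tooling, runs two such detection rules over a constructed set of audit events; the event names, field names, IP addresses and user names are assumptions for illustration, not Okta's real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events modelled loosely on an identity provider's system log.
# Event and field names are assumed for this example; they are not Okta's schema.
EVENTS = [
    {"ts": "2023-08-27T14:02:10Z", "actor": "alice", "target": "alice", "event": "login.success",          "ip": "203.0.113.5"},
    {"ts": "2023-08-27T14:20:15Z", "actor": "alice", "target": "alice", "event": "login.success",          "ip": "198.51.100.9"},
    {"ts": "2023-08-27T14:21:03Z", "actor": "alice", "target": "alice", "event": "mfa.factor.enroll",      "ip": "198.51.100.9"},
    {"ts": "2023-08-27T14:35:40Z", "actor": "alice", "target": "bob",   "event": "account.email.change",   "ip": "198.51.100.9"},
    {"ts": "2023-08-27T14:36:02Z", "actor": "alice", "target": "bob",   "event": "account.password.reset", "ip": "198.51.100.9"},
    {"ts": "2023-08-27T14:38:11Z", "actor": "alice", "target": "carol", "event": "account.email.change",   "ip": "198.51.100.9"},
    {"ts": "2023-08-27T14:40:27Z", "actor": "alice", "target": "dave",  "event": "account.email.change",   "ip": "198.51.100.9"},
    # Benign control case: carol enrolls a new factor from her usual office address.
    {"ts": "2023-08-27T09:10:00Z", "actor": "carol", "target": "carol", "event": "login.success",          "ip": "192.0.2.44"},
    {"ts": "2023-08-27T09:12:30Z", "actor": "carol", "target": "carol", "event": "mfa.factor.enroll",      "ip": "192.0.2.44"},
]

# Constructed baseline: addresses each user was seen logging in from before the incident.
KNOWN_IPS = {"alice": {"203.0.113.5"}, "carol": {"192.0.2.44"}}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_enrollments(events, known_ips, window=timedelta(minutes=30)):
    """Flag MFA factor enrollments that follow a login from an address the user never used before.

    An enrollment from a familiar address is ignored; one from an unknown address that
    was preceded (within `window`) by a successful login from that same address is the
    pattern of an attacker who phished a password and a one-time code and is now adding
    their own device.
    """
    logins = [e for e in events if e["event"] == "login.success"]
    findings = []
    for e in events:
        if e["event"] != "mfa.factor.enroll":
            continue
        if e["ip"] in known_ips.get(e["target"], set()):
            continue
        t = parse_ts(e["ts"])
        prior = [
            l for l in logins
            if l["target"] == e["target"] and l["ip"] == e["ip"]
            and 0 <= (t - parse_ts(l["ts"])).total_seconds() <= window.total_seconds()
        ]
        if prior:
            findings.append({"rule": "new_ip_login_then_mfa_enroll",
                             "user": e["target"], "ip": e["ip"], "ts": e["ts"]})
    return findings


def mass_account_changes(events, threshold=3, window=timedelta(hours=1)):
    """Flag one actor changing email or password on `threshold` or more *other* accounts
    from a single address within `window`, which is how the 27 accounts were taken over."""
    changes = defaultdict(list)
    for e in events:
        if e["event"] in ("account.email.change", "account.password.reset") and e["actor"] != e["target"]:
            changes[(e["actor"], e["ip"])].append(e)
    findings = []
    for (actor, ip), evs in changes.items():
        evs.sort(key=lambda x: parse_ts(x["ts"]))
        for i, start in enumerate(evs):            # sliding window over sorted events
            t0 = parse_ts(start["ts"])
            targets = {x["target"] for x in evs[i:] if parse_ts(x["ts"]) - t0 <= window}
            if len(targets) >= threshold:
                findings.append({"rule": "mass_account_takeover", "actor": actor, "ip": ip,
                                 "targets": sorted(targets), "first_ts": start["ts"]})
                break                               # one finding per (actor, ip) is enough
    return findings


def run(events=EVENTS, known_ips=KNOWN_IPS):
    """Run both rules and return the combined list of findings."""
    return suspicious_enrollments(events, known_ips) + mass_account_changes(events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the constructed data the first rule flags only alice's enrollment (carol's, from her known address, is not reported), and the second flags alice's address changing three other accounts within the hour. These rules only surface the takeover after the phished code has been used; the point the article makes about Google Authenticator cloud sync is that once the TOTP seeds live in the Google account, that account's credentials are the one remaining factor, which no log rule on the custodian's side can undo.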

The methods used in the attack resemble those of the hacker who calls himself Scattered Spider (aka UNC3944), who is believed to be highly skilled in phishing attacks.