Crypto Lender Celsius Suffers Data Breach Through Third-Party Mailing List

Cryptocurrency lender Celsius Network has suffered a data breach that exposed customer data.

Compromised Third-Party Systems

According to an announcement from the company CEO Alex Mashinsky, hackers gained access to a backup third-party email distribution system Celsius uses. This data trove contained the personal details of its customers. Armed with the list, the cybercriminals impersonated the company by sending malicious emails and text messages into tricking them into part ways with their private keys. The hackers placed a phishing link in the emails that supposedly redirected Celsius users to a malicious web wallet that promises to compensate them with $500 for revealing their private keys. The crypto lending platform said that the affected customers got this message in their emails and SMS. The crypto lender claimed they were able to nip the issue in the bud before damage was done. Celsius has informed the community that investigations are ongoing and customers should remain vigilant. Even though Celsius says they were able to arrest the situation on time, a Reddit thread revealed the extent of the theft. According to a Reddit user, the criminals made away with over $300,000 in the attack. Another user “VaporFye” provided a comprehensive guide on the phishing email wallet address and admitted to having lost 20 ETH (about $50,000) to the thieves.

The Wave of Malicious Attacks Sweeping Through

Malicious attacks on crypto projects have surged in the past year. Last year, another crypto lending platform BlockFi had its systems compromised via one of its employees. The hacker was able to gain control of the employee’s phone number through a SIM swap attack. From there on, they accessed the company's systems. But, BlockFi claims the attacker could only access the company's retail marketing systems. The company said the intruder accessed no customer information. Cryptocurrency wallet provider Ledger has also had its fair share of attacks. According to a published correspondence, the crooks stole the personal data of customers. Ledger initially said that only 9,500 users were affected, but a subsequent investigation revealed those details were false. The exact figure was placed at more than a quarter-million. Two of the affected parties, John Chu and Edward Baton, have since taken Ledger to court, citing the company’s attempts to cover up their negligence as a reason.