Coinsquare Hackers Admit They'll Use 5,000 Stolen User Data For SIM Swapping

Hackers have acquired the personal information of 5,000 users of Canadian cryptocurrency exchange Coinsquare and said they will use this data to perform SIM swapping attacks.

SIM swapping is an account takeover where someone convinces a mobile carrier to switch a victim’s phone number to a SIM card they own. The hacker first tries to obtain the user’s personal details. Once that is secured, they will ask the mobile carrier for a SIM swap claiming they "lost" their mobile phone along with the SIM. Once this is done, all text messages, calls and authentication messages like one-time passwords will be routed to the new SIM card in their possession.

One of the Coinsquare hackers recently spoke with Vice Motherboard and provided them with a portion of the stolen data, which included email addresses, telephone numbers, and the users' total funds deposited to the platform during a six-month period. Initially, the hackers wanted to sell the data but later realized they could make more money “by SIM swapping the accounts”.

"The original intent was to sell it [the data] but we figured we would make more money by SIM swapping the accounts," the hacker told the publication.

Vice verified the data by registering to Coinsquare using the email addresses and calling the numbers listed. The email addresses could not be used because they were already registered. Some of the numbers called responded to confirm they have accounts in the Canadian crypto exchange.

Coinsquare denied that a hacking of their systems had occurred. The crypto exchange claimed the data was obtained through employee theft from a third-party that has access to the data. Coinsquare said a former employee stole the information.

The company clarified to Cointelegraph that the theft happened from a third party and not on the exchange itself. This contradicts the hacker’s statement, who told Vice that they wanted to embarrass the exchange for claiming they are the most secured Canadian exchange. “Obviously that is a lie,” he added.

Coinsquare said they were first made aware of the issue in 2019 and has replaced internal sales management services, improved its internal controls, and reworked its data management policy.

Using SMS to push multi-factor authentication in securing online accounts is discouraged in favor of newer tools like authenticator apps. Many high-profile hacks have occurred through SIM swapping. Twitter and Square founder Jack Dorsey’s Twitter account got hacked in 2019 using this method. Cryptocurrency investor Michael Terpin became a victim of SIM swapping twice, in which the hacker succeeded in the second attempt in siphoning $24 million worth of cryptocurrencies. He sued the hacker, who was 15 years old during the incident, as well as AT&T for gross negligence in connection with the theft.