Transak, the Miami-based fiat-to-crypto payment gateway used by leading platforms such as Metamask, Trust Wallet, Coinbase, and Ledger, announced today that it suffered a data breach affecting 1.14% of its user base.
The breach, which affected around 57,000 users, was reportedly carried out by the notorious Stormous ransomware gang.
Transak explained in a blog post that an attacker gained unauthorized access to an employee’s laptop through a sophisticated phishing attack. Using the compromised credentials, the attacker was able to infiltrate the system of a third-party KYC (Know Your Customer) vendor used by Transak for document scanning and verification services.
The breach exposed sensitive personal information, including names and other personally identifiable information (PII). However, Transak, which operates as a non-custodial gateway, assured that no financial assets or “financially sensitive” data such as social security numbers or credit card information were compromised in the incident.
Transak has more than 5 million users in 160 countries, raising concerns about the extent of the data breach.
The Stormous ransomware gang claimed responsibility for the attack by posting some of the stolen data on its own website. The group, which has previously targeted other blockchain and identity verification systems, said it stole 300 gigabytes of data from Transak. This data reportedly included sensitive documents such as IDs, addresses, financial statements, and selfies collected during the KYC onboarding process.
“There is currently no indication that data was misused. However, we advise affected users to be vigilant and monitor for suspicious activity. We will be reaching out to affected users with advice and resources to protect themselves from potential misuse of their information, including identity tracking services,” Transak said.
The attack comes after Stormous claimed responsibility for the breach of Fractal ID, a decentralized authentication provider for Web3 projects, in July. The gang recently revealed that it obtained 12 gigabytes of data from Fractal ID, including personal photos, bank statements, addresses, and cryptocurrency wallet addresses (ETH/BTC).
Both Transak and Fractal ID have hired external investigators to evaluate the data breaches.
*This is not investment advice.
