Gnosis Pay and other crypto projects impacted in Fractal ID data breach

Quick Take

  • Approximately 0.5% of decentralized identity startup Fractal ID’s 1 million customers were affected by a data breach on Sunday, Fractal co-founder Julian Leitloff told The Block.
  • The project maintains personally identifiable information, including users’ names, proof of residence and IDs.
  • Gnosis Pay is among the affected protocols, according to an email sent to users. 
  • Leitloff said the attacker gained entry through an operator account, and suspects it is related to a “siphoned password gained from other hacks.”

Decentralized payment network Gnosis Pay alerted users on Wednesday about a data breach at Fractal ID, the customer verification service it has used since at least 2019, according to a customer service email seen by The Block. Gnosis is likely not the only Web3 company affected.  

“At 7:30 PM CET, Monday, 15th July 2024, our Know Your Customer (KYC) service provider Fractal ID made the Gnosis Pay team aware that it had suffered a data breach on Sunday 14th July 2024,” the Gnosis Pay team wrote. 

Fractal co-founder Julian Leitloff confirmed reports of the exploit to The Block. “A single operator account got breached and as a result, we noticed suspicious activity on Sunday morning. We immediately stopped access and could identify the cause which was later verified with external support,” he said in a direct message. Approximately 0.5% of Fractal ID’s 1 million users were affected, Leitloff said. 

Like other KYC and anti-money laundering (AML) service providers, the Berlin-based Fractal ID, founded in 2017, collects and stores sensitive user data, known as personally identifiable information, including name, residence, email address, “a Liveness Detection Selfie Scan” and documents like passports and licenses.

Fractal ID provides compliance assistance for at least eight crypto protocols, including Polygon, Ripple and Near, and counts over 250 companies among its clientele, according to its website.

“The attack wasn't Gnosis specific, but specific to the operator's account access. The system itself was not impacted but this account, meaning every user that account had access to,” Leitloff said.

In a screenshot of an email from Fractal ID posted to X, the company said that one of its engineers discovered an attacker had gained access to a Fractal ID operator’s account, enabling them to run an API script to access users’ data. Fractal ID said it stopped the exploit in just over two hours.

“Fractal KYC requires showing proof of ID and residence proof etc. I used this for Optimism retro KYC and Thrive/Arbitrum KYC,” X user @arlery, who posted Fractal ID’s email, said. “The fact that they’ve been compromised is so alarming.”

Leitloff said it's unclear how the attacker gained entry to the operator account, though the company suspects it is related to a “siphoned password gained from other hacks.”

Users’ “sensitive data is encrypted with a state-of-the-art security process,” the company wrote in a blog post. Leitloff said that although the company offers a decentralized identity product, it uses centralized databases to store client data. This is “not a legal requirement per se but what today most regulated entities require” because local storage on users’ computers “would definitely not work.”

Fractal ID, built on Polkadot, was also one of the main developers of the open-source digital ID operating system idOS, built to enable users to manage their own identity across the Web. It received backing from the German Accelerator Southeast Asia and has raised nearly $8 million, according to PitchBook.

Fractal ID has not yet disclosed the data breach on social media, its blog or its website. However, Leitloff told The Block the exploit affected only a fraction of Fractal ID’s user base.

CORRECTION: Julian Leitloff is the co-founder of Fractal ID.



© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Daniel Kuhn is a Senior Journalist and Editor at The Block, where he covers the crypto industry with a particular focus on tech. He previously served as deputy managing editor of opinion/features at CoinDesk. He first appeared in print in Financial Planning, a trade publication magazine. Before journalism, he studied philosophy as an undergrad, English literature in graduate school and business and economic reporting at an NYU professional program. You can connect with him on Twitter and Telegram @danielgkuhn or find him on Urbit as ~dorrys-lonreb.

Editor

To contact the editor of this story: Lawrence Lewitinn