Fractal ID data breach traced to 2022 hack of employee who reused password

Decentralized identity startup and Know-Your-Consumer (KYC) verification provider Fractal ID has published a postmortem outlining the data breach that the company suffered on July 14. The company said the data breached "may include names, email addresses or phone numbers, wallet addresses, physical addresses, images and pictures of any uploaded documents" of about 6,300 users, or .5% of the users in Fractal ID's database. 

The Berlin-based Fractal ID provides compliance assistance for at least eight crypto protocols including Polygon, Ripple and Near and counts over 250 companies among its clientele, according to its website. 

The threat actor gained access to the system through a compromised employee's account. Because the employee had administrator-level access to the system, the hacker was able to "sidestep" internal data privacy systems, the company states, before an automated system notified an engineer and allowed them to shut out the attacker 29 minutes after the attack began. 

The company noted that a party who claimed responsibility for the attack requested a ransom from the company, but the company declined to engage and instead contacted Berlin's cybercrime law enforcement. The company has also contacted affected users, according to its postmortem. The company outlined several measures it plans to take to defend against attacks in the future, including restricting which accounts have access to sensitive data and blocking requests to login from unknown IP addresses. 

Initial hack dates back to 2022

The employee's machine was originally compromised all the way back in September 2022, according to researchers at cybercrime intelligence firm Hudson Rock. The machine was infected by the Raccoon 'infostealer,' a commonly available Malware-as-a-Service first observed in April 2019.

"While the computer was infected back in 2022, it appears the victim did not change their password, enabling the hackers to infiltrate an account and initiate the hack," the researchers wrote. 

"The operator didn’t follow our opsec policies and training. We have put technical measures in place to ensure these cannot be sidestepped by any operators in the future. This was not the result of a software vulnerability," Fractal ID noted in its postmortem. 

The U.S. Justice Department indicted a 26-year-old Ukrainian national, Mark Sokolovsky, in 2022 for conspiring to operate Raccoon Infostealer, which was allegedly leased to would-be hackers for as little as $200 a month in cryptocurrency. The FBI was able to identify "more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) in the stolen data from what appears to be millions of potential victims around the world," though the agency acknowledged that number is likely an undercount. 

After failing to fake his death following the Russian invasion of Ukraine, Sokolovsky was extradited to the United States this past February. The U.S. government also set up a website where users can check if their credentials have been compromised.