Crypto On-Ramp Service Transak Targeted in Data Breach

Transak, a crypto on-ramp used by a number of popular blockchain companies, has fallen victim to a data breach, the team disclosed in a blog post on Monday.

According to Transak, the leaked data was limited to “names” and “basic identity information.” However, a ransomware group that claimed responsibility for the attack says it obtained more sensitive user data as well.

In an interview with CoinDesk, Transak CEO Sami Start said that 93,000 people were impacted by the breach, which included passports, ID cards and selfies used by customers to verify their identities with crypto financial products. “There’s no bank statements, there’s no social security numbers, there’s no credit card information, there’s not even any emails or passwords that were accessed, which limits the severity of this incident significantly,” said Start.

Transak provides developers with tools to bridge users from fiat to crypto, such as by allowing them to purchase cryptocurrencies via credit card. According to its website, Transak has been integrated into major blockchain wallets like Metamask and Trust Wallet, among others. Crypto exchanges like Coinbase and Binance.US also use Transak’s services.

The incident ultimately “impacted 1.14% of our user base,” Transak said in Monday’s blog post. “Importantly, no financially sensitive or critical information was compromised.”

A ransomware group that claimed responsibility for the breach said the data came from a larger subset of Transak’s customers and did include some financial data.

“This breach has impacted all KYC [know your customer] DATA processed through Transak’s infrastructure,” the ransomware group claimed in a public Telegram group that it operates. “We have extracted more than 300GB of data, which includes sensitive personal documents such as government-issued IDs, proof of address, financial statements, and user selfies.”

The ransomware group claims it has only released a subset of the stolen data it has on hand. If Transak fails to pay a ransom, the group threatened to “leak the remaining data or sell it to the highest bidder.”

Transak told CoinDesk that it is not interested in negotiating with the ransomware group. “We don’t know if they necessarily did this or if they’re just claiming credit for it,” said Start. “They’ve released this evidence where they’ve shown some screenshots from our KYC vendor, but it’s possible that someone else posted that somewhere else and they’ve just taken credit for it.”

According to Start, the data breach occurred because an employee “used their laptop for things other than work.”

“They’ve been exited from the company,” said the Transak CEO. “They did some non-work related activities on their laptop that caused them to run a script – a malicious script – that gave access to their system.”

The access enabled hackers to gain access to one of Transak’s third-party user authentication, or KYC (know-your-customer), services. According to Start, this particular vendor had a “vulnerability” in its system, which enabled the attacker to download a subset of Transak’s user data via the compromised device.

In his interview with CoinDesk, Start insisted that the data breach was limited exclusively to this KYC service. “Any rumors about accessing any other systems are not true,” Start said. The attackers “may have gotten some screenshots that were in the employee’s download folder – maybe one or two screenshots of some other system – but they only accessed this one vendor, and they only accessed the users that I mentioned. I challenge anyone to show otherwise.”

UPDATE (15:59 UTC – Oct. 21, 2024): Adds information from CoinDesk’s interview with Transak.