FTX claims firm Kroll sued for betrayal
Kroll, the firm handling FTX creditor reimbursements, suffered a data breach that triggered a new wave of fraud.
Thousands of FTX creditors faced additional stress after Kroll, the financial advisory firm handling the bankruptcy recovery process, suffered a personal data breach. The breach quickly resulted in a wave of fraudulent attacks targeting affected creditors.
The chronology of disaster: data leak and creditor reaction
The incident occurred in August 2023. Kroll, acting as the claims agent in the FTX bankruptcy case, announced that its security systems had been breached. It later became known that the attackers had gained access to creditors' personal data, including their names, email addresses, phone numbers, and information about their claim amounts. Despite Kroll's assurances that FTX account passwords remained secure, the scale and nature of the stolen data immediately raised concern.
The fears were soon confirmed. FTX creditors began receiving a flood of phishing emails in which scammers, using the stolen information, impersonated Kroll or FTX representatives. These emails prompted victims to click malicious links promising fund withdrawals or data verification, sometimes resulting in the loss of remaining assets. This became the final blow for victims already waiting years for fund recovery.
The reaction was swift and decisive. On August 19, 2025, a class action lawsuit was filed against Kroll, with the plaintiffs represented by the Hall Attorneys law firm. The plaintiffs accused the company of failing to adequately protect confidential data and claimed that its negligence directly led to the wave of fraud. They argue that Kroll did not take sufficient measures to secure the stored data, despite working with extremely sensitive information belonging to thousands of people.
The lawsuit also includes claims from affected clients from crypto exchanges BlockFi and Genesis, whose data Kroll also handled.
The lawsuit seeks damages and the implementation of measures to prevent similar incidents in the future. This situation sets a legal precedent for all companies that handle user data in such sensitive areas.
For a look at the other lawsuits affected FTX clients have prepared, read our full article FTX Customers Want to Expand Lawsuit, Alleging Law Firm Enabled Fraud
Why Kroll was vulnerable: a look at the attack methods
Understanding how Kroll fell victim to cybercriminals requires examining the attack details.
The data leak did not result from a direct server hack. According to media reports and Kroll's own statements, the cause was a so-called SIM swapping attack – a method in which scammers, using social engineering, convince a mobile operator to re-issue an employee's SIM card to a phone they control. As reported in articles from SecurityWeek and ResearchGate, it was precisely this attack, targeting one of Kroll's employees, that allowed the attackers to gain access to the company's cloud storage.
SIM swapping begins with the attackers collecting information about the victim, then contacting the mobile operator while impersonating the employee and claiming a lost or stolen phone. Using deception, they convince the operator to issue a new SIM card, which instantly gives them control of the phone number. From that point, any verification codes sent via SMS arrive on the attacker's device. The method exploits companies' reliance on SMS-based multi-factor authentication (MFA): a factor tied to a phone number is only as strong as the operator's willingness to reassign that number.
Kroll, founded in 1932, specializes in financial consulting, risk management, corporate investigations and cybersecurity. The irony lies in the fact that the company, which itself offers data protection services, allowed such a critical vulnerability. Cybersecurity experts believe that SIM swapping was likely made possible due to an insufficient level of security in internal protocols. If Kroll had used stricter multi-factor authentication methods that do not rely on an employee's phone number (such as biometric data or hardware keys), the attack could have been prevented. This highlights that even with technological solutions in place, human error and negligence in adhering to corporate security rules can negate all efforts.
Furthermore, the class action lawsuit states that Kroll used only email for communication with creditors, which, according to the plaintiffs, made them particularly vulnerable to phishing attacks. The lack of alternative, more secure communication channels (e.g., a secure portal with two-factor authentication) is one of the key accusations against the company.
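The two factor types contrasted above differ in what the server actually verifies. The following added example (not code from the article or from Kroll) models this: an SMS code is a bare shared secret that is valid for whoever receives the message, while a device-bound credential is computed from a secret that never leaves the hardware and from the origin the device is really talking to. The origins are constructed, and an HMAC stands in for the public-key signature a real hardware key would produce.

```python
import hashlib
import hmac
import os
import secrets


def sms_login(issued_code: str, presented_code: str) -> bool:
    """SMS MFA: the server only checks that the presented code matches the one it sent.
    Nothing ties the code to a person or a device, so control of the phone
    number (e.g. after a SIM swap) is sufficient to pass."""
    return hmac.compare_digest(issued_code, presented_code)


def device_sign(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified device-bound authenticator: the secret stays on the device and the
    response covers both the server's challenge and the origin the device sees."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


def bound_login(device_key: bytes, challenge: bytes, expected_origin: str,
                presented: bytes) -> bool:
    """Server side: recompute the expected response for its own origin."""
    expected = device_sign(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, presented)


def compare_factors() -> dict:
    real_origin = "https://claims.example"            # constructed
    phishing_origin = "https://claims-example.com"    # constructed look-alike

    # SMS: the attacker who now receives the victim's texts simply relays the code.
    code = f"{secrets.randbelow(10**6):06d}"
    sms_attacker_passes = sms_login(code, code)

    # Device-bound: the attacker holds neither the device secret nor the real origin.
    device_key = os.urandom(32)
    challenge = os.urandom(16)
    legit = device_sign(device_key, challenge, real_origin)
    # Even if the user is lured to a look-alike site, the response is bound to
    # that site's origin and does not verify against the real one.
    phished = device_sign(device_key, challenge, phishing_origin)
    forged = hmac.new(os.urandom(32), challenge + real_origin.encode(),
                      hashlib.sha256).digest()   # attacker without the device key

    return {
        "sms_attacker_passes": sms_attacker_passes,
        "bound_legit_passes": bound_login(device_key, challenge, real_origin, legit),
        "bound_phished_passes": bound_login(device_key, challenge, real_origin, phished),
        "bound_forged_passes": bound_login(device_key, challenge, real_origin, forged),
    }
```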
Lessons for business: Basic principles of database security
The incident with Kroll serves as an important reminder for all companies that handle confidential information. In the age of digitalization, where data is one of the most valuable assets, its protection must be a priority. This applies not only to protection against external threats but also to internal vulnerabilities that often go unnoticed.
One of the key principles is data minimization. Companies should only collect and store information that is absolutely necessary for them to perform their functions. The less data stored on corporate servers, the less potential damage in the event of a leak.
The second principle is the principle of least privilege. Employees should only have access to the data they need to perform their immediate duties. In Kroll's case, an employee may have had access to too much information, which allowed the attackers to cause such extensive damage.
The third principle is encryption. All data must be encrypted, both at rest (stored on servers) and in transit (transmitted over a network). Encryption converts data using an algorithm so that it is unreadable to anyone who does not hold the key. This makes sensitive information useless to attackers, even if they manage to gain access to it.
Finally, companies need regular audits and penetration testing. They must constantly check their systems for vulnerabilities, and external experts can help identify weaknesses that may be invisible to internal teams. This helps prevent attacks before they occur and keeps protection at the highest achievable level.
The incident with Kroll shows that cybersecurity is not a one-time task but a continuous process. Any company, regardless of its reputation, can become a victim if it does not constantly improve its protection methods.
The content on The Coinomist is for informational purposes only and should not be interpreted as financial advice. While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, or reliability of any content. Neither we accept liability for any errors or omissions in the information provided or for any financial losses incurred as a result of relying on this information. Actions based on this content are at your own risk. Always do your own research and consult a professional. See our Terms, Privacy Policy, and Disclaimers for more details.