Google Cloud Sync Feature Blamed for $15 Million Crypto Heist at Ripple-Owned Fortress Trust


Software development company Retool has identified a recent Google Account cloud synchronization feature as the culprit behind the crypto custodian Fortress Trust's hack, which led to the loss of $15 million, as reported by Hacker News on September 18.

Retool, which offers cloud services to various clients, including Fortress Trust, revealed that the breach had impacted all 27 of its cloud customers. The security lapse was attributed to a newly introduced Google update that, unbeknownst to administrators, effectively reduced its multifactor authentication to single-factor authentication.

The Hacking Sequence

Snir Kodesh, Head of Engineering at Retool, explained that the breach unfolded because of the alteration in Google's authentication setup. This change inadvertently left the system exposed to a breach, and the administrators were unaware of it.

The breach began with an SMS social engineering attack targeting Retool's employees. The malicious actor sent fraudulent links to employees, posing as a member of the IT team. The accompanying message claimed the link was for addressing a payroll issue. One unsuspecting employee entered their login credentials on the counterfeit landing page.

To further their access, the hackers employed deepfake voice technology during a phone call with the employee to extract a multifactor authentication code. Armed with this code, they were able to add their own device to the employee's account and generate their own multifactor authentication codes, giving them an active Google Workspace session on the compromised device.

With access to the internal admin system, the hackers activated Google Authenticator cloud sync and gained control over customers' accounts by changing those accounts' email addresses and passwords.

Retool did not disclose the extent of the impact on its other customers. The complexity of this attack suggests that the perpetrators possess advanced skills, and possibly even insider access, which would have allowed them to tailor their phishing campaigns to specific targets.

Following the incident on August 27, Ripple acquired Fortress Trust and reimbursed the affected customer's funds. This episode underscores the rising sophistication of social engineering scammers and hackers who have now set their sights on crypto firms, emphasizing the need for enhanced cybersecurity measures in the crypto industry.
