Roughly 500 people were in for a random surprise on Mar. 8, receiving profanity-laced correspondence from BlockFi after their email addresses were used to sign up for fake accounts.
According to employees of the company, a single attacker began the registration process for more than 1,000 fake accounts on Mar. 7, using email addresses belonging to real users.
The attacker entered “vulgar and racist” terms as the first and last names for the fake accounts. Because the signup flow inserted those names into its automated emails, about 500 messages containing offensive language were sent out before BlockFi caught on to the problem and halted registrations altogether.
I received an email from @BlockFi this weekend asking me to confirm my account (which I never signed up for in the first place). When I opened the email, it began with: “Hi **n-word**,” except of course this most violent racial slur was spelled out fully (1/*)
— Sara Sheridan (@SaraSheridan14) March 8, 2021
“I am the farthest thing from a crypto investor,” tweeted Philadelphia-based journalist Sara Sheridan in all caps on Mar. 8. “I never even heard of BlockFi before receiving an email addressing me as a racial slur.”
Zac Prince, the CEO of BlockFi, initially described the attack as a “technical issue with the new account signup workflow” before unveiling the full scope of what had happened in today’s Forbes article.
1/ We are temporarily pausing new signups for @BlockFi. Existing clients continue to have full access to the platform and everything other than new sign ups is operating normally. We experienced a minor
— Zac Prince (@BlockFiZac) March 8, 2021
A similar attack was reported by crypto derivatives exchange FTX last month. Attackers managed to trick the feed from Blockfolio’s Signal app, a product acquired by FTX in Aug. 2020, into displaying racist messages. FTX CEO Sam Bankman-Fried believes the attack was done by a competitor.
Some BlockFi customers reported not being able to access the company’s website altogether following a scheduled maintenance period which had concluded earlier in the day, on Mar. 7, but the matter may be unrelated to the attack.
Visitors to the BlockFi website are currently met with a message clarifying that while registration remains closed, pre-existing BlockFi clients continue to have full access to the platform.
BlockFi’s problems come at a critical time for the three-year-old company, as it is currently attempting to close a round of funding that will bring its valuation to approx. $3 billion. The crypto assets lender has attracted over $100 million in venture capital thus far, including contributions from Coinbase Ventures and Winklevoss Capital.
In May 2020, BlockFi suffered a data breach in which the full names, addresses and dates of birth of customers were compromised.