Here’s What Caused Ripple’s Fortress Trust $15 Mln Crypto Hack

Retool has disclosed that a breach enabled by Google Authenticator's cloud sync feature hit 27 of its cloud customers, with roughly $15 million in crypto reportedly stolen from one of them, Fortress Trust.
By Coingape Staff
Updated May 16, 2025

Retool has published details of a recent hacking incident that affected 27 customer accounts. In this breach, roughly $15 million worth of cryptocurrency was reportedly stolen from one of those customers, Fortress Trust, after the attacker gained control of a Retool employee's Google account. Because Google Authenticator had synced its contents to that account, the attacker also obtained the one-time-code secrets for every service the employee had enrolled, and could generate valid codes at will.


Retool’s Security Breach

In a recent disclosure, software development company Retool described a security breach that impacted 27 of its cloud customers. The breach began with a targeted SMS-based social engineering attack and has raised significant concern within the cybersecurity community.

Retool, headquartered in San Francisco, pointed a finger at Google Authenticator's cloud synchronization feature, introduced in April 2023, calling it a "dark pattern" that made the situation worse. According to Snir Kodesh, Retool's head of engineering, syncing Google Authenticator to the cloud turned out to be a novel and unexpected attack vector.

This caught the company off guard. Retool had multi-factor authentication in place, but once the Authenticator seeds were synced to the employee's Google account, compromising that one account yielded both the password and the generator of the one-time codes. Unbeknownst to administrators, the second factor had silently collapsed into the first.

The incident unfolded on August 27, 2023. It did not expose on-premises or managed accounts, only cloud customers, and it coincided with Retool's migration of logins to Okta, a key detail because it made an IT-themed request to log in again look plausible to employees.



A Closer Look Into The Cyber Hack

The attack began with SMS phishing aimed squarely at Retool's employees. The threat actors posed as members of the IT team and instructed recipients to click a seemingly legitimate link to resolve a fictitious payroll-related issue. One employee took the bait, landed on a lookalike login page, and entered their login credentials there.

According to Retool's statement, the situation then took a more serious turn because the employee had turned on Google Authenticator's cloud sync. The app's one-time-code secrets were therefore stored in the Google account the attacker now controlled, so the attacker could produce valid MFA codes at will. With both factors in hand, they reached Retool's internal admin systems and took over 27 customer accounts, all in the cryptocurrency industry. One of those customers, Ripple's recently acquired Fortress Trust, reportedly lost nearly $15 million in cryptocurrency.

In hindsight, the attack underscores the risk of syncing one-time-code secrets to the cloud, and the value of FIDO2-compliant hardware security keys against phishing: a FIDO2 credential is bound to the site's origin, so a lookalike page cannot obtain a login assertion the real site will accept, and there is no code for a victim to type or read out to a caller.
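The origin binding that makes FIDO2 phishing-resistant is easy to see in a small model. The following is an added example, not Retool's code and not any WebAuthn library; the relying-party id `retool.example`, the origins and the challenges are hypothetical. The authenticator's "signature" is an HMAC with a key only the key and the relying party hold, a stand-in for the per-credential ECDSA key pair a real security key uses; that substitution changes nothing about the two checks shown, the browser's rpId scoping and the relying party's origin check, which are what defeat a relayed challenge.

```python
"""Toy model of why a FIDO2/WebAuthn login cannot be relayed through a
lookalike site the way a TOTP code can. Added example, not Retool's code
or a WebAuthn library. HMAC stands in for the authenticator's ECDSA signature."""
import hashlib
import hmac
import json
import secrets

RP_ID = "retool.example"                         # hypothetical relying-party id
RP_ORIGIN = "https://retool.example"             # the only origin the RP accepts
PHISH_ORIGIN = "https://retool-payroll.example"  # constructed lookalike site


def origin_matches_rp_id(origin: str, rp_id: str) -> bool:
    """The browser only releases a credential if rpId is the page host or a
    registrable suffix of it. Port and path are irrelevant to the check."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Security-key model: credentials are scoped to the rpId they were created for."""

    def __init__(self):
        self._creds = {}  # credential id -> (rp_id, key)

    def make_credential(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, key)
        return cred_id, key  # the RP stores `key` at registration

    def get_assertion(self, cred_id: bytes, rp_id: str, client_data_hash: bytes):
        bound_rp, key = self._creds[cred_id]
        if bound_rp != rp_id:
            raise LookupError("no credential for this rpId")
        # authenticatorData = SHA-256(rpId) || flags (UP set); counter omitted
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(authn, page_origin, rp_id, cred_id, challenge, enforce_rp_id=True):
    """The browser, not the page, writes the origin into clientDataJSON."""
    if enforce_rp_id and not origin_matches_rp_id(page_origin, rp_id):
        raise PermissionError("rpId is not a registrable suffix of the page origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data, sig = authn.get_assertion(cred_id, rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(key, issued_challenge, client_data, auth_data, sig):
    """Relying-party checks, in the order a server performs them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge):
        return False, "challenge mismatch or replay"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def run_scenarios() -> dict:
    authn = Authenticator()
    cred_id, key = authn.make_credential(RP_ID)
    results = {}
    # 1. Genuine login from the real origin.
    ch = secrets.token_urlsafe(32)
    results["genuine"] = rp_verify(key, ch, *browser_get_assertion(authn, RP_ORIGIN, RP_ID, cred_id, ch))
    # 2. Phishing page relays the RP's real challenge; the browser refuses.
    ch = secrets.token_urlsafe(32)
    try:
        browser_get_assertion(authn, PHISH_ORIGIN, RP_ID, cred_id, ch)
        results["phish_browser"] = (True, "browser produced an assertion")
    except PermissionError as exc:
        results["phish_browser"] = (False, str(exc))
    # 3. Hypothetical lenient browser: an assertion is produced, and the RP
    #    still rejects it because the signed clientData names the wrong origin.
    ch = secrets.token_urlsafe(32)
    relayed = browser_get_assertion(authn, PHISH_ORIGIN, RP_ID, cred_id, ch, enforce_rp_id=False)
    results["phish_rp"] = rp_verify(key, ch, *relayed)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:14s} accepted={ok} ({why})")
```

Contrast this with the TOTP case: a six-digit code carries no information about where it was typed, so the real site accepts it no matter which page collected it. Here the origin is part of what the key signs, and the signature does not survive being moved to a different site.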

Though the identity of the hackers remains unknown, their tactics closely resemble those of Scattered Spider (aka UNC3944), a financially motivated threat actor known for sophisticated phishing campaigns.

Deepfake audio and other synthetic media have also drawn warnings from the U.S. government about their use in business email compromise (BEC) attacks and cryptocurrency scams. The concern is not abstract here: Retool's own account of the incident reports that after the phishing page captured the credentials, the attacker phoned the employee using a voice that impersonated a member of the IT team and talked them into providing an additional multi-factor code. The incident is a stark reminder of how quickly such threats are evolving.

