Threat Intelligence Analysis: Bybit Italian User Data Sought on Hacker Forum
A threat actor has posted a purchasing announcement on a hacker forum, actively seeking a supplier of phone numbers belonging specifically to Italian users of the Bybit cryptocurrency exchange. This is not a data sale, but a public request for data, signaling a high level of criminal interest in this specific target group.
The actor explicitly states their malicious intent: to use the phone numbers as “leads” for spam and “cashout” schemes. “Cashout” in this context refers to the fraudulent withdrawal of funds from compromised user accounts. This announcement strongly indicates that a targeted campaign against Italian Bybit users is imminent or already underway, and that a database containing this information may be circulating privately.
Key Cybersecurity Insights
A public request for specific data provides valuable intelligence on active and developing threats. The key implications include:
- A Highly Targeted Campaign is Being Planned: This is not a random attack. The actor’s specific request for Italian Bybit users demonstrates a calculated and prepared campaign. They likely have a pre-developed scam, localized in Italian and tailored to Bybit’s platform, and are now seeking the victim list to execute it.
- High Risk of “Smishing” and Voice Phishing (Vishing): Since the primary data being sought is phone numbers, the most probable attack vectors are SMS-based phishing (smishing) and direct voice calls (vishing). Attackers will send urgent text messages or make calls impersonating Bybit support, inventing a fake security issue to trick victims into revealing login credentials, 2FA codes, or authorizing fraudulent transactions.
- The Looming Threat of SIM Swapping for Account Takeover: A compromised phone number is the key to defeating SMS-based Two-Factor Authentication (2FA). Attackers can use other publicly available or previously leaked PII to contact a victim’s mobile carrier, impersonate them, and have the phone number “swapped” to a SIM card under their control. Once they control the number, they can initiate password resets and intercept the 2FA codes needed to take over the Bybit account and drain the funds.
- Indicates an Existing or Imminent Data Breach: A public purchasing request like this suggests one of two scenarios: a data breach containing this specific information has already occurred and the data is being sold in private circles, or the demand is so high that the actor is trying to incentivize other hackers to specifically target Bybit or a third-party partner to acquire the data.
Critical Mitigation Strategies for Bybit and its Italian Users
This threat requires immediate and proactive defensive measures from all Italian Bybit users.
- For Italian Bybit Users: Be on High Alert for Mobile-Based Scams: All Bybit users in Italy should assume they are being actively targeted. Treat all incoming text messages and phone calls claiming to be from Bybit with extreme suspicion. Bybit will not call you or text you to ask for your password or 2FA codes. Do not click on any links received in text messages regarding your account.
- For Italian Bybit Users: Upgrade from SMS 2FA Immediately: The single most effective defense against SIM swapping is to stop using SMS-based 2FA. Users must immediately log in to their Bybit account and switch to a more secure Two-Factor Authentication (2FA) method, such as an authenticator app (e.g., Google Authenticator, Authy) or a hardware security key (e.g., YubiKey).
- For Bybit: Proactive User Notification and Enhanced Monitoring: Bybit should proactively warn its entire Italian user base about this specific threat, strongly advising them to upgrade their 2FA method and be wary of smishing attacks. Internally, Bybit must enhance fraud monitoring on Italian accounts for signs of account takeover, such as logins from new devices, password resets followed by immediate withdrawal attempts, or other unusual patterns.
- For Bybit: Investigate All Potential Data Sources: Bybit should launch an internal investigation to determine if a breach of its systems or a third-party vendor has occurred. This includes auditing their own customer databases, as well as the security posture of any third-party marketing or KYC (Know Your Customer) partners that may have had access to their Italian user data.
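One way to express the account-takeover signals named above (new devices, password resets followed by immediate withdrawal attempts) as detection logic. This is an added example, not code from the original post or from Bybit; the event format, field names, sample events and 60-minute window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, account, event type, device id).
# These are illustrative only, not real exchange logs.
EVENTS = [
    ("2025-01-10T09:00:00", "acct-1", "login", "dev-A"),
    ("2025-01-10T09:05:00", "acct-1", "withdrawal_attempt", "dev-A"),
    ("2025-01-11T14:00:00", "acct-2", "login", "dev-B"),
    ("2025-01-12T02:10:00", "acct-2", "password_reset", "dev-X"),
    ("2025-01-12T02:12:00", "acct-2", "login", "dev-X"),
    ("2025-01-12T02:20:00", "acct-2", "withdrawal_attempt", "dev-X"),
    ("2025-01-12T08:00:00", "acct-3", "password_reset", "dev-C"),
    ("2025-01-14T08:00:00", "acct-3", "withdrawal_attempt", "dev-C"),
]

WINDOW = timedelta(minutes=60)  # assumed threshold for "immediate"


def find_takeover_signals(events, window=WINDOW):
    """Return (account, timestamp, reasons) for withdrawals that need review."""
    first_seen = {}  # account -> {device: time the device first appeared}
    last_reset = {}  # account -> time of the most recent password reset
    alerts = []
    for ts, account, kind, device in sorted(events):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        devices = first_seen.setdefault(account, {})
        # The first device on an account is the baseline (marked None);
        # any device that appears later is recorded with its first-seen time.
        if device not in devices:
            devices[device] = when if devices else None
        if kind == "password_reset":
            last_reset[account] = when
        elif kind == "withdrawal_attempt":
            reasons = []
            reset = last_reset.get(account)
            if reset is not None and when - reset <= window:
                reasons.append("withdrawal soon after password reset")
            seen_at = devices[device]
            if seen_at is not None and when - seen_at <= window:
                reasons.append("withdrawal from newly seen device")
            if reasons:
                alerts.append((account, ts, reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_signals(EVENTS):
        print(alert)
```

A withdrawal that matches both conditions is the strongest signal; in practice the window and the definition of a "known" device would be tuned against real account history.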