Verify a decision

{"actor":"system:backfill","investigation_id":"641ae7b7-45b5-41ee-a639-bb92d3be674a","kind":"publish","page_slug":"transak","published_at":"2026-05-19T16:33:20.494Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Transak","sections":[{"content":"Transak is a fiat-to-crypto payment infrastructure provider founded in 2019 by Sami Start (CEO) and Yeshu Agarwal. The company enables users in 160+ countries to purchase cryptocurrency using fiat currency, supporting 100+ cryptocurrencies across 75+ blockchains. Transak integrates with over 350 platforms including MetaMask, Phantom, and Uniswap, and claims over 8.3 million users globally. The company has raised $37 million in funding from investors including Tether, IDG Capital, and ConsenSys. Transak operates registered entities in the USA, UK, Canada, Australia, Poland, India, and Hong Kong. Transak Limited, a subsidiary, is registered with the UK's Financial Conduct Authority (FCA) as a crypto asset firm. In March 2024, Transak announced it became the first crypto on-ramp provider to achieve SOC 2 Type 2 compliance.","heading":"Company Overview","severity":"low","sources":[{"credibility":2,"name":"DL News: A conversation with Sami Start, co-founder and CEO of Transak","type":"news_article","url":"https://www.dlnews.com/research/internal/conversation-sami-start-co-founder-and-ceo-of-transak/"},{"credibility":1,"name":"Transak: Becomes First Global On/Off-Ramp To Achieve SOC 2 Type 2 Compliance","type":"official","url":"https://transak.com/blog/transak-becomes-soc-2-type-2-compliant"},{"credibility":2,"name":"Tracxn: Transak Company Profile","type":"research","url":"https://tracxn.com/d/companies/transak/__p3zhs3X2HLYPf-C4IKvJH9YPlCk6aIZmK9DQGCdgIww"}]},{"content":"In October 2024, Transak disclosed a data breach affecting 92,554 users, representing approximately 1.14% of its user base. The breach originated when an attacker conducted a phishing attack against a Transak employee's laptop, then used the compromised credentials to access the dashboard of a third-party KYC (Know Your Customer) vendor that Transak relies upon for document scanning and identity verification services. Exposed data included users' full names, dates of birth, passport numbers, driver's license details, and selfie photographs used in liveness verification. Transak stated that no financially sensitive information was compromised — including email addresses, phone numbers, passwords, credit card details, or Social Security Numbers. The responsible employee was reportedly dismissed following the incident. Transak's official blog disclosed the breach on October 21, 2024. CEO Sami Start stated: 'No bank statements, social security numbers, or credit card details were accessed, and even emails or passwords were not involved, which significantly reduces the severity of the incident.' Transak notified relevant data protection authorities including the UK's Information Commissioner's Office (ICO) and regulators across the EU and US, and offered identity monitoring services to affected users. Transak's documentation confirms an integration with Sumsub for KYC reliance, though the company has not publicly named the specific vendor compromised in this incident.","heading":"October 2024 Data Breach","severity":"high","sources":[{"credibility":1,"name":"Transak Official Blog: Transparency and Action — Response to a Recent Security Incident","type":"official","url":"https://transak.com/blog/transak-security-incident-oct-2024"},{"credibility":1,"name":"CoinDesk: Crypto Employee's Use of Laptop Outside of Work Cited in Data Breach Affecting 93K Transak Users","type":"news_article","url":"https://www.coindesk.com/tech/2024/10/21/crypto-on-ramp-service-transak-targeted-in-data-breach"},{"credibility":2,"name":"The Block: Transak discloses data breach affecting nearly 100,000 users, Stormous ransomware gang claims responsibility","type":"news_article","url":"https://www.theblock.co/post/322263/transak-discloses-data-breach-affecting-over-57000-users-stormous-ransomware-gang-claims-responsibility"},{"credibility":2,"name":"SC Media: Over 92K impacted by Transak data breach","type":"news_article","url":"https://www.scworld.com/brief/over-92k-impacted-by-transak-data-breach"},{"credibility":1,"name":"Transak Documentation: KYC Reliance using Sumsub","type":"official","url":"https://docs.transak.com/features/kyc-reliance-sumsub"}]},{"content":"The Stormous ransomware group claimed responsibility for the Transak breach, alleging the extraction of over 300GB of data from Transak's systems. The group published a leak page on or around October 31, 2024, releasing a subset of alleged stolen data and threatening to leak or sell the remainder unless ransom demands were met. Stormous claimed the stolen data included government-issued identification documents, financial statements, proof of address records, and user selfies — a broader scope than Transak's official disclosure. The group had previously claimed responsibility for a July 2024 breach of Fractal ID, a Web3 decentralized identity system. ZachXBT, an on-chain investigator, highlighted the discrepancy between Transak's characterization of the breach as limited to 'names and basic identity information of a small number of users' and the ransomware group's claims of a much larger dataset. CEO Sami Start acknowledged uncertainty about the group's claims, stating: 'We don't know if they necessarily did this or if they're just claiming credit for it.' The ransomware group's stated scope has not been independently verified by a credible third party as of the time of this report.","heading":"Stormous Ransomware Group Claims","severity":"high","sources":[{"credibility":2,"name":"The Block: Stormous ransomware gang claims responsibility for Transak breach","type":"news_article","url":"https://www.theblock.co/post/322263/transak-discloses-data-breach-affecting-over-57000-users-stormous-ransomware-gang-claims-responsibility"},{"credibility":2,"name":"ChainCatcher: ZachXBT — Transak suffered ransomware attack, leakage of user information","type":"news_article","url":"https://www.chaincatcher.com/en/article/2148218"},{"credibility":3,"name":"RedPacket Security: Stormous Ransomware Victim — Transak","type":"community_report","url":"https://www.redpacketsecurity.com/stormous-ransomware-victim-transak/"},{"credibility":2,"name":"CryptoNews: Transak Discloses Hack As Stormous Group Claims Attack","type":"news_article","url":"https://cryptonews.com/news/transak-discloses-ransomware-hack-as-stormous-ckla/"}]},{"content":"On-chain investigator ZachXBT flagged the Transak incident, noting the ransomware attack and the resulting leakage of user information. ZachXBT highlighted a notable discrepancy: while Transak's official communications characterized the breach as limited in scope to 'basic identity information,' the Stormous ransomware group publicly claimed far broader data extraction including financial statements and proof of address documents. ZachXBT also noted the connection between the Stormous group's Transak attack and the same group's earlier breach of Fractal ID in July 2024, suggesting a pattern of targeting crypto identity infrastructure.","heading":"ZachXBT Coverage","severity":"medium","sources":[{"credibility":2,"name":"ChainCatcher: ZachXBT — Transak recently suffered a ransomware attack","type":"news_article","url":"https://www.chaincatcher.com/en/article/2148218"}]},{"content":"On March 11, 2025, plaintiff Shane Pearson filed a class action lawsuit against Transak USA LLC in the US District Court for the Southern District of Florida (Case No. 1:25-cv-21146). The complaint alleged that Transak failed to implement reasonable and adequate data security measures and did not provide timely notice to affected individuals. Claims included negligence, breach of third-party contract, invasion of privacy, and unjust enrichment. The U.S. breach was reported to have affected 23,113 individuals — a subset of the broader global 92,554-user figure — with data including full names, addresses, driver's license numbers, and dates of birth. The lawsuit received preliminary court approval for a $601,000 settlement on September 7, 2025. Under the settlement terms, class members with documented out-of-pocket losses such as identity theft remediation or credit monitoring expenses may claim up to $1,500; those without documentation may receive $50. The claim deadline was set for December 1, 2025, with a final approval hearing on December 15, 2025. A dedicated settlement site was established at TransakUSASettlement.com. Transak has not admitted wrongdoing as part of the settlement.","heading":"Class Action Lawsuit and Settlement","severity":"high","sources":[{"credibility":1,"name":"ClassAction.org: $601K Transak Settlement Ends Class Action Lawsuit Over September 2024 Data Breach","type":"court_filing","url":"https://www.classaction.org/news/601k-transak-settlement-ends-class-action-lawsuit-over-september-2024-data-breach"},{"credibility":1,"name":"Bloomberg Law: Crypto Services Provider Transak Sued Over 2024 Data Breach","type":"news_article","url":"https://news.bloomberglaw.com/us-law-week/crypto-services-provider-transak-hit-with-suit-over-data-breach"},{"credibility":1,"name":"Law.com: Crypto Firm Transak Sued in Miami Over Data Breach, Delayed Response","type":"news_article","url":"https://www.law.com/nationallawjournal/2025/03/12/crypto-firm-transak-sued-in-miami-over-data-breach-delayed-response/"},{"credibility":2,"name":"Top Class Actions: Transak class action claims crypto company failed to protect customer data","type":"news_article","url":"https://topclassactions.com/lawsuit-settlements/lawsuit-news/transak-class-action-claims-crypto-company-failed-to-protect-customer-data/"},{"credibility":2,"name":"ClaimDepot: Transak USA Data Breach Affects 23,113 Individuals","type":"other","url":"https://www.claimdepot.com/data-breach/transak"},{"credibility":1,"name":"Pearson v. Transak USA — Settlement Agreement (PDF)","type":"court_filing","url":"https://www.classaction.org/media/pearson-v-transak-usa-settlement.pdf"}]},{"content":"The Transak breach illustrates a systemic risk pattern in crypto identity infrastructure: user KYC data collected through third-party identity verification vendors creates concentrated exposure even when the primary platform operator maintains separate security controls. Transak did not publicly name the specific KYC vendor whose dashboard was compromised, stating only that it was a vendor used for 'document scanning and verification services.' Transak's public documentation confirms a KYC reliance integration with Sumsub, though no public source has confirmed Sumsub as the vendor specifically accessed during the October 2024 incident. The attack vector — phishing an employee to obtain credentials to a vendor's admin panel — bypassed any technical controls Transak maintained on its own systems. This breach follows a similar pattern to the Fractal ID breach in July 2024, also claimed by Stormous, and a Sumsub-related data leak reported in early 2026, indicating broader vulnerability across shared KYC infrastructure in the Web3 sector.","heading":"Third-Party Vendor Risk","severity":"high","sources":[{"credibility":1,"name":"Transak Official Blog: Response to Security Incident","type":"official","url":"https://transak.com/blog/transak-security-incident-oct-2024"},{"credibility":2,"name":"CyberPress: Alleged Data Breach in Transak's KYC Database","type":"news_article","url":"https://cyberpress.org/breach-in-transaks-kyc/"},{"credibility":2,"name":"Infosecurity Magazine: Phishing Attack Impacts Over 92,000 Transak Users","type":"news_article","url":"https://www.infosecurity-magazine.com/news/phishing-attack-impacts-over-92000/"}]},{"content":"Following the breach, Transak stated it notified relevant data protection authorities including the UK's Information Commissioner's Office (ICO), EU regulators, and US authorities as required under applicable data protection laws including GDPR and the UK Data Protection Act. The company engaged leading cybersecurity firms and forensic experts to investigate the incident. Additional security measures implemented in response included enhanced phishing and social engineering awareness training, increased investment in system security controls, and a review of third-party vendor access protocols. Transak also provided identity monitoring services to affected users. As of the time of this report, no regulatory enforcement actions or fines against Transak related to the October 2024 breach have been publicly reported.","heading":"Regulatory Notifications and Compliance Response","severity":"medium","sources":[{"credibility":1,"name":"Transak Official Blog: Update on Security Incident","type":"official","url":"https://transak.com/blog/transak-security-incident-update-oct-2024"},{"credibility":1,"name":"Transak Compliance Page","type":"official","url":"https://transak.com/compliance"}]}],"sources_used":[],"summary":"Transak is a fiat-to-crypto on-ramp infrastructure provider founded in 2019 and serving over 8 million users across 160+ countries, with integrations into major platforms including MetaMask, Phantom, and Uniswap. In October 2024, a phishing attack on an employee's laptop led to unauthorized access to a third-party KYC vendor's dashboard, exposing the personal identity documents of approximately 92,554 users globally, including names, dates of birth, government-issued IDs, and selfie photos. The breach resulted in a $601,000 class action settlement covering U.S.-based affected users, and the Stormous ransomware group claimed responsibility, alleging extraction of over 300GB of data.","timeline":[{"date":"2019-01-01","event":"Transak founded by Sami Start and Yeshu Agarwal.","source":"DL News","source_url":"https://www.dlnews.com/research/internal/conversation-sami-start-co-founder-and-ceo-of-transak/"},{"date":"2024-03-07","event":"Transak announced SOC 2 Type 2 compliance certification, claiming to be the first crypto on-ramp provider to achieve this standard.","source":"Transak Official Blog","source_url":"https://transak.com/blog/transak-becomes-soc-2-type-2-compliant"},{"date":"2024-09-23","event":"Transak was first contacted by a hacker claiming to have accessed confidential data from its network (per U.S. class action filing).","source":"ClassAction.org","source_url":"https://www.classaction.org/news/601k-transak-settlement-ends-class-action-lawsuit-over-september-2024-data-breach"},{"date":"2024-10-20","event":"Reported date of the phishing-enabled breach of a Transak employee's laptop and subsequent access to a third-party KYC vendor's dashboard.","source":"RedPacket Security / CryptoNews","source_url":"https://www.redpacketsecurity.com/stormous-ransomware-victim-transak/"},{"date":"2024-10-21","event":"Transak publicly disclosed the data breach via its official blog, confirming 92,554 users were affected. CEO Sami Start issued public statements.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2024/10/21/crypto-on-ramp-service-transak-targeted-in-data-breach"},{"date":"2024-10-21","event":"ZachXBT flagged the Transak ransomware incident, highlighting the discrepancy between Transak's characterization and the attackers' claims.","source":"ChainCatcher","source_url":"https://www.chaincatcher.com/en/article/2148218"},{"date":"2024-10-31","event":"Stormous ransomware group published a leak page for Transak, claiming extraction of 300GB+ of data and releasing a subset publicly.","source":"RedPacket Security","source_url":"https://www.redpacketsecurity.com/stormous-ransomware-victim-transak/"},{"date":"2025-03-11","event":"Plaintiff Shane Pearson filed a class action lawsuit against Transak USA LLC in the Southern District of Florida (Case No. 1:25-cv-21146), alleging failure to adequately protect user data and delayed breach notification.","source":"Bloomberg Law","source_url":"https://news.bloomberglaw.com/us-law-week/crypto-services-provider-transak-hit-with-suit-over-data-breach"},{"date":"2025-09-07","event":"The Pearson v. Transak USA class action received preliminary court approval for a $601,000 settlement covering 23,113 U.S.-based affected individuals.","source":"ClassAction.org","source_url":"https://www.classaction.org/news/601k-transak-settlement-ends-class-action-lawsuit-over-september-2024-data-breach"},{"date":"2025-12-01","event":"Claim submission deadline for affected U.S. class members in the Transak USA settlement.","source":"ClassAction.org","source_url":"https://www.classaction.org/news/601k-transak-settlement-ends-class-action-lawsuit-over-september-2024-data-breach"},{"date":"2025-12-15","event":"Final approval hearing scheduled for the Transak USA class action settlement.","source":"ClassAction.org","source_url":"https://www.classaction.org/news/601k-transak-settlement-ends-class-action-lawsuit-over-september-2024-data-breach"}]},"v":1}