FTX creditors are taking legal action against Kroll Restructuring Administration, the firm responsible for managing claims following the crypto exchange's bankruptcy. A class action lawsuit, filed on August 20 by US-based Hall Attorneys, alleges that Kroll's handling of creditor data and communication protocols has resulted in financial harm and exposed sensitive personal information to cybercriminals.
Allegations of Data Mishandling and Security Failures
The core of the lawsuit centers on Kroll's alleged negligence and insufficient security measures. In August 2023, Kroll suffered a data breach where an unauthorized party accessed an employee's mobile number, subsequently gaining entry to Kroll’s systems and exposing sensitive creditor data, including names, addresses, email contacts, and FTX account balances. Despite this known vulnerability and consistently warning creditors about phishing risks, Kroll reportedly continued to send critical notices exclusively via email. This approach left claimants highly susceptible to scams, as evidenced by prominent FTX creditor Sunil Kavuri, who reported receiving daily fraudulent messages. Furthermore, the lawsuit claims Kroll's methods caused significant verification delays, account lockouts, and, in some instances, the complete loss of claims for affected creditors.
Demands for Compensation and Systemic Reform
Nicholas Hall, lead counsel for the plaintiffs, is encouraging all FTX creditors, irrespective of their US or Bahamas residency, to join the legal battle. The lawsuit seeks monetary compensation for class members who have suffered losses due to phishing attacks, delayed claims, and expunged filings, with potential relief ranging up to actual damages for eligible victims. Beyond financial remuneration, the creditors are demanding significant practical reforms from Kroll. These include the implementation of multi-channel communications (both email and First-Class Mail), mandatory response periods for status-change notifications, a manual tax-form option, and more stringent security controls for account updates, such as mailing verification codes. Additionally, the plaintiffs are calling for deliverability safeguards and independent audits to bolster data protection and prevent future breaches.
