On Tuesday, Jack Mallers’ Bitcoin-focused payments app Strike responded to a media inquiry about a customer database breach, saying, “There’s no evidence that Strike was breached.” However, within minutes, crypto researcher ZachXBT had posted evidence of the breach in a Telegram channel, and within hours, Strike admitted to customers that its email list was indeed breached by a third party.
The incident isn’t the first time that Strike and its CEO Mallers have misled the public about the reality of the company’s operations.
Mallers promised, for example, that customers would be able to use Strike to pay for everyday purchases in bitcoin at Walmart, McDonald’s, Walgreens, and Starbucks. This simply never happened.
Then in 2021, Mallers demonstrated international workers sending a USD remittance in their Strike account. In fact, for months, Strike was secretly representing Tether as USD to customers in its app.
Good thing Tether’s peg held $1 until Strike disclosed the full truth. Nowadays, it’s stopped using Tether, anyway.
Too bad customers thought they had real USD all along. On their behalf, and without their consent, Strike previously used Tethers to back the USD balances that it represented as USD to customers.
The email breach at Strike was real
In a statement to crypto publication The Block, Strike initially denied ZachXBT’s allegations of a major data breach. The breach, ZachXBT alleged, exposed private email addresses customers had used to register with Strike.
Evidence soon surfaced.
Strike customers started receiving scam emails sent to a dedicated email address that they used only to sign up for Strike. Phishing emails used well-known brands in the crypto industry, such as Etherscan and OpenSea.
yo @Strike when did you leak your customer emails? I just received scam email from https://t.co/y5ATj4ck7j<[email protected]> to an email address that I only gave to [email protected] -> You’re on the list!
— BitcoinEagle.dev (@bitcoin_eagle) October 30, 2023
A customer complains about Strike’s data breach.
Another phishing attack played off of the idea that some beginners might not know how digital assets work. It suggested that users could only confirm a transaction if they clicked through to a phishing site.
Received cryptocurrency phishing email that was delivered to my @Strike address. Any known security breach?@zachxbt @Strike @jackmallers pic.twitter.com/CiZH0UNQMt
— 𝅙 (@joaovarelas) October 28, 2023
More customers complain to Strike about phishing emails.
Read more: Bud to Bitcoin: How Strike’s Jack Mallers stumbled from cannabis to crypto
Anonymous investigator ZachXBT posted evidence of the breach on a Telegram channel. The evidence included the above claims, which suggested that the scam emails would only have happened if Strike had actually suffered a data breach.
The curious history of Strike
Jack Mallers was born into wealth and enjoyed family connections to the highest tiers of Chicago finance. His original startup, Zap, rotated through business models like Colorado cannabis payments and white-labeled Bittrex services.
When El Salvador announced bitcoin as legal tender, Mallers tried to earn a government contract for Strike. He lost to Chivo, a South American competitor.
Zap eventually pivoted to developing Tether, Bitcoin, and Bitcoin Lightning Network-based functionalities. It launched Strike API in 2021. Twitter integrated its API to provide a Bitcoin Lightning Network-based tipping option, which has failed to gain much traction. As Elon Musk purchased Twitter, Musk made his intentions clear to opt for Dogecoin.
Unfortunately, researcher ZachXBT has forced Mallers and Strike to backpedal yet again. Despite the company’s initial claim that “there’s no evidence that Strike was breached,” there was plenty of evidence. Indeed, Strike was breached.