Changpeng “CZ” Zhao, CEO of Binance, the world’s largest cryptocurrency exchange by trading volume, is denying claims that hackers gained access to private user information.
Zhao says the recent rumors circulating on social media about a know-your-customer (KYC) data leak on Binance are an attempt to spread FUD (fear, uncertainty, doubt), and that the exchange is investigating the matter.
Don't fall into the "KYC leak" FUD. We are investigating, will update shortly.
— CZ Binance (@cz_binance) August 7, 2019
The Binance security team states in a blog post that an unnamed individual has allegedly been “threatening and harassing” the exchange. The unidentified person(s) are demanding a Bitcoin ransom worth $3.6 million in exchange for 10,000 customer photos they claim they’ve obtained.
Currently, the Binance team is investigating the hacker’s claims for “legitimacy and relevancy.” The exchange’s management says that the individual has refused to cooperate and is distributing the data to the public and various news media outlets.
However, the Binance security team clarifies,
“There are inconsistencies when comparing this data to the data in our system. [At present,] no evidence has been supplied that indicates any KYC images have been obtained from Binance, as these images do not contain the digital watermark imprinted by our system.”
The shared images appear to be the same ones reported in a news article previously published by Decrypt in January and appear to have been taken in February 2018 when Binance reportedly contracted a third-party company to handle KYC checks. The Malta-based crypto exchange says it’s investigating the alleged data leak with cooperation from the third-party firm.
The hacker also claims to have obtained KYC information from several other digital asset exchanges.
One Reddit user speculates that the hack could be the result of some type of phishing attack or “scam email” that derailed customers and led them to a fake Binance site where they were then instructed to resubmit their credentials to regain access to their locked accounts.
When asked to verify the source of the data, the individual “refused to provide irrefutable evidence of their findings,” according to Binance. The bad actor is now demanding 300 BTC in exchange for the KYC data.
Binance’s management has contacted the appropriate law enforcement agencies and is working with several organizations to further investigate the incident.
Notably, the Binance team is offering a 25 BTC reward (roughly $300,000) to anyone who can provide any information that would help identify the individual(s) and allow the exchange to take legal action against them. The requested information can be submitted by opening a support ticket.