According to a month-long investigation, it appears the recent know-your-customer (KYC) data leak involving data from Binance traders is linked to the Binance hack in May that resulted in over 7,000 stolen Bitcoin.
Although the investigation is still ongoing, CoinDesk says it can confirm that two out of more than a hundred allegedly leaked profiles originally created in February 2018 belong to actual Binance customers who had completed the KYC checks required by the crypto trading platform, which Binance says was handled by a third-party firm.
Information about the security breach was made public on Wednesday when a hacker who goes by the pseudonym “Bnatov Platon” started posting what he claims are photos and information about Binance users.
CoinDesk reports that Platon who calls himself an ethical “whitehat hacker” seeking a bug bounty from Binance, is effectively demanding 300 Bitcoin (BTC) worth approximately $3.5 million in exchange for the leaked KYC data and images, uploaded the data to an open website and then shared those images on Telegram.
Platon claims he has 60,000 pieces of KYC information belonging to Binance’s customers.
Binance KYC leaked? A telegram group sharing the KYC details of customers has just surfaced. @cz_binance suggests it’s old data from the 2018 hack and warns to not fall for the FUD, @binance is currently investigating. #Bitcoin #BTC #Binance pic.twitter.com/EtZYOiLRdD
— The BTC Speculator (@TheBTCSpec) August 7, 2019
KYC documents (passports, licenses, selfies) are being leaked en masse in a public Telegram group. They're purported to be from the #Binance hack.
This is exactly the reason why centralized KYC is so dangerous. pic.twitter.com/ayw3xBHsSn
— LocalCryptos (@LocalEthereum) August 7, 2019
At the time of the May hack, Binance described it as a “large-scale security breach” that allowed hackers “to obtain a large number of user API keys, 2FA codes and potentially other info” and made no allusion to compromised images of customers holding up passports. Meanwhile, Platon denies any involvement in the May hack. Instead, he says he hacked an “insider” working for the exchange who was allegedly involved in the May theft of Binance’s stolen Bitcoin.
While one of the images analyzed by CoinDesk seems to have been modified, the news outlet confirms that the individual whose identity was revealed was registered on Binance at the time of the KYC data leaks.
Platon alleges that a Binance insider assisted in making several APIs public, which gave hackers direct access to customer accounts. Platon says he managed to obtain the text files used by the hackers to keep clients’ API keys, which are codes for remotely accessing their accounts.
According to Platon, the files “contain extremely serious information” such as users’ email addresses and passwords. The clients, who may be at risk, created Binance accounts during the past two years, Platon said.
The hackers took advantage of the leaked personal information by using it to create malicious scripts that allowed them to make many small withdrawals of 0.002 BTC, Platon reveals. He also notes that the scripts issued buy orders for a BlockMason Credit token that was instantly converted to Bitcoin.
The stolen cryptocurrency was stored in a wallet created on Blockchain.com, Platon claims. He also mentions that the hackers laundered around 2,000 Bitcoins from this wallet through crypto derivatives exchange BitMEX, and several other digital asset trading platforms including Huobi, KuCoin and Yobit.
Platon, who has reportedly shared 636 files with CoinDesk, is allegedly hoping that publicly revealed sensitive customer data will create enough media attention to force Binance into announcing the true extent of the security breach. He also wants the hackers who stole the large amount of Bitcoin to be caught and punished.
Platon also shared code with CoinDesk that he claims was used to access Binance’s services through a back door. Viktor Shpak, CTO at blockchain startup VisibleMagic, confirms that Platon was correct.
“This is highly likely to be an API key attack. They harvested API keys from somewhere.”
API keys allow users to authenticate, or verify, services on crypto exchanges and other applications. If a hacker acquires these keys, then they can purchase cryptocurrency from the victim’s account and transfer it to external wallets.
Commenting on how the leaked code might be used, Platon said,
“Most likely an insider created a handler to get access to user API keys then they harvested those API keys and got access to user data and have built nice toolkit to work through this.”
When this information was presented to a Binance representative, they stated,
“As of the latest from the team, there is currently no evidence that these are KYC images from Binance and they are not watermarked per our system process.”
Meanwhile, Platon says,
“I personally wanted to make Binance world’s first exchange that capture hackers. It will be extremely positive for Binance’s reputation.”
“I informed [Lin, Binance’s chief growth officer] that I have got insider information such as insider’s detail, insider’s communication details with outsiders and even insider’s photo. I informed him that I have details of hackers – server information, their identity, their phone numbers and etc.”
According to CoinDesk, Lin told Platon that Binance would be willing to pay for information that would lead to the arrest of the hackers. However, he says the exchange will not pay 300 BTC for the leaked KYC data.
“As I said, we don’t react to extortions,” Lin states.
Platon claims he doesn’t need money as he currently owns an exchange that is one-third the size of Binance. Says Platon,
“When I require money, I can just hack out one exchange account balance (hacker’s). I could retrieve more than 600 or 700 coins easily by hacking hacker’s wallet.”
“People keep asking, ‘Why are you releasing those KYC photos?’ ‘How did you get them?’ The reason I am releasing those KYC is simple: To warn you people who are dealing on Binance. If I needed money, I would sell it underground, not to publish it.”