This week, popular Malta-based cryptocurrency trading platform Binance informed its community about an unsuccessful extortion attempt that had been made against the exchange and said it was investigating the matter further.
The revelation comes after the extorter had begun distributing know-your-customer images — i.e. photos of traders holding up their personal IDs — in a Telegram chat room and to cryptocurrency trade publications. Going by the handle Guardian M, the distributor has asserted the pictures are from Binance and other exchanges.
One of those trade publications, CoinDesk, has since confirmed with some traders that their apparent KYC photos found in the dump were real. The outlet confirmed with another affected individual that a picture of them found therein looked real but had falsified information on their ID.
With that said, it’s not clear how much of the data is authentic and precisely where it all came from. Zooming out, it’s possible the images derive from a third-party provider or, worse yet, a phishing campaign that may have ensnared the identities of many individuals.
Binance Responds and Points Out Inconsistencies
Curiously, the KYC data dump doesn’t appear to be the result of any kind of exchange hack.
In an update announcement titled “Statement on False ‘KYC Leak,’” Binance revealed an anonymous person had been “demanding 300 BTC in exchange for withholding 10,000 photos that bear similarity to Binance KYC data.”
The exchange noted the peculiarities of the purported leak. First off, the data dump didn’t appear to come from Binance itself, as the distributed images didn’t have Binance’s in-house watermarks that are used by the exchange’s own systems.
Secondly, the exchange said the KYC images appeared to be from the “same data set” as the KYC data haul reported on in the cryptocurrency ecosystem earlier this year. That data was alleged to come from top exchanges like Binance and Kraken.
Yes it appears to be the same. The only difference is the hacker is now blackmailing Binance rather than trying to sell the data.
— Tim.decrypt (@Timccopeland) August 7, 2019
Amid those earlier reports, Kraken chief executive officer Jesse Powell noted the images also lacked Kraken’s internal watermarks.
“This could easily be a ton of phished iCloud/GSuite accounts where people were auto syncing photos from their phones,” Powell told news site Decrypt at the time. “There are just way too many possible sources of these images if you are looking back eight years.”
Fast-forwarding to the present day, Binance said in its Tuesday update that it couldn’t initially rule out that part of the revealed KYC data had come from a third-party vendor the startup had contracted to process KYC verifications back in February 2018.
“Currently, we are investigating with the third-party vendor for more information,” the exchange explained.
The episode could also be linked to a wider phishing campaign. As Bitcoin analyst Dovey Wan noted on Twitter, some people who joined the Guardian M chat room ended up receiving phishing calls shortly thereafter, as Telegram relies on users’ mobile numbers for accounts.
A few friends said they received calls after they joined the Telegram group, and there are systematic phishing calls to Binance customers that started a few days ago, it seems like.
But my understanding is Binance will never call you … https://t.co/mVATBmwSZn
— Dovey 以德服人 Wan 🗝 🦖 (@DoveyWan) August 7, 2019
Got a Helpful Lead? You Could Be Rewarded
“The relevant law enforcement agencies have been contacted and we will be working closely with them to pursue this person,” Binance declared in their statement.
Moreover, the Malta-based exchange went one step further, announcing they would offer a reward of up to 25 bitcoin for information that can help Binance bring the extortionist to justice:
“If you are able to provide any information to help identify this person and allow us to pursue the individual through legal action, we will offer a reward of up to 25 BTC, dependent on the relevance of the data supplied. You may submit this information by opening a support ticket at https://support.binance.com.”
Notably, Binance CEO Changpeng Zhao also later called for the cryptocurrency community to avoid helping the culprit spread the link to Guardian M’s Telegram chat room.
I would like to add, by joining or spreading the link of the telegram group, you are helping malicious hackers (at least giving attention). What we should do as an industry is to fight them. Stay on the positive side. Report the group, then leave. 🙏🙏🙏 https://t.co/Cvxks2S69i
— CZ Binance (@cz_binance) August 7, 2019