Binance, one of the world's largest cryptocurrency exchanges, has revealed that it is being blackmailed to the tune of 300 Bitcoin (approximately US $3.5 million) by someone who is threatening to release some 10,000 sensitive photographs of its customers. In an attempt to identify its blackmailer, Binance has put a 25 Bitcoin (approximately US $290,000) bounty on their head.
The content allegedly stolen from Binance purports to be know-your-customer (KYC) data uploaded by the cryptocurrency exchange's customers when they first registered their accounts. That information includes photographs as well as passport details and IDs. Banks and financial institutions are required to request identifying KYC data from investors in order to stem illegal activities such as fraud, money laundering and the financing of terrorist organizations.
Although it does not directly deny that the sensitive data belongs to its customers, Binance points out that there are "inconsistencies" that suggest it may not have been stolen from the firm. Part of Binance's reasoning is that it adds a watermark to images uploaded when it requests KYC data, which makes it easier, if a data leak ever does occur, to identify where it might have originated:
At the present time, no evidence has been supplied that indicates any KYC images have been obtained from Binance, as these images do not contain the digital watermark imprinted by our system. With that said, our security team is hard at work pursuing all possible leads in an attempt to identify the source of these images.
The cryptocurrency exchange does, however, note that the images made public "all appear to be dated from February 2018, at which time Binance had contracted a third-party vendor for KYC verification in order to handle the high volume of requests at that time." The implication is clear: if these are indeed, as appears to be the case, the images of Binance users, then it may be that the unnamed third-party vendor suffered a security breach. Binance says it has sought more information from the vendor as to whether that theory might be accurate.
Perhaps to underline the point that any hack may not have been specifically against Binance but instead against third parties providing services, the cryptocurrency exchange pointed out that the hacker "claims he has KYC information from multiple exchanges."
According to Binance, after it turned down the extortionist's demands, some of the "stolen data" was distributed to interested parties in the media as well as the rest of the world via a public website and Telegram group. The chief executive of Binance, Zhao Changpeng (also known as "CZ"), turned to Twitter to discourage anyone from joining the Telegram group being used to distribute the photos:
By joining or spreading the link of the Telegram group, you are helping malicious hackers (at least giving attention). What we should do as an industry is to fight them. Stay on the positive side. Report the group, then leave.
It certainly hasn't been a great year security-wise for Binance. In May, it revealed that it had suffered a security breach that saw hackers steal more than $40 million worth of Bitcoin. And it's not even the first time that Binance has offered a substantial reward for information that leads to the arrest of hackers. Last year, the cryptocurrency exchange offered a reward equivalent to $250,000 as it sought to identify criminals who attempted to steal from the site after grabbing trading API keys from unsuspecting investors they had previously phished.
Binance says it has been in contact with law enforcement agencies about the latest incident and that it will assist the authorities with any investigation.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.