A darknet hacker claiming to have stolen thousands of KYC documents—for sale at $1-$10 a pop—appears to have offered evidence, in direct response to a Decrypt article that cast doubt on the claims.
The hacker—known as ExploitDOT on the darknet—has released screenshots of images that back up his/her/their claims that they hacked leading crypto exchanges, including Binance. Crypto exchanges have a reputation for being hacked—such as Cryptopia this month—but typically, it is user funds that are stolen. This particular theft, however, allegedly obtained the personal details of users, totaling 85GB. To be clear, the documents are still not objective "proof." They could, plausibly, have been fabricated or lifted from elsewhere.
Earlier this week, CCN posted this article, which asked whether hacked customer data was being sold on the darknet. A cybersecurity expert had contacted the site providing three pieces of KYC data, the link to the post on the darknet, and a response from Binance—which wasn’t independently verified by CCN. The story was picked up by several other sites, including The Block Crypto, which contained a statement from Binance and further public messages from the hacker.
In response, Decrypt wrote an article that questioned whether there was enough evidence to say the hack was real, putting the post into context with other posts written by ExploitDOT on various forums that appeared to show a tendency for hyperbole. To counter this claim, the hacker wrote this rather rambling document which took aim at the doubt expressed, and said the media was not living up to the hacker’s high standards.
The document contains twenty-six links to screenshots—showing a variety of images, from scans of passports to crypto exchange users holding up driving licenses. The photos range in size, with some screenshots showing hundreds of minute images while others are easily legible. The personal data on these has been covered up, but the writing is still legible and shows which exchanges the KYC checks were associated with. The exchanges include Binance, Kraken, Bittrex, and Bitfinex.
"This image definitely did not come from our system. Could be this person got hacked, could be someone who subpoenaed his info got hacked, could be his cloud backups of his photos got hacked," Kraken CEO Jesse Powell told Decrypt.
A Bitfinex spokesperson said, "After careful investigation, we have seen no evidence to date that any images or data associated with this cache of documents were obtained as a result of any breach of our systems." The response from Binance can be seen here.
The data dump appears to be even larger than originally reported. According to the hacker, the documents being sold are only a part of a larger collection. As to the size of the data, an additional screenshot shows the figures 42.5 GB and 42.6 GB, presumably representing the sizes of the folders containing these images—although this could have been faked.
But how was the data obtained? As reported in the previous article, a Binance representative said there was no evidence the hack had come from Binance. Both Decrypt and The Block Crypto suggested the KYC data may have been obtained through a phishing attack. Yet the hacker denies this, arguing that phishing could not yield such a large amount of this type of data.
While the hacker seems all too willing to show off his/her/their hoard, they have mixed feelings over what to do with the KYC data they allegedly own. After offering to sell the data in chunks, they’re now considering destroying the data, for a price. The reason, says the hacker, is that it will help them to do something good, presumably instead of breaking into exchanges and stealing people’s data. In the document, they write, “I do what gets me paid, that doesn't hurt individuals personally, and I'm fine with what I do as long as I don't hurt people personally and financially.” How decent.
But during this moral crusade, the data thief did manage to threaten the Decrypt journalist with “consequences” and continues to offer the trove to anyone willing to pay for it. Let’s just hope that, whoever the buyers are, the seller can check their details to ensure they too are obtaining stolen identities for the right reasons.
We will update this article once exchanges have replied.