Yet, the full story was – and remains – more complicated than it first
appeared.
First, it has deep roots, extending back to an incident in May when an outside
group broke into Binance user accounts and stole 7,000 bitcoin. At the time,
Binance was, as always, public about its problems, describing it as part of a
“large-scale security breach” in which “hackers were able to obtain a large
number of user API keys, 2FA codes and potentially other info.”
Unmentioned, however, was that identifying user information may have been
leaked.
It’s during this event that Platon alleges the information they have obtained
about Binance customers was produced, although in a twist, he says he was
not the perpetrator of the hack, but that he hacked an exchange “insider”
involved in the heist.
In another turn, Binance alleges the customer data was obtained from an
unnamed third-party company it has contracted to conduct its know-your-
customer (KYC) since February 2018.
In conversations with CoinDesk, Platon has claimed they are a “white hat
hacker” and, in a few comments, suggested they were asking Binance for a
bug bounty for exposing the information. Negotiations broke down, however,
and Platon and Binance representatives reported that he asked for 300 bitcoin
in order to further expand on the data he held.
“We would like to inform you that an unidentified individual has threatened and
harassed us, demanding 300 BTC in exchange for withholding 10,000 photos
that bear similarity to Binance KYC data. We are still investigating this case for
legitimacy and relevancy.”
We have contacted Binance for further comment.
Platon claims they have 60,000 pieces of KYC information in their collection.
What follows is what we know about the negotiations and their aftermath.
Moving Money
CoinDesk’s interaction with Platon first began in July, when we began
reporting on the movement of bitcoins stolen in the May breach of Binance.
Binance responded to the hack at the time, saying malicious actors acquired
customers’ APIs, two-factor codes, and “potentially other information.”
Platon’s take on the incident was different. They allege that an insider within
the organization helped make a number of APIs public that allowed the
hackers to directly access client accounts. Hackers stored lists of client API
keys – the codes used to access their accounts remotely – in text files Platon
claimed to be able to acquire. This allowed the hackers to access funds
remotely.
Using these stolen API keys, the hackers wrote a malicious script that
allowed them to instantly withdraw 0.002 BTC (roughly $23) at a time. The code
placed a buy order for an obscure token called the BlockMason Credit
Protocol and converted it to bitcoin. The code, which we have examined,
could also perform a number of functions using API calls that are no longer
open or public. When we tested one API call, however, a simple request for
the server time, it was still open. It is unclear if the closed API endpoints were
removed or simply hidden.
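The pattern described above, many small identical withdrawals driven by harvested API keys after a buy-and-convert of an obscure token, is something an exchange can look for in its own API audit trail. The following is an added example written for this article, not code from CoinDesk, Binance or Platon; the log record layout, the key names, the BCPT ticker and the thresholds are all assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API audit log: (timestamp, api_key, action, asset, amount).
# key-A mimics the scripted drain the article describes; key-B is ordinary use.
SAMPLE_EVENTS = [
    ("2019-05-07 17:00:00", "key-A", "buy", "BCPT", 1500.0),
    ("2019-05-07 17:00:02", "key-A", "sell", "BCPT", 1500.0),
    ("2019-05-07 17:00:03", "key-A", "withdraw", "BTC", 0.002),
    ("2019-05-07 17:00:09", "key-A", "withdraw", "BTC", 0.002),
    ("2019-05-07 17:00:15", "key-A", "withdraw", "BTC", 0.002),
    ("2019-05-07 17:00:21", "key-A", "withdraw", "BTC", 0.002),
    ("2019-05-07 17:00:27", "key-A", "withdraw", "BTC", 0.002),
    ("2019-05-07 18:30:00", "key-B", "withdraw", "BTC", 0.002),
    ("2019-05-08 09:00:00", "key-B", "withdraw", "BTC", 0.25),
]
FMT = "%Y-%m-%d %H:%M:%S"

def find_scripted_withdrawals(events, window=timedelta(minutes=5), min_count=5):
    """Keys that make >= min_count withdrawals of one asset with an identical
    amount inside `window`: a burst pattern typical of a script, not a user."""
    by_key = defaultdict(list)
    for ts, key, action, asset, amount in events:
        if action == "withdraw":
            by_key[(key, asset, amount)].append(datetime.strptime(ts, FMT))
    flagged = set()
    for (key, _asset, _amount), times in by_key.items():
        times.sort()
        for end in range(min_count - 1, len(times)):  # check each run of min_count
            if times[end] - times[end - min_count + 1] <= window:
                flagged.add(key)
    return flagged

def find_convert_and_drain(events, max_gap=timedelta(seconds=30)):
    """Keys that buy a non-BTC asset, sell it and withdraw BTC within max_gap:
    the buy-obscure-token, convert-to-BTC, withdraw sequence from the article."""
    by_key = defaultdict(list)
    for ts, key, action, asset, _amount in events:
        by_key[key].append((datetime.strptime(ts, FMT), action, asset))
    flagged = set()
    for key, evs in by_key.items():
        evs.sort()
        for i, (t0, action, asset) in enumerate(evs):
            if action != "buy" or asset == "BTC":
                continue
            later = [(a, s) for t, a, s in evs[i + 1:] if t - t0 <= max_gap]
            if ("sell", asset) in later and ("withdraw", "BTC") in later:
                flagged.add(key)
    return flagged
```

Both heuristics flag only key-A on the sample data; in practice a hit on either is a reason to suspend the key and step up verification on the account rather than a verdict on its own.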
Platon alleges the stolen coins were held in a wallet hosted by bitcoin software
wallet provider Blockchain, the maker of the recently launched PIT exchange.
By following a trail leading from this wallet, Platon discovered that the hackers
had laundered 2,000 bitcoins through Bitmex, Yobit, KuCoin, and Huobi and
were looking to convert as much as $1 million in bitcoin per day.
How It Worked
Of the 60,000 customer accounts Platon alleges were breached, he shared
636 files with CoinDesk. He hoped the media attention would spur Binance to
announce the true extent of the hack, and bring the attackers to justice.
For its part, Binance announced the stolen bitcoin came only from their
corporate accounts and did not affect consumers. At the time, the exchange
also suspended deposits and withdrawals to protect users. However, the
extent of leaked user information was kept secret.
In addition to images of passports, driver's licenses and actual headshots of
users holding up their IDs, Platon also supplied a few examples of metadata
associated with the images.
For example, this code suggests a user went through KYC on 03/20/2018:
{
"id": 1573211,
"userId": "25276308",
"front": "/IDS_IMG20180320/25276308_0_9416819.jpg",
"back": "/IDS_IMG20180320/25276308_1_7376587.jpg",
"hand": "/IDS_IMG20180320/25276308_2_4413070.jpg",
"auditor": "chenxiaozi",
"message": "",
"status": 1,
"createTime": "2018-03-20 08:12:33",
"updateTime": "2018-03-21 01:48:33",
"number": "s532557730580",
"firstName": "m[REDACTED]",
"lastName": "[REDACTED]",
"type": 2,
"sex": 1,
"country": "United States of America (USA)(美国)",
"email": "[REDACTED]@outlook.com",
"version": 1
}
The KYC took place in China, as suggested by the name of the auditor as well
as the addition of “美国” at the end of the country field. It is unclear what
the other fields represent.
“This is highly likely to be an API key attack,” said Viktor Shpak, CTO at
blockchain development firm VisibleMagic. “They harvested API keys from
somewhere.”
API keys are used to authenticate services within exchanges and other
applications and could allow a hacker to do anything from buying cryptocurrency
on a victim’s behalf to actually moving cryptocurrency to an outside wallet.
Platon’s Motivation
While speaking with CoinDesk, Platon also contacted Binance’s chief growth
officer (CGO), Ted Lin, as part of a multi-front effort to bring the hackers to
justice (or so he alleges).
“I informed [Lin] that I have got insider information such as insider’s detail,
insider’s communication details with outsiders and even insider’s photo. I
informed him that I have details of hackers – server information, their identity,
their phone numbers and etc.”
In a message from Lin that Platon shared with CoinDesk, the CGO was
receptive to pay for information that could lead to the arrest of the hackers,
insiders and recovery of funds.
However, in this same message, Lin rebuffed Platon for the “FUD campaign”
he was running.
“As I said, we don’t react to extortions,” Lin said. In earlier conversations with
CoinDesk, Platon claimed to be independently wealthy, and the operator of a
crypto exchange he says is one-third the size of Binance.
Somewhere along the line, however, negotiations broke down. On July 22,
just five days after they initially contacted CoinDesk, Platon said he had
stopped negotiating with Binance.
“For about a month of negotiation, they didn’t pay a single penny,” Platon said.
“My deal with Binance is broken.”
Platon supplied the following alleged exchange with Ted Lin where the
negotiations broke down:
Platon’s explanation is simple: they think they are doing the right thing.
“People keep asking, ‘Why are you releasing those KYC photos?,’ ‘How did
you get them?’ The reason I am releasing those KYC is simple: To warn you
people who are dealing on Binance,” they wrote. “If I needed money, I would
sell it underground, not to publish it.”