Blackmailed for Bitcoin – exchange rebuffs $3.5m ransom demand
Credit to Author: Paul Ducklin | Date: Fri, 09 Aug 2019 14:53:14 +0000
Cryptocurrencies are a big deal once again, now that Bitcoin is back over $10,000.
You might think that’s good news for cryptocurrency exchanges, which are businesses that let you trade regular money, such as Euros, Dollars and Pounds, into and out of so-called virtual currencies like Bitcoin, Monero and Dogecoin.
But it’s not all plain sailing – cryptocurrency companies are of particular interest to cybercrooks, and not only for the cryptocoins they hold.
Here’s a story of super-sized digital blackmail aimed at one of the biggest exchanges out there.
KYC
As you probably know, businesses are supposed to make an effort to know their customers (and their suppliers) these days, as a way of making money laundering more difficult.
And know-your-customer (KYC) rules are particularly important for banks and other businesses, including cryptocoin exchanges, that let people put in money at one end, shuffle it around a bit, or even a lot, and later extract it at the other.
The problem with KYC rules is that they force companies to collect and keep personal data that both you and they would much rather not send across the internet – for example, bills that prove your address, bank statements that vouch for the source of your money, scans of your passport to confirm your identity, and more.
Ironically, the stuff that you’re expected to keep confidential to keep it out of the hands of cybercrooks and to make identity theft harder…
…that’s the very stuff that you now have to share electronically with an ever-increasing number of online businesses, who are forced to demand it just in case you turn out to be a cybercrook yourself.
(If you’ve ever needed to recover a social media account after having your password hacked, you’ve probably, and understandably, had to jump through “prove thyself” hoops that involved sending over the internet exactly the sort of data you wouldn’t usually dream of sending over the internet.)
Collect and store
Now imagine that you’re a cryptocurrency exchange.
Not only do you manage a whole pile of online accounts and cryptocoin wallets (free money!) that cybercrooks would love to get their paws on, you also have a cupboard full of seriously personal data about your customers (free identities!) that the crooks would love just as much.
After all, in the event of a password breach, you can always change your password, and as long as you do it before the crooks get round to trying your old one, you’ve essentially solved the problem.
But it’s much harder to get a new passport, almost impossible to get a new Social Security or National Insurance number, and entirely impossible to get a new birthday.
Give us money or else…
One of the world’s biggest cryptocurrency exchanges, Binance, is currently facing a blackmail saga in connection with alleged KYC data.
Simply put, a crook is claiming to have stolen KYC data on some 10,000 Binance customers, and wants a blackmail payment of BTC 300 (currently about $3,500,000) not to publish it.
It’s kind of like sextortion, where the crooks threaten to reveal personal information about you unless you pay up, except that this time it’s not up to you to pay the money, but up to someone else.
As you probably know, sextortion scams (they get that name because the data they threaten to leak is usually of a sexual or prurient nature) try to convince you that the threat is real by including sample data that “proves” you were hacked, such as a phone number or password.
But sextortion scams are almost always totally bogus – the “proof” comes from an earlier data breach, and that’s all the crooks have got.
The “proof” means nothing, and the rest of the scary story about the sexy data they have on you is made-up.
In Binance’s case the concern isn’t that the photos are of a sexy sort, but of an identificational sort – as you can imagine, they’re not the kind of pics that might embarrass you, but rather the kind that might put you at risk of identity theft.
But do the images really exist in the volume claimed, and did the “proof” samples already seen by Binance really come from a breach at the company?
We won’t pay!
Binance has now publicly stated its opinion that the photos it has seen so far – the “proof” offered by the crooks – did not come from Binance’s KYC data.
The images, says Binance, don’t contain any obvious signs of the digital watermarks that the company claims to add to all the image data it keeps.
Digital watermarks aren’t perfect for proving that a picture didn’t come from you, because proving a negative is almost always very hard.
Nevertheless, even though image files are easily transcoded, adapted, scaled, reprocessed and so on to disguise their true origin, watermarks do provide some sort of guide to the source (or otherwise) of a photo.
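To make that caveat concrete, here is an added toy example (constructed for this page, not Binance’s own watermarking scheme, whose details the article doesn’t give): a fragile watermark hidden in the least-significant bits of grayscale pixels is recovered from a bit-exact copy, but vanishes after a simulated lossy re-encode, which is why “no watermark found” is weak evidence about where an image came from.

```python
# Toy fragile watermark: a bit string hidden in the least-significant bit (LSB)
# of 8-bit grayscale pixels. Constructed example; not any real exchange's scheme.

WATERMARK_BITS = "1011001110001011"  # constructed 16-bit ownership tag


def embed(pixels, bits):
    """Return a copy of `pixels` with `bits` written into the LSB of the first len(bits) pixels."""
    out = list(pixels)
    for i, b in enumerate(bits):
        out[i] = (out[i] & ~1) | int(b)  # clear bit 0, then set it to the watermark bit
    return out


def extract(pixels, n):
    """Read back the LSBs of the first n pixels as a bit string."""
    return "".join(str(p & 1) for p in pixels[:n])


def has_watermark(pixels, bits=WATERMARK_BITS):
    """Provenance check: does the image carry our tag?"""
    return extract(pixels, len(bits)) == bits


def requantize(pixels, step=4):
    """Simulate lossy reprocessing (re-encoding, rescaling) by snapping values to a coarser grid.
    Any such step rewrites the low bits, which is exactly where a fragile watermark lives."""
    return [min(255, (p // step) * step) for p in pixels]


def demo():
    original = [(17 * i) % 256 for i in range(64)]  # constructed 64-pixel grayscale strip
    marked = embed(original, WATERMARK_BITS)
    lossless_copy = list(marked)          # e.g. a straight file copy: watermark survives
    reprocessed = requantize(marked)      # e.g. re-saved with lossy compression: watermark lost
    return {
        "marked": has_watermark(marked),
        "lossless_copy": has_watermark(lossless_copy),
        "reprocessed": has_watermark(reprocessed),
        "unmarked_original": has_watermark(original),
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name:18s} watermark found: {found}")
```

The absence of the tag in `reprocessed` looks identical to its absence in `unmarked_original`, so a negative result cannot by itself distinguish “never ours” from “ours, but processed”.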
That has led Binance to form the opinion that, whether the crooks have as much data as they say or not, it didn’t come from a Binance breach:
When asked to prove the source of the data, the individual demanded 300 BTC and refused to supply irrefutable evidence of their findings. Later, they went to the press under false pretenses, posing as a white hat with good intentions. The relevant law enforcement agencies have been contacted and we will be working closely with them to pursue this person.
Of course, regardless of where the data came from, Binance paying up wouldn’t stop the crooks dumping any data they have anyway.
So the company has taken a different tack, offering to pay someone to expose the crooks, instead of dealing with the crooks themselves:
If you are able to provide any information to help identify this person and allow us to pursue the individual through legal action, we will offer a reward of up to 25 BTC [about $300,000], dependent on the relevance of the data supplied.
What to do?
As Binance has wryly implied, this sort of incident offers other cybercrooks a very believable phishing lure – “Hey, you’re a Binance customer and I just happen to be here to help in these tricky times.”
So the company has warned as follows:
Please be wary of any fraudsters who may impersonate Binance customer service and request you to withdraw your funds.
That’s good advice – and not just for Binance but for all your online accounts.
By the way, digital blackmail attacks like this, such as the sextortion scams we mentioned above, don’t just happen to companies – they can happen to you as an individual, too.
The subject matter may be different – sexy pics rather than KYC data – but the criminality is the same: you’re supposed to send money for the crooks not to do something, even though paying up wouldn’t stop them doing it anyway, and wouldn’t stop them coming back with more threats later.