In what appears to be an elaborate game of hackers hacking hackers, an individual operating under the pseudonym “Bnatov Platon” has provided CoinDesk with extensive information about their attempts to obtain millions of dollars in exchange for declining to release information about customers of one of the world’s largest cryptocurrency exchanges, Binance.
Information about the hack, gathered over a month-long interaction with the hacker, was pushed into the public eye today when Platon began posting what he alleged were images and information about real Binance customers, first on an open website and then on Telegram.
The idea customer information might not be safe on the world’s largest exchange was enough to immediately spark the attention of the industry, with major news websites and Twitter influencers swiftly broadcasting the news.
Yet, the full story was – and remains – more complicated than it first appeared.
First, it has deep roots, extending back to an incident in May when an outside group broke into Binance user accounts and stole 7,000 bitcoin. At the time, Binance was, as always, public about its problems, describing it as part of a “large-scale security breach” in which “hackers were able to obtain a large number of user API keys, 2FA codes and potentially other info.”
Unmentioned, however, was that identifying user information may have been leaked.
It’s during this event that Platon alleges the information they have obtained about Binance customers was produced, although in a twist, he says he was not the perpetrator of the hack, but that he hacked an exchange “insider” involved in the heist.
In another turn, Binance alleges the customer data was obtained from an unnamed third-party company it has contracted to conduct its know-your-customer (KYC) since February 2018.
Further, CoinDesk has confirmed at least two of the hundreds of profiles leaked belong to real customers who provided identifying information to the exchange. One of the images we analyzed seemed to have been doctored but the person whose identity appeared in the picture confirmed she had created a Binance account around the time of the leaks.
In conversations with CoinDesk, Platon has claimed they are a “white hat hacker” and, in a few comments, suggested they were asking Binance for a bug bounty for exposing the information. Negotiations broke down, however, and Platon and Binance representatives reported that he asked for 300 bitcoin in order to further expand on the data he held.
In a statement, Binance responded to the “fear, uncertainty, and doubt” cast by the news:
“We would like to inform you that an unidentified individual has threatened and harassed us, demanding 300 BTC in exchange for withholding 10,000 photos that bear similarity to Binance KYC data. We are still investigating this case for legitimacy and relevancy.”
We have contacted Binance for further comment.
Platon claims they have 60,000 pieces of KYC information in his collection.
What follows is what we know about the negotiations and their aftermath.
CoinDesk’s interaction with Platon first began in July, when we began reporting on the movement of bitcoins stolen in the May breach of Binance.
Binance responded to the hack at the time, saying malicious actors acquired customers’ APIs, two-factor codes, and “potentially other information.”
Platon’s take on the incident was different. They allege that an insider within the organization helped make a number of APIs public that allowed the hackers to directly access client accounts. Hackers stored lists of client API keys – the codes used to access their accounts remotely – in text files Platon claimed to be able to acquire. This allowed the hackers to access funds remotely.
The files also “contain extremely serious information” including customers’ email addresses and account passwords, Platon said. The customers at risk had opened Binance accounts between 2018 and 2019.
Using this personal information, the hackers wrote a malicious script that allowed them to instantly withdraw .002 BTC (roughly $23) at a time. The code placed a buy order for an obscure token called the BlockMason Credit Protocol and converted it to bitcoin. The code, which we have examined, could also perform a number of functions using API calls that are no longer open or public. When we tested one API call, however, a simple request for the server time, it was still open. It is unclear if the closed API endpoints were removed or simply hidden.
Platon alleges the stolen coins were held in a wallet hosted by bitcoin software wallet provider Blockchain, the maker of the recently launched PIT exchange.
By following a trail leading from this wallet, Platon discovered that the hackers had laundered 2,000 bitcoins though Bitmex, Yobit, KuCoin, and Huobi and were looking to convert as much as $1 million in bitcoin per day.
Of the 60,000 customer accounts Platon alleges were breached, he shared 636 files with CoinDesk. He hoped the media attention would spur Binance to announce the true extent of the hack, and bring the attackers to justice.
For its part, Binance announced the stolen bitcoin came only from their corporate accounts and did not affect consumers. At the time, the exchange also suspended deposits and withdrawals to protect users. However, the extent of leaked user information was kept secret.
In addition to images of passports, drivers licenses and actual headshots of users holding up their IDs, Platon also supplied a few examples of metadata associated with the images.
For example, this code suggests a user went through KYC on 03/20/2018:
"id": 1573211, "userId": "25276308", "front": "/IDS_IMG20180320/25276308_0_9416819.jpg", "back": "/IDS_IMG20180320/25276308_1_7376587.jpg", "hand": "/IDS_IMG20180320/25276308_2_4413070.jpg", "auditor": "chenxiaozi", "message": "", "status": 1, "createTime": "2018-03-20 08:12:33", "updateTime": "2018-03-21 01:48:33", "number": "s532557730580", "firstName": "m[REDACTED]", "lastName": "[REDACTED]", "type": 2, "sex": 1, "country": "United States of America (USA)(美国)", "email": "[REDACTED]@outlook.com", "version": 1
The KYC took place in China as suggested by the name of the auditor as well as the addition of the “美国” at the end of the country code. It is unclear what the other fields represent.
Further, Platon sent CoinDesk code that he described as accessing a back door placed in Binance servers by an “insider.” Analysis of the code suggests Platon is correct.
“This is highly likely to be an API key attack,” said Viktor Shpak, CTO at blockchain development firm VisibleMagic. “They harvested API keys from somewhere.”
API keys are used to authenticate services within exchanges and other applications and could allow a hacker to do anything from buy cryptocurrency on a victim’s behalf to actually moving cryptocurrency to an outside wallet.
Shpak said code in particular is suggestive of a back door within Binance although CoinDesk was not able to independently verify access via this function and the associated API key.
public static String getApiKey(String uri, String userId) { String time = ""; time = get("https://www.binance.com/api/v1/time"); Map<String, String> param = new HashMap<String, String>(); param.put("userId", userId); param.put("desc", "api" + JSON.parseObject(time).getString("serverTime")); return post(uri + "/exchange/mgmt/account/getApiKey", param); }
“Most likely an insider created a handler to get access to user API keys then they harvested those API keys and got access to user data and have built nice toolkit to work through this,” he said.
Though, when confronted with this information at the time, a Binance representative said, “As of the latest from the team, there is currently no evidence that these are KYC images from Binance and they are not watermarked per our system process.”
While speaking with CoinDesk, Platon also contacted Binance’s chief growth officer (CGO), Ted Lin, as part of a multi-front effort to bring the hackers to justice (or so he alleges).
“I personally wanted to make Binance world’s first exchange that capture hackers. It will be extremely positive for Binance’s reputation,” Planton said, who added:
“I informed [Lin] that I have got insider information such as insider’s detail, insider’s communication details with outsiders and even insider’s photo. I informed him that I have details of hackers – server information, their identity, their phone numbers and etc.”
In a message from Lin that Platon shared with CoinDesk, the CGO was receptive to pay for information that could lead to the arrest of the hackers, insiders and recovery of funds.
However, in this same message, Lin rebuffed Platon for the “FUD campaign” he was running.
“As I said, we don’t react to extortions,” Lin said. In earlier conversations with CoinDesk, Platon claimed to be independently wealthy, and the operator of a crypto exchange he says is one-third the size of Binance.
He also said he wasn’t interested in financial remuneration. “When I require money, I can just hack out one exchange account balance (hacker’s). I could retrieve more than 600 or 700 coins easily by hacking hacker’s wallet,” Platon said.
“But I didn’t touch single penny while watching more and more coins are laundered out and moved around to remove track,” he said, claiming he didn’t want to tip the hackers off that he was on their trail.
Despite Platon’s allegedly altruistic aims, CoinDesk later learned from Platon and Binance officials the supposed white hat hacker was requesting 300 bitcoin, about $3 million at July’s exchange rate, paid in 50 installments for his information.
Somewhere along the line, however, negotiations broke down. On July 22, just five days after they initially contacted CoinDesk, Platon said he had stopped negotiating with Binance.
“For about a month of negotiation, they didn’t pay a single penny,” Platon said. “My deal with Binance is broken.”
It was then that Platon’s conversations with Binance degenerated into a hostage negotiation, with Platon threatening to dump whatever customer information he had acquired.
Platon supplied the following alleged exchange with Ted Lin where the negotiations broke down:
Ted Lin, [20.07.19 19:54]
i see you already fed the info you have to the mediaTed Lin, [20.07.19 19:59]
given the damage from your FUD campaign is already done, whatever bounty you were asking for the information would be significantly less. As i said, we don’t react to extortions.But we are willing to get more information relating to perpetrators if you have useful information that can enable us to put bad guys behind bars and recover funds. Platon, [21.07.19 16:53]
as i said i don’t need your moneyPlaton, [21.07.19 16:53]
i am out of deal alreadyPlaton, [21.07.19 16:54]
i am not expecting you to react either.Platon, [21.07.19 16:59]
but i love to see insider’s and those hacker’s reaction when news is published. once again i am not interested in your reaction.Ted Lin, [21.07.19 19:04]
I thought you want to see those hackers caught?Platon, [21.07.19 19:11]
i wanted. but not now.Platon, [21.07.19 19:12]
i rather step away and keep watching.Ted Lin, [21.07.19 19:19]
We are still interested in paying for information that can lead to arrest of hackers, insiders, recovery of funds.Ted Lin, [21.07.19 19:19]
Let us know if you have more info that can achieve those.Ted Lin, [21.07.19 19:20]
We were going through verification of the type of info you have before you decided not to talk.Ted Lin, [21.07.19 19:21]
Let me know if you change your mind and want to continue.Ted Lin, [21.07.19 19:21]
Thanks for your help.Platon, [21.07.19 19:28]
Then pay me.
“My decision for negotiation with Binance was wrong,” he said, “They are not the right people… so I will just publish all data to its customers.”
Indeed, speaking with a Binance representative on July 22 Platon said, a “current interest of mine is those hackers and insider in your company. Would love to see their reaction when the news is published.”
On August 5, Platon’s threats became a reality, as he uploaded a document dump containing a total of 500 photos for 166 people’s KYC to an open file sharing site, under the pseudonym “Guardian M.”
This was followed up by a second dump containing hundreds of images of individuals holding their IDs, to a Telegram group on Wednesday morning.
Platon’s explanation is simple: they think they are doing the right thing.
“People keep asking, ‘Why are you releasing those KYC photos?,’ ‘How did you get them?’ The reason I am releasing those KYC is simple: To warn you people who are dealing on Binance,” they wrote. “If I needed money, I would sell it underground, not to publish it.”
Image via Twitter. Header image and internal images via CoinDesk.
Platon has not responded to requests for further comment and has not indicated if they will be posting more. We have contacted Binance for comment. John Biggs has supplied marketing and business assistance to Viktor Shpak of VisibleMagic, the developer who analyzed the Binance code.