PSA: Do Not Give Out Your KYC Information Recklessly






KYC Information

Know Your Customer (KYC) is the process by which money service firms collect their clients’ identity information. This information includes details such as the client’s full name, physical address, citizenship, date of birth, and a photo of a government-issued ID or passport. This data is important for firms in the money service industry as it prevents them from helping criminals launder money, fund terrorist groups, or take part in corruption.

While most clients do not like the KYC process, a lot of companies in the crypto sector demand it as they are under pressure from financial regulators. An example of a firm that had to add KYC rules against its wishes is ShapeShift. When asked whether he believes KYC and privacy could work hand in hand, the firm’s CEO, Erik Voorhees, said,

“No, I mean this is why it was such a devastating thing for us to do, because I personally and as a company respect the right of individuals to have financial privacy. Forcing KYC on people violates that right. So, I don’t support that. The fact that we are doing it isn’t because we support that, it’s because we are essentially being forced to do that.”

It is true that financial regulators such as the SEC have tightened their clampdowns on firms that do not follow set rules. While this may seem unfair for privacy-focused crypto startups, this move aims to end the highly unregulated wild west situation in the crypto industry.

However, this step towards regulation has brought about other problems. After collecting KYC data, some crypto firms are reckless with the details and end up exposing them for everyone to see. This puts the investors of such startups at great risk of identity theft and other crimes.

Hacker Obtains KYC Data from Leading Crypto Exchanges and Sells it on the Darknet

According to a recent report, a hacker going by the name ExploitDOT was hawking user data from the biggest crypto exchanges on a darknet market called Dread. The hacker had been running an ad for data obtained through KYC since July last year. ExploitDOT claimed to have hacked exchanges such as Binance, Bittrex, Poloniex, and BitFinex. The data sold for as little as $10 per 100 documents, with discounts for buyers who bought the documents in bulk.

Binance and the other three exchanges denied that they had been hacked. However, ExploitDOT came out to state that Binance and the other exchanges never contacted the group to check whether the claims were real. As proof of having the data, ExploitDOT posted hundreds of pictures showing different people holding a piece of paper bearing the names of the exchanges. The hackers claimed that they would discard the user data if they got a payment for deleting it.

Investigator Unveils a Project That Runs on an Insecure Platform

An investigator recently published a blog post on Medium detailing how he discovered a crypto project that operated on WordPress. While running on WordPress is not a crime, the platform does not have the highest level of security, especially for a project that is conducting an ICO that needs KYC documents.

The firm had more than 15,000 KYC documents publicly listed, meaning anyone could access them. Per the investigator, the company uploaded the first ID document in August last year. He admits that he did not go through all the files. However, the few that he checked had sensitive information. The investigator found documents such as:

  • Driver’s licenses for different countries
  • Uniformed personnel holding their identity cards
  • Documents containing fingerprints of different people from various countries
  • National ID cards that belong to citizens of the Republic of Bangladesh
  • ID cards named ‘Government of India’
  • Passports from countries like Russia, Italy, Algeria, and South Korea
  • Philippines Unified Multi-purpose IDs

The documents were either selfies or scanned files.

Reasons Why ICO Investors Share a Lot of Sensitive Information

Most crypto startups convince their investors that their teams have international experts in data management, business management, logistics, and IT. They then claim that the professionals would create secure blockchain solutions that would safeguard the given information.

Other projects offer airdrops once investors register. The airdrops attract a lot of people who quickly submit all the documents that the projects need without second thoughts.

The Takeaway

When investing in crypto projects, it is wise to exercise due diligence to avoid sharing sensitive information with companies that cannot store it safely. Research the project you want to invest in and ensure it is credible. In the wrong hands, such sensitive information can cause a lot of damage. Criminals can steal your identity or your money, or damage your credit rating or your reputation.

Do you suspect that your KYC information might have been leaked and used against you? Let us know in the comments section below.
