Transferred bitcoins? Your identity might have been stolen


A bitcoin transfer service left over 250,000 files, including users' KYC documents, accessible to anyone on the internet. If we were able to find the leaked data, it’s likely that threat actors have found it, too.

On September 11th, the Cybernews research team discovered a public-facing Amazon AWS storage bucket that was by no means meant to be public.

The leaking bucket stored more than 250,000 files with Know Your Customer (KYC) documents, packed with the sensitive data of cryptocurrency users. Financial institutions and fintech platforms require KYC to identify users and ensure compliance with laws and regulations.

ADVERTISEMENT
bitnob data leak
Source: Cybernews

Proof of identity involves providing a government-issued ID, such as a passport, driver's license, or national identification card. The process also involves taking selfies and holding the ID to verify that it belongs to the individual undergoing verification.

For this reason, KYC documents pose extreme dangers of identity theft, impersonation, and financial fraud if they fall into the hands of malicious actors.

Cybernews researchers have identified that the exposed bucket belongs to Bitnob, a fintech platform headquartered in Lagos, Nigeria. The company provides bitcoin transfer, savings, and loan services across the African continent and globally.

What data is at risk?

  • Photos of passport, national ID, or driving license
  • Names and surnames
  • Dates of birth
  • Country
  • Personal identification numbers

Our researchers could not determine for how long this data was publicly accessible. While the exact number of affected individuals is unknown, the files contain images of government-issued IDs that can be linked to specific individuals, suggesting that the number of potential victims could be high.

The leak was likely caused by human error, as misconfigured authentication is a frequent issue behind data leaks, aligning with Cybernews' ongoing research findings.

ADVERTISEMENT

How much does your passport scan cost on the dark web?

Incidents like this pose serious risks to data owners. For one, exposed IDs could end up on the dark web, scoured by nefarious actors seeking for passport scans.

According to research by Comparitech – a company that provides cybersecurity reviews for consumers – the average price for a digital passport scan on the dark web is approximately $15.

However, if additional proof of address or identification – such as a selfie, utility bill, or driver’s license – is included, the average price shoots up to $61. Document scans are often purchased in bulk.

leaked passport photo
Leaked passport photo. Source: Cybernews

Cybercriminals may use your ID to set up accounts on crypto exchanges, digital payment systems, or betting websites.

Malicious actors may also utilize ID scans to open bank accounts in your name. That’s especially problematic as some institutions only ask for two pieces of identification, such as a copy of your passport and a driver's license.

Having a fraudulent account set up in your name is extremely dangerous, as it can be used to cash out illegal funds, implicating victims in criminal activities.

Meanwhile, leaked Bitnob user KYC documents could be used by attackers to bypass security measures and access user accounts, resulting in unauthorized transactions and financial damage to users.

We contacted the company multiple times, and access to the bucket has been secured. An official comment has yet to be received.

ADVERTISEMENT