Cryptocurrency marketplaces leave $18 million in the open for anyone to steal, leak user data
Cryptocurrency has been in the public eye for a few years now with the increasing popularity of Bitcoin and its massive valuation. Celebrities and influencers have jumped on the bandwagon, coming out with their own coins in ICOs (initial coin offerings) that can raise vast amounts of money for the coin creators. Cryptocurrency is also considered anonymous, private and secure by the general population.
For these reasons, cryptocurrency marketplaces are being opened all over the world to meet the demand. In fact, there are an estimated 18,988 markets for trading cryptocurrencies, but they are trading only about 1,700 cryptocurrencies. The reason for this is that marketplaces make a percentage on every transaction, allowing for major profits. According to Bloomberg, exchanges can make up to $3 million per day, or nearly $1 billion in one year.
So, in that mad rush to make money, the smaller or newer exchanges may leave security behind as a second thought. And that’s exactly what we found.
Our research shows that many crypto marketplaces are dangerously unsafe. In these unsecured databases, we were able to see the customers’ account balances and private information. This lack of security could allow their customers’ money to easily be stolen by anyone, as well as have their private details leaked or sold on the black market.
- One main exchange has around $16.5 million in “hot” wallets, with almost 80,000 private keys exposed. Its mainnet RPC keys are also exposed with a $25,000 balance
- One Chinese exchange, Hubdex, has users with high balances ($52,000, $40,000, $8,000, etc.) and unencrypted KYC data – ID cards and driver’s licenses that are easily downloadable
- Another smaller exchange, Swiss-based Lykke, also has unencrypted KYC data and other exchanges’ API keys that can allow for easy money withdrawal from those exchanges. Balances are as high as $10,000
- The crypto marketplaces or platforms are unprotected, allowing anyone to easily steal or manipulate balances
- Unprotected data includes private keys, multisig wallet keys, API keys, full user and KYC data, mainnet RPC keys, and more
- The total balance in these unprotected marketplaces comes to at least $18 million
About this research
In order to carry out this research, our analysts scanned the entire internet for open MongoDB databases and matched them against our crypto keywords. After this filtering by keywords, we manually checked each database for sensitive data.
One of the databases we discovered belongs to a Swiss-based cryptocurrency marketplace called Lykke. According to Lykke’s 2018 Coinholder meeting file (dated June 28, 2018), their average monthly trading volume was $106 million. They also claim to have nearly 100,000 clients with “substantial growth potential” with about $12 million in revenues for fiscal year 2017.
This appears to be a serious company in the cryptocurrency market, which makes it quite disappointing that they aren’t providing adequate security for their growing customer base.
Here’s what we found when we accessed their unsecured database.
What data we found in the database
The first thing we found was what appeared to be Lykke’s API keys. Having these keys would give us practically direct access to the exchange: with them, we can perform trades, exchanges, deposits and withdrawals.
Next, we found the private keys for their customers. These private keys would give us direct access to the customer’s wallet, allowing us to do whatever we want with the funds, including spending it, transferring it, trading it, etc.
The unsecured database also included multisig wallets. Multisig wallets require two or more signatures before any funds can be spent. However, the database also includes the redeem scripts, which would give us access to their wallets. Beyond that, we also have each customer’s private keys, so even without the redeem script we could still access these multisig wallets.
Lastly, Lykke’s unsecured database allowed us to see each customer’s transactions and balance. While Lykke claims that this data is read-only, we still have access to these APIs, which means that we can access and manipulate these accounts without needing any "write" permissions.
Having any of this information allows us direct access to these users’ funds, meaning the full ability to steal those funds or manipulate any data we choose.
This is a serious breach of users’ privacy and security.
We were able to match another database to a Chinese marketplace called Hubdex. It positions itself as “the first decentralized exchange in the world that is built on a dedicated public chain of decentralized community autonomy” (translated from Chinese) and claims to have served more than 160,000 users worldwide. There isn’t a lot of information available about this company, including how many users it actually has or how much it holds in its accounts in total, although we estimate the latter to be in the $1 million-$2 million range.
Most interestingly, Hubdex’s only YouTube video promises the following three basic principles:
- User assets cannot be manipulated
- Trading orders cannot be altered
- All trading assets are genuine and cannot be forged
Unfortunately, our research proves that none of those promises were kept.
What data we found in research
In this unsecured database, we found similar data to Lykke’s database. However, we also discovered customers’ KYC documents. Here’s one example of what looks to be an ID card for a Chinese customer:
This database also held extensive user data, which lets us see their private keys and, after signing up for the service ourselves, replace any account’s password hash with our own and thereby log into any account.
Hubdex’s unsecured database also contains the all-important private keys – 1.1 million private keys to be exact. This allows us direct, unfettered access to any of their customers’ accounts – and of course the ability to spend, exchange, or simply steal that money.
What did we discover?
The amount of data we stumbled across is quite staggering and significant. Instead of providing users with security and anonymity, these unsecured platforms have exposed their users, not only to getting their data stolen, but also their investments.
Here’s a quick overview of the data we discovered in our research.
KYC data
KYC (Know Your Customer) data is a requirement for most businesses involved in cryptocurrencies, including exchanges, ATMs, and even ICOs. KYC data is made up of identifying documents, such as passports, driver’s licenses, ID cards, bank statements or utility bills, and basic data, such as names, addresses, social security number, and the like.
This requirement is to help prevent money laundering, terrorism and other corrupt acts.
API keys
API keys allow users to give access to their accounts to third-party software. This can help them by, for example, letting the third-party tool buy and sell various coins for them automatically, based on rules that the user defines.
Generally, depending on the marketplace, API keys let a tool (or a malicious actor) view balances, trade and even transfer funds, bypassing any two-factor authentication the user has set up.
Private Keys and multisig wallet keys
When users create their crypto accounts, they are warned not to let anyone see their private keys. That’s because the private keys act like authentication (or more simply, a password), allowing a user to withdraw money from their account.
Multisig wallets require access to multiple private keys to authorize a single transaction. This offers more protection and is normally employed by more advanced users.
Mainnet RPC keys
Some cryptocurrencies allow users to “stake” coins, which means holding the coins in a “node” that acts as a type of wallet. The mainnet RPC keys will allow us to access those staked coins (think of this as access to a “remote wallet”), and sell, exchange, or withdraw those funds as we please.
We attempted to contact the two marketplaces that we could identify from our analysis. Our attempts were unsuccessful for Hubdex, whose listed email address did not work:
Other attempts to contact them were also fruitless.
We were much more successful with the Swiss-based Lykke. Not only did they immediately respond to our emails, but we were also able to set up a secure communication via Telegram. They confirmed that the IP belonged to them, and they were able to close it after we informed them:
We also asked about whether they notified their customers, as well as the significance of the breach. Oleg from Lykke assured us that all affected clients had been notified.
About the size of the breach, they claim that it was “a slave instance of a cluster” that was available as “read-only,” but that the most critical were the “API keys for HFT api.” (HFT here means high-frequency trading, which concerns the automation of a large number of orders in fractions of a second.)
Overall, they state that this had no real impact in terms of third-party usage or access detected. The rest, according to Oleg, were a “few blockchain integrations operational data” that only “revealed some internals” but that “no personal data was exposed and no fund lost”.
However, even if the data was “read-only,” it doesn’t appear to be entirely true that the API keys were the most critical item. The fact is that we were able to clearly view their customers’ private keys, which is most certainly a critical leak.
Nonetheless, we appreciate their quick response and transparency.
We are happy to report that both Hubdex’s and Lykke’s databases are now no longer accessible.
The significance of our initial findings is pretty severe. When people put money on cryptocurrency exchanges, hoping to buy and sell various cryptocurrencies, they are putting their faith into the exchanges to provide the utmost security and anonymity. After all, that’s what cryptocurrencies are known for.
But the fact that the opposite is true is eye-opening. Not only are they not anonymous (the leaked KYC data means their trades can be traced back to them), but they also stand to lose all of their money. At this moment, with the data we have, we are able to steal or manipulate millions of dollars in these exchanges. That represents a deep betrayal of users’ security and privacy.