Topsy-Turvy Tale of White Collar Hacker and Binance 7000 BTC Hack Recovery


The theft of 7,000 BTC from Binance back in May is known to everyone. A hacker using the pseudonym ‘Bnatov Platon’ went after the hackers who carried out that theft. Platon’s initial intention was, by his own account, selfless: he wanted to bring the thieves to justice. But the noble cause soon turned sour. Platon went on to demand money in exchange for not revealing customers’ identities. Many discussions took place between Platon and the exchange, which for a short while amounted to a deal, but that too soon broke apart. The incident is not straightforward; it has many details that have turned the sequence of events, and the intentions behind them, topsy-turvy.

Swift but lethal: questions raised about Binance’s data security competence-

According to many sources, the hacker was offered millions of dollars not to release Binance’s customer data. Yesterday, Platon began releasing that customer data to the public, first on open websites and then on Telegram as well. The information about the infamous hack was collected over a period of 30 days. This naturally alarmed both the public and the industry giants, and raised a big question about the security of customer data in the hands of the world’s largest crypto exchange, Binance. But what led the white-collar hacker, who was once defending this information, to publish it like this? To answer that question, a little background is required-

Bitcoin hack of May-

At the time, Binance described the incident as a ‘large scale security breach.’ The exchange revealed that customers’ API keys, 2FA codes, and other sensitive information had been stolen. It said nothing then about any leak of user identification information. Platon argues that the information he holds came from that same breach. He further claims that there was an ‘insider’ involved in the theft.

The exchange, on the other hand, says that the customer information came from a ‘third-party’ contractor it had used for KYC (know your customer) processing since February of last year. Sources reveal that two of the many leaked customer identification records have been confirmed as genuine.

Bug Bounty or Harassment?

Platon explained his stance, saying that he hacked for the right reasons and was asking Binance for a bug bounty in return for the data. As per reports, the hacker requested 300 BTC for revealing the rest of the information he had. To this, the exchange released the following statement-

We would like to inform you that an unidentified individual has threatened and harassed us, demanding 300 BTC in exchange for withholding 10,000 photos that bear similarity to Binance KYC data. We are still investigating this case for legitimacy and relevancy.

According to the hacker’s claim, 60K KYC records are still under his control. It is hard to say where these negotiations will take the situation.

Hack or conspiracy?

The crypto exchange paints the incident as an unfortunate large-scale security breach that led to the theft. But the hacker, Platon, has a different take. According to him-

  • ‘An insider’ was involved in the hack and paved the way for the API keys to be stolen and made public. This, as per Platon, is the key reason the hackers (the bad guys) got access to such sensitive information.
  • The stolen information included API keys and codes that allowed the accounts to be accessed remotely.
  • This information was saved in text files which, as per Platon, also contained other serious data such as email addresses and account passwords.
  • The hack affected users who joined Binance between 2018 and 2019.

Further, with the help of a ‘malicious script’, the hackers were able to steal 0.002 BTC at a time. They manipulated buy orders for a token called ‘BlockMason Credit Protocol’, which allowed them to convert the proceeds to BTC. Platon further revealed that the stolen tokens were kept in a wallet provided by Blockchain. Overall, by his account, the hackers stole around 2,000 Bitcoins this way.
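The pattern described above, many accounts each spending a tiny amount of BTC on the same thinly traded token at a price far above market, is visible in an exchange’s own fill logs even when each individual trade was authorised by a valid API key. The following detection heuristic is an added example written for this article, not code from Binance, Platon or the article’s author. The log format (`ts,account,side,symbol,price,quote_qty`), the sample trades and every threshold are constructed assumptions; a real deployment would take the reference price from a market-data feed rather than from the fills themselves.

```python
"""Flag 'skim' bursts: several accounts placing tiny BUY fills for one symbol,
all far above the price that normal-sized fills are trading at.

Constructed example for this article; the log format, sample trades and
thresholds are assumptions, not Binance's data or code."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple


class Fill(NamedTuple):
    ts: int            # epoch seconds
    account: str
    side: str          # BUY or SELL
    symbol: str
    price: float       # BTC per token
    quote_qty: float   # BTC spent or received


def parse_fills(lines: List[str]) -> List[Fill]:
    """Parse 'ts,account,side,symbol,price,quote_qty' lines, skipping blanks and comments."""
    fills = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, side, symbol, price, quote_qty = line.split(",")
        fills.append(Fill(int(ts), account, side.upper(), symbol, float(price), float(quote_qty)))
    return fills


def reference_prices(fills: List[Fill], max_quote: float) -> Dict[str, float]:
    """Median price per symbol, computed from normal-sized fills only so the tiny
    overpriced fills being hunted cannot drag the reference up. Falls back to all fills."""
    normal, everything = defaultdict(list), defaultdict(list)
    for f in fills:
        everything[f.symbol].append(f.price)
        if f.quote_qty > max_quote:
            normal[f.symbol].append(f.price)
    return {s: median(normal[s] or everything[s]) for s in everything}


def find_skim_pattern(fills: List[Fill], max_quote: float = 0.002, min_overpay: float = 0.5,
                      min_accounts: int = 3, window_s: int = 600) -> Dict[str, dict]:
    """Return one alert per symbol where >= min_accounts distinct accounts, within window_s
    seconds, each bought <= max_quote BTC at >= (1 + min_overpay) x the reference price."""
    ref = reference_prices(fills, max_quote)
    suspicious = defaultdict(list)
    for f in fills:
        if f.side == "BUY" and f.quote_qty <= max_quote and f.price >= ref[f.symbol] * (1 + min_overpay):
            suspicious[f.symbol].append(f)

    alerts = {}
    for symbol, sf in suspicious.items():
        sf.sort(key=lambda f: f.ts)
        best = None
        for i, start in enumerate(sf):                      # every fill starts a candidate window
            burst = [f for f in sf[i:] if f.ts - start.ts <= window_s]
            accounts = {f.account for f in burst}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > len(best["accounts"])):
                best = {
                    "window_start": start.ts,
                    "accounts": sorted(accounts),
                    "fills": len(burst),
                    "btc_skimmed": round(sum(f.quote_qty for f in burst), 8),
                    "ref_price": ref[symbol],
                }
        if best:
            alerts[symbol] = best
    return alerts


# Constructed sample log (not real trades). Five accounts each buy 0.002 BTC worth of
# BCPTBTC at 3x the price normal-sized fills are trading at; one lone account does the
# same on XYZBTC, which stays below the account threshold and should not alert.
SAMPLE_LOG = """
# ts,account,side,symbol,price,quote_qty
1557900000,acct-legit-1,BUY,BCPTBTC,0.00000400,0.05
1557900030,acct-legit-2,SELL,BCPTBTC,0.00000400,0.08
1557900060,acct-legit-3,BUY,BCPTBTC,0.00000410,0.5
1557900100,acct-victim-01,BUY,BCPTBTC,0.00001200,0.002
1557900101,acct-victim-02,BUY,BCPTBTC,0.00001200,0.002
1557900103,acct-victim-03,BUY,BCPTBTC,0.00001200,0.002
1557900105,acct-victim-04,BUY,BCPTBTC,0.00001200,0.002
1557900120,acct-victim-05,BUY,BCPTBTC,0.00001200,0.002
1557900200,acct-legit-4,BUY,BCPTBTC,0.00000400,0.0015
1557900300,acct-lone,BUY,XYZBTC,0.00003000,0.002
1557900310,acct-legit-5,BUY,XYZBTC,0.00001000,0.1
"""

if __name__ == "__main__":
    for symbol, alert in find_skim_pattern(parse_fills(SAMPLE_LOG.splitlines())).items():
        print(symbol, alert)
```

The signal here is cross-account correlation, not anything about a single trade: each victim’s buy is small and was authorised by that victim’s own key, which is exactly why a per-account rule (“block trades above X”) would miss it. Taking the reference price from normal-sized fills matters because a burst of overpriced tiny fills would otherwise move the median towards itself and hide the overpay.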

Platon’s attempts to make Binance speak up honestly about the hack-

As per sources, Platon has shared 636 files. His intention was to bring the data leak to the media’s attention, which would in turn push Binance to disclose the exact and full details of the hack. Platon says he was seeking justice and fair treatment.

Binance, on the other hand, said that the stolen coins came from corporate accounts and that no customers were affected. The exchange froze deposits and withdrawals to safeguard users’ funds and information. Even under Platon’s pressure to release the full details of the hack, the exchange kept some details from the public.

Leaked Information and the ‘backdoor entry’-

The hacker has provided customer identification material such as ‘passports, drivers licenses, actual headshots of users holding up their IDs, and a few examples of metadata associated with the images.’ The hacker also provided various records that revealed information such as-

  • The date on which the KYC check was performed.
  • First and the last name of the user.
  • Gender of the user.
  • Country of origin.
  • Email address.
  • User ID and other IDs.

Further, the hacker claimed that there was an ‘insider’ who granted access to this sensitive information. To support the point, the hacker provided code which, when tested, supported his statement. On this, Viktor Shpak, CTO of blockchain development firm Visible Magic, said that the incident looks like an API key attack. He added that the hackers ‘harvested’ the API keys from an unknown source.

API keys are the credentials that vouch for a user to an exchange’s services and to other applications. Whoever gets hold of a user’s API key gets the freedom to buy crypto and, in effect, control over the user’s account.

The code that the hacker provided to prove the involvement of an insider is still to be fully verified; opinions on it are mixed as of now. Note what the snippet does and does not show: it calls an endpoint named getApiKey with nothing more than a user ID and a description string, and no password, session or 2FA code for that user. What the base uri points to, and whatever credentials the post() helper may attach, are not part of the snippet. The code provided by Platon is as follows-

```java
import java.util.HashMap;
import java.util.Map;

// JSON.parseObject(...).getString(...) matches the fastjson API; the import is assumed,
// as the leaked snippet carried none. get(...) and post(...) are HTTP helpers that were
// not included in the snippet either.
import com.alibaba.fastjson.JSON;

public static String getApiKey(String uri, String userId) {
    String time = "";
    // Fetch the exchange's server time from the public time endpoint.
    time = get("https://www.binance.com/api/v1/time");
    Map<String, String> param = new HashMap<String, String>();
    // The only user-specific input is the user ID; no credential of that user is sent.
    param.put("userId", userId);
    // Label the requested key "api<serverTime>".
    param.put("desc", "api" + JSON.parseObject(time).getString("serverTime"));
    // POST to a management endpoint under the caller-supplied base URI and return the response body.
    return post(uri + "/exchange/mgmt/account/getApiKey", param);
}
```

Binance reverse-questioned the proofs-

When a Binance representative was asked about this, the response leaned towards denial. The representative explained that, as of now, there is no proof that the KYC images came from the exchange and, in addition, that they carry no ‘watermark’, which according to the representative is part of the exchange’s process.

Platon’s motivation and the conversation with Binance CGO-

Platon claims that his main intention is to bring justice. He said the aim was to help Binance catch the hackers and become the first exchange to do so. Platon further told the exchange’s CGO, Ted Lin, that he has “insider information such as insider’s detail, insider’s communication details with outsiders and even insider’s photo”, as well as details of the hackers consisting of “server information, their identity, their phone numbers and etc.”

In response, Binance CGO Ted Lin offered to pay for information that would help bring justice, recover the funds, and put the bad guys behind bars. He added that the exchange does not react to extortion. To this, Platon replied that if he needed money, he could easily hack the hackers’ accounts and get around 600 to 700 BTC that way. Despite having that access, he did not steal any money, even while large sums were moved around by the hackers right in front of his eyes.

The 300 BTC request against information supplied-

The apparently altruistic behavior from Platon had one more detail to it. The hacker requested 300 BTC in return for the information he supplied, to be paid in fifty installments. The negotiations went fine for a month, until July 22nd. Platon opted out when, after a month of discussion, no payment had been made by the exchange.

From Negotiation to Hostage-

This made Platon change his tune from negotiation to something closer to hostage-taking. He warned that he would release all the information he had acquired to the public. To prove his point that the exchange had disrupted the negotiation, he produced a conversation he had with the CGO-

In the conversation, held on 20th July, Lin opened by pointing out that the hacker had already exposed the information to the media. He added that, due to the harm this had caused, the bounty amount would be reduced significantly. He also said that, although the exchange does not react to extortion, if the hacker had information strong enough to put the bad guys in prison and recover the lost funds, the exchange was ready to hear him out.

In response, Platon clarified that money was not his driving force. He stated that he was ‘out of the deal’ and did not expect a reaction. He added that he was keenly interested in the reactions of the ‘insider’ and of the hackers (the bad guys) upon learning that the news had been published.

To this, the CGO questioned whether Platon still intended to see the bad guys in prison. Platon simply replied that at one point he had, but not anymore; now he wanted to be a bystander.

At this point, Lin emphasized that the exchange was ready to pay for additional information from Platon that led to the ‘arrest of hackers, insiders, recovery of funds.’ He added that he would like to know whether the hacker had any more information. The CGO suggested that, before opting out, the hacker should know that the exchange was checking the type of data Platon was offering. He thanked Platon for his help, to which Platon asked for the requested payment.

Platon summed up the situation in the following way-


“My decision for negotiation with Binance was wrong,” he said, “They are not the right people… so I will just publish all data to its customers.”

When Platon was pushed to the edge-

The hacker then walked his talk: on 5th August he uploaded around 500 photos of 166 KYC documents of Binance users to an open site, under another pseudonym, ‘Guardian M.’ He didn’t stop there. Yesterday he uploaded more such documents containing users’ IDs to a Telegram group.

He added that his reason for publishing the sensitive information is simply to raise the question of who is actually right. Through his actions, he is questioning the integrity of the exchange in offering him money in return for the information. Platon maintains that he still stands by his initial cause of bringing justice. Initially, he thought that he and the exchange were on the same side, but his experience revealed the opposite.

If Platon is telling the truth, this situation raises many questions about the world’s largest crypto exchange’s integrity, core values, and competence in providing security. Otherwise, there is still room for the exchange to explain why it didn’t pay the white-collar hacker the requested amount in the first place.