We constantly hear about the dangers that centralized exchanges face. Theft of assets is the biggest concern. The remote nature of a crypto hack makes people feel especially vulnerable, since it can inherently come from anywhere. I think there is a bigger threat than a crypto robbery of an exchange. The information that becomes available to attackers if they gain access to crypto exchange data will cause much more damage than the funnelling of stolen crypto funds.

Linkability

The linkability of real-world identities to crypto addresses makes it extremely easy to use publicly available information against someone. With enough data points, an attacker can use websites like PeopleFinder or BeenVerified, which host publicly available data, to discover the residences of their targets within minutes.

It is only a matter of time before KYC data for some of these larger exchanges is breached. Binance (the world’s largest crypto exchange by volume) has not only suffered a cryptocurrency hack but also recently suffered a KYC data breach. Though their CEO suggested it might have been a third party that was breached, the customers’ personal data was still linked to Binance.

“Data Breaches Happen All the Time”

It seems like every other week there is another data breach. This doesn’t prove that it’s a natural part of society. People should be the biggest protectors of their own data. Learn from the data breaches and apply what you know moving forward.

Data breaches like the recent Capital One breach, the LinkedIn breach from a few years ago, and Cambridge Analytica are a few examples of how varied the data sets are. It doesn’t only affect the private sector. When dealing with this information, many knee-jerk responses beg for more regulation to help “protect” or make it tougher for the bad guys to get this information. Bureaucratic involvement, contrary to popular belief, does not actually solve this. History tells us even the government cannot protect its own from massive data breaches. Both the Office of Personnel Management breach and the recent Border Patrol breach are very different from the other breaches mentioned above because these governmental breaches also include biometrics.

When you lose control of your biometrics, you obviously can’t change/reset your biometric password. The realization that you will manage your identity better than others puts you in control of what you deem appropriate for your data. How different platforms manage data can be one indicator for someone when choosing a platform.

The issue exists when an end-user is forced to give up data. For example, people applying to work in law enforcement are told they need to give their fingerprints to justify background checks on potential hires; they are told to give their fingerprints or they won’t be hired. When speaking about this topic, I aim to address the root cause. Digitizing these records makes it much easier for someone to gain access from remote locations than with physical copies. You give up convenience for a much more secure setup.

I point out this topic to address the current issue of data stored by these centralized cryptocurrency exchanges. New AML/KYC regulation introduced with the PATRIOT Act of 2001 created larger barriers that not only institutions needed to comply with but that also affected the regular individual on the street. KYC/AML regulation already existed, but attacks on U.S. soil gave the government a pretext to implement the PATRIOT Act in the name of “security”. Terrorism financing was the underlying reason that the government needed to watch how all money was moving throughout the world.

This regulation is THE major focal point of this data management/breach issue. It is the crux of the issue. It is what allows and forces the collection of this sensitive data. It is now mandated across all U.S. exchanges that there be some kind of KYC/AML information on every end-user who plans to use an American crypto exchange. Even if an individual chooses to deposit $5, there must be AML/KYC information on this person.

The institutional players are used to this, so they have no worries using legal entities or operations and handing over the information of the legal entities, which can protect their identities. The retail crypto user doesn’t have the luxury of having their cash flow through some obscure legal entity to protect their identity, so they must give all of this private data away.

How Do Hackers Get this Information?

There are many different attacks that can be launched against a normal company, including the various ways attackers can gain access to personal information. When you then consider a company that holds financial assets that can move cross-border extremely easily as well as a trove of personal data, you can understand why exchanges are targeted. This article addresses a few of the major reasons why they make such a viable target, including “monetary gain, human error and security vulnerabilities”. Human error can lead to most vulnerabilities, but as we’ve seen from specific types of attacks, browser zero-day exploits are being used as well.

When there is a data breach, most of the time it comes from a misconfigured server. A public-facing server that is misconfigured can allow outside access to it. Once an attacker gains access to the server, the attacker will attempt to do as much as they can to reach whatever information the database is holding. Shodan’s searchable index of internet-connected devices gives people the ability to poke around anything that is touching the internet.

If it is connected to the internet and not properly secured/configured for the company’s use case, they’re left vulnerable to people around the world who are looking to exploit this. A crypto exchange has a large target on its back due to all of the information/crypto centralized there, so they have their work cut out for them.

What Do You Have to Lose?

Everything, or mostly everything, barring the crypto assets being stolen from the exchange (I am assuming no exchange assets are stolen, just the databases managing the exchange accounts). To understand what a data breach of this size/scale would look like, we first need to understand what information is at risk. Assuming the attackers can collate the data on every user of the breached crypto exchange, the data that could be included in a data set like this would be:

physical address

photos including images of the account holder/passports/licenses

withdrawal addresses (This information tied with the physical address is THE information that a potential attacker would need to carry out monitoring/attempts on your crypto)

IP information (This can be mitigated using a VPN but it won’t help obfuscate your KYC information that the attackers also obtain)

financials (source of wealth, employer, bank account information. This doesn’t affect every KYC’d account, but the larger accounts will have needed to supply this, which makes them the larger targets)

trading activity (trading activity shows how much capital is flowing through the account)

login activity

“If You Don’t Like it Don’t Use it”

You hear this from people telling you not to use it if you have such a big problem with it. That would be a proper response if there were other options available, but there aren’t. If you are on-boarding to an American exchange, you MUST complete the AML/KYC data for the crypto exchange. It’s mandatory; there is no way around it. If I took this approach and decided not to use it because I’m worried about my data, I am essentially shut out of buying crypto. The other options are illegal (or near illegal) for U.S. citizens to use (so you are stuck using their monopolistic process or being a [potential?] criminal). This transfer of personal data occurs after having done a very similar process with your bank to open an account. Now the crypto exchange must manage this very sensitive personal information for all of its clients as well as its actual business line.

What’s Worse Than Having Your Crypto Stolen?

The picture I’m painting is to build a foundation for what users of these KYC exchanges will face in the near future. The KYC exchange hack that affected some Binance users, the crypto hack of Binance, as well as other exchanges being hacked since the beginning of crypto exchanges show that they’re very profitable. Now, imagine if that KYC data and account data were to be extracted (no funds lost, just information on the end-user leaked). The implications of this kind of attack are huge. We know there are attacks launched against these exchanges daily. Coinbase publicly came out and spoke about some of these extremely sophisticated attacks just recently. These exchanges aren’t impenetrable, and as a security researcher directly involved in data management, I can say it is only a matter of time until there is a breach of this nature. The goal is to keep the damage as minimal as possible.

Once your personal information and your crypto exchange account data are breached together, the public is going to be exposed to a data set we have not seen before. Crypto addresses can now be linked to personal identities. These hacks will be publicly available on the dark web and on the clear web soon after. This breached information is indexed into a database and will allow anyone who obtains it to search for anyone in that breach. Your real name/physical address and crypto addresses are now tied together. This gives the attackers and users of this data full access to end-users’ crypto holdings/physical address. Even if end-users have moved funds out of these wallets, attackers can always chase the crypto. This differs if using a private cryptocurrency, but I’m sure it wouldn’t be a very big lift to compute how much private crypto an end-user has bought on the breached exchange.

This is even more revealing than the information a blockchain forensics company can compile: it is the exact personal identity of the owner of that address.
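To make the linkage described above concrete from the defender’s side, here is an added example (my illustration, not the author’s text or any exchange’s code) that contrasts a naive account database, where one dump joins a name and home address to every withdrawal address, with a design whose join column is a keyed pseudonym. All records are constructed samples, and holding the HMAC key outside the database (KMS/HSM) is an assumption.

```python
"""Added example, not from the original post: the link the post warns about, and
one storage design that keeps a dump of the account database from tying a name
and home address to a withdrawal address. Records are constructed samples; the
keyed-pseudonym design is an assumption, not a description of any exchange."""
import hashlib
import hmac

# Constructed KYC rows: the identity fields the post lists as being at risk.
KYC = [
    {"user_id": 1, "name": "Alice Example", "address": "1 Sample St, Springfield"},
    {"user_id": 2, "name": "Bob Example", "address": "2 Sample Ave, Shelbyville"},
]
# Constructed withdrawal rows keyed by the same plain user_id (naive design).
WITHDRAWALS = [
    {"user_id": 1, "withdrawal_address": "bc1qexample0alice"},
    {"user_id": 2, "withdrawal_address": "bc1qexample0bob"},
]

def link_naive(kyc_rows, withdrawal_rows):
    """Naive design: a shared plain user_id lets the two dumped tables join
    directly, tying name and physical address to every withdrawal address."""
    by_id = {r["user_id"]: r for r in kyc_rows}
    return {w["withdrawal_address"]: (by_id[w["user_id"]]["name"],
                                      by_id[w["user_id"]]["address"])
            for w in withdrawal_rows}

def pseudonym(linkage_key, user_id):
    """Keyed join token. Assumption: the key is held outside the database
    (KMS/HSM), so a dump of the tables does not include it."""
    return hmac.new(linkage_key, str(user_id).encode(), hashlib.sha256).hexdigest()

def store_segregated(linkage_key, withdrawal_rows):
    """Withdrawal table as actually stored: the join column is the pseudonym."""
    return [{"pseudonym": pseudonym(linkage_key, w["user_id"]),
             "withdrawal_address": w["withdrawal_address"]} for w in withdrawal_rows]

def shared_join_values(kyc_rows, stored_withdrawals):
    """What a holder of both dumps but no key can join on: nothing, since the
    pseudonyms cannot be derived from the user_ids without the key."""
    return ({str(r["user_id"]) for r in kyc_rows}
            & {w["pseudonym"] for w in stored_withdrawals})

def link_with_key(linkage_key, kyc_rows, stored_withdrawals):
    """The exchange's own lookup, possible only for whoever holds the key."""
    by_pseudonym = {pseudonym(linkage_key, r["user_id"]): r for r in kyc_rows}
    return {w["withdrawal_address"]: by_pseudonym[w["pseudonym"]]["name"]
            for w in stored_withdrawals}
```

The key becomes the crown jewel of this design: if it is exfiltrated together with the tables the linkage is restored, so the split only helps when the key genuinely lives outside the breached system, and a dump of the KYC table alone still exposes names, addresses and documents, which is the author’s point.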

The Danger Surrounding this Data Set

We have already seen that attackers are trying to de-anonymize Bitcoin, Litecoin, and other coins similar to them. The aim of these attacks is to obtain the real-world identity of these crypto holders and extort funds from them. If attackers are willing to go through the arduous process of de-anonymizing users one at a time, imagine how this data could be leveraged against the users of the breached exchange. It completes two of the steps for the attackers already.

This puts a name to the crypto address of everyone using these exchanges. Physical risk now becomes a major threat. It is no longer a string of characters. There are faces and names tied to these addresses (both physical and crypto).

What’s Really at Stake

Source: FBI Bank Crime Statistics 2011

Bank robbery statistics from the FBI in 2011 show us that the average heist garnered a little more than $7,500.00. Criminals are willing to employ violence or the threat of violence to steal money from facilities whose sole purpose is to protect that money. An individual who has their crypto account information leaked alongside their physical address makes it that much easier for an attacker.

There are a few things that can be done, but it isn’t very easy. That’s why people opt to use centralized providers. Most KYC data doesn’t change very often. There are a few available options that I’ll touch on, but they don’t completely remove the risk.