The hacker claiming to have accessed tens-of-thousands of know-your-customer (KYC) documents supposedly originating from Binance claims to have obtained the stolen documents by hacking an “insider.”

This person, the hacker claims, facilitated the breach in May which saw 7,000 BTC stolen from the exchange. The hacker, who has opened a Twitter account under the pseudonym “Bnatov Platon,” has reportedly been in contact with CoinDesk reporters for approximately one month. 

According to the publication, Platon claimed to have obtained the documents by hacking “an exchange ‘insider’ involved in the heist,” adding that the stolen documents were first obtained from an unnamed third-party company that Binance contracted to help out with its KYC processes in February 2018, according to the exchange.

Hacker Claims He Stole KYC Documentation From Binance “Insider”

Platon described himself as a “white hat hacker” who approached Binance seeking a bug bounty in exchange for the documentation. However, negotiations broke down between the two parties, with Binance announcing that the hacker had requested 300 BTC in exchange for “withholding 10,000 photos that bear similarity to Binane KYC data.”

Platon claims to be acting to drive media attention and community pressure aimed at forcing Binance to reveal the full extent of the breach. The 7,000 BTC hack in May was described by Binance as a “large-scale security breach” in which “hackers were able to obtain a large number of user API keys, 2FA codes, and potentially other info.”

According to Platon, the breach resulted from “an insider within the organization” who made the APIs of many Binance clients public. The public APIs “allowed the hackers to directly access client accounts,” with Platon claiming to have acquired text files from the insider containing lists of client APIs, email addresses, and passwords.

Binance Rejects Authenticity of KYC Documentation

Through the APIs, Platon asserts that the hackers wrote a script that allowed the instant withdrawal of 0.002 BTC (roughly $23), with the funds being sent to a wallet hosted by Blockchain. After purportedly tracing the capital flows from the wallet, Platon alleges that the hackers laundered 2,000 BTC through exchanges Bitmex, Yobit, KuCoin, and Huobi.

After examining the metadata provided alongside some of the leaked images, Viktor Shpak of VisibleMagic stated: 

This is highly likely to be an API key attack […] Most likely an insider created a handler to get access to user API keys then they harvested those API keys and got access to user data and have built nice toolkit to work through this.

In response to Shpak’s comments, a Binance representative stated: “As of the latest from the team, there is currently no evidence that these are KYC images from Binance and they are not watermarked per our system process.”

Platon Claims to Possess 60,000 KYC Documents

On Aug. 7, 2019, the hacker set up a Telegram through which several hundred images purportedly comprising Binance KYC documentation were leaked. By the end of the day, 500 images of passports, documents, and individuals had been uploaded to the group, which comprised more than 10,000 members. The documents appeared to be of British, France, Turkey, the United States, Japan, Russia, and South Korean origin.

CoinDesk has reportedly confirmed that two of the individuals depicted in the leaked images belong to real Binance customers who provided identifying documentation to the exchange. However, detailed analysis has revealed one of the images appears to have been altered at some time.