Hani, a mainstream media outlet in South Korea, reported on Sunday that Bitkoex, a small crypto exchange in the country, had posted user data covering $650,000 worth of holdings in a group chat.
After the Coinrail hack, industry experts and security specialists sharply criticized the business model and roadmap of minor crypto exchanges that try to squeeze as much profit as possible out of small operating budgets.
Earlier, Moon Byung-ki, a department director at SK Infotech, a technology arm of South Korea's largest telecommunications company SK, said that small and medium-sized exchanges in South Korea allocate no budget to security or infrastructure development, leaving user funds and information open to breaches.
“Small to medium-sized cryptocurrency exchanges delay the implementation of necessary security measures and are only focusing on business expansion,” Moon said, adding that any competent and experienced hacker can easily breach small cryptocurrency exchanges in China that have poor security measures.
This week, an employee of Bitkoex, a small cryptocurrency exchange serving a niche of the local crypto market, for reasons that remain unknown, posted user information tied to $650,000 in holdings in a KakaoTalk group chat, including private and public keys, account balances, and the names of the account owners.
Signal and Telegram offer end-to-end encrypted chats in which messages can be set to self-destruct. KakaoTalk, the dominant messenger in South Korea with roughly 90 percent market share and known for its simplicity, does not apply such protection to its ordinary chats. The distinction matters less than it seems here: whatever the transport, a group chat delivers every message in readable form to every member, so the keys were exposed the moment they were posted.
Comically, the Bitkoex team posted sensitive financial information about its own users in a group chat, and one member of that chat then passed the information on to the public, leaving more than $650,000 worth of crypto funds and accounts exposed.
The Bitkoex breach was not the result of a hack or a phishing attack but of the exchange's own decision to post user information in an unencrypted, unsecured group chat.
Bitkoex drew harsher criticism once it emerged that, even after it knew the private keys were out and user funds were in jeopardy, it did not sweep the funds out of the exposed wallets into cold storage. Once a private key has been shared it can never be made secret again; the only remediation is to move the funds to a freshly generated key before someone else spends them.
Ironically, before its launch in May, Bitkoex had promised users a “security system that is on par with leading financial institutions in the traditional finance system” and a high standard of protection for user information, account data, and funds.
It is said to be the first case in which an exchange deliberately leaked its own users' data in a messenger group chat that likely included members outside the company and its management.
No regulation or security standard can stop an exchange from handing its users' private keys to the public. Giving away private keys is like publishing bank account numbers together with their passcodes and hoping nobody tries to withdraw, with the difference that a bank can freeze the account and reissue credentials, while a transfer signed with a leaked key is final.
The Bitkoex leak was the result of sheer carelessness and a lack of will to protect user data. No employee should have the authority to hand users' private keys to outsiders or to anyone unconnected with the company; in a sound design no employee can, because keys live in an HSM or an offline signer that produces signatures on request and never exports the key material.
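The control described above can also be enforced mechanically at the point where the leak happened: the chat. The following is an added example, not Bitkoex's code or any vendor's product. It is a small outbound-message filter that flags anything validating as a Bitcoin private key, either a WIF string (checked against its base58check checksum and the secp256k1 range, so deposit addresses, typos and random base58 noise are not flagged) or a bare 64-hex scalar (lower confidence, since transaction IDs and other SHA-256 digests have the same shape). The same validator is what a responder would run over an exported chat log after an incident like this one to enumerate exactly which keys were exposed and must be swept. The example key is a throwaway, the chat lines are constructed, and the function names are this example's own.

```python
import hashlib
import re

# Added example, not exchange code. Message-level DLP check for crypto
# private-key material, of the kind a chat gateway or chat-export triage
# script would run. The example key and messages below are constructed.

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Order of the secp256k1 group: a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# WIF keys are 51 (uncompressed) or 52 (compressed) base58 characters.
WIF_TOKEN = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[1-9A-HJ-NP-Za-km-z]{51,52}(?![1-9A-HJ-NP-Za-km-z])"
)
# A raw 32-byte key written as hex, optionally 0x-prefixed.
HEX_TOKEN = re.compile(r"(?<![0-9A-Fa-f])(?:0x)?([0-9A-Fa-f]{64})(?![0-9A-Fa-f])")


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, r = divmod(n, 58)
        digits.append(B58_ALPHABET[r])
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become leading '1's
    return "1" * pad + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def to_wif(priv: bytes, compressed: bool = True, version: int = 0x80) -> str:
    """Encode a 32-byte key as WIF: version || key [|| 0x01] || 4-byte sha256d checksum."""
    payload = bytes([version]) + priv + (b"\x01" if compressed else b"")
    return b58encode(payload + sha256d(payload)[:4])


def wif_is_valid(token: str) -> bool:
    """True only if token decodes to a checksummed mainnet/testnet private key in range."""
    try:
        raw = b58decode(token)
    except ValueError:
        return False
    if len(raw) not in (37, 38):          # 1 + 32 [+ 1] + 4
        return False
    payload, checksum = raw[:-4], raw[-4:]
    if sha256d(payload)[:4] != checksum:  # rejects addresses, typos, random base58
        return False
    if payload[0] not in (0x80, 0xEF):    # mainnet / testnet version bytes
        return False
    if len(payload) == 34 and payload[33] != 0x01:
        return False
    scalar = int.from_bytes(payload[1:33], "big")
    return 0 < scalar < SECP256K1_N


def scan_message(text: str) -> list[tuple[str, str, str]]:
    """Return (kind, confidence, token) for every private-key-shaped token found."""
    findings = []
    for m in WIF_TOKEN.finditer(text):
        if wif_is_valid(m.group(0)):
            findings.append(("wif", "high", m.group(0)))
    for m in HEX_TOKEN.finditer(text):
        if 0 < int(m.group(1), 16) < SECP256K1_N:
            # A txid or any sha256 digest has the same shape, so only medium confidence.
            findings.append(("hex", "medium", m.group(1)))
    return findings


def should_block(text: str, block_medium: bool = True) -> bool:
    """Policy hook: refuse to deliver a message that carries key material."""
    return any(conf == "high" or (block_medium and conf == "medium")
               for _, conf, _ in scan_message(text))


# Throwaway example key (not a live wallet) and constructed chat lines.
EXAMPLE_KEY = bytes.fromhex("0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d")
SAMPLE_MESSAGES = [
    "customer 1042: balance 0.31 BTC, KYC pending, please confirm",
    f"hot wallet for 1042: {to_wif(EXAMPLE_KEY)} balance 0.31 BTC",
    f"raw key backup 0x{EXAMPLE_KEY.hex()}",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = "BLOCK" if should_block(msg) else "allow"
        print(f"{verdict:5} {scan_message(msg)!r:<40} {msg[:40]}")
```

The checksum check is what keeps the filter usable: a base58 address or a mistyped key fails it, so the high-confidence path has effectively no false positives, while the hex path is left as a policy decision (block it outright, or only alert) because it cannot distinguish a key from a transaction hash. A filter like this is a backstop, not the control itself; the point of the paragraph above stands, which is that plaintext keys should never be in a position to be pasted anywhere.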
Featured image from Shutterstock.
Last modified: May 20, 2020 8:39 PM UTC