Home / News / Crypto / News / Crypto Exchange KYC a Hacker Target With Sensitive Data Honey Pot on Databases
6 min read

Crypto Exchange KYC a Hacker Target With Sensitive Data Honey Pot on Databases

Last Updated April 18, 2024 8:04 AM
Shraddha Sharma
Last Updated April 18, 2024 8:04 AM

Key Takeaways

  • Traditional KYC methods using centralized databases are highly susceptible to hacking.
  • Web3 executive promoted decentralized KYC processes such as liveness detection and private biometric search.
  • How can KYC maintain compliance and integrity of blockchain’s immutable nature?

Know Your Customer (KYC) processes have been a focal point for regulators in the traditional financial sector. Zachari Mandin, Co-Founder of Web3 development agency Build3rs Labs and NibID, told CCN about the vulnerabilities of centralized KYC databases. He advocated for decentralized solutions as several data leaks in the crypto sector made headlines in 2024.

Vulnerabilities With Centralized KYC’s

Zachari Mandin, Co-Founder of Web3 development agency Build3rs Labs and NibID, told CCN that centralized databases are most vulnerable to hacks.  

He said, “Traditional KYC [Know-Your-Client] methods tend to keep sensitive user data in centralized databases.”

The co-founder suggests that businesses need to find more secure ways to build trust without compromising user control over personal data.

The Financial Action Task Force (FATF) highlighted in its report  that Virtual Asset Service Providers (VASPs) that have weak or non-existent Customer Due Diligence (CDD) or Know Your Customer (KYC) processes are a red flag.

As per regulations, centralized exchanges have to adequately identify and verify the identities of their customers. Any inadequacies are known to make it easier for illicit activities, such as money laundering or terrorist financing.

However, privacy has been an emerging debate in the crypto space. According to Mandin, there are ways to adhere to the KYC norms without compromising user data and privacy.

Mandin told CCN, “Businesses need ways to enable trust, and that’s very difficult when users don’t have control of their personal data. One solution is through decentralized liveness detection.”

The method enhances security during the verification process, the executive explained. It happens by distinguishing real users from imposters using photos, masks, or AI-generated deepfakes. It also eliminates the need to store raw biometric data centrally, reducing the risk of data breaches.

Is KYC Good For Compliance But Bad for Privacy?

Mandin also mentions private biometric search and matching, a technique that verifies an individual’s uniqueness and humanity without compromising their privacy. The approach allows for the secure verification of identity without revealing or storing sensitive personal information as per the co-founder.

Mandin promotes decentralized KYC solutions over centralized storage. However, the crypto industry has been struggling to build legitimacy with conservative regulators. According to the executive, regular system audits and risk assessment systems have limitations, especially in the context of fintech firms.

He points out that despite efforts, a major problem lies with dormant or mule accounts. 

Mandin underlines that these accounts are often used for illicit activities like money laundering.

Mandin states, “Accounts like these often get away with using fake or incomplete details because of lapses in current, outdated KYC systems, which are more prone to human errors.”

The co-founder advocates for stopping the creation of fake centralized accounts in the first place. “A more trust-minimized system will not only help in detecting and preventing financial crimes — but also demonstrate a strong commitment to building trust with customers,” he added.

Data Breaches in 2024

In 2024, the crypto sector witnessed reports of several leaks involving Know Your Customer (KYC) data. In January, the Iranian cryptocurrency exchange Bit24.cash was reported to be a victim. Despite the exchange’s denials, researchers from Cybernews  discovered a severe security lapse attributed to misconfigured cloud storage containers.

The breach reportedly left the data of 230,000 users exposed.

The misconfiguration reportedly allowed unrestricted access to sensitive KYC information, including user IDs, passports, and credit card details.

In February, decentralized blockchain platform Aleo, ironically renowned for its privacy measures utilizing zero-knowledge (ZK) proofs, reported a breach. Aleo admitted to a KYC information leak caused by a mundane but critical metadata error.

Mandrin agrees that ZK proofs are an essential part of the toolbox when it comes to protecting sensitive data.

Later in the same month, Binance denied reports of a widespread leak of KYC documents. These documents reportedly made their way onto hacker forums on the dark web and GitHub, raising considerable privacy concerns.

The incidents are somewhat counterintuitive to the perception that Bitcoin and blockchain technology inherently enhance privacy and security. However, that might not be possible if the intermediary has vulnerabilities.

Mandrin notes that the industry faces challenges due to regulatory constraints and compliance issues. He argues that industry stakeholders must intensify their efforts to inform and educate regulatory bodies about the advancements in new technologies and methodologies.

The executive believes a better understanding can potentially lead to more informed and supportive regulatory frameworks, “without damaging the immutable nature of the blockchain.”

Mandrin underlines that decentralized KYC solutions and newer and more advanced approaches will benefit many sectors. He noted, ” In banking, a newer approach won’t only mitigate lapses in current KYC processes prone to human errors — but also reduce incidents of fraud and money laundering — while also allowing users to protect their personal, sensitive data. Also, in the insurance sector, this can streamline fraud-proof onboarding of users and make it easier for businesses to safeguard their data. This can collectively help us build more trust among users and regulators alike.”

Dual Challenges of Exchanges

Crypto exchanges which are centralized grapple with dual challenges- safeguarding sensitive data while being compliant in several regions.

Meanwhile, the crypto industry aims to maintain the integrity of blockchain. Turns out that by integrating decentralized technologies, centralized exchanges can likely prevent financial crimes and data breaches, while building trust with users and regulators.

Was this Article helpful? Yes No