Iranian cryptocurrency exchange denies massive data breach

 Iranian cryptocurrency exchange denies massive data breach
In the past year alone, Iranian crypto exchanges facilitated transactions totalling almost $3bn. / bne IntelliNews
By bne IntelliNews January 8, 2024

A potential data breach has been uncovered at Bit24.cash, an Iranian cryptocurrency exchange, raising concerns about the exposure of sensitive information belonging to nearly 230,000 users, Cybernews reported on January 8.

Given Iran's restricted access to global financial markets because of sanctions, the country has increasingly turned to cryptocurrencies. In the past year alone, Iranian crypto exchanges facilitated transactions totalling almost $3bn, with the majority adhering to Know Your Customer (KYC) requirements.

Bit24.cash, a prominent over-the-counter crypto exchange in Iran supporting over 300 coins and tokens, is now under scrutiny. The KYC process, crucial for preventing criminal activities, mandates users to verify their identity by submitting official documents. Despite the confidential nature of these documents, users expect exchanges to diligently safeguard them.

However, a misconfigured MinIO instance was discovered by Cybernews researchers, inadvertently providing access to S3 buckets containing the exchange's KYC data. This misconfiguration exposed critical details of approximately 230,000 Iranian citizens, including written consent to regulations, passports, IDs, and credit cards. The exchange has reported that the instance has been secured and is no longer accessible.

Cybernews researchers emphasise the severity of compromised KYC verification data on cryptocurrency exchanges, stating that such a breach poses a significant threat. Malicious actors could exploit the exposed data for identity theft, fraudulent transactions, and phishing attacks, potentially causing substantial financial and personal harm to affected users.

Hossein Amini, a security engineer at Bit24.cash, dismissed Cybernews' claims as "inaccurate and misleading", stating that the company found no evidence of a data breach or unauthorised access to sensitive user information.

"The reference to a misconfigured MinIO instance is wholly untrue, and there has been no unauthorised access to any sensitive user data," Amini stated.

News

Dismiss