While Coin Cloud, the company operating Bitcoin ATMs, has been in bankruptcy since February, its devices have allegedly been exploited by hackers. This would have led to the theft of 300,000 pieces of personal data and 70,000 selfies: proven or not, this case study is rich in lessons.
Hackers reportedly target Coin Cloud’s Bitcoin ATMs
Automated teller machines (ATMs) for Bitcoin (BTC) and other cryptocurrencies are a simple and original way to enter the ecosystem, and we can find them in various countries around the world.
But while Coin Cloud, one of the companies offering such services, filed for bankruptcy last February, the cybersecurity experts at vx-underground revealed that hackers had managed to steal the personal data of thousands of ATM customers.
In total, this personal information would number 300,000, as well as 70,000 selfies, as suggested by the screenshots shared in the tweet below:
An unknown Threat Actor(s) claim to have compromised Coin Cloud.
They allege to have exfiltrated 70,000 customer selfies (via ATM cameras), and 300,000 customers PII which includes Social Security Number, Date of Birth, First Name, Last Name, e-mail address, Telephone Number,… pic.twitter.com/TJ7RUK18Yq
– vx-underground (@vxunderground) November 12, 2023
Contacted by our colleagues at The Block, the vx-underground teams clarified that the hacker(s) shared this information on private channels and “the leaked database could soon be online. “
What conclusions can we draw from this affair?
First of all, we need to take a step back from this information. Indeed, without more detailed sources, it is difficult for us to attest to its veracity. Nevertheless, whether or not it’s true, this case raises some very interesting issues.
And for good reason: when buying crypto-currencies, as is the case on a centralized exchange, it will sometimes be necessary to carry out a Know Your Customer (KYC) identity check, depending on the country we’re in.
While this process may be legally justified, it nevertheless involves the collection of large amounts of personal data by a multitude of centralized players. What’s more, the way in which these databases are stored, secured and used is relatively opaque.
While for such players, hackers are primarily interested in stealing the money that passes through their services, personal data is just as valuable a booty. Indeed, if we consider the ATM Coin Cloud hack to be a real one, the criminals possess a very detailed transaction history that can be exploited for phishing purposes.
It would then be possible for these people to write to the investors concerned, making them believe, for example, that as a security measure, it would be necessary to proceed with some action for the crypto-currencies purchased “on such and such a day, at such and such an hour, on such and such an ATM Coin Cloud in such and such a city”. Such action would in fact result in the theft of these crypto-currencies for those falling into the trap.
Furthermore, knowing that these people are familiar with the crypto ecosystem, another phishing attempt could seek to trick them into downloading a malicious program, scanning their computer for a wallet with an insecure private key.
So, while a personal data leak doesn’t involve stealing money directly, it’s important to be aware of how these can be used by a malicious person. As the human factor is often the weakest link in a security system, this effectively opens the door to numerous social engineering techniques.
