A darknet vendor is allegedly selling images and data associated with crypto exchange identity verification processes

A user going by the name of "ExploitDOT" is allegedly selling 100,000 personal documents that were used to comply with the know-your-customer (KYC) regulations on cryptocurrency exchanges, as first reported by CCN. He posted the sale on July 17, 2018 on a sub-community (DNMAds) of Dread, which is a hidden Reddit-like community that operates on darknets such as Tor and "provides a platform for open community discussion without as much censorship and limitations."

ExploitDOT claims that he was a vendor on Tor Carding Forum (TCF), which was one of the earliest and largest darknet forums focused on the trade of stolen credit card details, identity theft, and currency counterfeiting. TCF closed in 2014 following a hack. ExploitDOT was also allegedly a vendor on AlphaBay, a darknet marketplace with over 400,000 users that police shut down after a law enforcement action in July 2017.

The documents were supposedly 'dumped' in the first half of 2018 when an unnamed third party KYC solution provider which was providing services to crypto exchanges and ICOs suffered a breach. At the time of writing, it's not immediately clear which KYC provider got hacked or even whether the hack actually took place. ExploitDOT claims that the documents include sensitive information and high quality photos with EXIF including geographic information "for every country" about users that KYC'd on Binance, Bitfinex, Poloniex and Bittrex.

When reached out for comment, Binance said:

"We’re aware of this allegation and have investigated the photos in question, but there is no evidence that the leak is from Binance. We have even seen photoshopped versions of the photos. Security is our highest priority and we do our utmost to ensure data breaches do not happen on our platform."

It's possible that the KYC documents come from a phishing attack and are not actually a result of a breach of third party KYC solution provider.

The data dump, which is being sold in bulk, includes selfies, scans of identity documents and proof of address of each person. Following the report by CCN, ExploitDOT posted again on Dread and asked whether he should "try to start a crowdfunding to delete all the hacked documents" because "if you ever sent a KYC, chances are there [are] also your documents in my dump." He wrote that he wants to crowdfund an amount that "helps [him to] work on [his] legit business with [his] ideas that could change the world."

According to ExploitDOT, asking the affected exchanges to pay for the removal would not make sense because "the exchanges are completely denying the documents were took from them, whereas there is clearly docs with 'Binance', 'Poloniex' and such written on the paper."

This post has been updated with Binance's statement.