Iranian crypto exchange Bit24.cash leaks user passports and IDs

Pierluigi Paganini January 07, 2024

Bit24.cash has inadvertently exposed sensitive data belonging to nearly 230,000 users, as revealed by Cybernews research.

Due to its limited access to foreign financial markets, Iran has embraced cryptocurrency significantly. Last year, Iranian crypto exchanges facilitated transactions totaling nearly $3 billion. Almost all incoming crypto volume in Iran adheres to Know Your Customer (KYC) requirements.

Bit24.cash, Iran’s over-the-counter crypto exchange supporting over 300 coins and tokens, is no exception. During the KYC process, which aims to curb criminal activity, users are required to confirm their identity by uploading official documents. Considering the sensitive nature of these documents shared with exchanges, users rightfully expect organizations to safeguard them securely.

However, Cybernews researchers uncovered a misconfigured MinIO (a high-performance object storage system) instance, inadvertently granting access to S3 buckets (cloud storage containers) containing the platform’s KYC data.

Bit24.cash data leak
Data example. A user holding its written consent to the platform rules, his credit card and ID attached and visible, too.

This misconfiguration compromised approximately 230,000 Iranian citizens, exposing their written consent to regulations, as well as passports, IDs, and credit cards.

We reached out to the company but did not receive a response before publishing this article. The instance has since been secured and is no longer accessible.

Cybernews researchers emphasized the critical nature of compromised KYC verification data on cryptocurrency exchange platforms.

If you want to know more about this case take a look at the original post:

About the author: , Chief Editor @CyberNews

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – hacking, Bit24.cash)



you might also like

leave a comment