Bit24.cash’s Data Breach: Exposing 230,000 Users’ Sensitive Information

Due to restricted access to international financial markets, Iran has actively embraced cryptocurrency. Last year, Iranian cryptocurrency exchanges conducted transactions totaling nearly $3 billion. Almost all incoming cryptocurrency in Iran complies with Know Your Customer (KYC) requirements.

Bit24.cash, an Iranian over-the-counter cryptocurrency exchange supporting over 300 cryptocurrencies, is no exception. During the KYC process, aimed at curbing criminal activities, users are required to verify their identity by uploading official documents. Given the sensitive nature of the documents transmitted to exchanges, users rightfully expect these organizations to safeguard them.

However, researchers at Cybernews discovered a misconfigured instance of MinIO (a high-performance object storage system) that inadvertently granted access to S3 buckets (cloud storage containers) containing the platform’s KYC data. This misconfiguration exposed the data of about 230,000 Iranian citizens, including their written consent forms, passports, identity cards, and credit cards.

Data example: a user holding his written consent to the platform rules, with his credit card and ID attached and visible. | Image: Cybernews

Bit24.cash has not commented on the situation, but the instance is no longer accessible. Cybernews researchers emphasized the critical nature of the compromised KYC data on cryptocurrency exchange platforms. Experts highlighted that malicious actors could exploit the disclosed data for identity theft, fraudulent transactions, and phishing attacks.

Moreover, with access to such comprehensive personal and financial information, cybercriminals can impersonate individuals, gain unauthorized access to accounts, conduct fraudulent transactions, and potentially inflict substantial financial and personal harm on the affected users.