Be careful with your KYC documents

Stop handing out your information without doing your due diligence.

Apr 4, 2019 · 5 min read

KYC is a process known as “Know Your Customer.” It is needed to ensure the customer exists and has the ability to assess potential risks of illegal intentions for a business relationship.

A lot of projects running a crowdsale require KYC and you must pass before you are allowed to invest into the project. A lot of exchanges also require your information before allowing you to take action on their site.

With all the high profile exchange hacks happening in 2019 already, I think it’s best to bring this article to light (all discovered documents, both stolen and dumped, have been sent to the respective exchange fraud teams).

The following is a key example of why you should be careful with your information.

Be careful when handing over your information.

The terrifying discovery

My contact did some good initial investigation, and I had some time, so I confirmed their findings and tried to find anything else to warrant a blacklist across the lists I manage.

What I found was disturbing.

The project is running on WordPress — which inherently isn’t that bad — but WordPress isn’t the pinnacle of security, and is especially bad for a project running an ICO which requires KYC documents.

I browsed the directory that stores the WordPress uploads… and over 15,000 KYC documents were listed.

15,000 documents listed publicly.

15,000 documents available for all.

Keep in mind that this project is still in the pre-sale stage, so I’d expect there to be more than 15,000 documents once the project opens the sale to the public. The first ID document was uploaded to the server on 2018–08–29.

Let’s go through what was listed (a rough list — I haven’t looked through all ~15k documents):

  • Uniformed personnel holding their identity cards
  • Driver’s licenses for various countries
  • Documents containing fingerprint data for various countries
  • People’s Republic of Bangladesh national ID cards
  • ID cards titled “Government of India”
  • Italian passports
  • Russian Federation passports
  • Ukrainian passports
  • Algerian passports
  • Republic of Korea passports
  • Socialist Republic of Vietnam passports
  • Venezuelan passports
  • Indonesian passports
  • Japanese passports
  • Philippines Unified Multi-Purpose IDs
  • Thai National ID Cards
  • …and much, much more

These were a variation of “selfie pictures” and scanned documents.

Why did people upload so much documentation?

The following international team made up of experts from Data Management, business management, logistics specialists, IT-experts etc for developing complex IT- and blockchain-solutions, supports our ICO, and further realization of the project.

They mention straight off the bat that their team consists of experts within data management — which I suspect is a lie if they have open directories mismanaging such vital documents.

Quickly register an account, complete KYC and join Airdrop to receive 2500 tokens worth 0.175 ETH now!

This technique is all-so-common and catches many people out with few offers like this being legitimate. They use language to indicate the offer is ‘selling out’ really fast, soon to end, and people will miss their chance to get free money.

All ICO participants are required to complete a KYC check to join the whitelist and buy tokens.

They make it mandatory to complete the KYC check to participate in the crowdsale. The registration is now closed so I cannot confirm that the check is actually mandatory.

Actually, their contribution address is public on their website (without creating an account) and it seems to be a simple ERC20 contract — there are currently 0 token holders (but the presale starts in ~30 days).

Taking another peek at the server

I found some figures — though they could be wrong as they’re in the same directory as the WordPress theme files — that indicates they have raised 1,086 ETH, and a total of $1,060,386 (including Bitcoin).

A few days later, they have now zipped the KYC data and it is still publicly visible and downloadable.

A screenshot showing the 10GB zip of KYC data

The domain is no longer resolving and the product hasn’t launched.

A call to ‘think before action’

This is a call to action to think about if you really value the project, believe in their security, and believe their vision before you upload your identity documents to a random server run by faceless admins.

It is also a call to action to get projects to ensure that their security practices do not breach the security and trust of their users regarding their mandatory KYC upload.

I personally think IEOs (Initial Exchange Offering) will mitigate the risk of identities being stolen from crowdsale sites with sub-par security measures. If you’re uploading your KYC documents to an exchange or ICO that you trust, make sure you’re timestamping it with the domain so that it’s harder be used maliciously if it gets leaked.

That’s all for now. Stay safe.



The Official MyCrypto Blog

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store