Exclusively for BitJournal: Hacker leaked information on fraud at EXMO

PART I

BACKGROUND

Introduction

Today, the protection of confidential data is a pressing issue. Information about virtually any person can be found on the global network, to say nothing of social networks. Despite this, people today are forced to take risks and share all sorts of data far more valuable than vacation photos. For example, to make their lives easier, many people shop online and register with currency exchangers and exchanges, providing their bank details, passport details, and so on. But in fact, despite all the security certificates, data privacy policies and other distractions, nobody guarantees real security and data protection. From a legal point of view, all of these documents are sometimes akin to an inscription on a fence. Today's article will prove this to you.

Primer

This article deals with fraud on the well-known cryptocurrency exchange EXMO.

To introduce all the characters, we offer a short primer on its founders and history.

The history of the large exchange EXMO began in 2013 with the opening of the ExMoney exchanger. It was founded by businessmen from the CIS, Pavel Lerner and Ivan Petukhovsky. Today, EXMO is a large international company, Exmo LLP Finance, which has a registered office in the UK and an open office in Barcelona. What does open mean? It means that absolutely any user can visit the management of the exchange.

Hundreds of professionals from different corners of the globe work to keep the exchange running stably. These are programmers from Russia, Thailand and India, and financial consultants from the USA, Lithuania and the United Kingdom. Together they create a convenient trading platform that traders around the world can use 24 hours a day, 7 days a week. Here you can not only exchange currency, but also trade coins and store them.

The audience growth in 2017 was 250%. EXMO is now used by more than 1 million people from 200 countries. Most of the traders on the platform are Russian speakers. There are several reasons for this. First, the exchange supports the Russian language. Second, you can trade rubles here.

Awards show that the exchange is trusted. In 2017, according to the BTC Awards CIS, EXMO became the best exchange of the year. The key advantage of EXMO is its simplicity. In general, it is a convenient platform for trading and even cold storage of digital money, suitable for both beginners and professional traders.

Information borrowed from howtobuycoin.com

Exchanges are platforms that work directly with personal user data. To organize their work, all user data is made available to employees, who are people just like the users of the exchange. This point is worth dwelling on, as it is of key importance here. Although employees must sign a non-disclosure agreement when they are hired, no higher-ranking person can control the activities of an exchange employee 100%. It is for this reason that disclosure of information, fraud and hacking of accounts occur on trading platforms and other resources, which is what happened at EXMO and, as you will see later, more than once.

The story of Jesus

A few days ago, a young man wrote to our email; let's call him Jesus. He asked us to disclose information that employees of the EXMO cryptocurrency exchange are engaged in fraud and sell confidential user data, and promised to provide relevant evidence.

We entered into a dialogue with him, and he told us an interesting story that horrified us and finally destroyed our faith in the integrity of some people. Below you can find a summary of this story.

Jesus said that he earns his daily bread by phishing. Once, by a lucky chance, he came across an advertisement online saying that someone was selling the email database of EXMO exchange users. The offer seemed interesting to him, and he bought the database. With its help he was able to earn a fair amount, and he later decided to begin to closely “cooperate” with the seller. For convenience, we will call him Michael.

Later, Michael told Jesus that he started doing all this because he was absolutely not satisfied with the working conditions and the bosses at the exchange. To confirm his words, Michael sent Jesus screenshots of the administrative panel of the site.

For several months, Jesus and Michael worked together in perfect harmony and at a good profit. According to Jesus, during this period he managed to buy himself an apartment. However, at some point their work went wrong, and the following story happened:

“Once we hit a very fat account with a balance of about $100,000. After I successfully hacked the email of this account, it turned out that this was an exchanger's account. We worked this exchanger for about 2 weeks, waiting for an even greater balance. But this did not happen, and we decided to withdraw what there was, so as not to get burned and lose the money.”

Usually Michael withdrew everything to his wallet and then sent Jesus his share in the standard way. However, this time everything went wrong. After Jesus confirmed the withdrawal in the victim's email, Michael delayed the transfer for a week and then disappeared altogether.

After that, Jesus decided to make the story public to punish Michael, which is why I am writing about it to you now.

The story is shocking, to be honest. It's a shame for the people who were attacked by these guys and lost their money. It's a shame that partners cheat each other for money. It's a shame that the leaders of serious organizations monitor their employees this way. By the way, remember I said that this was not the first time this had happened to EXMO? Below is another interesting story, the heroes of which are the same EXMO employees.

But let's see how realistic it is to restore justice. Why does such misconduct go unpunished, and how does data protection legislation regulate the disclosure of confidential data in general?

PART II

DETAILS

Legislative basis

Legislation regulating this sphere is, as a rule, based on the same principles in different states. For example, in the Russian Federation there is Federal Law No. 149-FZ of 27.07.2006 (as amended on 12/18/2018) “On Information, Information Technologies and on the Protection of Information”. According to Art. 16 p. 4 of this law:

The information owner, the information system operator, in the cases established by the legislation of the Russian Federation, must provide:

1) prevention of unauthorized access to information and (or) its transfer to persons who do not have the right to access information;

2) timely detection of facts of unauthorized access to information;

3) prevention of the possibility of adverse consequences of violation of the procedure for access to information;

4) avoidance of impact on technical means of information processing, as a result of which their functioning is impaired;

5) the possibility of immediate recovery of information modified or destroyed due to unauthorized access to it;

6) constant control over ensuring the level of information security;

7) the presence on the territory of the Russian Federation of databases of information, with the use of which the collection, recording, systematization, accumulation, storage, refinement (updating, modification), extraction of personal data of citizens of the Russian Federation are carried out.

The UK law "On the protection of personal data" establishes the following principles:

Anyone who is responsible for the use of personal data must follow strict rules called “data protection principles”. According to them, information must be:

  • used honestly, lawfully and transparently;
  • used for specified, explicit purposes;
  • used adequately, and only for what is needed;
  • only current, updated information is used;
  • stored no longer than necessary;
  • processed in such a way as to ensure adequate security, including protection against illegal or unauthorized processing, access, loss, destruction or damage to information.

EXMO Privacy Policy

Does the EXMO privacy policy comply with UK law? Formally, yes; in reality, no.

In the “Privacy Policy” document on the site you can find the following phrase:

“EXMO and its affiliates pledge to make every effort to protect your privacy. EXMO uses the information collected about you to fulfill its contractual obligations and improve customer service.”

“And for the illegal sale of your data on the darknet,” they could safely add.

However, let us set the sarcasm aside and pay attention to some important details of this document.

One of the goals below.

If you have a desire, you can also get acquainted with the list of data that the user provides to the exchange:

Precedent

And now more about the story that I promised to tell. This exchange was already involved in fraud in 2018. At that time, funds totalling $37,100 were illegally withdrawn from three user accounts at EXMO, but the story was successfully hushed up. It is still not known whether one person acted or whether these were three unrelated cases.

At the time, both the victims and the editors of this resource tried to get to the bottom of the situation, but they failed to achieve anything. However, after the article itself was published, they did receive an answer.

These are key points.

The management of the exchange is confident that employees cannot commit fraud with the access to information that they have. Accordingly, hardly any control is exercised over them.

* Note that the editors of Decenter.org informed their readers that they had asked the representatives of EXMO and Mail.ru to review their security instructions, but, apparently, the EXMO management did not attach much importance to this.

Read more about this case here.

Details of this case

If you remember, to confirm his place of work, Michael sent Jesus screenshots of the EXMO admin panel. As it turned out later during the conversation, Jesus was also given access to the admin login page in the form of a VPN, an administrator login and password, as well as his full name and e-mail address.

Jesus provided our editors with videos confirming that the login and password for the admin panel are real. We checked all the information. Below you can see examples of these same screenshots with specific information from EXMO.

According to Jesus, he and Michael had been working together since March 2018. In total, their cooperation lasted 5 months. The hack of the exchanger took place in July 2018. To confirm the fact of the hack, I wrote to the exchanger's email. Unfortunately, while this article was being written, they were in no hurry to respond. To speed up the process, I wrote to the online consultant asking to pass the information on to the management of the exchanger, but I received no answer.

Jesus also wrote to the EXMO leadership about the sale of databases and the fraud. The reply he received was: "Information is not relevant." Whether this is because EXMO has strengthened its system of control over employees or has found that same “loyal” employee is unknown. However, I am inclined to believe that it was simply decided to hush the situation up, especially since this has already happened once.

It remains to hope for public support. Maybe through the media, information about the internal affairs of the company will reach the top of EXMO, although this is not so important. The main thing is that this information reaches you, dear readers.

PART III

SUBSCRIBE, DO NOT PRESENT!

The story has not yet come to an end. One question remains: “Will punishment catch up with the guilty?” Let's figure it out.

According to the article on tightening the EU personal data law:

“For breaking the rules, companies will have to pay a fine of up to 10 million euros, or 2% of revenue for the last fiscal year, and for non-compliance with certain special points, the deduction amount will be 20 million euros, or 4% of revenue.”

While searching for information on this topic, I also found this article. It says that “the British Information Commissioner (ICO) fined Facebook £500,000 ($644,000) for violating the law on the protection of users’ personal data.” It is possible that a similar offense will also cost EXMO, as a company, a tidy sum, to say nothing of “Michael”. However, the outcome is unclear. For the authorities to take an interest in this story, it needs to make some noise.

How does this affect EXMO's reputation?

To begin with, let's see what kind of reputation EXMO had before this article was written.

Fresh reviews from BestChange.

Reviews from mining-cryptocurrency.ru.

But according to cryptonisation.ru, EXMO is ranked 4th in the top 10 exchanges as rated by traders. It also holds:

  • 3rd place in the ranking of exchanges with the withdrawal of money
  • 3rd place in the ranking of exchanges without verification for withdrawal
  • 4th place in the rating of exchanges in terms of the fee charged for trading

In some rankings online, EXMO even takes first place; how it manages this is unclear. Of course, this article may spoil the platform's reputation online, but that depends on how widely the information provided here is distributed.

In my opinion, the main thing is that it should be seen by as many people as possible who trade regularly or from time to time. This will help them avoid fraud and loss of funds.

PART IV

HOW TO PROTECT YOUR PERSONAL DATA

Be vigilant, and do not be afraid to worry once more about your money if you send it to some godforsaken place (read “resource”) on the Internet. You read articles about hacking and theft almost every day, so be more vigilant.

After talking with Jesus, I thought it would be good to learn from him the real ways to protect personal data, since he knows this business from the inside, one might say, and knows how to circumvent certain security systems. This is what he told me:

  1. Do not keep all your cryptocurrency on exchanges unless there is a great need.
  2. Always check the links in the browser address bar, as well as the SSL certificates of sites.
  3. Always use two-factor authentication, not only on the exchange, but also on the email account that is tied to the exchange account. This is not a panacea, but sometimes it can save your money.
  4. Be sure to keep track of what you download to your computer. A virus can be in anything, whether an executable file or a JPG photo of a cat, and antiviruses do not always cope with their work.
  5. Always be suspicious of letters about the need to change or reset your password, about a suspicious login, and similar messages. Even if the letter is sent from the official address of the exchange or your mail service, know that the bad guys can fake these addresses.

And if you want to learn more about how to secure your work on the Internet, go to Jesus's Telegram channel, and be careful online.

If you have any other information about fraud on the EXMO exchange, let us know.

Article prepared by Anna Wright on the materials and the initiative of Jesus.