The Curious Case of the “Digitex Leaker”
Who's to blame in the latest data breach?
One by one, identity cards and passports began flowing into a Telegram channel called “The Digileaker.” The anonymous individual posting the documents claimed to have “unrestricted” access to several thousand more records from the crypto project, Digitex.
“I would like to see [Digitex’s] problem-solving abilities in identifying the issue,” said the individual in an email with Crypto Briefing.
The Rise of the Digitex Leaker
The slow leak that began on Feb. 28 quickly picked up steam in the crypto media space.
Although unconfirmed at that time, initial reports indicated that the leaker had full access to all of Digitex’s KYC data and that they were also directly affiliated with the company. Commentators hinted at this affiliation due to a similar breach at the beginning of February.
On Feb. 10, a screenshot of various ETH addresses and their respective emails was posted on the company’s official Facebook page. Each identity was allegedly pulled from Digitex’s KYC portal.
In a Telegram conversation, Digitex communications lead Christina Comben explained that the culprit’s identity was “not 100% confirmed” at that time.
Later, the team identified that the source of this particular leak was a disgruntled ex-employee. Comben told Crypto Briefing at that time that:
“It was all arranged by an ex-employee, I can’t say much more about this in terms of motives except that he was let go when it was discovered that he was working with a competing company (conflict of interest), since then he has tried to discredit Digitex and [the CEO, Adam Todd].”
She also explained how this former staff member had trusted access to multiple Digitex accounts, including the KYC portal.
Last week, it appeared that the same ex-employee had struck again, leaking blurred images of identity cards and passports of various Digitex users. In an email exchange, the leaker denied having any relation to Digitex. “I was not tipped off, these findings were my own, and I did not receive help,” they wrote, adding:
“Digitex has always blamed external people for issues that arise, and I found it strange, so after a little bit of work, I was able to access some of their systems and logins.”
They also explained that they would not reveal their identity other than that they were “not located far from Adam and his developer team [in] Moscow.” As to any clue when the leaks would stop, they responded:
“The leaks will continue for as long as Mr. Adam Todd continues to hide in silence and not be at all bothered by losing the data of his customers. He can have it end now with [five] people, or he can have it end with everyone, the choice is his.”
The Digitex Leaker’s Demands
Yesterday, however, the Digitex team confirmed that the leaker was indeed the original poster from earlier last month. They have enlisted the services of a third party, SmartDec, to block all admin access to the KYC platform. The leaker also indicated in the Telegram channel on Monday that users “should be safe doing KYC now.”
This is not the first time that Digitex has tapped SmartDec. The company has also been helping build out Digitex’s exchange product.
In the post regarding the latest debacle, the Digitex team wrote that the culprit had made specific demands in exchange for a halt to the dissemination of user data. A spokesperson from Digitex said that these demands were not monetary, but could not comment further.
They added further that “SmartDec is reviewing everything now. We have proof it was internal, I can’t say any more than that.”
Bug bounties are common in the crypto community, especially considering the nascence of many emerging technologies. Indeed, developers can turn a small profit moving from project to project and investigating their code.
A common practice is then to inform the project of its vulnerability via recommended channels. When done in good faith, projects enjoy higher security standards, and the roving bounty hunter claims a prize for their efforts.
Based on the evidence provided, it appears that a malicious agent held private data hostage in exchange for a reward. They were able to leverage this position via sensitive, internal access that may or may not have been available to an independent bounty hunter.
Unfortunately, neither Digitex nor the leaker has been willing to confirm or deny the above.