PayBito Customer Data Breach

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Notice: Some details of this case study are inconsistent with one another, and there is a lack of credible sources found to resolve the discrepancies. This could be because information has been reported inaccurately, details from multiple separate incidents have been incorrectly considered to be related, or there are additional facts not yet discovered which explain the discrepancies. Please check the References at the bottom for further information and perform your own assessment. If you have some time, please contribute back to our database by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

PayBito

PayBito is a large cryptocurrency exchange operating in the US and India. On February 3rd, 2022, a ransom group apparently gained access to the records of over 100,000 customers, including weakly hashed passwords. The group also claimed they were going to publish the records if a ransom was not paid by February 21st. There is no indication that the platform has responded or disclosed the breach to any affected users.

This exchange or platform is based in United States/India, or the incident targeted people primarily in United States/India. [1][2][3][4][5][6]

About PayBito

[7][8][9][10][11][12][13]

"PayBito is the easiest and the most trusted place for individuals and institutions to buy, sell and trade a variety of Cryptocurrencies such as Bitcoin, Bitcoin Cash, and more." "PayBito is a Bitcoin and cryptocurrency exchange trading platform for major cryptocurrencies including Bitcoin, Ether, Bitcoin cash, Litecoin, HCX, ECR20 and many more. The platform allows purchases in INR, USD, AED and supports cryptocurrency trading pairs. Available in Web version, Android & iOS App."

"Founded Date Dec 11, 2017" "PayBito.com was founded in 2018." "Launch Date: 12.06.2018" "As of 22 November, 2019 the exchange is running a trading volume of USD238,568,498 (as per CoinMarketCap)."

"Despite its young age, PayBito became one of the top trading platforms for a global userbase. Its trading volumes are on the rise, and it even supports fiat-to-crypto and crypto-to-fiat conversion, which made it an excellent choice for those who are only entering the crypto industry now."

"PayBito is a leading cryptocurrency asset trading platform operating in USA and India. The platform is designed and operated by a team with rich experience in Banking security systems, Cryptocurrency trading and Blockchain technology. Available in iOS and Android stores, PayBito offers some of the best rates and top-notch security on the planet."

The new firm’s Managing Director, Raj Chowdhury, commented by saying that “We at PayBito are constantly upgrading our platform and include novel factors in interface features or more coin options for trading so that the users can diversify their portfolio, as well as enjoy a profit margin through the exchange of varied coins. Our team has been dedicating itself in adding more cryptocurrencies to the platform while ensuring the best price to the traders.“

"PayBito is multi-signature and security-focused. It implements advanced security protocols to protect users from cyber breaches. The exchange monitors AML and KYC checks before users can load their wallets for purchase from the app. Three-point architecture, hot wallet, multi-signature cold vault, DDoS Mitigation, firewall protection, monitoring and logging, identity and access controls and data encryption are some of the technological advancements employed by Paybito."

"PayBito, which has been showing consistent growth in trading volume, aims to offer a seamless experience to users. It is Segwit enabled and has liquidity integration with major exchanges, as well as advanced features like two-factor authentication with Firebase, GA, and BIP-32, pending transaction handling, and block confirmation tracking. The exchange offers users with an open order book a venue where they can trade in crypto as per their requirements."

The Reality

"According to the attackers, PayBito used weak hashing algorithms, which makes it easy to decrypt passwords and emails of affected users. In addition, the group extracted the personal data of administrators." "The hackers say the e-mail addresses and passwords were only very inadequately protected by the Californian operating company. It is easy to decrypt the data. In addition, the cyber criminals claim that they also gained access to the addresses of the owners of the operating company."

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

LockBit ransomware gang claims to have stolen customers' data from the PayBito crypto exchange, operated by HashCash. The gang published the name of the company on their Tor leak site and announced the theft of a database containing personal data of over 100,000 customers worldwide. They also claim to have stolen email and password hashes, which they say can be easily decrypted due to a weak hash algorithm. The stolen data will be published on February 21st, 2022 if the company does not pay the ransom. The LockBit ransomware gang has been active since 2019 and recently launched LockBit 2.0, targeting systems and users not matching specific Eastern European languages. The FBI has released a flash alert with technical details associated with the LockBit ransomware operation[14].

What Happened

"On February 8, the LockBit ransomware group claimed to have stolen substantial customer data from cryptocurrency exchange PayBito. PayBito is a cryptocurrency exchange operated by HashCash, a global blockchain, and IT services company." "The group claimed the attack on Thursday, February 3rd on its official website on the so-called dark web accessible through the Tor browser. In its post, the operators of LockBit ransomware stated the stolen database contains personal information of customers in the United States and other countries worldwide."

Key Event Timeline - PayBito Customer Data Breach
Date Event Description
February 3rd, 2022 2:03:00 PM MST Fusion Intelligence Center Alert The Fusion Intelligence Center reports on Twitter that the "LockBit ransomware gang has announced Cryptocurrency Exchange "paybito" on the victim list."[15]
February 5th, 2022 1:30:51 PM MST Security Affairs Article Security Affairs reports that the LockBit ransomware gang claims to have stolen customers' data from the PayBito crypto exchange, operated by HashCash. The gang published the name of the company on their Tor leak site and announced the theft of a database containing personal data of over 100,000 customers worldwide. They also claim to have stolen email and password hashes, which they say can be easily decrypted due to a weak hash algorithm. The stolen data will be published on February 21st, 2022 if the company does not pay the ransom. The LockBit ransomware gang has been active since 2019 and recently launched LockBit 2.0, targeting systems and users not matching specific Eastern European languages. The FBI has released a flash alert with technical details associated with the LockBit ransomware operation[14].
February 8th, 2022 LockBit Ransomware Group Claim "On February 8, the LockBit ransomware group claimed to have stolen substantial customer data from cryptocurrency exchange PayBito. PayBito is a cryptocurrency exchange operated by HashCash, a global blockchain, and IT services company."

Technical Details

"At the beginning of February, it was announced that the ransomware group LockBit was able to penetrate the crypto trading exchange PayBito.com. They claim to have captured the data of at least 100,000 PayBito customers on February 3rd."

"Cryptocurrency exchange company "HashCashConsultant" > database of 100 thousand users. PD of customers worldwide, administrators, as well as emails and hashes. If you want to purchase all of this, please contact us via TOX,” write the ransomware operators." "According to the hackers, the dataset contains all important personal information of customers from the United States and around the world."

"Some of the stolen data is published on the group's Tor leak site. In this cyberattack, the ransomware group successfully stole a database containing personal data information from more than 100,000 customers worldwide. In addition, the group also stole some email data and password hashes, some of which can easily be decrypted."

"According to the attackers, PayBito used weak hashing algorithms, which makes it easy to decrypt passwords and emails of affected users. In addition, the group extracted the personal data of administrators." "The hackers say the e-mail addresses and passwords were only very inadequately protected by the Californian operating company. It is easy to decrypt the data. In addition, the cyber criminals claim that they also gained access to the addresses of the owners of the operating company."

Total Amount Lost

"At the beginning of February, it was announced that the ransomware group LockBit was able to penetrate the crypto trading exchange PayBito.com. They claim to have captured the data of at least 100,000 PayBito customers on February 3rd."

No funds were lost.

Immediate Reactions

"The group claimed the attack on Thursday, February 3rd on its official website on the so-called dark web accessible through the Tor browser. In its post, the operators of LockBit ransomware stated the stolen database contains personal information of customers in the United States and other countries worldwide."

Fusion Intelligence Center Tweet

[15]

[ALERT] LockBit ransomware gang has announced Cryptocurrency Exchange "paybito" on the victim list.

False Claim Controversy

[16] TBD to resolve controversy.

"This is a false claim, please do not publish/promote misleading information."

Ultimate Outcome

"Threat intelligence feeds like Dark Tracer and Dark Feed have also tweeted (1 & 2) about the alleged ransomware attack on PayBito."

"The Californian operator Hashcash Consultants is silent on the in- house blog about the matter . There is also no message about the copied user data in the paybito.com news. The members of the LockBit extortion group had announced that they would publish PayBito data from February 21 if their demands were not met."

"To make matters worse, the gang also managed to steal the administrator's personal data, claiming that the stolen data would be released on February 21, 2022, if the ransom is not paid." "If the affected company does not pay the ransom by February 21, 2022, all of the information listed will be published online."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

TBD

Individual Prevention Policies

Individuals can protect themselves by minimizing the information which is shared with platforms. In particular, using a different email address for each service can limit the impact of a breach of one service on any other service. Educate yourself on phishing scams and store most funds offline.

Set up separate email addresses for each service, and avoid providing your phone number whenever possible. Any received emails or phone calls must be viewed with scrutiny, especially if unsolicited. Interact with companies only through their official websites and confirm anything with the company directly via multiple official sources, especially if it promises a significant incentive to take an action or threatens access to your funds if an action is not taken. It would be recommended to also establish a network of multiple trusted individuals who use the same services and have a strong level of security knowledge.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Platforms need to constantly be monitoring their security and ensuring that best practices are followed. It would be recommended that access to sensitive information operate under a multi-signature model where approval is needed from several people to access this information.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Improving the education of users can decrease the effectiveness of any phishing attacks. In the event of loss due to compromised information, an industry insurance fund can assist users.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

The primary solution is to remove the need for platforms to handle large amounts of sensitive user information. A secondary solution is to improve and validate the security of platforms.

A key challenge is the increased reliance on an incredible amount of personal data by financial firms. Having this information shared as part of a normal business relationship and floating around on multiple platforms poses a severe risk to all users when it comes to identity theft, phishing attacks, and other targeted criminal activities. While various frameworks have been proposed for how platforms can safeguard this information, they all suffer from the problem of depending on individuals within the organization who can be coerced, bribed, or tricked into violating the policies. They also do not address situations in which customers divulge information to unregulated platforms, either deliberately or by being tricked via a phishing attack. Criminals only need to breach one platform, and the information is permanently exposed to the black market. As an alternative, a single digital access token could be used to validate identity, with the associated personal information stored in a single secure location. The personal information is much less likely to be breached. If the token is breached on any third party platform, the access token can be revoked and swapped with a new token, while criminals have no way of utilizing the old token.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Improving the education of users can decrease the effectiveness of any phishing attacks. In the event that funds are stolen using the compromised data, an insurance fund can be used to assist victims.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
  2. Cardano (ADA) gets listed on a prominent US exchange | Invezz (Mar 12, 2022)
  3. Crypto Weekly News: PayBito Halts XRP Trading, Cryptos New All-Time Highs, and More - Crypto.co (Mar 12, 2022)
  4. Операторы LockBit уверяют, что похитили ПДн клиентов криптобиржи PayBito (Mar 12, 2022)
  5. PayBito: Erpresserbande LockBit veröffentlicht Datenbankauszug (Mar 12, 2022)
  6. LockBit ransomware gang claims PayBito crypto exchange as new victim (Mar 12, 2022)
  7. Buy & Sell Bitcoin and Altcoins | Cryptocurrency Exchange - PayBito (Mar 12, 2022)
  8. https://coinmarketcap.com/exchanges/paybito/ (Mar 12, 2022)
  9. Team - PayBito (Mar 12, 2022)
  10. Crypto exchange PayBito reports surge in trading volume | Institutional Asset Manager (Mar 12, 2022)
  11. https://www.crunchbase.com/organization/paybito (Mar 12, 2022)
  12. Twitter / Account Suspended (Mar 12, 2022)
  13. Bitcoin exchange PayBito launches FIX API » CryptoNinjas (Mar 12, 2022)
  14. 14.0 14.1 LockBit ransomware gang claims to have stolen data from PayBito - Security Affairs (Mar 12, 2022)
  15. 15.0 15.1 Fusion Intelligence Center - "LockBit ransomware gang has announced Cryptocurrency Exchange "paybito" on the victim list." - Twitter (Mar 12, 2022)
  16. Hash Cash Admin - "This is a false claim, please do not publish/promote misleading information." - Twitter (Jul 14, 2023)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=PayBito_Customer_Data_Breach&oldid=4807"