The stolen data includes passport and drivers license images and other sensitive information which allegedly belongs to over 8,000 traders registered on Digitex.
The Seychelles-headquartered cryptocurrency exchange told Cointelegraph that cannot provide any details, at the moment, about the data leak, but it’s in the process of seeking legal counsel.
The exchange’s management noted:
“Digitex Futures is aware of a leak of confidential data. We are not able to comment fully on the incident at this time and are currently seeking legal counsel. However, we can confirm that this was not an external hack but an internal security breach orchestrated by an ex-employee with a conflict of interest against the company. We will be releasing more information on the incident as soon as possible.”
According to sources familiar with the incident, the data of 8,000 users “has not been breached.”
They claim that only three user IDs have been compromised, however, the hacker claims that he has them all and is now “starting to post demands so as not to leak the rest.”
Via encrypted messaging service Telegram, the “Digileaker” said he has “the entire KYC documentation of every single user who has used the Digitex Treasury from its inception date until today.”
During an interview with crypto-related scam investigator CryptoVigilante, the Digileaker stated that he had used login information, which he stole when Digitex had submitted user IDs and other personally identifiable information to KYC provider Sum and Substance.
The hacker claims that the login “gives unrestricted access to all the KYC information of 8000+ customers,” which includes their personal documents, home or office address, phone numbers and other sensitive information like their IP addresses.
Digitex’s problems appear to be getting worse as a former employee of the firm recently took over its official Facebook account to publicly share users’ email addresses.
The exchange noted in a blog post, published earlier this month, that the security breach was an “internal” matter that had been carried out by a “scheming and highly manipulative ex-employee.”
Digitex’s management also claimed that “beyond [users’] email addresses, no other sensitive information was gathered or released.”