Once upon a time initial coin offerings were open to everyone. That time was last year, and since then gaining entry to ICOs has become increasingly difficult. In response to regulatory attention from the SEC, crypto startups have begun to perform due diligence on aspiring investors. Thanks to onerous KYC requirements, the pendulum has swung the other way, presenting hackers with an additional prize – the data of tens of thousands of investors.
KYC Requirements Are an Accident Waiting to Happen
Last year, the U.S. Securities and Exchange Commission went after a number of ICOs for failing to perform due diligence to ensure their investors didn't hail from the U.S. Spurred partially by a desire to avoid censure or shutdown from the SEC, ICOs have taken things to the opposite extreme, using Know Your Customer procedures to weed out investors from the U.S., China, and a handful of other countries. To date, all of 2018's major crowdsales have required some sort of KYC in order to gain admittance to their whitelist, with many outsourcing the task to third parties that specialize in such matters.
To merely be considered for a token sale, it is now commonplace for an individual to have to submit a passport scan, bank statement, and various other documents and to answer a string of questions about their background and the origin of their cryptocurrency. Legolas, for example, requested that investors "Provide as much detail as possible about the origin of the BTC". Being whitelisted for a token sale is no guarantee of participation either. Oversubscribed ICOs such as Arcblock returned ether to hundreds of participants who had failed to contribute in time or who were deemed to have "cheated" by using over the prescribed gas limit. Twitter traders now encourage investors to submit KYC to as many promising ICOs as possible, just in case they later decide to participate.
A Data Leak In the Making
In Sentinel's Telegram chat, investors were deeply critical.
With ICOs now holding the passports and other identification documents of thousands of crypto investors together with their emails and wallet addresses, hackers have an added incentive to target crowdsales. Even if they're unsuccessful in altering the contribution address, the raw data of tens of thousands of crypto holders is a honeypot of significant value in its own right. Some of that honey was stolen from The Bee Token, whose email database was accessed and used to send out phishing emails which raised over $1 million.
This week, Sentinel ICO had an even bigger fail after the passport data of its users was leaked. In a Medium post, the startup confessed that a website vulnerability had allowed uploaded files to be accessed by another user. To compound the problem, the user who discovered the flaw then claimed to have been reported to the police by Sentinel for their actions, despite having done nothing wrong.
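The flaw Sentinel describes, one user's uploaded file being readable by another, is the classic broken-access-control failure on a file download endpoint: the server looks the file up by its identifier and never asks whether the requester owns it. The article does not say how Sentinel's endpoint was built, so the following is an added illustration of that general failure class and its fix, not Sentinel's code. The two store classes, the user names and the document contents are constructed for the example; the hardened version pairs an ownership check (the actual fix) with unguessable identifiers and a record of denied requests that an operator can alert on.

```python
"""Added example: a KYC document store, first with the access-control defect
described in the article, then hardened. All names and data are constructed."""
import secrets
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a user requests a document they do not own."""


@dataclass
class StoredDoc:
    owner: str        # user who uploaded the file
    filename: str     # original file name, e.g. a passport scan
    content: bytes    # file bytes (sample data in the example)


class VulnerableDocStore:
    """Serves any upload to anyone who knows, or guesses, its sequential id."""

    def __init__(self) -> None:
        self._docs: dict[int, StoredDoc] = {}
        self._next_id = 1

    def upload(self, user: str, filename: str, content: bytes) -> int:
        doc_id = self._next_id          # predictable: 1, 2, 3, ...
        self._next_id += 1
        self._docs[doc_id] = StoredDoc(user, filename, content)
        return doc_id

    def download(self, user: str, doc_id: int) -> bytes:
        # Defect: `user` is ignored, so ownership is never checked.
        return self._docs[doc_id].content


@dataclass
class HardenedDocStore:
    """Same API, but every read is authorised against the document's owner."""

    _docs: dict[str, StoredDoc] = field(default_factory=dict)
    # (requesting user, doc_id) for every refused read; feed this to alerting.
    denied_attempts: list[tuple[str, str]] = field(default_factory=list)

    def upload(self, user: str, filename: str, content: bytes) -> str:
        doc_id = secrets.token_urlsafe(16)   # 128-bit random id, not enumerable
        self._docs[doc_id] = StoredDoc(user, filename, content)
        return doc_id

    def download(self, user: str, doc_id: str) -> bytes:
        doc = self._docs.get(doc_id)
        # Missing and foreign documents get the identical response, so a
        # caller cannot learn whether an id exists by probing it.
        if doc is None or doc.owner != user:
            self.denied_attempts.append((user, doc_id))
            raise AccessDenied("document not found or not owned by requester")
        return doc.content


def demo() -> dict:
    """Runs both stores with constructed users and returns the observed results."""
    leaky = VulnerableDocStore()
    leaky_id = leaky.upload("alice", "passport.jpg", b"ALICE-PASSPORT")
    leaked = leaky.download("mallory", leaky_id)      # another user reads it

    safe = HardenedDocStore()
    safe_id = safe.upload("alice", "passport.jpg", b"ALICE-PASSPORT")
    owner_read = safe.download("alice", safe_id)
    try:
        safe.download("mallory", safe_id)
        blocked = False
    except AccessDenied:
        blocked = True
    return {
        "leaked_to_other_user": leaked == b"ALICE-PASSPORT",
        "owner_can_read": owner_read == b"ALICE-PASSPORT",
        "other_user_blocked": blocked,
        "denied_attempts_logged": len(safe.denied_attempts),
    }


if __name__ == "__main__":
    print(demo())
```

The ownership comparison in `download` is the fix; the random identifier only raises the cost of enumeration and is no substitute for it, which is why `demo()` checks the hardened store with a valid id and a non-owner rather than with a guessed id.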