Last week, an employee of South Korean cryptocurrency exchange Bitkoex leaked the private account details of 19 customers during a group chat on social messaging platform KakaoTalk. The leak included the real names and email addresses of Bitkoex customers who had balances of Karma (KRM) tokens, as well as their public wallet addresses and private keys. Combined, these tokens were worth around $620,000 (750 million won). While Bitkoex has claimed that the leak was accidental, the incident is a stark reminder of just how insecure customer data often is within an exchange.
Bitkoex responded quickly after the customer data was leaked, moving customer KRM balances into offline wallets until new accounts and wallets could be established. The exchange claims that no KRM balances were altered between the leak and the move to cold storage. While nothing was stolen, Bitkoex’s reputation has taken a major body blow, something that could prove fatal for the relatively small exchange. Bitkoex’s demonstrably lax security practices could more than justify a mass migration of customers to an established firm.
One of the issues at the heart of the Bitkoex controversy is the question of why such sensitive data was ever posted to KakaoTalk in the first place. The popular South Korean messaging system has around 50 million active users, but has been widely criticized by security experts due to a lack of end-to-end encryption. (In fact, “private” KakaoTalk messages are often examined by government authorities.) Even if there was a legitimate reason to share customer data in a group chat context, KakaoTalk’s unencrypted and notoriously insecure platform wasn’t the place to post it. Shortly after the details were posted, as if looking to prove that point, a participant in the group chat released the account details to the public.
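What was pasted into the chat was key material in plain text, and a channel that is not end-to-end encrypted cannot un-leak it. A control that sits in front of the leak, rather than the channel, is a data-loss-prevention check on outbound chat or ticket text that refuses to send anything carrying a private key and flags addresses and e-mail addresses for review. The following Python is an added example written for this article; it is not code from the original post or from Bitkoex. The sample messages are constructed, and the key formats it looks for (a raw 32-byte hex key as an ERC-20 holder would have, a Bitcoin-style WIF string, and an Ethereum address) are assumptions, since the article does not say which format was exposed. The WIF path validates the Base58 checksum so that ordinary words matching the shape do not trip the block.

```python
import hashlib
import re

# Constructed sample chat lines. None of these are real customer data.
SAMPLE_MESSAGES = [
    "customer list: alice@example.com, balance 1200 KRM",
    "wallet 0x52908400098527886E0F7030069857D2E4169EE7",
    "key 0x" + "00112233445566778899aabbccddeeff" * 2,
    "meeting at 10, bring the ledger",
]

# Assumed formats: 32-byte hex private key (Ethereum-style), Bitcoin-style
# WIF private key, Ethereum address, and e-mail address.
HEX64 = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
WIF_CANDIDATE = re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s):
    """Base58 -> bytes, keeping leading '1' characters as zero bytes."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw):
    """bytes -> Base58; used here only to build a constructed WIF key."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def make_wif(key32):
    """Uncompressed-key mainnet WIF from 32 key bytes (for constructed samples)."""
    payload = b"\x80" + key32
    return b58encode(payload + double_sha256(payload)[:4])


def is_valid_wif(candidate):
    """True only if the Base58 checksum holds; rejects look-alike strings."""
    try:
        raw = b58decode(candidate)
    except ValueError:
        return False
    if len(raw) not in (37, 38) or raw[0] != 0x80:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return double_sha256(payload)[:4] == checksum


def classify(message):
    """Return (kind, match) pairs for sensitive material found in one message."""
    findings = []
    for m in HEX64.finditer(message):
        findings.append(("PRIVATE_KEY_HEX", m.group()))
    for m in WIF_CANDIDATE.finditer(message):
        if is_valid_wif(m.group()):
            findings.append(("PRIVATE_KEY_WIF", m.group()))
    for m in ETH_ADDR.finditer(message):
        findings.append(("WALLET_ADDRESS", m.group()))
    for m in EMAIL.finditer(message):
        findings.append(("EMAIL", m.group()))
    return findings


def should_block(message):
    """Private-key material is blocked outright; other findings are logged."""
    return any(kind.startswith("PRIVATE_KEY") for kind, _ in classify(message))


def scan(messages):
    """Scan a batch; returns (blocked, flagged_for_review) lists of (msg, findings)."""
    blocked, review = [], []
    for msg in messages:
        findings = classify(msg)
        if should_block(msg):
            blocked.append((msg, findings))
        elif findings:
            review.append((msg, findings))
    return blocked, review


if __name__ == "__main__":
    blocked, review = scan(SAMPLE_MESSAGES)
    for msg, findings in blocked:
        print("BLOCK ", [k for k, _ in findings], msg[:40])
    for msg, findings in review:
        print("REVIEW", [k for k, _ in findings], msg[:40])
```

The split between "block" and "review" is deliberate: a public wallet address or an e-mail address may have a legitimate reason to appear in an internal message, so those are logged for a reviewer, while a string that checks out as a private key has no business leaving the host at all. Wherever the chat client runs, the same scan can sit in a proxy, a bot that moderates the group, or a pre-send hook.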
The most troubling element of the Bitkoex incident isn’t the leaked data itself, however, but what it suggests about the generally poor quality of security practices at South Korean crypto exchanges. Only three weeks ago, Coinrail was hacked for around $40 million in various tokens. Less than a week ago, hackers stole around $31 million from Bithumb, one of the country’s most popular and successful exchanges. If poor security practices are the rule at South Korean cryptocurrency exchanges, their operators are effectively inviting both future heists and heavy-handed regulation.
It’s also worth noting that there is little reason to believe that data security is better at most exchanges outside of South Korea. While a few larger exchanges and brokerages have invested heavily in security infrastructure, there’s no reason to believe that a negligent employee at a high-profile U.S. or European exchange couldn’t accidentally leak customer data in a similar way to what happened at Bitkoex. As a best practice, customers should only keep tokens on exchanges immediately before they trade or sell them. When they need to securely store their BTC, ETH, XRP, or other cryptocurrency, the best option is to move their token balances to a tethered, air-gapped hardware wallet.