An account application under the name Kim Jong-Un cleared Gate.io’s Know Your Customer (KYC) checks and was approved within minutes.
Gate.io KYC process draws scrutiny
On-chain sleuth, ZachXBT, sought to test the hypothesis that crypto exchange accounts provide a degree of security when tracking down stolen funds.
“When stolen funds go to a crypto exchange people like to assume that there is a real person with a real identity tied to an account“
To debunk this, he applied for a Gate.io account with the name Kim Jong-Un and an email address “notlazarus.” ZachXBT screenshotted the application approval showing he had passed KYC and was cleared to trade cryptocurrencies on the exchange.
Furthermore, the company’s “KYC-1” basic verification tier enabled the account holder to withdraw up to 100,000 USDT daily.
It’s unclear whether ZachXBT had altered ID documentation to get to this point. Nonetheless, the outcome highlighted flaws in Gate.io’s application process – particularly with regard to name checks.
To hammer home the point, ZachXBT repeated this process using made-up names and names listed on the Office of Foreign Assets Control (OFAC) sanctions list with email addresses such as “harmonyhacker” and “lazaruslover” – all of which were approved – thus contradicting the idea that bad actors shy away from using exchanges.
The Lazarus Group refers to a collective of hackers and scammers, reportedly under the direction of the North Korean government.
The group employs many strategies, including malware, as used in the 2017 WannaCry ransomware attack. And social engineering, such as baiting a senior Axie Infinity engineer to open a “job offer” file, subsequently infecting the engineer’s computer and leading to several Axie nodes being seized.
Know Your Customer
To meet Financial Action Task Force (FATF) compliance, crypto exchanges have been incorporating mandatory KYC requirements – with ByBit becoming the latest to fall in line. The company announced that all users will need to upload ID starting from May 8.
KYC critics argue that the practice limits crypto participation. Moreover, bad actors have the means and know-how to easily bypass checks – making KYC pointless in terms of achieving its goal of stopping money laundering.
Also, as demonstrated in the Ledger data breach in July 2020, storing customer information provides hackers with an additional avenue of attack. Ledger customers were threatened and doxxed after their contact information was made public.
CryptoSlate reached out to Gate.io for comment on ZachXBT’s findings. No comment was received at the time of press.