BitMEX customers exposed after email mishap
The largest cryptocurrency exchange by trading volume announced on Friday that it had mistakenly exposed thousands of user email addresses by entering them into the cc field instead of bcc.
Victims of the leak are now susceptible to hacks and targeted phishing attacks, and the reputation of the already controversial exchange has taken a hit.
23,000 emails or more
BitMEX says its internal processes “failed,” exposing thousands of users to privacy risks. In a blog post on Monday, the exchange said its mass email operation failed, causing “most BitMEX users” to have their email addresses exposed via carbon copy (CC).
The exact number of leaked email addresses is unknown, but a batch of 23,000 addresses is being circulated on Twitter — around the same figure as the number of traders that use the site each day, according to data analytics firm Skew.
According to The Block analyst Larry Cermak, there is a list of 30,000 emails from the leak already being sold on the darknet. He analyzed a portion of these addresses to reveal that 64 percent of them are on Gmail, with encrypted email account service ProtonMail representing only 3.2 percent.
Several email addresses were traced back to U.S. residents, who are strictly forbidden from trading on the exchange. These were mostly .edu emails belonging to American universities NYU, Berkeley, and Michigan.
"The number of people that use first.last name or unique domains is unreal," tweeted Cermak. "My eyeball estimate is that ~70% of people can be doxxed from the email alone."
This email exposure means that BitMEX users are likely to become targets of scams involving phishing pages, which resemble the login pages of popular online services but aim to steal your data, and spear-phishing emails sent by criminals masquerading as members of customer support teams.
The email addresses also give cybercriminals a key piece of the puzzle for stealing a complete online identity.
By matching the misplaced emails against lists of previously hacked credentials available on the darknet, cybercriminals can potentially identify the passwords needed to gain full access to BitMEX accounts, and accounts on other cryptocurrency exchanges where the person might have used the same email address.
Several hackers claim to be running the leaked emails against existing databases of hacked data in a bid to alert potential victims before it is too late.
"I ran a quick search on the Bitmex emails on 1 of my databases and I’ve gotten quite a few hits," said Twitter user TheMask. "Do you guys think I should email the people I found passwords for?"
Meanwhile, BitMEX hacking groups have already appeared on Telegram where cybercriminals are spreading the leak further and sharing their successes stealing Bitcoin from compromised accounts.
Another blow for BitMEX
A few hours after the flawed BitMEX email was sent, hackers appeared to take control of BitMEX’s Twitter account, sending an ominous tweet warning users to “take your BTC and run.”
The tweet, which was quickly deleted, is thought to have been the parting words of the disgruntled communications manager who was responsible for the email mishap, adding a second embarrassing public blunder for the exchange.
In a statement, BitMEX said that it had identified "the root cause of the fault" and advised users to be aware of phishing attempts, create strong and unique passwords, and ensure they have two-factor authentication enabled.
But while this might help protect users, the reputational damage has already been done to BitMEX.
By sharing personal data without customer consent, the exchange could be in breach of regulations like the General Data Protection Regulation (GDPR) and has opened itself to potential lawsuits over confidentiality breaches.
Additional scrutiny from regulators could barely come at a worse time for BitMEX, which was placed under investigation by the U.S. Commodity Futures Trading Commission (CFTC) in July for allegedly allowing Americans to trade on the platform without a license.
The leaked email addresses from U.S. users are a damning indictment for this ongoing regulatory probe, and as other commentators like Dovey Wan have pointed out, could also help government authorities like the tax department conduct their own investigations.
Meanwhile, the erosion of trust in BitMEX threatens its dominance over the crypto derivatives market. The recently launched Binance Futures platform now offers even higher leverage than BitMEX at 125x, and other upcoming contenders like ByBit and Deribit continue to attract more traders.