As the SEC clamps down on many fraudulent ICOs and cryptocurrency projects, most of the legit ones try to follow the unwritten rules. They now more often than not try and opt to go with KYC/AML procedures for their investors rather than incorporate their startup/ICO in a grey-zone country.
But just as the investment side of ICOs can be packed with scams, so too can the KYC/AML side. Here is why you shouldn’t give your information to ICOs without thinking very hard about it.
1. Projects sell your data
There’s quite a lot of demand for personal data, especially data which contextually describes email addresses of identities.
A list of 10000 email addresses from a given conference will go for about 0.1 BTC. If those addresses have personal data like names, addresses, or phone numbers, it can easily quadruple in price. If the list comes with submitted images of IDs of those people following a successful and fruitful KYC or AML process, or even their Ethereum or Bitcoin address, it can easily fetch up to 5–10 bitcoin. Sell it to more than one buyer and you’ve made a decent buck.
These emails are purchased for several reasons:
- Spamming people with upcoming scam ICOs or crypto projects with hopes of catching someone naïve enough to buy in. Many “ICO marketing” companies buy the lists for this reason.
- Analyzing and tracking transactions. If the lists contain people’s crypto addresses, tracking databases can be significantly upgraded by replacing unknowns with the data provided, enriching the graph and making further unmasking and tracking easier.
- Phishing people into giving you their access credentials on various popular sites like MyEtherWallet or an exchange, stealing their accounts (this becomes more valuable with phone numbers because you can easily get access to their SMS-based 2FA authentication too).
- Robbing people who are known to have large amounts of cryptocurrency. Especially easy if addresses are presented alongside names and emails.
- Stealing identities with the obtained personal information combined with the submitted IDs.
Let’s look at the last one in a bit more detail.
2. Identity theft
Online, identity theft takes much less work than real-life identity theft. Very few sites will ask for a social security number, so even if your ID wasn’t sold but a lot of metadata was, you’re easy to impersonate.
That said, there are three purposes behind online identity theft:
- traditional financial theft, like impersonating you in online stores or on credit card providers’ websites.
- investing as “you” so that when the IRS comes knocking, they get you for investing and earning millions rather than the original investor who is safely hidden away with his crypto riches or his cashed out fiat.
- laundering money through your name, or other hard crime: a criminal can easily buy goods from the dark web as you. They can commit fraud as you. They can even blackmail you or your loved ones.
Of course, there are many other reasons why people steal someone’s online identity. These are just the ones we encounter most often.
How do I protect myself?
There are three main ways to protect oneself from leaking private information this way:
Do your due diligence: investigate the team or have someone do it for you. It’s important to look into their credentials, skills, past projects and associations. Only move ahead if they seem trustworthy, but never trust them based on the whitepaper or the website alone – anyone can make a half-readable whitepaper or put together a fancy website. What you discover beyond that is what matters.
Use investment pools and proxies. Certain companies offer the option of investing for you. They enter an agreement with a legit ICO beforehand for certain bonuses and higher limits and then provide a full service like investigating the team, associating only with ICOs that seem legit, and sending you the tokens after everything is done (for a fee, of course). This comes with the added advantage of never having to deal with hardware wallets, wallet security, sending to the proper address, waiting nervously to see if the transaction was successful, etc. The proxy does it all for you.
This involves a huge trust factor where the company has the chance to run away with your money, so only do this with companies that have much to lose by betraying you and that have very, very public team members. In other words – if you know who to blame and the person behind the company or project is trustworthy, the company is okay to get in bed with.
These proxy companies are also good for masking your identity, as they are the only ones exposing themselves so the project has nothing to sell. In some cases, these proxy companies will require you to identify with them, so again, an additional trust factor is in place, but others won’t. It’s up to you to find the right one.
If you suspect your information has been sold, use a tool like Have I Been Sold to find out by whom. Then attack that company with full force. Expose them on social media, organize class action lawsuits, push them out of business. The best way to do this is to generate a new throwaway email address for each service you sign up to, as described on the HIBS website.
Disclaimer: Bitfalls.com is one such proxy investment company. If you’d like to talk about investing through us, let us know.