El Salvador’s $30 Bitcoin reward was targeted by hackers, and a large number of residents’ identities were stolen


Chivo Wallet is a national digital wallet issued by the government of El Salvador on September 7 to implement the Bitcoin Act. To promote it, El Salvador promised that users who download Chivo Wallet and complete authentication will receive a $30 Bitcoin reward. This move allowed the official wallet of El Salvador to exceed 2 million users in one month.

El Salvador’s President Nayib Bukele said: “Compared with the nationalization and privatization of traditional banks in 40 years, we seem to be able to provide banking services to more people within a month.”

With the adoption of Bitcoin, Bukele put his country at the center of "global discussions about the future of currencies." Article 7 of the Bitcoin Act stipulates that all merchants must accept Bitcoin as a payment method when customers offer to pay in Bitcoin.

Hackers target Chivo wallet

At first, Cynthia Gutierrez, a citizen of El Salvador, refused to download Chivo, but she finally decided to open the wallet on October 16th because she learned from fellow Salvadorans that hackers had stolen their identity information and activated the wallets associated with their IDs.

In an interview, Gutierrez said: "This situation is increasing and it has entered my intimate circle."

When Gutierrez entered her personal information, a window popped up in the Chivo wallet stating that her ID number had already been associated with a wallet.

The identity theft of Gutierrez is one of hundreds of cases reported by Salvadorans since September. Between October 9th and October 14th, Cristosal, a human rights organization in El Salvador, received 755 notifications from Salvadorans reporting that their Chivo wallet identity had been stolen.

The hackers’ large-scale identity theft had a clear motive: each wallet contained $30 worth of Bitcoin, provided by the government of President Nayib Bukele of El Salvador to encourage citizens to use this cryptocurrency.

Chivo's system is flawed

According to the official website of Chivo Wallet, opening an account requires scanning the front and back of an individual's driver's license, and then performing face recognition to verify the identity of the registrant. But some Salvadorans reported evidence of flaws in the system.

Adam Flores, a Salvadoran YouTube user, heard about a case of identity theft by hackers. He remembered that his grandmother hadn't registered for a Chivo wallet and decided to test it on the spot. Although Flores only had a copy of his grandmother's driver's license, he tried it. Surprisingly, Chivo accepted the application as valid.

Flores completed the verification process and was then asked to perform real-time facial recognition. So he took a picture of a poster on the wall of his room, which shows Sarah Connor, a character in the "Terminator" movie series. After a few seconds of verification by the facial recognition system, the photo of the poster passed the verification and a $30 reward was issued.

Afterwards, Flores made another attempt, this time using a coffee cup in place of the driver's license, and defeated the Chivo wallet's facial recognition.

Salvadorans don’t always try to open an account on their own. According to the human rights organization Cristosal, of the 700 Salvadorans who reported their identity theft, most asked acquaintances to try to transfer money through Chivo by entering their ID number as the payee, and found that the address was "ready to receive transfers". In other words, their ID number had already been registered illegally.

Fearing being impersonated, Ramón Esquivel, another citizen of El Salvador, asked an acquaintance to use his driver's license to transfer money to a wallet on October 11. To his surprise, the transfer was successful, even though he never activated his account. After the incident, he filed a complaint with the Attorney General’s Office: “I was very angry, and I realized that the hacker had used my identity information. I was used to conduct money laundering activities. These actions were registered in my identity and damaged my integrity."

Savvy hacker

In other identity theft cases, hackers even transferred the $30 to other hacked accounts instead of to their own wallets.

Two weeks ago, Salvadoran multimedia host Gabriela Sosa tried to activate the Chivo wallet with a driver's license, but an error message popped up on the screen to inform her that she was already registered. After the incident, Sosa immediately dialed Chivo's official number and was told that she had to go to Chivo's local site. So she went to the help center and finally recovered her account, but the $30 had been transferred away.

So Sosa posted on Twitter the details of the account to which the $30 was transferred. The account user’s name was Michael Santa Cruz.

A few days later, Santa Cruz learned of this on Twitter, but he had never activated his Chivo account before. So he tried to open his wallet, but the system showed that the driver's license had already been registered. Like Sosa, he also went to the Chivo Help Center. After restoring his account, he realized that the wallet had been used to receive funds from other hacked accounts.

Picture: Transaction carried out with Santa Cruz’s wallet

Acción Ciudadana, a non-profit organization that specializes in audits, submitted a notice to the Attorney General's Office (FGR) on October 12 after Humberto Sáenz, president of the group, and Eduardo Escobar, director, discovered that hackers had registered their Chivo wallets.

Acción Ciudadana stated that as of now, two weeks after submitting the notice, the Attorney General's Office has not responded.

Laura Nathalie Hernández is a technical attorney at Legal Novis in El Salvador. She has been receiving requests for assistance from victims of identity theft involving Chivo wallets. According to Hernández, Chivo Wallet should be the first place to turn in cases of identity theft. "But we don't have much information about who is responsible. We don't know who is managing it. There is no transparency."

Chivo is not responsible for this, and there is no clear resolution process

According to the Chivo Wallet's terms of use, the authorization of the account is conditional on the KYC process executed by CHIVO SA de CV, and the wallet is created and activated by the government. The verification process "includes providing the information and documents required to fully comply with the process."

At the same time, the terms also stipulate that the user agrees to "not disclose or divulge any information, identity information, password or any code used to access the website to a third party." Chivo is not responsible for any loss or damage to the user caused by unauthorized third-party access to the account resulting from hacker attacks or lost passwords.

The reporter interviewed Chivo's staff and asked the question: "Who is responsible for the hacker attack without the information provided by the real account owner?" But the staff did not answer.

Salvadoran multimedia host Sosa finally recovered her $30 in bitcoin and emphasized that her complaint was not directed at President Bukele, but she wanted to raise awareness of this issue.

Gutierrez has not recovered her money. "I tried to contact customer service, but they didn't reply to me, nor did any agency clarify the process to follow in this case."

Esquivel said he is not interested in the $30 reward or government applications. "If I use Bitcoin at all, I will use a wallet to keep my money."


CC BY-NC-ND 2.0 Copyright Notice