PremiumCodeX (OP)
|
|
December 29, 2020, 10:44:53 AM Last edit: February 18, 2021, 03:57:25 PM by PremiumCodeX |
|
Hello Fellow Members, Hi Dears!
Imagine that tonight you successfully wrote a zero-day (0day) exploit for unlimited privilege escalation and arbitrary remote code execution that surely anonymously works on several cryptocurrency exchanges.
You are able also to practically use the exploit anytime. Now what would you do with it and how?
(Each answer contributes to non-profit academic research about hackers, Thank you.)
|
|
|
|
hugeblack
Legendary
Offline
Activity: 2730
Merit: 4037
|
|
December 30, 2020, 11:24:07 AM |
|
Most platforms discover hackers when they start withdrawing unnatural amounts of trading volumes, so as long as you keep yourself hidden for the longest period, they will not be able to exploit the vulnerability.
I will verify the safe volumes that can be withdrawn without verifying the identity and create accounts through them for as long as possible, then the discovery of hack becomes useless because the amounts have been withdrawn a long time ago and the tracking process is more difficult.
After that, will try to leave some backdoors.
|
|
|
|
malevolent
can into space
Legendary
Offline
Activity: 3472
Merit: 1725
|
|
January 02, 2021, 05:00:27 AM |
|
See if they have any bug bounty programs, if they do read about them, if they don't have a history of mistreating those who reported bugs to them, responsibly disclose the vulnerabilities and collect the rewards which would likely be bountiful.
|
Signature space available for rent.
|
|
|
PremiumCodeX (OP)
|
|
January 29, 2021, 08:29:49 PM |
|
> Most platforms discover hackers when they start withdrawing unnatural amounts of trading volumes, so as long as you keep yourself hidden for the longest period, they will not be able to exploit the vulnerability.
> I will verify the safe volumes that can be withdrawn without verifying the identity and create accounts through them for as long as possible, then the discovery of hack becomes useless because the amounts have been withdrawn a long time ago and the tracking process is more difficult.
> After that, will try to leave some backdoors.

Thank you very much! Wouldn't leaving backdoors make vanishing harder? Wouldn't your backdoors lead investigators to your systems?

> See if they have any bug bounty programs, if they do read about them, if they don't have a history of mistreating those who reported bugs to them, responsibly disclose the vulnerabilities and collect the rewards which would likely be bountiful.

What if they do not have a bug bounty program or they have the bad habit of mistreating people who report dangerous vulnerabilities?
|
|
|
|
malevolent
can into space
Legendary
Offline
Activity: 3472
Merit: 1725
|
|
January 29, 2021, 10:21:50 PM |
|
> What if they do not have a bug bounty program or they have the bad habit of mistreating people who report dangerous vulnerabilities?

Even if they don't have a bug bounty program, and if they wouldn't be willing to pay, I'd still share the info with the exchange(s). In the other scenario, do nothing or if they had rightfully earned themselves a really bad reputation go full disclosure. Worst case their hot wallet gets drained and they have to cover it from their net profits.
|
|
|
|
PremiumCodeX (OP)
|
|
January 30, 2021, 06:25:31 PM Last edit: February 18, 2021, 03:55:32 PM by PremiumCodeX |
|
> Even if they don't have a bug bounty program, and if they wouldn't be willing to pay, I'd still share the info with the exchange(s).
> In the other scenario, do nothing or if they had rightfully earned themselves a really bad reputation go full disclosure. Worst case their hot wallet gets drained and they have to cover it from their net profits.

Fortunately, not personal, but I have indirect negative experiences with full disclosure. Too many acquaintances had too many problems with fully disclosing vulnerabilities even of shady services. What you say can be used as an excuse: providers "wanted to run a legit business", but the "evil hacker" ruined it. What about reporting it to a competitor? Or selling the exploit without specifying any exchange?
|
|
|
|
malevolent
can into space
Legendary
Offline
Activity: 3472
Merit: 1725
|
|
January 31, 2021, 12:22:45 AM |
|
> Fortunately, not personal, but I have indirect negative experiences with full disclosure. Too many acquaintances had too many problems with fully disclosing vulnerabilities even of shady services. What you say can be used as an excuse: providers "wanted to run a legit business", but the "evil hacker" ruined it.

Obviously it's a last resort, and should obviously be done anonymously.

> What about reporting it to a competitor? Or selling the exploit without specifying any exchange?

Nah. Wouldn't be interested in that.
|
|
|
|
PixxelDesign
Member
Offline
Activity: 69
Merit: 15
|
|
February 15, 2021, 01:34:50 PM |
|
If I would experience an exploit, I would report it to the security team of the exchange, because I believe if you do the right thing, you get the same back from life. Plus if it's a big exchange, lots of money is at stake for several users who have the funds there, at the end of the day, it's really about the users, not the exchange itself, especially if it's a payment system exploit.
|
|
|
|
carlfebz2
|
|
February 15, 2021, 09:56:23 PM |
|
> If I would experience an exploit, I would report it to the security team of the exchange, because I believe if you do the right thing, you get the same back from life. Plus if it's a big exchange, lots of money is at stake for several users who have the funds there, at the end of the day, it's really about the users, not the exchange itself, especially if it's a payment system exploit.

This is on the other side of things, where it's just ethical for you to report if you do find exploits or bugs that would really result in a serious effect on them, especially if this one is about finance; then it's just right for you to tell and don't expect something back, but pretty sure that they would really be giving out some bounty for that, depending on the scope or seriousness of such an exploit or bug. Well, people do have different minds, which means people could decide whether they would abuse it or would report or do the right way.
|
|
|
|
PremiumCodeX (OP)
|
|
February 18, 2021, 03:53:45 PM |
|
> If I would experience an exploit, I would report it to the security team of the exchange, because I believe if you do the right thing, you get the same back from life.

How would the information change your "morals" if the exchange intentionally stole money from its users?

> Well, people do have different minds, which means people could decide whether they would abuse it or would report or do the right way.

How would you change your mind if you knew that an infamous scammer used the same exchange and you had the chance to take back the money?
|
|
|
|
PixxelDesign
Member
Offline
Activity: 69
Merit: 15
|
|
March 02, 2021, 07:26:15 PM |
|
People are accusing exchanges all the time of stealing money, in 99.9% of the cases it’s not true.
|
|
|
|
malevolent
can into space
Legendary
Offline
Activity: 3472
Merit: 1725
|
|
March 04, 2021, 09:13:20 AM |
|
Many exchanges tend to use euphemisms such as 'locking', 'freezing' or 'suspending' when they steal or take the users' money hostage.
|
|
|
|
PremiumCodeX (OP)
|
|
March 04, 2021, 06:46:19 PM |
|
> Many exchanges tend to use euphemisms such as 'locking', 'freezing' or 'suspending' when they steal or take the users' money hostage.

How far would you go if an exchange has taken your funds as a hostage? What behavior from the exchange would result in you calling your "last resort"? https://bitcointalk.org/index.php?topic=5304720.msg56231039#msg56231039

> People are accusing exchanges all the time of stealing money, in 99.9% of the cases it’s not true.

On the one hand, some exchanges would steal your money. On the other hand, many users would steal money from the exchange. "Refund services" are popular among hackers and their clients. Hasn't your money ever been frozen?
|
|
|
|
kryme
Copper Member
Member
Offline
Activity: 336
Merit: 35
|
|
March 04, 2021, 08:59:27 PM |
|
I once had a chance to exploit some shady Russian exchange. Didn't make a huge amount of money, but I was able to withdraw 2x of any ERC-20 token and rinse and repeat it for about two hours before they caught on. They asked for the money back and froze my account. Nothing else came from it.
|
|
|
|
UserU
|
|
March 05, 2021, 02:16:05 PM |
|
Interesting to be the bad guy for once (I've always wanted to, hoho)
I'd start off with small withdraws to avoid raising the flag. As it happens across several exchanges, I'd go for different coins each time such as LTC for exchange A, BCH for exchange B and so forth.
|
|
|
|
PremiumCodeX (OP)
|
|
March 05, 2021, 07:10:05 PM |
|
> I once had a chance to exploit some shady Russian exchange. Didn't make a huge amount of money, but I was able to withdraw 2x of any ERC-20 token and rinse and repeat it for about two hours before they caught on. They asked for the money back and froze my account. Nothing else came from it.

Perhaps they have made much money to afford not caring about their small loss on you. However, if they indeed made so much cabbage, why wouldn't they bit from it to send a lawyer after you? Interesting.

> Interesting to be the bad guy for once (I've always wanted to, hoho)
> I'd start off with small withdraws to avoid raising the flag. As it happens across several exchanges, I'd go for different coins each time such as LTC for exchange A, BCH for exchange B and so forth.

Wouldn't you risk too much for too little? Withdrawing even a bit could yield a court case. The nature of every risk is that given enough time it becomes a loss. In your case, the loss could be up to your freedom. What would be your insurance to get away (with profit)?
|
|
|
|
gadhashin
Copper Member
Newbie
Offline
Activity: 28
Merit: 1
|
|
March 09, 2021, 01:16:12 PM |
|
Around 2019 PremiumCodeX posted on bitcointalk forum results of his tests of various trading bots [none of the results can be verified by backtesting because none of configurations/settings used were posted]. After those reviews PremiumCodeX posted on bitcointalk forum results of tests of his own bots he claimed were developed and offered to invest in these trading bots to share trading income. To participate in such investments PremiumCodeX proposed to contact him via telegram where he gave the details of income sharing and promised investors that all investments up to USD 5.000 will be recovered in case of trading bots faults:
https://ibb.co/KsnW31W
https://ibb.co/phZNtB0
Around October, 2020 PremiumCodeX informed his investors in the telegram groups/accounts that he lost all money by doing manual trades with high leverage on deribit instead of trading bots operating. During teleconference with investors on November 18, 2020 PremiumCodeX admitted his fault and agreed to refund the investments made by investors. Here is a link to a short summary of the conference (thanks to @wallier2t2):
https://docs.google.com/spreadsheets/d/1Nn14GlKV4x__EkTvHtyu1RDSpCZDEaIPOvVS5NQPMak/edit?usp=sharing
[in case Moderator is interested in, a video record from the conference is available]
Since then, no refund payments were made; apart from that, PremiumCodeX banned most of the investors in his telegram groups/accounts.
|
|
|
|
slaman29
Legendary
Offline
Activity: 2870
Merit: 1298
|
|
March 09, 2021, 02:04:53 PM |
|
^ Thanks for the information. Strange the user would pop up again with the old account, knowing that former investors would lose out.
He doesn't seem to be asking for money now, although you never know. Maybe he has something to say for himself?
On the topic of "privilege escalation" I actually never heard of it until now. Still not sure what it means here though even though Google says access to usually restricted resources. What would this mean for an exchange?
|
|
|
|
PremiumCodeX (OP)
|
|
March 09, 2021, 07:42:24 PM Last edit: March 22, 2021, 09:30:49 AM by PremiumCodeX |
|
Hey, do not believe scammy gadhashin's (u=3136965) irrational lies because we banned his "fake customer" gang for their shortsighted attempts to steal our cryptocurrencies.
> On the topic of "privilege escalation" I actually never heard of it until now. Still not sure what it means here though even though Google says access to usually restricted resources. What would this mean for an exchange?

"Privilege escalation" means you acquire access to more privileges than your account is supposed to have for its function. In this thread, I mean such extra privileges that enable you to run arbitrary program code on the exchange's servers. Usually, this should be a privilege only to a restricted group of employees.
|
|
|
|
malevolent
can into space
Legendary
Offline
Activity: 3472
Merit: 1725
|
|
March 10, 2021, 12:54:22 AM |
|
> How far would you go if an exchange has taken your funds as a hostage?

If I had my money taken hostage, obviously I would take it back if I were in a position to do so.

Already answered that.
|
|
|
|
|