In the midst of the controversy over RainbowEx, the trading platform for an alleged cryptocurrency that is all the rage in the city of San Pedro, in Buenos Aires Province, an attacker put investors' personal information up for sale on a clandestine forum. They also published screenshots of the app's internal system, which is run by a group of operators known as Knight Consortium.
The first images appeared over the weekend, when the threat actor posted a sample of 5,300 photos of what is known as KYC (Know Your Customer) material, that is, the material used to verify a customer's identity. The photos show users holding their ID, along with images of the front and back of the documents. Clarín was able to confirm that the attacker has data on every registered user.
On Monday, the same user also showed the internal panel that RainbowEx uses to manage the assets of those who put money into the scheme, which the courts suspect is a Ponzi-type scam.
This kind of information is marketed by data brokers, individuals (or companies) that collect personal data to sell to third parties. The data can be gathered from public sources (a practice known as OSINT, open-source intelligence) or from private ones, that is, by hacking into systems. Buyers are generally interested in committing various types of crime, from taking over accounts to steal assets to extracting information for social engineering attacks.
What information was leaked
Clarín contacted Mauro Eldritch, a threat analyst at Birmingham Cyber Arms, a company that reports on data leaks and that this year warned of leaks of Argentine driver's licenses and of Renaper (the national persons registry) data. The researcher reported the first RainbowEx leak over the weekend.
“On Monday, a threat actor posted internal screenshots of this admin panel, demonstrating that they have full access to it. This allows them to exercise absolute control over the operation of RainbowEx.” This would mean that someone outside the organization was able to get in, which points to poor security measures on the site.
“An ‘administration panel’ is a website where privileged users of the application can direct every aspect of RainbowEx's operation, from creating, authorizing and managing users to transactions (inflows and outflows), announcements and orders (the famous ‘signals’),” he adds.
The “signals” are prompts indicating when to trade; on this platform they are sent by a user who goes by Ali and is the leader of the scheme. Between 8 and 10 p.m., a message from Ali reaches the members of the Telegram group. Because of her Asian features, Ali is known among followers as “La china” (“the Chinese woman”).
From the panel leaked on Monday, one can “register, delete or freeze users; approve or reject transactions (particularly payouts); view transaction details (wallets, amounts) and user details (KYC documentation that includes selfies and identity documents, and registration information such as phone number and email); send announcements and ‘signals’; and also manipulate the price of the ‘assets’ circulating in the application, arbitrarily declaring them up or down to sustain the illusion of ‘trading’,” Eldritch continued.
The problem he warns about is that, on top of the suspicion that all of this is essentially a Ponzi scheme, fuelled by the high returns promised, and the CNV's warning this week that Knight Consortium is not registered to operate, there is now this panel, from which it can be deduced that the cryptocurrency exists only inside an internal system.
“The assets traded in the application are usually internal (they cannot be found on other platforms) or imitations of well-known ones. No real trading takes place,” he stated.
How the app works
The RainbowEx application was downloaded from outside the official Google Play and App Store stores, that is, sideloaded. Once it was installed on the phone, an existing user had to enable the new registration before the newcomer could start operating: every new entrant has to be sponsored by someone already in the group.
During onboarding, an identity check is carried out in which the user is asked to send photos of their ID and a selfie. This is, in part, the material that was leaked over the weekend and put up for sale.
Once the new investor is approved, they can start putting money into the app. The person who referred them then collects a small commission on the earnings of each new member they added to the group.
Despite the referral scheme, it is not considered a classic pyramid scam, since the main income does not come from bringing people into the group. Many of the savers who agreed to speak with Clarín stressed that it was not necessary to recruit anyone; some said they did not even offer it to others, to avoid conflicts should the whole system collapse.
Deposits are made through virtual wallets such as LemonCash or similar, to an account indicated by the group. The money was then held in the RainbowEx account, where it was converted to USDT, the best-known stablecoin in the world (a cryptocurrency pegged to the value of the dollar).
Withdrawals were mostly made digitally by the same route, also transferred as USDT, to a wallet from which they could later be converted into pesos. Only a small handful withdrew their money through two financial outlets located on Mitre Avenue, where they exchanged the stablecoin for cash, whether dollars or pesos; this route served those less accustomed to dealing with digital environments.
The operation to multiply the capital took place every day between 9:00 p.m. and 10:00 p.m., when the buy signal from “La china” Ali arrived.
Moments later, an order had to be placed to sell the acquired crypto at the price Ali indicated in the message. For example, a tutorial that circulated in recent hours showed the purchase of a SOX coin at 12.0946 and its resale at 12.4351; the difference between the two values (about 2.8%) was the day's profit.
The signal arrives via Telegram and is executed in less than a minute
Ali's signals used to arrive from Sunday to Friday, but some time ago they began arriving seven days a week. They included the market price and the time window in which the operation had to be carried out, just under an hour. Marcos, a neighbour who did not invest, told Clarín with some annoyance how a soccer game with friends was briefly interrupted when 6 of the 10 players went to fetch their phones to answer the call of “La china”.
According to users still in the Telegram groups where Ali's buy orders are sent, operations continued as normal, despite a statement from Knight Consortium warning that withdrawals would be suspended until the end of October because of the intervention of Argentine regulatory bodies. On Wednesday, promotions and raffles were also offered to those who invited new investors.
The CNV report: “it is not authorized to operate”
For its part, the National Securities Commission (CNV) revealed on Wednesday that RainbowEx is not authorized to operate in Argentina.
“As of the present date, ‘RainbowEX’, ‘Rainbow Exchange’ and/or ‘Knight Consortium’ are not registered in the Registry of Virtual Asset Service Providers (Legal Entities) and have not submitted a request for registration in it, under the provisions of CNV General Resolution No. 994/24,” states the CNV report, sent at the request of the courts to the Decentralized Prosecutor's Office of San Nicolás, headed by federal prosecutor Matías Di Lello.
The San Pedro court, which opened the case ex officio, is pursuing two possible lines of investigation: whether the promoters of Knight Consortium engaged in unauthorized financial intermediation (Art. 310 of the Penal Code), a crime that carries 1 to 4 years in prison, and whether the whole thing constitutes fraud.
The latter scenario requires someone to come forward as a victim and file a complaint with the courts, something that has not yet happened despite informal talks between a handful of investors and local lawyers.