Sensitive data from crypto event attendees is being sold as “marketing lists,” posing a valuable target for scammers and malicious actors.
Lists containing sensitive information on crypto event attendees are being sold under the pretense of “marketing, promoting, and finding clients,” which presents a potential data gold mine for scammers and malicious actors.
The lists may include personal and business social media links, as well as entire names, phone numbers, nationalities, job roles, and companies.
Some even include the date on which the attendees purchased their tickets, the type of ticket they purchased, the operating system they used to make the purchase, the number of followers they have on social media, the addresses of their crypto wallets, and any messages they entered into a text field that was sent to the event organizers.
This type of data is typically gathered through event registration forms at conferences or side events.
In recent years, it has become increasingly common for events to require connections to specific social media accounts when using platforms like lu.ma to issue tickets.
Cointelegraph acquired “samples” of these lists from a vendor via Telegram.
The lists consisted of four groups, each with approximately 60 to 100 participants, and appeared to be derived from multiple events.
Different data elements regarding the attendees were included in each.
The events appeared to have taken place predominantly in the fall of 2024, and the phone numbers of the attendees indicated that they took place in various countries, with a particular emphasis on India and Southeast Asia.
The presence of a single merchant with access to lists from multiple countries implies that there is an organized international trade in blockchain event attendee data, rather than an isolated incident.
The lists may only be the beginning; images of supplementary samples that are purportedly associated with Blockchain Fest and Devcon were also disclosed.
Cointelegraph is not insinuating that the organizers or personnel of significant events are engaged in the trade, as hundreds of side events at conferences also collect comparable information.
An apparent inventory of 1,700 attendees at the November 2024 AIBC conference in Malta was of particular value.
The vendor claimed that the list would be distributed to “only a few persons” and had an asking price of nearly $4,000; however, this was reduced to $650 after a few days.
“This datas very insider and exclusive information.”
The vendor asserted that the sales proceeds would be allocated to the acquisition of supplementary lists from other events, specifically Coinfest and DevCon.
They provided database screenshots to support this claim.
The vendor appeared to be a reseller of the data, and despite being anonymous, both the seller and the compiler of the data are believed to be Russian.
This is supported by the fact that one of the tabs in the sample data set is titled “List2” in Russian, and an AI analysis of the seller’s writing indicates that they are a native Russian speaker.
The seller attempted to substantiate the sale of the “not leaked” data by asserting that it was “not sensitive information” and that “most people are open to such marketing.”
The information could be used by social engineering fraudsters to target individuals on the lists with malicious links and phishing attempts.
Eman Pulis, the founder of AIBC, inquired about the size of the list when Cointelegraph requested a response.
He stated that the event has “extremely stringent protocols against data breaches.”
Pulis also stated that numerous databases that are comparable to his are fraudulent, and that “we are frequently presented with databases from our competitors.”
The vendor has offered to cross-validate their data against any known AIBC attendee, but the entire database is not verifiable.
“AIBC if you know anyone who was there ,I can prove reality ,give me surname and I will find the person.”
It is evident that unscrupulous actors are interested in lists of this nature, even though the source of the data is unclear.
Crypto event attendees should be alert to the potential risks associated with providing confidential information in online forms.
