By Jan Vermeulen for MyBroadband
A hacker collective calling itself Anonymous ZA has released explosive details about Mirror Trading International (MTI), stating that at least R4-billion in bitcoin has flowed through the scheme.
In response, MTI told MyBroadband the information stems from private member data that was illegally obtained and that it is “inaccurate at best”.
Mirror Trading International is a South African registered company offering Forex trading services by using an automated system to trade with the trading pool on behalf of its members.
Johann Steynberg is the CEO and founder of MTI, which focuses on Bitcoin trading and promising members a “truly passive income”.
According to MTI, it has over 90 000 active members in 177 countries, and its numbers are growing daily.
MTI made headlines recently after the Financial Sector Conduct Authority (FSCA) said it was investigating the company.
The FSCA said the current business model of MTI requires it to be in possession of a financial service provider licence.
“MTI has informed us that they accept clients’ funds in the form of Bitcoin, pool the funds into one trading account on a forex derivate trading platform, and conduct high-frequency trading through the utilisation of a bot,” the FSCA said.
If this is being done as described, then this amounts to financial services, hence the licence requirement.
However, the FSCA has a much greater concern about MTI’s activities.
The company claims to have more than R2.9 billion in clients’ funds in trading accounts, but the FSCA has not been able to conclusively confirm that the funds exist.
“Moreover, the returns on the investments claimed by MTI seems far-fetched and unrealistic,” the FSCA said.
At the time, MTI said that its bot-trading is able to generate consistent profits of an average of 10% per month. More recently it said it has seen an average return of 0.5% per day.
The FSCA recommended that MTI clients request refunds into their own accounts as soon as possible.
The Texas State Securities Board has also issued an emergency cease-and-desist order against MTI and accused it of perpetrating fraud through an illegal international multilevel marketing programme.
Canada’s Autorité des Marchés Financiers (AMF) has placed MTI on its list of illegal online platforms, issuing a warning that MTI illegally solicits investors.
Anonymous ZA publishes information about MTI
Anonymous ZA has published financial information about MTI online based on data collected through MTI’s members portal – mymticlub.com.
According to Anonymous ZA, it discovered glaring security vulnerabilities in the online systems of MTI, which it exploited to extract information about the inner workings of the scheme.
Anonymous ZA said the vulnerability that exposed MTI’s “back office” system was a lack of basic authentication.
Any registered member who is logged into the system could view the information of any other member’s account by simply changing a parameter in the URL.
“All data was acquired using simple enumeration and scraping techniques on the mymticlub.com site,” stated Anonymous ZA.
“No hacks were performed because the lack of basic security did not require it. Just incrementing an id=? parameter on various URLs provided all the data that you see here.”
Using this weakness, it was able to glean detailed information about MTI’s system and see the full names, usernames, e-mail addresses, bitcoin balances, and earnings linked to every account.
Anonymous ZA then published an anonymised copy of the data, which was current as of 14 September 2020, on a dark web site called MTILeaks.
It said the MTI database shows the company has handled over 22,984 bitcoin in member deposits, amounting to over R4 billion.
The data shows that members have withdrawn nearly 15,653 bitcoin (close to R2.9 billion), which means the scheme should still have at least 7,331 bitcoin (over R1.3 billion) of members’ capital in its accounts.
However, the data also shows that the scheme has allocated almost 9,916 bitcoin (over R1.8 billion) to members in interest and bonuses.
This means that MTI must have a minimum of 17,247 bitcoin (over R3.1 billion) to cover the remaining deposits and earnings of all members who have not yet been withdrawn from the scheme.
MyBroadband asked MTI CEO Johann Steynberg if the company has that much liquidity and if he could provide MTI’s bitcoin wallet addresses to prove that the company has the assets to cover its obligations.
Steynberg did not answer the question in his initial response to MyBroadband.
In a subsequent statement to MyBroadband, MTI said it declined to comment.