At first, Cynthia Gutierrez refused to download Chivo, the digital wallet developed by El Salvador’s government for the use of bitcoin throughout the country and released on Sept. 7.
She decided to open the app on Oct. 16 after learning from fellow Salvadorans that hackers had activated wallets associated with the nine-digit numbers on their identity cards, known as DUI for its acronym in Spanish.
“This was growing more and more, reaching into my close circle,” Gutierrez, 28, told CoinDesk.
When Gutierrez entered her personal information, a screen popped up saying her document number was already associated with a wallet. Immediately, she took a screenshot, fearing that her data would be used for illicit purposes.
Gutierrez’s case is one of the hundreds that Salvadorans have reported on social media and to local advocates since September, when bitcoin was established as legal tender and Chivo started being massively used in the country.
Between Oct. 9 and Oct. 14, Cristosal, a human rights organization in El Salvador, received 755 notifications of Salvadorans reporting identity theft with their Chivo Wallets, Rina Montti, the group’s director of human rights research, told CoinDesk.
In the majority of those cases, the affected Salvadorans tried to activate their wallets after they learned of the large number of people reporting that their identities had been stolen.
The hackers had an incentive: Each wallet came loaded with $30 worth of bitcoin, provided by the administration of Salvadoran President Nayib Bukele to encourage citizens to use the cryptocurrency.
El Salvador’s government did not respond to a request for comment about claims of identity theft involving the wallets by press time.
With the adoption of bitcoin, Bukele positioned his Central American country at the center of a global discussion about the future of money. The process was not without its critics, such as those made against Article 7 of the law, which stipulates that all merchants must accept bitcoin as a form of payment when customers offer it.
The president later denied that bitcoin acceptance would be mandatory. Salvadorans were baffled by the discrepancy between what the president said and what the law stated.
In August, polls showed that 65% to 70% of Salvadorans opposed the adoption of bitcoin, and several protest marches took place in the streets. According to the latest official data provided by Bukele at the end of September, more than 2 million people downloaded the Chivo Wallet, as part of an aggressive agenda that also included bitcoin mining with volcanic energy.
Easy to fool
According to Chivo’s official website, opening an account requires scanning the DUI front and back, and then performing facial recognition to check the registrant’s identity. But several Salvadorans reported evidence that the system is flawed.
When Adam Flores, a Salvadoran YouTuber who runs the channel La Gatada SV, heard about the hacks, he remembered that his grandmother had not opened her Chivo Wallet and decided to use the case as a test. Even though he only had a photocopy of her DUI, he tried it anyway and, to his amazement, the application accepted the document as valid.
Flores followed through with the verification process, which then asked for real-time facial recognition. The YouTuber snapped a photo of a poster on his wall of Sarah Connor — a character from the “Terminator” movie series.
Seconds later, Chivo Wallet welcomed his grandmother and released the $30 incentive, according to a video Flores sent to CoinDesk as evidence.
Other cases uploaded to social media directly showed how just a random photo — in one case, of a coffee mug — was enough to replace the DUI and then fool the face recognition test.
Salvadorans do not always try to open their accounts themselves. According to Montti, of Cristosal, most of the 700 Salvadorans who reported identity theft asked acquaintances to try to transfer money through Chivo by putting their DUI numbers in the recipient field. They discovered the addresses were ready to receive transfers. In other words, the ID numbers were already registered, by someone other than the rightful owner.
Worried about impersonation, Ramón Esquivel asked an acquaintance to send money to a wallet with his DUI on Oct. 11. To his surprise, the transfer was successful, even though he had never activated his account.
“With anger, I realized that they had used my DUI,” Esquivel told CoinDesk, adding that after the episode he filed a complaint in the attorney general’s office. “I’m exposed to being used to commit acts of money laundering that would be registered under my identity, compromising my integrity,” he stated.
Other cases showed that the fraudsters diverted the money to accounts that were not even their own, but those of other hacked people.
Two weeks ago, Gabriela Sosa, a Salvadoran media host, tried to activate a Chivo Wallet with her DUI, but an error message jumped up on the screen informing her it was already registered.
As soon as it happened, she called the official support number for Chivo, 192. “I kept calling for several days until they told me I had to go to a Chivo point,” Sosa told CoinDesk. Last Saturday, she went to that help center and her account was finally recovered, but the money was not.
On her Twitter account, Sosa released details of the account to which the $30 had been directed. The owner’s name was Michael Santacruz.
Days later, co-workers and university colleagues sent screenshots of that tweet to Santacruz, who had never activated his Chivo account until then, according to private chat messages he sent to Sosa that she posted.
He tried, then, to open his account but a notification said his DUI had already been registered. Like Sosa, Santacruz approached a Chivo help center, and after recovering his account, he realized that it had been used to receive money from five hacked accounts, he said. (Attempts to reach Santacruz for comment were unsuccessful.)
Cristosal was not the only nongovernmental organization (NGO) to tackle the problem. Acción Ciudadana, a non-profit specializing in social auditing, filed a notice to the Attorney General’s Office (FGR) on Oct. 12 after the group’s President Humberto Sáenz and Director Eduardo Escobar found hackers had registered their Chivo Wallets.
Acción Ciudadana told CoinDesk that up to now, two weeks after the filing, there was no response from the FGR.
Laura Nathalie Hernández, a tech lawyer at the Salvadoran firm Legal Novis, has been receiving requests for help from victims of identity theft regarding their Chivo Wallets. The first recommendation she gave to the affected people was to post the incident on social media to make it public and also file a report with the attorney general’s office.
According to Hernández, the entity that manages the application should be the first place to turn to. “But we don’t have much information about who is responsible either,” she said, adding: “We don’t know who manages it, if there is a third company. There has been no transparency.”
According to Chivo’s terms and conditions, the authorization of an account is conditioned on a know-your-customer (KYC) process carried out by CHIVO S.A. de C.V., a private company created by the government to launch the wallet. This verification process “includes the provision of the information and documents required for full compliance with the process.”
The company’s accountability is unclear. According to the terms and conditions, users agree “not to disclose or divulge to third parties any information, DUIs, passwords or any code used to access the site.” But the terms also state that it “will not be liable for any loss or damage that the user may suffer as a result of unauthorized third party access to your account as a result of hacks or lost passwords.”
Chivo’s support staff did not answer CoinDesk’s questions about who is responsible for a hack where the real account owner does not provide information.
The wallet adds that the verification services will be provided by the company directly and/or through a third party contracted by the company for such purpose. But by press time, it had not answered CoinDesk’s question about what other third party provides identification services to the platform.
Sosa, the Salvadoran media host, told CoinDesk that she eventually got her money back and emphasized that her complaint is not against the application or Bukele’s government, just that she wants to raise awareness of the problem.
Gutierrez has not yet recouped her money. “I tried to contact customer service, and they did not give me an answer, nor is there an institution that is clear about the process to follow in this case,” she said.
Esquivel said he is not interested in either the $30 incentive or the government app.
“If I use bitcoin at all, it will be with a wallet in which I have custody of my money,” he said.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.