The company committed a significant breach of its customers’ financial privacy by disclosing half a million users’ transactions in a bankruptcy court filing.

The paradox of Bitcoin privacy is that the blockchain, the permanent record of all transactions made with it, functions as both a mask and a map: from one address to the next, Bitcoin is quite simple to follow. Only a select few organizations, such as the cryptocurrency exchanges that enable users to exchange their bitcoin for fiat money, are able to link the baffling sequences of numbers and letters in those addresses to actual people. So when one of those exchanges suddenly posts a sizable internal user database online, it hasn’t merely leaked its own information. It has provided a key to unlock a far bigger collection of financial mysteries.

This is what occurred last week when Celsius, a cryptocurrency exchange on the verge of bankruptcy, exposed a sizable amount of transaction data belonging to its users through an uncommon type of privacy breach: a court filing. As part of its bankruptcy proceedings, in which the company’s owners are accused of withdrawing tens of millions of dollars’ worth of cryptocurrency from the exchange before disclosing its insolvency, the company’s attorneys recently released a document that appears to include the transaction data of half a million of its users from April of this year until it ceased trading in June. The database was briefly available as a 14,500-page PDF on the court records website PACER before it was removed, but not before Gizmodo had transferred it to the Internet Archive, where it had been heavily downloaded.

The Issues

The data leak includes the names of Celsius users and information about their transactions, including the dates and amounts of each payment. The database does not contain the cryptocurrency addresses that directly identify senders and recipients on cryptocurrency blockchains. Even so, the payment amounts are often given to more than a dozen decimal places of precision, which makes them unique enough for the payments to be matched to the blockchains’ records.
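An added example (not from the article or the court filing) of a check a team could run before publishing transaction records: it measures how many rows are singled out by date, coin and amount at each level of amount precision. The rows, column layout and function names are constructed for illustration, and uniqueness within the file is used here as a proxy for how easily a row could be linked to a public ledger.

```python
from collections import Counter
from decimal import Decimal, ROUND_DOWN

# Constructed sample rows (date, coin, amount); not taken from the filing.
SAMPLE_ROWS = [
    ("2022-05-02", "BTC", "0.51837264019283"),
    ("2022-05-02", "BTC", "0.51200000000000"),
    ("2022-05-02", "BTC", "0.50000000000000"),
    ("2022-05-02", "ETH", "12.0400718236455102"),
    ("2022-05-02", "ETH", "12.0499999999999999"),
    ("2022-05-03", "BTC", "0.50000000000000"),
    ("2022-05-03", "BTC", "0.50000000000000"),
    ("2022-05-03", "ETH", "3.1415926535897932"),
]

def truncate(amount: str, places: int) -> Decimal:
    """Truncate a decimal string to `places` fractional digits without float error."""
    quantum = Decimal(1).scaleb(-places)  # places=2 -> Decimal('0.01')
    return Decimal(amount).quantize(quantum, rounding=ROUND_DOWN)

def group_sizes(rows, places: int) -> Counter:
    """Count rows per (date, coin, truncated amount) quasi-identifier."""
    return Counter((d, c, truncate(a, places)) for d, c, a in rows)

def unique_fraction(rows, places: int) -> float:
    """Share of rows whose quasi-identifier occurs exactly once in the file."""
    sizes = group_sizes(rows, places)
    singled_out = sum(n for n in sizes.values() if n == 1)
    return singled_out / len(rows)

def smallest_group(rows, places: int) -> int:
    """k in the k-anonymity sense: size of the smallest group sharing one key."""
    return min(group_sizes(rows, places).values())

def precision_report(rows, precisions=(14, 4, 2, 1, 0)):
    """Map each precision to (fraction of rows singled out, smallest group size)."""
    return {p: (unique_fraction(rows, p), smallest_group(rows, p)) for p in precisions}

if __name__ == "__main__":
    for places, (frac, k) in precision_report(SAMPLE_ROWS).items():
        print(f"{places:>2} decimal places: {frac:.0%} of rows unique, k={k}")
```

On the constructed rows, truncating amounts lowers the share of singled-out rows, but a smallest group of 1 at every precision shows that truncation alone does not make every row indistinguishable from another.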

All in all, the Celsius data leak gives cryptocurrency tracers, both expert and novice, a unique opportunity not only to view transactions made by Celsius users but also to identify and track those users’ funds across blockchains. That might create new opportunities for locating con artists, hackers, or any other unauthorized users who might have used Celsius as a means of cashing out stolen currency. However, it also exposes Celsius users to any fraudster or thief who searches through the data, links it to other accounts, and determines that their bitcoin holdings are a prime target.

According to Nick Bax, head of research at security consulting and asset recovery company Convex Labs, this is actually one of the worst exchange data breaches since Mt. Gox. He compares the Celsius data leak to the disastrous Mt. Gox attack, which resulted in the early Bitcoin exchange’s bankruptcy and the online release of its transaction database. But he also refers to it as a “dream come true for analysts” who specialize in cryptocurrency tracing.

The Blockchain

According to Bax, you can correlate someone’s balance, deposits, and withdrawals with the blockchain. “We may utilize it for good, but there is little doubt that it can also be abused. Criminals are currently conducting this search for those with the largest balances.” Bax cautions that affluent cryptocurrency owners may become the target of spear-phishing attacks, con games, and even physical extortion once they have been identified.

There is no question that cryptocurrency tracers who work for law enforcement, government agencies, and commercial businesses are already monitoring the transfers of money to and from Celsius and mining its data for their own investigations. According to Matt Edman, cofounder of the security startup Naxo, “this is data we’ll ingest, analyze, and have available as part of our investigations, and I expect others will too.” Edman formerly worked for the Mitre Corporation as an FBI contractor, where he assisted in the criminal investigation of Ross Ulbricht, the man behind the Silk Road dark web market, by tracing cryptocurrencies.

In terms of bitcoin tracing, Edman continues, “following the flow of funds is not actually the hard part.” “Associating an address or transaction with a specific person in these investigations is challenging. Such databases are essential in that situation.”

Celsius didn’t respond to WIRED’s request for comment.

Researchers have already started sharing findings from the database just days after Celsius revealed it in court documents. ZachXBT, a well-known independent cryptocurrency tracer, published proof from the breach that Lark Davis, a Celsius user and influencer, had promoted Celsius after taking his own $2.5 million worth of bitcoin out of the exchange. (WIRED’s request for comment from Davis was not immediately met with a response.) Anyone can already search the data for a person’s assets at the exchange, according to the website

The Final Thoughts

The PDF from the Celsius court case was transformed into a spreadsheet by Federico Notte, a cryptocurrency tracer and developer for the decentralized finance company Viper Labs, who shared the link on his open Twitter account. He tells WIRED that he plans to use the database along with blockchain research to track the transactions of significant trading funds in an effort to understand their strategies. It’s definitely something you can accomplish, adds Notte. These people have serious privacy concerns as well.

The data is being examined by reputable researchers and detectives, but some bitcoin tracers underline that criminals will appreciate it much more. According to Thibaud Madelin, who oversees research at cryptocurrency-tracking company Elliptic, “the amount of sensitive information is rather frightening, frankly.” Scammers will search this list and will be aware of how much people have spent, how much they have lost, and how much they want to recoup.

Madelin describes such crypto crooks as “ruthless.” And it will present them with countless opportunities.