Celsius exchange data dump is a godsend for crypto-sweepers – and thieves

The paradoxical nature of cryptocurrency privacy is that the blockchain, the immutable ledger of all a cryptocurrency’s transactions, acts as both a map and a mask: Bitcoins are easy enough to follow from one address to the next. But only a few entities, such as the cryptocurrency exchanges that allow users to exchange crypto for traditional currency, are able to match the inscrutable strings of numbers and letters in these addresses to real identities. So when one of these exchanges suddenly dumps a massive internal user database online, they haven’t just spilled their own data. They have offered a key to deciphering a far greater set of financial secrets.

That’s what happened last week when Celsius, a cryptocurrency exchange facing bankruptcy, leaked a huge collection of its users’ transaction data through an unusual form of privacy breach: a lawsuit. As part of the bankruptcy proceedings – in which the company’s owners are accused of delisting tens of millions of dollars worth of crypto before disclosing insolvency – the company’s lawyers released a document that appears to include the transaction data of half a million. of users from April this year until it stopped trading in June. That database was briefly posted as a 14,500-page PDF to the court records website PACER before it was taken down — but not before Gizmodo copied it to the Internet Archive, where it was widely downloaded before being taken down there as well.

The data dump includes the names and transaction details of Celsius’ users along with the dates and amounts of each payment. The database does not include the cryptocurrency addresses that directly identify senders and receivers on cryptocurrency blockchains, but the unique payment amounts, detailed down to more than a dozen decimal places with precision in many cases, still make it possible to match the payments to blockchain records.

All of this means that the Celsius leak offers a rare gift to professional and amateur cryptocurrency trackers alike, allowing them to not only see Celsius users’ transactions, but also identify and track those users’ funds across blockchains. It could potentially open new opportunities to identify fraudsters, hackers or other illegal users who may have exploited Celsius as a payout service for ill-gotten coins. But it also opens up Celsius’ users to exploitation by any rip-off artist or thief who combs through the data, links it to other accounts and identifies their cryptocurrency holdings as a ripe target.

“This is truly one of the worst data breaches since Mt. Gox,” said Nick Bax, head of research at security consulting and recovery firm Convex Labs. But while he compares the Celsius leak to the catastrophic breach of early Bitcoin exchange Mt. Gox, which was bankrupted by hackers in 2014 and had its transaction database leaked online, he also calls it a “dream come true for analysts” focused on cryptocurrency tracking.

“You can find someone’s balance, deposits and withdrawals and then correlate all of that to the blockchain,” Bax says. “We can use it for good, but it can certainly be abused as well. Criminals are going through this right now, looking for whoever has the most balance.” Once identified, Bax warns, these wealthy crypto holders can be targeted with spear-phishing, fraud and even physical extortion.