The paradoxical nature of cryptocurrency’s privacy is that the blockchain, that unchangeable ledger of all a cryptocurrency’s transactions, serves as both a map and a mask: Bitcoin are easy enough to follow from one address to the next. But only a few entities, like the cryptocurrency exchanges that allow users to trade their crypto for traditional currency, are able to match the inscrutable strings of numbers and letters in those addresses to real-world identities. So when one of those exchanges suddenly dumps a massive internal user database online, they haven’t just spilled their own data. They’ve offered a key to decipher a vastly larger set of financial secrets.
That’s what happened last week when Celsius, a cryptocurrency exchange facing bankruptcy, leaked an enormous collection of its users’ transaction data through an unusual sort of privacy breach: a court filing. As part of its bankruptcy proceedings—in which the company’s owners are accused of pulling tens of millions of dollars worth of crypto out of the exchange before revealing its insolvency—the company’s attorneys released a document that appears to include the transaction data of half a million of its users from April of this year until it ceased trading in June. That database was briefly posted as a 14,500-page PDF to the court records website PACER before being taken down—but not before Gizmodo copied it to the Internet Archive, where it was widely downloaded before being removed there, too.
The data dump includes the names and transaction details of Celsius’ users along with the dates and amounts of each payment. The database doesn’t include the cryptocurrency addresses that directly identify senders and recipients on cryptocurrencies’ blockchains, but the unique payment amounts, detailed down to more than a dozen decimal places of precision in many cases, nonetheless make it possible to match the payments to blockchains’ records.
All of that means that the Celsius leak offers a rare gift to both professional and amateur cryptocurrency tracers, allowing them to not only see Celsius users’ transactions, but also identify and trace those users’ funds across blockchains. That could potentially open new possibilities to identify scammers, hackers, or any other illicit users who might have exploited Celsius as a cash-out service for ill-gotten coins. But it also opens Celsius’ users to exploitation by any rip-off artist or thief who combs through the data, connects it to other accounts, and identifies their cryptocurrency holdings as a ripe target.
“This is really one of the worst exchange data breaches since Mt. Gox,” says Nick Bax, head of research at security consultancy and asset recovery firm Convex Labs. But even as he compares the Celsius leak to the disastrous breach of the early Bitcoin exchange Mt. Gox, which was bankrupted by hackers in 2014 and had its transaction database leaked online, he also calls it a “dream come true for analysts” focused on cryptocurrency tracing.
“You can find someone’s balance, deposits, and withdrawals and then correlate all that to the blockchain,” Bax says. “We can use it for good, but it can absolutely be misused too. Criminals are going through this right now, looking for whoever has the biggest balances.” Once they’re identified, Bax warns, those wealthy crypto holders could be targeted with spear-phishing, scams, and even physical extortion.