Celsius Exchange Data Dump Is a Gift to Crypto Sleuths—and Thieves

By releasing half a million users’ transactions in a bankruptcy court filing, the company has opened a vast breach in its users’ financial privacy.

Wired

The paradoxical nature of cryptocurrency’s privacy is that the blockchain, that unchangeable ledger of all a cryptocurrency’s transactions, serves as both a map and a mask: Bitcoin are easy enough to follow from one address to the next. But only a few entities, like the cryptocurrency exchanges that allow users to trade their crypto for traditional currency, are able to match the inscrutable strings of numbers and letters in those addresses to real-world identities. So when one of those exchanges suddenly dumps a massive internal user database online, they haven’t just spilled their own data. They’ve offered a key to decipher a vastly larger set of financial secrets.

That’s what happened last week when Celsius, a cryptocurrency exchange facing bankruptcy, leaked an enormous collection of its users’ transaction data through an unusual sort of privacy breach: a court filing. As part of its bankruptcy proceedings—in which the company’s owners are accused of pulling tens of millions of dollars worth of crypto out of the exchange before revealing its insolvency—the company’s attorneys released a document that appears to include the transaction data of half a million of its users from April of this year until it ceased trading in June. That database was briefly posted as a 14,500-page PDF to the court records website PACER before being taken down—but not before Gizmodo copied it to the Internet Archive, where it was widely downloaded before being removed there, too.

The data dump includes the names and transaction details of Celsius’ users along with the dates and amounts of each payment. The database doesn’t include the cryptocurrency addresses that directly identify senders and recipients on cryptocurrencies’ blockchains, but the unique payment amounts, detailed down to more than a dozen decimal places of precision in many cases, nonetheless make it possible to match the payments to blockchains’ records.

All of that means that the Celsius leak offers a rare gift to both professional and amateur cryptocurrency tracers, allowing them to not only see Celsius users’ transactions, but also identify and trace those users’ funds across the blockchains. That could potentially open new possibilities to identify scammers, hackers, or any other illicit users who might have exploited Celsius as a cash-out service for ill-gotten coins. But it also opens Celsius’ users to exploitation by any rip-off artist or thief who combs through the data, connects it to other accounts, and identifies their cryptocurrency holdings as a ripe target.

“This is really one of the worst exchange data breaches since Mt. Gox,” says Nick Bax, head of research at security consultancy and asset recovery firm Convex Labs. But even as he compares the Celsius leak to the disastrous breach of the early Bitcoin exchange Mt. Gox, which was bankrupted by hackers in 2014 and had its transaction database leaked online, he also calls it a “dream come true for analysts” focused on cryptocurrency tracing.

“You can find someone’s balance, deposits, and withdrawals and then correlate all that to the blockchain,” Bax says. “We can use it for good, but it can absolutely be misused too. Criminals are going through this right now, looking for whoever has the biggest balances.” Once they’re identified, Bax warns, those wealthy crypto holders could be targeted with spear-phishing, scams, and even physical extortion.

Cryptocurrency tracers in law enforcement, government regulators, and private firms are no doubt already following flows of funds to and from Celsius, scouring it for leads in their own research. “This is data we’ll ingest, analyze, and have available as part of our investigations, and I suspect others will too,” says Matt Edman, cofounder of the security startup Naxo. Edman previously worked as an FBI contractor at the Mitre Corporation, where he helped trace cryptocurrency in the criminal case of Ross Ulbricht, the creator of the Silk Road dark web market.

“When it comes to cryptocurrency tracing, following the flow of funds is not really the hard part,” Edman adds. “The tricky part in those investigations is the attribution—associating an address or transaction with an individual. That’s where datasets like this are key.”

Celsius didn’t respond to WIRED’s request for comment.

In just the days following Celsius’ disclosure of the database in court records, internet sleuths have already begun posting findings from the data. One well-known independent cryptocurrency tracer, who goes by the Twitter handle ZachXBT, posted evidence from the leak that a Celsius user and influencer named Lark Davis had promoted Celsius after pulling his own $2.5 million worth of crypto out of the exchange. (Davis didn’t immediately respond to WIRED’s request for comment.) The website Celsiusnetworth.com already claims to allow anyone to search the data for individuals’ holdings at the exchange.

Meanwhile, a cryptocurrency tracer and developer for decentralized finance firm Viper Labs, who goes by the name Federico Notte, converted the PDF from Celsius’ court filing into a spreadsheet and posted a link to his public Twitter account. He tells WIRED he hopes to use the database in combination with blockchain analysis to figure out the transactions of major trading funds, in hopes of learning their tactics. “It’s something you can definitely do,” says Notte. “It’s also a major privacy concern for these people, too.”

But even as legitimate analysts and investigators dig into the data, some cryptocurrency tracers emphasize that it will be of far more value to criminals. “The amount of private information is quite scary, really,” says Thibaud Madelin, who leads research at cryptocurrency-tracing firm Elliptic. “Scammers will be scouting this list, and they’ll know how much people have spent, how much they’ve lost, how much they hope to make back.”

“They’re ruthless,” Madelin adds, referring to scammers. “And this will give them thousands of opportunities.”
