Why Celsius ‘Doxed’ Over 600k of its Customers
The crypto-verse was shocked when news broke that the now-bankrupt crypto lender Celsius Network had published a 14,500-page document detailing every one of its users’ full names alongside the types and amounts of transactions they carried out on the platform. The data included crypto holdings, deposits, withdrawals, interest earnings, and other sensitive financial information belonging to over 600,000 Celsius customers.
At First Glance, it Looked Like an Intentional Data Leak
Initially, crypto-community members had concluded that the 14,500-page document had been leaked intentionally for potentially malicious reasons. Crypto Twitter was soon full of comments that the doxing by Celsius was brutal and could have far-reaching consequences, including compromising the safety of large bag holders exposed through the document.
Some of the large bag holders included Celsius executives. The document showed that they had withdrawn large sums from Celsius before withdrawals were paused on the platform in July, adding fuel to the theory that the document’s release was intentional.
The document showed that former Celsius CEO, Alex Mashinsky, withdrew $10 million in May. Its former strategy chief Daniel Leon took out almost $7 million and used $4 million in CEL for collateral for a loan in late May. The company’s CTO, Nuke Goldstein, withdrew $13 million and used an additional $6 million in CEL tokens for loan collateral.
Chapter 11 Bankruptcy Involves a Lot of Transparency
It has since emerged that the disclosure was part of standard bankruptcy procedure, as Celsius continues to navigate its Chapter 11 filing and restructuring process after freezing user accounts in July.
Most bankruptcy cases of this magnitude require creditors to be identified for them to claim the assets of the estate that owes them. The creditors must prove that the funds belong to them by revealing their identity and the amounts owed.
Celsius Had Made Attempts to Redact the Information
According to court documents, Celsius had initially requested that such information be kept confidential, citing three reasons.
Firstly, Celsius highlighted that customers’ home and email addresses constitute confidential ‘commercial information’ under the Bankruptcy Code. The company argued that this customer information was too valuable to publicize, and that doing so ‘would significantly decrease the value of the customer list as an asset in any future potential asset sale.’
Secondly, Celsius argued that exposing home addresses, email addresses, and names could result in its customers being the targets of ‘identity theft, blackmail, harassment, stalking, and doxing.’
Thirdly, the company pointed out that many of its customers resided in jurisdictions spread out across the world, and exposing them would break various laws, such as the United Kingdom General Data Protection Regulation (UK GDPR) and the European Union General Data Protection Regulation (EU GDPR). In addition, disclosing the customer information would expose the company ‘to potential civil liability and significant financial penalties.’
The court denied most of Celsius’ requests but agreed to redact individual creditors’ home addresses and email addresses.
Someone Created a Website With All the Data
Still, the 14,500-page document with Celsius’ customer information remains public on the internet. It has even led to the creation of a website, CelsiusNetWorth.com, where anyone can look up individual customers and find out how much they lost when Celsius Network went bankrupt. The website also has a leaderboard of Celsius’ top ten creditors, who are owed an estimated combined total of $220 million.
Figure: Top 10 Celsius creditors. Source: CelsiusNetWorth.com
Is KYC (Know Your Customer) a Liability?
The unfortunate incident of customer personal information being made public has raised a few questions regarding the long-term consequences of the legally required procedure of KYC: Know Your Customer.
Many crypto traders and investors have now begun questioning the security of their personal information submitted to crypto platforms as part of their compliance procedures. KYC is becoming mandatory as regulators narrow down how crypto platforms can be used for money laundering, tax evasion, and terrorist financing.
Furthermore, the fact that the courts allowed for the customer names and transactional history to be made public shows how the same laws can lead to the breach of personal privacy.
Coincidentally, countries and regions across the world are in the process of drafting laws and regulations aimed at streamlining the crypto industry.
For example, the EU is in the final stages of approving the Markets in Crypto Assets (MiCA) and Transfer of Funds Regulation (TFR) bills. Both pieces of legislation propose mandatory verification of customer identity and information by crypto asset service providers (CASPs), particularly for transactions that exceed €1,000.
The US White House has also taken the first step of regulating the crypto industry by publishing its ‘Comprehensive Framework for Responsible Development of Digital Assets.’ The document also stresses the importance of fighting against illicit finance through the use and possible future modification of the Bank Secrecy Act (BSA). At the BSA’s core are KYC and Anti-Money Laundering (AML) procedures that require verifying and collecting personal information.
The Celsius incident has therefore opened another chapter in drafting crypto regulations or modifying existing laws to include watertight procedures for guaranteeing the security of personal data, even during legal proceedings such as bankruptcies.
The EU is already one step ahead, as its MiCA and TFR bills outline that CASPs should adhere to the current General Data Protection Regulation (GDPR). User information will only be available to CASPs carrying out the transactions and major authorities. This leaves United States lawmakers with the new task of figuring out how to protect crypto traders and investors in the country from privacy breaches such as the one experienced by Celsius’ customers.
Customers Now View Centralized Exchanges and Platforms in a Different Light
In hindsight, crypto traders and investors are now aware of the dangers of entrusting their personal data to centralized exchanges and platforms, particularly those based in the United States. Many will now start skimming through the often long ‘Terms of Service’ before agreeing to sign up for a crypto exchange or platform.
Others might take the Celsius incident as a reason to migrate to decentralized exchanges and decentralized finance protocols run by decentralized autonomous organizations to protect their privacy.