Why Celsius Doxxed Hundreds of Thousands of Users
Celsius Network, the bankrupt crypto lender, accidentally doxxed all of its users. Last week, more than 29,000 pages of court documents hit the servers, revealing the financial details of hundreds of thousands of users that kept money on the “neobank” Celsius.
The information appears to have been released as part of standard bankruptcy procedure as Celsius winds its way through the Chapter 11 restructuring process after freezing customer accounts in July. About 600,000 customer accounts are affected by the disclosure, revealing their wallet addresses, transaction histories, crypto holdings, recent transactions and other information.
This article is excerpted from The Node, CoinDesk's daily roundup of the most pivotal stories in blockchain and crypto news. You can subscribe to get the full newsletter here.
The incident has raised serious concerns about financial transparency and fears that this public information could make Celsius users targets for harassment or theft. It does not appear to be a data breach or hack, as many initially suggested.
According to court documents, Celsius fought to prevent much of this information from getting out. In the end, users’ emails and home addresses were allowed to be redacted. One of the company’s arguments was that publishing this personal information would “reduce” the list’s resale value.
Chief Bankruptcy Judge Martin Glenn, who’s overseeing the case and compelled Celsius to release this data trove, cited court precedent and inadequate proof that doxxing users would put them at risk.
“Sealing information such as that sought by the Debtors [Celsius] from public disclosure risks transforming the open and transparent bankruptcy process into something very different, which the Court is loath to do without a strong showing of real and not speculative risks,” Judge Glenn wrote in a September court filing.
Still, due to the default transparency of the blockchain, even the partially redacted information can be pieced together to “dox” Celsius users’ other on-chain activities, Henry de Valence, founder of Web3 startup Penumbra Labs, noted on Twitter.
It’s also arguable that the court’s demands here far exceed the norm. Typically, companies going through the bankruptcy process will have to expose a full accounting of their assets, which Judge Glenn here took to include Celsius’ custody books going back to July.
All of this has led to the usual bromides often heard on Crypto Twitter: the dangers of trusting centralized intermediaries, the importance of practicing good “op-sec” when using public chains and the need for crypto-specific laws and regulations that meet the industry where it is.
People are already scanning through the list for names they recognize, and sending reminders that there might be more than one Neeraj Agrawal in the world. There’s been at least one example of wrongful public shaming so far, where one bitcoiner erroneously called out another for apparently using Celsius.
See also: Celsius Resembled Ponzi Scheme at Times, VermonT Regulator Says
I’d expect more of this now that a website launched making the data publicly searchable by name. That website, called Celsiusnetworth.com, also includes a ranking of doxxed Celsius users by the amount they lost – for easy schadenfreude.
The site itself appears to be conflating different individuals and aggregating data, meaning its accuracy is questionable at best.
It’s worth noting the irony that Celsius has not been exactly forthcoming throughout the bankruptcy process, and that its executives not only misled the public in the lead up to freezing its services but withdrew millions of dollars from custody accounts.
Whether Celsius creditors (read: users) will receive any payout after the firm restructures is an open question. They could have been doxxed for nothing.
