- Bitcoin investing service BlockFi was breached on May 14, revealing to hackers sensitive user data.
- BlockFi users took to Twitter to vent their frustrations.
- Privacy experts told Decrypt the use of Bitcoin mixing services could have prevented the data breach.
Another day, another prominent Bitcoin service breached.
News broke out this morning that hackers had compromised accounts belonging to crypto lending firm BlockFi by using SIM swaps, a common tactic hackers use to essentially steal the identities of cell phone users by fooling cell providers. And the crypto community isn’t taking the news well.
The company said in an incident report sent to users that sensitive information from accounts, such as names, email addresses, dates of birth, physical addresses, and activity histories were revealed to the hackers.
According to BlockFi, however, the hackers were not able to access other personally identifiable data, including social security numbers, tax identification numbers, passports, licenses, passwords, bank account information, account preferences, and photo IDs.
Nevertheless, the news appears to have alarmed BlockFi clients and kicked up a storm of controversy on Twitter, especially among privacy-minded Bitcoiners.
"Any company that is serving as a custodian for any amount of bitcoin, let alone the amount that BlockFi is, should not have SMS 2FA integrated into any part of their operational process let alone their encrypted back-office system. This is borderline negligence." @MartyBent
— Dan Hannum (@DHannum8) May 19, 2020
Bitcoin privacy expert and Tales from the Crypt podcast host Matt Odell, told Decrypt that he’s personally disappointed in the “lack of public disclosure” on BlockFi’s website related to the hack. The incident report of the breach was dated May 14, but was only sent to users this morning, and was not posted to BlockFi’s website.
Instead, what users got was a “hand-waving post about 2FA and whitelisting addresses,” said Odell, seemingly before the news of the breach went public this morning, since the blog post was posted yesterday and updated today.
“The fact that marketing personnel have access to this sensitive privacy information is troubling on its own but the fact that a simple SIM swap allowed malicious actors to get access is even worse,” Odell said. “It shows a complete disregard for user privacy.”
That lack of privacy appears to be at the center of the controversy, since BlockFi does not allow for funds that have been put through Bitcoin mixers to be deposited on its platform. Funds mixed through CoinJoin, a service that obfuscates Bitcoin transactions, are banned from BlockFi, which the company’s CEO Zac Prince has said is due to concerns with regulations.
It's prohibited activity and we reserve the right to freeze / return deposits from mixing services..is there something specific you want us to be more transparent about? We don't have a choice based on how we are regulated. https://t.co/uluVpePpLY
— Zac Prince (@BlockFiZac) March 2, 2020
The argument goes that if BlockFi users had been able to make use of CoinJoin and other mixers then their data would not have been compromised by this breach.
You're following regulations that don't exist. Coinjoin is not illegal, nor is it suspicious without more evidence of the same.
Chainalysis has convinced you to pay them to solve problems they created for you and pushed on our industry.
Please reconsider your position.
— Rafael Yakobi, Esq. (@Deliver8tor) March 3, 2020
According to crypto lawyer Rafael Yakobi, services like CoinJoin are not illegal, but blockchain forensic firms such as Chainalysis have convinced BlockFi and others to prohibit their use among their clients.
“Using CoinJoin for deposits and withdrawals would have helped users mitigate the privacy concerns present with a hack like this, however BlockFi is one of five companies that explicitly prohibits CoinJoin usage,” Odell said. “The malicious actor who compromised their system can now easily use deposit and withdrawal addresses to track users past and future transactions as well as their balances,” he said. “Anti-coinjoin policies are anti-user.”
We are unaware of regulations that require us to discriminate against mixed coins. Future regulations and/or new financial services may require chainalysis, but we don't do it now. As much as possible we design our services to preserve bitcoin's native censorship resistance.
— Unchained Capital (@unchainedcap) May 19, 2020
Yakobi concurred. “If malicious actors obtain transaction histories linked to real names,” he told Decrypt, “users could now be vulnerable to targeted attacks, since the hackers may be able to discern how much Bitcoin a person owns, and where that Bitcoin might be stored.”
Said Yakobi: “Dragnet information collection should be scrutinized and limited given the inherent risks associated with the unauthorized dissemination of sensitive private information and questionable value as an AML tool.”
In light of the BlockFi personal information hack, remember how its this same company who ban users from protecting their own privacy with CoinJoin.
There's nothing in regulations saying CoinJoin must be banned, these guys have just drunk the Chainalysis koolaid. https://t.co/GhO8kr1B9r
— belcher (@chris_belcher_) May 19, 2020
What this will mean for BlockFi’s business, and for the trust that it may have lost among its users, is yet to be determined. The company has yet to make any public comments about the hack, other than the incident report. BlockFi CEO Zac Prince was not available to respond to Decrypt’s request for an interview.