Another day, another prominent Bitcoin service breached.
News broke this morning that hackers had compromised accounts belonging to crypto lending firm BlockFi using SIM swaps, a common tactic in which attackers fool a cell provider into handing over a victim's phone number, effectively stealing that person's identity. And the crypto community isn't taking the news well.
The company said in an incident report sent to users that sensitive account information, such as names, email addresses, dates of birth, physical addresses, and activity histories, was revealed to the hackers.
According to BlockFi, however, the hackers were not able to access other personally identifiable data, including social security numbers, tax identification numbers, passports, licenses, passwords, bank account information, account preferences, and photo IDs.
Nevertheless, the news appears to have alarmed BlockFi clients and kicked up a storm of controversy on Twitter, especially among privacy-minded Bitcoiners.
"Any company that is serving as a custodian for any amount of bitcoin, let alone the amount that BlockFi is, should not have SMS 2FA integrated into any part of their operational process let alone their encrypted back-office system. This is borderline negligence." @MartyBent
Bitcoin privacy expert and Tales from the Crypt podcast host Matt Odell told Decrypt that he is personally disappointed in the "lack of public disclosure" on BlockFi's website related to the hack. The incident report of the breach was dated May 14, but was only sent to users this morning, and was not posted to BlockFi's website.
Instead, what users got was a "hand-waving post about 2FA and whitelisting addresses," said Odell, apparently published before the news of the breach went public this morning: the blog post was posted yesterday and updated today.
“The fact that marketing personnel have access to this sensitive privacy information is troubling on its own but the fact that a simple SIM swap allowed malicious actors to get access is even worse,” Odell said. “It shows a complete disregard for user privacy.”
That lack of privacy appears to be at the center of the controversy, since BlockFi does not allow for funds that have been put through Bitcoin mixers to be deposited on its platform. Funds mixed through CoinJoin, a service that obfuscates Bitcoin transactions, are banned from BlockFi, which the company’s CEO Zac Prince has said is due to concerns with regulations.
It's prohibited activity and we reserve the right to freeze / return deposits from mixing services. Is there something specific you want us to be more transparent about? We don't have a choice based on how we are regulated. https://t.co/uluVpePpLY
The argument goes that if BlockFi users had been able to make use of CoinJoin and other mixers then their data would not have been compromised by this breach.
You're following regulations that don't exist. Coinjoin is not illegal, nor is it suspicious without more evidence of the same.
Chainalysis has convinced you to pay them to solve problems they created for you and pushed on our industry.
According to crypto lawyer Rafael Yakobi, services like CoinJoin are not illegal, but blockchain forensic firms such as Chainalysis have convinced BlockFi and others to prohibit their use among their clients.
"Using CoinJoin for deposits and withdrawals would have helped users mitigate the privacy concerns present with a hack like this; however, BlockFi is one of five companies that explicitly prohibits CoinJoin usage," Odell said. "The malicious actor who compromised their system can now easily use deposit and withdrawal addresses to track users' past and future transactions as well as their balances," he said. "Anti-CoinJoin policies are anti-user."
We are unaware of regulations that require us to discriminate against mixed coins. Future regulations and/or new financial services may require chainalysis, but we don't do it now. As much as possible we design our services to preserve bitcoin's native censorship resistance.
Yakobi concurred. “If malicious actors obtain transaction histories linked to real names,” he told Decrypt, “users could now be vulnerable to targeted attacks, since the hackers may be able to discern how much Bitcoin a person owns, and where that Bitcoin might be stored.”
Said Yakobi: “Dragnet information collection should be scrutinized and limited given the inherent risks associated with the unauthorized dissemination of sensitive private information and questionable value as an AML tool.”
In light of the BlockFi personal information hack, remember how it's this same company that bans users from protecting their own privacy with CoinJoin. There's nothing in regulations saying CoinJoin must be banned; these guys have just drunk the Chainalysis Kool-Aid. https://t.co/GhO8kr1B9r
What this will mean for BlockFi’s business, and for the trust that it may have lost among its users, is yet to be determined. The company has yet to make any public comments about the hack, other than the incident report. BlockFi CEO Zac Prince was not available to respond to Decrypt’s request for an interview.