Another day, another prominent Bitcoin service breached.
News broke this morning that hackers had compromised accounts belonging to crypto lending firm BlockFi by using SIM swaps, a common tactic in which attackers steal the identities of cell phone users by fooling their cell providers. And the crypto community isn’t taking the news well.
The company said in an incident report sent to users that sensitive account information, such as names, email addresses, dates of birth, physical addresses, and activity histories, was revealed to the hackers.
According to BlockFi, however, the hackers were not able to access other personally identifiable data, including social security numbers, tax identification numbers, passports, licenses, passwords, bank account information, account preferences, and photo IDs.
Nevertheless, the news appears to have alarmed BlockFi clients and kicked up a storm of controversy on Twitter, especially among privacy-minded Bitcoiners.
Bitcoin privacy expert and Tales from the Crypt podcast host Matt Odell told Decrypt that he’s personally disappointed in the “lack of public disclosure” on BlockFi’s website related to the hack. The incident report of the breach was dated May 14, but was only sent to users this morning, and was not posted to BlockFi’s website.
Instead, what users got was a “hand-waving post about 2FA and whitelisting addresses,” said Odell. That post appears to have gone up before news of the breach went public this morning, since it was published yesterday and updated today.
“The fact that marketing personnel have access to this sensitive privacy information is troubling on its own but the fact that a simple SIM swap allowed malicious actors to get access is even worse,” Odell said. “It shows a complete disregard for user privacy.”
That lack of privacy appears to be at the center of the controversy, since BlockFi does not allow funds that have been put through Bitcoin mixers to be deposited on its platform. Funds mixed through CoinJoin, a service that obfuscates Bitcoin transactions, are banned from BlockFi, which the company’s CEO Zac Prince has said is due to concerns with regulations.
The argument goes that if BlockFi users had been able to make use of CoinJoin and other mixers then their data would not have been compromised by this breach.
According to crypto lawyer Rafael Yakobi, services like CoinJoin are not illegal, but blockchain forensic firms such as Chainalysis have convinced BlockFi and others to prohibit their use among their clients.
“Using CoinJoin for deposits and withdrawals would have helped users mitigate the privacy concerns present with a hack like this, however BlockFi is one of five companies that explicitly prohibits CoinJoin usage,” Odell said. “The malicious actor who compromised their system can now easily use deposit and withdrawal addresses to track users’ past and future transactions as well as their balances,” he said. “Anti-coinjoin policies are anti-user.”
Yakobi concurred. “If malicious actors obtain transaction histories linked to real names,” he told Decrypt, “users could now be vulnerable to targeted attacks, since the hackers may be able to discern how much Bitcoin a person owns, and where that Bitcoin might be stored.”
Said Yakobi: “Dragnet information collection should be scrutinized and limited given the inherent risks associated with the unauthorized dissemination of sensitive private information and questionable value as an AML tool.”
What this will mean for BlockFi’s business, and for the trust that it may have lost among its users, is yet to be determined. The company has yet to make any public comments about the hack, other than the incident report. BlockFi CEO Zac Prince was not available to respond to Decrypt’s request for an interview.