Celsius filing last year revealed 15,000 personal crypto wallets holding $3 billion at their peak

Last year, a surprise filing in the Celsius Network bankruptcy case contained a list of hundreds of thousands of its customers, including their names and internal transactions made on the collapsed lending platform.

At the time, it was widely suspected that the sheer amount of information — including specific deposits and withdrawals made on specific days — could be used to pinpoint many of the wallets used for these transactions. The fear was this would potentially link real names to their on-chain identities. But it was unclear just how many wallets could be linked and whether they contained any crypto at all.

Working with The Block Research and crypto analytics platform Nansen, we took a dive into the filing and managed to link up just over 127,000 transactions in the filing to blockchain transactions made by a total of 52,057 unique wallets. 

After removing exchange wallets and decentralized entities, this left us with 15,759 wallets that are likely personal wallets belonging to named customers.

These personal wallets contain $900 million of cryptocurrency today and looked after as much as $3 billion when the price of luna peaked in April 2022.

During the Celsius bankruptcy process, the judge said that releasing the list of customer names, without physical and email addresses, was insufficient to “expose customers to risks of identity theft or personal danger.”

For the list of names alone, that might be the case. But the combination of the names, alongside information that revealed their personal crypto wallets — and when combined with other data leaks — is a far more dangerous prospect.

“I think people are blissfully unaware of just how much information is revealed about them via on-chain means alone,” said MetaMask Lead Product Manager Taylor Monahan. “But this information becomes even more dangerous when it is connected to a person's real-life information. Suddenly their on-chain wealth and degeneracy (or lack thereof) can potentially be connected to their real name, usernames, email addresses, employer, location, and even mailing address.”

“Besides being insanely invasive and making public what people assume to be private, it can also make people a target for phishers, hackers, and even physical attacks,” she added.

This research was conducted to understand the extent of the data that could be worked out from the filing and the potential ramifications without diving deeply into specific wallets.

Deducing the Celsius wallets

The filing contains a huge amount of data. There are 2.7 million records, from interest payments to internal account transfers. This includes over 568,000 deposits and withdrawals.

In this analysis, we only looked at transactions for four cryptocurrencies — ether (ETH), Celsius’s token CEL, and two stablecoins, USDC and USDT, on Ethereum — which accounted for less than half of the total transactions. This means there are potentially more wallets to be found, particularly on the Bitcoin network.

For the analysis, we matched up the specific deposit and withdrawal amounts on the days specified in the filing with transactions sent to and from wallets that are one hop away from the main Celsius cold wallets. This is because companies typically create new deposit wallets for each of their users to receive the funds before sweeping them into their main wallets. As for withdrawals, Celsius typically pulls funds from its cold wallets to a handful of wallets used to send out crypto.

Out of the 52,057 wallets that we found, Nansen identified 32,683 that were likely owned by centralized exchanges. This shows many Celsius users sent their funds from an exchange like Coinbase directly to Celsius, and vice versa. Nansen also found 3,615 wallets that belonged to some kind of decentralized entity, like an exchange or a smart contract used for bridging crypto to different blockchains.

Removing these addresses left us with 15,759 wallets tied to personal names in the filing. 

Around 1,600 of the personal wallets are linked to at least one Ethereum Name Service domain name. This is where crypto users tie their wallets to a human-readable name like example.eth, which they will sometimes build an online persona around. This is a strong sign that these are indeed wallets belonging to crypto native individuals.

More than 6,000 of the personal wallets have been used to make trades on decentralized exchanges, such as Uniswap, suggesting these wallets belong to crypto native traders. Looking at some of the biggest wallets, they typically tend to be very active traders on decentralized exchanges.

Many of the personal wallets own NFTs too, with 4,700 of them owning an NFT from at least one collection. These wallets each own NFTs from 21 NFT collections on average, according to Nansen data. They include some big NFT holders too, with one wallet holding more than 100 CryptoPunks.

This data also makes it easy to spot the wealthiest crypto investors among Celsius’ customer base. Nearly 900 of the personal wallets contain more than $100,000 at current prices  — and that’s excluding tokens on other chains and NFTs — while 128 of them contain over $1 million. Thirteen of the wallets each contain more than $10 million. 

Did this data need to be released?

The sheer amount of data released in the Celsius filing shows how important it is that bankruptcy proceedings pay close attention to how much blockchain-related data they release — as it can often be used to glean considerably more information about customers and their assets, as shown in this case, than might be obvious.

This is an important ongoing discussion as multiple crypto bankruptcy procedures are in the works after many large-scale collapses in 2022. Often these discussions have to address what data to release, particularly as they typically relate to large numbers of retail clients and hefty amounts of blockchain data, which is a new issue for courts to deal with. 

But what data is required to be released in a bankruptcy filing and was the Celsius filing necessary — or a step too far?

Adam Shiff, bankruptcy expert and partner at law firm Fried Frank, said that, in bankruptcy cases, there’s usually a list of creditors and parties related to the case and that these lists are supposed to have the name and address of each creditor. Courts also have a broad mandate to redact information and typically do so for home addresses.

Shiff said that in bankruptcy filings, it’s abnormal to list specific transactions made on the platform in question. He said the main purpose of the information that’s made public is to enable observers to look at the company’s debts and see what a potential distribution would be — not to review all the historical transactions.

“The purpose of the schedules is not really to sit there and unwind and go through the details of the due-tos and due-froms. With the schedules, debtors don't generally attach invoices or anything like that,” he noted. 

This suggests that the Celsius filing wasn’t typical of bankruptcy proceedings and may not be a feature of future crypto bankruptcy filings.

The death of crypto privacy

While the Celsius filing released the names of a lot of crypto investors and revealed many of their personal wallets, it’s the combination of this data alongside other data leaks that is the most worrying.

Such data troves include the hardware wallet maker Ledger hack in 2020, which included names, email addresses and home addresses of all of its customers. There were 100,000 KYC documents from 2017/2018 that were stolen from a vendor that worked with major crypto exchanges like Binance. Plus, there were a lot of emails linked to social media profiles that were accidentally revealed by blockchain analytics platform Arkham with its referral links. 

Let alone the list of Celsius email addresses released in an earlier security breach.

(Shortly after this story was published, there was yet another data breach of names, home addresses, email addresses and exchange balances for FTX and BlockFi creditors due to a phishing attack at bankruptcy claims agent Kroll.)

When combined, these data troves could theoretically provide a nearly complete overview of someone, including their name, email address, home address, passport, social media account and their crypto wallet, showing part of their finances.

“What I find particularly concerning is the potential of spear phishing attacks against long-term crypto users as attackers get a complete picture of their victims,” said Sebastian Bürgel, founder of privacy protocol HOPR.

Bürgel noted that it's the link between the off-chain and on-chain information that is most worrisome. “I.e. I know where you live and how much money you have and when you access that money. That would be a quite obvious physical threat to the individuals whose data was leaked,” he said.

There is an overlap between these data sets. For instance, The Block Research compared the Celsius creditor names with the Ledger leak and found 1,003 matching names. Some of these were common names, but others were quite unique and could likely belong to the same person. The Ledger leak contained home addresses and the Celsius wallets could identify which of those crypto investors have the most money. The Celsius data, therefore, makes it easier for criminals to identify high-value targets for potential home invasions.

Over the last few years there have been multiple instances of crypto investors targeted at their homes, with an elderly couple robbed of $156,000 in cryptocurrency at their home last month. Canadian police have also warned of an emerging trend of home invasion-style robberies targeting large crypto investors.

While it’s unclear whether bad actors are using these kinds of data sets to target wealthy crypto investors, the more data that’s revealed combining personal information with financial blockchain data, the more that crypto investors will feel exposed.

Update: Added Kroll data breach.