CryptocurrencyWeb3NFTsInvestingBitcoin

Did Celsius ‘dox’ its customer base? How an attempt to dodge regulators ended with thousands of pages of user data published online

October 7, 2022, 7:25 PM UTC
Alex Mashinsky, chief executive officer of Celsius Network, speaks during the Milken Institute Global Conference in Beverly Hills, California, U.S., on Wednesday, May 2, 2018. The conference brings together leaders in business, government, technology, philanthropy, academia, and the media to discuss actionable and collaborative solutions to some of the most important questions of our time. Photographer: Dania Maxwell/Bloomberg via Getty Images
Alex Mashinsky, CEO of Celsius Network.
Dania Maxwell—Bloomberg/Getty Images

Bankruptcy proceedings have battered the crypto platform Celsius, exposing the imprudent behavior of its executives and its inability to pay back customers. The latest controversy arose on Thursday, after Gizmodo uploaded a 14,532-page court filing to the Internet Archive. The reason it was so long? The file contained the names and transaction history of every user on the platform.  

While the filing provided vital information—such as confirmation that Celsius executives had withdrawn large sums from the platform before halting withdrawals—people on Twitter immediately described Celsius’s data sharing as doxing. Anybody could easily match the on-chain activity and addresses of named Celsius users with the dates and amounts of transactions.

According to legal and identity experts, the move was a legal requirement for Celsius, but it still revealed the dangers of centralized crypto services, especially as the industry reckons with, at best, inconsistent regulation.  

“Celsius’s lawyers didn’t actually ‘dox’ anyone,” said Joseph Collement, an attorney who leads the legal and compliance team for Bitcoin.com. 

Before Celsius went bankrupt, it was one of the largest crypto-lending platforms, attracting almost 2 million customers by offering yields as high as 17% on deposits and managing almost $12 billion in assets.

While Celsius acted like a customer-facing bank, it didn’t want to be regulated as one. People who deposit money in banks are protected by bank secrecy laws. To avoid such regulations, including FDIC requirements, Celsius instead classified its customers as “creditors”—a distinction usually reserved for major financial players.

“Since these types of creditors represent potential systemic risk, it’s important that their activities are transparent,” Collement told Fortune

Because Celsius had registered its users as creditors, not depositors, they were subject to creditor disclosures.

“Clearly this makes little sense at face value—Celsius’s customers are not systemically important in the same way banks’ creditors are,” Collement continued. “However, because regulations about creditor disclosures were not designed with quasi–crypto banks in mind, we are stuck with the legal framework we have.”

As part of the bankruptcy proceedings, Celsius tried to have the names of its customers (or creditors) redacted, arguing that disclosure of the list would affect the firm’s chances of selling it as part of its reorganization. At the end of September, the judge agreed that Celsius could redact the physical and email addresses of its individual creditors, but that it would have to include their names.  

A lawyer who spoke to Fortune on the condition of anonymity explained that debtors are required to identify creditors that have received payments or transfers within either 90 days or a year, depending on their status. Celsius was not exempted because it had taken a nontraditional approach to classification of its customers.

Phillip Shoemaker, executive director and CEO of decentralized verification service Identity.com, said Celsius’s failure to protect its customers is representative of the dangers of centralized crypto platforms.

“This is problematic because blockchain transactions are intended to inherently protect a user’s identity, and it is assumed that when operating in Web3, an individual’s identity is not unveiled,” he told Fortune. “Many crypto users are considering this filing as going against decentralization, and believe Celsius no longer values a right to privacy for its users.” 

Crypto Twitter’s uproar that Celsius had doxed its customers was not quite accurate—in reality, that lack of privacy was baked into its business model and attempt to game the system.

The episode demonstrates how the promise of decentralization is often just a veneer for many crypto companies, especially as their shortcomings are revealed in a market downturn.

“The moral of the story here,” Shoemaker said, “is that if a company is going to do business in Web3, every aspect of its operations should reflect Web3 and blockchain values of being secure, decentralized, and transparent.”

Sign up for the Fortune Features email list so you don’t miss our biggest features, exclusive interviews, and investigations.