What To Do If Your Data Was Leaked by Celsius + Other Privacy Considerations
Level 3 - Virgin DeFi Analyst
Welcome Avatar!
As we covered last weekend, Celsius has doxxed everyone who used their Earn or Custody products in the 90 days leading up to the bankruptcy.
That means criminals can find the biggest wallets, and on-chain activity can be tracked by anyone.
Some people are definitely thinking “holy s**t.” And rightfully so.
Luckily we’ve brought in our resident Iguana here to do some firefighting.
In today’s post we’ll cover what data gets leaked during your day to day interactions with crypto and what to do if your data was leaked by Celsius.
We are sure most of the people reading this are familiar with Google Analytics. Many prominent DeFi apps such as Uniswap use it. That means Google also knows you use Uniswap.
If you ever signed in to a G* anything service on that computer, Google now knows you’re into DeFi. Even if you aren’t a Google customer, the sheer prevalence of its analytics tags all over the Internet means Google can build a profile of you based on the sites you’ve visited.
What Can Any dApp Frontend Find Out About You?
Let’s say you know better than to sign up to Google. You also use a VPN. You even clear your cookies and history before and after using DeFi.
What could Uniswap or any other dapp frontend possibly learn simply when you visit their website?
There is a technique called browser fingerprinting, which combines the information your browser gives out about your computer, network, and device into a set of characteristics that is nearly unique to you. The first paper describing this tech is nearly 13 years old.
You already know that your wallet address is shared when you click connect wallet, but what information could be transferred before you even make that choice?
Your operating system (Windows 10, Mac OS), Browser (Brave, Firefox) and software version numbers. These can be very specific, identifying your computer uniquely in some circumstances, or down to 1 in 20 people
Your timezone. You’re not fooling anyone with your VPN IP set to Singapore and your timezone set to EST
Your computer language e.g. “English - United States”
How many CPU cores your computer processor has
Your screen resolution (monitors and layout)
And more…
Did you install a 19” monitor to the right of your 24” monitor? Great, you’ve got a rare screen resolution that probably uniquely IDs you when combined with your timezone and browser version.
Now when you click connect wallet, *all* of this information could be permanently stored and used to associate a profile with your wallet. And if you connect another wallet later, with the same browser, the frontend could probably guess that these two wallets are connected.
That sounds a bit scary, but surely there are lots of US - English computers running Windows in the EST timezone with a standard 24” monitor, so how do they find me?
Here’s all the other stuff they can track:
Autist Note: Credit to the EFF’s Panopticlick project for raising awareness of this tracking
‘super cookies’ which monitor which websites you have visited and how long you spend on them, even if you delete cookies;
ID based on your video card hardware, installed video card driver, operating system, and fonts (canvas fingerprinting)
ID based on your audio devices (audiocontext fingerprinting)
Browser Plugins (if you still use them)
Click This Link For Proof: https://amiunique.org/fp
Was your browser unique? If so, any website you visit - including dapps - could run code which identifies you. If you hit ‘connect wallet’ then your wallet address can be linked with that profile. And. If you use the same computer and browser to log in to two wallets, it is possible that they can be linked as likely having the same owner.
Maybe you were not unique.
This is a reason why we recommend buying a *common* laptop, not installing any special software except your VPN, and then using it only for crypto. And it is important not to sign into any cloud services or do any other browsing except for DeFi transactions. Don’t register the device. Pay cash. Etc.
If you have a standard MacBook or Chromebook with no plugins and the standard browser you are unlikely to be unique. A common profile will be harder to trace back to you. Unless you give your timezone as EST while using a Singapore IP of course. Then you’re probably unique again.
Luckily, many of the metrics mentioned above and used at amiunique.org require special code which is unlikely to be used by Google Analytics or a dApp. The point is that this code can run and extract the information without you knowing. Also, there is plenty of information which is sent by default and can be used to uniquely identify website visitors. Your IP address and browser user agent are often sufficient.
Autist note: Turbos can investigate the counter-fingerprinting feature of the Tor Browser, or using fresh Windows VMs with standard configuration under Qubes, plus a VPN proxyvm.
Section Summary
Whenever you use a website your computer leaks information. When you hit connect wallet the site could combine browser fingerprinting with your Ethereum address, possibly linking your different wallets together. This isn’t nefarious: the frontend team could be running analytics to improve the user experience or dumping everything into their Sentry.io server (see Slope Wallet seed phrase leak).
So you should make sure your device blends into the crowd.
Get a common device, use it for crypto only, and link your timezone / regional settings with the geo of your VPN IP address. 80% good.
Autist Note: If you have to manage a lot of different wallets and care about being tracked, you can use tools like Tor Browser and Qubes OS to help manage identity separation.
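A self-check for the signals covered in this section, added here as an example and not code from any dapp or from this post's authors: it reads the passive attributes listed earlier, shows that two visits from the same browser produce the same profile ID, and flags the Singapore-VPN / EST-clock mismatch. The function names, the tiny ZONES table and the sample values are assumptions made for illustration.

```javascript
// Added example, not code from the post. Reads the passive signals the post
// lists from navigator/screen-like objects (browser globals or test stand-ins).
function readSignals(nav, scr, tz = Intl.DateTimeFormat().resolvedOptions().timeZone) {
  return {
    userAgent: nav.userAgent,           // OS, browser and version numbers
    timezone: tz,                       // IANA zone, e.g. "America/New_York"
    language: nav.language,             // e.g. "en-US"
    cpuCores: nav.hardwareConcurrency,  // logical CPU cores
    screen: `${scr.width}x${scr.height}`,
  };
}

// Stable 32-bit FNV-1a digest of the signals: the same browser produces the
// same value on every visit, whichever wallet is connected.
function profileId(signals) {
  const text = Object.keys(signals).sort().map((k) => `${k}=${signals[k]}`).join("|");
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h = Math.imul(h ^ text.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Names of the signals that differ between two profiles.
function diffSignals(a, b) {
  return Object.keys(a).filter((k) => a[k] !== b[k]);
}

// True when the reported timezone does not belong to the VPN exit country.
// ZONES is a constructed, deliberately tiny table; unknown countries count as a mismatch.
const ZONES = { SG: ["Asia/Singapore"], US: ["America/New_York", "America/Chicago", "America/Denver", "America/Los_Angeles"] };
function timezoneMismatch(signals, vpnCountry, zones = ZONES) {
  return !(zones[vpnCountry] || []).includes(signals.timezone);
}

// Constructed sample values standing in for window.navigator / window.screen.
const sampleNav = { userAgent: "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0", language: "en-US", hardwareConcurrency: 8 };
const sampleScreen = { width: 1920, height: 1080 };

function demo() {
  const visit1 = readSignals(sampleNav, sampleScreen, "America/New_York"); // wallet A session
  const visit2 = readSignals(sampleNav, sampleScreen, "America/New_York"); // wallet B session
  const fixed = readSignals(sampleNav, sampleScreen, "Asia/Singapore");    // clock matched to VPN
  return {
    sameProfile: profileId(visit1) === profileId(visit2),
    mismatchBefore: timezoneMismatch(visit1, "SG"),
    mismatchAfter: timezoneMismatch(fixed, "SG"),
    changed: diffSignals(visit1, fixed),
  };
}
```

In a browser console, `readSignals(navigator, screen)` returns the values your own browser exposes; compare the output of your crypto-only profile and your everyday profile with `diffSignals`.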
“I Was Doxxed By Celsius What Should I Do?”
After making sure you’ve understood how your computer and browser can leak information about you, make sure you’re using a separate laptop just for crypto.
Then start over with a clean wallet *and* change your VPN!
Remember, your Ethereum transactions go through a centralized service (Infura or Alchemy) which can track your IP.
Important: If you are still using the same dapps with the same browser fingerprint with your new wallet you’re likely creating a link between old and new wallet. It may only be seen by the dapp provider, their CDN, their DevOps/monitoring solution, or Google Analytics, or their B/D guys, or the Feds…get the picture? Only a matter of time before your info ends up online again - maybe this time sold to criminals on a darknet site and you never hear about it.
How to Make a Clean Wallet
If you’re running from the FBI or the IRS you’ve come to the wrong place. We can’t help with that. But. If you simply want to re-establish the privacy you have lost by moving assets out of wallets which may now be linked to your real name, read on.
We’ve seen some people recommend moving the assets back onto a CEX and transferring them out to a new wallet. While this stops people who *only* have access to the public blockchain from linking the funds, it rather misses the point. Once again your wallets are KYC’d and any future leak means that your entire on-chain history gets tied to your name, forever. Again.
Others have recommended an on-chain mixer protocol like Tornado Cash, CoinJoin, or Railgun (private DeFi). If you’re a US person it is currently illegal to use Tornado. If you’ve been following our ongoing regulatory updates for paid subscribers you’ll know why mixing with other services should be avoided for now.
Finally, although using a cross-chain bridge for privacy seems appealing, bridges have records of the source and destination transactions. Some even publish them like a block explorer as seen below. Meaning, if it’s worth someone’s time you can still be tracked.
Instead, after checking tax consequences, cash out all crypto linked to your doxxed wallets. They already know who you are. Use a separate bank account just for cashing out your crypto so your normal accounts don’t get bricked in any future bank crack-down. Pay all your taxes.
As far as the official record is concerned, you are done with crypto.
Fully reset your hardware wallets and don’t re-use your old seed phrases.
Now it’s time to earn money as an anon in crypto, buy crypto with cash OTC, or sell goods or assets to buyers willing to pay you in crypto.
Don’t KYC. Don’t use a CEX. Don’t link your coins to your real world identity again.
Now if you ever need to cross a border in an emergency without losing everything you own, you simply memorize your seed phrase and no one is the wiser.
Bonus: The Calls Are Coming From Inside The House
There are companies such as Chainalysis run by the standard profit motivated businessmen who see a huge TAM selling tracking data to exchanges, tax authorities, and police departments. How far do you think they would go?
How about setting up an entire block explorer site (like Etherscan) so they could track the real world IPs and browser information from people who looked up the balance of a crypto wallet? (this really happened)
It’s obvious the first few people to know the address of a wallet are the sender and receiver. It’s improbable you’d stumble upon a new address at random.
Tip: either run your own node, or wait for your wallet client to alert you to new funds, don’t paste tx ids or addresses into websites. Be careful where you enter your wallet address.
We don’t want to get too tinfoil hat on you, but you really don’t know for sure that Blockchair, Etherscan, Debank, Zapper, or any other popular tx tracking dashboard isn’t a honeypot. We’re not making accusations whatsoever, just that you never really know. Someone in a tech department could be bribed to add a hard-to-detect snippet of tracking code. With the amount of money at hand, political crossover, and headlines like the ones below making their rounds, it’s foolish to assume that crypto is just a fun little playground for some degens on Twitter.
If you enjoyed this post, sign up to our paid Substack for alpha, market commentary and more high security practices. We ain’t playing games anon. Until next time..
Disclaimer: None of this is to be deemed legal or financial advice of any kind. These are opinions from an anonymous group of cartoon animals with Wall Street and Software backgrounds.
Thank you for the tutorial for running from the FBI or the IRS
We need an article on base-layer privacy!