As I said, it went to what look like custody wallets. It seems that Coinbase makes a new cold wallet for each customer after the OTC deal for institutions.
I’m very bullish on $BTC.
Ledger customers are being targeted for ransoms after their personal details were leaked and published on a public forum.
One Ledger customer received an email threatening physical violence if they did not pay $500 to the sender.
“If not, I’m not afraid to show up when you least expect it and see how my wrench works against your face, or maybe even wait for you to leave your home and take your belongings whilst you’re not there to call the police,” the anonymous person said in the email.
The Ledger customer said they are not worried, and that they receive several of these emails and text messages per day now.
“I now get 3-4 emails a day, and 5-6 text messages a day. GO TO HELL,” the customer said.
The Ledger hack was a leak of names, physical addresses and phone numbers of Ledger customers. It came from a hack of Ledger’s e-commerce database in June. Ledger has pointed out that data on users’ holdings has not been released, nor access to their cryptocurrencies (which Ledger doesn’t possess).
The identifying data, however, has enabled those who have seen the database to identify who owns a Ledger wallet and, in some cases, where they live. Since Ledger wallets are expensive, those owning one are likely to hold a reasonable amount of cryptocurrency, which makes them prime targets.
This suggests that these kinds of email will soon be commonplace to those who had their data stolen. Or as Casa CTO Jameson Lopp put it, “Strap in for scareware.“
First, the good news, in a manner of speaking: Ledger customers can now see firsthand whether their personal information was exposed in the hack discovered in July.
Someone posted the complete lists of 1 million email addresses and 272,000 names, mailing addresses and phone numbers belonging to customers of the France-based maker of hardware cryptocurrency wallets. The latter list is a lot bigger than the number previously disclosed by Ledger (9,500).
Ledger did not address the discrepancy in a tweet storm Sunday apologizing again for the breach. A spokesperson did not immediately respond to an email requesting comment.
“It is a massive understatement to say we sincerely regret this situation. We take privacy extremely seriously,” the company said. “Avoiding situations like this is a top priority for our entire company, and we have learned valuable lessons from this situation which will make Ledger even more secure.” Among other steps, Ledger has hired a new chief information security officer and taken down 170 phishing sites since the breach, it said.
There are at least three file-sharing sites, reminiscent of the golden age of MP3 blogs, where you can download the two lists. I will not post the links but it took just a few minutes searching Twitter to find them.
If you do download the trove, please check for your own details, then delete it. If you keep the file, gawk at the names or gossip with friends about it, well, I’ll be very disappointed.
Several of the email addresses in the data leak match those which received phishing emails from scammers seeking to defraud CoinDesk readers.
As we reported in July, these scammers were copying legitimate CoinDesk newsletters, adding some fraudulent paragraphs and links about a crypto giveaway, and sending them to individuals who never signed up to receive CoinDesk emails to begin with.
Casa CTO Jameson Lopp suggested in November that Ledger customers may have been targeted; today’s data dump would suggest that’s true.
Read more: ‘Convincing’ Phishing Attack Targets Ledger Hardware Wallet Users
The bad news: O.K., it’s not news but Sunday’s data dump serves as a sobering reminder that even a maker of hardware crypto wallets can become a honeypot of sensitive data. (I’m using the term “honeypot” in the sense of “a valuable target for hackers,” not “a decoy site to trap them.”)
The reason is partly due to the marketing imperatives of a startup, and partly due to legal and regulatory requirements.
In an FAQ posted in July, the company said an attacker had accessed part of its marketing database through a third party’s API key that had been misconfigured on Ledger’s website.
As soon as the breach was discovered, the key was deactivated, Ledger said. But not in time to prevent the rascals from accessing the lists and, apparently, selling them to phishing artists.
Why would a third party have an API key? The FAQ goes on to explain:
That covers the emails. What about all those mailing addresses, names and phone numbers? Why not purge those after shipping the goods? Back to the FAQ:
For legal reasons, we are obliged to store some transactional information relating to our customers’ contact details and their orders data.
In accordance with the storage limitation principle set forth under applicable laws, we endeavor to retain data for no longer than the time required to comply with such legitimate and legal purposes, including satisfying any legal, accounting, tax, or other compliance reporting requirements.
We may archive some of your personal data, with restricted access, for an additional period of time when it is strictly necessary for us to comply with our legal and/or regulatory archiving obligations and for the applicable statute of limitation periods.
At the end of this additional period, your remaining personal data will be permanently erased or anonymized from our systems. If you purchased a product or a service from us, we may retain some transactional data attached to your Contact Details to comply with our legal, tax or accounting obligations for a maximum 10 years period set forth by French applicable laws, as well as to allow us to manage our rights (for example to assert our claims in Courts) during applicable French statutes of limitations.
We also need to retain some of your personal data contained in this database, in order for us to answer your questions, to process potential claims, and to retain evidence for the criminal investigation.
In other words, sometimes companies’ hands are tied and they have to hold on to the toxic waste that is customer data even if they don’t want to.
Take heart; there are ways to mitigate the risk of exposure even when ordering physical products, as CoinShares chief strategy officer Meltem Demirors noted on Twitter:
Read more: Let’s Be Privacy Scolds
A user on crypto Twitter going by the handle ‘Jimmy McShill’ [@JimmyMcShill] posted screenshots of files that have been uploaded to forums purportedly containing the ‘full database’ of Ledger customers’ emails, phone numbers and addresses:
⚠️⚠️ Uhh shiit! A hacker is dumping the full @Ledger database dump for free on raidforums! Emails, phone numbers and addresses!
Get ready for a huge spam and phishing wave!#bitcoin #cryptcurrencies #phishing #security pic.twitter.com/XAQQHZ2wkW
— Jimmy McShill (@JimmyMcShill) December 20, 2020
Ledger responded stating that they believe the data is from a previous breach and not a new attack;
“Today we were alerted to the dump of the contents of a Ledger customer database on Raidforum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June, 2020.”
If Ledger fails to keep personal information safe, can they really be trusted with digital assets? It is still unclear whether this is a new attack or the dumping of contents from the first attack which occurred in June 2020. At the time, it resulted in the exposure of as many as a million customer email addresses.
Following the breach, Ledger users were targeted by scammers and phishing attacks, some of which attempted to lure users into downloading fake Ledger software or revealing their recovery (seed) phrases. This indicates that the data had already been leaked, and the new dump could be a further set of customer information.
The Block’s director of research, Larry Cermak, is of the opinion that this is much worse than the previous data breach as it contains physical addresses;
This Ledger leak is much much worse than I thought. Did some cross checks with people that have purchased Ledgers and the hit rate (anecdotally) is like 50%. The info includes home addresses as well as phone numbers.
— Larry Cermak (@lawmaster) December 20, 2020
CryptoPotato spoke to one Ledger victim, an industry researcher and journalist who requested to remain anonymous. According to the source, the device was accessed remotely and cleared out with several unauthorized transactions, resulting in the loss of around $16,000 at the time in late 2019.
“The wallet was secured in a safe with the key phrase in another safe. Neither were broken into or accessed so I was dumbfounded to discover that the thing had been drained of all funds by three transactions I did not make.”
Realizing that there was little chance of recovering the losses, the victim contacted Ledger to try and find out how this could possibly have happened in order to warn others. The firm was unaccommodating, simply sending an apology and not even willing to investigate the fraudulent transactions.
With the leaking of more personal information, Ledger users should start to brace for an incoming maelstrom of attacks that could now start to target them personally.
On Dec 18, 2020, The Financial Crimes Enforcement Network (FinCEN), took a step closer to implementing its long-dreaded crypto wallet regulation.
Under the proposed rule, crypto exchanges would be obliged to make crypto users comply with know your customer (KYC) requirements when transferring their digital assets to personal wallets.
FinCEN now seems set to implement the new rule after it recently posted two job listings for crypto advisers. The professionals would assist the top policy enforcement arm of the Treasury Department in developing policy responses to cryptocurrencies.
These Strategic Policy officers would also issue advisories, liaise with financial institutions and engage in crypto policy partnerships with the public and private sectors.
Crypto advocate Jake Chervinsky confirmed in a Dec 19 tweet that FinCEN was working on drafting AML regulations for unhosted crypto wallets. He noted:
“If adopted, the rule would require regulated companies to verify the name & address of non-custodial wallet users for any transaction > $3k.”
The crypto community on Twitter largely sees the regulatory policies as harmful to the crypto space, as they would stifle the privacy of digital asset holders.
The proposed FinCEN rule would require users wishing to send crypto from centralized exchanges to a personal wallet to provide their personal information to the exchanges.
The exchanges would then have to keep records, including the counterparty’s name and physical address, of transactions to unhosted wallets worth more than $3,000, and file reports with FinCEN when a customer’s such transactions add up to more than $10,000 in a 24-hour period.
Essentially, the proposed rule increases the amount of personal data that exchanges must report to the Treasury Department, thus undermining crypto’s original promise of privacy and self-sovereignty.
FinCEN seems determined to close “loopholes” around digital currency transaction reporting and bring crypto closer in line with the traditional banking system.
The financial watchdog has long expressed its intention to impose more than just watered-down regulatory policies around crypto, to stifle the ability of malign actors to use unhosted digital wallets in criminal activity.
The general public has until Jan. 4, 2021, to provide comments or feedback on the proposed FinCEN regulation that would centralize info on all crypto withdrawals with the US treasury.
Coinbase CEO Brian Armstrong was among the first prominent figures to disclose plans by regulators to require exchanges to verify KYC information for recipients of crypto transfers to a self-hosted wallet. Armstrong clearly opposed the “rushed rule” that would infringe on the privacy of crypto users.
Another crypto enthusiast and senator-elect for Wyoming, Cynthia Lummis, has come out to oppose the proposed transaction reporting rule.
The senator, who recently stated that she would promote Bitcoin in congress, tweeted that she was deeply concerned about the move by regulators to govern self-hosted digital asset wallets.
The Financial Crimes Enforcement Network (FinCEN), an agency of the US Treasury Department, has proposed a new set of rules that would require financial institutions to keep a record of certain transactions sent to private cryptocurrency wallets.
According to the proposed rules, if a customer moves $10,000 or more in cryptocurrency in a 24-hour period, banks and money service providers are required to send data on the transaction directly to FinCEN. That data includes the name and physical address of the customer who sent the cryptocurrency to a private wallet.
The rules also mandate that companies keep a record of all transactions sent to private, unhosted crypto wallets if the transaction is worth $3,000 or more.
FinCEN says it’s also creating a new rule to prohibit “structuring,” which it defines as an attempt to break down large amounts of cryptocurrencies such as Bitcoin into smaller transactions to avoid reporting requirements.
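The three mechanics described above (a per-transaction recordkeeping threshold, an aggregate reporting threshold over a 24-hour window, and a structuring prohibition) are the kind of logic a VASP’s transaction-monitoring pipeline would have to implement. The following Python is an added illustration written for this page, not code from FinCEN, Ledger or any exchange. The $3,000 and $10,000 figures and the 24-hour window are taken from the proposal as the article summarises it; the structuring heuristic (a customer crossing the reporting threshold using only sub-$3,000 withdrawals) is this example’s own assumption, not FinCEN’s definition, and the withdrawal records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds as described in the proposal (per the article); the window is
# the 24-hour aggregation period for the reporting requirement.
RECORD_THRESHOLD = 3_000     # USD: keep a record (name + physical address) at or above this
REPORT_THRESHOLD = 10_000    # USD: file a report when a customer's 24h total reaches this
WINDOW = timedelta(hours=24)

# Constructed sample withdrawals to unhosted wallets: (customer id, ISO timestamp, USD value).
SAMPLE_WITHDRAWALS = [
    ("cust-A", "2020-12-21T09:00:00", 2_500),
    ("cust-A", "2020-12-21T11:30:00", 4_200),
    ("cust-A", "2020-12-21T20:15:00", 3_900),  # cust-A crosses $10k inside 24h
    ("cust-B", "2020-12-21T10:00:00", 9_500),
    ("cust-B", "2020-12-23T10:00:00", 9_500),  # cust-B: large, but >24h apart, so no report
    ("cust-C", "2020-12-21T10:00:00", 2_900),
    ("cust-C", "2020-12-21T10:05:00", 2_900),
    ("cust-C", "2020-12-21T10:10:00", 2_900),
    ("cust-C", "2020-12-21T10:15:00", 2_900),  # cust-C: each under $3k, >$10k in 15 minutes
]


def needs_record(value_usd):
    """Per-transaction recordkeeping trigger ($3,000 or more)."""
    return value_usd >= RECORD_THRESHOLD


def analyse(rows):
    """Return recordkeeping hits, reporting triggers and structuring suspects.

    Uses a two-pointer sliding window per customer so each withdrawal is
    examined once, regardless of how many fall inside the 24h window.
    """
    by_customer = defaultdict(list)
    for customer, ts, value in rows:
        by_customer[customer].append((datetime.fromisoformat(ts), value))

    result = {"record": [], "report": {}, "structuring": []}
    for customer in sorted(by_customer):
        txs = sorted(by_customer[customer])
        start, running_total = 0, 0
        for i, (ts, value) in enumerate(txs):
            if needs_record(value):
                result["record"].append((customer, ts.isoformat(), value))
            running_total += value
            # Drop withdrawals older than 24h relative to the current one.
            while txs[start][0] < ts - WINDOW:
                running_total -= txs[start][1]
                start += 1
            if running_total >= REPORT_THRESHOLD and customer not in result["report"]:
                result["report"][customer] = ts.isoformat()
                window = txs[start:i + 1]
                # Heuristic (assumption): reporting threshold reached purely through
                # sub-$3k withdrawals looks like an attempt to dodge recordkeeping.
                if len(window) > 1 and not any(needs_record(v) for _, v in window):
                    result["structuring"].append(customer)
    return result


if __name__ == "__main__":
    for key, hits in analyse(SAMPLE_WITHDRAWALS).items():
        print(f"{key}: {hits}")
```

Note that cust-B never triggers a report even though it moves $19,000, because the two withdrawals are more than 24 hours apart; that is exactly the gap the proposal’s structuring language is aimed at, and it is why a monitoring system needs the aggregate window and a pattern heuristic, not just a per-transaction threshold.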
FinCEN says the new requirements are necessary to address concerns about national security.
“The proposal seeks to establish appropriate controls to protect United States national security from a variety of threats from foreign nations and foreign actors, including state-sponsored ransomware and cybersecurity attacks, sanctions evasion, and financing of global terrorism, among others.”
Crypto lawyer and Compound general counsel, Jake Chervinsky, calls the proposed rule a terrible idea that could have been worse.
“Let’s look on the bright side for a minute. This doesn’t require KYC for every transaction with a non-custodial wallet. It isn’t an outright ban on self-custody. It doesn’t prohibit the act of using a permissionless network…
But it’s still an awful rule. I’ll give you three reasons why. (There are more.) First, it does nothing to accomplish its stated goals. Even if illicit activity was a major problem (it isn’t), this won’t stop the flow of funds to bad actors or help law enforcement do its job.
It doesn’t stop VASP customers from transacting with bad guys. It just forces them to pay an extra fee to withdraw to their own wallet first. It also doesn’t give investigators any new information. VASPs already KYC their customers and keep records of transactions.
Second, it infringes on US citizens’ financial privacy rights. Today, law enforcement has to subpoena VASPs to get information about customers. VASPs can, should, and often do challenge these. This rule would force VASPs to hand over that information automatically, every time.
Third, the rule is vague and ambiguous. How exactly can a VASP obtain the name & physical address of the owner of a non-custodial wallet? How does someone prove that they “own” a private key? What about non-custodial smart contracts — who owns them? The rule doesn’t say.”
Chervinsky also says the 15-day window for public comment on the rule is “entirely out of order”.
“The Administrative Procedures Act (APA) requires agencies to provide notice of proposed rules & give the public “an opportunity to participate in the rulemaking through submission of written data, views, or arguments.” The law says these mandates are “not mere formalities.”
Regular order calls for an agency to accept public comment for at least 60 days for “significant” rules. It can be longer. FinCEN is giving us 15. At the end of December. With one month left before a new president is sworn in. There’s a name for this: “midnight rulemaking.”
Midnight rulemaking implies that an agency isn’t giving the public a genuine opportunity to participate in the rulemaking process, but rather trying to force through a predetermined result. Courts don’t take kindly to this. Midnight rules are often struck down under the APA.”
The new rules are open for public comment until January 4th, 2021.
Featured Image: Shutterstock/Lux Blue
Regulated crypto is close to crossing the Rubicon – and we’re not talking about the next price breakthrough.
The steady creep of know-your-customer (KYC) requirements over firms that touch digital assets is now at the foot of private, self-hosted wallets.
This move, which begins with regulated exchanges being required to do due-diligence on non-custodial wallets they connect to, is already underway in places like Switzerland and Singapore, with the U.S. rumored to be next.
Self-custody (being your own bank) and carrying out peer-to-peer transactions with a modicum of privacy is how crypto was designed. And while the Financial Action Task Force (FATF) seeks to impose a traditional anti-money laundering (AML) framework onto virtual asset service providers (VASPs), it’s worth restating that crypto was born out of a desire to disintermediate traditional finance, rather than break the law or facilitate money laundering.
Deep in the thick of the standoff between crypto users and regulatory authorities are blockchain analytics firms such as CipherTrace, Chainalysis and Elliptic (which often act as a window into crypto for law enforcement agencies).
Rightly or wrongly, these sleuthing companies are guided by certain red flags when it comes to tracking funds around the cryptosphere, seeing regulatory risk wherever money moves in and out of self-hosted wallets, privacy coins, peer-to-peer exchanges and bitcoin ATMs, for example.
Self-hosted wallets remain outside FATF’s reach for now, but the proportion of funds moved between exchanges and private wallets is a focal point for blockchain sleuths. This is not necessarily to do with criminal activity, said CipherTrace CEO Dave Jevans, but simply because authorities can’t see what’s going on.
“It’s uncertainty that regulators see as problematic,” Jevans said.
In a previous article, CipherTrace provided a snapshot of exchanges domiciled in the Seychelles, giving each a KYC score. Here, the analytics company dives into non-custodial and peer-to-peer exchanges such as ShapeShift, LocalBitcoins and Paxful.
ShapeShift, the non-custodial exchange launched in 2014 by privacy advocate Erik Voorhees, has been an ongoing subject of KYC and fund-flow analysis by CipherTrace. In August 2018, ShapeShift hired former Hogan Lovells partner Veronica McGregor as the exchange’s chief legal officer, and soon after began requiring customers to reveal their identities to the exchange.
ShapeShift had been given a “red” or weak KYC score by CipherTrace, which had also highlighted the proportion of funds flowing in and out of private wallets as a likely indicator of illicit activity.
However, this score has since been upgraded to green by CipherTrace, which acknowledges that grading the KYC processes of exchanges is a “dynamic state of affairs.”
“We agree that their KYC processes today are green,” said John Jefferies, chief financial analyst at CipherTrace. “ShapeShift is a very unique company, with an interesting past. This has spurred us to look at this edge case. Before September 2018 they had no KYC, and those hundreds of thousands of transactions are still on the blockchain and some are involved in ongoing investigations.”
Hannah Burke, ShapeShift director of compliance, said the firm’s revamped KYC involves the collection of a full range of personally identifiable information (PII) as well as screening for sanctions and politically exposed persons (PEPs), which the firm has been independently audited on.
As far as funds coming from private wallets is concerned, Burke said ShapeShift is non-custodial by design. “Our users will typically use their wallets rather than transferring between exchanges. So it’s not a shock to me that private wallets make up a pretty good percentage,” she said.
ShapeShift stands at the intersection of crypto privacy issues, having recently removed support for privacy coins, zcash, monero and dash.
“We’ve taken down the privacy coins because of their regulatory concerns,” said chief legal officer McGregor. “At least for the moment, we’re not working with those coins.”
Privacy coins such as zcash and monero, and privacy-enhancing wallets (Wasabi, Samourai and others) have valid uses, but are also clear red flags, said Jefferies of CipherTrace.
“There are ways to be compliant with tech like privacy coins,” Jefferies said. “There are ways to make them safe and establish the source of funds, so they’re not inherently bad, per se. However, they do carry with them additional risk.”
The Electric Coin Company, the creators of Zcash, commissioned the RAND Corporation to explore the use of cryptocurrencies for illicit or criminal purposes, focusing on Zcash.
Rand’s yearlong study showed the top cryptocurrency being used on dark markets or for money laundering and terrorist financing is far and away bitcoin, said Josh Swihart, vice president of growth at the Electric Coin Company.
“Of course, it’s not the number one currency, because the number one currency used for illicit purposes is the dollar, through regulated banks. But the main cryptocurrency is bitcoin, way ahead of even Monero,” Swihart said.
In terms of what’s happening on exchanges with privacy coins, Swihart pointed to the U.S.-based exchange giant Gemini becoming the first regulated exchange to support sending funds to shielded Zcash transactions. In support of Zcash shielded deposits and withdrawals, Gemini stated that they use enhanced due-diligence and may request users provide information on their source of funds, Swihart said.
“Zcash is compliant under U.S. regulation,” said Swihart. “As evidenced by Zcash support at Gemini, Coinbase and others, ShapeShift’s delisting of zcash, monero and dash does not mean that Zcash isn’t compliant. It’s specific to ShapeShift.”
CipherTrace has some history when it comes to LocalBitcoins: A
“On the subject of private wallets, we recommend to our users not to keep funds in their LocalBitcoins wallet more than they are planning to trade with because we don’t want to act as a wallet service,” said Elena Tonoyan, the firm’s chief operating officer. “Generally, it’s not very safe to keep bitcoins on any platform. There are hundreds of reasons why users might have a couple of wallets or just choose to keep their bitcoins in private wallets.”
Tonoyan pointed out that LocalBitcoins’ revamped compliance procedures means KYC is done on all users of the platform, and it’s not the case that older or previously existing accounts are grandfathered into the new regime.
“I would like to point out that we do KYC on all our customers,” said Tonoyan. “Say you had created a LocalBitcoins account back in 2014, to continue using the platform you would have to comply with everything we are asking you to do. We give those users who want to continue with us a deadline of 30 days to comply.”
The LocalBitcoins tiered KYC system, which includes mandatory ID verification and face match when a user transacts over 1,000 euros ($1,190) per annum, kicked in for all users following the arrival of the Europe’s Fifth Anti-Money Laundering Directive (AMLD5).
P2P exchange Paxful has been upgraded to a green KYC score by CipherTrace.
In April of this year, Paxful made identity verification mandatory for U.S. citizens and residents, with European and Canadian users added in August, according to Lana Schwartzman, chief compliance officer at Paxful. Paxful has also teamed up with KYC experts Jumio and uses Chainalysis’ know-your-transaction (KYT) tools.
“We have various proactive controls in place, one of which automatically blocks send-outs to specific categories, clusters or addresses,” Schwartzman said. “For example, when the Twitter hack occurred, within minutes we were able to add the addresses associated with the hack and stop all outgoing send-outs.”
Analysis of Paxful fund flows carried out by CipherTrace shows “a fairly high percentage” coming in from gambling and high-risk exchanges, and going straight out to ATMs, said Jevans. In terms of private wallets, this accounts for some 75%, so the source of those funds is “questionable,” he said.
“So people are cashing out their fiat in a way that’s probably not KYC’d because the ATM vendors are probably some of the last – at least outside of the U.S. – to start to implement KYC and AML,” Jevans said. (Despite a recent drive to clean up its act, the bitcoin ATM industry is likely to remain a clear red flag for a number of reasons.)
Summing up, John Salmon, a London-based partner at law firm Hogan Lovells who specializes in fintech, said the CipherTrace findings show the difficult marriage of regulatory and ideological concerns.
“There are also reasons why people might want to use privacy coins and it doesn’t mean that they are all money launderers or criminals,” said Salmon. “It just comes down to a fundamental view they have on what crypto should be all about.”