Did Celsius “dox” its clientele? How an attempt to dodge regulators ended in thousands of pages of user data being published online

While the filing provided vital information, such as confirmation that Celsius executives withdrew large sums from the platform before stopping withdrawals, people on Twitter immediately described Celsius’ sharing of data as doxing. Anyone could easily match on-chain activity and named Celsius user addresses with transaction dates and amounts.

Legal and identity experts say the move was a legal requirement for Celsius, but it still exposed the dangers of centralized encryption services, especially as the industry relies on inconsistent regulation, at best. .

“Celsius’ lawyers don’t actually ‘dox’ anyone,” said Joseph Collement, an attorney who leads Bitcoin.com’s legal and compliance team.

Before Celsius went bankrupt, it was one of the largest crypto-lending platforms, attracting almost 2 million customers by offering returns of up to 17% on deposits and managing nearly 12 billion. dollars of assets.

While Celsius acted as a bank in direct contact with its customers, it did not want to be regulated as such. People who deposit money in banks are protected by bank secrecy laws. To avoid such regulations, including FDIC requirements, Celsius has instead categorized its customers as “creditors,” a distinction typically reserved for major financial players.

“Since these types of creditors represent a potential systemic risk, it is important that their activities are transparent,” Collement said. Fortune.

Since Celsius had registered its users as creditors and not as depositors, they were subject to creditor disclosures.

“Obviously, this makes little sense on its face – Celsius customers are not systematically important in the same way as bank creditors,” Collement continued. “However, because the creditor disclosure regulations were not designed for quasi-crypto banks, we are stuck with the legal framework we have.”

As part of the bankruptcy proceedings, Celsius has tried to have the names of its customers (or creditors) redacted, arguing that disclosing the list would affect the company’s chances of selling it as part of its reorganization. . In late September, the judge agreed that Celsius could remove the physical and email addresses of its individual creditors, but would have to include their names.

A lawyer who spoke to Fortune on condition of anonymity explained that debtors are required to identify creditors who received payments or transfers within 90 days or one year, depending on their status. Celsius was not exempted because it took a non-traditional approach to classifying its clients.

Phillip Shoemaker, executive director and CEO of decentralized verification service Identity.com, said Celsius’ failure to protect its customers is representative of the dangers of centralized encryption platforms.

“This is problematic because blockchain transactions are intended to inherently protect a user’s identity, and it is assumed that when operating in Web3, an individual’s identity is not exposed,” said- he declared. Fortune. “Many crypto users view this repository as going against decentralization and believe that Celsius no longer values ​​its users’ right to privacy.”

Crypto Twitter’s outcry that Celsius had doxed its customers wasn’t entirely accurate – in fact, this lack of privacy was built into its business model and was trying to game the system.

The episode shows how the promise of decentralization is often just veneer for many crypto companies, especially as their shortcomings come to light in a market downturn.

“The moral of the story here,” Shoemaker said, “is that if a company wants to do business in Web3, every aspect of its operations must reflect the Web3 and blockchain values ​​of being secure, decentralized, and transparent.”