Cesius data breach of thousands of users was due to a court order

Cesius Network LLC, a corporation that lends out cryptocurrency, is bankrupt. Cesius had its main office in Hoboken, New Jersey, and it conducted business internationally. Users could deposit a variety of digital currencies, such as Bitcoin and Ethereum, into a Cesius wallet to receive a percentage yield and could borrow money by using their digital currencies as collateral. The corporation had lent $8 billion to customers as of May 2022 and was managing assets worth close to $12 billion. Due to “extreme market conditions,” the firm drew attention in June 2022 by indefinitely pausing all transfers and withdrawals, which caused sharp drops in the price of bitcoin and other cryptocurrencies. Cesius filed for Chapter 11 bankruptcy on July 13, 2022.

The defunct cryptocurrency lender Cesius Network unintentionally exposed the data of all of its subscribers. More than 29,000 pages of court documents were downloaded last week, exposing the financial information of millions of users who held money in the “neobank” Cesius. The information appears to have been made public in accordance with regular bankruptcy practice as Cesius, which froze customer accounts in July, is currently going through the Chapter 11 restructuring process. The disclosure affects almost 600,000 user accounts, exposing their wallet addresses, transaction history, cryptocurrency holdings, most recent transactions, and other data. The incident has raised serious concerns about financial transparency and worries that users of Cesius may become the targets of theft or harassment as a result of this information being made public. It does not seem to be a data breach, as many initially speculated.

Martin Glenn, the chief bankruptcy judge who is supervising the case and who ordered Cesius to reveal this data cache, cited prior legal decisions and insufficient evidence that disclosing customers’ data would put them in danger. The Court is hesitant to change the open and transparent bankruptcy process without a strong showing of real and not speculative risks, Judge Glenn wrote in a September court filing. “Sealing information such as that sought by the Debtors from public disclosure risks transforming the open and transparent bankruptcy process into something very different,” Judge Glenn wrote. Cesius reportedly attempted to keep much of this material from becoming public, according to court records. Users’ home addresses and email addresses were ultimately permitted to be redacted. One of the company’s arguments was that disclosing this private data would “lower” the list’s value at auction.

However, because of the blockchain’s inherent transparency, even partially redacted information may be pieced together to expose Cesius users’ other on-chain activity, as noted on Twitter by Henry de Valence, the founder of Web3 firm Penumbra Labs. It can also be argued that the court in this case has set extremely high criteria. Usually, businesses that file for bankruptcy must disclose a complete accounting of their assets, which Judge Glenn in this case believed to mean Cesius’ custody records dating back to July.

All of this has given rise to the standard platitudes frequently heard on Crypto Twitter, such as the risks of relying on centralized intermediaries, the necessity of good “op-sec” practices when using public chains, and the demand for laws and regulations tailored specifically to the crypto industry. There are already hints that there may be more than one Neeraj Agrawal in the world as people look through the list for names they recognize. So far, there has been at least one instance of unjustified public shaming, in which one bitcoiner falsely accused another of using Cesius.

More of this is to be anticipated now that a website has been built that makes the data publicly searchable by name. For simple schadenfreude, the website Cesiusnetworth.com ranks the exposed Cesius members according to how much money they lost. The veracity of the site itself appears to be questionable at best because it appears to be conflating various people and data. It’s ironic that Cesius hasn’t exactly been open and honest throughout the bankruptcy process and that its leaders withdrew millions of dollars from custody accounts while also deceiving the public before the services were frozen. After the company restructures, it is unclear if Cesius users will receive any payment. Their data might have been compromised without consequence.