How the Search for the Ethereum Attacker Revealed ShapeShift’s Privacy Policy
While tracking the trail of the DoS attacker, an Ethereum developer stumbled upon an address funded by the cryptocurrency exchange ShapeShift. The sequence of events that followed showed that the Panama-based exchange does a poor job of protecting its users’ privacy.
Sometimes the transparency of the blockchain can be spooky. Whenever you think you are private, you are better off assuming you are not. Even the attacker who plagued Ethereum with weeks of DoS attacks had to learn this lesson.
Starting in mid-September, an anonymous attacker launched a DoS attack on Ethereum. Exploiting EVM operations whose gas costs were set far too low for the resources they actually consumed, the attacker deployed contracts and transactions that ate up so much memory, CPU and disk I/O that nodes crashed or fell behind in synchronizing with the network. After weeks of back and forth, with developers closing attack vectors and the attacker finding new ones, a recently executed hard fork that repriced the abused operations eased the situation.
Ethereum Community Strikes Back
Now the Ethereum community is striking back: several developers have analyzed the mass of contracts and transactions the attacker created during the attacks and followed the trail he left on the chain. These analyses have produced several striking revelations.
Firstly, the research suggests a connection to the developers of Ethereum Classic, or even to the DAO hacker himself. “Some of the attacking accounts donated a few Classic ethers (ETC) to the Ethereum Classic development account,” consultant and developer Bok Khoo writes. According to the analysis, the account the attacker used for that donation is connected to the account the DAO hacker used to donate to the same fund. This supports the assumption that the attacker may be driven by a personal grudge against Ethereum.
Secondly, a trail of transactions led to EthPool and DwarfPool, indicating that the attacker had mined Ether earlier. As Bok Khoo points out, “EthPool requires IP address confirmation for change in account setting, and stores the miner’s IP address and would, therefore, have an association between the miner’s account and IP address.” On DwarfPool it is even possible to view the public profile of the attacker, who mined around 26 Ether in April this year at a hash rate of around 125 MH/s. DwarfPool confirmed that the attacker’s IP addresses are known.
Thirdly, another Ethereum developer continued the analysis of the attacker’s transactions and found an address that had been funded by a transaction from ShapeShift’s well-known contract on the Ethereum blockchain. Now the creepy part of the story begins: “I have been harassing the customer service of Shapeshift and obtained these two BTC tx used to fund some of the attacker’s addresses,” the developer wrote.
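The trail-following described in the three findings above is ordinary transaction-graph analysis: start at an address of interest, walk inbound transfers to find who funded it, walk outbound transfers to find where the money went, and stop as soon as a hop lands on an address whose owner keeps identifying records (an exchange payout contract, a mining-pool payout address, a public donation fund). The block below is an added example written for this page, not the analysts’ own tooling or ShapeShift’s code. Every address, label and transaction hash in it is a constructed placeholder, and the ledger is a hand-made toy rather than real Ethereum data; the shape of the analysis is what it demonstrates.

```python
"""Breadth-first counterparty trace over a small transaction graph.

Added example for this article. The ledger, address labels and tx hashes
below are constructed placeholders, not real on-chain data.
"""
from collections import deque

# Constructed sample ledger: (tx_hash, sender, recipient, value_in_ether).
# Two funding chains converge on 0xATTACK_1: one comes from a mining-pool
# payout via an intermediate account, the other from an exchange contract.
# 0xATTACK_2 later donates a small amount to a public project fund.
SAMPLE_TRANSFERS = [
    ("tx01", "0xPOOL_PAYOUT", "0xMINER_A", 26.0),
    ("tx02", "0xMINER_A", "0xHOP_1", 25.9),
    ("tx03", "0xHOP_1", "0xATTACK_1", 10.0),
    ("tx04", "0xEXCHANGE_CONTRACT", "0xHOP_2", 5.0),
    ("tx05", "0xHOP_2", "0xATTACK_1", 4.9),
    ("tx06", "0xATTACK_1", "0xATTACK_2", 3.0),
    ("tx07", "0xATTACK_2", "0xDEV_FUND", 0.1),
    ("tx08", "0xUNRELATED", "0xOTHER", 1.0),
]

# Constructed labels for addresses whose operators can tie an address to
# off-chain identity data (IP logs, deposit records, ...). Hypothetical.
KNOWN_ENTITIES = {
    "0xEXCHANGE_CONTRACT": "exchange (keeps deposit/payout records)",
    "0xPOOL_PAYOUT": "mining pool (logs miner IP addresses)",
    "0xDEV_FUND": "project donation address (publicly known)",
}


def build_index(transfers, direction):
    """Index transfers by the address we expand from.

    direction="incoming": recipient -> [(tx_hash, sender, value)]
    direction="outgoing": sender    -> [(tx_hash, recipient, value)]
    """
    index = {}
    for tx_hash, sender, recipient, value in transfers:
        if direction == "incoming":
            index.setdefault(recipient, []).append((tx_hash, sender, value))
        elif direction == "outgoing":
            index.setdefault(sender, []).append((tx_hash, recipient, value))
        else:
            raise ValueError("direction must be 'incoming' or 'outgoing'")
    return index


def trace_counterparties(start, transfers, known, direction="incoming", max_hops=6):
    """Walk the graph from `start` and report known entities reached.

    Breadth-first search, so the first time a known address is reached
    is also the shortest route to it. Returns a dict
    {known_address: (label, hops, [tx hashes in traversal order from start])}.
    Backward ("incoming") answers "who funded this address?"; forward
    ("outgoing") answers "where did the money go?".
    """
    index = build_index(transfers, direction)
    found = {}
    visited = {start}
    queue = deque([(start, 0, [])])
    while queue:
        addr, hops, path = queue.popleft()
        if hops >= max_hops:
            continue  # bound the walk; long chains quickly turn into noise
        for tx_hash, counterparty, _value in index.get(addr, []):
            new_path = path + [tx_hash]
            if counterparty in known and counterparty not in found:
                found[counterparty] = (known[counterparty], hops + 1, new_path)
            if counterparty not in visited:
                visited.add(counterparty)
                queue.append((counterparty, hops + 1, new_path))
    return found


if __name__ == "__main__":
    # Who funded the second attack address, and through which transactions?
    for addr, (label, hops, path) in trace_counterparties(
        "0xATTACK_2", SAMPLE_TRANSFERS, KNOWN_ENTITIES
    ).items():
        print(f"funded by {addr} [{label}] {hops} hops back via {' <- '.join(path)}")
    # Where did the first attack address send funds?
    for addr, (label, hops, path) in trace_counterparties(
        "0xATTACK_1", SAMPLE_TRANSFERS, KNOWN_ENTITIES, direction="outgoing"
    ).items():
        print(f"paid {addr} [{label}] {hops} hops forward via {' -> '.join(path)}")
```

The point the article makes follows directly from the output: a single hop onto an exchange or pool address is enough, because those operators hold the off-chain records the chain itself lacks. Intermediate “hop” accounts add nothing unless every party along the path refuses to answer questions.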
Wait. You can “harass” ShapeShift’s customer service and get the addresses of a trade? Really?
ShapeShift’s Privacy Policy Revealed
If you ever thought that exchanging coins via ShapeShift would increase your privacy, you were wrong. This is especially embarrassing because the Panama-based cryptocurrency exchange prides itself on strongly respecting its customers’ privacy.
ShapeShift was among the few companies that launched the website pleaseprotectconsumers.org in response to New York’s infamous BitLicense in 2015. New York customers of the exchange were redirected to the website, where they could read forceful declarations of commitment to privacy:
“We believe it is reckless and ethically impermissible to extract personal, private information from our users if it is not necessary for the service they are using… After all, the best way to protect consumers is to not collect and store their sensitive data in the first place.”
Erik Voorhees, the CEO of ShapeShift, used the opportunity to place himself at the forefront of the resistance against privacy-violating regulation: “It’s a moral and ethical stand we’re going to take,” he told CNBC, and promised, “We’re not going to spy on thousands of people.”
Learning that ShapeShift does not treat cryptocurrency addresses as private information, but hands them out on request, came as a shock to the Bitcoin community and triggered an outcry on social media.
A representative of the exchange explained that this was nothing new: the practice has been in place for a long time and reflects the two-sided policy of the exchange. On the one hand, ShapeShift “requests as little information as possible in order to enable blockchain asset exchange.” To exchange cryptocurrencies with ShapeShift you do not need to provide any personal data such as your name, your location or your email address. You simply send funds to a specific address, which serves as both the order and the receipt.
On the other hand, the representative explained, “all the information we do have, as a platform, we make transparent. We do not obscure any information.” Using ShapeShift as a mixer would be “a horrible idea.” The exchange “will always cooperate with reasonable requests for information,” whether they come from law enforcement agencies or from private parties. In practice, this means that the deposit and payout addresses of a trade, and the link between them, are exactly the kind of data the exchange is willing to share.
ShapeShift’s data-sharing practice was the first discovery in the quest to find the Ethereum attacker and expose him publicly. Whether the research will result in legal action against the attacker remains open at the time of writing. As Bok Khoo suggests, you could even set up a market on that outcome on prediction platforms like Augur or Gnosis and place your bets.