Crypto Startup Arkham Has Apparently Been Doxxing Users for Months
The company had already angered the crypto community Monday with a service that unmasks anonymous crypto users. Then came allegations it used an easy-to-decipher method for hiding customers’ email addresses.
Jul 10, 2023 at 8:59 p.m. UTC
/arc-photo-coindesk/arc2-prod/public/LXF2COBSKBCNHNRE3WTK2BZ7GE.png)
Crypto data firm Arkham Intelligence stirred controversy Monday by announcing a new service aimed at unmasking the owners of digital wallets, angering privacy-focused crypto advocates.
It turns out Arkham has already been leaking its own customers’ private information, a revelation that also seems to have emerged Monday, putting a spotlight on Arkham’s own approach to user privacy just as it was rolling out a service meant to unmask crypto wallet owners on a massive scale.
The issue stems from the way Arkham set up its weblink referral program. Users of Arkham’s wallet tracking dashboard can invite others onto the platform by sharing their unique referral URL. Those URLs appear to end with a meaningless jumble of characters. In reality, they’re an easy-to-decipher version of the user’s email address written in Base64, which is trivial to decode.
Arkham did not reply to a request for comment.
Arkham Intelligence builds a popular service for tracking crypto transactions and identifying the owners of crypto wallets. It’s hardly the only wallet labeling service, but on Monday Arkham unveiled the “Intel Exchange,” a marketplace for placing bounties on the identity of anonymous crypto wallets.
While wallet labeling services such as Nansen and Chainalysis have long rankled privacy-focused corners of the crypto universe, Arkham’s plans for a bounty-focused marketplace hit a particular chord.
Regarding the separate issue with referrals, anyone who shared their Arkham link may have inadvertently put their anonymity (or at least their email address) at risk. The pseudonymous m4gicpotato, a contributor to the privacy blockchain Beam, posted about the issue on Twitter on Monday, where it quickly went viral. M4gicpotato described themselves as a privacy advocate who has worked in crypto under various names since 2017.
:format(webp)/cloudfront-us-east-1.images.arcpublishing.com/coindesk/Y3UBQXHRWVA2PCEPXSFZZ4B2UM.png)
“As a staunch privacy advocate, I believe these tools infringe upon user privacy,” m4gicpotato said in a Telegram interview with CoinDesk. They said they started looking into Arkham after Binance announced it would host the public sale of ARKM, which Arkham described as an intel-to-earn token.
“I was quite taken aback when Binance and [CEO Changpeng Zhao] chose to endorse Arkham, especially so soon after the global delisting of Beam and other privacy coins in the EU,” m4gicpotato said.
The choice to encode user emails in Base64 “just added another layer of incredulity to the situation,” m4gicpotato added.
It’s unclear how many users could be affected by the setup. In theory, anyone who generated a referral link and shared it sent their email address into the ether. Some users have shared their links on Twitter.
But the setup has been this way since at least December. Back then, Arkham’s Twitter account shared a referral code for the private beta. The code’s URL includes the Base64 version of the CEO’s email address.
:format(webp)/s3.amazonaws.com/arc-authors/coindesk/fa5ce9a3-9c4d-4ed4-bb04-c7af51bf1a0d.jpg)
Danny is CoinDesk's Managing Editor for Data & Tokens. He owns BTC, ETH and SOL.