In brief
- We analyzed 133,000 Ethereum names and their respective balances.
- We found it was possible to identify several high-profile people, even if they weren’t using their real names.
- We were able to see business deals and watch people’s movements, just using the blockchain.
The Ethereum Name Service was designed to make sending and receiving crypto easier. You take your Ethereum (ETH) address—an alphanumeric string of characters, which shows how much ETH you have in your account—and replace it with a simple name. Much like how email addresses replaced clunky pieces of code, it was supposed to make crypto simpler.
But Decrypt has learned that this step forward in user design, has meant several steps backward when it comes to privacy. Since the Ethereum blockchain is transparent, anyone can use your Ethereum name to peer at your finances. It's the difference between sending someone an email and them being able to look at your entire inbox.
In our investigation we found it possible to work out where people would be in the future, see insights into business deals and know just how much money people really have—all by observing public blockchain data.
What is the Ethereum Name Service?
Lead developer Nick Johnson set up the Ethereum Name Service (ENS) in May 2017. Ethereum names look like domain names: “decrypt.eth.” Anyone can use an Ethereum address to register a name, or multiple names. They can then assign any of the names to other addresses they own, or sell them. All a user needs is a pre-existing Ethereum address to make the purchase.
Johnson told Decrypt Ethereum fans have spent 6,235 ETH ($1.7 million) so far, just buying up Ethereum names. But even if they assign the Ethereum name to one of their accounts that only has a handful of crypto in it, the address they used to register the name is available too. And this allows snoopers to see how much money was stored in those accounts.
Inside the 15,000 unique addresses that have bought the 133,000 Ethereum names, there is a combined total of 364,000 ETH ($100 million)—and thousands, if not millions, of dollars of Ethereum-based tokens too. So we decided to see how much we could glean just from these crumbs of information. Turns out it's quite a lot.
We reached out to everybody we looked into and have included any replies received.
Identifying high-net-worth individuals
While the richest Ethereum addresses tend to be attached to pseudonymous names—hiding the owner's real identity—not all of them are. And even the most abstract names aren't always foolproof.
Let’s start with a challenge. The Ethereum name “neutral.eth” is connected to an address that’s empty of Ethereum, and contains just $0.08 in OmiseGo tokens. There are no other names associated with the address and it has made just four transactions, ever. Not much to go on.
But the address that registered the name tells a different story. It contains 58,000 Ethereum, worth $15 million, and an extra $2.5 million in tokens. What’s interesting about this address is that it regularly received large payments from crypto exchange Poloniex’s main wallet (while most payments are typically handed out using its secondary wallets). These payments stopped the same day that Circle—which owned the exchange at the time—scrapped trading fees, suggesting it’s a company wallet. This may also explain why the name is so understated.
The third biggest address owns: “consensys.eth,” “weifund.eth,” and “metamask.eth.” It contains 31,600 ETH, worth $8 million. Could this be our very own financier, Ethereum billionaire Joe Lubin who owns ConsenSys, which funds an editorially independent Decrypt and was the incubator for none other than MetaMask and Weifund? It just might be.
Sometimes it’s surprisingly easy to identify an Ethereum name. Take “silberjunge.eth.” While the address linked to it contains just $17 of Ethereum, the address used to register it contains a hefty 1,163 ETH, worth $255,000, alongside a further $121,000 of Ethereum-based tokens.
A quick Google search reveals that “silberjunge” is simply a pseudonym for Thorsten Schulte, a well-known silver and gold expert, bestselling author and former investment banker. He even used the pseudonym as his Twitter handle. He’s also spoken about Bitcoin and other cryptocurrencies, including a 20 minute interview with Hamburg-based Grosse Freiheit TV on the subject. It’s possible the Ethereum name isn’t his, but it sure looks likely.
The issue here is that Ethereum names make it trivially easy for criminals to create a list of people that have the most amount of Ethereum and likely have a crypto wallet—such as a Ledger Nano—sitting in their bedroom at home. Not because Ethereum names themselves are a bad idea, but because Ethereum is too open.
“It's well known that public ledgers like Bitcoin and Ethereum lack privacy, and that as a result it's easy to track transactions made on these public blockchains,” Johnson told Decrypt, adding, “ENS makes it easier to exchange addresses for Ethereum and other cryptocurrencies, which makes them more generally useful to everyone. It doesn't attempt to address the privacy issues inherent in public ledgers.
“Ongoing research into privacy in distributed ledgers has led to breakthroughs such as ZCash and Tornado Cash. We strongly recommend people take care with what activities they expose on public ledgers, and take advantage of these solutions where appropriate,” he said.
Watching business deals in real-time
This level of oversight also makes it possible to see what people are doing with their money.
SpankChain CEO Ameen Soleimani owns both “ameen.eth” and “ameensol.eth.” Looking at the blockchain, you can see a transaction he made for 10 ETH on November 30, 2019, worth $1,540 at the time. It seems likely that it was sent to James Kim, CEO at Global Block Branding, who sells domain names for a living—and claims to own 20,000 crypto domain names. It's possible he was either buying Ethereum names or some crypto-related domain names.
(Update: It turned out that this analysis was incorrect. MetaCartel operator Peter Pan tweeted that, in fact, he owned the domain name for "jameskim.eth," and Soleimani sent him the money.)
“I know the risks of using public ENS names,” Soleimani said, adding, “That's why we're all so excited about privacy technology like Tornado Cash so we can create fresh Ethereum accounts without a direct link to previous accounts, without having to go through an exchange.”
Another example is Jordan Muir, creator of Frame, who owns multiple Ethereum names, including “jordan.eth,” “framehq.eth,” and “smartaccounts.eth.” In these accounts he owns a total of $106,000 in ETH and various tokens. Back in May 2018, Aragon announced it had given a grant of $48,000 to Frame. It added that the project could receive a bonus of up to $50,000 if certain deliverables were met.
It appears that they were, although no further announcement was made. Just three days after Frame released an alpha mainnet version on April 1, 25,000 Aragon tokens, worth $17,000, were sent from Aragon’s main wallet to Muir’s account, implying that releasing the mainnet was one of the deliverables. While this isn’t particularly secretive, it does provide some extra insight into the project than was publicly available.
It’s possible to see people’s salaries too, when they’re paid in Ethereum, or in token form. For example, Jack Cheng, “chief evangelist” at Breaker—formerly SingularityDTV—who owns “jackcheng.eth” and “ethoutlet.eth,” received payments in SNGLS, its native token.
Cheng was paid 33,055 tokens, worth $4,600, in August, 2017, and then one million SNGLS tokens, worth $15,000, in May 2019. Since the payments came directly from the main “SingularDTV: Wallet,” it is likely they were part of his salary. But watching how much people are getting paid is not all you can do.
Stalking someone on the blockchain
Ethereum names can be used to track people’s whereabouts.
Bobby Ong, co-founder of data site CoinGecko, owns the Ethereum name “bobbyong.eth.” Anyone watching the blockchain address linked to the name, would have known that Ong would be at Unshudo 7-2 Sugaharacho, Kita Ward, Osaka on October 7, 2019, attending the DAIsucki meetup—focused on the stablecoin DAI—17 days before the event even happened. And, two days after the event, they would have seen strong evidence that he did, in fact, attend.
The event in question was run by Kickback events, where you put down a deposit for the event and if you don’t turn up, your deposit gets shared between those who do—it’s designed to incentivize people to only sign up for events they plan on attending. While that might be effective, it also lets people observe attendees from the comfort of their own home.
In this case, Ong sent $10 of DAI to an address labelled on block explorer Etherscan as “Kickback: DAIsuki Meetup,” on September 20, 2019—indicating that he planned on attending the event the following month. Then, on October 9, he received the “kickback” of $19 in DAI, showing that not only did he turn up, but he was rewarded handsomely for doing so.
“In this case, I should have been more careful with my Ethereum address hygiene and segregated transactions that I wanted to make public from those that I wanted to keep private,” Ong told Decrypt, adding, “ENS provides convenience to users but it is up to the users to preserve their privacy. I hope that more privacy features will be built on Ethereum to improve privacy and security for users.”
Ethereum is privacy
Ethereum is money
Ethereum is cool games
Ethereum is IoT
Ethereum is a hedge on Bitcoin
Ethereum is a digital passportEthereum is smart contracts, payments, & a better internet.
Great minds build on great platforms, and that's what we're seeing.
— Omar Bham (Crypt0) (@crypt0snews) February 2, 2020
Ethereum’s selling points have always been that it offers control over your own data, identity, and privacy. Crypto YouTuber and Ethereum bull Omar Bham, who has 119,000 subscribers, even recently tweeted that “Ethereum is privacy”. But, if anything, the Ethereum Name Service opens a door into people's private lives that we've never seen before.
This article has been updated with a comment from Peter Pan.
The purpose of this article is to inform Ethereum users of the risks of combining their personal and financial data on a public blockchain. It is an argument for greater privacy on Ethereum, which teams like Aztec, EY, and JP Morgan are working on.
We would like to thank Alex Svanevik, cofounder of D5—The Data Science DAO—and TM Lee, co-founder of CoinGecko, who contributed to this article.
Tips
Have a news tip or inside information on a crypto, blockchain, or Web3 project? Email us at: tips@decrypt.co.