#22 Crypto cards will get you robbed
How paying for a coffee can reveal your entire investment history
Not many people know that it is actually trivial to dox anyone using a self-custodial crypto payments card, such as Gnosis Pay.
Note: I’m using GnosisPay as an example here because it’s one of the more well-known self-custodial crypto debit cards.
I explained in detail how the GnosisPay card works in my previous article, but the TLDR of the user flow is that:
User sends 100 GBPe from their Metamask to their Safe wallet
User taps their GnosisPay card at Starbucks for a £3 coffee
Then, 3 GBPe is automatically transferred from their Safe wallet to GnosisPay’s address (0x4822521e6135cd2599199c83ea35179229a172ee)
This means that you can see every single “tap” on every GnosisPay card.
And more scarily, if you see someone using a GnosisPay card in front of you at Starbucks, you can work out their entire spending history and potentially investment history just by knowing either the exact time of the tx or the exact amount paid.
How to dox all GnosisPay users
To get my data source, I looked up the GnosisPay payments address on GnosisScan and downloaded the tx data as a CSV. This shows me every single tx: the time, amount, source address and EUR/GBP amounts.
Here I show the top 10 spenders on GnosisPay. As an example, I will pick on the #3 top spender, Safe address “0x3b” who has spent ~€23K over the past 3 months.
Slapping this address onto your preferred blockchain stalking tool (I prefer Zerion), you can see every single time this person has tapped their GnosisPay card, both the exact second (just look at the CSV) and the amount.
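To quantify the exposure described above, here is an added example (my own code, not from the original post or from GnosisPay). It takes a transfer log in the shape of an explorer CSV export and reports, for each tap, how many distinct payer addresses an observer who knows only the amount, or the amount plus an approximate time, could narrow it down to. The column names and rows are constructed sample data, not the real export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of transfers into a card settlement address.
# Columns are an assumption about what an explorer export carries:
# timestamp (UTC), payer address (the user's Safe), token amount.
SAMPLE_CSV = """timestamp,from,amount
2024-03-01 08:01:12,0xaaa1,3.00
2024-03-01 08:03:45,0xbbb2,3.00
2024-03-01 08:40:10,0xccc3,12.37
2024-03-01 12:15:00,0xaaa1,9.99
2024-03-01 12:16:30,0xddd4,9.99
2024-03-02 07:58:02,0xeee5,3.00
2024-03-02 18:20:44,0xccc3,47.15
"""


def load_transfers(text):
    """Parse the CSV into rows with a datetime, payer address and 2-dp amount."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "from": r["from"],
            "amount": round(float(r["amount"]), 2),
        })
    return rows


def anonymity_set(rows, amount, at=None, window=timedelta(minutes=5)):
    """Distinct payers matching the observed amount (and, if given, a time
    within +/- window). A result of 1 means the tap pins down one address."""
    payers = set()
    for r in rows:
        if r["amount"] != round(amount, 2):
            continue
        if at is not None and abs(r["ts"] - at) > window:
            continue
        payers.add(r["from"])
    return len(payers)


def linkability_report(rows, window=timedelta(minutes=5)):
    """Count transfers that a single observed amount, or amount plus
    approximate time, uniquely links to one payer address."""
    by_amount = sum(1 for r in rows if anonymity_set(rows, r["amount"]) == 1)
    by_amount_time = sum(
        1 for r in rows if anonymity_set(rows, r["amount"], r["ts"], window) == 1
    )
    return {"transfers": len(rows), "unique_by_amount": by_amount,
            "unique_by_amount_and_time": by_amount_time}
```

On the constructed sample, 2 of 7 taps are already unique by amount alone, and 3 of 7 once a five-minute time window is added; on a real log with odd-cent amounts the fraction is far higher.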
This isn’t even that bad.
You can then find out what this person used to fund their wallet, which is typically an EOA, aka a “metamask account”.
In this case, I found that user “0x3b” funds his account through this “0x17” EOA. He sent a €10 test tx before sending the full amount, €6,354.
Looking at “0x17”, it only has ~$300 of assets. Phew, he has good operational security. Privacy prevails!
But wait a minute… looking at tx history from last year, it seems like he always funds this wallet from another EOA “0x16” which holds ~$340K worth of crypto and an ENS…
And voila, now I can see his entire “investment” history all the way back to October 2021. And I know every single $DEGEN and $FRIEND trade he’s made and every single protocol he’s interacted with.
The thing is, this didn’t even take much effort. 15 minutes tops. He could be a millionaire and this is just a small shitcoin wallet, but if I were to pull a zachxbt I could probably find out this person’s real identity and first pet’s name.
I chose this example because he still remains pseudonymous. There was another address I chose which was attached to an ENS, which gave me the person’s Twitter, LinkedIn (real name), location (Spain), where he works, etc.
I did another exercise with a VC friend who told me he bought a coffee in the morning on a certain day with his card. I could trace his tx even though he didn’t tell me the exact amount or time, and even managed to dox his main wallet!
So what do we take away from this?
Takeaway one: Have better operational security.
You should fund a fresh new EOA either through an international CEX such as Binance or through Monerium (the EURe/GBPe issuer), then send the EURe / GBPe to your Safe on Gnosis chain. GnosisPay also has “IBAN integration” on its roadmap so you can do it directly.
There are actually a few GnosisPay funder addresses I looked up which were clean and only funded with ETH and USDT through MEXC. In this case, I could only see the person’s full GnosisPay tx history (which is also pretty bad), but not their entire investment history or figure out their identity.
Takeaway two: GnosisPay should make the dangers of using a non-custodial crypto card extremely clear to their users. GnosisPay users are susceptible to a targeted $5 wrench attack, at least until GnosisPay transitions to a private L2.
Takeaway three: You need to run self-custodial payments on a blockchain with built-in privacy.
To their credit, GnosisPay announced in July last year that they will be transitioning to the GnosisPay zkEVM L2 based on Polygon zkEVM which will allow for private transactions.
Note that there are also other live solutions such as Railgun, zkBOB and Payy.link (a payments app on their ZK-based L2). Also, given that GnosisPay users are already KYC’d, you could in theory make a compliant privacy pool out of them. So there are many potential solutions out there.
I remain bullish on crypto payments, especially cross-border payments where money is exchanged across multiple Real Time Gross Settlement (“RTGS”) systems. This is an area I’m seeing many people building in, and I think will become one of the very few cash-generating crypto businesses that create real world value.
Shout out to @GoldenbergLior and @0xSkyMine for the idea!