BitcoinBlog.de – the blog for Bitcoin and other virtual currencies

Sensitive data stolen from over 6,000 Web3 users

Recently, there was a hack at the Berlin-based identity startup Fractal ID, resulting in the theft of data from over 6,000 customers. This is particularly unfortunate, as Fractal ID offers an exciting product for decentralized finance.

On July 14th of this year, there must have been quite a commotion at Fractal ID’s Berlin office. At 7 o’clock in the morning, the systems raised alarms due to unusual activity detected on a server. Shortly thereafter, it was confirmed that an attack had taken place. The engineers shut down the subsystem to minimize the damage.

However, for 6,300 users, about 0.5 percent of all Fractal ID customers, it was already too late. The hackers had stolen sensitive data. What exactly was stolen varies by user. In the best case, only names, wallet addresses, and email addresses were compromised; in the worst case, the entire set of personal data, including postal addresses and ID scans, was taken. A nightmare scenario.

The incident appears to be a consequence of a hack from September 2022, when an "operator" – a customer or service provider of Fractal ID – was infected with malware circulating at that time. The malware captured a password, and the operator did not change it despite being aware of the incident. Using this password, the attacker recently gained access to internal systems with admin privileges and stole personal data.

Fractal ID has now implemented new security measures, such as more robust login systems and stricter IP controls. Nonetheless, the incident is undoubtedly a significant setback for the startup. As they themselves acknowledge, this is "truly painful for the affected users" and "also painful for us, as we have a duty to protect the users' data."

Decentralized Identity for Decentralized Ecosystems

The Berlin-based startup operates as an identity service provider straddling the old web and the blockchain-based Web3. It offers software that allows users to verify their identity directly or enables companies such as exchanges or banks to outsource identity verification. Unlike other providers, Fractal ID links one’s identity with the Web3 of blockchains.

Users can link their identity to a wallet address. Decentralized applications (Dapps), such as decentralized exchanges, can then query Fractal ID’s database via API for a wallet address. Alternatively, smart contracts can connect with the DID-Registry to access lists of verified wallet addresses.

Those who see the strength of cryptocurrencies primarily in user anonymity or pseudonymity may vehemently reject such identity solutions. However, there are some applications where such solutions are inevitable; it’s not about whether they will be used, but about how severe the impact will be.

For instance, airdrops that distribute coins, DAOs where users vote, or social Dapps like Common Ground have an interest in not being overrun by sock puppets, bots, and AIs. "Proof of Personhood" allows Dapps to verify whether a user is a unique individual.

Decentralized exchanges that permit trading with so-called "Real World Assets" – such as government bonds, stocks, or other securities – require complete verification proof. These exchanges can check with Fractal ID whether a wallet logging in is verified.

Not Perfect, but Significant Progress

In both cases, the Dapp does not access any private data. It only learns that Fractal ID has verified the user and that Fractal ID, depending on the verification level, holds the underlying data should it ever be needed.

Why should a decentralized exchange know who a user is if the police or tax authorities can determine the identity if necessary? And why should a Dapp perform an exhaustive identity check to exclude interaction with a bot if a simple "Proof of Personhood" suffices?

Certainly, Fractal ID is not perfect. But it is a significant advancement compared to traditional identity procedures where private data, photos, ID scans, names, addresses, and so on, are stored not only on one but on numerous servers because each exchange and service provider collects them independently.

Above all, Fractal ID appears to be one of the first Web3 identity service providers to achieve a reasonably significant market penetration. The startup collaborates with blockchain ecosystems like Polygon, Avalanche, Ripple, Near, and Manta, as well as with Dapps, like Polytrade, a decentralized exchange for Real World Assets, or Common Ground, a token-based chat app similar to Discord or Slack. It would be unfortunate if the hack nullified these achievements.
