Product · April 16, 2026 · 8 min read

Why Your Crypto Tracker Knows Too Much About You

CoinStats lost $2.2M from hosted wallets. Coinbase leaked 69,000 users' personal data. Your portfolio tracker doesn't need private keys, withdrawal access, or your real name. Here's what it actually needs.

[Image: comparison of what most crypto trackers ask for versus what they actually need]

Most crypto portfolio trackers ask for more information than they need. Some want your full name and government ID before you can see your own portfolio. Others generate wallets on your behalf and store the private keys on their infrastructure. And a surprising number ask for exchange API keys with withdrawal permissions attached, even though a portfolio tracker has no reason to move your money.

That data becomes a liability the moment it exists in someone else's database.

The Track Record Speaks for Itself

In June 2024, CoinStats was breached by a group later attributed to North Korea's Lazarus Group. An employee was socially engineered into downloading malicious software, which gave the attackers access to CoinStats' AWS infrastructure and third-party services. Through a combination of intrusions across multiple services, they accessed private keys for exactly 1,590 wallets that CoinStats had generated on behalf of users. $2.2 million was stolen directly from those wallets. Externally connected wallets were not affected. Only the wallets CoinStats created and held keys for were drained.

CoinStats did not need to hold private keys to function as a portfolio tracker. But they offered a hosted wallet feature. That feature required private key infrastructure to exist somewhere accessible, and that infrastructure got compromised. Users who never asked for a wallet feature paid the price for one.

Eight months later, in February 2025, Bybit lost $1.5 billion in ETH when attackers compromised a developer machine at Safe Wallet, the third-party multisig service Bybit used for cold wallet transactions. The attackers injected malicious JavaScript into the transaction signing interface, making fraudulent transfers look legitimate to the human signers approving them. The FBI attributed the attack to North Korea's Lazarus Group. Bybit is not a portfolio tracker. But the principle is the same: any third party that holds signing capability over your assets is a target, and a breach there is a breach of your funds.

Then in May 2025, Coinbase disclosed that overseas customer support agents had been bribed to copy customer data from internal support tools. Names, dates of birth, addresses, email addresses, masked Social Security numbers, masked bank account numbers, and government ID images for 69,461 users were stolen. The attackers used that data to impersonate Coinbase support and trick users into transferring funds. Coinbase estimated the cost at $180 million to $400 million in remediation and voluntary customer reimbursements, according to their SEC 8-K filing. All of it was personal information that Coinbase collected as part of its regulatory KYC requirements.

In 2025, the crypto industry lost over $3.4 billion to theft, according to Chainalysis, with the Bybit attack alone accounting for nearly half of it.

What a Portfolio Tracker Actually Needs

A portfolio tracker needs to see your transaction history and current balances. That is it.

Exchange connections work through read-only API keys. The tracker pulls your trade history and balances. It cannot place trades, withdraw funds, or access personal information. If an attacker stole every read-only API key in a tracker's database, they could see balances. They could not touch a single dollar.

On-chain wallets are even simpler. Every transaction on Ethereum, Avalanche, Solana, and other public blockchains is already visible to anyone with the wallet address. The tracker reads public blockchain data and classifies your transactions. There is nothing to “connect” in the traditional sense. No authentication token, no private key, no signing permission needed.

A portfolio tracker does not need to generate wallets for you or store private keys. It does not need withdrawal permissions on your exchange account. And it certainly does not need your name, address, or government ID to show you what your crypto is worth. For a breakdown of what separates a real portfolio tracker from a balance aggregator, see our guide to choosing a crypto portfolio tracker. For more on what a tracker needs to connect to give you accurate numbers across exchanges, wallets, and chains, see our tracking guide.

If your tracker asks for any of these, ask yourself why.

How Cryptofolio Is Built Differently

Cryptofolio does not have a wallet. There is no wallet feature to breach because the feature does not exist. We do not custody funds and we do not store private keys.

Exchange connections use read-only API keys. We can see your trades and balances. We cannot place orders, initiate withdrawals, or access any account settings. If our entire database were compromised tomorrow, an attacker would have read-only keys that can view data and nothing else.

On-chain tracking uses public wallet addresses. We read your transaction history from the blockchain, the same data anyone can see on Etherscan. No connection is required beyond your public address.

You can create a Cryptofolio account with just a crypto wallet. No name, no email, no phone number, no government ID. Pay for your subscription with crypto. There is no credit card on file, no billing address, no payment processor storing your financial details. If you want to sign up with email or a social account, that option exists. But it is not required. You can use the full product without ever providing a single piece of personally identifiable information.

We do not collect KYC data because we do not custody funds. There is no regulatory requirement for a read-only portfolio tracker to know who you are. For more on what Cryptofolio tracks and how it works, see our full product breakdown.

This is a deliberate architectural choice. Data you do not collect cannot be stolen. CoinStats did not lose $2.2 million because their tracking engine was flawed. They lost it because they built a wallet feature that required private key infrastructure to exist. Coinbase did not lose hundreds of millions because their exchange was insecure. They lost it because KYC data sitting in support tools became a target for bribery.

No private keys. No withdrawal access. No personal data required.

Cryptofolio uses read-only API keys and public wallet addresses. If our database were compromised, there would be nothing to steal that could touch your funds.


What to Check Before You Connect

Before you connect any wallet or exchange to a tracking app, look at what the app is asking for.

Check the API key permissions. If the app asks for withdrawal access, do not connect. A tracker never needs to move your money. Most exchanges let you create API keys with granular permissions. Select read-only and nothing else. For context on how API connections work and how trackers handle exchange data, see our guide to tracking crypto across multiple wallets.

Look at whether the app generates or hosts wallets. If it does, that means private key infrastructure exists somewhere in its stack. That infrastructure is a target whether or not you personally use the wallet feature. The CoinStats breach affected only hosted wallets, but it forced the entire platform offline for over a week while CoinStats rebuilt its production environment from scratch.

Consider what personal data the app requires. If a portfolio tracker collects your name, address, and government ID, that data sits in a database that can be breached, leaked, or accessed by an employee who gets the right offer. The Coinbase incident proved that even internal support agents can be bought. A portfolio tracker that collects your identity carries the same data liability as a financial institution without necessarily having the same security budget.
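The first item on that checklist, refusing any exchange key that is not strictly read-only, is something a tracker can enforce at connect time rather than leaving to the user. The example below is added here and is not Cryptofolio's code: it assumes two constructed permission-descriptor shapes (a scope list and a dict of boolean flags, with made-up field names rather than any real exchange's key-info API), normalises them to a common set of rights, and fails closed on anything beyond read access.

```python
"""Pre-connect API key check modelling the checklist above. Added example, not
Cryptofolio's code; descriptor shapes and field names are constructed assumptions."""

NEEDED = {"read"}                                   # all a tracker needs
FORBIDDEN = {"trade", "withdraw", "transfer"}       # lets a stolen key move funds

# Constructed vocabularies: scope-list style and boolean-flag style -> common right.
SCOPE_WORDS = {"read_balances": "read", "read_trades": "read", "trade": "trade",
               "withdraw": "withdraw", "transfer": "transfer"}
FLAG_WORDS = {"can_read": "read", "can_trade": "trade", "can_withdraw": "withdraw"}

def normalise(descriptor: dict) -> tuple[set, set]:
    """Return (recognised rights, unrecognised tokens) for either descriptor shape."""
    rights, unknown = set(), set()
    if "permissions" in descriptor:                 # scope-list style
        tokens = descriptor["permissions"]
        vocab = SCOPE_WORDS
    else:                                           # boolean-flag style: keep enabled flags
        tokens = [flag for flag, on in descriptor.items() if on]
        vocab = FLAG_WORDS
    for t in tokens:
        (rights if t in vocab else unknown).add(vocab.get(t, t))
    return rights, unknown

def check_api_key(descriptor: dict) -> tuple[bool, str]:
    """Accept a key only if its rights are exactly read access; fail closed otherwise."""
    rights, unknown = normalise(descriptor)
    bad = sorted(rights & FORBIDDEN)
    if bad:
        return False, f"grants {', '.join(bad)}; a tracker never needs this"
    if unknown:  # a scope we cannot classify may be broader than read access
        return False, f"unrecognised permission(s): {', '.join(sorted(unknown))}"
    if rights != NEEDED:
        return False, "key cannot read balances and history"
    return True, "read-only"

# Constructed sample descriptors a user might paste into a tracker.
SAMPLES = {
    "scopes_ok": {"permissions": ["read_balances", "read_trades"]},
    "scopes_withdraw": {"permissions": ["read_balances", "withdraw"]},
    "flags_ok": {"can_read": True, "can_trade": False, "can_withdraw": False},
    "flags_trade": {"can_read": True, "can_trade": True, "can_withdraw": False},
    "flags_unknown": {"can_read": True, "can_margin": True},
}

if __name__ == "__main__":
    for name, desc in SAMPLES.items():
        ok, why = check_api_key(desc)
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Only the two "ok" samples are accepted; a key with withdrawal or trade rights, or with a scope the tracker cannot classify, is rejected before it is ever stored.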

The Bottom Line

The safest crypto app is the one that has nothing worth stealing. If a tracker holds no private keys, an attacker who breaches it cannot drain wallets. If it collects no personal data, there is nothing to use for impersonation or social engineering. If it only has read-only access to data that is already public on the blockchain, a breach is an inconvenience, not a catastrophe. That is how Cryptofolio is built.

The protocols you use in DeFi introduce a separate category of risk. When a protocol is exploited or paused, your tracker may continue showing the pre-hack balance while your tokens are frozen or gone. For more on DeFi protocol exploit risks and what to check when a protocol you use is compromised, see our DeFi hack guide.

Disclaimer: This article is for informational purposes only and does not constitute legal, tax, financial, or investment advice. Cryptocurrency tax rules are complex, depend on your specific situation, and are subject to frequent regulatory changes. While we strive to keep our content accurate and up to date, information in this article may become outdated as policies evolve. Consult a qualified professional for advice on your individual circumstances.