The last week has been a PR nightmare for Coinbase. Not only has it come under fire for buying Neutrino, a company whose founding members had been involved in selling spyware to oppressive governments, the company’s director of sales has just admitted that Coinbase’s previous providers had been selling “client data.”

So far, Coinbase has not officially commented on the subject, despite its sales chief, Christine Sandler telling Cheddar TV that some of its partners had been doing exactly that. One of those providers was blockchain analytics company Elliptic, whose CEO, Dr. James Smith said in a public statement, that it had not been selling ‘identifiable’ customer data.

“Our exchange clients, including Coinbase, do not provide us with any personally identifiable information about their users,” Smith said, adding, “We do not require or request any transaction data that we can link to individuals, and do not have any other client information such as names, addresses or social security numbers.”

So, what information does Elliptic receive? According to Smith, details on transaction hashes—long strings of numbers and letters that specify a blockchain-based transaction—and customer IDs. The customer ID data, says Smith contains no identifying information, but it can be used to connect multiple transactions to the same person. This is data is chiefly used to identify suspicious actors, and is one of the main techniques used to prevent financial crime.

Elliptic used this type of data to trace funds that were stolen from the Bithumb exchange in June 2018 and identified that they went to a Russian crypto exchange. Binance has been known to use a similar technique.

Considering the value of blockchain data, it’s not hard to see why Coinbase wanted to bring such a service in-house by acquiring Neutrino. But, as we’ve reported previously, buying a company with an executive board known for selling spyware might not have been the best salve for a company that was selling data to the highest bidder.