That excellent video is by an analyst who attempts to debunk the thesis that monero and coinjoin offer decent privacy. He claims they do not pass the “sniff test” because with a “little bit” of thought you can easily identify 3 ways to attack their privacy and identify: (1) what exchange a monero or coinjoin user got their coins from (the “overseer attack”, discussed at 11:24—12:15); (2) the owner of a static monero or coinjoin address to which coins are frequently sent (the “flashlight attack”, discussed at 12:15—14:02); (3) where a monero or coinjoin user makes repeated purchases (the “tainted dust attack”, discussed at 14:15—16:00). The analysis relies heavily on analyzing “taint trees” and the human tendency to engage in repetitive behavior.
In the overseer attack, the analyst observes that monero and coinjoin both try to obscure the origin and destination of coins by hiding them in a set of possible decoys. E.g. if 30 senders are in your coinjoin, and you’re only one of them, it’s hard to identify – for a single transaction – which one was you. But he observes that the following repetitive behavior leaks data: if, every week, you buy your coins from coinbase, coinjoin them, and send some of them to bitrefill, bitrefill can see the coinjoins you were in, and they can see that in all of them, at least one sender bought their coins from coinbase. Coinbase may be popular, but even if 1 in 10 bitcoiners are coinbase customers (which is a very generous assumption), how likely is it that 20 randomly selected coinjoins would all have at least one sender who bought their coins from coinbase? Exceedingly unlikely. They must not be random; there must be a common thread: the same coinbase customer was in all of them. And since you are known to be in all of them (since you used them to send coins to bitrefill), the only plausible way you could be in the same coinjoin as that coinbase customer 20 times in a row is if you are that coinbase customer.
That’s the overseer attack and I don’t think it applies to me. I don’t buy my coins from coinbase, I received them from my customers. If I repeatedly send my coinjoined coins to bitrefill and they look at my taint trees, they are unlikely to see a common source for all of them unless everyone who paid me used coinbase. Even if they did, the taint trees would lead an investigator to coinbase, but not – then – straight to me. It would go from coinbase to all of my customers, who would then have to collude with the investigator to say they paid me. I don’t think it is likely that this kind of attack would be my downfall.
In the flashlight attack, the analyst seems to assume that people who receive money to a static coinjoin or monero address repeatedly sell those coins at an exchange that has their KYC info. He further assumes that exchange is compromised by a government, which observes the taint tree of every transaction you make sending money to that exchange, and identifies that – even if you coinjoined – your static address is a possible origin in each of your coinjoins. That is so unlikely to happen in 20 randomly selected coinjoins that it’s incriminating: the person who owned that static address was in each of those coinjoins. And since you were also in each of those coinjoins (since you sent money to the exchange in each of those coinjoins), the only plausible explanation for both facts is that you are the owner of that static address. Otherwise you would somehow randomly be in the same coinjoin as the real owner 20 times in a row – a statistically impossible phenomenon.
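The overseer and flashlight arguments above have the same shape: an incriminating feature (a coinbase-sourced co-sender, or one specific static address) shows up in every one of your coinjoins, and the question is how likely that is by chance. The block below is an added worked example, not code from the post or the video; it computes that chance under a simple independence model for both attacks and goes slightly beyond the text by also reporting how many repeated rounds it takes for the chance explanation to drop below a threshold. The base rate, sender count and round count are the figures quoted above; the population size used for the flashlight case is an assumed figure.

```python
import math


def overseer_per_round(base_rate: float, senders: int) -> float:
    """Overseer attack: chance that at least one of the OTHER senders in a
    coinjoin of `senders` participants bought from the same exchange as you.
    Each other sender is modelled as an independent customer with
    probability `base_rate`; you are already known to be in the round."""
    others = senders - 1
    return 1.0 - (1.0 - base_rate) ** others


def flashlight_per_round(senders: int, population: int) -> float:
    """Flashlight attack: chance that one specific other party (the owner of
    the static address) lands in your coinjoin by chance, modelling the other
    senders as drawn uniformly from `population` active coinjoin users
    (the population figure is an assumption, not from the post)."""
    return (senders - 1) / population


def chance_in_every_round(per_round: float, rounds: int) -> float:
    """Probability the feature appears in all `rounds` coinjoins by coincidence.
    Under the rival hypothesis (you ARE the coinbase customer / the owner)
    it appears with probability 1, so 1 / this value is the likelihood ratio."""
    return per_round ** rounds


def rounds_until_identifying(per_round: float, threshold: float) -> float:
    """Smallest number of repeated rounds after which the coincidence
    explanation drops below `threshold`; inf if the feature is always present."""
    if per_round >= 1.0:
        return math.inf
    if per_round <= 0.0:
        return 1
    return math.ceil(math.log(threshold) / math.log(per_round))


if __name__ == "__main__":
    # Figures quoted in the post: 1 in 10 bitcoiners on coinbase, 30 senders, 20 rounds.
    q = overseer_per_round(0.1, 30)
    print(f"overseer, p=0.1,  per round {q:.3f}, 20 rounds {chance_in_every_round(q, 20):.3f}")
    q = overseer_per_round(0.01, 30)
    print(f"overseer, p=0.01, per round {q:.3f}, 20 rounds {chance_in_every_round(q, 20):.2e}")
    # Flashlight: assumed population of 10,000 active coinjoin users.
    q = flashlight_per_round(30, 10_000)
    print(f"flashlight, per round {q:.4f}, 20 rounds {chance_in_every_round(q, 20):.2e}")
    print("rounds until coincidence < 1%:", rounds_until_identifying(overseer_per_round(0.1, 30), 0.01))
```

Running it shows that the strength of the inference is dominated by the per-round probability: a feature shared by many participants (a popular exchange) takes far more repetitions to become identifying than a feature tied to one party (a static address).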
I don’t think this applies to me because (1) I don’t use a static monero or coinjoin address and (2) I don’t repeatedly sell my coins at an exchange that has my KYC info. I invented the whisper address protocol so that I can have a static donation “page” without a static donation “address.” And instead of selling my coins at a KYC’d exchange, I use bisq and robosats. I think these protections allow me to escape the flashlight attack undetected.
In the tainted dust attack, the analyst deals with people who – like me – use a fresh address every time they receive. To deal with them, the attacker occasionally sends dust to your fresh addresses and then tries to watch where the dust goes. Even if you coinjoin it, if you repeatedly send money to bitrefill in those coinjoins (or subsequent ones), the attacker can observe that the dust has bitrefill as a possible destination in each of your taint trees. If that happens 20 times in a row, the only plausible explanation is that you repeatedly send money to bitrefill.
I think this one applies to me. Before I say why let me say this: I typically send my coinjoined money into a lightning channel on my own node, then to my various common trading partners, who are typically bitrefill, the bitcoin company, other users of robosats, and phoenix wallet (that – and not my own node – is what I typically use for “daily spending”). An attacker who “dusts” my non-static donation addresses can observe that after I do one or more coinjoins some of the money from each coinjoin almost always ends up in a lightning channel. That doesn’t seem like useful information by itself, though it seems to me a dust attacker could conclude I am probably a heavy lightning user. To go beyond that, the attacker would have to also listen in on lightning and break lightning’s privacy protections. Let me share a plausible attack that I think could be used against me.
A tainted dust attacker could observe that I probably send a good chunk of my money into fresh segwit script addresses that, after about a month, I “cooperatively close,” revealing them to be 2-of-2 multisigs and thus probable lightning channels. This analysis would give the attacker a list of addresses that might be my lightning channels, with some false positives. They could then go to well known lightning channel providers such as Acinq and bitrefill, show them their list of “probably mine” lightning channel addresses, and ask them “do these belong to any common user of lightning services?”
Anyone with whom I frequently create channels could probably tell them it’s me. At that point, the only thing protecting me from the attacker learning how I spend my money is lightning’s source routing technology. But this might not be much help. If I have a channel with bitrefill, and I often spend my money at bitrefill, bitrefill can tell them exactly what I’m purchasing. If I have a channel with Acinq, and I often send my money to my Phoenix wallet, Acinq can see that, and then tell them what I do with it after it arrives in my Phoenix wallet, since Phoenix wallet does not use source routing but rather asks Phoenix to find a route to your destination.
So it seems that there is a plausible attack against me using tainted dust: an attacker can create a list of channel addresses that might plausibly be mine, then show that list to common routing nodes, some of whom (since I use them) can identify which ones are definitely mine. I think I can mitigate this attack by not using common routing nodes, as well as dropping Phoenix wallet (though I need to find a better alternative first).
Worth pointing out: the attacks I’ve identified here are not the “sophisticated” kinds of attacks the analyst in the video seems really concerned about (which his talk does not discuss). They are, rather, just a “sniff test.” Basically, if a privacy protocol can’t pass the sniff test, regard it unseriously. He thinks coinjoin does not pass the “sniff test” but I think the way I personally use it comes pretty close, though I need to fix behaviors that leave me vulnerable to the tainted dust attack.
Even if I do end up passing the sniff test, there are other factors to consider. I’ve identified my typical recipients as bitrefill, the bitcoin company, phoenix, and robosats users. How am I protecting that info? (Certainly not by publicly saying so on stacker news.) Do I use tor when selling coins on bitrefill or the bitcoin company? Do I enable tor on Phoenix wallet? Am I confident that their implementation of tor stops them from knowing my ip address? (Answer: no. I think it only makes my channels tor channels; I think I still leak my ip address to them when my phone e.g. requests the bitcoin exchange rate.) Do I use a new identity every time on robosats? Do I take fiat in an easy-to-trace account?
If I want decent privacy, it’s not enough to use bitcoin privately. That’s just one step. It’s also important to use the internet privately and use my computer privately. How am I doing there? Sophisticated attackers don’t just scan the blockchain. They also collect data from spyware (e.g. Google Keyboard) and, if necessary, steal and scrape your hard drive. If I want to protect myself from sophisticated privacy attackers I have to take steps regarding those things as well.
But in the meantime, I hope this analysis proves enlightening and helpful for other people thinking about taking steps to improve their privacy. The analyst’s video was helpful to me, and I hope others find it good too.