
That excellent video is by an analyst who attempts to debunk the thesis that monero and coinjoin offer decent privacy. He claims they do not pass the “sniff test” because with a “little bit” of thought you can easily identify 3 ways to attack their privacy and identify: (1) what exchange a monero or coinjoin user got their coins from (“overseer attack” discussed at 11:24—12:15) (2) the owner of a static monero or coinjoin address to which coins are frequently sent (“flashlight attack” discussed at 12:15—14:02) (3) where a monero or coinjoin user makes repeated purchases (“tainted dust attack” discussed in 14:15—16:00). The analysis relies heavily on analyzing “taint trees” and the human tendency to engage in repetitive behavior.
In the overseer attack, the analyst observes that monero and coinjoin both try to obscure the origin and destination of coins by hiding them in a set of possible decoys. E.g. if 30 senders are in your coinjoin, and you’re only one of them, it’s hard to identify – for a single transaction – which one was you. But he observes that the following repetitive behavior leaks data: if, every week, you buy your coins from coinbase, coinjoin them, and send some of them to bitrefill, bitrefill can see the coinjoins you were in, and they can see that in all of them, at least one sender bought their coins from coinbase. Coinbase may be popular, but even if 1 in 10 bitcoiners are coinbase customers (which is a very generous assumption), how likely is it that 20 randomly selected coinjoins would all have at least one sender who bought their coins from coinbase? Exceedingly unlikely. They must not be random, there must be a common thread: the same coinbase customer was in all of them. And since you are known to be in all of them (since you used them to send coins to bitrefill) the only plausible way you could be in the same coinjoin as that coinbase customer 20 times in a row is if you are that coinbase customer.
That’s the overseer attack and I don’t think it applies to me. I don’t buy my coins from coinbase, I received them from my customers. If I repeatedly send my coinjoined coins to bitrefill and they look at my taint trees, they are unlikely to see a common source for all of them unless everyone who paid me used coinbase. Even if they did, the taint trees would lead an investigator to coinbase, but not – then – straight to me. It would go from coinbase to all of my customers, who would then have to collude with the investigator to say they paid me. I don’t think it is likely that this kind of attack would be my downfall.
In the flashlight attack, the analyst seems to assume that people who receive money to a static coinjoin or monero address repeatedly sell them at an exchange that has their KYC info. He further assumes that exchange is compromised by a government, who observes the taint tree of every transaction you make sending money to that exchange, and identifies that – even if you coinjoined – your static address is a possible origin in each of your coinjoins. That is so unlikely to happen in 20 randomly selected coinjoins that it’s incriminating: the person who owned that static address was in each of those coinjoins. And since you were also in each of those coinjoins (since you sent money to the exchange in each of those coinjoins) the only plausible explanation for both facts is that you are the owner of that static address. Otherwise you would somehow randomly be in the same coinjoin as the real owner 20 times in a row – a statistically impossible phenomenon.
I don’t think this applies to me because (1) I don’t use a static monero or coinjoin address (2) I don’t repeatedly sell my coins at an exchange that has my KYC info. I invented the whisper address protocol so that I can have a static donation “page” without a static donation “address.” And instead of selling my coins at a KYC’d exchange, I use bisq and robosats. I think these protections allow me to escape the flashlight attack undetected.
In the tainted dust attack, the analyst deals with people who – like me – use a fresh address every time they receive. To deal with them, the attacker occasionally sends dust to your fresh addresses and then tries to watch where the dust goes. Even if you coinjoin it, if you repeatedly send money to bitrefill in those coinjoins (or subsequent ones), the attacker can observe that the dust has bitrefill as a possible destination in each of your taint trees. If that happens 20 times in a row, the only plausible explanation is that you repeatedly send money to bitrefill.
I think this one applies to me. Before I say why let me say this: I typically send my coinjoined money into a lightning channel on my own node, then to my various common trading partners, who are typically bitrefill, the bitcoin company, other users of robosats, and phoenix wallet (that – and not my own node – is what I typically use for “daily spending”). An attacker who “dusts” my non-static donation addresses can observe that after I do one or more coinjoins some of the money from each coinjoin almost always ends up in a lightning channel. That doesn’t seem like useful information by itself, though it seems to me a dust attacker could conclude I am probably a heavy lightning user. To go beyond that, the attacker would have to also listen in on lightning and break lightning’s privacy protections. Let me share a plausible attack that I think could be used against me.
A tainted dust attacker could observe that I probably send a good chunk of my money into fresh segwit script addresses which, after about a month, I “cooperatively close,” revealing them to be 2 of 2 multisigs and thus probable lightning channels. This analysis would give the attacker a list of addresses that might be my lightning channels, with some false positives. They could then go to well known lightning channel providers such as Acinq and bitrefill, show them their list of “probably mine” lightning channel addresses, and ask them “do these belong to any common user of lightning services?”
Anyone with whom I frequently create channels could probably tell them it’s me. At that point, the only thing protecting me from the attacker learning how I spend my money is lightning’s source routing technology. But this might not be much help. If I have a channel with bitrefill, and I often spend my money at bitrefill, bitrefill can tell them exactly what I’m purchasing. If I have a channel with Acinq, and I often send my money to my Phoenix wallet, Acinq can see that, and then tell them what I do with it after it arrives in my Phoenix wallet, since Phoenix wallet does not use source routing but rather asks Phoenix to find a route to your destination.
So it seems that there is a plausible attack against me using tainted dust: an attacker can create a list of channel addresses that might plausibly be mine, then show that list to common routing nodes, some of whom (since I use them) can identify which ones are definitely mine. I think I can mitigate this attack by not using common routing nodes, as well as dropping Phoenix wallet (though I need to find a better alternative first).
Worth pointing out: the attacks I’ve identified here are not the “sophisticated” kinds of attacks the analyst in the video seems really concerned about (which his talk does not discuss). They are, rather, just a “sniff test.” Basically, if a privacy protocol can’t pass the sniff test, regard it unseriously. He thinks coinjoin does not pass the “sniff test” but I think the way I personally use it comes pretty close, though I need to fix behaviors that leave me vulnerable to the tainted dust attack.
Even if I do end up passing the sniff test, there are other factors to consider. I’ve identified my typical recipients as bitrefill, the bitcoin company, phoenix, and robosats users. How am I protecting that info? (Certainly not by publicly saying so on stacker news.) Do I use tor when selling coins on bitrefill or the bitcoin company? Do I enable tor on Phoenix wallet? Am I confident that their implementation of tor stops them from knowing my ip address? (Answer: no, I think it only makes my channels tor channels, I think I still leak my ip address to them when my phone e.g. requests the bitcoin exchange rate.) Do I use a new identity every time on robosats? Do I take fiat in an easy to trace account?
If I want decent privacy, it’s not enough to use bitcoin privately. That’s just one step. It’s also important to use the internet privately and use my computer privately. How am I doing there? Sophisticated attackers don’t just scan the blockchain. They also collect data from spyware (e.g. Google Keyboard) and, if necessary, steal and scrape your hard drive. If I want to protect myself from sophisticated privacy attackers I have to take steps regarding those things as well.
But in the meantime, I hope this analysis proves enlightening and helpful for other people thinking about taking steps to improve their privacy. The analyst’s video was helpful to me, and I hope others find it good too.
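The channel-spotting heuristic described above (fresh P2WSH outputs later spent as 2-of-2 multisigs), as an added example that is not the post's own code: it takes the witness stack of each input of a transaction and reports inputs whose witness script is exactly `2 <pk> <pk> 2 OP_CHECKMULTISIG` with compressed keys, the shape BOLT 3 specifies for a Lightning funding output. The keys, signatures and three sample inputs are constructed; the scriptPubKey it derives (`OP_0 <sha256(script)>`) is what the spent output carried, so a hit can be matched against the earlier transaction that created the candidate address.

```python
"""Added example, not from the post: spotting spends of 2-of-2 multisig P2WSH
outputs (the shape of a Lightning funding output) from a transaction's witness
data.  Keys, signatures and the sample witnesses below are constructed."""
import hashlib

OP_2, OP_CHECKMULTISIG, PUSH_33 = 0x52, 0xAE, 0x21


def multisig_2of2_script(pk1: bytes, pk2: bytes) -> bytes:
    """2 <pk1> <pk2> 2 OP_CHECKMULTISIG with 33-byte compressed keys (71 bytes)."""
    assert len(pk1) == len(pk2) == 33
    return (bytes([OP_2, PUSH_33]) + pk1 + bytes([PUSH_33]) + pk2
            + bytes([OP_2, OP_CHECKMULTISIG]))


def parse_two_of_two(script: bytes):
    """Return (pk1, pk2) if script is exactly a 2-of-2 of compressed keys, else None."""
    if len(script) != 71:
        return None
    expected = (OP_2, PUSH_33, PUSH_33, OP_2, OP_CHECKMULTISIG)
    if (script[0], script[1], script[35], script[69], script[70]) != expected:
        return None
    pk1, pk2 = script[2:35], script[36:69]
    if pk1[0] not in (2, 3) or pk2[0] not in (2, 3):
        return None
    return pk1, pk2


def classify_input(witness):
    """witness: list of byte strings from one input's segwit witness stack.

    A P2WSH 2-of-2 spend carries [b'', sig1, sig2, witness_script]; the leading
    empty element is the extra item OP_CHECKMULTISIG pops.  Returns a dict
    describing the match, or None.  Both a cooperative close and a commitment
    (force-close) transaction spend the funding output this way, so a hit means
    "funding output spent", not specifically "cooperative close"."""
    if len(witness) != 4 or witness[0] != b"":
        return None
    keys = parse_two_of_two(witness[3])
    if keys is None:
        return None
    pk1, pk2 = keys
    script_hash = hashlib.sha256(witness[3]).digest()
    return {
        # scriptPubKey the spent output must have carried: OP_0 <32-byte sha256(script)>
        "spent_scriptpubkey": "0020" + script_hash.hex(),
        # BOLT 3 orders the two funding keys lexicographically; BIP67 wallets do too,
        # so True raises confidence but does not prove the output was a channel.
        "bolt3_key_order": pk1 < pk2,
        # BOLT 3 closing and commitment signatures use SIGHASH_ALL (trailing 0x01).
        "sighash_all": witness[1][-1] == 0x01 and witness[2][-1] == 0x01,
    }


def scan_transaction(inputs):
    """inputs: list of (txid, vout, witness) for one spending transaction.
    Returns the candidate channel outpoints with their classification."""
    hits = []
    for txid, vout, witness in inputs:
        info = classify_input(witness)
        if info is not None:
            hits.append(((txid, vout), info))
    return hits


# Constructed sample data (not real keys or signatures).
PK_A = bytes([0x02]) + b"\x11" * 32
PK_B = bytes([0x03]) + b"\x22" * 32
FAKE_SIG = (b"\x30\x44\x02\x20" + b"\x01" * 32 + b"\x02\x20" + b"\x02" * 32
            + b"\x01")                                         # DER shape + SIGHASH_ALL
SAMPLE_INPUTS = [
    ("aa" * 32, 0, [b"", FAKE_SIG, FAKE_SIG, multisig_2of2_script(PK_A, PK_B)]),  # funding spend
    ("bb" * 32, 1, [FAKE_SIG, PK_A]),                                              # plain P2WPKH
    ("cc" * 32, 0, [b"", FAKE_SIG, FAKE_SIG, multisig_2of2_script(PK_B, PK_A)]),  # unsorted keys
]

if __name__ == "__main__":
    for outpoint, info in scan_transaction(SAMPLE_INPUTS):
        print(outpoint, info)
```

Run over every transaction in a block range, the hits form the "probably mine" list the post describes, and the false positives it mentions are exactly the non-Lightning 2-of-2 wallets that produce the same witness shape. The key-order and sighash fields narrow the list but cannot remove those, which is why the next step in the post is asking the counterparties rather than reading the chain.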
Excellent analysis. I guess most of us have some work to do.
second this
If I want decent privacy, it’s not enough to use bitcoin privately. That’s just one step. It’s also important to use the internet privately and use my computer privately.
Glad you highlighted this @supertestnet. Have to cover all bases.
yes, and a single essay can't cover all the bases. I recommend looking up how tor works in particular if further information is desired.
Have you looked into teleports or would that just not help? https://github.com/bitcoin-teleport/teleport-transactions
Teleports aka coinswaps do help and I have my own implementation of them here: https://github.com/supertestnet/utxo-dealership/
They let you "sell" your taint tree to someone else (and buy theirs) in a way that can't be easily identified on the blockchain. If you do coinswaps frequently, you make the overseer attack, in particular, much harder to do, because the taint tree they are analyzing is the wrong taint tree. Taint tree analysis relies on users engaging in repetitive behavior, but with coin swaps you "purchase" someone else's repetitive behavior, disrupting the analysis.
I'm sorry that I will continue to call coinswaps teleports, LN-Symmetry Eltoo, and everything else by the first name it was called XD
As always, thank you for your contributions
Let me buy you a beer for this in depth analysis! Here are my 10k sats for whatever beer you like. I could send you in private but I prefer to do it through SN so your post will stay more time on top posts.
Nice piece.
I'm interested in the overseer: up to which point does remixing solve it? It seems that after 2 consecutive coinjoins, the attack must be an amount analysis, where you analyze all coins going in and out of coinjoin rounds from the same coordinator.
Wasabi already handles quite efficiently all 3 cases (even in the economic profile) because:
  1. it enforces 2 remixes as a minimum
  2. it never reuses addresses, and won't consider that you gained privacy if you did
  3. there is a configurable dust threshold, and if you receive UTXOs lower than this threshold on already used addresses, they're ignored.
But as you mentioned, correct usage of privacy software is primordial to stay private. For example, in Wasabi we see some users deanon themselves because they swept 100% of their funds and didn't pay enough fees to avoid amount analysis. I've seen the same in Samourai rounds.
based on the presenter's information I don't think the amount of remixes matters. Suppose a coin is mined directly into a coinjoin and spends its entire history in mixes and remixes with 30 participants apiece, except when it's held by an exchange. Suppose you buy it from kraken and do 2 remixes (in coinjoin 382 and coinjoin 4773) before sending it to bitrefill.
In such a case, bitrefill can still see kraken in its taint tree, because they can see (1) it came to them in coinjoin 4773, which had 30 possible "inputs", i.e. senders, (2) one of which was an "output" from coinjoin 382, which also had 30 possible "inputs", i.e. senders, (3) one of which was from someone who got the coins from kraken. So it had at least 60 possible senders, 1 of which was kraken. Therefore kraken is in its taint tree.
If you send coins to bitrefill repeatedly and kraken always appears in all of your taint trees, then even if you do 2 remixes, 10 remixes, or 1000 remixes, bitrefill can conclusively infer you must be a customer of kraken, because it is statistically impossible for kraken to show up in all of your taint trees unless that is where you get your coins.
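The counting argument behind the overseer and flashlight attacks, and the remix question answered in the comment above, as an added example that is not the post's code. It builds a constructed history of coinjoin rounds (the labels, weights, remix probability, the "kraken" target and the seed are all assumptions), walks each round's taint tree back to its labelled leaves, and for every label compares how many of the observer's 20 trees contain it with the fraction of all rounds whose tree contains it. The label can be an exchange (overseer) or a static address (flashlight); remix depth is absorbed by the tree walk, so extra remixes enlarge the tree rather than removing the label. The closed-form helper at the end gives the chance that k independent rounds of n inputs all contain a source that supplies a fraction p of inputs, (1-(1-p)^n)^k, so the rarity of a 20-for-20 hit can be checked for real parameters.

```python
"""Added example, not from the post: taint-tree intersection across coinjoin
rounds.  Every round, label and weight here is constructed for the demo."""
import random

# Hypothetical label set: one popular source ("kraken") plus 40 rarer ones.
LABELS = ["kraken"] + [f"source_{i:02d}" for i in range(40)]
WEIGHTS = [2] + [1] * 40


def build_world(n_rounds=80, inputs_per_round=5, remix_prob=0.1,
                target_source="kraken", n_payments=20, seed=7):
    """Build a constructed coinjoin history.

    Returns (rounds, observed).  rounds maps txid -> list of inputs, where an
    input is either a labelled leaf source or ("round", txid) spending an
    output of an earlier round.  The target always funds from target_source,
    mixes once, remixes once, and pays the observer from the remix round;
    observed lists those remix rounds, which is all the observer sees."""
    rng = random.Random(seed)
    rounds = {}

    def decoy_input(txid):
        # A decoy is either a remix of some earlier round or a fresh source.
        if txid > 0 and rng.random() < remix_prob:
            return ("round", rng.randrange(txid))
        return rng.choices(LABELS, WEIGHTS)[0]

    for txid in range(n_rounds):
        rounds[txid] = [decoy_input(txid) for _ in range(inputs_per_round)]

    observed = []
    for _ in range(n_payments):
        mix = len(rounds)
        rounds[mix] = [target_source] + [decoy_input(mix)
                                         for _ in range(inputs_per_round - 1)]
        remix = len(rounds)
        rounds[remix] = [("round", mix)] + [decoy_input(remix)
                                            for _ in range(inputs_per_round - 1)]
        observed.append(remix)
    return rounds, observed


def taint_sources(rounds, txid, memo=None):
    """All labelled sources reachable by walking a round's inputs backwards
    (the leaves of its taint tree), memoised because rounds share ancestors."""
    memo = {} if memo is None else memo
    if txid not in memo:
        found = set()
        for inp in rounds[txid]:
            if isinstance(inp, tuple):
                found |= taint_sources(rounds, inp[1], memo)
            else:
                found.add(inp)
        memo[txid] = frozenset(found)
    return memo[txid]


def rank_labels(rounds, observed):
    """For each label return (label, hits, baseline): hits is how many of the
    observer's trees contain it, baseline the fraction of all rounds whose
    tree contains it.  A label in every observed tree but with a low baseline
    is the suspect; the list is sorted most suspicious first."""
    memo = {}
    trees = {txid: taint_sources(rounds, txid, memo) for txid in rounds}
    rows = []
    for label in LABELS:
        hits = sum(label in trees[txid] for txid in observed)
        baseline = sum(label in tree for tree in trees.values()) / len(trees)
        rows.append((label, hits, baseline))
    rows.sort(key=lambda row: (-row[1], row[2]))
    return rows


def prob_all_rounds_contain(p, n, k):
    """Chance that k independent rounds of n inputs each contain at least one
    input from a source supplying a fraction p of all inputs: (1-(1-p)^n)^k."""
    return (1 - (1 - p) ** n) ** k


if __name__ == "__main__":
    rounds, observed = build_world()
    k = len(observed)
    for label, hits, baseline in rank_labels(rounds, observed)[:5]:
        print(f"{label:10s} {hits:2d}/{k} observed trees, baseline {baseline:.2f}, "
              f"chance of {k}/{k} by luck {baseline ** k:.1e}")
    # The post's figures (1 user in 10, 30-input rounds, 20 observations)
    # beside a rare source in small rounds (1 in 100, 10 inputs, 20 observations).
    print(f"{prob_all_rounds_contain(0.1, 30, 20):.3f}",
          f"{prob_all_rounds_contain(0.01, 10, 20):.1e}")
```

The ranking is only evidence when the baseline is low: with a source supplying 1 in 10 inputs to 30-input rounds, the helper puts 20 rounds all containing it at about 0.42, while a source supplying 1 in 100 inputs to 10-input rounds gives a figure indistinguishable from zero. Deeper taint trees raise every label's baseline, which is what makes the test weaker, not stronger, as rounds get larger or remix chains get longer.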
So you're saying we should all use kraken so we stand out less :p (I'm joking lol)
I still like the facade it provides
Wow great, thanks for the homework!
Who is this "attacker" you are considering? Some gov agencies?
I personally don't give a shit about any gov agency. Why? Because in order for them to come to me and ask me anything about my BTC, I will ask first under which authority or jurisdiction they came to my door. They MUST prove to me that they have any authority over my money and how I use it.
If you say that the "attacker" is some kind of bad actor / hacker / criminal etc, then yes, maybe I must take in consideration more secure ways to hide my tracks.
Govs are NOT a threat to me when I use BTC.