82 comments

[ 3.0 ms ] story [ 156 ms ] thread
Doing anything illegal with transactions on a public ledger strikes me as foolhardy.
You get the pseudonymity and open/easy access there on the other hand.
> pseudonymity

I worry that many people are confused by this, and don’t understand that this will continue to get eroded as time goes on for completed transactions.

Could you explain a bit more about what you mean by that? My interpretation is that even if you completed a bunch of BTC transactions in a way that allowed you to maintain anonymity, over time, new methodologies or technologies will allow future investigators to trace you as a real person through those old transactions. This? Or something else?
That's the just of it. Many of these public ledgers, like Bitcoin, form a massive transaction graph. Blockchain analytics tools and companies de-anonymize nodes in these graphs by matching real-world transactions to blockchain transactions.
> just

gist

(in case you've ever wondered why gist.github.com is so named)

Yes that’s what I meant — my interpretation is the same as yours
And if you use a mixer or complex wallet setup to try and hide your identity, you are highlighting yourself in the future when more advanced analysis methods start to get used.
It is much much smarter compared to any electronic alternative. It is actually the smartest way to do it if done correctly. Only people who do not understand crypto say stuff like that.
It's extremely hard not to taint addresses in Bitcoin. As an example if you have a Trezor (which makes using Bitcoin safe and easy) and buy another one as a backup, you can't export your private key from the original one, but you can easily send all Bitcoins to a new address. The only option you have is to get the paper backup (which is guarded somewhere physically separated from your Trezor) and use that to initialize the new device.
That's just how wallet backup works, I'm not sure how that is related to taint.

Perhaps a better illustration of the taint issue is "change". Whenever you need to send an amount of bitcoin that does not exactly match one of the UTXOs ("unspent transaction output") in your wallet, you will

- potentially need to use multiple UTXOs as input (thus linking together the past transaction that produced them)

- very likely have a "change" output that sends the excess amount back to a new address in your own wallet. Which output is change can be guessed with heuristics, and that UTXO will eventually be used in a future transaction, linking it to the current transaction.

Basically, all transactions associated with a wallet tend to become linkable over time.

I think you don't have experience with the Trezor. It uses BIP32 wallet (hierarchical deterministic wallet) which derives the private keys from one master seed stored on the device. Older wallets could import separate private keys, but Trezor doesn't have this feature.

If you want to move to a new device without having access to the master key, you need to make a transaction that connects all addresses (both inputs and change addresses).

It's not just ,,linkable over time'', it means that you link all UTXOs in 1 transaction.

What you are wrighting is also a problem, but different from what I had in practice.

If you want to import N UTXOs into a Trezor you can generate N fresh addresses and use N independent transactions to move the money over. Then you have to be careful about joining those UTXOs later. I'm not aware of any wallet that allows this, but it's theoretically possible. I think the advantages of the BIP32 model are worth it considering how many people lost private keys in the old wallet.dat model.
Thanks, but no thanks! Have you tried doing it? For me it was easier to locate the original paper backup even though it meant significant amount of travelling to the place where it was kept just so that the UTXOs don't get joined.

I'm talking about the UX itself trying to make me lose privacy, and you suggest a solution that is even more complicated and especially expensive. Also what you suggest needs to be done slow enough so that the transactions can't be joined by the time of sending.

I'm writing about a real problem that happened to me just a few days ago and getting answers without practical real solutions that would be better than what I have done.

(comment deleted)
The key assumption which underlies tracking UTXOs is that the people sending UTXOs to each other have some sort of real-world relationship and they are both using the same blockchain.

But this is not necessarily true. Two strangers could meet anonymously in an online chat and agree to trade e.g. Bitcoin for Ethereum using a cross-chain atomic swap. In this case the transactions occur on two separate chains, and any available metadata is likely very hard or perhaps impossible for a third party to discover.

As a noob to this stuff, what if BTC was sent through a Monero chain? Isn't Monero purported to be super anonymous?
Monero uses special techniques to obfuscate activity on its chain, increasing the cost of chainanalysis significantly. However, for an attacker that is well funded (e.g. NSA) it's likely a very small challenge to overcome.

Besides brute-force tracking of the chain, a clever way to track cryptocurrency users (including Monero users) is to add backdoored cryptocurrency wallets/apps into app stores and capture the data at the point it is created, just as Facebook/Whatsapp capture keystroke input in realtime. This is probably even cheaper than breaking Monero's obfuscation techniques, and also works well against better privacy technologies such as Zcash.

> However, for an attacker that is well funded (e.g. NSA) it's likely a very small challenge to overcome.

Yeah that's a solid "citation needed", you are talking about breaking serious cryptographic assumptions there.

> and also works well against better privacy technologies such as Zcash.

It's not even worth responding to this person.

I'm not sure there is an educational moment with people like this.

For the record, to anyone passing by, I and many others view things in the opposite way. Zcash is less private, it operates in two states with the default state being just like bitcoin, with a separate state having opt-in privacy. Many/most Zcash users think they are using the opt-in state by default which is unfortunate. The Zcash opt-in state is not as anonymous as Monero and is easier to deanonymize and harder to use best practices to thwart. Zcash is developed and run by a US based company which can be much more easily coerced than a distributed team like Monero has doing open source work that collectively funds development when necessary. Zcash organization has budget for advertisement. It is suspicious that Zcash followers present an alternate reality so opposite to this that it is gaslighting, and does exactly what people are worried a centralized VC backed US based company would do.

A Zcash user recently made a challenge for anyone to tell where his coins came from that went from taddress->zaddress->zaddress->taddress. The winner only had to look at past transactions and find the same coin amount to find the original t-address.

That is why privacy-by-default is very important, and why right now Monero should be considered more private.

Yes this would be better as far as on-chain privacy goes. Although something to consider is liquidity issues.
> Although something to consider is liquidity issues.

Right... if you have tens to hundreds of millions of U.S. dollar's worth.

Monero has a significantly higher "base level" privacy than other cryptocurrencies, and it's great for many use-cases. However, it still has limitations. You should check out the Breaking Monero series: https://www.monerooutreach.org/breaking-monero/
Cross-chain swaps are an extremely rare, very power user move. If you discount them you're still left with the vast majority of transactions on the chain. I would guess over 99.9999% Most people who want a cross-chain trade just use an exchange like Coinbase.

But even if we decide to include cross-chain swaps, its not untraceable at all. You still need to verify hashes match up, its just an extra hop to have an oracle look on the other chain.

I'm not sure how rare they are.

And it really depends on the surveillance vector.

For example, I'm not worried about the government having records, via a subpoena, but I don't want customers, merchants, random blockchain sleuths and pencil pushers having any usable information.

As such, I often trade with OTC desks. OTC desks have reportedly had more volume than deposit/withdrawal-based exchanges for years. This is not a "lit" market, it is the opposite.

When I trade with an OTC desk, they give me a new address, and they send me the other crypto I asked for at an agreed upon price. OTC desk addresses are not giant labelled hot/cold exchange wallets that everyone watches on a block explorer. So when you are following a transaction on chain, lets say it was bitcoin you felt was stolen because thats a circumstance where people watch the transactions, you and others would assume that the transfers to new addresses are all the thief attempting to hide their tracks, and then everyone waits until some of that bitcoin is transferred to a known exchange wallet to then notify the exchange, hoping to freeze the assets as well as identify a KYC'd user. What nobody knows is that the actual bitcoin changed ownership amongst distinct humans 10 addresses ago. The "thief" being followed already received a completely different cryptocurrency from the OTC desk, ages ago and there is no way of knowing that. If the person actually committed a crime, then in this model the OTC desk has records if anyone identifies the OTC desk instead of simply inconveniencing or framing the person that received tainted bitcoin to their KYC'd account.

I wouldn't be surprised if the wrong people are getting inconvenienced or even charged with their tainted cryptocurrencies more often. Don't use surveillance coins.

I often transfer digital assets to Monero for any reason, and then when I want fiat I sell the Monero to an OTC desk.

Or if the amounts are too small (OTC desk minimums are often $100,000), I convert the Monero to another large cryptocurrency and cash that out on an exchange.

I work in compliance for an OTC desk that supports Bitcoin, Ethereum, Monero, others: https://dvchain.co

We conduct AML on everyone who is onboarded, but we're of the opinion that trades should not be public information.

The metadata for cross-chain swaps are stored right on the blockchains for everyone to see.

The same time-locked hashes which make atomic swaps safe, permanently tag both sides of a completed atomic swap transaction with a unique hash making it easy to link them together.

Atomic swaps are not designed to prevent tracking of funds.

Monero is quite anonymous, and https://xmr.to/ allows you to send small amounts of Monero and have them send Bitcoin for you. Just one solution of many to preserve privacy!
and by small, we mean 2 BTC per order, which is $21,600 at time of writing.

no limit on distinct orders.

Americans just turn on your VPN to access the frontend website, the server and operator don't actually care.

> Sorry...

> XMR.to is currently not available in your region.

I guess no Americans allowed

(comment deleted)
That's just based off of IP...
I'm sure it is, but I just wanted to window shop and see what they even had to offer for myself, now I'm just walking away.
If you care about privacy, don't use Bitcoin or any coins for that matter for which privacy is not default. Look at Monero instead.
Bitcoin mixers aren't private as the real transaction is in the mix-set somewhere and it is really a matter of time until a determined researcher will find it. Mixers work better the higher number of coin-joins in the mix, and it is better than nothing in that sense, but it gives users a false sense of privacy.

Privacy can be had in obfuscating your Bitcoin by sending them using the Lightning Network. You have your own LN Channel and then send them to yourself routing through as many other channels as possible. Bitcoin cleaned.

https://bitcoinmagazine.com/articles/how-the-lightning-netwo...

Another way is to use ZCoin. Zcoin uses zero knowledge proofs which burns the minted coin and redeems a new coin. SO I convert my 0.5 Bitcoin to Zcoin, the orginal transaction iin Zcoin is burned and new equivalent Zcoin is minted. No trace.

Monero is good but it is now under attack by Chainalysis to crack it on behalf of the IRS.

https://cointelegraph.com/news/chainalysis-and-texas-firm-wi...

When it comes to anonymity from the solutions available; coinjoins, Monero or Zcoin, personally Zcoin seems the most private way to obfuscate one's blockchain trail.

A Zcash user recently made a challenge for anyone to tell where his coins came from that went from taddress->zaddress->zaddress->taddress. The winner only had to look at past public transactions and find the same coin amount to find the original t-address.

That is why privacy-by-default is very important, and why right now Monero should be considered more private.

Monero has been "under attack" for a long time now, well before the IRS started giving money out. There are possible attack vectors and subsequent remedies. The Monero people made a series called Breaking Monero where they talk about all of that stuff.

Zcash and Zcoin are two very different things run by very different groups with very different protocols.

The poster was talking about Zcoin, and you responded with a canned line about Zcash.

That's weird. I would have sworn the comment said Zcash when I posted.
Zcoin destroys the original and mints a new anonymous set in place
Does anybody know of any papers about attacking coinjoins? From what I understand Wasabi + TOR is still the gold standard of Bitcoin mixing.
Chainanalysis released a publication saying they can trace coins that went through CoinJoin.
Since Bitcoin is not fundamentally private, any attempt to tumble your BTC is fruitless because the Bitcoin blockchain and every transaction is public and transparent. There are even companies like Chainalysis[0] who profit off this fact and help law enforcement with e-crime. I imagine if Satoshi wanted to do Bitcoin again, she would bake in privacy as a core feature?

[0] https://www.chainalysis.com/

Possibly not. Satoshi likely did not intend nor desire their currency to be used to facilitate crimes. In fact, they were infamously weary of WikiLeaks using the currency for donations due to the legal issues surrounding them, and WikiLeaks "crimes" are not comparable to say arms trafficking or something substantially illegal. The public nature of the BTC blockchain helps facilitate decentralized, equal participation.
> Satoshi likely did not intend nor desire their currency to be used to facilitate crimes.

This is certainly false; the whole point is to invalidate money transmission laws.

One can "invalidate" money transmission laws without committing crimes.
How?
Use Bitcoin for legitimate purchases?
How does this invalidate money transmission laws?

If all the transactions being done wouldn't be forbidden by money transmission laws even if they were transmitting money normally, then the transactions aren't doing anything to negate the effects of the money transmission laws.

On the other hand, if a transaction would go against money transaction laws if it were going by some other method, even if it would currently be legal if done with bitcoin (which I doubt is the case, but even supposing), the money transmission laws could just be amended to also forbid the analogous transactions which use bitcoin instead of whatever other method, therefore then making it a crime.

A plan to invalidate a law by making a technology that fits through a loophole in a law, and hoping the loophole never gets patched, seems, an odd plan.

A plan to make a law practically un-enforceable by making a technology, seems like a more reasonable plan to me, and is also inherently facilitating a crime.

They were not wary of WikiLeaks using Bitcoin because of possible crime association, but because Bitcoin was so new and they didn't want to draw attention so early in the project.
Isn't it meant to be censorship resistant? If a state made a law which forbade the use of bitcoin, that would make the use of bitcoin in that state a crime, but I think that making it difficult for a state to enforce such a law is kind of a design goal for bitcoin? Or at least, closely aligned with design goals of bitcoin.

Of course, it wouldn't be desired that it be made illegal, but I think the desire would be that, if possible, even if it was illegal, people would still be successful in attempting to use it.

> Isn't it meant to be censorship resistant?

I don't think so. Satoshi included the headline of bank bailouts in the first block. It's been a decade since I scanned over the whitepaper, but I think it was to create a currency that people couldn't manipulate.

Bitcoin may be censorship resistant, but it is not censorship proof.

The reason I said "if possible" was to suggest that some sufficiently powerful adversaries could censor it, but that this is just because it can't be avoided, not because it is desired that they be able to do so.
Satoshi mentioned things like Ring Signatures. In another timeline, I think it's possible that Satoshi might have kept working on it to make it private by default.

Sidenote: The original author of CryptoNote which Monero is based on, Nicolas van Saberhagen, is also an anonymous identity like Satoshi.

Just because every transaction is public does not mean that it's impossible to mix bitcoins, as transactions can have multiple inputs and outputs. It's difficult to mix, but keep in mind perfect information isn't available to those doing analysis, and companies like chainalysis also use a lot of off-chain information to help them draw conclusions.
It's not impossible to use properly, but it requires time and money. Just to enter the Samourai mixing pools, for example, costs ~$5-270, exclusive of Bitcoin miner fees. Mixing can also take days. Mixing may provide the intended effect for some people, but it's certainly not something for non-enthusiasts. Plus, Chainalysis and other companies will just mark the whole mixing pool as higher risk anyway and flag those deposits with exchanges, even if they can't trace it.
I don't get how referring to an unknown person as "she" is not reverse-sexism? Why not use 'they'?
Some people don't like using "they" as a singular, myself included, in serious writing.

Though the singular "they" has been in the English language since something like the 14th century, for the past hundred-and-fifty or so years, some prescriptive grammarians have been advising against it, insisting that it's an error. I is perhaps due to the efforts of these grammarians that "they" has come to be regarded as informal, giving text a colloquial or conversational flavor.

How you can avoid sexism is my sometimes using "he" and sometimes "she" as a meta-variable for some unspecified person (consistently for the same person).

If you make the he:she ratio exactly 50% in your corpus, you're above all accusation of sexism.

This bothers me as well. Using "he" generically is accepted use of the English language so one could be forgiven for continuing to use it. By using "she" you are going out of you way to choose a gender, when you could easily use a gender-neutral pronoun.
Or the person who wrote that might genuinely believe that Satoshi was female.

I don't like reverse-sexism/racism/etc because adding the term "reverse" doesn't stop it from being sexist/racist/etc itself, but Hacker News guidelines say we should "respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith."

Satoshi (さとし, サトシ) is generally a masculine Japanese given name
Using a screen name of the opposite sex is a good way to help hide one's identity. I wouldn't read into it.
If you care about privacy, use Ethereum and zero knowledge proof mixers like tornado.cash.
There's already a privacy-focused coin that isn't a total mess. And no premines. And no mixing hoops to go through. So, why use Ethereum?
Because everything is on Ethereum. Once you're in the Ethereum eco-system, there's no reason to leave. Once you're in Ethereum, then you can do whatever you want. Trade on DEXs, do swaps, lend, borrow, leverage, stablecoins, zk mixing, farm liquduity tokens, etc. Once you use Monero, if you ever want to do anything useful with your crypto, you're going to have to inject it into the Ethereum ecosystem, and that inherently means interacting with a CEX. So why not skip that step and just deposit your crypto into tornado.cash and wait for the pool to be sufficiently mixed. That way, you never need to interact with a CEX to actually use dapps on Ethereum.
That's true. It would be great to see some more variety in chains being used, but right now everything is being done on ethereum. We need some more bridges to other chains, otherwise there is no reason for anyone to spread out.
This paper is about tracking Bitcoin through centralized mixing services. There is no mention of coordinated CoinJoin services, like Samourai Whirlpool or Wasabi.
Correct, not as far as I can tell. The methods they describe may be applicable to CoinJoin services (at least the very high-level methods are applicable), but they didn't show any testing with these sort of transactions (unless that's covered by one of the two "Unknown"s, which isn't likely).
What's the utility of this? Do people track bitcoins as part of their trading schemes? Or is this only something that the IRS & law enforcement would do?
I don't people understand the potential consequences of using mixers and anonymized bitcoins.

If you have large sums in bitcoins you have anonymized and want to start withdrawing it as USD or some other currency, it can be confiscated unless you can proof it's origin (yes, there is reverse burden of proof).

Anonymize only bitcoins you use on the internet as anonymous user. Don't anonymize bitcoins you want to withdraw or convert into legal tender someday.

I don't understand people who insist on using a cryptocurrency that they have to jump through hoops to mix and hope they do it properly, spending lots of time and money on fees, rather than just using a cryptocurrency that is private by default.
Cryptocurrency that is anonymous by default has the same problem. You can use it only on the net for small purchases.

Every time you try take larger sum of cryptocurrency into the financial system, anonymity becomes a legal burden.

> Every time you try take larger sum of cryptocurrency into the financial system, anonymity becomes a legal burden.

Not every time. Maybe for some countries or some people. I am a US Citizen and use the US-based exchanges Kraken and Coinbase and have not had a problem with depositing significant amounts of cryptocurrency. (Of course I verified and requested higher limits and reported the capital gains to the IRS).

>depositing

The problem rarely happens during depositing as the source of money is known. It's the withdraw you must worry about, especially if you have deposited significantly less than what you withdraw.

In the US FinCEN is extra strict and US money laundering regulations are tough.

That makes even less sense.

Further anecdata: I bought those coins and withdrew those same coins from those exchanges first.

Even at banks when I've withdrawn more than $10,000 cash, and have made $10,000+ wire transfers, no one cares.

Where are you getting these ideas from?