Attacks that unmask anonymous blockchain transactions can be used against everyone who ever relied on the defective technique

In An Empirical Analysis of Traceability in the Monero Blockchain, a group of eminent computer scientists analyze a longstanding privacy defect in the Monero cryptocurrency and reveal a new, subtle flaw; both can potentially be used to expose the details of transactions and identify their parties.

In some ways, this is normal: security is a process, not a product, so technologies thought to be secure are often revealed to be defective in some way and need to be patched.

But the Monero problems exemplify a special problem of blockchain anonymity. By design, every transaction in the blockchain is irrevocably, universally, permanently public. That means that when new defects are discovered in a blockchain-based anonymity tool, attackers can download all the transactions that ever took place under the flawed anonymity protocol and go to work de-anonymizing them.

That's a problem in other privacy domains too: spy agencies are understood to be storing vast quantities of encrypted traffic intercepted from the public internet against the day that a defect is discovered in the encryption method used to scramble it; hashed password archives live on forever on the web, waiting to be cracked using new, superior attacks on their hashing algorithms; and so on.

But one of the defenses against future disclosures of defects in encryption techniques is to throw away the old messages once you're done with them, to reduce the availability of decryptable ciphertexts. And that's not possible on the blockchain, because the blockchain only works if you can't delete things from it.

It's a hard problem of anonymity in blockchainland: there's no way to deploy a security system and be assured that no one will ever find a new flaw in it, someday in the future, so any anonymity tool used in combination with the blockchain poses a special threat in that any defects that do emerge could uncloak all of the anonymized data ever generated by that tool.

In the Monero case, it's especially grave, as the cryptocurrency's initial adopters were largely people producing illegal substances on dark markets, who face legal reprisals if they're unmasked.

Monero users should be warned that their prior transactions are likely vulnerable to tracing analysis

A significant fraction (91%) of non-RingCT Monero transactions with one or more mixins are deducible (i.e., contain at least one deducible mixin), and therefore can be conclusively traced. Furthermore, we estimate that among all transaction inputs so far, the Guess-Newest heuristic can be used to identify the correct mixin with 80% accuracy. Even after accounting for publicly deanonymized transactions such as pool payouts, we find that at least a few hundred transactions per day in mid 2016 and more than a thousand transactions per day from September 2016 through January 2017 would be vulnerable. Furthermore, we estimate that at most a quarter of these can be attributed to illicit marketplaces like AlphaBay. These users might have incorrectly assumed that Monero provided much higher privacy, especially for transactions taking place in late 2016. Because many transactions on AlphaBay are criminal offenses, with statutes of limitations that will not expire for many years (if ever), these users remain at risk of deanonymization attacks. We stress that illicit businesses tend to be early adopters of new technology, but there exist many legitimate reasons to use privacy-centric cryptocurrencies (e.g., a journalist protecting her sources). While such scenarios are less visible, their users face the same risk of deanonymization.

Towards fulfilling this recommendation, we released an initial draft of this paper to the Monero community. We believe it has been in the best interest of Monero users that we offered this warning as soon as possible, even before countermeasures have been deployed. One reason for our decision is that the data from the Monero blockchain is public and widely replicated, and thus delaying the release would not mitigate post-hoc analysis, which can be carried out at any future time. Second, countermeasures in future versions of the Monero client will not affect the vulnerability of transactions occurring between the time of our publication and the deployment of such future versions.

Complementing this paper, we have launched a block explorer (https://monerolink.com), which displays the linkages between transactions inferred using our techniques. We recommend additionally developing a wallet tool that users can run locally to determine whether their previous transactions are vulnerable.
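The excerpt names two analyses (the "deducible mixin" chain reaction, in which a 0-mixin input fixes its output as spent and that knowledge propagates to every other ring using it as a decoy, and the Guess-Newest heuristic) and recommends a local wallet tool that tells a user which of their own past transactions are exposed. The toy below is an added example written for this post; it is not the paper's code nor the monerolink.com explorer. It assumes a drastically simplified model: each ring is keyed by a constructed (transaction, input index) pair, candidate outputs are plain string ids, and an output's block height stands in for its creation time. The ring data is constructed, not taken from the Monero blockchain.

```python
"""Toy model of the Monero traceability analyses described in the excerpt.

1. Chain reaction: an input with zero mixins spends its only referenced output
   unambiguously. That output is now known-spent, so every other ring that
   lists it as a decoy can drop it. Repeat until no ring shrinks; any ring
   reduced to one candidate is conclusively traced.
2. Guess-Newest: for rings the chain reaction cannot resolve, guess that the
   real spend is the most recently created candidate.

All data below is constructed for illustration.
"""


def chain_reaction(rings):
    """Iteratively eliminate known-spent outputs from every ring.

    rings: {(tx_id, input_index): set of candidate output ids}
    Returns (spent_by, remaining):
      spent_by:  {output_id: input_key} for every input traced to one output
      remaining: {input_key: set of still-plausible output ids} for the rest
    """
    remaining = {key: set(cands) for key, cands in rings.items()}
    spent_by = {}
    progress = True
    while progress:  # keep sweeping until a full pass changes nothing
        progress = False
        for key, cands in list(remaining.items()):
            live = cands - set(spent_by)
            if not live:
                raise ValueError(f"input {key}: every candidate already spent elsewhere")
            if len(live) == 1:
                (real,) = live
                spent_by[real] = key
                del remaining[key]
                progress = True
            else:
                remaining[key] = live
    return spent_by, remaining


def guess_newest(cands, heights):
    """Guess-Newest heuristic: pick the candidate created at the greatest height."""
    return max(cands, key=lambda oid: heights[oid])


def traceability_report(rings, heights):
    """Per-input verdict, the shape a local wallet check would present.

    Each value is (status, guessed_output, number_of_candidates_left):
    status is "traced" when the chain reaction left exactly one candidate,
    "guessed" when only the heuristic separates the survivors.
    """
    spent_by, remaining = chain_reaction(rings)
    traced = {key: oid for oid, key in spent_by.items()}
    report = {}
    for key in rings:
        if key in traced:
            report[key] = ("traced", traced[key], 1)
        else:
            cands = remaining[key]
            report[key] = ("guessed", guess_newest(cands, heights), len(cands))
    return report


def deducible_fraction(rings):
    """Share of inputs with >= 1 mixin whose ring holds at least one output
    known to be spent by a *different* input (the paper's "deducible")."""
    spent_by, _ = chain_reaction(rings)
    mixed = [k for k, r in rings.items() if len(r) > 1]
    deducible = [k for k in mixed
                 if any(spent_by.get(o) not in (None, k) for o in rings[k])]
    return len(deducible) / len(mixed) if mixed else 0.0


# Constructed sample: output id -> block height at which it was created.
SAMPLE_HEIGHTS = {"o1": 10, "o2": 20, "o3": 30, "o4": 40, "o6": 45, "o5": 50}

# Constructed sample rings, keyed by (transaction id, input index).
SAMPLE_RINGS = {
    ("A", 0): {"o1"},              # 0 mixins: o1 is unambiguously spent here
    ("B", 0): {"o1", "o2"},        # o1 already spent -> o2 must be the real spend
    ("C", 0): {"o2", "o3"},        # o2 spent by B -> o3 is real
    ("D", 0): {"o3", "o4", "o5"},  # o3 spent by C -> two candidates survive
    ("E", 0): {"o4", "o6"},        # nothing eliminated; heuristic only
}

if __name__ == "__main__":
    for key, verdict in traceability_report(SAMPLE_RINGS, SAMPLE_HEIGHTS).items():
        print(key, verdict)
    print("deducible fraction:", deducible_fraction(SAMPLE_RINGS))
```

Two things the sample makes visible: a single 0-mixin input (A) cascades through B, C and D even though only A chose to forgo mixins, and the rings it cannot resolve (D, E) still expose a best guess, which is why the excerpt treats the Guess-Newest accuracy as an additional risk on top of the conclusively traced set rather than a separate one.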

An Empirical Analysis of Traceability in the Monero Blockchain [Malte Möser, Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava, Kyle Hogan, Jason Hennessey, Andrew Miller, Arvind Narayanan, and Nicolas Christin/Proceedings on Privacy Enhancing Technologies]

The Dark Web’s Favorite Currency Is Less Untraceable Than It Seems [Andy Greenberg/Wired]