As discerning dark web drug dealers and pseudonymous hackers have figured that Bitcoin is not magically private money, many have turned to Monero, a digital coin that promises a far higher degree of anonymity and untraceability baked into its design.
But one group of researchers has found that Monero's privacy protections, while better than Bitcoin's, still aren’t the cloak of invisibility they might seem.
Monero is designed to mix up any given Monero "coin" with other payments, so that anyone scouring Monero's blockchain can't link it to any particular identity or previous transaction from the same source. But in a recent paper, a team of researchers from a broad collection of institutions—including Princeton, Carnegie Mellon, Boston University, MIT, and the University of Illinois at Urbana-Champaign—point to flaws in that mixing that make it possible to nonetheless extract individual transactions. That shouldn’t just worry anyone trying to stealthily spend Monero today. It also means evidence of earlier not-quite-untraceable payments remain carved into Monero’s blockchain for years to come, visible for any snoop that cares to look.
Those privacy flaws were especially acute before a change to Monero's code in February of 2017, the researchers note. But transactions before that time remain dangerously identifiable, and even payments after that change may be easier to identify than Monero's privacy-sensitive users might think.
"The mental model that people have today for Monero is a simplistic one, that these transactions are private. That model is just incorrect," says Andrew Miller, a researcher at the University of Illinois at Urbana-Champaign who worked on the paper. "There's information that’s revealed and not covered up by Monero's cryptography." Miller is also an advisor to Zcash, another cryptocurrency that promises privacy protections.
The researchers' paper, which will be presented at the Privacy Enhancing Technologies Symposium in July, takes special note of a period starting in July 2016, when Monero was first adopted as an alternative to Bitcoin by the then-largest dark web black market for drugs, AlphaBay, and ending in February 2017, when Monero completed an upgrade to its privacy protections known as Ring Confidential Transactions. Roughly 200,000 Monero transactions occurred during that period, the researchers point out, many of which likely involved purchases of illegal narcotics or other sensitive payments made by users who believed their payments were fully untraceable.
"People took the privacy guarantees of the currency at face value," says Nicolas Christin, a dark web focused researcher who contributed to the paper. "All indications show people were really using this for applications where they needed privacy. And those transactions were very, very vulnerable."
Not So Stealthy
Despite Bitcoin's widespread use on the dark web and for other illicit applications like ransomware, scofflaws have become increasingly aware that if they're not ultra-careful in how they use it, the Bitcoin blockchain can help identify them—just as it helped connect the dark web drug market Silk Road's fortune to the laptop of its creator Ross Ulbricht, and even helped to track down the servers of another dark web marketplace, Hansa. As a result, the online underground has increasingly switched to Monero.
But researchers now point to two distinct cracks in Monero's untraceability, one of which was fixed in its early 2017 revamp, and one that still lingers today, even as Monero coders have taken steps to fix it. Both problems relate to how Monero hides the source of a payment, essentially by mixing the coin someone spends with a sampling of other coins used as decoys known as "mixins."
The researchers first note that simple tricks allow an observer to identify some of the decoy mixins used to cover for a real coin being spent. In Monero's first year, for instance, it allowed users to opt out of its privacy protections and spend coins with no mixins at all. (Today, Monero requires a minimum of four mixin decoys for every transaction.) The problem with that opt-out system: When an already spent and identified coin is later as a mixin, it can be easily plucked out of the mix to help identify the remaining coins. If that results in another coin being identified, and that coin is itself used as a mixin in a subsequent transaction, it can reduce the stealth of those later transactions, too.
The researchers also found a second problem in Monero's untraceability system tied to the timing of transactions. In any mix of one real coin and a set of fake coins bundled up in a transaction, the real one is very likely to have been the most recent coin to have moved prior to that transaction. Before a recent change from Monero's developers, that timing analysis correctly identified the real coin more than 90 percent of the time, virtually nullifying Monero's privacy safeguards. After that change to how Monero chooses its mixins, that trick now can spot the real coin just 45 percent of the time—but still narrows down the real coin to about two possibilities, far fewer than most Monero users would like.
It's important to note that all of this only helps a snoop identify the spender of a coin, not its recipient, since Monero hides recipients' addresses with another technique called "stealth addresses." But if, as just one example, someone were to make a payment to a Monero exchange that knew their identity, and then later to an undercover cop posing as a drug dealer on the dark web, that second payment could be tied to the first, and thus to their identity. That threat becomes even more tangible given that AlphaBay was shut down and its servers seized last summer, potentially helping cops to identify the recipients of thousands of transactions during the seven months during which AlphaBay accepted Monero in its most traceable form. "Anyone who expected privacy at that point is still susceptible to being tracked down," says Miller.
When expert reached out to Monero core developer and spokeperson Riccardo Spagni, he responded to the paper's findings by pointing out that Monero's stealth addresses and Ring Confidential Transactions do limit which transactions can be traced. He also says that Monero's developers have been aware of the problems the researchers point out for years, and have made periodic and ongoing improvements to Monero's protocols designed to shore up its privacy shortcomings. "Privacy isn’t a thing you achieve, it’s a constant cat-and-mouse battle," Spagni says.
On the issue of identifying coins based on analyzing the timing of transactions, however, Spagni admits there's no simple solution. "There are steps we can take to continue to improve the sampling, but the reality is that this isn’t a solvable problem by just pecking away at it," he says. "We need to have a better scheme that allows us to sample a much bigger set [of coins]." But he also notes that the larger the set of decoy coins in every transaction, the more storage Monero requires on users' computers and the longer its transactions take. "We're trying to find the balance," he says.
All of which means Monero may continue to leak small amounts of information that could be used to point to likely spenders—even if not providing a smoking gun. Even so, the researchers warn that small information leaks can build up over time, and can be combined with other data sources to provide that more concrete evidence.
Perhaps more disturbingly for Monero users who spent coins before its privacy improvements, indelible fingerprints could lead to their front door. And that points to a more fundamental problem for cryptocurrencies offering privacy: Any security flaw discovered in the future might apply retroactively, allowing observers to dig up old skeletons buried in the currency's blockchain.
"You have a permanent record of everything taking place. If, down the road, someone finds a vulnerability that can reveal what happened in the past, you may still be at risk," says Carnegie Mellon's Christin. "We don’t know what the future holds."