Cryptography researchers point to serious flaws in the privacy guarantees of the stealth cryptocurrency Monero.
As dark web drug traders and pseudonymous hackers have come to understand that Bitcoin is not magically untraceable money, many have shifted to Monero, a digital coin with a far higher degree of anonymity and untraceability built into its design. But one group of researchers has determined that Monero’s privacy protections, while better than Bitcoin’s, still aren’t the cloak of invisibility they might seem.
Monero is designed to mix any given Monero “coin” with other payments so that anyone examining Monero’s blockchain can’t connect it to a particular identity or to an earlier transaction from the same source. But in a recent paper, a group of researchers from a number of institutions, including Princeton, Carnegie Mellon, Boston University, MIT, and the University of Illinois at Urbana-Champaign, point to flaws in that mixing that make it feasible to single out individual transactions nonetheless.
That shouldn’t only trouble anyone trying to transact secretly with Monero today. It also suggests that evidence of earlier, not-quite-untraceable transactions remains etched into Monero’s blockchain for years to come, visible to any snoop who bothers to look.
‘Those activities were very, very exposed.’ Nicolas Christin, Carnegie Mellon University
The researchers see those privacy defects as most severe before a change to Monero’s code in February of 2017. Transactions from before that time remain highly exposed, and even transactions after the change may be easier to distinguish than Monero’s privacy-sensitive users might think. “The mental model that people have today for Monero is a simplistic one, that these transactions are private. That model is just incorrect,” says Andrew Miller, a researcher at the University of Illinois at Urbana-Champaign who worked on the paper. “There’s data that’s revealed and not covered up by Monero’s cryptography.” Miller is also an advisor to Zcash, another cryptocurrency that promises privacy protections.
Roughly 200,000 Monero transactions occurred during that period; the researchers point out that many of them likely involved purchases of illegal narcotics or other sensitive payments made by users who believed their payments were entirely untraceable.
“People took the privacy guarantees of the currency at face value,” says Nicolas Christin, a dark web-focused researcher who contributed to the paper. “All suggestions show people were actually utilizing this for applications where they needed privacy. And those transactions were very, very vulnerable.”
Not So Private
Notwithstanding Bitcoin’s extensive use on the dark web and for other illicit applications like ransomware, scofflaws have become increasingly aware that if they’re not ultra-careful in how they use it, the Bitcoin blockchain can help identify them—just as it helped connect the dark web drug market Silk Road’s fortune to the laptop of its creator Ross Ulbricht, and even helped to track down the servers of another dark web marketplace, Hansa. As a result, the online underground has increasingly switched to Monero.
But researchers now point to two distinct cracks in Monero’s untraceability, one of which was fixed in its early 2017 revamp, and one that still lingers today, even as Monero coders have taken steps to fix it.
Both problems relate to how Monero hides the source of a payment, essentially by mixing the coin someone spends with a sampling of other coins used as decoys, known as “mixins.”
The researchers first note that simple tricks allow an observer to identify some of the decoy mixins used to cover for the real coin being spent. In Monero’s first year, for instance, it allowed users to opt out of its privacy protections and spend coins with no mixins at all. (Today, Monero requires a minimum of four mixin decoys for every transaction.)
The problem with that opt-out system: when an already spent and identified coin is later used as a mixin, it can easily be plucked out of the mix to help identify the remaining coins. If that results in another coin being identified, and that coin is itself used as a mixin in a subsequent transaction, it reduces the stealth of those later transactions as well.
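The cascade described above is easy to see on a toy ledger. The following is an added illustration, not code from the paper or from the Monero project: every transaction input is modelled as a "ring" (the set of outputs it could be spending, one real and the rest decoys), all output ids and rings are constructed, and the elimination runs to a fixed point. A second constructed ledger with the same spending pattern but a five-member minimum per ring shows why the minimum-mixin rule stops the cascade when no ring is resolved to begin with.

```python
"""Added illustration (not from the paper or Monero's code): once a ring member
is known to be spent elsewhere, it can be struck from every other ring it
appears in; a ring left with one candidate reveals its real spend, which
feeds the next round. All output ids and rings below are constructed."""
from collections import deque

# Each transaction input is a "ring": the set of outputs it could be spending.
# Exactly one member is the real spend; the others are decoys ("mixins").
SAMPLE_RINGS = {
    "tx1": {"o1"},                          # zero mixins: o1 is certainly spent here
    "tx2": {"o1", "o2"},                    # o1 already spent, so o2 must be real
    "tx3": {"o2", "o3", "o4"},
    "tx4": {"o3", "o5"},
    "tx5": {"o3"},                          # zero mixins: o3 is certainly spent here
    "tx6": {"o4", "o6", "o7", "o8", "o9"},  # four decoys, none otherwise identified
}

# The same spends as they would look under a minimum-mixin rule (no ring < 5).
MIN_MIXIN_RINGS = {
    "tx1": {"o1", "o10", "o11", "o12", "o13"},
    "tx2": {"o1", "o2", "o14", "o15", "o16"},
    "tx3": {"o2", "o3", "o4", "o17", "o18"},
    "tx4": {"o3", "o5", "o19", "o20", "o21"},
    "tx5": {"o3", "o22", "o23", "o24", "o25"},
    "tx6": {"o4", "o6", "o7", "o8", "o9"},
}

def chain_reaction(rings):
    """Run the elimination to a fixed point.

    Returns (resolved, remaining): resolved maps each input whose real spend
    became deducible to that output; remaining maps every input to the set of
    candidates an observer is still left with."""
    remaining = {tx: set(members) for tx, members in rings.items()}
    resolved = {}
    queue = deque(tx for tx, members in remaining.items() if len(members) == 1)
    while queue:
        tx = queue.popleft()
        if tx in resolved or len(remaining[tx]) != 1:
            continue  # already handled, or an inconsistent ledger
        (real,) = remaining[tx]
        resolved[tx] = real
        # A real spend can only happen once: strike it from every other ring.
        for other, cands in remaining.items():
            if other != tx and real in cands:
                cands.discard(real)
                if len(cands) == 1:
                    queue.append(other)
    return resolved, remaining

def anonymity_set_sizes(rings):
    """Candidates left per input after the cascade (1 means fully traced)."""
    _, remaining = chain_reaction(rings)
    return {tx: len(cands) for tx, cands in remaining.items()}

if __name__ == "__main__":
    print("opt-out era ledger:", anonymity_set_sizes(SAMPLE_RINGS))
    print("minimum-mixin ledger:", anonymity_set_sizes(MIN_MIXIN_RINGS))
```

On the constructed opt-out ledger the two zero-mixin inputs are enough to resolve five of the six inputs, and the sixth is left with four candidates instead of five. On the minimum-mixin ledger nothing is resolved, because no ring is ever down to a single candidate. The mitigation only holds as long as no spend becomes known by other means: any output already identified, for example from the zero-mixin era, seeds exactly the same cascade in every later ring it is reused in, which is why old transactions stay relevant.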
The researchers also found a second problem in Monero’s untraceability system, tied to the timing of transactions. In any mix of one real coin and a set of decoy coins bundled into a transaction, the real one is likely to be the coin that moved most recently before that transaction.
Before a recent change from Monero’s developers, that timing analysis correctly identified the real coin more than 90 percent of the time, virtually nullifying Monero’s privacy protection.
After that change to how Monero selects its mixins, the trick now spots the real coin just 45 percent of the time, but it still narrows the real coin down to about two possibilities, far fewer than most Monero users would prefer.
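The timing weakness comes down to a mismatch between how real spends are distributed in time and how decoys are drawn. The simulation below is an added example, not code from the paper or from Monero, and everything in it is constructed: block heights are made-up integers, real spends are assumed to fall within the last 1,000 blocks, and the three decoy-sampling policies (uniform over the whole chain, the same age distribution as real spends, and an arbitrary half-and-half mix) are toy models chosen to show the mechanism. Its success rates are properties of this toy model and are not the paper’s 90 and 45 percent figures.

```python
"""Added simulation (not from the paper or Monero) of the "guess the newest
ring member is the real spend" heuristic under different decoy-sampling
policies. Heights, ages and policies are constructed for illustration."""
import random

CHAIN_HEIGHT = 100_000   # constructed: ledger height at the time of the spend
RECENT_WINDOW = 1_000    # constructed: real spends happen within this many blocks

def real_spend_age(rng):
    """Constructed model: the real output was created 1..RECENT_WINDOW blocks ago."""
    return rng.randint(1, RECENT_WINDOW)

def decoy_uniform(rng):
    """Old-style choice: any output in the chain's history, uniformly at random."""
    return rng.randint(0, CHAIN_HEIGHT - 1)

def decoy_recent(rng):
    """Idealized fix: decoys drawn from the same age distribution as real spends."""
    return CHAIN_HEIGHT - real_spend_age(rng)

def decoy_mixed(rng):
    """Partial fix (arbitrary constructed policy): half recent, half uniform."""
    return decoy_recent(rng) if rng.random() < 0.5 else decoy_uniform(rng)

def newest_guess_hit_rate(decoy_sampler, n_decoys=4, trials=4000, seed=1):
    """Fraction of simulated rings whose single newest member is the real spend."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        real = CHAIN_HEIGHT - real_spend_age(rng)
        ring = [decoy_sampler(rng) for _ in range(n_decoys)] + [real]
        newest = max(ring)
        # Count a hit only when the newest member is unique and is the real spend.
        if newest == real and ring.count(newest) == 1:
            hits += 1
    return hits / trials

def compare_policies():
    """Hit rate of the heuristic for each constructed decoy-sampling policy."""
    policies = [("uniform", decoy_uniform), ("mixed", decoy_mixed), ("recent", decoy_recent)]
    return {name: newest_guess_hit_rate(sampler) for name, sampler in policies}

if __name__ == "__main__":
    for name, rate in compare_policies().items():
        print(f"{name:8s} decoys: newest-is-real guess succeeds {rate:.1%} of the time")
```

With uniformly sampled decoys almost every decoy is older than a recently created real output, so the guess is nearly always right. When decoys follow exactly the same age distribution as real spends, the real output is the newest of five only about one time in five, which is the best a ring of this size can do; the half-and-half policy lands in between. The point for a defender is that the decoy distribution has to track the real spending distribution, and any gap between the two is information the ledger leaks permanently.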
Permanent Digital Fingerprints
It’s important to note that all of this only helps a snoop identify the spender of a coin, not its recipient, since Monero hides recipients’ addresses with another technique called “stealth addresses.”
But if, as just one example, someone were to make a payment to a Monero exchange that knew their identity, and then later to an undercover cop posing as a drug dealer on the dark web, that second payment could be tied to the first, and thus to their identity.
That threat becomes even more tangible given that AlphaBay was shut down and its servers seized last summer, potentially helping cops identify the recipients of thousands of transactions during the seven months during which AlphaBay accepted Monero in its most traceable form. “Anyone who expected privacy at that point is still susceptible to being tracked down,” says Miller.
Monero core developer and spokesperson Riccardo Spagni responded to the paper’s findings by pointing out that Monero’s stealth addresses and ring confidential transactions limit which transactions can be traced.
He also says that Monero’s developers have been aware of the problems the researchers point out for years and have made periodic and ongoing improvements to Monero’s protocols designed to shore up its privacy shortcomings. “Privacy isn’t a thing you achieve, it’s a constant cat-and-mouse battle,” Spagni says.
‘Anyone who expected privacy at that point is still susceptible to being tracked down.’ Andrew Miller, University of Illinois at Urbana-Champaign
On the issue of identifying coins based on analyzing the timing of transactions, Spagni admits there’s no simple solution.
“There are steps we can take to continue to improve the sampling, but the reality is that this isn’t a solvable problem by just pecking away at it,” he says. “We need to have a better scheme that allows us to sample a much bigger set [of coins].”
But he also notes that the larger the set of decoy coins in every transaction, the more storage Monero needs on users’ machines and the longer its processes take. “We’re trying to find the balance,” he says.
All of this indicates Monero may continue to leak small amounts of information that could be used to point to likely spenders, even if it doesn’t provide a smoking gun.
Even so, the researchers warn that little data leaks can build up over time, and can be combined with other data sources to provide that more concrete evidence.
Possibly more disturbingly, for Monero users who spent coins before its privacy enhancements, indelible fingerprints could lead to their front door. And that points to a more fundamental problem for cryptocurrencies offering privacy: Any security defect found in the future might apply retroactively, allowing observers to dig up old skeletons buried in the currency’s blockchain.
“You have a permanent record of everything taking place. If, down the road, someone finds a vulnerability that can reveal what happened in the past, you may still be at risk,” says Carnegie Mellon’s Christin.