Monero is a cryptocurrency designed for privacy, promising “all the benefits of a decentralized cryptocurrency, without any of the typical privacy concessions”.
It’s where Dark Web market AlphaBay, at the time the most popular site of its kind, looked in 2016 when it wanted to adopt a cryptocurrency that offered users more protection than Bitcoin.
It’s also where the authors of WannaCry, the infamous ransomware that went global in May 2017, turned when they wanted to transform their ill-gotten ransoms into something harder to trace.
But recently updated research on traceability in the Monero blockchain suggests that the currency’s privacy protections can be weakened, and in many cases stripped away entirely, leaving users exposed.
The researchers detail a pair of attacks, one that works on transactions up to the beginning of 2017 and one that still works today.
In this article we’ll examine the first of those attacks, but we’ll begin by looking at how Monero attempts to avoid the pitfalls of Bitcoin.
Exposing Bitcoin users
Bitcoin and Monero are both cryptocurrencies that rely on a blockchain, a cryptographically protected, decentralised ledger of transactions.
The robustness of each relies, in part, on transparency: there are thousands of copies of both the Bitcoin and Monero blockchains in existence and every copy carefully details every single transaction ever made in that currency.
Changing the history enshrined in those blockchains is effectively impossible. If you’ve ever spent a bitcoin or a monero then the proof that it happened is etched indelibly into that currency’s blockchain, forever.
In the Bitcoin blockchain each transaction input refers explicitly to the earlier transaction output it spends, making it possible to follow the coins and see what any given Bitcoin wallet (and by extension, any given Bitcoin wallet owner) has spent and received.
That makes Bitcoin users pseudonymous – their privacy is protected only by one or more pseudonyms, their wallet addresses.
Bitcoin users can be exposed if any one of a wallet’s transactions can be linked to a real identity.
If a Bitcoin user pays for something at an online market that requires personal information, such as a delivery address, then that single transaction creates a link between the user’s real identity and every other transaction they’ve made with that Bitcoin wallet.
A similar link is created if a Bitcoin user signs up to an online exchange that requires an ID to open an account.
Even usernames can be used to unmask Bitcoin users if they’re reused across, say, a Dark Web site where bitcoins have been spent and a public site like Reddit or GitHub that requires a login.
Monero attempts to make users fully anonymous by obscuring the links between transactions. Unmasking the person behind a single transaction does not unmask their other transactions too.
It does this using decoy coins, known as mixins.
Whereas the Bitcoin paper trail clearly identifies the coin being spent in every transaction, every Monero transaction input names a number of candidate coins, one real one and at least four mixins, with nothing in the transaction itself indicating which is which.
Anyone attempting to piece together a user’s transaction history from the Monero blockchain will find themselves running down blind alleyways.
However, if an attacker can find a way to tell the real coins from the decoys then Monero users are no better off than Bitcoin users and just as vulnerable to the tactics used to expose them.
And that’s exactly what the researchers did.
Exposing Monero users
Just like any software, cryptocurrencies can adapt and change over time. However, while the rules that govern transactions can evolve, old transactions made under older rules (including rules their writers may come to regret) cannot be erased.
Mixins make a transaction larger and therefore cost more in fees, and until a couple of years ago adding them wasn’t mandatory.
This created an incentive for users who weren’t particularly interested in Monero’s privacy protections to set them aside.
Because of this, at the time the research was conducted, about two thirds of the transactions in the Monero blockchain had been made without any mixins. These transactions can be linked to previous transactions in the same way as with Bitcoin transactions.
The people who did this didn’t care about their own anonymity enough to pay for mixins, but they inadvertently weakened the protection of people who did. As the researchers put it:
0-mixin transactions not only provide no privacy to the users that created them, but also present a privacy hazard if other users include the provably-spent outputs as mixins in other transactions. When the Monero client chooses mixins, it does not take into account whether the potential mixins have already been spent.
In other words, the potential pool of decoys includes coins that an attacker can prove have been spent elsewhere.
That’s a problem because if you’re presented with a Monero transaction that contains a number of coins (the ‘real’ one and a number of mixin phantoms) and you know for sure that some of the coins have been spent before, then they cannot be the real coin.
Given their prevalence, the outputs provably spent by these zero-mixin transactions are very likely to have been picked as decoys in other transactions.
So, the researchers began by removing all of the decoys that they could prove had already been spent, stripping the camouflage from a number of previously obscured transactions.
Once the decoys had gone, these transactions were not only provably linked to previous transactions but also no longer useful as mixins, which exposed another layer of transactions, which exposed another, which exposed another and so on.
According to the researchers, this recursive “chain-reaction analysis” can be used to remove all of the decoys from two thirds of the transactions that used them, prior to 2017.
We find that among Monero transaction inputs with one or more mixins, 63% of these are deducible, i.e. we can irrefutably identify the prior TXO that they spend.
Two changes, the last in early 2017, prevent this kind of attack on more recent transactions.
From January 2016 all new Monero transactions required a minimum of two mixins. That was followed a year later by a hard fork that introduced a new type of transaction called RingCT, whose inputs can only use the outputs of other RingCT transactions as mixins.
Since all RingCT transactions post-date the two-mixin minimum, they form a separate pool of transactions with no zero-mixin inputs to give the attack a foothold.
Without that foothold, the chain-reaction analysis doesn’t work.
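To make the chain-reaction analysis concrete, here is an added example that is not code from the paper or from the Monero project. It runs the cascade over a small constructed set of transaction inputs (the output identifiers o1..o7 and the ring contents are invented, and the rings are smaller than real Monero rings) and reports how many passes the cascade needed and what fraction of the mixin-using inputs it resolved. It then runs the same deduction over a second constructed set that has no zero-mixin inputs, standing in for the RingCT pool, to show that without a foothold nothing is deduced.

```python
"""Chain-reaction deduction of spent outputs in Monero-style rings.

Added illustration only; the transaction data is constructed and the
output identifiers are made up.
"""


def chain_reaction(inputs):
    """Deduce the real spent output of as many inputs as possible.

    inputs: {input_id: set of candidate output ids in that input's ring}
    Returns (deduced, rounds): deduced maps input_id -> the output proven
    to be the real spend; rounds counts the passes in which at least one
    new deduction was made, i.e. how deep the chain reaction went.
    """
    spent = set()   # outputs proven spent so far
    deduced = {}    # input_id -> output proven to be the real spend
    rounds = 0
    while True:
        newly = {}
        for inp, ring in inputs.items():
            if inp in deduced:
                continue
            candidates = set(ring) - spent
            if not candidates:
                # Every ring member already provably spent elsewhere: the
                # data is inconsistent, since key images rule out double spends.
                raise ValueError(f"{inp}: every ring member is already spent")
            if len(candidates) == 1:
                newly[inp] = next(iter(candidates))
        if not newly:
            return deduced, rounds
        if len(set(newly.values())) != len(newly):
            raise ValueError("two inputs deduced to spend the same output")
        deduced.update(newly)
        spent.update(newly.values())
        rounds += 1


def deducible_fraction(inputs, deduced):
    """Share of inputs that used at least one mixin whose real spend was deduced."""
    mixed = [inp for inp, ring in inputs.items() if len(ring) > 1]
    if not mixed:
        return 0.0
    return sum(1 for inp in mixed if inp in deduced) / len(mixed)


# Constructed pre-2017 style data: a mix of 0-mixin inputs and inputs whose
# rings reuse outputs that the 0-mixin inputs have already provably spent.
PRE_2017_INPUTS = {
    "in1": {"o1"},              # 0-mixin: o1 is provably spent
    "in2": {"o2"},              # 0-mixin: o2 is provably spent
    "in3": {"o1", "o3"},        # o1 spent by in1, so o3 must be real
    "in4": {"o2", "o3", "o4"},  # o2 and o3 spent, so o4 must be real
    "in5": {"o5", "o6"},        # both members unspent: stays ambiguous
    "in6": {"o4", "o7"},        # o4 spent by in4, so o7 must be real
}

# Constructed RingCT-style data: every ring has at least two mixins and no
# member is provably spent, so the cascade has nothing to start from.
RINGCT_INPUTS = {
    "r1": {"p1", "p2", "p3"},
    "r2": {"p2", "p3", "p4"},
    "r3": {"p1", "p4", "p5"},
}

if __name__ == "__main__":
    deduced, rounds = chain_reaction(PRE_2017_INPUTS)
    print("pre-2017 deductions:", deduced, "in", rounds, "rounds")
    print("fraction of mixin inputs deduced:",
          deducible_fraction(PRE_2017_INPUTS, deduced))
    print("RingCT pool deductions:", chain_reaction(RINGCT_INPUTS))
```

The deduction is done in synchronous passes so the result does not depend on the order in which inputs are listed; on the constructed data it takes four passes to reach in6, which is the cascade the text describes. The real analysis runs the same loop over millions of inputs and full-size rings, but the logic is no more complicated than this.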
That’s good news for people who are new to Monero (although the research details another, less effective, attack for them that we’ll cover in a later article) but cold comfort to anyone who used it for its anonymisation features prior to 10 January 2017, such as buyers on AlphaBay:
Users who made privacy-sensitive transactions prior to February 2017 are at significant risk of post hoc deanonymization.
The research shows that the transparency and immutability that make blockchains trustworthy may also leave users vulnerable to retrospective action.
The transactions inside them are artefacts frozen in time according to rules that were considered good enough or strong enough at the time.
Immune to correction, their protections have to survive the cycles of Moore’s Law, and as yet unseen advances in technology, techniques and research.