De-anonymization attacks against the privacy coin XMR
113 comments
May 28, 2025 · ianmiers
mike_d
I will word this carefully since I previously worked on crypto de-anonymization attacks, but nothing in this "analysis" seems to be grounded in more than the blockchain developers' echo chamber of self-congratulation.
Amusingly, assume the CIA has figured out a clever trick for opening up Acme Secure Envelopes in transit. If they publish a report detailing at length how amazing and tamper-proof Acme products are, the world would take note and sales would plummet overnight. If, however, you publish the same report on a blog about how to mail documents securely...
Calwestjobs
Your point is correct, you sound like a salty CIA spreading FUD because it is the job of the NSA to provide them with a solution which did not come. :) So you are saying that zk-SNARKs are CIA approved? XD
duke_leto
100% agree that this is not a comprehensive analysis.
For instance, recently a core Monero dev published something called OSPEAD which is a proposed fix to the "Map Decoder Attack", which he also publicly disclosed at the same time: https://github.com/Rucknium/OSPEAD
The TLDR is that Monero has about 75% less privacy than anybody thought, and this attack is still "live" in production. It requires a mandatory upgrade by every node on the network to fix and as far as I know, no fix has been decided upon yet. The attack can be combined with other attacks to completely de-anonymize transactions. I recently wrote about the bug and my proposed mitigation that users can do to regain privacy here: https://duke.hush.is/memos/6/ . AMA, if you desire.
This attack (and mitigation) is not getting the attention it deserves, partially because it is technical and hard to explain and partially because it does not serve the interests of content marketers and Monero influencers.
Monero is indeed moving to ZK proofs because they are mathematically superior in every way. At a very high level, they are moving towards being more like Zcash but they are not using Zcash ZK machinery, they are rolling their own. They are called "Full Chain Membership Proofs" or FCMPs. You can read the paper about those here: https://github.com/kayabaNerve/fcmp-plus-plus-paper/blob/dev...
As another example, recently an anonymous researcher published http://maldomapyy5d5wn7l36mkragw3nk2fgab6tycbjlpsruch7kdninh... (you will need Tor Browser to access that) which explains how the Monero network is being spied on by malicious nodes, with the end result being that transaction IDs can be linked to IP addresses.
There are various other examples of de-anonymization attacks on Monero but OSPEAD and network spying (which can be combined) are some of the worst, because they are very inexpensive and effective.
piracyrules
[dead]
yieldcrv
Correct, I don't find these to be limitations for any user of Monero, it's just a way not to use it.
> repeatedly withdraw money from one exchange and then deposit it to another
right, don't do that. Withdraw to your wallet. Wait several days. Transfer elsewhere in different denominations.
Problem solved for everything you wrote, and it's been nearly the same for the entire lifespan of Monero, 11 years now.
> Breaks will not always be public.
There are court cases that give the confidence necessary. It is also something to stay abreast of. Always just ask yourself who the transaction is intended to be hidden from.
beeflet
> right, don't do that. Withdraw to your wallet. Wait several days. Transfer elsewhere in different denominations.
Unfortunately, it doesn't work like that. The EAE attacks only require that the end destination is colluding with the start destination.
Like everything with decoys, privacy is stochastic. So I wouldn't go around making absolute claims about the privacy as many proponents of monero like to do. The developers advise against making these sorts of claims. Monero makes privacy a lot easier, but it's not perfect.
> There are court cases that give the confidence necessary. It is also something to stay abreast of. Always just ask yourself who the transaction is intended to be hidden from.
In the free world, we have the concept of innocent-until-proven-guilty and evidence-beyond-a-reasonable-doubt. Decoy-based approaches give you plausible deniability, but this often isn't enough for domains where a lower standard of proof is needed.
Fortunately, all this and more will be fixed in FCMP++ upgrade.
yieldcrv
That's good, FCMP++ will fix it.
Right now it seems Eve just needs to do a dust attack and addresses she’s seen before
And wallets like Featherwallet just need to segregate dust from the pool of outputs, and that kind of attack is totally thwarted
Fortunately Eve doesn't know if an address is part of the same wallet and Featherwallet hides the ability to reuse addresses, although users are lazy and may rely on old addresses being accepted destinations for anyone sending them funds. It would be great if wallets notified of dust, or asked you to recognize incoming transactions.
bcoates
"right, don't do that."
As a non-user of Monero, how do I find out what the security properties are and what information is leaked when various actions are taken? The OP's analysis is deeply lacking in this, and the apparent rule against repeated transactions is non-obvious.
yieldcrv
At this point I’m not sure
there would be the monero subreddit where you could ask these questions
LLMs would be trained on them by now
Books like Mastering Monero exist, and will become obsolete if the proposed upgrades go through
Annual DNM OPSEC GUIDE will likely cover it (darknet market operational security guide)
Calwestjobs
"There are court cases that give the confidence necessary. " NO!
Many times police will make up a "plausible way" they uncovered something, but this "plausible way" was constructed after the "secret" or illegal way was employed to do it.
Rephrase: police will do an illegal thing to obtain info on where you stash your drugs, for example installing NSO Pegasus on your phone, a GPS tracker under the car... so they already have that info. Then they call 911 anonymously saying there is a smell of gas on the street (maybe they even spray some mercaptan to make it even more plausible). Firefighters etc. will come to investigate the gas leak and police will say that they uncovered the drug stash in the investigation of the gas leak... An illegal way to obtain info, then brainstorming how to make that data available "lawfully". They will not tell the judge/court about the first part... so no, your assumption is not correct.
In the computer world it is a million times easier.
99% of youtube videos about criminals failing at operational security is intentionally bad information.
IF you are believed to be a criminal / "bad person", police(men) will justify doing almost anything, because you are a bad person IN THEIR EYES.
Also they are trained and expected to disinform:
For example, Ross Ulbricht. Every newspaper said that "closing his laptop lid will lock his computer and police will be unable to decrypt it". They pushed it and said it so many times that researchers jumped on LUKS and in 1.5 years there was an almost complete rewrite of LUKS... (not even talking about the constant Tor effort)
The whole not-closing-his-notebook story also proves that they obtained the data legally. It does not say they did not have that data already.
One info can mean multiple things to multitude of people.
yieldcrv
Parallel construction is possible and I agree that Ross got railroaded with some unanswered and questionable and paradoxical evidence gathering tactics
My confidence in Monero comes from following what the administrative state has said in court cases
Oftentimes they don't know the balance or location, and are unable to seize it. As designed.
FabHK
Fun fact: After some $330m of BTC were stolen last month, Monero spiked 40%+, presumably because the proceeds of that theft were laundered.
JumpCrisscross
Wouldn't the interface between BTC and Monero be the weak point? Where do they make that swap reliably?
max51
Exchanges that only support cryptos and not fiat money don't require KYC. In some cases, you don't even need to create an account at all. It is extremely easy to swap from one crypto to another in a few clicks.
ofjcihen
I wonder how common this kind of swapping is. It's an interesting financial vehicle when a valid and legal investment strategy is to try to time the laundering of different assets.
multjoy
It's massively common. USDT is the usual coin of choice because even though the ledger is public, the convenience and relative stability massively outweighs the security risks. In the jobs I've seen, the marks will be 'investing' in BTC but the criminals will be moving those funds out into USDT the moment it hits the bandit wallet.
hoppp
USDT can be frozen so it's not the best choice. It's definitely a failure of the Tether team if criminals can openly use it to launder funds without it getting frozen, but they are famously anti-regulation.
piracyrules
[dead]
yieldcrv
> presumably because the proceeds of that theft were laundered
this phrase highlights some really common but unnecessary misunderstandings
1) the proceeds swapped to Monero. there is nothing "presumably" about that because we can see they were swapped to Monero. It isn't a correlation, the instant exchanges show and retain records that they were swapped to Monero.
2) they are unlinking the origin and destination of illicitly obtained funds, so that is laundering BUT
3) it's equally as likely that Monero is the destination. There is no further swapping out to hide, no further laundering to complete. Monero can be used to purchase goods, services, and invest with as well. I think this is as misunderstood as people actually wanting to hold bitcoin was 10 years ago.
4) Monero is an old coin, from one of the first crypto cycles, one thing that's held people back from using it and other mixers is the liquidity. If a large hack of funds used any one of them, then most of the funds coming out would be probabilistically part of the hack and illicit. But if MANY of the hacks used it and other licit sources, this would improve the liquidity for everyone and other hacks. Liquidity begets liquidity. It was only a matter of time before someone started it.
IceHegel
All I know is that if the government is trying to ban it, the tech probably works.
DJHenry56
I agree, that's the biggest proof so far.
Retric
Alternatively, because they’re talking about banning it without actually banning it, it must be compromised.
j-krieger
It is de facto banned at most fiat exchanges. The ban is happening.
piracyrules
[dead]
TarikHassan3
Great article, and I'm glad to see privacy being a focus in a cryptocurrency, but I would like to see some other sources that aren't also promoting the token.
That said, I do think it's got the brightest future of any coin besides BTC for the very reason.
candiddevmike
Preface this by saying I am not a fan of any cryptocurrency, but I really struggle to understand why Monero has a smaller market cap than BTC. It has to be inertia related right? Monero just seems like a fundamentally better piece of technology.
Are there scaling issues with Monero, similar/worse than BTC?
tromp
Yes, it scales much worse:
* node resources scale with the size of the UTXO set (unspent outputs), which in Monero's case balloons to the entire TXO set (all outputs, orders of magnitude larger)
* a typical 2-input 2-output transaction is 4 times larger
* wallets have to track all outputs to choose random decoys for transaction inputs
One can argue that this is the price to pay for significantly better privacy, but the largest benefits come from having no visible amounts or addresses, which can be achieved with significantly better scalability than BTC [1].
[1] https://forum.grin.mw/t/scalability-vs-privacy-chart/8114
beeflet
> but the largest benefits come from having no visible amounts or addresses
MWEB is certainly an improvement over transparent transactions (and other methods such as coinjoin, coinswap, cashfusion, etc.), and I welcome the litecoin upgrade. I agree that decoy-based privacy is weak.
However, I don't believe that Mimblewimble meets the standard of privacy needed for most users. It's not the visible amounts and addresses, but the links between transactions that are the main problem. CTs on their own are just a "nice-to-have".
The end goal should be a zcash or firo style of privacy. I think you can scale that to a global network with an adjustable block size, payment channels, and atomic swaps between multiple cryptocurrencies. The problem is that zcash and firo have weak tokenomics compared to monero. Grin will have a hard time finding an initial niche that isn't currently satisfied by monero, and if it does take off, its changes could be merged into bitcoin (https://www.truthcoin.info/blog/imex/).
proxynoproxy
Don’t forget that opaque blockchains can have invisible inflation. Transparent blockchains will always be worth more, as the user can verify that inflation has not occurred. This applies to grin as much as xmr.
coldblues
Tari uses Mimblewimble (privacy coin developed by previous Monero devs with a focus on privacy), so we're not far from being able to benefit from it.
PokedBear
It doesn't need a lot of speculative value in order to be useful. It just needs enough value to make the transactions meaningful. And that means people are a lot less likely to drive up the price via speculation.
sfjailbird
Isn't BTC privacy achievable these days with coinjoin, lightning network etc.? In that case there is not much reason for Monero.
tsimionescu
It still seems fantastical to me that lightning network is presented as "something running on BTC", when it is "something running completely separately, instead of BTC". Transactions on Lightning network are not transactions on BTC, and have none of the guarantees of BTC (and in fact have no reliable guarantees of no double spending).
The only way to get BTC-like guarantees of no double-spending for Lightning network transactions is to put every transaction on the BTC blockchain ("close the channel" after every transaction). And then, of course, you get back all of the problems of BTC (minuscule TPS not enough for a small village, 0 privacy, huge energy costs).
protocolture
> It has to be inertia related right?
Consider that a lot of Bitcoin is assumed to be locked up.
If an old satoshi wallet started moving funds, the price would probably halve.
lawn
> Are there scaling issues with Monero, similar/worse than BTC?
While there are scaling issues with BTC, they are severely worsened by the fact that BTC has refused to scale on-chain.
Monero is technically much harder to scale but since it doesn't have the same self-imposed restriction it can handle more transactions than Bitcoin can.
im3w1l
One important factor is that Monero is printed at a constant rate, unlike BTC, which is printed at an exponentially slowing rate.
A constant rate of printing means the supply is uncapped but the inflation rate will approach zero.
Monero's choice is arguably better for actual use as a currency, as the printing will prevent deflation from lost coins. But it makes it less attractive as an investment.
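As an added illustration of the two schedules described in the comment above (my own example, not code posted in this thread or from either project; the supply, reward and halving figures are hypothetical units, not the real Monero or BTC parameters), the simulation below tracks supply under a constant per-year emission and under a geometrically halving emission. It goes one step beyond the comment by also giving the closed-form ceiling of the halving schedule and the closed-form inflation rate of the constant schedule, which shows why the latter is uncapped yet has an inflation rate that tends to zero.

```python
# Added example: constant ("tail") emission versus halving emission.
# All numbers are hypothetical units chosen for illustration.

def constant_supply(initial, per_year, years):
    """Supply at the end of each year when a fixed amount is minted per year."""
    supplies, supply = [], initial
    for _ in range(years):
        supply += per_year
        supplies.append(supply)
    return supplies


def halving_supply(initial, first_reward, halving_every, years):
    """Supply at the end of each year when the yearly reward halves every
    `halving_every` years (a BTC-style schedule)."""
    supplies, supply, reward = [], initial, first_reward
    for year in range(years):
        if year > 0 and year % halving_every == 0:
            reward /= 2
        supply += reward
        supplies.append(supply)
    return supplies


def halving_cap(initial, first_reward, halving_every):
    """Closed-form ceiling of the halving schedule: the geometric series
    first_reward*halving_every*(1 + 1/2 + 1/4 + ...) sums to twice its first term,
    so supply is capped."""
    return initial + 2 * first_reward * halving_every


def inflation_rates(initial, supplies):
    """Yearly inflation = newly minted that year / supply at the start of the year."""
    rates, prev = [], initial
    for s in supplies:
        rates.append((s - prev) / prev)
        prev = s
    return rates


def constant_inflation_rate(initial, per_year, year):
    """Closed form for the constant schedule: per_year / (initial + year*per_year).
    The denominator grows without bound, so the rate tends to zero even though
    the supply itself never stops growing."""
    return per_year / (initial + year * per_year)


if __name__ == "__main__":
    const = constant_supply(100, 10, 40)
    halv = halving_supply(100, 50, 2, 40)
    print("constant: supply after 40y =", const[-1],
          "inflation in y40 =", round(inflation_rates(100, const)[-1], 4))
    print("halving:  supply after 40y =", round(halv[-1], 4),
          "cap =", halving_cap(100, 50, 2))
```

The constant schedule's yearly rate `per_year / supply` falls as `1/year`, which is the "approaches zero" claim; the halving schedule stops minting in the limit, which is the "capped" claim.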
wkat4242
> But it makes it less attractive as an investment.
For me that's a feature not a bug. The investor cryptobros have thoroughly killed the interest in BTC as a real payment method and made it just a vaporware pyramid scheme. They have accumulated a lot of influence.
Also they corrupted the whole idea behind bitcoin which was independence from the old centralised banking system where others control your money. To guarantee their investments they've rebuilt the whole old system in bitcoin with the exchanges and some regulators even demanding you use them to store your BTC.
short_sells_poo
Mindshare and hype tend to be self reinforcing and create their own gravity. BTC has the largest market share because it has the largest market share. The moment it got derivatives and ETFs listed and traded on major US exchanges (e.g. CME futures), it became the clear winner because if you are a hedge fund and want to get on the crypto bandwagon, it's easily accessible, liquid and doesn't require extra paperwork. So you trade that instead of going on some unregulated exchange where you might end up as a news headline of "Hedge Fund loses money in crypto exchange exit scam".
dboreham
> better piece of technology
Technology quality is uncorrelated with market cap. This would be like saying Frontier Airlines should have a higher market cap than United because one uses Linux and the other is still on mainframes.
stuxnet79
> That said, I do think it's got the brightest future of any coin besides BTC for the very reason.
Brightest future in terms of what? Traction? Market cap? This is what I thought 7 years ago, and I beefed up my XMR position as a result. Meanwhile, Bitcoin, an objectively inferior technology, has 25x'd since then.
welsandjeremy
The recent ByBit hack and subsequent takedown of the exchange that was used to convert the USDT and BTC to Monero essentially proves that XMR is private from even western governments.
jijijijij
It's evidence at best.
zargon
I can’t find a date on this article. And this is exactly the type of content that needs a date.
MoneroDotForex
Thank you for the input. As the linked news and opinion blog's editor I saw a spike in traffic from this HN thread, and I'm happy to answer any question anyone here may have about it. I have added the date and author's name to this article and will make that the standard.
LegionMammal978
2024-12-23 through 2024-12-30, if the HTML metadata is to be believed. It's always a pain when article-oriented websites try to hide this sort of thing.
madars
This reads like standard AI slop. A giveaway is structured Attempt/Methodology/Efficacy pattern repeated all the way through the article, while top level categories are overlapping. (ZeroGPT: "Your Text is Likely generated by AI/GPT".)
TBaaddi
You just used some bullshit AI tool to call my work, that took me several weeks to research and write, "AI slop".
That's after getting a degree and spending over a decade in financial journalism.
You will read this but still insist you are smart.
People like you are the reason people are falling for "AI slop".
password4321
What is the least amount of effort to setup a Monero address like a tip jar, deferring transfers and if necessary even checking the balance until setting up something more full-blown later?
beeflet
Check out feather wallet (https://featherwallet.org/) on desktop or cake wallet (https://cakewallet.com/) on mobile.
Once you create a wallet and write down the seed phrase, generate a "view key". Creating a new wallet from this "view key" allows you to see incoming transactions to your addresses, but not spend them. So you don't need as much security for "view-only" wallets.
You can generate an address from either wallet. It's a long string of numbers and letters that begins with an "8", under "Receive".
password4321
I don't have a link but I vaguely recall some criminal being tracked down because they cashed out the exact same value of Monero they received for their crime in a single transaction. I believe this falls under item 1 in the article but the reference link does not even discuss Monero.
I am interested in any references to tracking Monero in criminal court cases. So far it seems to be one of the most effective ways to "keep getting away with it".
woah
Timing and amount correlation is something that not even the most sophisticated cryptography can stop.
ddtaylor
I was interested to see some AI providers support crypto as their payment. I think we are entering a future where AI regulation puts more people on the darknet.
jijijijij
Very cyberpunk and all, but how are AI regulations driving people to the darknet? You think those highly centralized billion dollar compute operations will secretly offer hidden services so people can ... what? Generate fucked up shit without restrictions? Lol, you could probably do traffic analysis with thermal imaging from a satellite.
ddtaylor
> Generate fucked up shit without restrictions?
No, that already exists and is not relevant IMO. My comment has nothing to do with what kind of content you generate.
The USA in specific has had a similar problem before with encryption being classified as a munition, making it very problematic to import or export encryption. That's actually pretty well documented in various pieces of Java code from Sun if you're curious, because different algorithms could not be part of the JRE/JDK that was distributed publicly.
Your mention of "highly centralized billion dollar compute operations" is actually related to the training of the models, not the inference. Doing inference for many of these models is readily available on modest consumer hardware. There are many different ways to break up models (MoE) etc. The notion that you need a large super computer to do inference is unfounded.
Also, as a reminder, cryptocurrency mining has already proven this to be a thing. Some stay above ground, some go to geopolitical areas for shelter and some stay underground entirely.
For your entertainment I will also include a more simplified play-by-play of how this can play out in the near future:
1. OpenAI or some other USA based AI company continues to get outplayed by foreign models (Qwen, Deepseek)
2. Company cries to government
3. Government does a similar munitions classification or tariff to what we saw with encryption. Requires at the least that anyone wanting to use AI gets one from the good boy list etc.
Now you either (a) use only AI from the good boy list and get outplayed in the global marketplace where our main export is global technology or (b) start acting like a Chinese citizen and using a VPN to access AI services not available only on the approved good boy list.
I will stop here because the rest is already very well documented with how this progresses and you get the same result as the darknet marketplaces (DNM). DNS censorship for AI services not on the good boy list. DNS censorship and legal pressure for VPNs that allow non-good-boy-list services, etc.
Why wouldn't someone change a few .com endpoints to .onion and keep it moving while you send some coin to a wallet?
hoppp
There is no point in hosting an AI endpoint on a .onion domain. The point of Tor is privacy, so if you want private AI prompts just run a local model.
The philosophy behind Tor is maximum privacy, and the most private way to do AI is locally.
jijijijij
Good times, when you were able to restrict information export through airport security... Don't forget Paypal and Wikileaks! Oh my bad, that was Bitcoin talk. That's not a currency anymore, but an asset. Like gold.
> Doing inference for many of these models is readily available at modest consumer hardware availability.
Then why exactly do I need a darknet service for that, instead of running it locally?
> Now you either (a) use only AI from the good boy list and get outplayed in the global marketplace where our main export is global technology or (b) start acting like a Chinese citizen and using a VPN to access AI services not available only on the approved good boy list.
Yeah, businesses are totally gonna buy tons of crypto to pay for outlawed services from China to stay competitive. Instead of running models locally as you suggested above. And of course the government will just fold in the face of this crypto enabled libertarian hell.. I mean utopia. Can't beat math, amirite? There will be no more taxes, everyone will be free, armed and get as much fentanyl as they want, and we will just build a Dyson sphere around the sun to power this awesome new financial behemoth. It will be so worth it.
Better invest now!
coldblues
https://www.getmonero.org/2024/04/27/fcmps.html
After this is implemented, it will really strengthen its privacy. It will take a few years of development, iteration and planning. Move slow and... don't break things?
storus
Given that the EU is going to ban all privacy-preserving cryptocurrencies in 2027, what are the options for EU citizens?
protocolture
Do it anyway
stasmo
If the US debt problem leads to capital controls, using Monero will become a federal offence overnight. Might as well call it money-laundering coin.
ChrisfromLees
Do you think that is a likely scenario under this government?
ty6853
IDK about this particular administration, but the government did place Tornado cash on the sanctions list (now removed). Which does operate differently than monero, but from the view of a bureaucrat I think similar effect.
ujkhsjkdhf234
Yes. I would bet on it. Certain Democrats don't like Monero because of the criminal activity around it. If the king told Republicans to ban it, they would be able to get enough Dems on board to avoid any filibuster problems.
yieldcrv
> Might as well call it money-laundering coin
The state's concept of money is private and it has just enjoyed help in getting data about electronic ledgers for the last 55 years, by deputizing banks. And for the last 18 it has also enjoyed public ledgers of crypto currencies.
But the successful stigma of financial privacy doesn't invent its right to having data. This is just a privilege, and private money is a reversion to the mean.
im3w1l
I long used to think that private money was a good thing for freedom helping the little guy living under state repression, but I'm recently starting to worry that it will do the opposite, by helping the ultra-rich engage in corrupt schemes.
The rumors that people bought Trump-coin for the sole purpose of currying favor got to me.
hiatus
> but I'm recently starting to worry that it will do the opposite, by helping the ultra-rich engage in corrupt schemes. The rumors that people bought Trump-coin for the sole purpose of currying favor got to me.
How would government knowing exactly who spends what where help in that scenario?
yieldcrv
None of the transactions systems are aiming to solve for that. The legacy financial system enables this too. Trump coin just happens to be more liquid than expensive dinner seats, campaign donations, and less cumbersome than a Trust. It is not private.
So it's fine to feel disillusioned from that goal because it was a misplaced goal.
Monero on the other hand is private by default, and you can disclose transactions. It has optional auditability. This is a power dynamic I can appreciate.
NoMoreNicksLeft
[flagged]
greenavocado
The second capital controls drop, the feds will rebrand privacy as "terrorism" faster than you can say "civil forfeiture."
ty6853
Lol they already have. Hawaladars are basically synonymous with terrorists now.
ty6853
No I think money laundering is when you knowingly mix proceeds of crime, obscuring it.
Like if I make drug dealing illegal, then require drug dealer to pay taxes. And then take the tax money, and conceal and intermix it into the form of the value of the 8th street bridge to cross the creek.
NoMoreNicksLeft
>No I think money laundering is when you knowingly mix proceeds of crime, obscuring it.
I can exempt myself from the $10k deposit/withdrawal/structuring rules at the bank by affirming to them that it's not the proceeds of a crime? If a cop decides to take the $300 out of my wallet, I just state "that's not drug money" and he has to give it back then and there?
Keep in mind that I can lose the money without a conviction, trial, or even being charged, so I don't think this has anything to do with it being the proceeds of a crime.
8note
properly, money laundering is:
1. a predicate crime - the illegal thing you did to make money
2. placement - getting that money into the financial system
3. layering - hiding the money in legitimate transactions
4. integration - getting the money out
It sounds like you do have the predicate crime though, in some form of illegal drug dealing, since you mention trying to interfere with the government. If you actually think it's unconstitutional, you might consider getting caught, and bringing your case up to the supreme court so that it can be struck for being unconstitutional.
This is by no means a comprehensive analysis. This analysis misses the most major limitation with Monero's decoy-based approach to transaction obfuscation: Eve-Alice-Eve attacks (also known as ABA attacks). It also misses an analysis of the possible insecurity of churning and a significant history of randomness implementation errors and flooding attacks specific to Monero. The exact consequences of some of these attacks remain an open question, but worthy of mention.
A simple and surprising limitation of Monero and any other decoy-based approach is that if you repeatedly withdraw money from one exchange and then deposit it to another, those transactions are not private (edit: even if we ignore payment value). This is a form of Eve-Alice-Eve attack.
Monero uses decoy transactions to obscure the transaction history on-chain, but it does not remove the history. There's a reason every other major privacy protocol (Zcash, Tornado Cash, Railgun, Aleo, Penumbra, etc.) does not use Monero's decoy-based approach, and even the Monero developers are moving to the standard zero-knowledge proof over an accumulator (IIRC a Merkle tree like everyone else) based approach that they call Full Chain Anonymity Proofs.
As a meta-comment, this is one of a genre of Monero "privacy" analysis documents that are circulated as a way to claim there are no known actively used exploits. This is little better than the classic "my scheme is secure; here's a bounty for anyone who breaks it" form of cryptographic analysis we often see with flawed encryption schemes. Breaks will not always be public.
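What a cooperating pair of endpoints sees, whatever the on-chain ring construction does, is an off-chain ledger of amounts and timestamps. The following is an added example, my own code and not something posted by any commenter or taken from a Monero project, that models that view over constructed exchange records with hypothetical venue and account names. For each deposit at one venue it lists the withdrawals at other venues that could have funded it, so the list length is that deposit's effective anonymity set from the endpoints' perspective: a length of 1 is the exact-amount, single-transaction cash-out mentioned earlier in the thread, and `tolerance=None` drops amounts and keeps only timing, matching the root comment's remark that the linkage persists even when payment value is ignored. It models only this endpoint-side correlation, not the ring-signature decoy analysis itself.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not code from any commenter on this thread. The records below
# are constructed; exchange and account names are hypothetical and amounts are
# illustrative XMR-denominated values.


@dataclass(frozen=True)
class Record:
    exchange: str    # hypothetical venue name
    direction: str   # "withdraw" (coins leave the venue) or "deposit" (coins arrive)
    account: str     # the venue's own customer identifier
    amount: float
    when: datetime


T0 = datetime(2024, 12, 23, 9, 0)
RECORDS = [
    Record("ExchangeA", "withdraw", "alice",  12.5, T0),
    Record("ExchangeA", "withdraw", "bob",    12.5, T0 + timedelta(hours=1)),
    Record("ExchangeA", "withdraw", "carol",   4.0, T0),
    Record("ExchangeB", "deposit",  "acct-3", 12.5, T0 + timedelta(hours=3)),    # two candidates
    Record("ExchangeB", "deposit",  "acct-5",  4.0, T0 + timedelta(minutes=30)), # one candidate
    Record("ExchangeB", "deposit",  "acct-9",  2.0, T0 + timedelta(days=5)),     # split and delayed
    Record("ExchangeC", "deposit",  "acct-4", 12.5, T0 + timedelta(days=10)),    # outside the window
]


def candidates_for(deposit, records, max_delay, tolerance):
    """Withdrawals at other venues that could have funded `deposit`: they must
    precede it by at most `max_delay` and, unless `tolerance` is None (ignore
    amounts entirely), match its amount within `tolerance`."""
    found = []
    for r in records:
        if r.direction != "withdraw" or r.exchange == deposit.exchange:
            continue
        delay = deposit.when - r.when
        if not (timedelta(0) <= delay <= max_delay):
            continue
        if tolerance is not None and abs(r.amount - deposit.amount) > tolerance:
            continue
        found.append(r)
    return found


def correlate(records, max_delay=timedelta(days=2), tolerance=0.0):
    """Map each deposit account to the sorted withdrawal accounts that could
    have funded it. The list length is that deposit's effective anonymity set
    under this off-chain view; a length of 1 is a unique link."""
    out = {}
    for d in records:
        if d.direction != "deposit":
            continue
        c = candidates_for(d, records, max_delay, tolerance)
        if c:
            out[d.account] = sorted(r.account for r in c)
    return out


def unique_links(records, **kwargs):
    """(withdrawal account, deposit account) pairs that have exactly one candidate."""
    return sorted((v[0], k) for k, v in correlate(records, **kwargs).items() if len(v) == 1)


if __name__ == "__main__":
    print("amount + timing:", correlate(RECORDS))
    print("unique links   :", unique_links(RECORDS))
    print("timing only    :", correlate(RECORDS, tolerance=None))
```

Two things the constructed data makes visible: a deposit that matches a single withdrawal in amount and time is linked with no cryptography involved, and widening the window or ignoring amounts enlarges the candidate list but rarely empties it, since the endpoints still hold the timestamps.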