I was informed about a fresh research: “When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies”. In this post I give you a brief summary of the this paper. It presents a new attack vector (at least new for me), that can be used to deanonymize cryptocurrency users.

We find that at least 53/130 of merchants leak payment information to a total of at least 40 third parties, most frequently from shopping cart pages. This information can be used to link addresses together.

Explain Me Like I’m Five

Imagine you are a cryptocurrency user and you would relish to buy a Magic Wand Vibrator at Newegg, and order some groceries from your local super innovative, website having, cryptocurrency accepting grocery shop. I suppose you are not keen to connect those two purchases together, so you make sure there’s no connection between the coins you intend to use for each purchases on the blockchain.

But you are not only communicating with the blockchain, additionally you are communicating with your browser. And that’s what the research is about. If your browser tells the two websites: “Hey, I’m John” and leaks it to third parties, then the third parties will know that these two payments came from the same person: John.

So far, this would apply to credit card purchases, too, however the difference is: they have no public blockchain, thus data mining stops at there, while in crypto, it’s just where the blockchain analysis fun starts.

Just How Real This Attack Is?

After digesting the research my initial thoughts are: this attack can be only utilized against “the idiots and the innocents”.

The main self-defense available to users today is to use tracking-protection tools such as Ghostery or uBlock Origin, but we note several limitations. […] even with tracking protection enabled, 25 merchants still leak sensitive information to third parties.

If you can recall, the number without tracking protection was 53/130 leaks. With tracking protection it halved, but likely the “sensitive leaks” became also less sensitive, than they initially was, so the quantification of this data is slightly unfair.

However the research examined the “clean Bitcoin economy”, the darknet is an entirely different story.

First: the Tor Browser is in a different level, regarding tracking protection, than the tools above. I’m sufficiently certain, even malicious darknet markets find close to impossible establishing a connection between two of their accounts simply based on metadata.

Second: deepweb does not delegate payment processing to third parties (BitPay, CoinBase), which was the main way merchants leaked sensitive information and why the results of the research were so frightening. All of them have their own implementations.

Nevertheless, the rest of us, are vulnerable.

How To Defend?

Depending on your level of paranoia I’ll share what I think the most effective ways to defend this attack: