As discerning dark web drug dealers and pseudonymous hackers have figured out that Bitcoin is not magically private money, many have turned to Monero, a digital coin that promises a far higher degree of anonymity and untraceability baked into its design. But one group of researchers has found that Monero's privacy protections, while better than Bitcoin's, still aren't the cloak of invisibility they might seem.

Monero is designed to mix up any given Monero "coin" with other payments, so that anyone scouring Monero's blockchain can't link it to any particular identity or previous transaction from the same source. But in a recent paper, a team of researchers from a broad collection of institutions—including Princeton, Carnegie Mellon, Boston University, MIT, and the University of Illinois at Urbana-Champaign—point to flaws in that mixing that make it possible to nonetheless extract individual transactions.

That shouldn't just worry anyone trying to stealthily spend Monero today. It also means that evidence of earlier not-quite-untraceable payments remains carved into Monero's blockchain for years to come, visible to any snoop who cares to look.


Those privacy flaws were especially acute before a change to Monero's code in February of 2017, the researchers note. But transactions before that time remain dangerously identifiable, and even payments after that change may be easier to identify than Monero's privacy-sensitive users might think. "The mental model that people have today for Monero is a simplistic one, that these transactions are private. That model is just incorrect," says Andrew Miller, a researcher at the University of Illinois at Urbana-Champaign who worked on the paper. "There's information that’s revealed and not covered up by Monero's cryptography." Miller is also an advisor to Zcash, another cryptocurrency that promises privacy protections.

The researchers' paper, which will be presented at the Privacy Enhancing Technologies Symposium in July, takes special note of a period starting in July 2016, when Monero was first adopted as an alternative to Bitcoin by the then-largest dark web black market for drugs, AlphaBay, and ending in February 2017, when Monero completed an upgrade to its privacy protections known as Ring Confidential Transactions. Roughly 200,000 Monero transactions occurred during that period, the researchers point out, many of which likely involved purchases of illegal narcotics or other sensitive payments made by users who believed their payments were fully untraceable.

"People took the privacy guarantees of the currency at face value," says Nicolas Christin, a dark-web-focused researcher who contributed to the paper. "All indications show people were really using this for applications where they needed privacy. And those transactions were very, very vulnerable."

Not So Stealthy

Despite Bitcoin's widespread use on the dark web and for other illicit applications like ransomware, scofflaws have become increasingly aware that if they're not ultra-careful in how they use it, the Bitcoin blockchain can help identify them—just as it helped connect the dark web drug market Silk Road's fortune to the laptop of its creator Ross Ulbricht, and even helped to track down the servers of another dark web marketplace, Hansa. As a result, the online underground has increasingly switched to Monero.

But researchers now point to two distinct cracks in Monero's untraceability, one of which was fixed in its early 2017 revamp, and one that still lingers today, even as Monero coders have taken steps to fix it. Both problems relate to how Monero hides the source of a payment, essentially by mixing the coin someone spends with a sampling of other coins used as decoys known as "mixins."

The researchers first note that simple tricks allow an observer to identify some of the decoy mixins used to cover for a real coin being spent. In Monero's first year, for instance, it allowed users to opt out of its privacy protections and spend coins with no mixins at all. (Today, Monero requires a minimum of four mixin decoys for every transaction.) The problem with that opt-out system: When an already spent and identified coin is later used as a mixin, it can be easily plucked out of the mix to help identify the remaining coins. If that results in another coin being identified, and that coin is itself used as a mixin in a subsequent transaction, it can reduce the stealth of those later transactions, too.
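To make the chain reaction described above concrete, here is an added Python example (not code from the researchers, from Monero, or from this article) that runs the elimination over a small constructed ledger; the transaction and output identifiers are hypothetical. It starts from a zero-mixin spend, strikes known-spent outputs out of later rings, and reports which transactions end up fully exposed and how many candidates the rest keep.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample ledger (hypothetical ids): each transaction input is a ring of
# output ids, exactly one of which is the real spend; the rest are decoy mixins.
SAMPLE_RINGS: Dict[str, List[str]] = {
    "tx1": ["out_a"],                    # zero mixins: out_a is revealed outright
    "tx2": ["out_a", "out_b"],           # out_a already spent, so out_b is the real spend
    "tx3": ["out_a", "out_b", "out_c"],  # both decoys known spent: out_c revealed (cascade)
    "tx4": ["out_c", "out_d", "out_e"],  # one decoy removed, two candidates left: ambiguous
    "tx5": ["out_f", "out_g"],           # no known-spent member: unaffected
}


def deduce_spent_outputs(
    rings: Dict[str, List[str]],
) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Run the chain-reaction elimination until nothing new is learned.

    A Monero output can be spent only once, so a ring member already proven spent
    elsewhere must be a decoy here. When a ring shrinks to one live member, that
    member is the real spend and is removed from every other ring listing it.
    Returns (real spend per deduced transaction, surviving candidates otherwise).
    """
    known_spent: Set[str] = set()
    deduced: Dict[str, str] = {}
    candidates: Dict[str, Set[str]] = {tx: set(ring) for tx, ring in rings.items()}
    changed = True
    while changed:
        changed = False
        for tx, cands in list(candidates.items()):
            if tx in deduced:
                continue
            live = cands - known_spent
            if not live:
                # Every member is already spent elsewhere: the input data is inconsistent.
                raise ValueError(f"{tx}: no candidate left, ledger data is inconsistent")
            candidates[tx] = live
            if len(live) == 1:
                real = next(iter(live))
                deduced[tx] = real
                known_spent.add(real)
                changed = True  # a newly proven spend may shrink other rings
    ambiguous = {tx: c for tx, c in candidates.items() if tx not in deduced}
    return deduced, ambiguous


if __name__ == "__main__":
    spent, hidden = deduce_spent_outputs(SAMPLE_RINGS)
    print("real spends deduced:", spent)
    print("effective ring size left:", {tx: len(c) for tx, c in hidden.items()})
```

Note that tx4 is never fully exposed, but its effective ring shrinks from three candidates to two, which is the weakened stealth the text describes.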