How to Anonymize your CryptoCurrencies and CryptoAssets
Required Skills
List of previous knowledge required to understand the paper. Contents that will not be explained and without knowing them it will be very difficult to follow the paper content.
- Familiarity with VMs, Tor, and VPNs
- Own cryptocurrencies
Disclaimer
This method can be used to illegally launder cryptocurrency and cryptoassets. Don’t do anything illegal. There’s your warning.
The paper
When it comes to anonymity, bitcoin doesn’t provide the privacy that we want it to. I would say it was enough back in the day to just use a different address per transaction, but because InfoSec keeps getting bigger and the ledger will always be public, even old transactions aren’t private. In fact, I’d say as time progresses, the privacy of older methods of anonymity surrounding Bitcoin are becoming less and less private. Let’s start from the beginning.
1. Bitcoin is not Anonymous. It’s Pseudonymous.
Then Bitcoin’s ledger is public. That means anyone can download all transactions and de-anonymize others by an attack on k-anonymity. Since cryptocurrencies are the main form of currency on DarkNet Marketplaces (DNM), this has lead to a rise in security firms that specialize in determining who owns certain addresses. While I may not not know who owns addressA, I do know that addressA made a transaction to addressB, which is a known Drug Dealer and who’s private key is held by Coinbase. Enter subpoena to Coinbase.
2. The Feds are collecting important financial secrets
On November 17th, 2016, The United States Department of Justice sent a subpoena to Coinbase and Jeffrey K Berns to request the following:
“The John Does whose identities are
sought by the summons are United States persons who, at any time during the period January 1, 2013,
through December 31, 2015, conducted transactions in a convertible virtual currency.”
-https://www.justice.gov/opa/press-release/file/914256/download
What can the Feds do with Coinbase information?
If, for whatever reason, you used a Coinbase account to assist with private transactions, you’re in trouble. As this currently and will most likely never be the lowest hanging fruit, it is still a very low fruit nonetheless.
3. There are Anonymous Cryptocurrencies
They’re are many cryptocurrencies that specialize in providing private transactions between all parties. Many of the stronger privacy-centric altcoins use CryptoNote’s design to secure privacy, the most popular being Monero (XMR). These technologies include ring signatures and one-time-keys. Here is the whitepaper for CryptoNote. These coins have a high enough entropy, that it’s just improbable that your transactions will be liked. As Bitcoin is 1-to-1 transaction, Monero uses many-to-many approach, and constantly moves your XMR around in wallets you own. Your money doesn’t just sit, it’s constantly moving.
Ring Signatures
One-Time-Keys
And here’s an very nerdy graph. I had to stare at this for some time to understand it, so don’t feel intimidating, especially if you’re new to anonymous cryptocurrencies.
4. Bitcoin Mixers/Tumblers
Bitcoin mixing services have to be one of the most dangerous scams/services out there. About as bad as storing your private keys on a marketplace server, mixing services require you to send your money to a third party, that will then “clean” your money, and return it to one or many addresses you specify. I can’t really emphasize how stupid it is to give anyone/any service your money, without any assurance that it will end up on the other side. The risk is just too great, and yet people spend millions of dollars on these services. The best method for this, is to send micro-payments and hope that if a payment doesn’t go through, you haven’t lost too much.
Privacy: Some tumblers and mixers place your coins into a big pot, and sends it to many different addresses, until it ends up at your designated address(es). In some cases, the coins that enter your destination wallet were never apart of the original transaction. An issue arrises, when you have large enough amounts of money, or you keep your money in your wallet for some time. These are clear indicators that the destination wallet is linked to a source wallet. $40M from one hacked address, and $40M - fees into another wallet that has not had a single transaction in a week builds the case that they are linked. It might not be enough to confirm 100%, but it’s enough to start an investigation.
5. Financial Fruits
Threat and Risk Modeling is critical when it comes to securing your financial privacy. Let’s start with the most risky/dangerous ways of sending and receiving transactions via Bitcoin, and move towards the most privacy centric method.
-
Same address for all transactions, linked SSN / ID to Online Wallet.
This is the worst way of providing any privacy for your transactions. If you use one address and have it linked via your identity, you can kinda kiss any private transaction out the window. The 3rd party that verified your identity knows you and all your transactions, which they might then provide to other ad networks or worse, government agencies. I have known some CryptoAnalysis that will scrape a forum for bitcoin addresses and link them to that user. Do enough mining, and you get see who’s close to whom. -
Multiple addresses for all transactions, linked SSN / ID to Online Wallet.
Again, you have an account/ID linked with at least 1 of your addresses. This is your ID leark. -
Single address for all transactions
While you might not have your identity associated with your bitcoin address, you do have other meta-data that can de-anonymize you. (IP address, cookies, MAC address and untrusted routers, etc). -
Multiple addresses + Mixing/Tumbling all transactions
Still vulnerable to meta-data attack like 3, but less others whom don’t have this metadata to be able to track you. Also able to de-anonymize the mixing process by sitting wallets and large balances. -
Leveraging Anonymous Cryptocurrencies to Anonymize Bitcoin
This is one of the most powerful ways to anonymize your cryptocurrency finances. While there are many exchanges that require personal information, there are a few locations that do not require any information (ShapeShift.io). Be aware, you are STILL susceptible to metadata attacks if you aren’t using VPN or Tor. -
Tor ==> VPN ==> Tor ==> [BTC ↔ XMR ↔ BTC]
So here’s the real deal. While this might be out of most people’s OpSec, this is a critical way of securing your financial privacy via BTC and other Anonymous Cryptocurrencies, while avoiding a metadata attack. This can be managed much more easier with the assistance of Virtual Machines. Qubes is great for this. Whonix Gateway + Whonix Workstation is enough to provide the ability to connect to any blockchain anonymously. You can setup a VM for that’s a VPN “proxy” (technically it’s not a proxy, but you get what I mean) that sits between two Whonix Gateways. A very privacy centric VPN provider is Mullvad. They also allow for 3 free hours via a captcha, just incase you need a VPN because a site blocked tor or something silly. Sticking with Monero, what brings more privacy, is running your own monerod node on a Whonix Workstation. WhonixWS ==> WhonixGW ==> vpnVM ==> WhonixGW ==> Internet. On your Workstation, you would have your Monero and Bitcoin Wallets. Secure your password, seeds, and private keys off the WorkstationVM for security reasons. Shift your BTC → XMR → BTC via ShapeShift.io, and enjoy the financial freedom and privacy of your Bitcoins. For XMR, make sure to use integrated_addresses when sending BTC to your integrated_address, as this provides anonymity of your BTC into the XMR blockchain. Be Aware: If you’re doing anything illegal and ShapeShift can assist with an federal investigation, they will.
6. Busting Threat Actors via Bitcoin Transactions
Because the IRS has launched investigations into different exchanges, we can determine that they, at the very least, have the public addresses of any account used on there. If one corresponds those public addresses with the ones in DNMs such as The Silk Road, which Law Enforcement can obtain via a raid, one can determine more links between illegal actors and their financial “havens”.
Conclusions
Don’t be the lowest hanging fruit, ever. If you care about privacy in terms of your cryptocurrencies or cryptoassets, don’t use mixers. Mix it yourself and leverage anonymous cryptocurrencies you trust. I trust Monero, but if for whatever reason you don’t, use anon coins you do trust. It also doesn’t hurt to use multiple anonymous cryptocurrencies to further increase your entropy and privacy.
There are other methods that can be used to secure your privacy more, but they involve breaking the law or causing fraud. I have only provided legal ways to secure your financial privacy.
Please provide comments, feedback, and references to support your claims. We’re all here to learn, including myself. Happy to share what I’ve seen, to others that are happy to share what they have seen. Thanks everyone!
Resources
K-Anonymity
chainalysis
https://www.plainsite.org/dockets/330oss6rw/california-northern-district-court/-v-united-states-of-america/
https://www.justice.gov/opa/press-release/file/914256/download
https://cryptonote.org/inside/