How Chainalysis made their way into popular Monero wallets

103 points
4 months ago
by xmrdash

Comments


not_a_dane

There is a leaked video from Chainalysis; they basically deploy rogue nodes or reverse proxies able to capture the IP address along with the Monero tx. Before reading the article, I suggest watching that leak.

4 months ago

oefrha

I thought the entire point of cryptocurrency is you operate in an adversarial environment where you can trust no one. In that light calling nodes that log IP addresses rogue seems foolish (it’s not like they’re trying to undermine the protocol, in which case rogue might be the right word); they are exactly what you should expect.

4 months ago

ementally

https://odysee.com/@tuxsudo:6/chainalysis_XMR:69 if it is removed for some reason, there are other copies uploaded.

4 months ago

redrove

I assume running your own nodes and only connecting to them renders the attack moot?

4 months ago

zigararu

Yes, in the Chainalysis video they say clearly that Dandelion++ is very effective so they have no confidence in IP addresses collected in those cases. You need to be foolish enough to directly connect to a malicious node while using your home IP, which obviously will leak the IP. I think a lot of people are just confused by the video because they go through examples that seem very 'constructed' and unrealistic. I mean, this is all very well known information to monero users and I can't believe anyone would be doing important transactions without using their own node and/or I2P/Tor etc

4 months ago

Scoundreller

> I mean, this is all very well known information to monero users and I can't believe anyone would be doing important transactions without using their own node and/or I2P/Tor etc

And I wonder what an estimate is of % of transactions (by volume and value) that are sent from a full node vs public remote node and public web vs tor/i2p.

Obviously won’t be able to get an accurate answer, but one of the remote nodes in that pool might be able to provide some absolute numbers and a rough estimate of their share of connections in that pool.

Should be easy for them to differentiate clearnet vs tor exit node (and dunno how detectable i2p is).

Even the geo-dns mentioned in the article would be interesting data to see geo-source of transactions.

4 months ago

madars

There are multiple attacks in that video. IP is one, but a much bigger one is knowing the real output (or maybe real output plus one other output) among 16 ring signature members. They do not explain how they achieved it but one could guess that maybe by just doing a lot of tx themselves - 15 decoys is just way too small and flooding blockchain with transactions all but ensures that someone picking random ring members will pick a lot of your outputs (and thus have little privacy from you). It is also for sure too small for targeted active attacks (e.g., it is not safe to have repeat interactions with the same entity), see https://www.youtube.com/watch?v=9s3EbSKDA3o You really want more than 16 ring members, preferably all outputs ever created like in Zcash. FCMP work promises to bring similar privacy to Monero but is years on the roadmap.

4 months ago
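An added illustration of the ring-size point raised in the comment above (not part of any comment or of the linked article): how many of the 16 ring members stay plausible when an observer already owns a share of the outputs decoys are drawn from. The function names and the uniform, independent decoy-selection model are assumptions made for this sketch.

```python
# Added example: effective ring size when an observer owns a share of outputs.
# Assumption: each decoy is drawn independently and uniformly from all outputs
# (real wallets weight selection by output age, which this model ignores).
from math import comb
import random

def expected_candidates(ring_size: int, share: float) -> float:
    """Expected ring members the observer cannot rule out (real spend included)."""
    return 1 + (ring_size - 1) * (1 - share)

def prob_at_most(ring_size: int, share: float, candidates: int) -> float:
    """P(the ring shrinks to <= `candidates` plausible members)."""
    decoys = ring_size - 1
    # The real spend is always plausible, so the ring has <= candidates
    # plausible members when at most candidates-1 decoys are NOT observer-owned.
    return sum(
        comb(decoys, k) * (1 - share) ** k * share ** (decoys - k)
        for k in range(0, min(candidates - 1, decoys) + 1)
    )

def simulate(ring_size, share, candidates, trials=20000, seed=1):
    """Monte Carlo cross-check of prob_at_most using a seeded RNG."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        # 1 for the real spend plus every decoy the observer does not own.
        unknown = 1 + sum(rng.random() >= share for _ in range(ring_size - 1))
        hits += unknown <= candidates
    return hits / trials

if __name__ == "__main__":
    for share in (0.1, 0.5, 0.8, 0.9):
        print(f"share={share:.0%} "
              f"expected={expected_candidates(16, share):5.2f} "
              f"P(<=2 of 16)={prob_at_most(16, share, 2):.4f} "
              f"P(<=2 of 128)={prob_at_most(128, share, 2):.2e}")
```

The last column repeats the calculation for a hypothetical 128-member ring to show how quickly a larger ring lowers the chance of being narrowed to one or two candidates under the same assumed share.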

popol12

TLDR: no

Your own node is connected to other nodes to get latest blocks and publish transactions to the network. These peers are selected randomly among the pool of available nodes. If the attacker has enough nodes, there is a good probability that your node's peers are partly controlled by the attacker. When you publish a new transaction and broadcast it to your peers, the attacker can detect that it is indeed a new transaction (since it is the first time it's seen by the attacker nodes) and that the IP address of your node is the IP address of the transaction sender. It's not going to work 100% of the time (except if _all_ your node's peers are controlled by the attacker) but with a few transactions it's eventually going to lead the attacker to your IP address.

It's the same kind of attacks that are used to deanonymize people on TOR.

If you want to protect yourself from that, you need to add a few layers of trusted no-logs VPN in front of your node, so that the attacker is led to a dead end.

4 months ago

tromp

> When you publish a new transaction and broadcast it to your peers, the attacker can detect that it is indeed a new transaction (since it is the first time it's seen by the attacker nodes) and that the IP address of your node is the IP address of the transaction sender.

You're assuming that peers will relay new transactions to all their peers, but that is not the case with the Dandelion protocol that Monero adopted [1].

[1] https://resilience365.com/dandelion-for-monero/

4 months ago

popol12

Yes, you're right. However, even if Dandelion makes this task harder, the task remains essentially the same: controlling a significant amount of nodes.

4 months ago

zigararu

What proportion of nodes? There are papers that analyse it but I haven't read closely or found a clear answer.

I suppose even if they controlled all but 2 nodes - the extreme case - even then they couldn't know with certainty which of the 2 nodes sent the transaction, so it could be argued that there is always plausible deniability.

4 months ago

popol12

Let’s call these 2 nodes N1 and N2. The case you mention only works if N1 is connected to the network only through N2, in which case when the attacker’s nodes receive a new transaction from N2 there is plausible deniability for both N1 and N2. In any other network topology, N1 and N2 are broadcasting their transactions to the attacker’s nodes, which can then link them directly to N1 or N2. So no, this attack doesn’t require owning all the network.

I don’t know which threshold makes the attack practical though. I guess there is probably no threshold: the bigger the share of the network you own, the bigger your percentage of successful IP tagging is.

4 months ago

zigararu

I don't think that's how Dandelion++ works; one of us is mistaken. In any network topology, I think it is possible that in the first step of the stem phase the transaction is propagated only from N1 to N2. It will be impossible for the other nodes to know if that happened or not, so they can't know whether N1 or N2 transmitted the transaction first. I could be mistaken but this is how I understand it.

I agree with what you say about the threshold.

4 months ago

redrove

It seems we can combat this kind of attack as a community by just running more nodes.

4 months ago

swinglock

It seems an attacker can combat that defense by just running more nodes.

4 months ago

greener_grass

Are there still websites where you can submit transactions as text via a web form?

You could craft your transaction and then submit it using a browser on Tor.

4 months ago

omgtehlion

Even more: they are too lazy to run real nodes, they just proxy to others' real nodes and collect information on the way.

4 months ago

earnesti

What is lazy about that? Their goal is just to collect info, not to run nodes. The right term is "effective".

4 months ago

vlugorilla

Basically, Chainalysis was able to gather more off-chain metadata (IP in this case, by setting up IP-logging nodes) that then helped them narrow down some heuristics to try to guess some things on the blockchain. From the leaked video, they can't trace anything and they say "Monero is awesome". Cool.

4 months ago

earnesti

The article doesn't really explain how that helps Chainalysis to track the transactions.

4 months ago

yamrzou

They run "malicious" nodes, to capture IPs and timestamps, and possibly correlate that with transaction data from exchanges.

See: https://x.com/tuxpizza/status/1833251940429377639

The leaked video is here: https://x.com/tuxpizza/status/1832073169978487057

4 months ago

rvnx

A bit like Tor if you think about it

4 months ago

nunobrito

That would make a lot of sense.

4 months ago

486sx33

“possibly correlate that with transaction data from exchanges”

So it gives them an IP that might be associated with a transaction …

Monero is still by far the best we’ve got for privacy

4 months ago

yamrzou

Related: Chainalysis Successful Deanonymization Attack on Monero https://darkwebinformer.com/chainalysis-successful-deanonymi...

4 months ago

mrkramer

Reminds me of this case: https://b10c.me/observations/06-linkinglion/

Btw, I wish Satoshi thought more of the concept of nodes' reputation so you can somewhat know how efficient and legitimate the node is.

4 months ago

petertodd

The problem is legitimacy in this case is not keeping logs. That is impossible to prove. The best you can do is human scale things like "how likely is it that Joe is a fed?", which can't be automated.

4 months ago

mrkramer

> The best you can do is human scale things like "how likely is it that Joe is a fed?", which can't be automated.

I agree with that but is there a site which analyses efficiency of the mining nodes from the economic point of view, e.g. how fast the nodes confirm transactions, how much fee they charge/take on average etc. etc. The good old statistics which are sexy to see and observe over time.

P.S. I have this one in my bookmarks directory: https://mempool.space/ are there any others? I didn't follow the crypto scene for the last 5 years so idk.

4 months ago

petertodd

No offense, but your understanding of how Bitcoin works is quite incorrect. There aren't publicly accessible "mining nodes". Rather, there is a P2P flood-fill network of tens of thousands of nodes, of which a tiny % belong to miners. What nodes are actually operated by miners is very difficult to figure out, and that's a good thing.

All miners confirm transactions essentially the same way: highest fee has priority because that's the most profitable way to mine (specifically, feerate: fees/byte). There's no such thing as confirming transactions "faster" or "slower": blocks are found on average every 10 minutes, and all miners have (essentially) the same set of candidate unconfirmed transactions because the P2P network reliably propagates all candidate transactions paying sufficient fees to all miners (there is a dynamically adjusted minimum feerate limit, below which transactions don't propagate, which prevents spam).

4 months ago

mrkramer

I'm interested more in the game theory behind mining and corresponding economic stats....for example mempool.space tells me:

Reward stats (Last 144 blocks):

Avg Tx Fee, 1.01k sats/tx, $0.58

Avg Block Fees, 0.0449 BTC/block, $2,592

Miners Reward, 456.46 BTC, $26,352,619

4 months ago

nunobrito

Thank you for the investigation. It was very well done.

4 months ago

nabla9

Finland recently had a significant attack against one of Finland's largest psychotherapy clinics, Vastaamo. The criminal stole all personal information + therapy notes, then started to blackmail the company and patients (over 20k victims, many of them very vulnerable, leading to suicides).

National Bureau of Investigation traced the hacker through a Monero transaction. First they sent 0.1 Bitcoin to the blackmailer's address and used that for statistical analysis tracing the money into and out of Monero.

ps.

The police decrypted the 64-character password that was used to protect sensitive data on his hard drive. It was not random enough.

They 'took a fingerprint' from a digital image and used it for identification. The criminal on the run took a photo showing only his hand holding a glass. It was enough to see a fingerprint.

4 months ago

nunobrito

That statement is incorrect. The payment was made in bitcoin to a wallet on binance: https://www.bleepingcomputer.com/news/security/vastaamo-hack...

Inside binance the attacker converted the money to monero and from there the trail was lost but they already had enough personal info from binance to inspect his personal bank accounts.

In summary, Monero remains untraceable. Even more now that the governments forced binance to remove monero support. Now attackers will use centralized exchange sites where no western authorities can ask for help or simply use decentralized P2P exchanges.

4 months ago

nabla9

Statement is correct.

Monero remains technically untraceable, not in practice. Money must go in and out to be useful and it can be traced.

The payment was made into a bitcoin address, then transferred into Monero, then it was sent into another Monero wallet. After that they used statistical analysis to determine the most likely receiver.

All sections of the additional investigation report where KRP discloses its methods have been retracted. Details about the analysis of Monero traffic are not revealed.

4 months ago

nunobrito

Fortunately it was an incredibly inexperienced criminal.

There are details about the Monero analysis, it is written on the report they lost track of the money when it got sent to a monero wallet.

How it was guessed: "KRP claims that by employing heuristic analysis involving educated guesses based on patterns and probabilities, they could infer the most likely path of the funds.

The small amount, together with other funds, possibly from victim payments, was sent to a second Bitcoin address linked to the same email address, which was later found to be linked to an email server managed by Kivimäki."

There isn't much magic here. In a small country it is fairly easy to spot anomalies across bank accounts. That's it.

4 months ago

ruthmarx

> Statement is correct.

No, it wasn't, and please admit that.

You claimed law enforcement traced the attacker through Monero. They didn't. They couldn't. They traced him through Binance.

4 months ago

Tiberium

"Money must go in and out to be useful and it can be traced." - not if you pay directly in Monero.

4 months ago

nabla9

When people start paying their toilet paper with Monero that becomes an issue.

4 months ago

jamil7

Are you arguing that the attacker would have to eventually exchange XMR for something they could purchase goods with, like toilet paper? Because I think that's shifting the original argument a little. The point being made is that had they had the victim(s) buy XMR on an exchange and send it directly to their XMR wallet and maybe cycle it through a few wallets, it would not have been traceable, which still holds true.

How the attacker would actually use that money is a separate discussion. I've never looked into it but I'd guess there are illegal/grey services that would provide this service for a fee.

4 months ago

futuramaconarma

A few sites you can buy $500+ gift cards with them for low fee

4 months ago

nabla9

Original argument: In this instance police was able to trace a Monero payment through statistical analysis. Monero is technically safe, not necessarily in practice.

> and maybe cycle it through a few wallets,

Your argument: Monero + extra protocol is safe.

The general pattern of these arguments:

Argument: Technology X is not necessarily 100% safe.

Counterargument: there exists a way to use the technology safely, so it is.

4 months ago

nunobrito

Cycling through a few wallets is unnecessary, that is mostly applicable to bitcoin users trying to make their transactions harder to follow.

In monero there is privacy on each transaction. Of course it isn't complicated to match public transactions if you transfer 100k EUR from binance to monero and then magically 99k EUR are credited into your personal bank account within 1~2 days. Finland is a small country, deposits from bank accounts related to crypto exchanges are easy to find.

Not even monero could save a person with such awful practices.

4 months ago

jamil7

You may or may not be correct that Monero is not untraceable but this example doesn't prove or disprove anything because the transaction wasn't entirely in Monero. Your argument seems to be about the traceability of the whole extortion process rather than the tech, which I think everyone agrees leaves a lot of room for error.

4 months ago

nunobrito

If the person would have made 2~3 payments to his account with different values or waited a year, binance records wouldn't look so suspicious. In fact, why the heck was that dumb guy even using binance to begin with.

Anyways, you can pay toilet paper with monero quite OK. Just convert some value into a government-approved currency like bitcoin or BNB and buy stuff with a mastercard at grocery stores.

4 months ago

Borgz

The hacker accidentally published their entire home directory (including ~/.ssh) along with the stolen patient records, which I imagine made things pretty easy for the authorities.

https://krebsonsecurity.com/2022/11/hacker-charged-with-exto...

4 months ago

kuskosho

> The police decrypted the 64-character password that was used to protect sensitive data on his hard drive. It was not random enough.

Any source of this? Was this some bitlocker or another FDE?

4 months ago

edm0nd

That is not how the hacker was caught.

He was caught because he uploaded all of the stolen data but accidentally included a directory of all his passwords and personal information.

4 months ago

dgellow

That was in 2022, no?

4 months ago
