Unlike its unknown creator, the world’s first blockchain is not truly anonymous. For a techno-utopian currency that found its first mainstream use in illicit transactions on the dark web, Bitcoin is surprisingly traceable nowadays. New techniques for linking pseudonymous addresses now allow independent analysts and law enforcement agencies to unveil real identities behind alphanumeric cloaks.
Our latest addition to the “DeFi 101” series looks at the different levels of anonymity in Bitcoin and other blockchains, discussing the linkability between pseudonyms and physical identities and how to protect yourself against privacy-related security risks when using crypto.
“In Code We Trust”
Bitcoin’s inventor, only known by his pseudonym of Satoshi Nakamoto, conceived of his new financial creation as not only trustless and inflation-proof but also anonymous. Bitcoin’s 2008 whitepaper positioned the new electronic money system as a leap in digital privacy, where “… the real world identity of the parties of a transaction can be kept hidden from the public”. Even though cryptographic proofs would require a record of everyone’s transactions to be visible to all, real user identities would forever remain cloaked under their 26–35 character-long pseudonyms.
It was this promise of anonymity that would go on to inspire the currency’s first mainstream adoption as a medium of exchange on Silk Road, the most famous darknet marketplace, launched in 2011. Half a year later, WikiLeaks announced that it would start accepting donations in Bitcoin, signaling that it too placed trust in the currency’s untraceable and anonymous nature. Only over time did it become clear that the anonymity Bitcoin offered was far from airtight.
Follow the Money
Recent high-profile busts — with $3.6bn seized by the authorities following the Bitfinex hack and $2.3m recovered in connection with the Colonial Pipeline hack — have once again reminded everyone that Bitcoin is far from anonymous. Independent analysts and law enforcement agencies can now leverage information about user online behavior and exploit blockchain operational features to link physical identities to pseudonymous addresses.
The tracing process can be resource-intensive, but the identities behind Bitcoin’s addresses are some of the easiest to crack. This much has been admitted by one U.S. Drug Enforcement Association (DEA) agent, who confessed to Bloomberg back in 2018 that she wanted criminals to continue using Bitcoin because it gave the agency more tools to trace their transactions and eventually find out their identities.
That is because as soon as a Bitcoin address is linked to a physical identity once — e.g., it was topped up from an exchange with Know-Your-Customer (KYC) checks or was shared on a personal blog — it is no longer anonymous. And since its entire transaction history is publicly visible, it becomes relatively easy to look up whether any bitcoins were sent to addresses associated with illicit activity.
Bitcoin’s 2008 whitepaper suggests creating a new address for every transaction. Nevertheless, if the new wallet is topped up from another address associated with your physical identity, that only trivially obscures the payment origin. Moreover, data leaks are also quite common since Bitcoin is an ordinary peer-to-peer network that exposes users to various network-level attacks. Everyone between the user and the network (say, Internet Service Provider) can reveal the “anonymous” user’s IP address.
Worse yet, even taking more precautions today may not protect your anonymity in the future. Because a record of all transaction data is forever kept on the immutable public ledger, future data leaks and more advanced linking techniques will undoubtedly uncover some of the identities behind the transactions we consider “anonymous” today.
Hidden from Public Eyes
Protecting your anonymity and privacy when transacting in crypto is all about severing the links between your pseudonyms and your physical identity. And since anonymity is not a binary choice — it comes in a spectrum from completely public to fully private — each extra precaution you take is likely to increase the level of anonymity you can achieve.
A Virtual Private Network (VPN) is a good place to start. A VPN will reroute your internet connection through a different IP, masking your actual location and preventing some network-level attacks. Nevertheless, remember that some VPN providers might still be able to monitor your traffic and that using a VPN service in combination with Tor, an anonymous browser, might compromise your privacy unless you know how to configure the two correctly.
Tumblers and Mixers are services designed to break traceability. In a process some call “virtual money laundering”, your tokens are mixed with those from thousands of other addresses. The same amount (minus a small fee) is then sent to a different address of yours, thus obscuring the origin. Just remember that sending your tokens to a tumbler directly from a KYC exchange might be considered a red flag.
CoinJoin is a similar feature used in some privacy wallets like Samourai and Wasabi, where multiple payments are combined in a pool first and then distributed to recipients accordingly. The transactions are thus obscured and more challenging to trace.
Nevertheless, it is probably fair to say that unless you can buy Bitcoin directly from someone off a street corner, the above-mentioned methods will only go so far. To ensure a truly high level of anonymity, it is best to ditch Bitcoin entirely.
Privacy tokens are cryptocurrencies with built-in privacy features, which are much better at severing the links between different user addresses and interactions. Some of the major ones use truly mind-boggling cryptography. ZCash uses zero-knowledged proofs (zK-SNARKs), Dash has a PrivateSend feature, Beam utilizes MimbleWimble algorithms, and Monero employs ring signatures. All of these techniques are used to ensure that transactions are truly trustless and to make tracing a computationally infeasible task.
About Lossless
Restoring trust in web3 security. Lossless incorporates a new layer of blockchain transaction security, protecting projects and their communities from malicious exploits and the associated financial loss.
Lossless protocol implements an additional layer of blockchain transaction security for ERC-20 standard tokens, mitigating the financial impact of smart contract exploits and private key theft. Lossless protocol utilizes community-driven threat identification tools and a unique stake-based reporting system to identify suspicious transactions, providing real-time protection.
Twitter | Platform | Telegram | Discord | Website | Documentation | Github
