Deanonymizing Tor: Your Bitcoin Transactions May Come Back To Haunt You

jwhyche, Slashdot reader #6,192, writes: If you bought some illegal narcotics off Silk Road or even gave money to Wikileaks. Researchers at Qatar University and Hamad Bin Khalifa University have been able to link these transactions with real world identities. They have been able to do this even if the transactions are years old. Their research shows how easy it is to link accounts to these transactions without using any of the tools available to law enforcement like search warrants or subpoenas.
The researchers started with 88 unique bitcoin addresses from Tor hidden services, and then searched 5 billion tweets and 1 million pages on the Bitcoin Talk forum -- ultimately linking 125 unique users to 20 Tor hidden services. "Bitcoin addresses should always be considered exploitable," the researchers conclude, "as they can be used to deanonymize users retroactively."

Their paper is titled "When a Small Leak Sinks a Great Ship: Deanonymizing Tor Hidden Service Users Through Bitcoin Transactions Analysis," and Wired summarizes one of their conclusions. "Even deleting profile information that includes bitcoin addresses may not be enough if a post has been cached or captured by services like the Internet Archive, they point out. 'If you're vulnerable now, you're vulnerable in the future.'"

Schadenfreude

[Petersko]

HAHAHAHAHA

Re: Schadenfreude

[dougdonovan]

haunt me again bitcoin...my banker calls me weekly with good news.

Re:

[gnasher719]

haunt me again bitcoin...my banker calls me weekly with good news.

Of course he or she does. We all believe you.

Re:

[Pseudonym]

Yes, my doctor told me during a house call, while I was getting a coal delivery. Now if you'll excuse me, I need to get some carbon paper for my typewriter.

Re:

[PRMan]

Exactly. I already made 10 times and still have some left. Poor me.

one-time-use addresses

[phantomfive]

FWIW you can easily choose a one-time-use bitcoin address to deal with this problem. Some people advocate using a different address for each transaction (for example, if you are selling a lot of things, give each customer a different address, that way you can tell who has paid you).

OTOH bitcoin transactions are inherently traceable, so even if there's no known way to determine who you are at this moment, in the future someone might figure out a way.

Re:one-time-use addresses

[vadim_t]

This stopped working in the current state of Bitcoin, because you pay a fee for the amount of data you use on the blockchain, and the more addresses you accumulate, the more horrible the fees become.

Fees have got so high that addresses with a small balance (somewhere around $15-ish last time I checked, which is crazy) are effectively lost, because the fee is higher than the amount stored in the address.

The problem compounts for paying people. If I want to send you $15, I may have to spend somewhere around $15 in fees to do so, costing me a total of $30. At the end of this you will have an address with $15 worth on it, but which can't be actually spent, so I paid you, but you have effectively nothing anyway. At this point either you bump your prices, or try to consolidate your accounts through a very low fee transaction that might or not get processed, and that may take a week or so.

TL;DR: The modern bitcoin is completely useless as a payment system, and only remains of interest to people who hoard it and hope the price will rise. I expect it to crash and burn eventually as the realization sets in that it's not good for anything anymore except as a kind of gambling system.

Those people interested in something that approximates a currency can go with Bitcoin Cash, which is a fork that's far more in line with what Bitcoin used to be, or something else like Ethereum.

Re:

[vadim_t]

True, but that only makes the problem worse. The people and companies that accept BTC as payment don't use it as an independent system unrelated to everything else, but as something that converts to USD.

So if the minimum fee is 0.001 BTC, at $1/BTC that amounts to nothing, and at $10K/btc it's now $10 USD.

Bitcoin has a 1MB block size limit, which means people are also competing to get their transactions accepted by the network. The more competition there is, the higher the minimum fee rises.

Bitcoin also has

Re:

[borcharc]

But thankfully the minimum fee has never been 0.001 BTC. Some crappy services have charged this, but that isnt what the miners charge unless you have a very edge case UTXO. Take a look at the mempool, its empty. 6 stat/B transactions are getting included in the next block. The fee competition was the result of spam attack. Bitcoin transaction volume hasn't collapsed but the fees did as soon as the spam ended.

Re:

[mentil]

I heard the miners caused the 'spam' in order to drive up the fees and thus their own profits. What's preventing this from happening again?

Re:

[vadim_t]

I used 0.001 BTC as a round value to illustrate the problem. Currently I'm getting a suggestion of a $4 fee to send $10. Just slightly less insane than it used to be.

The mempool is sure as heck not empty, and hasn't been in a long time: https://blockchain.info/en/cha... [blockchain.info]

Bitcoin volume can't collapse in the current state because the blocks are always full. There's more people wanting to use the network than resources the network has, so a reduction in interest still results in full usage of what there is.

The

Re:

[LynnwoodRooster]

So back when one BTC would buy a Big Mac, you suggest we should still pay one BTC for a Big Mac? That, by pricing something in BTC, you've "severed" it's connection to real-world currencies?

Re:

[gweihir]

TL;DR: The modern bitcoin is completely useless as a payment system, and only remains of interest to people who hoard it and hope the price will rise. I expect it to crash and burn eventually as the realization sets in that it's not good for anything anymore except as a kind of gambling system.

This. I hope it crashes soon, I need a new graphics card and the market is either dry or you pay insane prices. This madness has to stop.

Re:

[gweihir]

I see the Bitcoin morons are getting more butt-hurt and even more stupid. Excellent. Please continue. And I do hope you never recover economically.

Re:

[gweihir]

I agree with you on all points, except that in order to be caught with your pants down in this way in the first place, you usually have to be pretty stupid and greedy. This was just an opportunity to insult them that I found myself unable to resist. Happen sometimes. And I will definitely watch the show when it all goes down in flames.

Re:

[gweihir]

There is also the little problem that manufacturing BC mining-ASICs takes production capacity away from other things and that does affect gfx-card prices and availability. But I expect that argument will fly right over the hollow heads that drive this madness.

Re:

[DontBeAMoran]

If Bitcoin crashes and Monero takes its place, then you haven't even seen what high GPU prices look like yet.

Re:

[gweihir]

An AC that is desperately envious? Hehehehehehe. You fucked up your life, but I did not.

Re:

[gweihir]

Who said I was envious?

I said it, because it was absolutely obvious. And you know it is true. Gotcha.

Re:

[Zontar The Mindless]

And I play LBreakout. Daily.

Deal with it.

Re:

[PRMan]

Those people interested in something that approximates a currency can go with Bitcoin Cash

Yes, let's go with something owned entirely by Chinese miners. No chance of a 51% attack by the Chinese government there.

Re:

[borcharc]

LOL brand new 6 stat/byte tx's ($0.0069) are getting included in the next block. fees are the lowest they have been for some time now that the spam attack has stopped. Your post demonstrated absolutely zero domain knowledge.

Re:

[StikyPad]

0.0001 what? BTC(C?) If Bitcoin Cash (or any other currency) becomes successful, it will inherently become a victim of its own value. It's like trying to use gold as cash when the supply is fluctuating faster than people can calculate the value.

The problem with cryptocoins is that they inherently represent value proportional to the amount of work they took to create. They are *always* valued (or worthless) based fundamentally on their intrinsic properties, and that makes them an asset, not a currency.

Th

Re:

[JesseMcDonald]

This [one-time-use addresses] stopped working in the current state of Bitcoin, because you pay a fee for the amount of data you use on the blockchain, and the more addresses you accumulate, the more horrible the fees become.

It makes no difference whether you use the same address or a different address. The fee is relative to the transaction size (in bytes); transaction size depends mainly on the number of inputs and outputs; and each time you receive funds, whether to an existing address or a new one, it creates a new output which requires a separate input in the spending transaction. If you make a payment using funds received in five previous transactions to the same address you pay exactly the same fees as you would if it ha

Re:

[gweihir]

Indeed. Bitcoin is not designed for anonymous payment, just for pseudonymous payment. That is something else entirely. All these people thinking Bitcoin is anonymous have either not bothered finding out any facts or are just kidding themselves. This has basically been known since Bitcoin exists and no expert is the least bit surprised by research results such as this one.

Anonymity must be a primary design goal in a communicating system or it will not be there. Sure, the effort for identifying a person will

Re:

[gravewax]

Bitcoin isn't really designed for payments full stop. The design lends itself more as an investment avenue as you can't realistically have a transaction system that takes minutes (or more realistically at the moment hours or days to confirm) and costs significant amounts of money for the privilege of a transaction slower than any of the traditional transfer mechanisms

Re:

[phantomfive]

Yeah, bitcoin is a transaction system, not a money laundering system.

so, uh, ...

[Anonymous Coward]

how come no one can catch these supposed hackers who make off with millions of dollars of coin?

on the other hand i always knew this kind of shit was going to happen so i never used it. only the paranoid survive as andy grove said.

Re:

[DontBeAMoran]

Wait, there's a flaw in your reasoning... what about the theme park and blackjack?

Re:

[sound+vision]

But there are mechanisms in the law where the exchanges are, which require the exchange to pay out to people who hold accounts. The exchange doesn't need to perform any criminal activity to gain BTC - they already have it. They just don't want to pay out. When they delete it, they don't have to.

Re:

[CaptainDork]

.. vigilante justice ...

Like swatting?

Re:

[Zontar The Mindless]

At least some of them live in countries where some upright citizen can tip off the authorities about their anti-government activities, and they just might not ever be heard from again.

So all this time the NSA could have done that?

[Babel-17]

And totally coincidentally it's served as a great tool for the NSA to get the international underworld, and terrorist rings, to identify themselves? Though it's inconceivable that anyone could have anticipated this so as to use it as a financial honey trap. It would take oodles of time, lots of resources, and a disregard for cost. ;) https://en.wikipedia.org/wiki/... [wikipedia.org] https://www.youtube.com/watch?... [youtube.com]

Re:

[AHuxley]

Yes but tracking is more interesting than telling people how they are been tracked and what to stop doing to avoid been tracked.
US law enforcement considers cyber as one big information only report. Everything is been tracked but no lawyer, human rights group, FOIA is going to find out collect it all methods.

Monero

[Plugh]

Monero [slashdot.org] is where the darknet markets are moving to, away from Bitcoin. The blockchain is itself encrypted, and soon it will be integrated with I2P

It's still stealing.

[Anonymous Coward]

You're still making up imaginary wealth, to devalue the wealth of everybody else (via inflation), and haven't worked a fucking second for it!
No, the work of sneaking in and stuffing shit into a bag does not qualify. Nor does the work of telling others to do your work for you.

Meanwhile, we here... the normal people, have actually made something of worth for our money. I created toys that allow children with disabilities to do the exercises that cure them while having a lot of fun and staying motivated. Your

A have to be reading this wrong.

[Fly Swatter]

But is it saying they just searched for idiots that publicly posted their bitcoin address under their real name? Wouldn't that be like tracking down a phone number to it's owner because they stupidly posted it publicly somewhere on the web?

It can't be that simple if it's called research, can it?

Re:

[slashrio]

How can we be identified through other people tweeting their wallet addresses?
I guess I'm the one missing here something.

Re:

[jwhyche]

Indeed, but some times the best research is simple research.

But what I took away from the article isn't that they could look up a bunch of idiots that used easy track able information in their transactions. But that if they could do this with little effort, what could a government agency do if they put their mind to it.

Re:

[PRMan]

That's exactly what it said. "If you bragged about a transaction amount or address on Twitter or on a Bitcoin forum, we can link you." Wow. However did you do that?

Re:

[hey!]

No, the researchers were able to us normal investigative techniques to recover real names. It'd hardly be news if someone's ID was determined because they told the world, would it?

I've long thought most Bitcoin users are naively confident that Bitcoin by itself protects their identity. This is typical in tech -- people rely too much on the properties of the technology to keep them safe and don't put enough thought into how they use the tech. Even if Bitcoin were technically perfect, every place where yo

Yup, those are two things I conflate all the time

[93 Escort Wagon]

1) Buying illegal narcotics on the Silk Road
2) Giving money to Wikileaks

Re:

[Pseudonym]

It's a reasonably standard English idiom, and extremely common in Slashdot writeups, to use constructions of this form: If [bad thing], or even if [fairly innocent thing], then [bad consequence either way].

Captain Obvious...

[Anonymous Coward]

Bitcoin is not, and was never intended to be, anonymous. It has always been pretty easy to associate a wallet with a person. Every transaction you make is public record on the Bitcoin blockchain.

Inaccurate Headline

[Anonymous Coward]

They did not deanonymize *TOR*, the onion router network for anonymizing web traffic. They deanonymized Bitcoin transactions.

Tor != Bitcoin.

XSPEC...

[D,Petkow]

with native obfs4 implementation and TOR integration. BOOM!

Okay???

[cshark]

So... what's the takeaway here?
If you're a criminal, don't advertise on the overnet with the same address you're using for crime?
Duh.

I mean, that should be obvious.

Show of hands

[JustAnotherOldGuy]

Okay, let's have a show of hands- who didn't see this coming?

Anytime anyone claims something is "anonymous" or "untrackable", bet on them being wrong.

There's nothing that's truly "anonymous" or "untrackable" and yet people keep falling for these absurd claims.