Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bitcoin Is Not Anonymous After All

Posted by samzenpus on from the pulling-back-the-curtain dept.

Taco Cowboy points out a new study that shows it is possible to figure out the IP address of someone who pays for transactions anonymously online using bitcoins. "The Bitcoin system is not managed by a central authority, but relies on a peer-to-peer network on the Internet. Anyone can join the network as a user or provide computing capacity to process the transactions. In the network, the user's identity is hidden behind a cryptographic pseudonym, which can be changed as often as is wanted. Transactions are signed with this pseudonym and broadcast to the public network to verify their authenticity and attribute the Bitcoins to the new owner. In their new study, researchers at the Laboratory of Algorithmics, Cryptology and Security of the University of Luxembourg have shown that Bitcoin does not protect user's IP address and that it can be linked to the user's transactions in real-time. To find this out, a hacker would need only a few computers and about €1500 per month for server and traffic costs. Moreover, the popular anonymization network "Tor" can do little to guarantee Bitcoin user's anonymity, since it can be blocked easily."

15 of 115 comments (clear)

  1. Aw man by Anonymous Coward · · Score: 5, Funny

    Now that hitman I hired to kill my bookie's drug dealer is going to be able to hire a hacker to find me.

  2. It never was by Anonymous Coward · · Score: 3, Insightful

    Only idiots thought it was anonymous.

  3. Duh by Aighearach · · Score: 5, Interesting

    Anonymity was never a feature. Whoever thought that didn't read the bitcoin summary. ;) You not only know where it came from, you know where it has been, too.

    The only reason it is popular is that governments didn't have tracking in place so it gained popularity as a currency for drug purchases. They do now have that tracking in place, however, so that ship sailed.

    I think the paranoid anti-government crowd are just not good enough at comprehension to know what they're saying or why. They heard that bitcoin was anti-government, so they decided it must be full of magical anonymous unicorns with anonymous rainbow farts.

    1. Re:Duh by Aighearach · · Score: 3, Insightful

      They have confiscated enough bitcoins that they can actually track most of the market now, for various reasons that have been explained on slashdot in the bitcoin-related stories.

      No noticeable country says that bitcoin is illegal. Barter is legal almost everywhere, so currencies are also legal. And the fact is, when it comes to bitcoin the US Government is a major market participant at this point.

      Bitcoin is way less anonymous than US Dollars, there is no question of that. No question at all. So if you're self-identifying as one of the "anti-government types," then yes, that is exactly what I was talking about. You believe something less anonymous to have been a step towards anonymity. You seem to fail to notice that I didn't pass any judgment or present any opinion on if anonymous payment is good or bad. I'm just pointing at the popular set of opinions that contract themselves. I would expect people who really believe in anonymous payment to use only non-electronic payment, at least until there is some sort of central authority that is trusted to maintain anonymity can back an electronic currency. You can't have a fiat currency without trust; you either need a trusted central authority, or the ability to track units of currency back to their original source, as in bitcoin. Lacking those, the most anonymous you can be is with cash, and things like CC cards purchased with cash, gift cards, or even money orders using an unknown alias.

      And how can bitcoin be a protest against unjust laws, when bitcoin is legal? That makes no sense at all.

  4. FUCK SAKE! It was NEVER anonymous by Anonymous Coward · · Score: 3, Insightful

    Bitcoin was NEVER meant to be anonymous. EVER.

  5. Every single transaction is broadcast to the world by Michael+Woodhams · · Score: 2, Informative

    And you can absolutely guarantee that the three letter agencies remember every one of them. They can look at who you've made transactions with and usually get a very good idea just from that who you are. I imagine they get more from fronts and hacked/infiltrated organizations. If they need more and you've ever transacted with a commercial entity within their jurisdiction, you are a National Security Letter or local equivalent away from being identified.

    This IP address thing is like discovering that the back door is unlocked and open when the front door is secured by a piece of string.

    --
    Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
  6. The article is wrong. by ASDFnz · · Score: 2, Insightful

    Apart from the whole "bitcoin is only pseudo-anonymous" anyway, the article is wrong.

    The IP you can trace a transaction back to is only the IP of the person that told you about the transaction. So unless you're connected directly to the person that made the transaction on the p2p network you're just getting the IP of the client that told you about it. Even then, you don't know if that is the person making the transaction or someone telling you that the transaction was made.

    Bad research by people who should know better.

    1. Re:The article is wrong. by TubeSteak · · Score: 5, Informative

      The IP you can trace a transaction back to is only the IP of the person that told you about the transaction.

      Try reading the paper.

      The crucial idea is that each client can be uniquely identied by a set of nodes he connects to (entry nodes). We show that this set can be learned at the time of connection and then used to identify the origin of a transaction.

      The crucial
      idea of our attack is to identify each client by an octet of
      outgoing connections it establishes. This octet of Bitcoin
      peers (entry nodes) serves as a unique identier of a client
      for the whole duration of a user session and will dierenti-
      ate even those users who share the same NAT IP address.
      We showed that most of these connections can be learned if
      the attacker maintains connections to a majority of Bitcoin
      servers. Then we show that the transaction propagation
      rules imply that the entry nodes will be among the rst
      that report the transaction to the attacker. As soon as the
      attacker receives the transaction from just 2-3 entry nodes
      he can with very high probability link the transaction to a
      specic client. Moreover a sequence of successfully mapped
      transactions can help the attacker to track dynamic changes
      in the entry node set, to keep the client identier fresh. The
      cost of the deanonymisation attack on the full Bitcoin net-
      work is under 1500 EUR.

      /all spelling mistakes are in the original text

      --
      [Fuck Beta]
      o0t!
  7. clickbait study by TheCarp · · Score: 2

    I find it hillarious that they so easily conclude tor doesn't fill these gaps because they deem it too easy to break. That right there is some pretty extraordinary claim, I would want to see them do it if its so easy.

    I don't think there is any evidence that tor, in this particular use case, is actually so easy to break. So far all evidence is that weaknesses lie in the services behind hidden services, in browsers used to use web based services in particular, and potentially in hidden services themselves.

    A bitcoin node transmitting transactions really should be pretty safe, and if they have any evidence to the contrary, that would be much more interesting than their hand waving clickbait claims.

    --
    "I opened my eyes, and everything went dark again"
  8. And that killed the whole article by dindi · · Score: 2

    " Moreover, the popular anonymization network "Tor" can do little to guarantee Bitcoin user's anonymity, since it can be blocked easily"....

    What does this sentence even mean?

    Bitcoin (Litecoin, Maxcoin, *coin (ok, most) ) can use a proxy. This proxy can go through TOR, I2P, 55 VPNs zig-zagging over the globe.

    Bitcoin is Anonymous as you don't need to provide your identity. All transactions are however public: visible in the blockchain. It is like imagining a big mess of encrypted emails that everyone hosts on their machines, but you can only read the ones (spend bitcoins from) you have the key for.

    Did I mention: you don't need to run a full node, and you can also use an on-line wallet.

    Simple recipe:
    1. mine some bitcoins
    2. get a VPN
    3. Use the VPN to get a free email address (google, riseup or else)
    4. Use the VPN to get a VPS hosting
    5. set up TOR on VPS hosting (hidden service)
    6. and/or set up I2P on VPS hosting (eepsite)
    7. Install Bitcoin, Litecoin, *Coin on the machine and run a full node through the VPN, TOR, I2P or combination of them
    8. Use the VPN, TOR, I2P (or a combination of them) to access the machine where
    9. Use the command line interface to send funds
    10. Use any of the libraries to write your own web service to talk to the daemons to manage your funds

    There ... find the IP where it came from.... found it ?

    Rinse, repeat:

    1. buy raspberry PI
    2. buy throw-away anonymous SIM online (through VPN, I2P, TOR, with bitcoins)
    3. install TOR, VPN, I2P, solar panel, gsm modem, Bitcoind, *coind on raspberry PI
    4. Take a long ride from home where there is still reception, climb a tree/rock/old building/tower. Install it there ...

    Found my IP ?

    and so on ...

    Or did they mean: if you just run a full node from home and accidentally connect to one of their servers they propagate, they can see where the transaction was coming from the first time ?
    bitcoind --printtoconsole

    1. Re:And that killed the whole article by hawkeyeMI · · Score: 2

      Read the article. They have a way of forcing disconnection of a server from the Tor network. They concede it's quite noticeable and it may not work if no non-tor fallback is used.

      --
      Error 404 - Sig Not Found
  9. News flash by Anonymous Coward · · Score: 2, Insightful

    To be perfectly fair, computer science has a lot of things that "any student can tell you are true" that have not been proven to be true, and the difference is a really big deal in academia (where a significant portion of your job is proving things and publishing the paper explaining the proof).

    For example P!=NP is widely believed, highly intuitive, and the bases for some high profile algorithms (cryptography) but has never been proven.

  10. Re:bitcoin price manipulation by hawkeyeMI · · Score: 2

    As a big holder and long-time user of bitcoins, I'm in favor of the price not being pushed down. That said, TFS is inflammatory. TFA, which is open access, is actually an interesting read, and it's a clever attack. They also discuss possible mitigations. It's worth a read if you're into bitcoin.

    --
    Error 404 - Sig Not Found
  11. Re:Every single transaction is broadcast to the wo by Em+Adespoton · · Score: 2

    It's even simpler than that... the IPs are in a limited pool, and are used for all your network transactions during the period. All there needs to be is an IP correlation between the transaction and that check of your GMail account during the same time period, and the IP links the two, flagging who you are. No need to track back through the ISP who was supposed to have that IP at that time (although that's trivial with a warrant too).

  12. What?! by Anonymous Coward · · Score: 2, Interesting

    Who thought bitcoin was anonymous? It is a detailed, immutable list of transactions... it is downright transparent...