Slashdot Mirror


Deanonymizing Tor: Your Bitcoin Transactions May Come Back To Haunt You (wired.com)

jwhyche, Slashdot reader #6,192, writes: If you bought some illegal narcotics off Silk Road or even gave money to Wikileaks, researchers at Qatar University and Hamad Bin Khalifa University have been able to link these transactions with real-world identities. They have been able to do this even if the transactions are years old. Their research shows how easy it is to link accounts to these transactions without using any of the tools available to law enforcement like search warrants or subpoenas.
The researchers started with 88 unique bitcoin addresses from Tor hidden services, and then searched 5 billion tweets and 1 million pages on the Bitcoin Talk forum -- ultimately linking 125 unique users to 20 Tor hidden services. "Bitcoin addresses should always be considered exploitable," the researchers conclude, "as they can be used to deanonymize users retroactively."

Their paper is titled "When a Small Leak Sinks a Great Ship: Deanonymizing Tor Hidden Service Users Through Bitcoin Transactions Analysis," and Wired summarizes one of their conclusions. "Even deleting profile information that includes bitcoin addresses may not be enough if a post has been cached or captured by services like the Internet Archive, they point out. 'If you're vulnerable now, you're vulnerable in the future.'"

48 of 106 comments

  1. Schadenfreude by Petersko · · Score: 1

    HAHAHAHAHA

    1. Re: Schadenfreude by dougdonovan · · Score: 1

      haunt me again bitcoin...my banker calls me weekly with good news.

    2. Re: Schadenfreude by gnasher719 · · Score: 1

      haunt me again bitcoin...my banker calls me weekly with good news.

      Of course he or she does. We all believe you.

    3. Re: Schadenfreude by Pseudonym · · Score: 1

      Yes, my doctor told me during a house call, while I was getting a coal delivery. Now if you'll excuse me, I need to get some carbon paper for my typewriter.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    4. Re: Schadenfreude by PRMan · · Score: 1

      Exactly. I already made 10 times and still have some left. Poor me.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  2. one-time-use addresses by phantomfive · · Score: 1

    FWIW you can easily choose a one-time-use bitcoin address to deal with this problem. Some people advocate using a different address for each transaction (for example, if you are selling a lot of things, give each customer a different address, that way you can tell who has paid you).

    OTOH bitcoin transactions are inherently traceable, so even if there's no known way to determine who you are at this moment, in the future someone might figure out a way.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:one-time-use addresses by vadim_t · · Score: 5, Interesting

      This stopped working in the current state of Bitcoin, because you pay a fee for the amount of data you use on the blockchain, and the more addresses you accumulate, the more horrible the fees become.

      Fees have got so high that addresses with a small balance (somewhere around $15-ish last time I checked, which is crazy) are effectively lost, because the fee is higher than the amount stored in the address.

      The problem compounds for paying people. If I want to send you $15, I may have to spend somewhere around $15 in fees to do so, costing me a total of $30. At the end of this you will have an address with $15 worth on it, but which can't be actually spent, so I paid you, but you have effectively nothing anyway. At this point either you bump your prices, or try to consolidate your accounts through a very low fee transaction that might or might not get processed, and that may take a week or so.

      TL;DR: The modern bitcoin is completely useless as a payment system, and only remains of interest to people who hoard it and hope the price will rise. I expect it to crash and burn eventually as the realization sets in that it's not good for anything anymore except as a kind of gambling system.

      Those people interested in something that approximates a currency can go with Bitcoin Cash, which is a fork that's far more in line with what Bitcoin used to be, or something else like Ethereum.

    2. Re:one-time-use addresses by gweihir · · Score: 1

      Indeed. Bitcoin is not designed for anonymous payment, just for pseudonymous payment. That is something else entirely. All these people thinking Bitcoin is anonymous have either not bothered finding out any facts or are just kidding themselves. This has basically been known since Bitcoin exists and no expert is the least bit surprised by research results such as this one.

      Anonymity must be a primary design goal in a communicating system or it will not be there. Sure, the effort for identifying a person will vary, but it will be possible.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:one-time-use addresses by gravewax · · Score: 1

      Bitcoin isn't really designed for payments full stop. The design lends itself more as an investment avenue as you can't realistically have a transaction system that takes minutes (or more realistically at the moment hours or days to confirm) and costs significant amounts of money for the privilege of a transaction slower than any of the traditional transfer mechanisms

    4. Re:one-time-use addresses by phantomfive · · Score: 1

      Yeah, bitcoin is a transaction system, not a money laundering system.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:one-time-use addresses by gweihir · · Score: 1

      TL;DR: The modern bitcoin is completely useless as a payment system, and only remains of interest to people who hoard it and hope the price will rise. I expect it to crash and burn eventually as the realization sets in that it's not good for anything anymore except as a kind of gambling system.

      This. I hope it crashes soon, I need a new graphics card and the market is either dry or you pay insane prices. This madness has to stop.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:one-time-use addresses by vadim_t · · Score: 1

      True, but that only makes the problem worse. The people and companies that accept BTC as payment don't use it as an independent system unrelated to everything else, but as something that converts to USD.

      So if the minimum fee is 0.001 BTC, at $1/BTC that amounts to nothing, and at $10K/btc it's now $10 USD.

      Bitcoin has a 1MB block size limit, which means people are also competing to get their transactions accepted by the network. The more competition there is, the higher the minimum fee rises.

      Bitcoin also has a supply that grows at a fixed rate, and the more people get interested in it, the more competition there is for that supply, therefore the more the price rises, and with it so does the value of the minimum fee.

      The two problems together add up to a complete clusterfuck that means that the more interest there is in BTC, the worse it actually performs at being a currency.

    7. Re:one-time-use addresses by DontBeAMoran · · Score: 1

      If Bitcoin crashes and Monero takes its place, then you haven't even seen what high GPU prices look like yet.

      --
      #DeleteFacebook
    8. Re:one-time-use addresses by PRMan · · Score: 1

      Those people interested in something that approximates a currency can go with Bitcoin Cash

      Yes, let's go with something owned entirely by Chinese miners. No chance of a 51% attack by the Chinese government there.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    9. Re:one-time-use addresses by borcharc · · Score: 1

      LOL brand new 6 stat/byte tx's ($0.0069) are getting included in the next block. Fees are the lowest they have been for some time now that the spam attack has stopped. Your post demonstrated absolutely zero domain knowledge.

    10. Re:one-time-use addresses by borcharc · · Score: 1

      But thankfully the minimum fee has never been 0.001 BTC. Some crappy services have charged this, but that isn't what the miners charge unless you have a very edge case UTXO. Take a look at the mempool, it's empty. 6 stat/B transactions are getting included in the next block. The fee competition was the result of spam attack. Bitcoin transaction volume hasn't collapsed but the fees did as soon as the spam ended.

    11. Re:one-time-use addresses by gweihir · · Score: 1

      I see the Bitcoin morons are getting more butt-hurt and even more stupid. Excellent. Please continue. And I do hope you never recover economically.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    12. Re:one-time-use addresses by gweihir · · Score: 1

      There is also the little problem that manufacturing BC mining-ASICs takes production capacity away from other things and that does affect gfx-card prices and availability. But I expect that argument will fly right over the hollow heads that drive this madness.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:one-time-use addresses by gweihir · · Score: 1

      An AC that is desperately envious? Hehehehehehe. You fucked up your life, but I did not.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:one-time-use addresses by LynnwoodRooster · · Score: 1

      So back when one BTC would buy a Big Mac, you suggest we should still pay one BTC for a Big Mac? That, by pricing something in BTC, you've "severed" its connection to real-world currencies?

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    15. Re:one-time-use addresses by Zontar+The+Mindless · · Score: 1

      And I play LBreakout. Daily.

      Deal with it.

      --
      Il n'y a pas de Planet B.
    16. Re:one-time-use addresses by mentil · · Score: 1

      I heard the miners caused the 'spam' in order to drive up the fees and thus their own profits. What's preventing this from happening again?

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    17. Re:one-time-use addresses by vadim_t · · Score: 1

      I used 0.001 BTC as a round value to illustrate the problem. Currently I'm getting a suggestion of a $4 fee to send $10. Just slightly less insane than it used to be.

      The mempool is sure as heck not empty, and hasn't been in a long time: https://blockchain.info/en/cha...

      Bitcoin volume can't collapse in the current state because the blocks are always full. There's more people wanting to use the network than resources the network has, so a reduction in interest still results in full usage of what there is.

      The whole spam argument is complete bullshit. The fees are high enough that it would cost insane amounts of money to send enough transactions to affect the network, and even if somebody did, guess what? Sending transactions is what the network exists for in the first place. If it can be defeated so trivially, it's just a bad design that should be replaced with something better.

    18. Re:one-time-use addresses by gweihir · · Score: 1

      I agree with you on all points, except that in order to be caught with your pants down in this way in the first place, you usually have to be pretty stupid and greedy. This was just an opportunity to insult them that I found myself unable to resist. Happens sometimes. And I will definitely watch the show when it all goes down in flames.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    19. Re:one-time-use addresses by gweihir · · Score: 1

      Who said I was envious?

      I said it, because it was absolutely obvious. And you know it is true. Gotcha.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    20. Re:one-time-use addresses by JesseMcDonald · · Score: 1

      This [one-time-use addresses] stopped working in the current state of Bitcoin, because you pay a fee for the amount of data you use on the blockchain, and the more addresses you accumulate, the more horrible the fees become.

      It makes no difference whether you use the same address or a different address. The fee is relative to the transaction size (in bytes); transaction size depends mainly on the number of inputs and outputs; and each time you receive funds, whether to an existing address or a new one, it creates a new output which requires a separate input in the spending transaction. If you make a payment using funds received in five previous transactions to the same address you pay exactly the same fees as you would if it had been five transactions to five different single-use addresses.

      Also, your information on fees is outdated. Current fees are around $5 for a typical transaction, less if you use the new SegWit protocol. Not $15.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  3. so, uh, ... by Anonymous Coward · · Score: 1

    how come no one can catch these supposed hackers who make off with millions of dollars of coin?

    on the other hand i always knew this kind of shit was going to happen so i never used it. only the paranoid survive as andy grove said.

    1. Re: so, uh, ... by sound+vision · · Score: 1

      But there are mechanisms in the law where the exchanges are, which require the exchange to pay out to people who hold accounts. The exchange doesn't need to perform any criminal activity to gain BTC - they already have it. They just don't want to pay out. When they delete it, they don't have to.

    2. Re: so, uh, ... by DontBeAMoran · · Score: 1

      Wait, there's a flaw in your reasoning... what about the theme park and blackjack?

      --
      #DeleteFacebook
  4. Re:Excellent by CaptainDork · · Score: 1

    .. vigilante justice ...

    Like swatting?

    --
    It little behooves the best of us to comment on the rest of us.
  5. So all this time the NSA could have done that? by Babel-17 · · Score: 1

    And totally coincidentally it's served as a great tool for the NSA to get the international underworld, and terrorist rings, to identify themselves? Though it's inconceivable that anyone could have anticipated this so as to use it as a financial honey trap. It would take oodles of time, lots of resources, and a disregard for cost. ;) https://en.wikipedia.org/wiki/... https://www.youtube.com/watch?...

    1. Re:So all this time the NSA could have done that? by AHuxley · · Score: 1

      Yes but tracking is more interesting than telling people how they are being tracked and what to stop doing to avoid being tracked.
      US law enforcement considers cyber as one big information only report. Everything is being tracked but no lawyer, human rights group, FOIA is going to find out collect it all methods.

      --
      Domestic spying is now "Benign Information Gathering"
  6. Monero by Plugh · · Score: 3, Informative

    Monero is where the darknet markets are moving to, away from Bitcoin. The blockchain is itself encrypted, and soon it will be integrated with I2P

  7. A have to be reading this wrong. by Fly+Swatter · · Score: 4, Informative

    But is it saying they just searched for idiots that publicly posted their bitcoin address under their real name? Wouldn't that be like tracking down a phone number to its owner because they stupidly posted it publicly somewhere on the web?

    It can't be that simple if it's called research, can it?

    1. Re:A have to be reading this wrong. by jwhyche · · Score: 2

      Indeed, but sometimes the best research is simple research.

      But what I took away from the article isn't that they could look up a bunch of idiots that used easily trackable information in their transactions. But that if they could do this with little effort, what could a government agency do if they put their mind to it.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
    2. Re:A have to be reading this wrong. by PRMan · · Score: 1

      That's exactly what it said. "If you bragged about a transaction amount or address on Twitter or on a Bitcoin forum, we can link you." Wow. However did you do that?

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    3. Re: A have to be reading this wrong. by slashrio · · Score: 1

      How can we be identified through other people tweeting their wallet addresses?
      I guess I'm the one missing something here.

      --
      "Trump!!", the new Godwin.
    4. Re:A have to be reading this wrong. by hey! · · Score: 1

      No, the researchers were able to use normal investigative techniques to recover real names. It'd hardly be news if someone's ID was determined because they told the world, would it?

      I've long thought most Bitcoin users are naively confident that Bitcoin by itself protects their identity. This is typical in tech -- people rely too much on the properties of the technology to keep them safe and don't put enough thought into how they use the tech. Even if Bitcoin were technically perfect, every place where your transactions interface with the real world is a loose thread that law enforcement could pull -- and at the other end of that thread is your identity.

      Bitcoin only has marginal value in protecting privacy. To someone already taking extraordinary steps to protect themselves it has some value. But to someone who thinks it will magically shield them from law enforcement, I'd be surprised if it has any value at all. If you convert Bitcoins to dollars and vice versa, you'd better have laundered them first. And if you have contraband shipped, you'd better have it shipped to a neighbor and then grab it off his porch.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  8. Yup, those are two things I conflate all the time by 93+Escort+Wagon · · Score: 1

    1) Buying illegal narcotics on the Silk Road
    2) Giving money to Wikileaks

    --
    #DeleteChrome
  9. Captain Obvious... by Anonymous Coward · · Score: 1

    Bitcoin is not, and was never intended to be, anonymous. It has always been pretty easy to associate a wallet with a person. Every transaction you make is public record on the Bitcoin blockchain.

  10. Inaccurate Headline by Anonymous Coward · · Score: 4, Informative

    They did not deanonymize *TOR*, the onion router network for anonymizing web traffic. They deanonymized Bitcoin transactions.

    Tor != Bitcoin.

  11. Re:Yup, those are two things I conflate all the ti by Pseudonym · · Score: 2

    It's a reasonably standard English idiom, and extremely common in Slashdot writeups, to use constructions of this form: If [bad thing], or even if [fairly innocent thing], then [bad consequence either way].

    --
    sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  12. XSPEC... by D,Petkow · · Score: 1

    with native obfs4 implementation and TOR integration. BOOM!

  13. Re:Excellent by Zontar+The+Mindless · · Score: 1

    At least some of them live in countries where some upright citizen can tip off the authorities about their anti-government activities, and they just might not ever be heard from again.

    --
    Il n'y a pas de Planet B.
  14. Re:Bitcoin Cash is the real Bitcoin by StikyPad · · Score: 1

    0.0001 what? BTC(C?) If Bitcoin Cash (or any other currency) becomes successful, it will inherently become a victim of its own value. It's like trying to use gold as cash when the supply is fluctuating faster than people can calculate the value.

    The problem with cryptocoins is that they inherently represent value proportional to the amount of work they took to create. They are *always* valued (or worthless) based fundamentally on their intrinsic properties, and that makes them an asset, not a currency.

    There's a reason societies around the world switched to fiat currency: The only things that make good currencies are things that are otherwise without any utility or intrinsic value, like cash, or imaginary cash inside of an imaginary vault. As soon as the representation of worth becomes itself worth something, it stops being useful as a currency. See also: coin collecting.

    , whereas cash is only tied to work or value through mutual agreement in the exchange for goods or services.

  15. It's still stealing. by Anonymous Coward · · Score: 1

    You're still making up imaginary wealth, to devalue the wealth of everybody else (via inflation), and haven't worked a fucking second for it!
    No, the work of sneaking in and stuffing shit into a bag does not qualify. Nor does the work of telling others to do your work for you.

    Meanwhile, we here... the normal people, have actually made something of worth for our money. I created toys that allow children with disabilities to do the exercises that cure them while having a lot of fun and staying motivated. Your average Joe next door built the shit that you use, keeps it from breaking down, or even invents and engineers things that permanently improve the world.
    You just found a moron to give imaginary glass beads to for more money than you paid for them when you were being the moron.

    And for the record: There's nothing wrong with the concept of money, nor the concept of crypto-currencies per se. They're quite nice concepts.
    The problems start, when it becomes something representing actual work, and hence actual worth, for some, while being something made up without working, and hence without worth, for others.
    Yes, this includes "mining", "management", re-selling, trading, "intellectual property", interest, and any other way banks are allowed to make up money.

    The only things of *actual* worth, are natural real resources, like spacetime/-energy/-entropy, and work.
    (When you buy a chair, you pay the work of making it, plus the natural resources it was made out of.)

  16. Okay??? by cshark · · Score: 1

    So... what's the takeaway here?
    If you're a criminal, don't advertise on the overnet with the same address you're using for crime?
    Duh.

    I mean, that should be obvious.

    --

    This signature has Super Cow Powers

  17. Show of hands by JustAnotherOldGuy · · Score: 1

    Okay, let's have a show of hands- who didn't see this coming?

    Anytime anyone claims something is "anonymous" or "untrackable", bet on them being wrong.

    There's nothing that's truly "anonymous" or "untrackable" and yet people keep falling for these absurd claims.

    --
    Just cruising through this digital world at 33 1/3 rpm...