
Topic: Bitcoin Privacy - How easy it is for someone to find all your wallets addresses (Read 466 times)

legendary
Activity: 2268
Merit: 18748
I'm always wondering why consumer protection doesn't play any role in the KYC discussion.
Because exchanges don't care. They care only about their profits, and not at all about their customers.

Take Coinbase as an example. At the end of last year they upgraded their cold storage system. They spent millions on research, development, and implementation. They spent months doing practice runs of moving all their coins from the old to the new wallets. It was a huge undertaking, and the most valuable mass movement of bitcoin ever.

Where are the millions spent on securing their KYC database? Where are the months of practicing to make sure that database is secure before it is used? Nowhere. In fact, a few months after this cold storage upgrade, it emerges they are willingly selling clients' data to third parties.

Add in unannounced and surprise KYC, accounts being locked for weeks or months on end, terrible customer service, etc., (not just on Coinbase but across most exchanges) and it's pretty clear exchanges don't care about you. They only care about your money.
legendary
Activity: 2226
Merit: 6947
Don't you use exchanges for traditional investments, like Interactive Brokers (IB)? Don't you have a bank account somewhere, where you did KYC? They need your documents as well. Are you afraid they are going to sell it online?
In Germany we still have some "less invasive" requirements to open a normal bank account (without online banking). It's possible to go to a local bank store, ask for a bank account and your identity will be verified there, by showing them only your government ID. Of course they'll note your name, address and ID number to link it to your account but when I see which crazy requirements users have to deliver on crypto exchanges, maybe even after funds are already locked, that's insane. So, the procedure here is much better.* AFAIK, there is no need to upload documents if you register locally.
For everything else I'm using cash, Germany is one of the few countries where cash is still very valued in public even if some people are pushing negative and misleading claims against it very hard.

*I know, this procedure is still not perfect since the database of the bank can be hacked, a better model would be where the name of the account owner isn't directly linked but is stored offline in the (offline) archives of the bank and if there's any violation by the bank account the name of the account owner can be checked in case if there's a suspicion manually. Everything stored offline. That would work fine to prevent money laundering / terrorism financing while securing the privacy of normal users... I've still the hope that people will realize how important privacy is and start to claim it (again).


I'm always wondering why consumer protection doesn't play any role in the KYC discussion. There's only much talk about how to prevent terrorism, how to prevent money laundering and how to push stricter KYC. It's nothing about consumer protection when we are put at risk of identity theft by enforced KYC everywhere. And even if we don't handle much money we are forced to do KYC if we want to convert fiat to crypto / crypto to fiat or if our exchange has already frozen our funds because of some random reasons.

The whole problem is digitalizing user data and sending it away where we don't know how it's handled. Is it sold to 3rd parties? Will it be hacked? Who will gain access? I've no doubt that digitalized data handled on centralized services will be hacked somewhere in the future and that's why I've also a strong aversion against using any fingerprint / retina scan verification (besides KYC). If that's hacked we can't get it back (never!) because it's a unique data set. Hackers can do a lot of damage when they gain access to such biometric data.
Users are exposed to huge risks with submitting digital data like for KYC and I'm missing the consumer protection part totally in this debate. The KYC discussion has gotten way too unbalanced and it seems it's going further away from any customer perspective.

We don't have much choice here I guess but personally I'm boycotting as much as possible all services where invasive KYC is required. The purchase of physical gold with cash in Germany was lowered to 2000€ (2200$) per day recently and some crypto services require much lower levels already when KYC is enforced...
legendary
Activity: 2268
Merit: 18748
For example, if you want to sell 3 BTC. That's like 30k USD now. Would you do it in this forum? In a service like BISQ?
Yeah, I'd use Bisq, and probably be looking for cash, although I might accept some form of money transfer if I was desperate for fiat in a hurry. Bisq uses security deposits and multi-sig escrow. My bitcoin would not be released to the buyer until I confirmed I was paid. I would feel happier doing that than I would do using a centralized exchange and wondering if they were going to freeze my account, demand to know the source of my bitcoin, and ask ridiculously invasive KYC questions.

Personally, I trust much more in an environment like Coinbase or Bitstamp or Binance. Don't you think?
Each to their own. I trust exchanges as far as I could hypothetically throw them.

I really doubt those exchanges are not going to sell your documents to scammers around the world.
Coinbase have already admitted selling customers' data to third parties without their knowledge or consent. Binance were hacked for thousands of users' worth of KYC documents. There have been plenty of other leaks and hacks we know about. Think about how many we don't know about.

Don't you have a bank account somewhere, where you did KYC?
Unfortunately, yes. I have a job which pays in fiat, and I still require fiat to pay for most of my bills and living expenses. However, that doesn't mean I should just give up all hope of privacy and send my KYC documents to anyone who wants them.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
With the ongoing growth of exchanges like LocalBitcoin, Paxful, and BISQ, as well as a large peer-to-peer marketplace on this forum and others, there isn't really an absolute need to use a centralized exchange. Sure, it might be easier and quicker, but it's very rare that using one is your only option.

Maybe for very small volumes, but you need to consider security as well. Depending on how much you are invested, it is very risky and uncomfortable to use those services you mentioned.

For example, if you want to sell 3 BTC. That's like 30k USD now. Would you do it in this forum? In a service like BISQ?

You cannot do it in small quantities like 300 USD each time, it would take 100 txs.

Personally, I trust much more in an environment like Coinbase or Bitstamp or Binance. Don't you think?

I really doubt those exchanges are not going to sell your documents to scammers around the world.
Don't you use exchanges for traditional investments, like Interactive Brokers (IB)? Don't you have a bank account somewhere, where you did KYC? They need your documents as well. Are you afraid they are going to sell it online?

Using IB or Coinbase is like the same to me. Coinbase is heavily regulated already, as far as I know.
legendary
Activity: 2268
Merit: 18748
Unfortunately, LocalBitcoins is no longer the good example for such mention.
Thanks for that info. It's been a while since I used LBC, and wasn't aware of their new KYC regulations. Another exchange to avoid, then. What a shame.

Inputs/outputs is how bitcoin works but it doesn't mean user X spend it.
It is possible to link multiple inputs in the same transaction together, though. If you know I own address A, and you see a transaction with both address A and address B sending coins to address C, you can reasonably assume I own address B (as well as address D, the change address, if you can tell which output is change). You can then look at address B, and similarly link it to some other addresses. Rinse and repeat.
legendary
Activity: 2296
Merit: 1014
https://www.walletexplorer.com

Just paste any used address there.
The website will show you all addresses that its inputs were used together in a single transaction.
It doesn't mean what you think it does. Inputs/outputs is how bitcoin works but it doesn't mean user X spend it.
Privacy is needed for Bitcoin as one of most important addition that should be worked on. It is. When it will be ready nobody knows.
hero member
Activity: 750
Merit: 511
With the ongoing growth of exchanges like LocalBitcoin, Paxful, and BISQ, as well as a large peer-to-peer marketplace on this forum and others, there isn't really an absolute need to use a centralized exchange.

Unfortunately, LocalBitcoins is no longer the good example for such mention. They actively cooperate with the Finnish authorities and applied the KYC/AML by introducing a mandatory KYC starting from 1k euro per year. And the fact that they store funds at their addresses makes them somewhat closer to centralized exchanges.

https://localbitcoins.com/blog/id-verification-update/

hero member
Activity: 2268
Merit: 669
As far as I am concerned, if you care about your privacy, then avoid KYC demanding exchanges altogether.

If you complete KYC, you have no idea how many people at that exchange have access to the information linking your real name to your deposit and withdrawal addresses. You also have no idea which third parties or governments the exchange is either selling or passing on your details to, and how many people at each of those have access to this information. If you mix coins before depositing or after withdrawing, some exchanges may freeze your account due to unspecified "suspicious activity" until you complete even more invasive KYC.

With the ongoing growth of exchanges like LocalBitcoin, Paxful, and BISQ, as well as a large peer-to-peer marketplace on this forum and others, there isn't really an absolute need to use a centralized exchange. Sure, it might be easier and quicker, but it's very rare that using one is your only option.
I totally agree that we should avoid an exchange site or whatever site that is if it needs you to complete a KYC, since it needs us to submit our personal information and the wallet address will be linked to our information. Right? It's what I can think of making yourself use centralized exchange which needs KYC for us to complete.
legendary
Activity: 2268
Merit: 18748
It could be avoided altogether if they use mixer/coinjoin at risks exchange freeze their coins and ask lots of information about deposited Bitcoin.
As far as I am concerned, if you care about your privacy, then avoid KYC demanding exchanges altogether.

If you complete KYC, you have no idea how many people at that exchange have access to the information linking your real name to your deposit and withdrawal addresses. You also have no idea which third parties or governments the exchange is either selling or passing on your details to, and how many people at each of those have access to this information. If you mix coins before depositing or after withdrawing, some exchanges may freeze your account due to unspecified "suspicious activity" until you complete even more invasive KYC.

With the ongoing growth of exchanges like LocalBitcoin, Paxful, and BISQ, as well as a large peer-to-peer marketplace on this forum and others, there isn't really an absolute need to use a centralized exchange. Sure, it might be easier and quicker, but it's very rare that using one is your only option.
legendary
Activity: 3024
Merit: 2148
Walletexplorers won't help other people identify your personal identity but it will only help you connect all the addresses being used in one wallet, that is why this has been a big tool for alt account hunters linking bounty abusers in the forum. It may link members here and their alt accounts but it can't show you anything about the identity of the owner of that wallet. As long as you don't use your address publicly or is not tied up to you in any way on any KYC process then the addresses you are using will remain anonymous and can't be linked to you.

That's not true, linking someone's addresses is a step on the path of finding someone's identity, as each address has a chance of being tied to identity. Even in your example people link their social media accounts when they do bounties, and often this information is public on spreadsheet, so you can quite simply find someone's real name just by looking at their wallet in this case. And if we are talking about governments, they can easily do this too with exchanges, as exchanges know about your bank card, and bank card has your name on it.
hero member
Activity: 1806
Merit: 672
Walletexplorers won't help other people identify your personal identity but it will only help you connect all the addresses being used in one wallet, that is why this has been a big tool for alt account hunters linking bounty abusers in the forum. It may link members here and their alt accounts but it can't show you anything about the identity of the owner of that wallet. As long as you don't use your address publicly or is not tied up to you in any way on any KYC process then the addresses you are using will remain anonymous and can't be linked to you.
legendary
Activity: 3024
Merit: 2148

Or the users don't even think about it since the exchange would know all address used for deposit activity.

The problem here is not that exchange knows it, but that third parties can easily use it to break someone's privacy. If a user has wallet A and wallet B, and uses them both to deposit to a service with static deposit address, then it's not hard to link wallets A and B. I've browsed wallet explorer and it's really easy to spot wallets of services - if a wallet has huge amount of addresses and transactions, big volumes and holds/used to hold a lot of BTC's - then it's a service. And if different addresses send coins to the same address of a service, chances are they belong to the same person. Although if someone uses their exchange as a wallet, then other entities will be falsely linked with this analysis.
legendary
Activity: 3024
Merit: 2148

Kraken is the only exchange I've been using that lets you generate a new address, I've never seen another one.
If most exchanges don't provide it, I suppose it's a matter of infrastructure convenience (or security)


It's not about security, it's just that generating new addresses requires some extra coding and maybe extra work for support when people send coins to old addresses, so they don't see reasons to do it, because so far it worked well for them - users almost never complain about it, because they don't care about their privacy. I think it just shows that an average exchange user doesn't care much about Bitcoin's ideals, they just want to make money (and that's okay).
legendary
Activity: 2268
Merit: 18748
Even if we try to use VPN, Tor, mixers, coin control or any other way to ensure privacy, three-letter agencies are very likely a step or two ahead of us.
There's a difference between the NSA and general ISP or government mass surveillance, being "doxxed", being targeted by scammers, and so forth. If the NSA wanted to track you down, there is probably very little you could do to stop them. That doesn't mean you should just give up all your privacy and let anyone who wants to spy on you and your activities.

Wallet addresses are not generated automatically upon joining, most of the time the users need to click a "generate address" button.
Sure. I meant simply that it's not like that for every new user that joins there is a person sitting at the other end generating a new deposit address and manually entering it in to the exchange's database. Every new user can just hit the button that says "Generate a deposit address", and the system will create one for them automatically. There is no good reason to not allow existing users to generate a fresh deposit address.
copper member
Activity: 2940
Merit: 4101
...

Wallet addresses are not generated automatically upon joining, most of the time the users need to click a "generate address" button.
Kraken is the only exchange I've been using that lets you generate a new address, I've never seen another one.
If most exchanges don't provide it, I suppose it's a matter of infrastructure convenience (or security)

We can conclude that privacy is a very challenging task today, and that most internet users including ones that use cryptocurrency do not have the knowledge and skills to remain anonymous. Even if we try to use VPN, Tor, mixers, coin control or any other way to ensure privacy, three-letter agencies are very likely a step or two ahead of us.
it has always been.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
At a Bitcoin conference Snowden said: “The lack of privacy is an existential threat to bitcoin. Is the only protection users have from political change,” but also: “If you know how the system works, you can still have privacy.”

One more great quote from Snowden:

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.
https://en.wikiquote.org/wiki/Edward_Snowden
legendary
Activity: 3234
Merit: 5637
It's not just about people sharing their private data willingly (which far too many people do), but it is also about your browsing habits. Some browsers, notably Chrome, monitor everything you do online. Many ISPs and governments also monitor their users and every webpage you visit. If you repeatedly visit the same address on a block explorer, it becomes pretty obvious to anyone watching you that you own that address, even if your wallet is offline/airgapped/paper/etc.

We can conclude that privacy is a very challenging task today, and that most internet users including ones that use cryptocurrency do not have the knowledge and skills to remain anonymous. Even if we try to use VPN, Tor, mixers, coin control or any other way to ensure privacy, three-letter agencies are very likely a step or two ahead of us.

Snowden shows that NSA is working on tracking Bitcoin users at least from 2013 by using different spy tools (Xkeyscore, MAC addresses, OAKSTAR, MONKEYROCKET), and it is not difficult to imagine what they have accomplished to this day.

At a Bitcoin conference Snowden said: “The lack of privacy is an existential threat to bitcoin. Is the only protection users have from political change,” but also: “If you know how the system works, you can still have privacy.”
legendary
Activity: 2268
Merit: 18748
From my experience of using exchanges and other services, the ability to generate new addresses is very rare
That's pretty poor customer service really. Considering all these services are set up to automatically generate a new deposit address for each new customer who signs up, it is trivial for them to offer the ability to customers to generate a new deposit address for themselves. I suppose if you are willing to share your KYC documents freely across the internet then you aren't the most privacy conscious person, but not reusing addresses is a pretty basic bitcoin practice.

Would be nice if we can have a list of exchanges that have this option of generating new addresses.
Agreed. I have never and will never complete KYC at an exchange, but I'd be much more likely to use an exchange for trading bitcoin to the few alts I'm interested in if they gave me the option of generating new addresses.

Still, obviously none of this matters if someone at the exchange themselves wants to track your addresses, since they will still be able to see all your different deposit addresses. High quality and high volume DEXs can't come soon enough.
legendary
Activity: 2212
Merit: 7064

From my experience of using exchanges and other services, the ability to generate new addresses is very rare, so it's indeed quite bad. You'd need to mix only the amount you want to deposit and send it all to an exchange, because any change output can later link your wallet(s) together. And it's not only about exchanges, casinos and other services that have deposits suffer from it too.

I think CryptoBridge exchange is still offering that option to generate new address every 15 minutes.

Would be nice if we can have a list of exchanges that have this option of generating new addresses.
legendary
Activity: 3024
Merit: 2148

I don't really use exchanges, but I thought most would let you generate a new deposit address for each transaction, if you wanted? Do they really just give you one deposit address and that's it? What another great reason to stop using these exchanges. In this case, you will need to pass all your coins through a mixer prior to depositing them, and then again through a mixer after withdrawing them, but there are cases of some exchanges blocking transfers to/from mixers as I said above.

From my experience of using exchanges and other services, the ability to generate new addresses is very rare, so it's indeed quite bad. You'd need to mix only the amount you want to deposit and send it all to an exchange, because any change output can later link your wallet(s) together. And it's not only about exchanges, casinos and other services that have deposits suffer from it too.
legendary
Activity: 2268
Merit: 18748
For example, if you ever bought bitcoin from an exchange using Fiat you made KYC.
I think this goes without saying. Even the newest newbie should realize that if they are handing over their KYC documents to an exchange, then all their activity can be linked to their real name. Perhaps what they don't realize is that many exchanges track where coins come from and go to before and after being on the exchange. They will ban users who deposit from/to casinos and even mixers. Since exchanges report user activity to their relevant governments, I wouldn't be surprised at all if they are also reporting which addresses are linked to which user, allowing the government to then trace your activity as well.

Your transactions from different wallets can still be linked, but in a different way - if you have a static deposit address on an exchange, and use with different wallets, it can be easy to spot this and link those wallets
I don't really use exchanges, but I thought most would let you generate a new deposit address for each transaction, if you wanted? Do they really just give you one deposit address and that's it? What another great reason to stop using these exchanges. In this case, you will need to pass all your coins through a mixer prior to depositing them, and then again through a mixer after withdrawing them, but there are cases of some exchanges blocking transfers to/from mixers as I said above.
legendary
Activity: 3024
Merit: 2148
If using a mixer, then you should ideally be sending all coins to a brand new wallet, as opposed to back to a new address from the same wallet. There is always a chance that at some point in the future you mess up and accidentally link that new address to an old one or a change address from the same wallet, especially after months or years where you could easily forget which UTXOs were mixed and which weren't. There's also the possibility that someone gains access to your master public key, and then can derive all your addresses from that wallet and see that they are linked together.


Your transactions from different wallets can still be linked, but in a different way - if you have a static deposit address on an exchange, and use with different wallets, it can be easy to spot this and link those wallets, because exchange wallets are so well known, that even the walletexplorer site shows their names instead of just raw id. So, you not only have to worry what inputs you are using, but also to what inputs are you sending, because someone who reuses addresses can weaken your privacy.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
I see a problem in this only if the user is buying some goods and paying with crypto, then his coin address can be linked with his personal data and privacy can be compromised. Coin address can be also linked with any social media accounts, many users post such info when applying for bounty campaigns, and they make an even easier job for anyone who digs for such information.

There are other possible leaks. For example, if you ever bought bitcoin from an exchange using Fiat you made KYC. If you send those coins from the exchange to your wallet it could even be possible to link that to your bitcointalk account using a simple tool like that, if you are not careful.

This post was just to show people how easy it is to link all your addresses from the same wallet together.
legendary
Activity: 2128
Merit: 1293
There is trouble abrewing
If you repeatedly visit the same address on a block explorer, it becomes pretty obvious to anyone watching you that you own that address, even if your wallet is offline/airgapped/paper/etc.

You forgot about the block explorers themselves keeping a record of which addresses the users keep checking. It could be done with using cookies and recording IP addresses and building a database to link different addresses to same person.
legendary
Activity: 2268
Merit: 18748
Be careful, even using a mixer you need to be careful in your future transactions. After you send your mixed coins back to your wallet, you need to be careful not to link those coins to your old addresses (which may still have balance).
If using a mixer, then you should ideally be sending all coins to a brand new wallet, as opposed to back to a new address from the same wallet. There is always a chance that at some point in the future you mess up and accidentally link that new address to an old one or a change address from the same wallet, especially after months or years where you could easily forget which UTXOs were mixed and which weren't. There's also the possibility that someone gains access to your master public key, and then can derive all your addresses from that wallet and see that they are linked together.

The idea that Bitcoin is anonymous crypto is still prevalent, and in fact it is, until the moment you link it to your private data (name, home address, photo...).
It's not just about people sharing their private data willingly (which far too many people do), but it is also about your browsing habits. Some browsers, notably Chrome, monitor everything you do online. Many ISPs and governments also monitor their users and every webpage you visit. If you repeatedly visit the same address on a block explorer, it becomes pretty obvious to anyone watching you that you own that address, even if your wallet is offline/airgapped/paper/etc.
legendary
Activity: 3234
Merit: 5637
It just shows that your address A is connected with some address B or C and so on, but it is just coin address history without any user data. I see a problem in this only if the user is buying some goods and paying with crypto, then his coin address can be linked with his personal data and privacy can be compromised. Coin address can be also linked with any social media accounts, many users post such info when applying for bounty campaigns, and they make an even easier job for anyone who digs for such information.

The idea that Bitcoin is anonymous crypto is still prevalent, and in fact it is, until the moment you link it to your private data (name, home address, photo...).
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
Some time ago I discovered this website, which allows anyone to discover all your used wallet's addresses with just a few clicks.

https://www.walletexplorer.com

Just paste any used address there.
The website will show you all addresses that its inputs were used together in a single transaction.

Paste some of your used addresses there and get surprised. Probably many of them are going to be linked together.

How to avoid linking your addresses?

Unless you are very careful and you try not to mix many inputs from different addresses in the same transaction, all your addresses from the same wallet can be linked back to you, by anyone.

So, you have 2 options:
1 - Download a good wallet (like Electrum) which lets you control each input, and be careful not to use those addresses in the same transaction.
Or
2 - Use a bitcoin mixer, which allows you to always have fresh coins with no blockchain connection to your old addresses.

Be careful, even using a mixer you need to be careful in your future transactions. After you send your mixed coins back to your wallet, you need to be careful not to link those coins to your old addresses (which may still have balance).
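
The multi-input linking discussed in this thread (addresses whose inputs are spent together in one transaction get grouped) can be reproduced on a small scale to audit your own coin selection before signing. The sketch below is an added example, not code from the thread or from walletexplorer.com; the transaction list, the `addr_*` labels and the function names are constructed for illustration. It clusters input addresses only, since deciding which output is change is guesswork.

```python
from collections import defaultdict


class UnionFind:
    """Disjoint-set structure used to merge addresses into clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        # Path compression: point every node on the walk straight at the root.
        while self.parent[x] != root:
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions):
    """Group addresses that appear together as inputs of any transaction."""
    uf = UnionFind()
    for tx in transactions:
        inputs = tx["inputs"]
        for addr in inputs:
            uf.find(addr)  # register single-input spenders too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return sorted(groups.values(), key=sorted)


def clusters_merged_by(clusters, planned_inputs):
    """Return the distinct existing clusters a planned spend would touch.

    More than one cluster in the result means that broadcasting the
    transaction would publicly link groups that are separate today.
    """
    touched = []
    for addr in planned_inputs:
        # An address never spent from before forms its own cluster.
        cluster = next((c for c in clusters if addr in c), {addr})
        if cluster not in touched:
            touched.append(cluster)
    return touched


# Constructed sample history (labels, not real addresses).
SAMPLE_TXS = [
    {"inputs": ["addr_A", "addr_B"], "outputs": ["addr_C", "addr_D"]},
    {"inputs": ["addr_B", "addr_E"], "outputs": ["addr_G"]},
    {"inputs": ["addr_F"], "outputs": ["addr_H"]},
]

if __name__ == "__main__":
    clusters = cluster_addresses(SAMPLE_TXS)
    for c in clusters:
        print("cluster:", sorted(c))
    for plan in (["addr_A", "addr_E"], ["addr_A", "addr_F"]):
        n = len(clusters_merged_by(clusters, plan))
        verdict = "links separate clusters" if n > 1 else "no new link"
        print(plan, "->", verdict)
```

Note that `addr_A` and `addr_E` end up in one cluster even though they were never spent together: `addr_B` bridges them, which is the "rinse and repeat" effect described earlier in the thread.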