Topic: Breaking Mixing Services - page 2. (Read 1838 times)
An important research, but why don't you spend more time on attacking Chipmixer or other mixing services (of course, ideally the biggest ones). I'm curios as how far will you be able to attack reputable mixer services and if you did succesfully hack it up, maybe we need to rework how mixing services is built.
..thanks for sharing your information here..in the first place,,I really don't have the idea on what is mixing services and how does it goes,,until I have read your thread and found out that mixing services works like this and it can be broken..
I admire you for giving this a time to conduct research and explain to public how does mixing services or bitcoin transaction works..this is very informative,thank you again for giving us the result of your study.
I admire you for giving this a time to conduct research and explain to public how does mixing services or bitcoin transaction works..this is very informative,thank you again for giving us the result of your study.
If this is true, then you can help law enforcement to trace coins that was used in crime. 
Did you find any criminal activities and terrorism funding that was presumably done with these Mixer services? Did the 3 letter agencies approach you, like they did with Gavin in the early days, to help them track some of the criminal activities that were done with these services?
Glad to hear that some Mixer services are more secure than others, because we need financial privacy.
Did you find any criminal activities and terrorism funding that was presumably done with these Mixer services? Did the 3 letter agencies approach you, like they did with Gavin in the early days, to help them track some of the criminal activities that were done with these services?
Glad to hear that some Mixer services are more secure than others, because we need financial privacy.
Thanks for sharing. I take a quick look and while you list lots of attack scenario, you forget to mention de-anonymization attack through Tor exit or VPN which leak information such as DNS request (or you intentionally left it as it's complex enough to make separate research)
You might want move this thread to Development & Technical Discussion as you'll get more people who interested or can give better feedback.
P.S. will add comment after i done read the paper or/and try python code
You might want move this thread to Development & Technical Discussion as you'll get more people who interested or can give better feedback.
P.S. will add comment after i done read the paper or/and try python code
Thanks for posting, this is very interesting.
Is your conclusion that the specific services have been poorly designed and their implementations are faulty or is an unbreakable mixing service impossible/hard to make?
Is your conclusion that the specific services have been poorly designed and their implementations are faulty or is an unbreakable mixing service impossible/hard to make?
In my thesis, I attacked coinmixer.se (at the time of writing it was the biggest centralized mixing service), however - except chipmixer.io1 - every other centralized mixing service I checked could be broken in a similar fashion.
1 Chipmixer was the only centralized mixing service which I did not break fully. However, I did not put much work into checking this mixing service.
1 Chipmixer was the only centralized mixing service which I did not break fully. However, I did not put much work into checking this mixing service.
I'd be curious what your findings are if you pursue it further. I always thought Chipmixer's approach was superior to the traditional script methods because those can be extensively analyzed and repeated. With Chipmixer, outputs are broken into generic amounts and users extract private keys that aggregate to [deposit amount - donation]. Those keys can be sweeped at any time. This seems much harder to analyze.
Wow, I did not expect to see this since I've used a few mixing services and never came to my mind that their algorithm could be broken. If it was to be just a regular mixing service that was recently opened than I would understand but hacking the biggest mixing service existing is a big surprise for everyone that uses it. Anyway, there are some many mixing services existing right now and it's obvious that almost all of them use the same algorithm and if you can break it then you hack 80% of the websites.
Well, I believe that such research should be undertaken in details and more accurately, although I agree with a lot of the above hypotheses
Hey,
more than a year ago I wrote my bachelor thesis about mixing services/anonymous bitcoin transactions (yes, bitcoin is pseudonymous).
I found some trivial bugs (timing attacks, leakages, xss, ...) through which nearly all relevant centralized bitcoin mixing services could be broken. Based on outgoing mixing transactions (transactions sent by the mixer) I was able to identify the correct incoming transactions sent by customers (vice versa).
My thesis is quite easy to understand and the bugs are also trivial, however, at the time of writing, I did not find any specific work related to these problems.
The most important conclusion of my work is, that even though a mixing service/a mixing algorithm might seem to be reliable at the moment, through a single leak/implementation fault, an attacker could be able to deanonymize any past transaction which has been processed by the mixing services. Even though the leak/implementation fault gets fixed by the service, every transaction which has been processed prior to the fix is irreversible vulnerable.
bitmixer.io & coinmixer.se are offline now, however its still possible to use the bugs I describe in my thesis to reverse nearly all transactions which have ever been processed by these services.
In my thesis, I attacked coinmixer.se (at the time of writing it was the biggest centralized mixing service), however - except chipmixer.com1 - every other centralized mixing service I checked could be broken in a similar fashion.
If there is interest in this topic, I can publish further information (source-codes, examples, ..) on this topic and attacks.
Link to my thesis (python source inside): https://www.dropbox.com/s/3yapwyfz72tvswh/BA_mixing_services.pdf?dl=0
Author: Felix Maduakor
Email: [email protected]
1 Chipmixer was the only centralized mixing service which I did not break fully. However, I did not put much work into checking this mixing service.
more than a year ago I wrote my bachelor thesis about mixing services/anonymous bitcoin transactions (yes, bitcoin is pseudonymous).
I found some trivial bugs (timing attacks, leakages, xss, ...) through which nearly all relevant centralized bitcoin mixing services could be broken. Based on outgoing mixing transactions (transactions sent by the mixer) I was able to identify the correct incoming transactions sent by customers (vice versa).
My thesis is quite easy to understand and the bugs are also trivial, however, at the time of writing, I did not find any specific work related to these problems.
The most important conclusion of my work is, that even though a mixing service/a mixing algorithm might seem to be reliable at the moment, through a single leak/implementation fault, an attacker could be able to deanonymize any past transaction which has been processed by the mixing services. Even though the leak/implementation fault gets fixed by the service, every transaction which has been processed prior to the fix is irreversible vulnerable.
bitmixer.io & coinmixer.se are offline now, however its still possible to use the bugs I describe in my thesis to reverse nearly all transactions which have ever been processed by these services.
In my thesis, I attacked coinmixer.se (at the time of writing it was the biggest centralized mixing service), however - except chipmixer.com1 - every other centralized mixing service I checked could be broken in a similar fashion.
If there is interest in this topic, I can publish further information (source-codes, examples, ..) on this topic and attacks.
Link to my thesis (python source inside): https://www.dropbox.com/s/3yapwyfz72tvswh/BA_mixing_services.pdf?dl=0
Author: Felix Maduakor
Email: [email protected]
1 Chipmixer was the only centralized mixing service which I did not break fully. However, I did not put much work into checking this mixing service.
Jump to: