Bitcoin Forum

After talking about Anonymous UTXO consolidation through LN (https://bitcointalk.org/index.php?topic=5386496.0) a few months ago, I'd like to hear a few opinions about consolidation of (traditionally) mixed outputs.
With this I mean mixing through ChipMixer, CoinJoin, JoinMarket and the like.

I pondered on this a bit and I see a few reasons for and against it. Some questions seem trivial or silly, but I'm just trying to give food for thought and discussion. ;)

[1] Firstly, if you're looking to consolidate many small inputs, you could send everything to the mixer 1 input at a time. This way you won't link them when sending.
Next, send all the mixed, anonymous outputs to one address in one transaction.

It should be reasonably secure except from one aspect which is tracing wallet sizes. However if the inputs weren't linked to each other before mixing, it should be fine, right?

[2] If you perform a UTXO mix on ChipMixer and don't want to end up with many little UTXOs, you may consider doing one transaction that bundles all those output chips into one fresh UTXO.
Since chips can be chosen in relatively large sizes, I don't think that having too many little output chips is really a realistic risk, so best would be to just make them large enough and withdraw each one to a fresh new address?

[3] Consolidating change. As we all know, using a common change address is one big privacy risk in Bitcoin. However if you deal with mixed coins and separate change addresses, you're generally speaking fine; but you quickly rack up a lot of 'change UTXOs' that you will sooner or later need to join together. Is it a good idea to individually mix change UTXOs and then join them, what do you think?

---

By the way, if you want to get notified about low mempool fees to consolidate small inputs, this is the thread to watch: [May 2022] Mempool empty! Use this opportunity to Consolidate your small inputs! (https://bitcointalk.org/index.php?topic=2848987)

Tracing wallet sizes? Like?

It's a big privacy risk if you can trace what I'm doing with it. But, if I just mix all of my change in one transaction, I don't think it's so bad. Making it official that I'm the owner of those UTXO's doesn't harm much, and you've pretty much already known it.

Of course, if they appear to be a lot, then you might not want to reveal you own that much money. In any case, it's better to split your inputs in several transactions.

The best thing you can do is not create change at all. This was very easy to do when ChipMixer was launched and Bitcoin was ~$1,500, since the smallest chip - 0.001 BTC - was only worth around $1.50. So any payment you wanted to make you could round up to the nearest $1.50, have no change output, and not really mind paying an extra buck (or just add the extra on to the fee). Now that 0.001 BTC is worth $30 or more, then it isn't so economical.

You can still avoid creating change outputs with careful UTXO selection. Or instead of rounding up your payment as described above, round up your basket - throw in a couple more cans of beer or an extra month subscription or whatever else you were buying to bring the total up to whatever UTXO you have available so you can avoid creating change. Or just let the merchant keep the rest as a tip. Other options are merchants which will let you open an account or tab with them, top up that account with any amount, and then spend from your available balance.

The way that I deal with the change I do create is usually via ChipMixer, because I find it more economical than trying to coinjoin lots of small change outputs. If I already have some bitcoin stored on ChipMixer under a voucher, then I can just add any change in to that same stack to better hide it. So if, for example, I have 0.012 BTC in a voucher on ChipMixer, than after a couple of small change deposits I can withdraw a 0.016 chip, which prevents them being linked from people looking at individual sizes as you suggest.

If I ever have to deal with any really small change outputs, I usually just fire them off to the donation address of something like Tor, Tails, EFF, etc.

I don't know if he's referring to this but it's one of the types of backtracking chainalysis tries to do when it comes to those, it goes back in time looking for any possible transactions that would match the input that is missing from their history, for example when an address that is tracked deposits coins on a known exchange address it will try to match an outgoing sum from the same exchange or consolidations further down in time that match the value deposited.


I made the mistake of sending freshly coins mixed to exchanges, but I've never and I don't plan on ever linking mixed coins, as o_e_l_e_o said, it's better to have them split in reasonable amounts based on your needs and spending habits that will not create change which is of a too-large value to ignore. Rather than trying to consolidate 5 addresses with 10$ worth to pay for a subscription, I would rather break in 5 a 500$ one and use one of the fractions.

That being said I do have a ton of "dust" in my wallets but I've always postponed any consolidation simply because at this point one screwup and years of mixing have been for nothing, so I'll just let it sit there till I can buy a house with the change from a protonvpn payment  ;D

What if instead of mixing your entire input amount at once, you break the amount into successive mixing sessions, so long as the broken inputs are still fairly large (anything less than $500 is strictly a no-no)?

Then you could combine up to 1 output from each session, and the trackers would not know any better, because the splitted outputs themselves from each broken-up session are not linked together.

---

Of course, if you could hypothetically have your own private coinjoin network of senders, you'd be able to create long chains of transactions fairly easily without being detected as such. Because most commercial trackers have a limit on the chain length to track - maybe 50 for example - so they won't rewind the chain any further to check.

But if inputs came from a mixing service and therefore have no connection to each other, why not just consolidate them in one transaction before sending them to a mixer again? What traces are you leaving in this case? That some anonymous person used a particular mixing service several times and later decided to mix their funds again but in a single transaction, in my view, doesn't tell much because it is still unknown to an observer where funds have landed up after a final mixing round. The thing is UTXO consolidation always involves certain trade-offs, but sending everything (mixed outputs) in a single transaction is at least less time-consuming and, more importantly, a lot less block space-consuming. Please note that I was talking about a specific case in which you are using the same mixing service both for the obfuscation of your inputs and their subsequent consolidation. If your inputs are from completely different sources (Wasabi, JoinMarket, Whirlpool, Chipmixer, Mercury, etc), then it definitely makes more sense to send them one by one to a mixing service before consolidating them.

An option here might be to try to find a service which will accept such small inputs in exchange for either a Lightning payment or a Monero payment without too much in the way of fees, and consolidate them that way before converting them back to a Bitcoin UTXO (although you would obviously have minimal privacy when considering the service you were using).

You might be lowering the amount of privacy you gain. If I consolidate a bunch of different sized outputs in a single transaction which then sends (for example) 1 BTC to a mixer, and then immediately withdraw a 1 BTC output, then there is a potential link there. If I separately send 0.164 BTC, 0.051 BTC, 0.391 BTC, and so on, particularly spread out over a period of days rather than within a few minutes of each other, and then later withdraw 1 BTC, then I obfuscate that link as my deposits are obscured by everyone else's deposits during the same time.

There we go.

Monero is particularly private, so sending your money through a mostly-private exchange such as LocalMonero, using it all to buy XMR for BTC and then back again, and withdrawing in chunks instead of the whole thing (the chunks must be large enough to negate the repeated withdrawal fee) would be a good starting point for untainting mixer outputs - it will be flagged by an exchange as from some other exchange should the transaction chain between the internal addresses in the exchange be long enough.

You won't have to worry about being tracked on the Monero chain because of its use of bulletproofs which makes it harder to unmask the identity of the transaction inputs (by putting in a bunch of spent inputs as fakes). This assumes the exchange won't sell you over though.

The idea is: if you had a total of 0.7 BTC in a wallet previously and after the consolidation, it adds up to slightly less than 0.7; a correlation could be made.

Reused change addresses not only allow tracing what you're doing with the change but also tracing what you're doing with the rest of your BTC. Let's say I'm a merchant and you pay me some BTC; I can look at the change address and see other deposits. I can follow the transactions of these deposits and see that you also sent BTC to other (known or unknown) addresses; which could be exchanges (authorities can call them and ask 'who is the human behind address X'), stores or friends of yours that I now know you have some sort of connection to.

Therefore I think you need to send the inputs to the mixer individually and only combine the mixed outputs, right?
It might also depend on the mixer in question; honestly I'm most familiar with ChipMixer and I don't know whether you can even send multiple UTXOs to e.g. CoinJoin and get out one consolidated output (like in CM with user-choosable chip sizes).

---

So you just got tons of 0.001BTC chips from ChipMixer and used them in full when paying something? Wouldn't that make for pretty large (and expensive) transactions? Or would you create and withdraw appropriately sized chips / UTXOs on the spot?

All sound like pretty cool options; the last one surely the most convenient one and with 0 'loss'! :D

I tried to bring this idea up but wasn't sure how to correctly phrase it. Sending multiple outputs to a single CM mix, individually, will keep them completely unlinked, right? If they're below the minimum of 0.001, I guess you could 'LN mix them' (https://bitcointalk.org/index.php?topic=5386496.0) and then send to CM afterwards. It may be less secure and whatnot, but if you can't afford to just throw away 30 bucks it may be an option.

That's pretty cool; but I wonder how long it will be sustainable; 0.001BTC might be well over 100$ in the future; in some countries like Colombia, BTC0.001 is already over 100k of their home currency COP. I'm not sure as to how much purchasing power it sums up there, though.

To me at least it also depends on the amount of the dust and how much time and effort and money you want to put into it.

There are a few exchanges that don't need anything more then an email address to sign up and will give you a new address with each deposit. They do have miinnium deposit amounts but will credit you once you hit it in total usually 0.001

So in theory it would be known that all these outputs went to one exchange and the exchange would know what email address they were linked to but that is about it.

You could then exchange the coins to a privacy based coin like XMR to another exchange that just requires an email to sign up and exchange them back to BTC

Downsides:
2 x exchange fees
2 x withdraw fees
A lot of time for what may not be a lot of money in the end
If you don't use public Wi-Fi or the like there is still the risk of being found out
You have to trust the exchanges with the funds

-Dave

I tried to keep it vague; for instance some people inadvertently leak multiple addresses of a wallet online, give the xpub to a non-trustworthy party or - the easiest - address reuse. But sure, if you 'follow protocol', addresses in a wallet shouldn't be linked, so total wallet amount is unknown to the outside.

I hope they will; as far as I know it has never happened yet. A few months back, when 1x 0.001BTC chip was over 50 bucks (or now at roughly 30), they didn't make them smaller either; and as o_e_l_e_o said it was the same size when Bitcoin was $1,500 a pop.

Creative way of (ab)using an exchange for gaining instead of losing privacy! ;) Since we're speaking about small amounts, actually an 'instant exchanger' might be perfect for this.
These platforms like https://fixedfloat.com/; they require no registration at all. I don't know if you can deposit multiple times there, though.

There are two things I don't understand from your response:

• What's "untainting mixer outputs"? Haven't we already made it clear that "taint" is an arbitrary rule? Mixing and trying to have your outputs "untainted" is contradictory.
• What's the benefit of mixing with BTC <--> XMR <--> BTC compared to mixing directly with BTC <--> BTC? If it's time, which is the only think I can think of, that's where vouchers and chips take place.

True, but doesn't this answer on why you shouldn't keep change at all? As said by Leo above, whenever you're going to have a decent change left over from a transaction, send them to ChipMixer instead. Or, if you're thinking of buying in bulk, make your purchase and send the rest to ChipMixer.

What I said is: If you have change in x outputs, which are essentially linked from your previous transactions, it doesn't matter that much to broadcast 1 transaction where you spend them all, or x transactions where you spend 1 in each.

The biggest downside of this method is that your account may be frozen after you made a deposit and you will no longer be able to withdraw your funds or consolidate them unless by sacrificing your privacy by providing your real identity. If you still consider exchanges a means to merge your small inputs, a simpler solution would be using a nice bitcoin-only gambling website like bustadice where, as you said, you need nothing but an email address to sign up and where it is highly unlikely that you will be asked for documents. If you like, you can gamble with part of the funds to further obscure the link between your initial amount and your withdrawal amount.


Fair point, but you are not obligated to withdraw immediately and in a single transaction.

Also, and since I do like the service you can use Bitrefill and buy gift cards if it's available where you are located.

https://www.bitrefill.com/signup?code=mibrahcu <-- referral link
https://www.bitrefill.com <-- non referral link

They have the option of adding BTC to your account. They will convert it to a 'cash balance' at the time you send it and each time you deposit you get a new address.
The minimum is $1.00 at the time of sending.

So in theory you could create an account with just an email add a bunch of small amounts of BTC, withdraw to a gift card that you can use in person.

A bit more limited then an exchange since they have to offer service where you are and you have to want to use a gift card at one of the merchants they offer. But still an option.

EDIT TO ADD: If you do use the referral link above and make a qualifying purchase I will know what email address you signed up with, no way of tying it back to you but wanted to put it out there.

-Dave

I get the point, but people who bother use mixer/coinjoin (even with risk blacklisted from some service) is likely have better privacy practice and unlikely doing example you mentioned.


It seems neat idea, but i wonder if there's privacy implication if you keep doing it for long time? I know Bitrefill give new address for each purchase, but i don't remember whether they also give new address for each deposit.

Let's say I deposited 0.1 BTC to ChipMixer. I then wanted to pay for something which was 0.0207 BTC. I would withdraw a 0.016, 0.004, and 0.001 chip, pay the merchant 0.021 BTC (not minding that I just overspent by 50 cents or so) and leave the other 0.079 BTC on ChipMixer as a voucher until I next needed it. No change created. But as I said before, this isn't really economical anymore since the lost 50 cents in this example is now ~$10.

Well, a single ChipMixer session provides a single deposit address, so no, it would link all the outputs. The way to do it is to deposit any UTXOs you don't mind being linked in a single session, withdraw a voucher for the total amount of your deposit, and then destroy that session. Repeat with another sessions with another set of UTXOs and withdraw another voucher. Repeat as many times as necessary - you can do as little as one deposit per session if you want (bearing in mind the minimum deposit limits). Once you have multiple vouchers, you can open yet another new session and combine all the vouchers together, and then make a single large withdrawal.

Yes they do. I just tried it, sent BTC to the given address and as soon as it was confirmed and I went back there was a new deposit address.
And even if there is an 'upper limit' of the addresses they will give you all you need is another email and you can start the process again.

Perhaps not the best or even an ideal way of doing things but it does work.

EDIT TO ADD: If you do use the referral link in the post above and make a qualifying purchase I will know what email address you signed up with, no way of tying it back to you but wanted to put it out there.
Although LeoRockz@aol.com might point back to someone :-)

-Dave

Probably worth pointing out that using more than one account is against their terms and you risk getting hit with KYC demands, which obviously defeats the whole purpose here:

Also, do they have a minimum deposit amount or do they charge a processing fee? I can't imagine they would be too thrilled by receiving dozens of 1000 sat outputs and having to consolidate them all.

Drat! I've been doxxed! Time to abandon this account I guess.

Oh, the issue with this is that I assumed the change doesn't all land in the same address. I'm not sure if there's a standard way; as far as I know, change is handled a bit differently from one wallet to another.

Well, those gambling sites could also close your account, though. So I see no benefit there; the moment you use a centralized party, there is going to be some risk involved.

I really like this idea; these gift cards come in handy anyway from time to time; even as a small birthday gift or simply to purchase something on Amazon. I've only used the service through Lightning so far and didn't know you can also create an account and top it up little by little.

This implies you fully entrust those remaining 0.079 BTC to CM though; not that I'd ever doubt them, but in general I try to minimize such trust. It could be that there is a problem with the website and I can't access it right when I need to or similar sorts of issues, but otherwise it seems like a viable option if the Bitcoin price was a bit lower or the smallest chip size was reduced.

Yup, makes sense; so basically restore the session for each output as long as the output's size is large enough; link smaller outputs by submitting them during one session to reach the minimum size.. You'll maybe pay a bit more though, since every time you create a new session and deposit some coins, they'll be 'truncated' to 0.001 amounts, right?

It's been nice knowing you! ;)

Oh, wait, you meant literal reuse of the change address? Which wallet does such thing?

Yes, that is the downside. As with any such service, coins you store on the service are entirely owned by the service and not by you until you have them safely back in your own wallet. However, it's a risk I'm willing to take for small amounts of coins for the benefit of having instant access at any time to mixed coins, just as I'm willing to take the risk of storing small amounts of coins on an insecure mobile wallet for the benefit of having instant access when I'm on the go. Your own risk profile may vary.

Yes. This method will not work for any change amounts below that value.

Teleport transactions software (https://github.com/bitcoin-teleport/teleport-transactions/), a CoinSwap implementation from privacy expert Chris Belcher, can potentially be used for the consolidation of previously mixed transaction outputs. One of the ways this could be done is the following:

1) You have multiple mixed outputs of a different amount, which you received from Chipmixer, for instance;

2) Instead of consolidating them directly or sending them to another mixing round, you could perform a series of coin swaps, where you would be sending your TXOs one by one at random intervals and with different fees;

3) After your coin swaps are done, you will have a set of swapped TXOs, which will differ from your initial one (because coin swap uses multi-transactions (https://gist.github.com/chris-belcher/9144bd57a91c194e332fb5ca371d0964) to avoid amount correlation);

4) Next you either consolidate all TXO into one transaction or into several transactions, it doesn't actually matter. You can also create additional hops before "real" payment to be able to plausibly deny any connection to a previous output merge, but again it is not necessary.

What do you think?

That looks to be to cover the $2k / day limit. Unless you have a lot of UTXOs then I doubt you would ever hit that wall. But as always when using a service to do something it's always a risk.


As of now $1.00 (when it hits not when you send so don't send all those $1.00 with a low fee since if it takes a while to get there and even a small dip occurs.

As for all the small TX if a lot of people start doing it I can see them raising it from $1 to $5 to even higher.
For now it's an option.

There are other services out there that do similar with gift cards that allow you to bank funds but Bitrefill is one of the oldest and stable, and has a really good reputation.

-Dave

I don't remember which one, but I remember one or more wallets did this a long time ago... :D Though I've got no memory of their names anymore, whether they're still around and if they are, whether they changed this by now.

Cool, thanks for clearing that up! I agree that for certain use cases and certain users, solutions that involve trust are viable options and give them benefits that would otherwise be hard to achieve.

What I meant was that if e.g. you have a 0.0025BTC UTXO and a 0.0015 one, if you send them both in the same session, you end up with a balance of 0.004. But if you want better privacy and use the session restore trick you described before, you will end up with 0.003, right? Or will the 0.0005 of each UTXO be donated either way?

Thanks, this is new to me. I'll have a look at it!

Coin swap is a privacy-oriented technique which involves you swapping your history of transactions with someone else's history of transactions in a non-custodial and trust-minimized way using the smart contracts capability of the bitcoin protocol. The chief advantages of the given method are that (1) you avoid creating toxic change completely during the process of swapping, (2) there are no any thirds-parties or intermediaries involved in this process that can steal your money or surveil your inputs, (3) everything occurs on a base layer of the protocol, which minimizes the attack surface, and, which is arguably the most important point, (4) poor privacy practices of the people you are swapping with doesn't lower the amount of privacy you get and doesn't affect negatively the anonymity set.

Wow. Even at the current bitcoins sale prices, that's only ~3,000 sats. Most services don't accept such small inputs for obvious reasons.

Yes, it would be donated either way, unless you combine the two UTXOs in the same transaction and send 0.004 BTC in a single transaction. Each individual deposit is floored to the nearest 0.001 BTC and the remainder donated, regardless of if you make multiple deposits in the same session. See from their FAQ:

Cool, then besides convenience there's no real downside to always doing this 'session-restore trick' anytime you mix multiple UTXOs with ChipMixer!
Now that you quoted the FAQ, I remember last time I read it was right after sending some 0.xxx8 or 0.xxx9 UTXO, expecting to be able to send the missing amount to reach the next chip size separately, causing almost the largest possible donation during funding process... :D

How about (ab)using hash rental websites like nicehash, deposit mixed coins into your nicehash wallet, rent SHA-256 hashrate, and mine to a large pool that pays every 24 hours (you don't have to pay withdrawal fees), you get fresh coins or otherwise completely unlinked.

The pool doesn't know where your hashrate came from, nor how you obtained it, it only knows the address you are going to deposit to.

Technically they know where your hash comes from since the NH relays are well know. They don't know how you PAID for it.
However, since NH charges a 3% fee and most PPS pools are in that same 3% range you are taking a big cut off the top.
Probably no more then some of the other ways discussed here however.

-Dave

True, and that is more than enough, it will take some cooperations between the pool and the rental service (nicehash or whatever else) and that's very unlikely to happen, because the two services are so far from regulations unlike many of the exchanges.


You are correct, that's the drawback, but still, you can find PPS pools with 0% fees, also nicehash has been paying 5% less than the market on the 7-day average reported on whattomine.com, so that might even get you more sats than you deposit, but of course, this isn't always the case and thus one should go with the assumption that it will cost anywhere between 3% to 6% to obtain those coins.

With that said, if my life is at stake, and I want the maximum privacy I could get - I would still prefer a similar method to any exchange of any sort for these reasons.

1- Using an exchange of any sort means both your deposit and withdrawal addresses are known to a single entity, so they or anybody who hacks them or forces them (like a government) to reveal their data will know about your new address.

You can overcome this issue if you use 2 different exchanges as you mentioned earlier, but then that's also an extra layer of risk added on top of an already risky approach.

2- Most exchanges fall under the regulation and KYC b.s, at any point you might be forced to give away your identity, while a mining pool or a rental service are the last places to be regulated due to the complexity of their business model.

Also, getting some outputs with little to no history is a plus, but it really all depends on how far are you willing to go. Will I pay 5% in this process given that my life isn't at stake if someone happened to link my transactions together? hell no, would I even risk using an exchange for that purpose? also no, to me, using a good mixer like Chipmixer while applying a few of the many tips mentioned here is more than enough in my case.

That might work, but people should be careful since NiceHash ToS mention they implement AML/CTF.


Some people happily use credit card which usually has 3% fee for convenience sake, so IMO 3%-6% is acceptable for those who want to protect their privacy.

That's a pretty cool and creative idea, of course it comes from a long-time mining connoisseur, I like it! You basically sell those UTXOs for hashpower, which generates a similar amount of BTC back; no actual connection, especially nothing that could be analyzed on-chain. I know that you could also deposit through LN on NiceHash, but not sure what the minimum deposit size is on other hashrate rental platforms. This is interesting when it comes to the topic of consolidation / having lots of inputs you want to mix together and get a larger output out of it, without accidentally linking those UTXOs together.

You are putting a lot of faith in CM. It is impossible to know if CM is being run by an intelligence agency or government. If they are not a honeypot, it is impossible to know if an intelligence agency has been able to compromise their servers in a way that will allow them to gather information about inputs and outputs.

That would probably make it difficult for blockchain analysis companies to track the flow of your coin via mass surveillance, however, if a government were to inquire with nicehash as to what happened to your particular deposit, that same government could go to the pool you mined on and ask for information about where your mining payouts were sent to.

Building on the miner idea, here's another one which just occurred to me:

I create a transaction which spends all the coins I want to mix as a fee. I then send that transaction in private to a mining pool who is offering this service. They keep that transaction secret and eventually include it in a block that they mine, thereby claiming all my bitcoin for themselves. At a later date, they then send me an equivalent amount of bitcoin (minus 1% or whatever) to a brand new address I supply them with from their pool of mining rewards as part of one of their regular distribution-of-rewards-to-individual-miners transactions.

Other than the obvious trusting of a third party, there would be two main risks for such a set up that I can see. If you were trying to mix a sufficiently large amount of coins, then some individual miner in the pool, after learning about your transaction from the pool, may be incentivized to go off and attempt to solo mine a block in an attempt to steal your deposit. Secondly, in the event of a chain re-org, then if the block including your transaction loses, your transaction would return to being unconfirmed but would also have been exposed to the wider network, allowing other pools to attempt to mine it.

That's true, the government can also take you to a detention camp and beat the shit out of you until you show them all your transactions, but it's all a matter of how far are they willing to go? mining pools are unregulated for the most part because their business model is very complicated, they deal with no banks, and most of them operate in places where most governments like the U.S or EU countries don't have power own, like China.

But then, even if we were to go with the assumption that a said government will go as far as doing what you suggested, you can still use a passthrough running on some server, that way, you break the connection between Nicehash and the pool, nicehash will tell your government that you mined to server xyz (which at least in theory nobody knows about), from there, unless they find a way to get into your server, they won't know where the hashrate went to, unless they contact every mining pool on planet earth.

The second and better option would be using a decentralized mining pool like P2pool where the blocktemplate is generated by your own node, you connect Nicehash to your node or one of the public nodes, there is no company called p2pool which governments can ask for information, so the link between your incoming hashrate and outgoing hashrate is broken, it will be extremely difficult to anyone to link the pieces back together.

One way which they can track you is by asking Nicehash for the total hashrate you pointed and then attempt to estimate how much "BTC" would have come out of it, and then they would track addresses that received a similar amount, but given that there will probably be a few hundred thousand miners getting that same sum of outputs, it will be extremely difficult to narrow it down to just you.

Another thing they might filter is the addresses that didn't receive BTC before the hash rental took place, this will someone reduce the size of the circle, but it will still be very, very unlikely to know exactly.

Also, creating a decentralized mining rental marketplace won't be all that difficult, that way, you kind of break the chain at the first step of the way, making it even more difficult for anyone to track you.

With that said, I am not saying this is the perfect solution for privacy, the efforts and cost are higher than the traditional ways mentioned in other comments, the hash rental method is really like exchanging BTC for tomatoes and then selling the tomatoes for BTC to someone who lives on the other side of the world, it will take more effort and will cost more, it will also be a lot slower, but it will be more effective than going to supermarket to buy tomatoes with your BTC and then sell it back to them for BTC.

So if all of a sudden a new pool(s) appear(s) and they include TXs that nobody has seen in the mempool you don't think that is going to look a little odd?
1st time / block it happens there would be some discussion about it here and elsewhere.  If it keeps happening they people are going to look at the address where the block reward went and start looking where those TXs go. Possibly not even the government or for any malicious reasons. Just people trying to figure out what these odd blocks are doing.

The best way to hide is in plain site.

-Dave

When you mentioned "small inputs", I assumed the amounts are too small for most mixers.
I know only one mixer that gives up to 20 deposit addresses to use, which could also work for small amounts.

To quote myself:
I don't trust most instant exchangers at all, but especially for the small amounts we're talking about here, I don't mind risking it. BestChange lists a few exchangers with low minimum. If you use different coins (or LN) on different exchangers (through Tor) with random email addresses (when needed), it will be quite difficult to link your transactions. Obviously, you shouldn't reuse addresses and use self-hosted wallets.

Assuming you mean sending multiple transactions to different ChipMixer sessions, getting Vouchers and Redeeming them into a single CM session is unlinked. But since each session has only one deposit address, you shouldn't send multiple deposits to that address (obviously).

You shouldn't deposit multiple times to the same address, but you can easily create a new exchange each time you have change to send somewhere. Even better if you use different services.

CM raised the minimum chip size to 4 mBTC I think around the end of 2017, when Bitcoin transaction fees were high enough to waste most of a 1 mBTC chip on fees. I've never seen chips under 1 mBTC.

As long as they don't ask KYC, you can just create a new account once in a while. Or even each time. Or don't use an account at all, all you need is a throw-away email address.

The way I read it, it doesn't say you can't have more than one account, but you can't use it to get around the limits. Even without account, you can spend $1000 per month. And since we're talking about small change here, that "ought to be enough for anyone" (not plagiarism, just a famous quote from someone who may or may not have said it).

---

---

Hypothetical: what if someone creates a Change Consolidation Lottery? It would work like this: you go to the website, get a deposit address, send your change/dust, and the service collects it. When enough inputs are piled up, a (provably fair) lottery is drawn. Higher deposits are more likely to win of course. The winner receives the total pool (minus transaction and service fees) back to the address their deposit came from.
If enough people use it, it will be difficult to link transactions.

Not sure if you guys will believe me or not, Once I sent some Doge to the previous deposit address on Fixedfloat. I thought it was gone. Their support was offline, The transaction page expired, and I lost hope. Then a few hours later their support back online and manually send me my doges. Old days.

https://prnt.sc/sQbBwrOoQcy4 (https://prnt.sc/sQbBwrOoQcy4)

It varies per exchanger, this one (https://bitcointalk.org/index.php?topic=5093055.msg54663495#msg54663495) keeps each deposit address as a fixed exchange pair. I haven't tried it though, address recycling isn't recommended.

Doesn't really matter if enough people use it. If I deposit to ChipMixer and someone tries to follow my coins, they will eventually see them be pooled and the split in to one of their classical funding transactions which creates ~50 outputs all of 0.008 BTC (or some other chip size). If I withdraw from ChipMixer, then the coins come directly from one of these classical funding transactions, and so again are easy to identify. In both cases, all an adversary can tell is that I used ChipMixer; they can't like input to output or vice versa. The same would be true of this mining pool set up. You could identify transactions spending all the inputs as fees, and you could see where this mining pool sent all its coinbase rewards, but you couldn't link the two together.

Doesn't really solve the problem of dust outputs being too small to spend or a user screwing up their privacy by creating a single transaction linking a bunch of different dust outputs. Combine this idea with the SIGHASH_NONE and SIGHASH_ANYONECANPAY set up we've discussed previously regarding dust outputs, and you might be on to something.

I use Chipmixer's vouchers to join chips from different sessions, but like BlackHatCoiner said, if the change can be linked back to the wallet I use for my forum account I usually just consolidate it in one transaction.  Unfortunately I haven't had to worry about his other concern of appearing wealthy.  :-\  Any change that I may have from my IRL identity wallet I'll send in a different transaction, and consolidate the chips using vouchers.  To o_e_l_e_o's point about rounding up and the value of a chip, I usually just save the dust to consolidate with a later session.

As for exchanges and privacy (and possibly anonymity) I've been on the fence about ShapShift from the start.  They looked pretty suspicious to me at first, but I may give them a try sooner or later.  The only thing you need for an account is a seed-phrase and a password.  The app will generate a Bip39 seed which can be restored in Electrum with the appropriate derivation path, and Ethereum wallets for ETH and tokens.  You can also use MetaMask or a hardware wallet to establish and login to an account.  They don't even ask for an email address.  I haven't looked to deep into the fees or trade limits, but it seems like a viable solution for small trades.

Personally, I have never partaken in lotteries, let alone provably-fair ones,  because both statistics and probability theory clearly shows that the chances of winning in such lotteries are rather slim. Why spend money on things that will likely turn out to be unpleasant for your person? Anyway, what problem are we trying to solve by creating a relatively random algorithm to consolidate unconnected UTXOs? If the goal of this approach is to get rid of annoying small chunks of Bitcoin clogging up the blockchain, making it a neat place for everyday transactions, then yes, I would buy that. Today there are no effective ways to clear the blockchain, especially which would also offer chances to win the jackpot for janitor job.

Can this be used as a mechanism to provide a certain level of anonymity for users that have chosen to give up some of their UTXOs for a greater good? I highly doubt it. The biggest concern is that this service is run by someone who has custody over funds. If a platform is custodial, what prevents its owners from running away with collected jackpot? If it works perfectly anonymizing all outgoing transactions, how can we catch owners that turned out to be malicious?

That's actually a pretty good idea. Instead of leaving it to a centralized entity (such as a 3rd party service) or to a smart contract - which will probably get hacked anyway - this algorithm could be built directly into the Bitcoin Core codebase.

The downside of this though is that it'll make the software more like some money-making machine instead of a node for verifying bitcoin blocks & transactions (it's intended purpose).


Or, how about a variation of LoyceV's suggestion: Instead of holding a "lottery", all dust (where dust is defined to be anything below 10000 satoshis)  could be detected by  the Bitcoin Core wallet and auto-spent to one of Satoshi's addresses (since we know that he will never return, it won't be spent).

This would obviously be an opt-in setting on the Preferences page, and would be a very effective way to burn dust (provided that other wallets follow suit) butit has the disadvantage of putting a backdoor inside the blockchain, so it's probably a bad idea in its present state.

Two downsides to this: It still clogs up the UTXO set each node has to keep with a bunch of dust outputs, and they eventually will be spent when quantum computing advances to a sufficient degree to break the ECDLP and all the early P2PK addresses become vulnerable. A better option would be to simply add on any dust to the fee. Then it creates no unnecessary UTXOs, and at least it goes to honest miners rather than some future dishonest criminal. If you really wanted to burn the dust instead, then an OP_RETURN output is both unspendable and does not add to the UTXO set.

I find a proper burn address (like 1BitcoinEaterAddressDontSendf59kuE) already a better choice than Satoshi's.
But yes, that means unnecessary tx if one wants to burn and the other 2 options are much much better.

I believe the idea is that if you do this long enough (this is the catch, though), statistically, you'll get as much out of the lottery as you put in. So if you deposit a thousand 1,000 sat UTXOs, eventually, you're guaranteed to win a whole 1,000,000 sat pool.
But it's a little bit like the Martingale strategy [1], where there is a very slim chance that you need e.g. to play this proposed lottery millions of times, even though you'll eventually win an even larger jackpot of e.g. 1BTC. But for that you would statistically need to also deposit 100,000 times, if you only send 1,000 sat every time. If this is once per day, it would still take you over 270 years to win that 1BTC and get all your deposits back.

This is a great idea, honestly, just gift those dust outputs to the honest miners that nicely secure the whole network. Makes sense!

[1] https://en.wikipedia.org/wiki/Martingale_(betting_system)

Please explain to a technically incompetent person what you mean when you say "gift." As far as I know, there is no direct way exists to convert an unspent output to a transaction fee without also creating another output. A transaction fee is a difference between inputs' aggregated value and outputs' aggregated value. So, in order to donate miners all my inputs, I would need to create a transaction with zero outputs, which is likely against consensus rules. On the other hand, even if it is possible to create an output of zero value, then it still won't solve the problem of clogging up with unspendable UTXOs (instead of small amount UTXOs, the blockchain will be spammed with zero amount UTXOs).

O_e_l_e_o's "add on any dust to the fee" was meant to happen before you have dust in your wallet. So, for example, instead of sending 1 Bitcoin with 1000 sat fee and 1000 sat change, you send 1 Bitcoin with 2000 sat fee and no change.

Yeah, what Loyce said. Or, you can absolutely create transactions which spend all the inputs as a fee, with 0 BTC in the outputs. Here are a few examples:

https://mempool.space/tx/9dc862cee6597a1748e4a1304be17c082a075eae243ce54432b47d5c300345a9
https://mempool.space/tx/8c307f3efe1b384f3b8528d3ed9ec62e0323358457826bd6731d64de9e3b7935
https://mempool.space/tx/eb31ca1a4cbd97c2770983164d7560d2d03276ae1aee26f12d7c2c6424252f29

Because these all only create OP_RETURN outputs which are not stored in the UTXO set they therefore don't clog up anything.

This txid nicely shows why not to do this: the $11 worth of "dust" they burned 9 years ago is now worth $3800. So keep it, guard it, label it. Then Lock it (in Bitcoin Core) or Freeze it (in Electrum) so you don't accidentally consolidate it. And then wait:

Ah, now I see: this privacy-enhancing technique is often referred to as "change avoidance" where you are actively practicing careful coin control not to create unnecessary outputs. The downside of this is that you have to do all these adjustments manually while doing some mathematical calculations in your head, trying to figure out which step doesn't break your anonymity set. I would like to see bitcoin wallets that have some in-built fee adjustment mechanism aimed at guarding my privacy. For example, when I make a transaction and accidentally create unspendable small outputs as change, a wallet warns me about that and offers me to slightly increase or decrease the fee rate.


In other words, OP_RETURN outputs are no longer part of bitcoin supply.

I don't think you can really automate this, it varies per transaction and depends on the label of each input. I prefer manual Coin Control in Bitcoin Core, and Advanced Preview in Electrum (both can be enabled in Settings).

Most wallets don't even warn you when you use an input that costs more in fees than it's worth (say 1000 sat from a legacy input while you pay 10 sat/byte fee). I've seen so many transactions that would have have more change if they would have used less inputs.

The funds are now owned by the miner (and the Bitcoin supply wasn't reduced).

---

---

This topic reminded me to do some wallet maintenance, so yesterday I cleaned up 8 inputs.
The minimum amount at my favourite instant exchanger often changes. Today it's 36k sat, yesterday it was 3.6k sat. I thought it would depend on the transaction fee, but at the moment, transaction fees (https://jochen-hoenicke.de/queue/#BTC,24h,weight) are as low as it gets.
Exchange rates for small amounts aren't the best, but it still beats collecting dust. I also made a payment for which the change was exchanged instantly (into my low-fee altcoin wallet which I use to pay services (such as VPN)).

I believe the idea would be to have an option before signing a transaction to say 'no change please' which increases the transaction fee to the point where there's no change generated; just output to the other party and change. That should be possible to do automatically.

Electrum does this, to an extent. If you try to create a change output which would be dust, it automatically adds it on to the fee instead (and shows you a little icon you can hover over for it to explain what it has done).

Correct.

Not correct. Coins sent to OP_RETURN outputs are forever locked within that output and are provably unspendable. They do not belong to the miner and can indeed be subtracted from the total supply, since they will never move. Indeed, each instance of Bitcoin Core will automatically remove any such coins from its database.

You would need two servers for what you describe to work. Nicehash might tell inquiring minds that you mined at server xyz with an IP address of 1.2.3.4, and when the government inquires with the various pools, they could ask if anyone connected from IP address 1.2.3.4, however if server xyz forwards the work to server ABC with an IP address of 4.2.2.1, which subsequently forwards the work onto the pool, even if the government were to find the pool you were mining on, they would have no way of knowing the work originated from nicehash, nor the server that nicehash knows about.

Your intermediary server(s) could split up the hashrate among multiple pools. If you are only mining on an unknown pool for a short time, I don't think there would be a lot of candidate miners who meet any given hashrate estimate.

Unless they're chasing a specific money flow, I don't expect government to dig this deep. Here, it's quite simpel: when you sell a substantial amount of Bitcoin for fiat on your bank account, they'll ask you where the money came from. It's up to you to explain the money is legit.
Banks have to report "unusual transactions", after which government doesn't really know what to do with them (link in Dutch) (https://www.trouw.nl/economie/tienduizenden-witwasmeldingen-amper-strafzaken-soms-lijkt-het-of-het-hele-meldsysteem-voor-niets-is~b03c7f64/).

I'm not trying to hide transactions from government, they want to know far too much from me already. But I'm still careful selecting which inputs to link together.

You can do that, but that would contribute to more added latency which is something you want to avoid when mining, going from NH to sever 1 > server 2 > Mining pool might not work perfectly, it will certainly work but the number of stale/rejected shares might be a bit high which would result in an overall more expensive operation than it already is.

I still think using a decentralized pool is the best approach, from NH > P2Pool is going to be very low latency, without any added cost, if the government manages to get your details from NH, there will be little to nothing of info.

The added latency would be an added cost to your privacy.

Using P2Pool may be an option to reduce your cost, and there would not be anyone for the government to talk to. However the government may be able to deduct the P2Pool blocks, and look at the hashrate you rented from NH (and for how long) to make an educated guess as to where your coin ended up.

---

I think in most cases, people who have SARs filed on their transactions/activity are not breaking any laws, and will probably not be investigated. However if there is an investigation involving that person, the government will have those SARs available to help link money flows after the fact.

Maybe a little off-topic, but this is another advantage of Bisq: probably every time you sell BTC for fiat, the money arrives in your bank account from a different sender.
Instead, if you use one or two centralized exchanges, it will always come from those two bank accounts. This way, someone could link your outputs.
1] You send unlinked UTXO A to Binance
2] You cash out the amount to your bank account
3] You send unlinked UTXO B to Binanche
4] You cash out the amount to your bank account

Even though they were unlinked, by sending them to the same exchange and subsequently the same bank account, they can be linked.
Through Bisq, you could even sell one UTXO for fiat received via bank transfer, another for fiat received via Skrill, and another via 'cash in person'.

That's not helping: if I use reputable exchanges, my bank has less to worry about. If I often send/receive money to/from many different bank accounts, they'll have a reason to ask more questions. And it's not as if the bank wants to spend money asking questions, but government forces them to do this. Government also doesn't tell them which questions they have to ask, so banks ask anything they can come up with just to be on the safe side to avoid high fines again.

I'm not sure I follow you here. Can you elaborate?

If some random person is scanning the blockchain for deposits to Binance, they will have no idea about the fiat withdrawals from Binance or the fiat deposits in to your bank account, so they won't be able to use that information to link Binance deposits.
If, on the other hand, we are considering some blockchain analysis company, government, three letter agency, etc., then Binance have probably already shared all your data with them and so your deposits are already linked together without you ever withdrawing fiat.

That's a good counter-argument, true as well. Maybe less questions, but I believe also potentially easier to trace.

For random persons it's not easy, but if you're from / with government, you could get information about bank transfers to your bank account and compare those to Bitcoin deposits on the blockchain of the same size. You're right though, that they can just get that information straight from Binance more easily.

Anyhow; by just depositing BTC into a centralized exchange, it also links your inputs. Even if you get new deposit addresses; they're linked not on the Bitcoin blockchain, but within the Binance system. Not everyone, but certain people can surely get this information from the exchange.

Even if you receive deposits to different bank accounts or even different payment methods, it is possible for the government to get a consolidated view of all transactions you have received by getting information from various banks/payment services.

The above may not apply to those receiving cash in person, although engaging in this type of transaction is generally risky, and has a high risk of you getting scammed, so instead of losing your privacy, you may just lose your money.

You're highly overestimating my government. Sure, they can do this when a team investigates a large crime, but not automated and not on a large scale. Just recently it was in the news their IT system can't handle reducing VAT on vegetables. I'm not even kidding :D
And the information they have, they don't know what to do with (https://bitcointalk.org/index.php?topic=5398949.msg60240171#msg60240171). There's no way they're going to analyze dust transactions.

Sure, it is unlikely that western governments can successfully investigate on a large scale, however, the information is still available, long after the fact. If you argue that the government cannot monitor your financial transactions at scale, you might as well say that you have nothing to hide and take no steps to ensure your privacy.

Privacy goes further than just government. I'm not required to report transactions, we have no capital gains tax. I just report my annual tax overview, and no individual transactions.
So my privacy is limited by the things I'm required to report, and only for taxes (and banks). Other than that, I'm free to hide where I buy my coffee from the rest of the internet.

I'm now completely following the approach of avoiding small change in my wallet. Manually picking a change destination makes each transaction only slightly more work.

If you take reasonable and sensible precautions (trading in well populated area during the day, not sharing unnecessary personal information, not carrying excess fiat or bitcoin, etc.) then trading bitcoin for cash is no riskier than trading anything else for cash, which happens millions (if not billions) of time every day all over the world.

My question then is: What are you doing with your change? I mostly avoid change by not creating any - careful UTXO selection, buying extra goods/services, leaving a tip, adding to fee, etc. You say you are manually picking change destinations instead - where are you sending it that you can still use it a non privacy breaking way? Some kind of instant exchange for Lightning?

Yes.

Yes.

Yes. Or a custodial LN wallet.

Topping up webhosting works too, this one is great to combine with batching payments (which also reduces transaction fees).
I noticed my post missed a word: I was talking about small change, not just any change.
None of these are perfect solutions, but it's much better than consolidating many small inputs at once.

Two further questions then:

• Does this not mean you have zero privacy from the owners of said wallet, who would be able to link several your transactions together by the way of the change outputs being deposited to your account with them?
• Which wallets will accept small on chain deposits and credit you with the same amount on a Lightning channel without taking a significant proportion in fees?

Correct. That's why I don't often do it, it's just one of many options I have. Or transfer funds to another LN wallet again.

BlueWallet doesn't charge anything to deposit, but takes 0.3 to 1% when making LN-payments. Each new LN wallet gives a new deposit addy.
Phoenix Wallet charges 3000 sats minimum when you deposit.
There are probably more LN wallets that can do this, but I don't know the rates for those by heart.

What I mean is: when I sell through Bisq, I get money from a private person and there's no reference to cryptocurrency in the 'reference' field. So I don't know how they'll want to link the individual transfer to Bitcoin, not to speak of linking multiple trades with different trading partners.

It's worth noting that both of these use instant exchanger APIs for this service; I know Breez uses https://boltz.exchange/, though it may be cheaper using this exchanger through the application, since they subsidize it a little. Subsidization may be restricted to just channel opening fees though; so I'm not sure about that.