madu (OP)
March 05, 2019, 09:30:35 PM (Last edit: March 16, 2019, 03:13:12 PM by madu)
Hey,

more than a year ago I wrote my bachelor thesis about mixing services/anonymous bitcoin transactions (yes, bitcoin is pseudonymous). I found some trivial bugs (timing attacks, leakages, XSS, ...) through which nearly all relevant centralized bitcoin mixing services could be broken. Based on outgoing mixing transactions (transactions sent by the mixer) I was able to identify the correct incoming transactions sent by customers (and vice versa).

My thesis is quite easy to understand and the bugs are also trivial; however, at the time of writing, I did not find any specific work related to these problems.

The most important conclusion of my work is that even though a mixing service/a mixing algorithm might seem to be reliable at the moment, through a single leak/implementation fault an attacker could be able to deanonymize any past transaction which has been processed by the mixing service. Even though the leak/implementation fault gets fixed by the service, every transaction which has been processed prior to the fix is irreversibly vulnerable.

bitmixer.io & coinmixer.se are offline now; however, it's still possible to use the bugs I describe in my thesis to reverse nearly all transactions which have ever been processed by these services.

In my thesis, I attacked coinmixer.se (at the time of writing it was the biggest centralized mixing service); however, except chipmixer.com [1], every other centralized mixing service I checked could be broken in a similar fashion.

If there is interest in this topic, I can publish further information (source code, examples, ...) on this topic and the attacks.

Link to my thesis (Python source inside): https://www.dropbox.com/s/3yapwyfz72tvswh/BA_mixing_services.pdf?dl=0

Author: Felix Maduakor
Email: felix.maduakor@rub.de

[1] Chipmixer was the only centralized mixing service which I did not break fully. However, I did not put much work into checking this mixing service.

arnelandvik
March 05, 2019, 09:45:18 PM
Well, I believe that such research should be undertaken in detail and more accurately, although I agree with a lot of the above hypotheses.

MakeMoneyBtc
March 05, 2019, 10:46:03 PM
Wow, I did not expect to see this since I've used a few mixing services and it never came to my mind that their algorithm could be broken. If it was just a regular mixing service that was recently opened then I would understand, but hacking the biggest mixing service existing is a big surprise for everyone that uses it. Anyway, there are so many mixing services existing right now and it's obvious that almost all of them use the same algorithm, and if you can break it then you hack 80% of the websites.

squatter
March 05, 2019, 10:47:36 PM
Quote from: madu
In my thesis, I attacked coinmixer.se (at the time of writing it was the biggest centralized mixing service), however - except chipmixer.io [1] - every other centralized mixing service I checked could be broken in a similar fashion.
[1] Chipmixer was the only centralized mixing service which I did not break fully. However, I did not put much work into checking this mixing service.

I'd be curious what your findings are if you pursue it further. I always thought Chipmixer's approach was superior to the traditional script methods because those can be extensively analyzed and repeated. With Chipmixer, outputs are broken into generic amounts and users extract private keys that aggregate to [deposit amount - donation]. Those keys can be swept at any time. This seems much harder to analyze.

JohnsonX
March 05, 2019, 11:23:43 PM
Thanks for posting, this is very interesting.
Is your conclusion that the specific services have been poorly designed and their implementations are faulty or is an unbreakable mixing service impossible/hard to make?

ETFbitcoin
March 06, 2019, 05:18:53 AM
Thanks for sharing. I took a quick look and while you list lots of attack scenarios, you forgot to mention de-anonymization attacks through a Tor exit or VPN which leak information such as DNS requests (or you intentionally left it out as it's complex enough to make separate research).

You might want to move this thread to Development & Technical Discussion as you'll get more people who are interested or can give better feedback.

P.S. I will add a comment after I'm done reading the paper and/or trying the Python code.

Kakmakr
March 06, 2019, 05:27:30 AM
If this is true, then you can help law enforcement to trace coins that were used in crime. <Some of the bigger exchange hacks that occurred, which used Mixer services to hide the coins>

Did you find any criminal activities and terrorism funding that was presumably done with these Mixer services? Did the 3 letter agencies approach you, like they did with Gavin in the early days, to help them track some of the criminal activities that were done with these services?

Glad to hear that some Mixer services are more secure than others, because we need financial privacy. <The same level as Cash transactions>

Carrelmae10
March 06, 2019, 06:38:51 AM
Thanks for sharing your information here. In the first place, I really didn't have any idea what mixing services are and how they work until I read your thread and found out that mixing services work like this and that they can be broken. I admire you for taking the time to conduct research and explain to the public how mixing services or bitcoin transactions work. This is very informative; thank you again for giving us the result of your study.

elda34b
March 07, 2019, 08:35:12 AM
An important piece of research, but why don't you spend more time on attacking Chipmixer or other mixing services (of course, ideally the biggest ones)? I'm curious how far you will be able to attack reputable mixer services, and if you did successfully hack them, maybe we need to rework how mixing services are built.

mocacinno
Interesting reading material... I've quickly browsed through your attack on coinmixer.se, and my first reaction was that you were able to attack them because they did not include any variation in the creation of their output transactions.

I mean, if a mixer only creates output transactions with version = 2, sequence = 294967294, locktime > 0 and the fee is within a very small range, it should become pretty easy to identify those transactions (and you did).

Don't get me wrong, what you did was a very nice thing... I personally wouldn't have the patience to analyse a mixer's method like you did, and I personally feel that you discovered a huge security flaw in coinmixer.se's mode of operation... However, I can hardly imagine it being impossible to fix these issues... They basically had to generate more "random" output transactions, making sure there isn't a clear pattern in them... If they'd do this, it looks to me like an attack on their service would have been much harder.

That being said: I quickly browsed through your thesis, so I haven't read your exact conclusions (yet), but I really think you did a great job... Raising awareness about security flaws that have been made even by the biggest mixing services is a good thing for the community.

madu (OP)
Thanks for all of your feedback!

Quote from: mocacinno
Interesting reading material... I've quickly browsed through your attack on coinmixer.se, and my first reaction was that you were able to attack them because they did not include any variation in the creation of their output transactions. I mean, if a mixer only creates output transactions with version = 2, sequence = 294967294, locktime > 0 and the fee is within a very small range, it should become pretty easy to identify those transactions (and you did). Don't get me wrong, what you did was a very nice thing... I personally wouldn't have the patience to analyse a mixer's method like you did, and I personally feel that you discovered a huge security flaw in coinmixer.se's mode of operation... However, I can hardly imagine it being impossible to fix these issues... They basically had to generate more "random" output transactions, making sure there isn't a clear pattern in them... If they'd do this, it looks to me like an attack on their service would have been much harder. That being said: I quickly browsed through your thesis, so I haven't read your exact conclusions (yet), but I really think you did a great job... Raising awareness about security flaws that have been made even by the biggest mixing services is a good thing for the community.

Thanks for the feedback. Yes, you are correct, it was pretty easy to identify coinmixer.se's network. However, it was the biggest mixing service at the time and it should be seen as an example of how to break these services. The general problem of these mixing algorithms is that they use generic transactions. Even if every transaction of a centralized mixing service is completely randomized you will be able to differentiate (with a great possibility) generic randomized transactions sent by a mixing service from genuine user transactions.

However, identifying a network does not necessarily imply that transactions of this network can be deanonymized (but in a regulated future you might get some problems trying to use these coins). Generally speaking, the algorithms of coinmixing services are evolving. While the first generation of mixing services could easily be broken through simple taint analysis (bitcoin fog, blockchain.info mixing service), the next generation of mixing implementations needed some more work to be broken (bitmixer.io - timing attack, coinmixer.se - transaction analysis) and with the newest mixing algorithms (chipmixer.com) you might already need heuristic methods.

Quote from: elda34b
An important piece of research, but why don't you spend more time on attacking Chipmixer or other mixing services (of course, ideally the biggest ones)? I'm curious how far you will be able to attack reputable mixer services, and if you did successfully hack them, maybe we need to rework how mixing services are built.

Yes, when I started my research bitmixer.io and after that coinmixer.se were the biggest mixing services. However, I realized that chipmixer.com has a better approach to mixing but was not used that much. Right after my thesis, I began with other bitcoin projects, so I didn't look further into my approaches to attack chipmixer.com. But I see many people are interested in chipmixer.com. As soon as I have time I will look into it again. I think I already have a little Python script.

In general, I would recommend using privacy-driven cryptocurrencies if you want to have privacy in your transactions. But if you really want to use Bitcoin, then chipmixer.com might be the best solution for now. But remember, bitmixer.io and coinmixer.io were the best solutions in their times. Today you are able to identify and deanonymize nearly all transactions which have been made through these services. If someone used these services to anonymize their criminal activities they might still get caught.

Quote from: Kakmakr
If this is true, then you can help law enforcement to trace coins that were used in crime. <Some of the bigger exchange hacks that occurred, which used Mixer services to hide the coins> Did you find any criminal activities and terrorism funding that was presumably done with these Mixer services? Did the 3 letter agencies approach you, like they did with Gavin in the early days, to help them track some of the criminal activities that were done with these services? Glad to hear that some Mixer services are more secure than others, because we need financial privacy. <The same level as Cash transactions>

Yes, it would be very interesting to check if/how many criminals use these kinds of services. I remember my professor also asked me this question. But I have worked on other projects right after my thesis, so I didn't follow up on this. Actually I did not publish my thesis till now, because I worked on other cryptocurrency-related projects. This is the first place I publish it.

Quote from: ETFbitcoin
Thanks for sharing. I took a quick look and while you list lots of attack scenarios, you forgot to mention de-anonymization attacks through a Tor exit or VPN which leak information such as DNS requests (or you intentionally left it out as it's complex enough to make separate research). You might want to move this thread to Development & Technical Discussion as you'll get more people who are interested or can give better feedback. P.S. I will add a comment after I'm done reading the paper and/or trying the Python code.

Thank you! Yes, I completely forgot network attacks. I remember that I thought about it - don't know why I didn't add it.

Quote from: JohnsonX
Thanks for posting, this is very interesting.
Is your conclusion that the specific services have been poorly designed and their implementations are faulty or is an unbreakable mixing service impossible/hard to make?

My conclusion is that breaking mixing services can be compared to cracking/reverse engineering software. While some years ago it was pretty easy to crack software, in today's world it got way harder. However, in both cases, attackers will always be able to break it.

angel55
March 07, 2019, 05:36:19 PM
This is why anyone serious about privacy just uses privacy coins. Why go through all the hassle of mixing when it's not even foolproof? Serious sellers on the darknet only accept privacy coins.

olumyd
March 07, 2019, 08:12:23 PM
Quote from: madu
If there is interest in this topic, I can publish further information (source-codes, examples, ..) on this topic and attacks.

I'm definitely interested, sent you a pm.

nopara73
March 08, 2019, 03:24:35 PM
It is terribly chatty for me. I'd like to check if my quick glance takeaways are correct:

1. First you identify a traditional mixing service's transactions.
2. Then you mess around with the possible timeframes for the mixes.
3. Finally you do a subset-sum analysis. (Amount based analysis of mixing inputs and outputs.)

Thus you get most of the links between incoming and outgoing transactions, except those that happen to be equal within the appropriate mixing window.

Is this a fair way to describe what you did?

buwaytress
March 08, 2019, 03:41:06 PM
Good job, I do think you've got a bright future with one of them blockchain analytics firms or at least as an independent consultant, you know compliance in fintech and crypto is coming up big time, particularly with the currently problematic area of identifying the UBO (ultimate beneficial owner) with crypto transactions as part of AML/KYC compliance.
I'm curious if these methods would work with CoinJoin transactions, particularly with those wallets where there aren't many users (I guess that means all).
On the note of traditional mixers, Mixing has been due an overhaul for a while now! I may say this with some bias, but ChipMixer's really been the only service to have innovated on the standard model of tumbling, and I suppose it's always a matter of time before a new method is cracked.
Also, I've sent you a DM, hoping to be able to get a bit more coverage of this elsewhere. Hopeful for a response.

Stedsm
March 08, 2019, 04:56:18 PM
What kind of attacks did you exactly make? I'm keen to know them and understand all of them in a much better way if you could elaborate it well. Also, how can you consider the mentioned mixer services to be centralized?
You may find it stupid but I wish to ask one more question here, that when you're able to attack these services (don't know exactly the type of attack, but still a query in my mind), weren't you able to fetch transactions done by XMR and Dash users? It'd be a threat to these alts if you or any dev will be able to fetch the real transactions among the mixed ones as well as I believe you already are a fear to all of us who use these services because if this is actually true, what's the meaning for anyone to use a mixer?

Naster
March 11, 2019, 01:18:22 PM
Very interesting findings, dear Felix. You did an excellent job!
Just like someone said, raising awareness about security flaws that have been made is a very good thing for the community.
Technologies are getting better daily, making out of it a wheel where Tom & Jerry are gaming...
I will give a try to your thesis. Thanks a lot for sharing it with us!

madu (OP)
Quote from: nopara73
It is terribly chatty for me. I'd like to check if my quick glance takeaways are correct:
1. First you identify a traditional mixing service's transactions.
2. Then you mess around with the possible timeframes for the mixes.
3. Finally you do a subset-sum analysis. (Amount based analysis of mixing inputs and outputs.)
Thus you get most of the links between incoming and outgoing transactions, except those that happen to be equal within the appropriate mixing window.
Is this a fair way to describe what you did?

Yes, you could define it like that. But generally speaking there are only two big steps:

1) Identify mixing service transactions within blockchain data
2) Find an algorithm to connect input transactions to output transactions

The method of solving each step is based on the implementation of the mixing service. In case of coinmixer.se the first step could be solved by analyzing transaction data and the second step could be solved by analyzing the transaction flow and transaction data. In case of bitmixer.io both steps could be solved by analyzing transaction data - no transaction flow is needed here.

Quote from: buwaytress
I'm curious if these methods would work with CoinJoin transactions, particularly with those wallets where there aren't many users (I guess that means all).

There is a lot of interest in this topic. I will definitely also look into decentralized mixing protocol implementations. However, I will focus in my next work on chipmixer.com and some privacy enhancing coins (dash, monero, zcash) as this seems a very challenging and interesting task.

Quote from: Stedsm
What kind of attacks did you exactly make? I'm keen to know them and understand all of them in a much better way if you could elaborate it well. Also, how can you consider the mentioned mixer services to be centralized?
You may find it stupid but I wish to ask one more question here, that when you're able to attack these services (don't know exactly the type of attack, but still a query in my mind), weren't you able to fetch transactions done by XMR and Dash users? It'd be a threat to these alts if you or any dev will be able to fetch the real transactions among the mixed ones as well as I believe you already are a fear to all of us who use these services because if this is actually true, what's the meaning for anyone to use a mixer?

Mixing services work like black boxes. You put your coins in, some "magic" happens and you receive anonymized coins. Since Bitcoin is purely transparent and you are able to analyze each transaction in blockchain space you have enough data to identify and deanonymize transactions regarding the mixing service. You just have to filter all blockchain data which is not interesting for you and analyze the rest.

These services are purely centralized, since you send your coins to a centralized party. If the mixing service wants to steal your coins - they definitely are able to do this. Just remember: whenever you lose the control over your coins and some party is able to steal your coins - it is a centralized service. In decentralized mixing/tumbling no centralized party is able to steal your coins.

I did not look into the specific implementation of dash, monero, zcash. Generally speaking the difference between the mentioned cryptos and bitcoin is that bitcoin is not meant to provide privacy while the main focus of monero and zcash is privacy. They are built in a way to provide privacy, while in bitcoin some services try to implement algorithms to provide privacy on a cryptocurrency which is not meant to guarantee privacy.
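
An added illustration, not code from the thesis or from any poster in this thread: a privacy self-check that counts, for each deposit in one mixing window, how many sets of payouts are consistent with it by amount alone. It shows why the amount-based step discussed above stops working when payouts "happen to be equal", which is the property of the generic-amount design squatter describes. All amounts, the 1-3% fee band and the three-output limit are constructed assumptions.

```python
"""Amount-ambiguity check for one mixing window (constructed data, satoshis)."""
from itertools import combinations


def candidate_links(deposit, payouts, fee_lo_bp=100, fee_hi_bp=300, max_parts=3):
    """Return index tuples of payouts whose sum equals the deposit minus a
    fee between fee_lo_bp and fee_hi_bp basis points (assumed fee band)."""
    lo = deposit * (10_000 - fee_hi_bp) // 10_000
    hi = deposit * (10_000 - fee_lo_bp) // 10_000
    hits = []
    for k in range(1, max_parts + 1):
        # Work on indices: two payouts of equal value are still distinct outputs.
        for combo in combinations(range(len(payouts)), k):
            if lo <= sum(payouts[i] for i in combo) <= hi:
                hits.append(combo)
    return hits


def ambiguity(deposits, payouts, **kw):
    """Number of amount-consistent payout sets per deposit, in deposit order."""
    return [len(candidate_links(d, payouts, **kw)) for d in deposits]


def uniquely_linked(deposits, payouts, **kw):
    """Deposits with exactly one consistent payout set, i.e. no cover at all."""
    counts = ambiguity(deposits, payouts, **kw)
    return [d for d, n in zip(deposits, counts) if n == 1]


# Constructed window 1: the mixer pays out arbitrary amounts (deposit minus ~2%).
ARBITRARY_DEPOSITS = [150_000_000, 73_500_000, 21_000_000]
ARBITRARY_PAYOUTS = [100_000_000, 47_000_000, 72_000_000, 20_500_000]

# Constructed window 2: the mixer pays out only in one generic denomination.
FIXED_DEPOSITS = [16_400_000, 16_400_000, 8_200_000, 8_200_000]
FIXED_PAYOUTS = [8_000_000] * 6


if __name__ == "__main__":
    for name, deps, pays in (
        ("arbitrary amounts", ARBITRARY_DEPOSITS, ARBITRARY_PAYOUTS),
        ("fixed denomination", FIXED_DEPOSITS, FIXED_PAYOUTS),
    ):
        print(name)
        for dep, n in zip(deps, ambiguity(deps, pays)):
            print(f"  deposit {dep:>11} sat -> {n} consistent payout set(s)")
        print(f"  deposits with no cover: {len(uniquely_linked(deps, pays))}")
```

A count of 1 means the amount alone ties the deposit to its payouts; larger counts are the cover a deposit actually gets in that window, before timing and transaction metadata are taken into account.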

PrimeNumber7
March 12, 2019, 09:58:44 PM
It looks like a major problem with coinmixer.se is their transactions all had multiple unique variables. If a mixing service were to use multiple node/wallet implementations to create and sign transactions, and use randomized values for the variables you found to always be constant with coinmixer.se transactions, it might be more difficult to determine their "network", or there would be a lesser degree of certainty as to which transactions are part of their network.

An attacker using their service is ultimately a massive, unavoidable data leak. Your 20 "test transactions" during that week accounted for more than 1% of their weekly transactions.

When bitmixer closed, they made a very interesting comment:

Quote:
When we started this service I was convinced that any Bitcoin user has a natural right to privacy. I was totally wrong. Now I grasped that Bitcoin is transparent non-anonymous system by design.

This appears to imply they believe similar research was done successfully on their mixing service, and did not want to give their customers a false sense of security/privacy.