Bitcoin Dust

[kryme]

Can someone explain this article in more simpler terms (maybe with examples/pictures?) I'm confused on how this makes it easier to track wallet addresses to IP addresses.

More specifically the following:

Entities conducting blockchain analytics may use dust to deanonymize users and their wallet addresses. The idea is to create enough deterministic links between the analysis firm’s wallets and the recipient addresses. Once these links are created, the firm can run analysis using the data it collects to trace IP addresses to the recipient wallets.

“When the dust is consolidated with the user’s other funds, it helps with chain analytics by making it easier to cluster addresses,”

https://www.coindesk.com/dust-attacks-bitcoin-wallets

[1714077299]

1714077299

[1714077299]

1714077299

[o_e_l_e_o]

Dust attacks help to link addresses together by watching for them being used as inputs in the same transaction.

Let's say you made a transaction out of Address A. You also made a separate, unconnected transaction out of Address B. You also own Address C. There is, at the moment, nothing linking those three address. I send a few hundred satoshis to a few dozen addresses I think might belong to you, including Address A, B, and C. When you next go to make a transaction out of Address C, your wallet automatically consolidates all the small inputs, and so Addresses A, B, and C all show up together as inputs to the same transaction. Based on that, it is highly likely that all three addresses are owned by the same person.

Now, there is no link stored on the blockchain between bitcoin addresses or transactions and IP addresses, so I'm not entirely sure what the article is getting at when it talks about "tracing IP addresses". The only way to attach IP addresses to transactions is when they are broadcast, so if an attacker ran enough nodes and you then broadcast a transaction from an address which they had already identified to one of their nodes, then they could potentially link your IP address to your bitcoin addresses that way.

The simple way to avoid this is to never reuse addresses, and if you do get sent dust to your addresses, do not spend it.

[kryme]

Thanks for the explanation, I get it now.

[RHavar]

Now, there is no link stored on the blockchain between bitcoin addresses or transactions and IP addresses, so I'm not entirely sure what the article is getting at when it talks about "tracing IP addresses".

The article links to this explanation of what it means. It's probably reasonably effective in the hands of a skilled attacker, when the sender uses the standard relay network in a normal fashion

[kryme]

Now, there is no link stored on the blockchain between bitcoin addresses or transactions and IP addresses, so I'm not entirely sure what the article is getting at when it talks about "tracing IP addresses".

The article links to this explanation of what it means. It's probably reasonably effective in the hands of a skilled attacker, when the sender uses the standard relay network in a normal fashion

That explanation has nothing to do with dusting though? I realize you can track addresses to IPs via running a node, I just wasn't sure how dusting would make it easier as the article claims.

[odolvlobo]

... and if you do get sent dust to your addresses, do not spend it.

You can defeat the dust attack if you spend the dust in a coinjoin transaction.

[o_e_l_e_o]

You can defeat the dust attack if you spend the dust in a coinjoin transaction.

I still wouldn't.

Wasabi, for example, sets the dust limit to 5000 sats, and any input below this will not be displayed. If you were to edit this so you can include transactions down to 546 sats, and then included more than one of these inputs in a coinjoin, because such inputs are uncommon in a coinjoin an attacker could still link them together with a fairly high degree of certainty.

I suppose if you were to only include one dust input per coinjoin you could slowly use up all the dust, but at that point, is it really worth it?

[nc50lc]

You can defeat the dust attack if you spend the dust in a coinjoin transaction.

I still wouldn't.

I usually donate them to random and personal "black-hole" addresses.
That way, the attackers' funds might help the trading price by decreasing the supply a bit. I'm not receiving/producing a lot of dust anyways.

[bob123]

I realize you can track addresses to IPs via running a node, I just wasn't sure how dusting would make it easier as the article claims.

It doesn't.

Most articles you can find online about something crypto related are full of wrong information.
I rarely see good articles without any major mistakes.

However, depending on the wallet you are using, you might be linking your IP and your addresses together all the time.

If you aren't using a full node or a privacy-orientated lightweight wallet (e.g. wasabi), you are most likely leaking information about you towards the server fetching all information from the blockchain.

[kryme]

I realize you can track addresses to IPs via running a node, I just wasn't sure how dusting would make it easier as the article claims.

It doesn't.

Most articles you can find online about something crypto related are full of wrong information.
I rarely see good articles without any major mistakes.

However, depending on the wallet you are using, you might be linking your IP and your addresses together all the time.

If you aren't using a full node or a privacy-orientated lightweight wallet (e.g. wasabi), you are most likely leaking information about you towards the server fetching all information from the blockchain.

Interesting. I've really only used exchange wallets to send/receive, but have dabbled with Bitcoin Core a little bit. I guess my confusion came with not realizing the "dust" from multiple addresses in one wallet would all consolidate. I guess if you've linked an IP to 1 address and then do this dust attack and link new addresses to that original address then you link the IP to all addresses...which I guess makes it easier to trace IPs?

[RHavar]

That explanation has nothing to do with dusting though? I realize you can track addresses to IPs via running a node, I just wasn't sure how dusting would make it easier as the article claims.

The intuition is simple: Each time you create a transaction, there is a (large) potential to leak information. Attackers can use heuristics to guess your ip address. Or guess you're using tor (which itself is interesting information) and most powerfully: guess what other addresses you own (if the transaction spends from/to other addresses).

Normally someone only uses an address once, so you only get to apply these heuristics once. But if you send money to an address, you might get them to make an additional transaction. It's not particularly economical to send people large amounts of money, so you generally send them the smallest you can (AKA dust).

[ranochigo]

Interesting. I've really only used exchange wallets to send/receive, but have dabbled with Bitcoin Core a little bit. I guess my confusion came with not realizing the "dust" from multiple addresses in one wallet would all consolidate. I guess if you've linked an IP to 1 address and then do this dust attack and link new addresses to that original address then you link the IP to all addresses...which I guess makes it easier to trace IPs?

You can potentially use the link to establish that a set of addresses belongs to a specific group of people. Using the dust attack is more to identify which groups of addresses likely belongs to the same person.

IP addresses is already leaked if you're using non-privacy oriented wallet clients. It can be determined to a certain degree of accuracy that some addresses belongs to the user behind that IP address. The dust attack is solely used to determine the links between addresses.

[bob123]

I guess if you've linked an IP to 1 address and then do this dust attack and link new addresses to that original address then you link the IP to all addresses...which I guess makes it easier to trace IPs?

Sure, if you already know an IP address associated to a bitcoin address, linking the same IP to other addresses happens automatically when you link different BTC addresses together.
But finding out an IP address itself is not made easier with the dust attack. And that's somewhat the statement from the article you have linked.

[RHavar]

But finding out an IP address itself is not made easier with the dust attack. And that's somewhat the statement from the article you have linked.

Sorry, but you are not quite correct.

Let's say I have a bunch of spy-nodes observing the network. And I'm interested in knowing more about a particular address. First a transaction spends from that address, and with my spy nodes, I find it looks like IP address X originated the transaction. But there's a lot of noise and uncertainty to the point that the observation on its own is ~worthless. But lets say I now send dust to that address, and it again gets spent by what also looks like the IP address of X. Now I might have enough confidence to actually believe that X ip address originated the transaction.

And also, don't forget that all the analysis techniques kind of "signal boost" or "back propagate" () each other. e.g. the dust attack might link cause you to spend from an address is well-understood (e.g. a withdrawal address you made from a chainalysis powered exchange) and you have just clusted your entire wallet to your personal information. Like even tiny privacy leaks can end up causing outsized implications.

I've had (indirect) access to chainalysis and was able to run a few little experiments, and I think people don't appreciate how wtf effective they can be (and if they did, there would be more energy at trying to fix some low-hanging fruit of privacy leaks, e.g. (bip69 vs normal wallets).

The silver lining though, is that the analysis techniques are very fragile. Like my hunch is if we got 1% of transactions to now use bip78 it would cause a catastrophic increase in uncertainty in attackers models.

[kryme]

But finding out an IP address itself is not made easier with the dust attack. And that's somewhat the statement from the article you have linked.

Sorry, but you are not quite correct.

Let's say I have a bunch of spy-nodes observing the network. And I'm interested in knowing more about a particular address. First a transaction spends from that address, and with my spy nodes, I find it looks like IP address X originated the transaction. But there's a lot of noise and uncertainty to the point that the observation on its own is ~worthless. But lets say I now send dust to that address, and it again gets spent by what also looks like the IP address of X. Now I might have enough confidence to actually believe that X ip address originated the transaction.

But is it practical considering many ISP gives dynamic IP by default and static IP usually costs more, which limit the attacker from finding IP to only to finding nationality of the owner of certain address?

If it's the government (or someone working for the gov) tracking down the IP, they can just subpoena the ISP to get the psychical location that was assigned the IP at the time of the transaction..

[ranochigo]

If it's the government (or someone working for the gov) tracking down the IP, they can just subpoena the ISP to get the psychical location that was assigned the IP at the time of the transaction..

It'll be easier than that. The ISP just need to determine the subject of interest and monitor their traffic. Since the traffic is unencrypted, the ISP can easily see the information being transferred. ISP can determine with a pretty high certainty which transactions originate from the node.

They just need to connect to a VPN and the certainty would drop drastically.

[RHavar]

But is it practical considering many ISP gives dynamic IP by default and static IP usually costs more, which limit the attacker from finding IP to only to finding nationality of the owner of certain address?

The point I was trying to make earlier though is that even small amounts of privacy leaks can end up add (multiply?) up to be a big deal. And it's really hard to imagine or enumerate all the different ways that can happen.

Like even if the ip address is changing, but they come from the same residential ISP -- the can be incredibly valuable -- as those (dynamic) ip addresses will generally geo-locate you to a ~city type level. I might be using some totally unrelated data to suspect person X of making those transactions. I know person Y lives in a particular city. And it appears the transaction originates from city Y.

So not only does this increase my confidence that person X made the transaction, but it also strengthens my confidence in the information that lead me to that track in the first place. Which sort of feedback to how easily people underestimate the affect of slight privacy leaks.

Fair enough, but government is just one of possible attacker. Not all attacker have money or resource like government.

Don't make the mistake of thinking government accessible data is only accessible to the government. I had private information (that I provided directly to law-enforcement and no one else) come back and be used to harass me (via a leak?). And I've seen various (failed) attempts at "social-engineering" by court orders for information (and even specific action!) that have been caught (and only because some services notified me of pending requests, and I warned them to triple-check for authenticity). I am almost 100% sure various stuff went through without me even knowing about it.

In short: If someone knew your IP address and a time, and they forged a subpoena to get your information. There's a very large chance they would get it.

[fillippone]

A few time ago I wrote a post detailing what is a Dust Attack and how avoiding doing stupid things when you get caught in one:

Dust Attack, what it is, why it is dangerous and how to prevent falling to it

There are no pictures, but I think it is pretty simple and it should help you!

Of course comments are welcome!