FuckTheRIAA

FuckTheRIAA OP wrote (edited)

On September 30th, Chainalysis and Integra FEC won the contract to develop a Monero tracing tool for the IRS. CipherTrace's already existing system wasn't selected, so I'm going to guess that CipherTrace's system was more bark than bite.

Some positive viewpoints to end on:

https://old.reddit.com/r/Monero/comments/j4xscl/a_positive_view_of_the_recent_chainanalysis_news/

https://www.coindesk.com/spagni-fluffypony-monero-cryptographers-one-step-ahead-regulators

TL;DR:

Until CipherTrace produces any proof, their Monero tracing tool looks more like vaporware than anything else. The system is probably highly reliant on information provided by centralized exchanges, so stick to private sellers on decentralized exchanges. Ransomware groups might be traceable due to the sheer number of victims they've pissed off that will happily provide information to investigators, but that's just karma. I don't think people using Monero for transactions on a small scale have to be concerned right now, but I'm not an expert. If I had to place a bet between the 146 developers that have contributed to Monero since 2014 and a company that can't even get the facts right and that the IRS didn't even want to deal with, my money would be on the Monero developers.

Regardless, Monero is the most anonymous electronic payment system right now and probably will be for a long time. The only other option that offers better anonymity is sending cash by mail to the few companies that accept it - and hoping that the money doesn't "get lost" - or not transacting at all.

2

FuckTheRIAA OP wrote (edited)

There have apparently been some recent developments regarding Monero tracing. On August 31st CipherTrace published a press release claiming that they have "developed tools for the U.S. Department of Homeland Security (DHS) to track transactions of notoriously difficult-to-trace privacy coin Monero (XMR)". They have yet to provide any proof that this actually works. A CipherTrace employee made a thread on /r/Monero to discuss the company's Monero tracing tool.

While the product is not suitable for Anti-Money Laundering purposes just yet, Jefferies mentioned that ransomware cases involving Monero can be traced back to sources.

Source: https://cointelegraph.com/news/ciphertrace-develops-monero-tracing-tool-to-aid-us-dhs-investigations

Jevans [the CEO of CipherTrace] then confirmed Noether’s assessment by saying the tool uses statistical analysis to narrow the field of search. But he was unable to give more details on how this model determines statistical significance.

“to develop a skeleton, if you will, framework for improving the accuracy of the heuristical search models. And so, using probabilistic models we’re able to trim down the search tree dramatically.”

As such, despite the fanfare, the tool developed by CipherTrace is not capable of directly tracing ring signers. With that, Monero stakeholders can breathe a sigh of relief as its protocol remains private.

Source: https://web.archive.org/web/20200923105848/https://www.newsbtc.com/2020/09/01/is-ciphertraces-monero-tracking-tool-as-effective-as-it-claims/

A lot of Monero experts including developers doubt that CipherTrace is able to trace Monero:

I do believe however that in the case of the claim regarding Monero made by CipherTrace there is a valid signal among the noise. This is because the senders of XMR in response to a ransomware extortion have a very strong incentive to provide law enforcement with all the details of their payments to the ransomware extortionist. If there are enough victims it may be possible to barely overcome the current ring signature decoys in Monero. Basically this is a very large E ---> A ---> E attack, that has been documented beforehand in Breaking Monero. Interestingly a simple mitigation for a merchant accepting Monero against this attack is good customer service. This of course is not possible for extortion via ransomware which is why I suspect CipherTrace picked this particular example.

-ArcticMine, Monero Core Team

Their description doesn’t make any sense - you can’t deduce Monero addresses even if you know the funds originated from a particular transaction. I’m highly skeptical that they’ve created anything more than a visual block explorer.

-Riccardo Spagni, former Monero lead maintainer

There is no reason to think there is anything novel going on here until proven otherwise.

The most likely answer is they're using methods developed by the Monero community to improve Monero to de-anonymize some specific transactions with external data. The Monero community has long been at the forefront of privacy research in an effort to build stronger tools, as evidenced by the Breaking Monero series:

https://www.youtube.com/playlist?list=PLsSYUeVwrHBnAUre2G_LYDsdo-tD0ov-y

The MRL (and others in the community) are the leading experts on this type of thing. We are available in #monero-research-lab to answer any questions CipherTrace or others may have about state-of-the-art known methods for analysis of the Monero blockchain, and have tools readily and freely available to do so. There are numerous errors in understanding of Monero in the article, both by CoinTelegraph and CipherTrace, but I won't get into those details here. Without details, there isn't really anything to discuss. Some vague information provided by CipherTrace in this article is not possible without external data (like KYC information from exchanges). Further, we find any conclusions that such methods would be broadly applicable to modern transactions to be highly suspect. As the saying goes, that which can be claimed without evidence can be dismissed without evidence. If you have questions that come out of this hit-piece, please feel free to DM me or jump into IRC/Matrix to chat about it.

Another great example of how poor journalism is in this space

-Seth Simmons, information security engineer

First, this article sources all of its claims from the company's own press release, and does not appear to verify them in any way. I would personally therefore treat any conclusions as suspect without further details or evidence.

While research is always ongoing in this area, I would be very surprised if this company has discovered some novel method of analysis that isn't already known from years of open research by the Monero communities and other academic and industry researchers. I would be even more surprised if they had a method that is broadly applicable to modern transactions, or that does not require significant and specific external data to draw definitive conclusions, like that from exchanges. They likely attempt to draw known statistical inferences from on-chain structures or external data, but again, it's not possible to know since they aren't saying.

It's important to note that there are certainly particular circumstances and scenarios where effective privacy can be reduced while using Monero, and we discuss many of them in the Breaking Monero series; importantly, we discuss them in context.

I like Hitchens's Razor:

What can be asserted without evidence can also be dismissed without evidence.

This doesn't mean that research into methods of analysis isn't important, nor that we shouldn't continue to make better protocols and tools; on the contrary, this research and development has been done for years and continues to be done, regardless of what companies claim they can do.

-Sarang Noether, Monero Research Lab

It is extremely unlikely that CipherTrace can trace Monero to the remote extent that they can trace any other coin. We have not seen any specific details by CipherTrace on the effectiveness of their tracing tool. If we were provided these, we would be happy to discuss them and the risks they pose, either in theory or in practice. Without specific information, any speculation is just that: speculation. We find it extremely unlikely that CipherTrace can learn actionable information about the vast majority of modern Monero transactions, or that they have come up with a substantially novel method.

Research will continue to advance Monero's privacy regardless of claims made by CipherTrace or other companies. Should CipherTrace or other companies wish to learn the most up-to-date techniques and methods for Monero chain analysis, we refer them to the Breaking Monero video series or the years of published papers, preprints, and videos on these topics. Monero is lucky to have the world's leading experts review its privacy protections and publish these findings to the public for the purpose of making Monero more resilient to analysis. The first Monero Research Lab paper was published in 2014, and the first Breaking Monero episode was released in 2018. It's obvious that Monero takes substantial measures to stay ahead of leading surveillance methods.

Monero is an open, permissionless network. Thus, Monero is specifically designed to withstand analysis from governments and others who attempt to surveil it. Since we have no reason to believe that there are new ways of trying to trace Monero transactions, nor any indication of their effectiveness, Monero users can continue to transact in confidence. While no privacy tool is perfect, Monero remains the best tool for the vast majority of people.

-SamsungGalaxyPlayer, Monero contributor

There is speculation that it is nothing but a simple merge analysis, which is a technique that is not new and can be mitigated by self-spending operations.

On September 1st the Monero Core Team made an announcement regarding the CipherTrace news, which included the announcement of an algorithmic innovation:

Additionally, after the CipherTrace press release, Monero Outreach published a description of a new algorithmic innovation to Monero called Triptych. Triptych promises to even further protect Monero users through obfuscation of the limited information CipherTrace appears to use.

Triptych allows the number of funding-source-hiding decoys used in a transaction to surge while blockchain space and processing time drop. Triptych is part of a continual pattern of Monero improvement and was in development long before the CipherTrace announcement.

On September 4th the IRS put out a $625,000 contract for a tool that can trace Monero. It seems like they were not satisfied with CipherTrace's existing Monero tracing tool.

2

FuckTheRIAA OP wrote (edited)

I made a big mistake when I said that Tor over VPN was maybe an option when wanting to increase anonymity. I phrased it as if there was a debate over whether it could make users more easily trackable. There is no debate over it; it can indeed make the user easier to track. Use a bridge instead. I should just have researched it properly from the get-go instead of just drawing from my memory, saying that I was unsure, and telling you guys to "read up on it and make your own decision", and for this I'm sorry.

If you have mirrored the guide, please update your mirror!

(This version also includes a new section about end-to-end encryption and various small improvements, most notably to verify the Tor Browser installer using PGP to make sure it hasn't been tampered with.)

I'm going to archive the corrected version to Wayback Machine and archive.today now.

2

FuckTheRIAA OP wrote

Thanks! I'm happy that Raddle appreciates it more than the powers that be on Reddit did lol. My original Reddit thread was removed for some reason that I have yet to be informed about. I also can't see the comment I left about it in the thread when I'm logged out, so I guess I got shadow banned as well. Feels a bit shitty, I put more time into this than I should have. I haven't broken any rules there as far as I'm aware and nothing mentioned in my post is illegal. I basically wrote an almost 4000 word well-researched essay with citations and everything, so a sentence in return from whoever removed my thread about why it was removed doesn't seem like too much to ask, but I guess that's just Reddit these days. ¯\_(ツ)_/¯

4