Privacy on the blockchain: beginners' guide
Zoltan Balazs
About me
I am a full-time security researcher
Blockchain as a hobby
First interest in blockchain ~2011
First geth node in 2016
Ethereum Smart Contract Hacking Explained like I'm Five - Hacktivity, Virusbulletin 2018
Web3 + Scams = It's a Match! – Hacktivity, Hack in the Box Singapore 2022
How it started
Published in 1998, referenced in the Bitcoin paper
How it is going
“Comm members, for example, have kidnapped one another to gain access to a rival’s cryptocurrency. Gunmen fire weapons at targets’ houses or throw bricks through their windows. ”
https://www.404media.co/sim-swappers-are-working-directly-with-ransomware-gangs-now/
Public blockchain is not private DUH
In ~2011 there was a popular misconception that the Bitcoin blockchain is anonymous
People registered on exchanges with their true identity
Used the exchanges as input/output for their illegal activities
BAD KARMA
Bitcoin based darkweb markets
Silk road - seized in 2013
Alphabay - 2017
Hansa market - 2017
Welcome to Video - 2018
Wall Street Market - 2019
Valhalla Marketplace - 2019
Bitcoin blockchain analysis != Ethereum blockchain analysis
Bitcoin wallets can combine coins from multiple addresses as inputs to a single outgoing transaction
“… some wallets that use tools called Simple Payment Verification or Electrum—designed to avoid storing the entire blockchain—leak certain information with every transaction. Nodes that receive a transaction message from those wallets can see not only the user’s IP address but all of their blockchain addresses and even their wallet’s software version, a tidy bundle of identifying information. ”
Tracers in the Dark - Andy Greenberg
The obvious don’ts: if you want privacy, don’t post publicly
Link your ENS domain with your main wallet address
Set your ENS domain as your Twitter display name
Put your ETH address in your Linktree / Mastodon profile
Post your main wallet address on forums
Call yourself the Crypto King
The main issue
If you buy anything today with ETH from your ONE AND ONLY address
The seller will know:
This is far from ideal
Tornado Cash: created in 2019
“open source, non-custodial, fully decentralized cryptocurrency tumbler that runs on EVM-compatible networks”
Blacklisted in 2022
May 2023 – Tornado DAO “hack”
OPSEC guides
https://docs.tornado.ws/general/guides/opsec.html
“Metamask, one of the most popular wallets, now by default logs IP addresses when a wallet is generated or makes a transaction”
“Additionally, when you configure a Metamask wallet an Infura RPC access key is assigned to your instance; if you make two transactions from two separate addresses from that instance they will be directly related.”
Offtopic: Monero
Offtopic: Wasabi wallets
A coinjoin is a special Bitcoin transaction where several peers get together to literally join their coins in a single transaction. They collaboratively build a transaction where each of them provides some coins as inputs, and fresh addresses as outputs.
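The two slides above (multiple addresses joined as inputs to one Bitcoin transaction, and CoinJoin) are two sides of the same analysis problem. The example below is added here and is not from the talk or from any wallet project: it implements the common-input-ownership heuristic that chain-analysis tools apply (all inputs of one transaction are assumed to belong to one wallet, merged with a union-find), then shows why a CoinJoin breaks that assumption and how an analyst has to exclude likely CoinJoins (several equal-value outputs) to avoid merging unrelated wallets. All transaction ids, addresses and amounts are constructed sample data.

```python
"""Common-input-ownership clustering with a CoinJoin guard.

Added example (not from the talk). Transactions, addresses and amounts are
constructed sample data, not real chain data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Tx:
    txid: str
    inputs: List[str]                   # addresses whose coins are spent
    outputs: List[Tuple[str, int]]      # (address, amount in satoshi)


class UnionFind:
    """Disjoint-set structure used to merge addresses into clusters."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, a: str) -> str:
        self.parent.setdefault(a, a)    # registers unseen addresses
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx: Tx, min_equal_outputs: int = 3) -> bool:
    """Heuristic: several inputs plus several outputs of identical value.

    Equal-value outputs to fresh addresses are the signature of a CoinJoin
    round, where each peer receives the same denomination. A plain payment
    from one wallet rarely produces three identical outputs.
    """
    if len(tx.inputs) < 2:
        return False
    counts: Dict[int, int] = {}
    for _, amount in tx.outputs:
        counts[amount] = counts.get(amount, 0) + 1
    return max(counts.values(), default=0) >= min_equal_outputs


def cluster_addresses(txs: List[Tx], skip_coinjoins: bool = True) -> List[Set[str]]:
    """Common-input-ownership heuristic: all inputs of one tx share an owner.

    With skip_coinjoins=True, transactions that look like CoinJoins are not
    used for merging, because their inputs belong to different peers.
    """
    uf = UnionFind()
    for tx in txs:
        if skip_coinjoins and looks_like_coinjoin(tx):
            for addr in tx.inputs:
                uf.find(addr)           # register without merging
            continue
        first = tx.inputs[0]
        uf.find(first)
        for addr in tx.inputs[1:]:
            uf.union(first, addr)
    groups: Dict[str, Set[str]] = {}
    for addr in list(uf.parent):
        groups.setdefault(uf.find(addr), set()).add(addr)
    return sorted(groups.values(), key=lambda s: min(s))


# Constructed sample data: alice pays a merchant from two of her addresses,
# then reuses alice_1 in a CoinJoin round with bob and carol; carol later
# sweeps two of her own addresses into an exchange deposit.
SAMPLE_TXS = [
    Tx("tx1", ["alice_1", "alice_2"], [("merchant", 150_000), ("alice_chg", 20_000)]),
    Tx("tx2", ["alice_1", "bob_1", "carol_1"],
       [("fresh_a", 10_000), ("fresh_b", 10_000), ("fresh_c", 10_000), ("bob_chg", 3_000)]),
    Tx("tx3", ["carol_1", "carol_2"], [("exchange", 40_000), ("carol_chg", 1_000)]),
]


def cluster_of(addr: str, txs: List[Tx] = SAMPLE_TXS, skip_coinjoins: bool = True) -> Set[str]:
    """Return the cluster containing addr (a singleton if it is unlinked)."""
    for group in cluster_addresses(txs, skip_coinjoins):
        if addr in group:
            return group
    return {addr}


if __name__ == "__main__":
    # Naive merging wrongly folds bob's and carol's wallets into alice's.
    print("naive:         ", sorted(cluster_of("alice_1", skip_coinjoins=False)))
    # Excluding the CoinJoin keeps the three wallets apart.
    print("coinjoin-aware:", sorted(cluster_of("alice_1")))
```

Run it to see the two cluster views side by side. The same logic applied to the Ethereum account model is far simpler: one address is one account, and every transaction from it is linked without any heuristic, which is what the "ONE AND ONLY address" slides below are about.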
Crypto in popcorn
https://cointelegraph.com/magazine/3-4-billion-bitcoin-popcorn-tin-silk-road-hacker/
The criminal “masterminds”
“Prosecutors allege that Lichtenstein and Morgan tried to unload the stolen Bitcoin (from Bitfinex) or turn it into actual money and other goods. And they allegedly did it in a few ways, by using Bitcoin cash machines to convert Bitcoin into dollars, by using stolen Bitcoin to buy gold in NFTs and by purchasing a $500 Walmart gift card.
So they have a bunch of these unhosted wallets and they start moving the bitcoins around between them according to the government.”
The government is saying that Ilya opened up an account on an exchange. And when he did it, he had to provide identifying information. And he gave a selfie and a copy of his driver's license. And he opened up an account like any normal person would do.
When Lichtenstein allegedly bought gold with some of the stolen funds, he shipped it to his real address. And when the couple allegedly used that Walmart gift card, their orders were delivered to their real Manhattan apartment.
More OPSEC failures
Note: VCE: Virtual Currency Exchange
On January 31, 2022, law enforcement gained access to Wallet 1CGA4s by decrypting a file saved to LICHTENSTEIN’s cloud storage account, which had been obtained pursuant to a search warrant.
The file contained a list of 2,000 virtual currency addresses, along with corresponding private keys.
https://www.youtube.com/watch?v=01oeaBb85Xc
Decentralisation FTW
Light wallets using API access are not private
Decentralise consensus clients, execution clients
Decentralise nodes via country, cloud provider
Decentralise stake pools
Decentralise wallet software
Decentralise exchanges
Decentralise APIs
Architectural / political / logical decentralisation
Future: Privacy pool
Privacy Pool operates similarly to Tornado Cash by mixing multiple users' transactions to obscure their true origins. However, when users withdraw funds, they have the option to generate a zero-knowledge proof.
The zero-knowledge proof confirms that they are not using a criminal blockchain address while safeguarding their identity.
Future: stealth addresses
“One of the largest remaining challenges in the Ethereum ecosystem is privacy.”
Future: Central Bank Digital Currency (CBDC)
Privacy nightmare
Clearly, worse than cash
Worse than traditional bank accounts and bank transfers
Conclusion
Do not do crimes
Do not do crimes on the blockchain, as the blockchain is the best forensic source to prove your crimes
Do not brag about how much money/NFTs you have
Thank you for your attention