Cryptocurrencies are sometimes thought of as being anonymous since they can be used and owned by anyone and transactions carry no personal information identifying the sender or recipient. However, this assumption is incorrect. Cryptocurrencies are generally not anonymous but rather pseudonymous. In many ways, cryptocurrencies are actually far less anonymous than traditional government-backed money.
Why Do Some Think Cryptocurrencies Are Anonymous?
If cryptocurrencies aren’t anonymous, why do so many people claim that they are? We believe this is due to a fundamental lack of understanding of how cryptocurrencies work as well as repetitively stated falsities. Below are three reasons why:
The Silk Road
Bitcoin, and by extension other cryptocurrencies, has sometimes been characterized by critics as only useful for buying drugs. The Silk Road was an online marketplace on the dark web that operated from February 2011 to October 2013 and was frequently used for buying drugs and other illegal items and services. Bitcoin was still in its infancy at this time, but this was the first major practical use of Bitcoin outside of speculation and is part of the story that led Bitcoin to be where it is today.
Some critics still associate Bitcoin with this type of illegal criminal activity even though criminal activity accounts for only 10% of transactions. The US Drug Enforcement Agency actually wants criminals to keep using it because it’s easier to track and more transparent. The use of USD in criminal activity is far more common. But the initial association with anonymous individuals using bitcoin to buy drugs 7-9 years ago still leads some people to think Bitcoin as a form of money is anonymous; it isn’t.
Lack of Identifiers
After looking at the record of any Bitcoin transaction, it is evident there is no identifier linking any of the wallet addresses to any individual(s) in particular. Wallet addresses are represented solely by letters and numbers. This leads some people to take a short-sighted view that just because identifiers are not present in the transaction itself, the individual(s) involved are anonymous. They aren’t. Cryptocurrencies almost always elect to use public blockchains, which allow anyone with the expertise to track the entire transaction history. Anybody can use a blockchain explorer, and digital analytics and forensics companies can typically trace other wallets owned by the same individual through varied heuristics, so once a single wallet address of an individual is known, the rest of their wallet addresses can usually be found.
Lack of Central Authority
Unlike traditional financial systems, there is no central authority to go to who can provide identification information of an individual or who can ban or blacklist an individual. Cryptocurrency is non-custodial in nature, meaning individuals own their own cryptocurrency and can do with it as they please. It cannot be revoked or seized by traditional means.
CAN Cryptocurrencies Be Anonymous?
Anonymity is a scale, not a yes/no distinction. Individuals can take actions to become more (or less) anonymous. Furthermore, a few select cryptocurrencies do have some privacy features built-in so that they cannot be tracked and traced as easily as other major currencies like Bitcoin and Ethereum. However, we have found that the use of these “privacy coins”, mixers, or other efforts to obscure the blockchain trail often results in a false sense of security and subsequent OPSEC sloppiness that can lead to attribution of the person(s) in question.
Factors Reducing Privacy and Anonymity
Almost all cryptocurrency users register on one or multiple exchanges and are usually required to go through KYC or provide identification in order to be able to use the exchange. If the user has taken the funds off an exchange, those funds can often be traced.
IP tracking and tracing
Once a person’s IP is known, it may be possible to track down the individual behind the transaction. There are a variety of ways IPs can be determined, both on-chain and off-chain, the latter being both far more practical and common.
A Bitcoin transaction is broadcast by a Bitcoin node to other nodes in the Bitcoin network, which in turn broadcast it to all nodes they are connected with. But most people don’t run Bitcoin nodes. Rather, they connect to a node that broadcasts their transactions on their behalf. Any node you connect with knows the IP addresses of its connections; therefore, by controlling node connections through a variety of different ways, it is possible to determine a user’s IP address. However, in the vast majority of cases, this exercise would be useless, expensive, and ineffective at the same time.
Off-chain IP tracing is far more practical. A user’s IP is not recorded on the blockchain, but interactions the individual undertakes on the internet are. IP access logs can be acquired from cryptocurrency exchanges, email service providers, and social media platforms. Even by knowing email addresses and social media platforms, covert and properly conducted OSINT can often reveal key information like social media handles that can ultimately lead to IP address attribution without tipping a suspect off.
Poor Operational Security
While cryptocurrencies are relatively safe and secure, weaknesses typically lie in individuals who use them. Operational security employed by users is frequently poor and grossly inadequate, reducing their privacy and anonymity. Examples of poor operational security include always using the same wallet addresses over and over again and insecure storage of private keys.
Techniques Used to Increase Privacy and Anonymity
Some individuals will elect to hold or utilize ‘privacy coins’ such as Monero (XMR). Some privacy coins are more effective at ensuring privacy than others. Monero is considered the leading privacy coin right now because it’s highly effective. The ownership of Monero effectively cannot be traced. But this doesn’t mean Monero is a panacea for anyone looking to avoid being tracked. For one, many users leave their XMR on exchanges where it can be seized, which is counter-intuitive. Furthermore, most XMR users employ poor operational security, e.g. buying XMR on an exchange, telling friends and family that they own XMR, etc.
Put simply, if there is enough evidence to indicate an individual held or holds cryptocurrency (whether they are hiding assets in a divorce case or ill-gotten fraud proceeds) Monero won’t save them from the truth. Investigators know many avenues of approach to dismantling the misconception of total obscurity provided by privacy coins; as just two examples, unsubstantiated income to a bank account or seizure of devices may result in the required proof despite lacking a wallet address with balance.
Coin Mixers such as CoinJoin work by taking multiple input transactions, mixing them up, and ultimately giving funds back to the owners. Coin Mixers have mixed success depending on the implementation strategy, and they can be defeated.
Taking a look at a centralized mixer such as Bitcoin Fog as one example, the mixer operator has a pool of BTC. When they receive x BTC from someone wishing to mix funds, the mixer accepts it in one of their wallets and then pays out from another wallet to a new wallet(s) specified by the individual, albeit with a service fee deducted that is around 3%. There are multiple avenues we could utilize to attempt to defeat the mixer.
Blockchain forensics software allows us to see when funds have been deposited into wallets that have been attributed to mixing services. Once we determine x amount of funds have gone into a specific mixer, we could look for transactions in subsequent blocks showing a payout that amounts to what was sent into the mixer less the service fee. In all likelihood, there will only be a few transactions in the next 20 or so blocks that meet the criteria, which we’d manually assess to prevent false positives.
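The payout-matching step described above, as an added example (not code from the original article or from any forensics product): it shortlists payouts from mixer-attributed wallets that confirm within 20 blocks of the deposit and whose total equals the deposit less a fee near 3%. The transaction ids, amounts, block heights and the 2.5% to 3.5% fee band are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payout:
    txid: str        # constructed placeholder, not a real transaction id
    height: int      # block height in which the payout confirmed
    outputs: tuple   # output amounts in satoshis (a payout may be split)

def candidate_payouts(deposit_sats, deposit_height, payouts,
                      window=20, fee_bps_min=250, fee_bps_max=350):
    """Shortlist payouts that could correspond to one mixer deposit.

    A payout qualifies if it confirms within `window` blocks after the
    deposit and its total is the deposit less a fee inside the assumed band
    (basis points; 300 bps = 3%). The result is for manual review only.
    """
    hits = []
    for p in payouts:
        if not deposit_height < p.height <= deposit_height + window:
            continue  # before the deposit or outside the block window
        total = sum(p.outputs)
        fee_bps = (deposit_sats - total) * 10_000 / deposit_sats
        if fee_bps_min <= fee_bps <= fee_bps_max:
            hits.append((p.txid, p.height, round(fee_bps)))
    # Payouts closest to the nominal 3% fee are reviewed first.
    return sorted(hits, key=lambda h: abs(h[2] - 300))

# Constructed sample: a 2.5 BTC deposit seen at block 700000, followed by
# payouts from wallets already attributed to the mixer.
DEPOSIT_SATS, DEPOSIT_HEIGHT = 250_000_000, 700_000
SAMPLE_PAYOUTS = [
    Payout("tx_a", 700_003, (242_500_000,)),              # 3.00% fee
    Payout("tx_b", 700_007, (121_000_000, 121_875_000)),  # split, 2.85% fee
    Payout("tx_c", 700_002, (250_000_000,)),              # no fee deducted
    Payout("tx_d", 700_045, (242_500_000,)),              # outside the window
    Payout("tx_e", 699_998, (242_500_000,)),              # before the deposit
]

if __name__ == "__main__":
    for txid, height, fee in candidate_payouts(
            DEPOSIT_SATS, DEPOSIT_HEIGHT, SAMPLE_PAYOUTS):
        print(f"{txid} at block {height}: implied fee {fee / 100:.2f}%")
```

Widening the fee band or the block window increases the number of candidates that have to be assessed by hand.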
Because Coin Mixers operate differently, the strategy used to defeat one will not necessarily work on other ones, or a modified strategy may be necessary. This is where our experience assessing and analyzing coin mixers becomes incredibly useful since we have an understanding of how each mixer operates, how funds are mixed, and what the weaknesses associated with it are. From a forensics perspective, the difference between a centralized mixer like Bitcoin Fog and a decentralized mixer like Wasabi is profound. Furthermore, since defeating mixers can be a time-intensive process, it’s typically only worth it when there’s a significant amount of funds at stake.
Not Linking Wallet Addresses to Identity
This option may sound like the easiest to execute properly but is, in fact, the most difficult. Most people acquire cryptocurrency by purchasing on an exchange that they’ve linked their identity to. There aren’t many other available options through which individuals can acquire cryptocurrency. Mining is one of those options, but individuals will only be able to acquire a small amount of cryptocurrency, it takes a long time to do so, and in all likelihood they will end up spending more on electricity to mine than the value of the cryptocurrency they receive, making it uneconomical.
Even if someone can acquire cryptocurrency without providing their identity, they need to avoid association with all applicable and associated wallets by not telling any friends or family of wallet addresses, not posting it online, and not using the wallet address(es) as a payment option for any services or work performed. Overall, that’s a pretty hard task to accomplish even for someone well-versed in cryptocurrency.
Cryptocurrency vs Fiat Currency
Cryptocurrencies are highly transparent and pseudonymous. The degree of anonymity varies depending on the practices employed by the users. Transaction history is public and viewable by anyone. No one has special access, and no court order can change that. In practice, most users make little to no effort to anonymize themselves, making cryptocurrency not very anonymous.
In contrast, fiat currency is far less transparent, particularly in the form of banknotes. It’s practically impossible to track banknote expenditures an individual makes. Banknotes are also fairly anonymous since the ownership history of specific banknotes is not really tracked at all. It’s why banknotes are so frequently used for illicit activities like drug trafficking and prostitution. Digital fiat currency and transactions are far less anonymous since banks keep detailed records on all expenditures and merchants. However, they don’t fare much better than banknotes when it comes to transparency since the transaction history can only be obtained by the individual, the bank, and certain government agencies, or a court can order the bank to provide it if deemed lawful.
I always find it comical when the villain in a movie demands a ransom paid in Bitcoin. It’s far more transparent than government-backed currencies. The degree of anonymity depends on the practices employed by the user but cryptocurrency typically ends up being considerably less anonymous than cash.
Note: Nothing in this article is to be construed as legal, financial, or tax advice.