How Monero Users Get Traced (RUN YOUR OWN NODE!)

Protect your Monero by only using trusted nodes; malicious ones can expose your IP and compromise your privacy. Stay safe out there!

Last month was a rough one for Monero users after the Kraken exchange announced that they would be delisting Monero (XMR) from their services at the end of the month. Therefore, users should make sure to withdraw any Monero they might have there to a private wallet before October 31st. We will discuss the delisting problem more in a bit, but there's also some news that I think is worth celebrating.

Chainalysis, the company that famously won the $1.5 million IRS contract to find a way to trace Monero transactions, had an internal video leak showing people how to use their tool. The good news is that there isn't any breaking of cryptography involved with the Chainalysis software. All of the tactics in that video, which demonstrate how to trace Monero transactions, have been known about for years and have actually been addressed by the Monero developers in different episodes of Breaking Monero. I once again recommend that all of you go watch it if you really want to dig deep, in video format, into how Monero works and how to maintain good obscurity with it.

Now, I will quickly go over the Chainalysis techniques and how you can defend against them. The most important detail—if you take nothing else from this video—is to only use Monero nodes that you trust. This is crucial because malicious nodes are able to grab your IP address, and, wouldn't you know it, malicious nodes are the key component of Chainalysis's Monero transaction tracking.

Unfortunately, the majority of Monero users don't run their own nodes because to do so, you need at least 60 gigabytes of blockchain data downloaded to your device for a pruned node and 200 gigabytes if you want to run a full node. This is especially burdensome for mobile users in a world where expandable storage via SD cards is becoming rarer and rarer. This is probably why all the mobile wallets for iOS and Android that I'm aware of don't even have a built-in option to run a local node, unlike the official desktop wallets. Although you can technically run a local node on an Android device with enough storage by downloading the daemon separately through Termux, the daemon will also drain your battery a lot quicker. Therefore, I really recommend running your own node on a device that you can leave plugged in, as this will also give you better uptime for your node.

If you can't run your own node, you could hide your IP address with a proxy or a VPN before you connect to a remote node. This way, if the node is malicious, they lose their most important tracking metric. In the Chainalysis video, there were a number of transactions believed to be from the admins of an illegal dark web site, who happened to be connected to a compromised node. At several points in the video, the Chainalysis analyst would look up the IP address they got from them, and it would belong to a proxy or a VPN. Thus, they still couldn't confirm the location of the target until one day the admins slipped up, connected without a VPN, and the analysts were able to confirm that they were in Colombia. Who knows what happened to the admins after that?

In the Chainalysis video, one of the more disturbing things I noticed was that the RPC requests they were using to get IP addresses seemed to be coming from node.manor.com. This is actually a round-robin DNS name that points to several different Monero nodes. What is really concerning about this is that node.manor.com is in the list of default public nodes in several very popular Monero wallets. So, not only does Chainalysis run bad nodes, but they have managed to infiltrate the Monero community to some degree—typical fed stuff.

There have definitely been a lot of Monero transactions that have already gone through those poisoned nodes and are probably still being analyzed. What these malicious nodes do, besides just logging your IP address, is generate decoy outputs for your transactions that have already been spent. This means any law enforcement that analyzes that transaction on the blockchain with the Chainalysis tool can automatically ignore the decoy outputs and focus on the real one, allowing them to follow where it goes. They can keep following transactions in this way as long as the nodes are processing them. What they are hoping to get—or at least the way it looked from watching the Chainalysis video—is a real IP address for you, so they can actually go raid your house or spy on you.

Remote nodes can also learn the last block that your wallet synced, which basically tells the node when you last used your Monero wallet. This data could easily be correlated with transaction data from controlled purchases and sales on a dark web marketplace.

=> 00:05:45

To truly protect your privacy in the crypto world, always use Monero with onion nodes and temporary wallets—because your freedom is worth the extra effort.

Notably, many vendors on these marketplaces list their inventory, and if we assume there is no shrinkage from people consuming their own supply, a decrease in inventory suggests an increase in sales. Therefore, it is crucial to run your own Monero node, as Chainalysis becomes essentially useless if they cannot poison the decoy outputs in your transactions. The key data point that connects those transactions to a real-life identity is the unshielded IP address. Additionally, exchanges could potentially be subpoenaed if they have KYC (Know Your Customer) protocols in place, but ideally, you should avoid dealing with KYC exchanges altogether.

A relatively easy way to defend against IP logging, without the hassle of using a VPN or running your own node, is to use only Monero nodes that are on the dark web. If you visit Monero's official site in your browser, you will find a list of different remote nodes you can use, and you can filter it for those that are only on Tor or I2P. If you are on a desktop, ensure that you check the SOCKS5 proxy option in the Monero GUI wallet, which can be found under Settings and then Interface. Make sure that the IP address you enter here is 127.0.0.1 and set the port to 9150. If you have a standalone Tor daemon running on your PC, ensure that the port you configure here matches the port your Tor daemon listens on. If you are just running the Tor Browser, this setting will automatically bind the Monero wallet to that Tor connection; just keep the Tor Browser open and connected in the background.

For Android users, you can use Orbot to proxy any application over the Tor network, and then in your Monero wallet, choose one of the onion nodes, ideally one with an up-to-date block height and a good uptime history. However, there remains a possibility that these onion nodes could be controlled by Chainalysis, which might still use poisoned inputs on your transactions to track where you are sending Monero. Nonetheless, this scenario is less likely than with clearnet nodes, as Chainalysis would lose the opportunity to log your IP address with onion nodes. Moreover, it is more probable that users will connect to clearnet nodes rather than onion nodes, due to the additional steps required to use them.
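As an added example, not from the video or from the Monero project, here is a small POSIX shell script that encodes the checks from the last few paragraphs: it classifies a daemon address as your own node, an onion/I2P node or a clearnet node, decides whether that node-plus-proxy combination exposes your IP, and prints the command-line equivalents of the GUI settings (a pruned local monerod bound to localhost, or monero-wallet-cli pointed at an onion node through Tor Browser's 127.0.0.1:9150). The flag names are taken from the monerod and monero-wallet-cli help output as I know it and should be confirmed against your own release; every hostname below is a placeholder I made up, not a real node.

```shell
#!/bin/sh
# Added example, not from the video or the Monero project: audit the
# daemon/proxy settings described above and print CLI equivalents of the
# GUI options. Assumptions: monerod and monero-wallet-cli are on PATH and
# accept --prune-blockchain, --daemon-address and --proxy as shown by
# their --help output; all hostnames here are constructed placeholders.

# Classify a daemon address (host:port) as local, onion, i2p or clearnet.
daemon_kind() {
  host="${1%:*}"                       # drop the :port suffix
  case "$host" in
    127.0.0.1|localhost|::1) echo local ;;
    *.onion)                 echo onion ;;
    *.i2p)                   echo i2p ;;
    *)                       echo clearnet ;;
  esac
}

# Return 0 if the node cannot see the wallet's real IP, 1 if it can,
# 2 if the combination cannot work (hidden-service node without a proxy).
# $1 = daemon address, $2 = SOCKS5 proxy as ip:port, or an empty string.
check_node_config() {
  kind=$(daemon_kind "$1")
  proxy="$2"
  case "$kind" in
    local)
      echo "ok: own node, no remote party sees your IP or poisons your decoys"
      return 0 ;;
    onion|i2p)
      if [ -n "$proxy" ]; then
        echo "ok: $kind node reached through $proxy, real IP hidden"
        return 0
      fi
      echo "error: $kind address needs a SOCKS5 proxy (Tor Browser: 127.0.0.1:9150)"
      return 2 ;;
    clearnet)
      if [ -n "$proxy" ]; then
        echo "warn: IP hidden behind $proxy, but a bad clearnet node can still poison decoys"
        return 0
      fi
      echo "EXPOSED: clearnet node $1 without a proxy sees your real IP"
      return 1 ;;
  esac
}

# CLI equivalent of "run your own node": a pruned node whose RPC port is
# reachable only from this machine.
local_node_cmd() {
  echo "monerod --prune-blockchain --rpc-bind-ip 127.0.0.1 --rpc-bind-port 18081"
}

# Build a monero-wallet-cli command for the given node, refusing to emit
# one that would leak the wallet's IP (non-zero return, no output).
wallet_cmd() {
  check_node_config "$1" "$2" >/dev/null || return 1
  cmd="monero-wallet-cli --daemon-address $1"
  [ -n "$2" ] && cmd="$cmd --proxy $2"
  echo "$cmd"
}

# Demonstration over constructed node/proxy pairs ("address|proxy").
for spec in "127.0.0.1:18081|" \
            "xxxxplaceholderxxxx.onion:18081|127.0.0.1:9150" \
            "203.0.113.5:18081|127.0.0.1:9150" \
            "203.0.113.5:18081|" \
            "xxxxplaceholderxxxx.onion:18081|"; do
  addr="${spec%%|*}"; prx="${spec#*|}"
  check_node_config "$addr" "$prx" || true
done
local_node_cmd
wallet_cmd "xxxxplaceholderxxxx.onion:18081" "127.0.0.1:9150"
```

The "warn" case is deliberate: a proxy or VPN hides your IP from a clearnet node, which removes the metric the video cares about most, but it does nothing about a node that hands your wallet already-spent decoys, so the only configuration the script reports as fully clean is your own node.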

The last piece of advice is to be very cautious when using exchanges and swap services, as interactions with these can sometimes be easier to observe on the blockchain. If the transaction fees and unlock times use non-standard values, there are options in the Chainalysis tool to flag these transactions, making it easier to differentiate between different kinds of transactions. I also suspect that many exchanges connect to remote nodes instead of running their own, as there seems to be no compelling reason for them to operate their own nodes.

For a more concerning thought, the most popular exchanges that deal in Monero might have an unwritten, undisclosed rule that all of their Monero transactions must go through compromised nodes that federal authorities can monitor for compliance purposes, tracking where funds are coming from and going to when entering and exiting the exchange. Therefore, if you want to swap your Monero, do not do it from your main wallet. Instead, transfer the funds you wish to swap to an intermediary wallet first—a one-time wallet that you will dispose of after use—and then swap from there. Similarly, when receiving funds from an exchange, do not have them deposited directly into your main wallet; receive them in an intermediary wallet first and then transfer from there.

The default transaction fees in the official Monero wallet are less than half a penny, so your freedom is absolutely worth paying a couple of extra Monero transaction fees and using those temporary wallets. However, the best thing to do with your Monero is not to exchange it at all; rather, it is to spend it. This was the original purpose of cryptocurrency. Properties of Monero, such as the tail emission, low transaction fees, and excellent fungibility, make it one of the best cryptocurrencies to spend. My online store, for instance, accepts Monero for all of its products, and you receive a 10% discount whenever you use it at checkout.

Many people are wondering how they can acquire Monero if it is being delisted. The answer is simple: if you have a store or provide any kind of paid service, you can start accepting Monero right now. So, stay safe out there, practice good operational security, and have a good rest of your day.