Research Summary: Analysis of Decentralized Mixing Services in the Greater Bitcoin Ecosystem

Research Summary: Analysis of Decentralized Mixing Services in the Greater Bitcoin Ecosystem

TLDR

  • This paper investigates the role two decentralized CoinJoin mixers, Samourai Wallet and Wasabi Wallet, play in the Bitcoin ecosystem.
  • The author develops heuristics for detecting CoinJoin transactions, analyzes the number and volume of transactions processed through the two systems, and addresses known for criminal activity.
  • Finally, the author analyzes the framework from a security perspective, determining that both wallet services are robust against coin theft and denial of service, and that while de-anonymization is possible it would have to be overt.

Core Research Question

What role do Samourai Wallet and Wasabi Wallet play in the greater Bitcoin ecosystem, how has that role evolved over time, and is it possible to de-anonymize participants?

Citation

Stockinger, Johann. Analysis of Decentralized Mixing Services in the Greater Bitcoin Ecosystem. Diss. Wien, 2021. https://repositum.tuwien.at/bitstream/20.500.12708/18576/1/Stockinger%20Johann%20-%202021%20-%20Analysis%20of%20Decentralized%20Mixing%20Services%20in%20the...pdf

Background

  • Transaction privacy: On the blockchain, the core assumption is that all transactions are visible to nodes, so that the state transition between blocks can be made with data integrity. This means there’s little to no transaction privacy on a blockchain, regardless of whether it uses Ethereum’s account-based format or Bitcoin’s unspent transaction output (UTXO) format.
  • Mixing services: In order to preserve transaction privacy for individuals conducting blockchain transactions, a structure with centralized nodes can be used to confuse potential adversaries who might want to deanonymize transactions by tracing transaction paths.
  • Decentralized mixing services: Using a centralized mixing service exposes a user to off-chain risk. Funds could be stolen or lost. Decentralized mixing services such as Samourai Wallet or Wasabi Wallet avoid off-chain risk by mixing transactions without a centralized processor.
  • CoinJoin (and its predecessor Chaumian CoinJoin): A well-known mixing method. As a mixer framework, ZeroLink adopted CoinJoin as its mixing method.

Summary

  • In the first part of the paper, the authors describe the history of anonymity and privacy techniques in Bitcoin, and the de-anonymization techniques used to break them.
  • Privacy preserving techniques on Bitcoin was the main focus of this research. CoinJoin is the first decentralized mixing solution compatible with Bitcoin, where it becomes increasingly complex to link the various outputs to individual users as the number of participants in a CoinJoin transaction increases.
  • The protocols used in this paper are: the ZeroLink framework for mixer services, Chaumina CoinJoin for mixing methods, and the improved heuristics the authors developed to analyze them.
  • Wasabi Wallet and Samourai Wallet are the implementation instances of the primitives mentioned above - CoinJoin and ZeroLink.
  • The author created the improved heuristics based upon the work of Wasabi Wallet cofounder Ádám Ficsór, to better discover and separate Wasabi and Samourai Wallet transactions from regular Bitcoin transactions.
  • Two new heuristics were developed, and their F-1 score is significantly better than Ficsór’s original approach. F-1 score is the harmonic mean of the precision and recall, which is a measure of test accuracy.
  • For Samourai Wallet’s Whirlpool transactions, the accuracy improvement from heuristics is limited, with the help of LaurentMT’s TxID analysis.
  • The scope of the transaction analysis: the value, the amount, the coordinator fees, and the flow (in or out) from the Wasabi Wallet and its mixing transactions were analyzed with as metrics in a time series. The same analysis is done for Samourai Wallet, and its different anonymity pools (0.01, 0.05. 0.5 btc, respectively).
  • GraphSense was used to categorize and associate users and usages to the above transactions among the two wallet services. The authors discovered some already-labeled-entity of addresses, including exchanges, gambling services, ponzi schemes, crime (hacked) accounts, mining pool, etc.
  • The authors made interesting discoveries such as accounts associated with Binance incidents, or the North Korea hacking group Lazarus.
  • For the second part of the paper, the authors suggested some best practices when using decentralized mixing services, such as the usage of TOR, or the labeling to pre-mixed UTXO wallet addresses, etc.
  • They discuss the limitations of decentralized mixing frameworks, services, and their security assumptions. For deanonymization they suggest that users must use two different tor connections for both the input and output registration phase, in order to fulfill ZeroLink’s design intention.
  • Active adversaries can only deanonymize users if they are impersonating tumblers (coordinators) and actively manipulating input registrations. Even so, the users can easily recognize that malicious behavior and mix the coin again via other tumblers.
  • Coin theft and DoS attacks are described and analyzed as potential threats. The three attack vectors introduced above are examined against Samourai Wallet and Wasabi Wallet implementations.
  • Comparison and discussion of LaurentMT and Ficsór pros and cons.
  • Future improvements are discussed in the Wabisabi framework, the successor to Zerolink, or concerns about the rare but surely existing cases that would reduce the anonymity to transaction pools.

Method

  • ZeroLink and CoinJoin are formally defined and discussed so that the newly discovered heuristics make sense. ZeroLink is a framework that defines 3 essential parts in a mixing process: a pre-mix wallet, a mixing process, and a post-mix wallet.
  • To identify whether a transaction is a regular bitcoin transaction or a CoinJoin transaction, heuristics can be applied to them to see whether they match the behavior characteristics of CoinJoin transactions.
  • Two unique heuristics are raised by this work to categorize transactions: 1. there is at least one unique output value, and 2. there are at least 3 distinct output values. The reasoning behind 1. is that the fee collected by the coordinator address is very likely to be distinct from any other output produced by the transaction. The reasoning behind 2. is due to the fact that it is highly likely that at least one change output will be produced by the transaction (i.e., there are at least distinct values for the CoinJoin itself, the coordinator fee, and one change output).
  • On discovering a Wasabi Wallet or Samourai Wallet transaction, heuristics are improved for better discovery rate in the research:
  • For Wasabi Wallet:
    • Ground Truths are established by using static coordinator addresses from block 530500 to block 609999, and false positive data before block 530500 can be eliminated cause that’s before Wasabi Wallet launched CoinJoin transactions. 7406 ground truth transactions from block 1 to 609999 are raised as a result.
    • Improved heuristics are:
      • There are at least 10 outputs of equal value.
      • The most frequent output value is 0.1 ± 0.02.
      • There are at least as many inputs as occurrences of the most frequent output.
      • There is at least one unique output value.
      • There are at least 3 distinct output values.
  • For Samourai Whirlpool:
    • While Ground Truth cannot be established using the same methods, some common senses (e.g., transactions before 569999 are false positives) can be applied.
    • Since the first transactions (pre-mixed) from every pool can only be from the genesis mixing pool, the relationships between remix and premix addresses are analyzed.
    • Improved heuristics are:
      • The number of inputs and outputs of the transaction is equal to 5
      • At least one and at most three inputs are remix addresses, i.e., there are 1, 2, or 3 inputs with a value exactly equal to a Samourai Whirlpool pool size.
      • At least two and at most four inputs are premix addresses, i.e., there are 2, 3, or 4 inputs with a value between a Samourai Whirlpool pool size and the pool size plus a certain amount which makes up the transaction fee (with a maximum difference of 0.0011 BTC as per [dF19]).
  • The uniform value of all outputs is exactly equal to a Samourai Whirlpool pool size.

Results

  • In the first part of Ch.4, the number of Wasabi Wallet transactions, outgoing (exiting Wasabi Wallet) transactions, the total mixed (newly mixed) BTC, and the fees paid to coordinators of Wasabi Wallet are analyzed.
  • Figure 4.1 shows the total usages - 18687 transactions from block 530500 to block 658738, for Wasabi Wallet.
  • Figure 4.2 shows the amount of btc mixed by it, roughly 606,019.18 BTC.
  • Figure 4.4 shows the amount of BTC mixed and leaving the anonymity set.
  • And, Figure 4.5 shows the mount of BTC newly entering the anonymity set.
  • Figure 4.7 is the fee graph to Wasabi Walet’s coordinators.
  • In the second part of Ch.4, for Samourai Wallet’s Whirlpool transactions, the share to each anonymity set, the amount of transactions, outgoing transactions, total mixed (newly mixed) BTC, and the fees paid to the coordinators of Samourai Wallet are analyzed.
  • Figure 4.8 shows the total usages - 84063 transactions from block 530500 to block 658738, for Samourai Whirlpool transactions.
  • Figure 4.9 shows the total usages ratio among different sizes of anonymity sets.
  • Figure 4.10 shows the amount of btc mixed by it, roughly 18,198.1 BTC.
  • Figure 4.12 shows the amount of BTC mixed and leaving the anonymity set.
  • And, Figure 4.13 shows the mount of BTC newly entering the anonymity set.
  • Table 4.3 is the fee graph to Samourai Wallet’s Whirlpool coordinators and miners.
  • Apart from that, the correlation of such accounts to existing services are done usingGraphSense. The Level is indicating the distance from the direct CoinJoin transaction receiver address to the target address.
  • The labeling done by GraphSense:


  • For Samourai Whirlpool Transactions, the same can be done:


Discussion and Key Takeaways

  • Wasabi Wallet and Samourai Wallet are the two most-used decentralized Bitcoin mixing services. The paper improved heuristics to better recognize mixer transactions in the Bitcoin network. Combined with the labeling service from GraphSense, the role of mixing services in the Bitcoin ecosystem are better understood, and primitive observations (longitudinal analysis) can be used to discover more insights about mixing services.
  • The research suggests that centralized nodes performed the same as decentralized nodes or even better, performance-wise, than decentralized coordinating. Anonymity is achieved by blind signature protocols, so that coordinators/tumblers won’t be able to re-link users from the input registration phase and output registration phase.

Implications and Follow-ups

  • The research paves the way for an implementation of heuristics used to discover CoinJoin transactions by Wasabi Wallet and Samourai Wallet, which will pave the way for future work.
  • It’s worth noting that the introduction of the Wabisabi framework, which will ultimately replace ZeroLink, could render the heuristics used in this work partially unusable or totally unusable.

Applicability

  • This work can be used in AML research and tracing criminal activities. In the past that data was only shared inside government organizations. Now that there’s an implementation by academics, the data and code will be useful for future research.
7 Likes

@Jerry_Ho: Thanks for a fascinating contribution to the SCRF Forum.

I’m curious to know if there have been any new deanonymization efforts since the publication of this research. Are aware of any, and if so can you comment on their relevance to this post?

4 Likes

Yeah, the authors of the original Wasabi wallet/Zerolink, Adam Ficsor, has made significant improvements over the years.

This video serves as an ELI5 to the new framework.

All of the activities/whitepapers can be found under their zkSNACK repo,

and it’s not just simply mixers for now, things like decentralized non-custodial wallets are also in the protocol in order to make it more feasible to regular users.
That is, it’s hard to “reuse” your addresses and make your transaction traces tracable if you’re using Wasabi wallet to make anon transactions.

4 Likes

Excellent job on this summary @Jerry_Ho.

It’s unfortunate that mixing as a privacy-preserving technology is so susceptible to on-chain fingerprinting. Those that seek privacy via Wasabi or Samourai are effectively singled out from other transactors and that might pose a threat to Bitcoin’s fungibility.

In order for a sufficient level of privacy to be achieved, a large number of users need to seek privacy thus increasing the total anonymity set. It appears that user interfaces play a critical role here.

Did the authors discuss or attempt to measure to impact of that user experience has on the adoption of this transaction type?

2 Likes

They didn’t.

If we were to define UX, and have quantifizable results - hard to gauge and design a way to measure

  1. Is the readme clear enough that ppl won’t do stupid things such as reuse address, NOT going through relayer with fresh new address…
  2. Is the withdrawl address already seen (OSINT) on internet.
  3. Other VPN related usages, client fingerprints , temporal traces, etc.

The only related stats from the research:

The tags provided by GraphSense show that addresses of 2 mixing services (including
the main Wasabi Fee entity), 39 exchange services, 5 wallet services, 6 mining pools, 3
gambling services, as well as 6 other tagged services have either directly participated in
Samourai Whirlpool transactions, or are within close proximity. Furthermore, entities
which have been connected to illicit activities have also used Wasabi Wallet CoinJoin
transactions, namely 3 entities tied to Ponzi schemes, and 20 entities directly related to
criminal activities (15 entities tagged as service hack, 2 as sextortion, 1 as scam, and 2
as ransomware).

The results were simply gathered from Graphic Sense, and little address has been identified.

Excellent summary @Jerry_Ho

I had to read a blog on bitcoin mixing and related services as a primer before reading though. :sweat_smile:

I agree that the work can (and should) be used in anti-money laundering circles. This is because at the end of the day, cryptocurrency transactions constitute a high money laundering risk.

Do you know any particular (and successful) applications of the research work in the AML field?

Curious to see such projects. :eyes: