Tornado Cash and Blender.io were in the news recently for being sanctioned. We wrote about this previously as well. But what exactly are mixing services trying to do? And if it has something to do with anonymity then why are so many of the folks involved getting identified and arrested? Why did BitMixer shut down three days after two “dark web” marketplaces were closed, at least one of which was operated covertly by the authorities for at least a month before the announcement?
As we are going to see, mixers have a simple job: hide the source of some funds. But that job is made nigh-impossible by the requirement that users behave in certain unnatural ways. It is not so much that these mixers were flawed – though some surely were. The real problem is that obfuscating the source of funds only works if you never use those funds for anything related to your real identity. And the world doesn’t work that way.
How Mixers Work
There are essentially two models for mixers. The first, the old-school mixing approach, is to send everything to a known party who then effects transfers out of unrelated wallets. There is a reasonable explanation provided in the indictment of the Helix mixer operator Larry Harmon. In the end Harmon cleaned some Bitcoin for an undercover agent and got caught because the government then knew for sure that two “unrelated” addresses were the same person. It also did not help that Harmon deposited some of his fees on BlockFi which, you know, had his identity.
The second approach seeks to avoid this “detectives can figure out who you are” problem by operating entirely on-chain. This is how Tornado Cash works. It is also how the so-called privacy coins like Zcash and Monero work. We are going to skip the technical details here. But roughly what happens is you deposit money and get an encrypted receipt for the deposit. You can then “cash in” that encrypted receipt to a fresh address. Everyone can see your money came from the mixer – but they cannot tell which deposit into the mixer your money came from.
People are the Problem
In Bruce Schneier’s classic Applied Cryptography he writes about successful attacks on cryptographic systems:
Most of those applications have used lousy cryptography, but successful attacks against them had nothing to do with cryptanalysis. They involved crooked employees, clever sting operations, stupid implementations, integration blunders, and random idiocies…Even the NSA has admitted that most security failures in its area of interest are due to failures in implementation, and not failures in algorithms or protocols. In these instances it didn’t matter how good the cryptography was; the successful attacks bypassed it completely.
That is a nice way of saying the math is not the problem – the people are. People behave like people. They make mistakes. They interact with the same wallets and services on both sides of a mixer. And just generally people are not reliable like robots.
Tracing Through Mixers
This enables tracing through mixers. Sometimes the process is trivial because the mixer itself gives up, KYCs all users and generally cooperates with law enforcement. But even if the service itself is not compromised, smart people can exploit structure in on-chain data to unravel things.
To accomplish this task, we looked at these trading platforms from several different perspectives, ranging from the correlations between the transactions they produce in the cryptocurrency ledgers to the relationships they reveal between seemingly distinct users. The techniques we develop demonstrate that it is possible to capture complex transactional behaviors and trace their activity even as it moves across ledgers, which has implications for any criminals attempting to use these platforms to obscure their flow of money.
That is a nice way of saying “these mixers do not really work.” And, as you probably expected, it gets even worse for the users. The same authors also looked at Zcash where they found:
We conclude that while it is possible to use Zcash in a private way, it is also possible to shrink its anonymity set considerably by developing simple heuristics based on identifiable patterns of usage.
Other research has looked at different products. Tutela can in many cases see through Tornado Cash. While the paper is perhaps a bit technical for most folks there is a more understandable blog post. The paper begins ominously:
A common misconception among blockchain users is that pseudonymity guarantees privacy. The reality is almost the opposite. Every transaction one makes is recorded on a public ledger and reveals information about one’s identity.
And later they place the blame squarely where it belongs, not with the math:
We also propose a set of new heuristics targeted at Tornado Cash, highlighting that careless user behavior, despite using a mixer, can still reveal identity.
As Groucho Marx said “I resemble that remark.” Don’t we all.
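To make "shrinking the anonymity set" concrete, here is an added example (not code from Tutela or the papers quoted above) of two simplified usage-pattern checks run over a toy mixer ledger. Every address, timestamp and transfer is constructed, and the two heuristics are illustrative assumptions based on the "same wallets on both sides of a mixer" mistake described earlier.

```python
# Constructed sample data: every address, timestamp and link below is made up.
DEPOSITS = [  # (deposit_id, depositor_address, time)
    ("d1", "0xA1", 100),
    ("d2", "0xB2", 110),
    ("d3", "0xC3", 120),
    ("d4", "0xD4", 200),
]
WITHDRAWALS = [  # (withdrawal_id, recipient_address, time)
    ("w1", "0xF9", 150),
    ("w2", "0xB2", 160),  # recipient is also a depositor
    ("w3", "0xE7", 250),
]
# Transfers outside the mixer involving those addresses: (sender, receiver)
TRANSFERS = [
    ("0xA1", "0xSHOP"),  # a depositor pays a merchant wallet
    ("0xF9", "0xSHOP"),  # a "fresh" recipient pays the same merchant wallet
    ("0xE7", "0xNEW"),
]

def counterparties(addr):
    """Addresses that addr has sent to or received from outside the mixer."""
    sent_to = {dst for src, dst in TRANSFERS if src == addr}
    received_from = {src for src, dst in TRANSFERS if dst == addr}
    return sent_to | received_from

def candidate_deposits(withdrawal):
    """Baseline anonymity set: every deposit made before the withdrawal."""
    return [d for d in DEPOSITS if d[2] < withdrawal[2]]

def link_withdrawal(withdrawal):
    """Return (baseline_size, narrowed_deposit_ids, reason) for one withdrawal."""
    recipient = withdrawal[1]
    base = candidate_deposits(withdrawal)
    # Heuristic 1: the same address appears on both sides of the mixer.
    same = [d for d in base if d[1] == recipient]
    if same:
        return len(base), [d[0] for d in same], "address reuse"
    # Heuristic 2: depositor and recipient share a non-mixer counterparty.
    rc = counterparties(recipient)
    shared = [d for d in base if rc & counterparties(d[1])]
    if shared:
        return len(base), [d[0] for d in shared], "shared counterparty"
    return len(base), [d[0] for d in base], "no link"

if __name__ == "__main__":
    for w in WITHDRAWALS:
        print(w[0], link_withdrawal(w))
```

Only the third withdrawal keeps its full anonymity set; the other two collapse to a single candidate without touching the mixer's cryptography. On real data a shared counterparty that is a large exchange or popular contract links many unrelated users, so such a match is a lead to corroborate, not proof.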
In Applied Cryptography Schneier also details one known-to-be-unbreakable cryptographic technique: the one-time pad. And then he goes on to explain how hard it is to use one of these properly. The problem is not, and never really was, the math. This technique was invented in the 19th century. We have known for a long time that security flaws are far more likely attributable to human behaviour than well-studied algorithms.
There are quite a few known-secure mixing and tumbling procedures. It’s the users themselves that give away the game. There is a term in the IT-support area: PEBCAK. This is a fake error code that stands for “problem exists between chair and keyboard.” It’s the user’s fault.
Cryptocurrency mixer users who get found out have only themselves to blame. Instead of pushing her cosmetics brand Fenty into the metaverse, Rihanna might do better licensing “Take a Bow” to a crypto tumbler ’cause she nailed it:
Don’t tell me you’re sorry ’cause you’re not
Baby, when I know you’re only sorry you got caught