Bitcoin Transactions Analysis Breaks Tor Anonymity


Researchers from Qatar University in Doha published a paper on January 23, 2018, detailing their successful attempt to de-anonymize Tor users with bitcoin transaction analysis.

In this shocking research paper, a clear and simple method is explained for tracking the real identities of people who sent or received payments for hidden services using bitcoin. 125 unique users were positively identified and connected with 20 different Tor hidden services. These services included sensitive transactions on deep web markets such as Silk Road and The Pirate Bay, and also donations to Wikileaks.

It is quite ironic how Bitcoin had been stigmatized in the past as an anonymous payment method that enables criminal activity and money laundering. In fact, we now understand that the opposite is true. Bitcoin is practically a gift for law enforcement agencies with access to big data. Not only can bitcoin transactions be analyzed to expose criminal activity currently taking place over Tor, but transactions made in the past can also be analyzed to reveal, in accurate detail, who did what, and when, from where. If no statute of limitations is in place for the specific illegal activity, then bitcoin can be a tool that law enforcement agencies can use to track down every prosecutable felony and misdemeanor accomplished with bitcoin over Tor since the creation of the network.

Additionally, with the Qatar University method, bitcoin transactions can be analyzed to reveal who has been financially supporting alternative truth-revealing media such as Wikileaks and other similar organizations. This could indirectly put whistleblowers in danger and eventually shut down mechanisms in place to protect whistleblowers and journalists who wish to investigate and publish sensitive truths.

The Qatar University researchers began their study by crawling the onion landing pages of 1,500 hidden services and extracted 88 bitcoin payment addresses including two ransomware addresses. They then crawled two online social networks; Twitter and the forum. Five billion tweets and one million bitcointalk forum pages were crawled to create two datasets of 4,100, and 41,000 bitcoin addresses publicly displayed on these respective social networks. Finally, they examined Bitcoin blockchain transaction data, specifically searching for transactions between Twitter/Bitcointalk users BTC addresses and Tor hidden services BTC addresses. The results were expanded with techniques that built upon the initial findings and analyzed corresponding transaction history.

This research was done by privacy advocates. All 125 people who were doxed in this study were contacted by the researchers and informed of the threat and offered possible remedies. A thread was also posted on the forum informing the public of the dangers this study had uncovered. However, we can easily imagine how these techniques can, will, and most likely already have been used by adversaries to privacy to document bitcoin users’ activities over Tor and possibly use the data for blackmail or in an unethical manner.

Bitcoin/Tor users who find that they are vulnerable to this deanonymizing attack are advised:

…to clean their social network footprint, focusing on removing PII (Personally Identifiable Information) that is publicly shared or deleting their linked online identities, all together.”

It is also suggested by the Qatar researchers to follow Bitcoin best practices, to use CoinJoin, Fair Exchange, CoinSwap, and stealth addresses. Privacy-focused altcoins, specifically Monero and Zcash, are also mentioned in the paper as a way to protect the anonymity of sensitive transactions.