< Back to Searchlight Blog

The quest for Monero deanonymisation and potential impacts on darknet markets

Published on 02 Dec 2020 by Louise

Monero, often hailed by darknet users as the most private cryptocurrency available, has recently been the subject of efforts by security researchers to deanonymise and trace its transactions. How will Monero's potential traceability affect the illicit trade that occurs on darknet markets?

The cryptocurrency Monero, created in 2014, has been lauded for its focus on financial privacy and decentralisation. Though not as popular or valuable as Bitcoin, Monero's advantage stems from the fact that account balances and payments cannot be viewed. This is unlike most cryptocurrencies, which whilst providing a certain level of anonymity still allow transactions to be visible on their public ledgers. Furthermore, Monero enforces its privacy features on all transactions as procedure, whereas many cryptocurrencies provide them as opt-in features. The standard of privacy provided by Monero has made it the second-most popular cryptocurrency of choice for those wishing to trade illegal goods and services on darknet markets only accessible via the Tor network.

However, many security researchers have taken Monero's claims as a challenge to test its traceability. The most high-profile example of this is activity by blockchain forensics firm CipherTrace, who recently filed two patents related to Monero tracing techniques. The patents, filed in September and November 2020, regard a set of "Monero tracing tools" which have allegedly already been shared with law enforcement to trace transactions associated with criminal activity. CipherTrace claims the tools have been in development since 2019, and comprise methods for exploring Monero transaction flows, clustering likely owners, and gaining intelligence on the Monero network. Though largely based on statistical and probabilistic methods, the patented techniques are claimed to have paved the way for future efforts at wallet identification and exchange attribution. This all culminates in potentially providing law enforcement far greater ability to investigate Monero transactions and addresses suspected of criminality. CipherTrace's efforts are not the only attempt to break Monero's privacy; in early November 2020 it was reported that the cryptocurrency's network sustained an albeit ineffective Sybil attack aimed at breaching its privacy mechanisms.

Despite these bold statements, reaction to the news among darknet users has been relatively subdued. A post on darknet forum Dread on November 23 detailing CipherTrace's announcement provoked a range of responses, the majority of which were doubting the legitimacy of their claims due to lack of proof of work; though this would obviously compromise the utility and confidentiality of CipherTrace's methods. However, some users warned that the patents serve as a reminder that darknet users should take multiple measures to obscure their identity, beyond just their choice of cryptocurrency. Currently, Monero is supported as a payment option on up to 45% of darknet markets online, with little sign of market administrators rescinding this option due to any privacy concerns. However, as these tracing methods continue to develop and begin to be implemented by law enforcement, users trading illegal goods and services on the darknet may switch to a coin which they perceive to be less scrutinized.

Screenshot showing user reaction on Dread to news of potential Monero traceability

Try our Darknet Intelligence/Forensics tool for free, contact enquiries@slcyber.io


Latest News from Searchlight

20 May 2021

Is all press good press? DarkSide, Colonial Pipeline and Ransomware-as-a-Service

This article explores the darknet structures and relationships sustaining the ransomware ecosystem, and enquires whether the consequences of DarkSide's attack against Colonial Pipeline will affect the continued growth of this lucrative cybercriminal enterprise.

Read more...

03 Mar 2021

Zero-day exploit in Accellion FTA leads to data compromise of multiple companies

This article evaluates the recent slew of data breaches suffered by a range of major organisations as a result of vulnerabilities in the soon-to-be-retired Accellion File Transfer Appliance, as well as the implications of suspected involvement by notorious ransomware gang Cl0p.

Read more...

06 Jan 2021

Covid-19 and the darknet: deceit, disinformation and disruption

Since the beginning of the coronavirus pandemic, darknet actors have exploited the heightened sense of fear and uncertainty for financial and even political gain. In tandem with the much-anticipated rollout of vaccines for the disease in multiple countries worldwide, actors have renewed efforts at Covid-related fraud, disinformation, and cyber-espionage.

Read more...

02 Dec 2020

The quest for Monero deanonymisation and potential impacts on darknet markets

Monero, often hailed by darknet users as the most private cryptocurrency available, has recently been the subject of efforts by security researchers to deanonymise and trace its transactions. How will Monero's potential traceability affect the illicit trade that occurs on darknet markets?

Read more...

Whoops, looks like something went wrong.

1/1 Swift_TransportException in AuthHandler.php line 181: Failed to authenticate on SMTP server with username "notifymcgoo@gmail.com" using 1 possible authenticators

  1. in AuthHandler.php line 181
  2. at Swift_Transport_Esmtp_AuthHandler->afterEhlo(object(Swift_Transport_EsmtpTransport)) in EsmtpTransport.php line 332
  3. at Swift_Transport_EsmtpTransport->_doHeloCommand() in AbstractSmtpTransport.php line 118
  4. at Swift_Transport_AbstractSmtpTransport->start() in FileSpool.php line 149
  5. at Swift_FileSpool->flushQueue(object(Swift_Transport_EsmtpTransport)) in SwiftmailerServiceProvider.php line 95
  6. at SwiftmailerServiceProvider->Silex\Provider\{closure}(object(Request), object(TemplateResponse), object(Application))
  7. at call_user_func(object(Closure), object(Request), object(TemplateResponse), object(Application)) in Application.php line 387
  8. at Application->Silex\{closure}(object(PostResponseEvent), 'kernel.terminate', object(TraceableEventDispatcher)) in WrappedListener.php line 61
  9. at WrappedListener->__invoke(object(PostResponseEvent), 'kernel.terminate', object(EventDispatcher)) in EventDispatcher.php line 184
  10. at EventDispatcher->doDispatch(array(object(WrappedListener), object(WrappedListener), object(WrappedListener)), 'kernel.terminate', object(PostResponseEvent)) in EventDispatcher.php line 46
  11. at EventDispatcher->dispatch('kernel.terminate', object(PostResponseEvent)) in TraceableEventDispatcher.php line 133
  12. at TraceableEventDispatcher->dispatch('kernel.terminate', object(PostResponseEvent)) in HttpKernel.php line 77
  13. at HttpKernel->terminate(object(Request), object(TemplateResponse)) in Application.php line 598
  14. at Application->terminate(object(Request), object(TemplateResponse)) in Application.php line 565
  15. at Application->run(object(Request)) in Application.php line 97
  16. at Application->run() in index.php line 12
Uncaught Exception: Swift_TransportException

Uncaught Exception: Swift_TransportException .

Swift_TransportException in AuthHandler.php line 181:
Failed to authenticate on SMTP server with username "notifymcgoo@gmail.com" using 1 possible authenticators

                    if ($authenticator->authenticate($agent, $this->_username, $this->_password)) {
                        return;
                    }
                }
            }
            throw new Swift_TransportException(
                'Failed to authenticate on SMTP server with username "'.
                $this->_username.'" using '.$count.' possible authenticators'
                );
        }
    }

Google this Exception

Stack trace

# 1 \Swift_Transport_Esmtp_AuthHandl …::afterEhlo(Swift_Transport_EsmtpTransport)
[root]/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/EsmtpTransport.php # line 332
# 2 \Swift_Transport_EsmtpTransport::_doHeloCommand()
[root]/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/AbstractSmtpTransport.php # line 118
# 3 \Swift_Transport_AbstractSmtpTra …::start()
[root]/vendor/swiftmailer/swiftmailer/lib/classes/Swift/FileSpool.php # line 149
# 4 \Swift_FileSpool::flushQueue(Swift_Transport_EsmtpTransport)
[root]/vendor/silex/silex/src/Silex/Provider/SwiftmailerServiceProvider.php # line 95
# 5 Silex\Provider\SwiftmailerServiceProvider::Silex\Provider\{closure}(Request, TemplateResponse, Application)
# 6 call_user_func(Closure, Request, TemplateResponse, Application)
[root]/vendor/silex/silex/src/Silex/Application.php # line 387
# 7 Silex\Application::Silex\{closure}(PostResponseEvent, "kernel.terminate", TraceableEventDispatcher)
[root]/vendor/symfony/event-dispatcher/Debug/WrappedListener.php # line 61
# 8 Symfony\Component\EventDispatcher\Debug\WrappedListener::__invoke(PostResponseEvent, "kernel.terminate", EventDispatcher)
[root]/vendor/symfony/event-dispatcher/EventDispatcher.php # line 184
# 9 Symfony\Component\EventDispatcher\EventDispatcher::doDispatch([array], "kernel.terminate", PostResponseEvent)
[root]/vendor/symfony/event-dispatcher/EventDispatcher.php # line 46
# 10 Symfony\Component\EventDispatcher\EventDispatcher::dispatch("kernel.terminate", PostResponseEvent)
[root]/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php # line 133
# 11 Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher::dispatch("kernel.terminate", PostResponseEvent)
[root]/vendor/symfony/http-kernel/HttpKernel.php # line 77
# 12 Symfony\Component\HttpKernel\HttpKernel::terminate(Request, TemplateResponse)
[root]/vendor/silex/silex/src/Silex/Application.php # line 598
# 13 Silex\Application::terminate(Request, TemplateResponse)
[root]/vendor/silex/silex/src/Silex/Application.php # line 565
# 14 Silex\Application::run(Request)
[root]/vendor/bolt/bolt/src/Application.php # line 97
# 15 Bolt\Application::run()
[root]/public/index.php # line 12


Request data

content (empty)
languages en_US
en
charsets (empty)
encodings br
gzip
acceptableContentTypes text/html
application/xhtml+xml
application/xml
*/*
pathInfo /news/what-will-be-the-impact-of-monero-deanonymisation
requestUri /news/what-will-be-the-impact-of-monero-deanonymisation
baseUrl (empty)
basePath (empty)
method GET

Headers

host ["bolt"]
connection ["close"]
user-agent ["CCBot/2.0 (https://commoncrawl.org/faq/)"]
accept ["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"]
accept-language ["en-US,en;q=0.5"]
accept-encoding ["br,gzip"]

Server

HTTP_HOST bolt
HTTP_CONNECTION close
HTTP_USER_AGENT CCBot/2.0 (https://commoncrawl.org/faq/)
HTTP_ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE en-US,en;q=0.5
HTTP_ACCEPT_ENCODING br,gzip
PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SERVER_SIGNATURE <address>Apache/2.4.25 (Debian) Server at bolt Port 80</address>
SERVER_SOFTWARE Apache/2.4.25 (Debian)
SERVER_NAME bolt
SERVER_ADDR 192.168.80.2
SERVER_PORT 80
REMOTE_ADDR 192.168.80.3
DOCUMENT_ROOT /var/www/html/public
REQUEST_SCHEME http
CONTEXT_PREFIX (empty)
CONTEXT_DOCUMENT_ROOT /var/www/html/public
SERVER_ADMIN [no address given]
SCRIPT_FILENAME /var/www/html/public/index.php
REMOTE_PORT 38336
GATEWAY_INTERFACE CGI/1.1
SERVER_PROTOCOL HTTP/1.0
REQUEST_METHOD GET
QUERY_STRING (empty)
REQUEST_URI /news/what-will-be-the-impact-of-monero-deanonymisation
SCRIPT_NAME /index.php
PHP_SELF /index.php
argv []
Arguments:
array:1 [
  0 => Swift_Transport_EsmtpTransport {
    -_handlers: array:1 [
      "AUTH" => Swift_Transport_Esmtp_AuthHandler {
        -_authenticators: array:3 [
          0 => Swift_Transport_Esmtp_Auth_CramMd5Authenticator {}
          1 => Swift_Transport_Esmtp_Auth_LoginAuthenticator {}
          2 => Swift_Transport_Esmtp_Auth_PlainAuthenticator {}
        ]
        -_username: "notifymcgoo@gmail.com"
        -_password: "6690823boyded"
        -_auth_mode: "login"
        -_esmtpParams: array:6 [
          0 => "LOGIN"
          1 => "PLAIN"
          2 => "XOAUTH2"
          3 => "PLAIN-CLIENTTOKEN"
          4 => "OAUTHBEARER"
          5 => "XOAUTH"
        ]
      }
    ]
    -_capabilities: array:7 [
      "SIZE" => array:1 [
        0 => "35882577"
      ]
      "8BITMIME" => []
      "AUTH" => array:6 [
        0 => "LOGIN"
        1 => "PLAIN"
        2 => "XOAUTH2"
        3 => "PLAIN-CLIENTTOKEN"
        4 => "OAUTHBEARER"
        5 => "XOAUTH"
      ]
      "ENHANCEDSTATUSCODES" => []
      "PIPELINING" => []
      "CHUNKING" => []
      "SMTPUTF8" => []
    ]
    -_params: array:8 [
      "protocol" => "tcp"
      "host" => "smtp.gmail.com"
      "port" => 587
      "timeout" => 30
      "blocking" => 1
      "tls" => true
      "type" => 1
      "stream_context_options" => []
    ]
    #_buffer: Swift_Transport_StreamBuffer {
      -_stream: &1 stream resource @1026
        crypto: array:4 [
          "protocol" => "TLSv1.2"
          "cipher_name" => "ECDHE-ECDSA-AES128-GCM-SHA256"
          "cipher_bits" => 128
          "cipher_version" => "TLSv1.2"
        ]
        timed_out: false
        blocked: true
        eof: false
        stream_type: "tcp_socket/ssl"
        mode: "r+"
        unread_bytes: 0
        seekable: false
        options: []
      }
      -_in: &1 stream resource @1026
      -_out: &1 stream resource @1026
      -_params: array:8 [
        "protocol" => "tcp"
        "host" => "smtp.gmail.com"
        "port" => 587
        "timeout" => 30
        "blocking" => 1
        "tls" => true
        "type" => 1
        "stream_context_options" => []
      ]
      -_replacementFactory: Swift_StreamFilters_StringReplacementFilterFactory {
        -_filters: []
      }
      -_translations: []
      #_sequence: 28
      -_filters: []
      -_writeBuffer: ""
      -_mirrors: []
    }
    #_started: false
    #_domain: "[192.168.80.2]"
    #_eventDispatcher: Swift_Events_SimpleEventDispatcher {
      -_eventMap: array:5 [
        "Swift_Events_CommandEvent" => "Swift_Events_CommandListener"
        "Swift_Events_ResponseEvent" => "Swift_Events_ResponseListener"
        "Swift_Events_SendEvent" => "Swift_Events_SendListener"
        "Swift_Events_TransportChangeEvent" => "Swift_Events_TransportChangeListener"
        "Swift_Events_TransportExceptionEvent" => "Swift_Events_TransportExceptionListener"
      ]
      -_listeners: []
      -_bubbleQueue: []
    }
    #_sourceIp: null
  }
]
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
Arguments:
array:1 [
  0 => Swift_Transport_EsmtpTransport {
    -_handlers: array:1 [
      "AUTH" => Swift_Transport_Esmtp_AuthHandler {
        -_authenticators: array:3 [
          0 => Swift_Transport_Esmtp_Auth_CramMd5Authenticator {}
          1 => Swift_Transport_Esmtp_Auth_LoginAuthenticator {}
          2 => Swift_Transport_Esmtp_Auth_PlainAuthenticator {}
        ]
        -_username: "notifymcgoo@gmail.com"
        -_password: "6690823boyded"
        -_auth_mode: "login"
        -_esmtpParams: array:6 [
          0 => "LOGIN"
          1 => "PLAIN"
          2 => "XOAUTH2"
          3 => "PLAIN-CLIENTTOKEN"
          4 => "OAUTHBEARER"
          5 => "XOAUTH"
        ]
      }
    ]
    -_capabilities: array:7 [
      "SIZE" => array:1 [
        0 => "35882577"
      ]
      "8BITMIME" => []
      "AUTH" => array:6 [
        0 => "LOGIN"
        1 => "PLAIN"
        2 => "XOAUTH2"
        3 => "PLAIN-CLIENTTOKEN"
        4 => "OAUTHBEARER"
        5 => "XOAUTH"
      ]
      "ENHANCEDSTATUSCODES" => []
      "PIPELINING" => []
      "CHUNKING" => []
      "SMTPUTF8" => []
    ]
    -_params: array:8 [
      "protocol" => "tcp"
      "host" => "smtp.gmail.com"
      "port" => 587
      "timeout" => 30
      "blocking" => 1
      "tls" => true
      "type" => 1
      "stream_context_options" => []
    ]
    #_buffer: Swift_Transport_StreamBuffer {
      -_stream: &1 stream resource @1026
        crypto: array:4 [
          "protocol" => "TLSv1.2"
          "cipher_name" => "ECDHE-ECDSA-AES128-GCM-SHA256"
          "cipher_bits" => 128
          "cipher_version" => "TLSv1.2"
        ]
        timed_out: false
        blocked: true
        eof: false
        stream_type: "tcp_socket/ssl"
        mode: "r+"
        unread_bytes: 0
        seekable: false
        options: []
      }
      -_in: &1 stream resource @1026
      -_out: &1 stream resource @1026
      -_params: array:8 [
        "protocol" => "tcp"
        "host" => "smtp.gmail.com"
        "port" => 587
        "timeout" => 30
        "blocking" => 1
        "tls" => true
        "type" => 1
        "stream_context_options" => []
      ]
      -_replacementFactory: Swift_StreamFilters_StringReplacementFilterFactory {
        -_filters: []
      }
      -_translations: []
      #_sequence: 28
      -_filters: []
      -_writeBuffer: ""
      -_mirrors: []
    }
    #_started: false
    #_domain: "[192.168.80.2]"
    #_eventDispatcher: Swift_Events_SimpleEventDispatcher {
      -_eventMap: array:5 [
        "Swift_Events_CommandEvent" => "Swift_Events_CommandListener"
        "Swift_Events_ResponseEvent" => "Swift_Events_ResponseListener"
        "Swift_Events_SendEvent" => "Swift_Events_SendListener"
        "Swift_Events_TransportChangeEvent" => "Swift_Events_TransportChangeListener"
        "Swift_Events_TransportExceptionEvent" => "Swift_Events_TransportExceptionListener"
      ]
      -_listeners: []
      -_bubbleQueue: []
    }
    #_sourceIp: null
  }
]
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)