Monero is a privacy-enhancing cryptocurrency that exceeds others (Zcash, Dash) in terms of market capitalization and promises privacy and anonymity through unlinkable and untraceable transactions. It thereby addresses a central shortcoming of well-established currencies such as Bitcoin, which cannot offer a meaningful level of anonymity because transactions sent to addresses are linkable and payments among pseudonymous addresses are traceable. There are now a number of commercial (e.g., Chainalysis) and non-commercial tools [1, 2] that implement well-known analytics techniques (c.f., ) and provide cryptocurrency analytics features, including tracking and tracing of payments made in cryptocurrencies.
Technically, Monero is based on the CryptoNote protocol and aims to address Bitcoin’s privacy issues using three central methods: Stealth addresses, which are one-time keys that are generated from the recipient’s address and a random value, should prevent the identification of transactions sent to a given address and provide unlinkability. The use of Ring Signatures in Monero transactions, which mixes an output that is spent (real input) with other decoy outputs (mixin input), obscures the path of a given coin and provide untraceability of payments. Finally, Confidential Transactions hide the value of non-mining transactions and should prevent tracing by value and guessing of change addresses, which are used to send excess input funds back to the issuer of the transaction, based on values.
Nevertheless, in 2017, two concurrent studies [3, 5] have shown that untraceability can be compromised by applying heuristics that can identify mixins. They were able to trace the majority of transactions up to the introduction of RingCTs (confidential transactions) in Jan. 2017. In the following releases (Sep. 2017 and Mar. 2018), additional improvements such as a higher mandatory minimal ringsize and an improved sampling technique for decoys were rolled out. The 2017 studies already showed that the share of traceable transactions plummeted after the introduction of RingCTs, but a more up-to-date picture on the effectiveness of those improvements is still missing.
Furthermore, another traceability method that exploits information leaked by currency hard forks (a split of the currency with a shared history; unspent pre-fork TXOs can be spent on both post-fork branches) has been discussed in the community for some time. The general idea of the attack vector is to exploit differences between rings spending the same output on the two post-fork branches. However, we are not aware of a formal description, nor of an evaluation of its effectiveness.
The contributions of this work are twofold: first, in Section 3, we propose and formalize a new Monero cross-chain analysis method, which exploits information leaked by currency hard forks. Second, in Section 4, we empirically analyze Monero cross-chain traceability by combining known heuristics with our new method. Our analysis, which considers Monero blocks 0 to 1 651 346 (2018-08-31), also provides an up-to-date assessment on the effectiveness of the previously mentioned countermeasures by evaluating the accuracy of known heuristics on recent transactions.
Our findings suggest that Monero is currently mostly immune to known passive attack vectors and resistant to established tracking and tracing methods applied to other cryptocurrencies. They also confirm that the changes to the protocol, which were introduced as countermeasures to the heuristics proposed by Kumar et al.  and Möser et al. , were effective. Consequently, this implies that currently available cryptocurrency analytics tools that work for Bitcoin and its derivatives cannot be applied for tracking and tracing of Monero payments.
All the analysis done in this work can be reproduced by using the MONitERO toolchain, which can be found on GitHub111https://github.com/oerpli/MONitERO
2 Known Monero Traceability Methods
Currently we are not aware of any known method to compromise confidential transactions and stealth addresses. Untraceability has been successfully diminished by Kumar et al. and Möser et al. with the following approaches:
Zero Mixin Removal (ZMR)
[3, 5] As each ring has exactly one real member, all rings with only one (non-mixin) member can be traced, just like in Bitcoin. As the referenced outputs can only be spent once, occurrences of these outputs in other rings can be marked as mixins. Repeated applications of this rule is called Zero Mixin Removal (ZMR). If the average ringsize is small enough, repeated applications of this rule can result in a chain reaction. To prevent this, the mandatory minimum ringsize has been increased several times (03 in 2016, 35 in 2017 and 57 in 2018). In October 2018 (after the cutoff of our dataset) the ringsize has been increased (from 711) and removed as parameter, i.e. all transactions issued since v0.13 have a fixed ringsize of 11. This removes a possible attack vector, based on the assumption that transaction with certain nonstandard ringsizes are issued by the same (set of) users. In our analysis we did not find a method to exploit this.
Intersection Removal (IR)
 This heuristic is a generalization of ZMR: If rings contain the same (non-mixin) members, it is (usually) impossible to determine, which output has been spent in which ring, but as all of them are spent in one of the rings, we mark them as spent and other references to these outputs as mixin. If , this method is identical to ZMR. This can be generalized even further: Instead of identical rings with members we look for sets of rings (where each ring is a set of transaction outputs, abbreviated as TXOs) with the property: (if there are sets in , the union of those sets contain elements). This maps to the matching problem for bipartite graphs , where the property (where is the set of neighbors of ) holds iff there is a perfect matching.
Guess Newest Heuristic
While the outputs spent in a transaction are (mostly) fixed, the choice of decoys is somewhat arbitrary. Most Monero TXOs are spent a few days after they’ve been received (resulting in an age distribution of the real inputs that is heavily left-skewed). The mixins on the other hand were initially (until v0.9 in 2016) sampled uniformly from all eligible existing outputs. Starting from January 2016, a triangular distribution was used (according to Möser et al., which still wasn’t sufficiently left-skewed and did not match real spending behavior), from December 2016 on, 25% of the inputs where sampled from the recent zone (outputs less than 5 days old). In September 2017, two changes have been made to the sampling from the recent zone. The recent zone has been reduced to outputs less than 1.8 days old and the number of decoys sampled from the recent zone has been increased to 50%222https://github.com/monero-project/monero/pull/1996/files. The two publications from April 2017 (shortly after the introduction of the recent zone sampling), proposed a simple yet highly effective heuristic, which guessed that the real input is the most recent one.
Output Merging Heuristic
 If multiple inputs of a transaction reference distinct outputs from the same transaction, this heuristic assumes that these outputs are the real inputs. Before the introduction of confidential transactions this arose naturally, as outputs where split up into denominations (e.g. an output of 8XMR would have been split up into three outputs with denominations 1,2 and 5 XMR). If the recipient wants to spend his funds, he would have to merge these outputs. While this heuristic also works for confidential transactions, these TXs tend to have fewer outputs (mostly 2 outputs, one of which is the change output), which results in fewer “merging-transactions”.
3 Hard Forks & Cross Chain Analysis
Like software projects, cryptocurrencies and their blockchains can be forked, resulting in two currencies with a partly shared transaction history. There are different forking mechanisms, though for this work only hard forks (see Fig. 1) are relevant. The important aspect for our method is that unspent pre-fork TXOs can be spent on both branches. To prevent double spending, each (input) ring is published with a key image, which is uniquely determined by the spent output (the ring signature is used to verify that this is the case). If a coin is spent in multiple (one per branch) rings after a fork, the real input has to be in the intersection of the rings and the remaining members, i.e. the pairwise symmetric differences, can be marked as mixins, as illustrated in Fig. 2.
We used the methods from Kumar et al. and Möser et al. that do not produce false positives (Zero Mixin Removal & Intersection Removal) as well as our new method (Cross Chain Analysis) to deduce mixins and real inputs for Monero transactions. We focus on nontrivial rings, i.e. rings that have at least one mixin (ringsize > 1). If some of the ring members are identified as mixin, we refer to the remaining number of possible real inputs as effective ringsize. A ring with an effective ringsize of 1 is traced. Statistics from our dataset can be found in Table 3.
Overall, were able to trace 4 212 422 nontrivial rings. As can be seen in Fig. 5, in the first years of Monero’s existence most nontrivial rings where traceable (as most mixins were spent in trivial rings). To prevent this, mandatory minimum ringsizes have been introduced, though the sampling of older, provably spent outputs as mixins remained a problem. Starting from 2017, the introduction of RingCT mostly eliminates this threat, as RingCT transactions only sample outputs from other RingCT transactions, all of which were issued after the introduction of mandatory minimum ringsizes.
In the weeks following the MoneroV and Monero Original hard forks, the fraction of traceable rings increases. This is due to our newly proposed method, which allows us to identify the real spent output of 73 321 (improved from 25 256) out of 1 565 858 transaction inputs in the 685 608 (non-coinbase) transactions that have been issued between 2018-04-01 and 2018-08-31. The number of identified mixins in this time span has also more than doubled, from 203 251 to 544 131. Taken together, the status (real or mixin) of 617 452 out of 11 826 525 ring members in this time frame has been identified, which amounts to 5.22% (compared to 228 507 and 1.93% without cross-chain analysis). Results from our traceability analysis can be found in Table 3.
Using the results from our traceability analysis, we also investigated the accuracy of the guess newest heuristic (GNH) and the output merging heuristic (OMH) for recent transactions (see Table 3). We find that the performance of the GNH (see Fig. 5) is not better than random guessing for recent transactions. For the OMH (see Fig. 5) we used two different methods to aggregate the data by months, once considering the time where the outputs were created (“Out”) and when they where spent (“In”). Overall, the number of true and false positives is identical, though the distributions over time differ somewhat. A problem of the OMH is the fact that RingCT transactions have fewer inputs and outputs, resulting in less transactions that merge outputs from previous transactions and thus less possible applications of the OMH.
|First TX date||2014-04-18||2018-04-06||2018-05-03|
|Last TX date||2018-08-31||2018-08-31||2018-08-31|
|First block||1||1 546 600||1 564 966|
|Last block||1 651 346||1 651 728||1 647 778|
|# Transactions||4 955 908||146 475||146 215|
|# Coinbase TXs||1 651 347||105 729||82 814|
|# TX outputs||28 878 846||198 618||450 773|
|# Rings (TX inputs)||24 760 168||244 965||212 919|
|# Nontrivial rings||12 538 632||241 464||212 919|
|# Ring members||70 767 723||1 243 479||1 701 036|
|# Nontrivial rings||12 538 632||241 464||212 919|
|# Ring members||70 767 723||1 243 479||1 701 036|
|# Traced nontrivial rings||4 212 422||50 861||7 671|
|# Identified mixin ringmembers||16 270 257||230 128||49 035|
|# Identified real ringmembers||16 433 958||54 362||7 671|
|# Identified spent ringmembers||13 240||0||0|
|# Nontrivial rings||1 565 858|
|# Identified real rm. w/o new method||25 256|
|# Identified real rm. with new method||73 321|
|# Identified mixin rm. w/o new method||203 251|
|# Identified mixin rm. with new method||544 131|
Before mandatory minimum ringsizes were introduced, most rings were traceable. With increasing mandatory minimum ringsizes (2016/09) the percentage of traceable NTR dropped and since the introduction of RingCT (2017) only a small fraction of all transactions can be traced with blockchain analysis techniques. While our newly proposed method enables the tracing of some additional transaction inputs, the overall impact from this attack vector seems to be small so far. This could change when a Monero fork with considerably higher traction is launched, which would presumably result in more redeemed outputs. Using the traced rings we looked at the accuracy of the GNH & OMH and found that their performance suffered from the recent changes to the transaction protocol. Though it may be the case that our analysis underestimates the accuracy of the GNH, as most of the traced rings in recent months were traced with our new method, which identifies the real spent pre-fork output in post-fork transactions. This skews the age of the spent outputs compared to regular usage. Overall, the fraction of traceable rings remains low and we believe that unless additional attack vectors emerge, Monero remains resistant to analysis methods which have been applied to other cryptocurrencies.
This work was partly funded by the European Commission through the project TITANIUM (Project ID: 740558) and by Austrian Research Promotion Agency (FFG) through the project VIRTCRIME (Project ID: 860672)
-  Bernhard Haslhofer, Roman Karl, and Erwin Filtz. O Bitcoin Where Art Thou? Insight into Large-Scale Transaction Graphs. In SEMANTiCS (Posters, Demos, SuCCESS), 2016.
-  Harry Kalodner, Steven Goldfeder, Alishah Chator, Malte Möser, and Arvind Narayanan. BlockSci: Design and applications of a blockchain analysis platform. arXiv:1709.02489 [cs], September 2017. arXiv: 1709.02489.
-  Amrit Kumar, Clément Fischer, Shruti Tople, and Prateek Saxena. A Traceability Analysis of Monero’s Blockchain. In Simon N. Foley, Dieter Gollmann, and Einar Snekkenes, editors, Computer Security – ESORICS 2017, Lecture Notes in Computer Science, pages 153–173. Springer International Publishing, 2017.
-  Sarah Meiklejohn, Marjori Pomarole, Grant Jordan, Kirill Levchenko, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage. A fistful of bitcoins: characterizing payments among men with no names. In Proceedings of the 2013 conference on Internet measurement conference, pages 127–140. ACM, 2013.
-  Malte Möser, Kyle Soska, Ethan Heilman, Kevin Lee, Henry Heffan, Shashvat Srivastava, Kyle Hogan, Jason Hennessey, Andrew Miller, Arvind Narayanan, and Nicolas Christin. An Empirical Analysis of Traceability in the Monero Blockchain. Proceedings on Privacy Enhancing Technologies, 2018(3):143–163, June 2018.