Simulated Blockchains for Machine Learning Traceability and Transaction Values in the Monero Network

01/12/2020 ∙ by Nathan Borggren, et al. ∙ 0

Monero is a popular crypto-currency which focuses on privacy. The blockchain uses cryptographic techniques to obscure transaction values as well as a `ring confidential transaction' which seeks to hide a real transaction among a variable number of spoofed transactions. We have developed training sets of simulated blockchains of 10 and 50 agents, for which we have control over the ground truth and keys, in order to test these claims. We featurize Monero transactions by characterizing the local structure of the public-facing blockchains and use labels obtained from the simulations to perform machine learning. Machine Learning of our features on the simulated blockchain shows that the technique can be used to aide in identifying individuals and groups, although it did not successfully reveal the hidden transaction values. We apply the technique on the real Monero blockchain to identify ShapeShift transactions, a cryptocurrency exchange that has leaked information through their API providing labels for themselves and their users.



There are no comments yet.


page 5

page 6

page 7

page 8

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

We have successfully applied machine learning (ML) in the past by combining features derived directly from blockchains with labels aggregated from off-chain sources [4, 2]. Other researchers have used ML techniques as well to deanonymize exchanges [11], identify malware [1], and other institutions [13]. With the exception of [2], these analyses have largely focused on Bitcoin as the labels are easily sourced, albeit difficult to verify [8]. However, other crypto-currencies have also greatly progressed and provide sufficient liquidity to be incorporated into cross-currency mixing schemes [2, 12].

Although many crypto-currencies are derivative of Bitcoin, originating in a fork of the code repository followed by some cosmetic changes, some coins have adopted different basic assumptions and introduced substantially new codebases and cryptographic techniques to overcome some of the privacy limitations inherent in Bitcoin. One such coin is Monero [5]. Monero has introduced some structural differences to Bitcoin that were sufficient to render our Bitcoin-like ML machinery inapplicable.

In particular, the following features of the Monero blockchain obstruct our previous analysis.

  • Addresses are not included in the blockchain, obfuscating the recipient of a transaction.

  • Transaction values are obfuscated

  • Inputs to a transaction are combined with spoofed transactions (the RingCT), obfuscating the origin of a transaction.

Despite these improvements, Monero is still susceptible to some level of tracking using heuristics

[9] and understanding residual effects of hard-forks [7].

Can we regain an ML approach to the deanonymization of Monero? A few hurdles need to be overcome. First, featurizations of the Monero blockchain will be heavily topological in their nature; timestamps, number of inputs, size of RingCTs and the connectivity among transactions are the raw materials from which we can make features. Second, the monerod wallet client, in comparison with the bitcoind wallet client, has removed a number of features that are of use to blockchain analysts but not necessary for the day to day use of the coin. Lastly, large repositories of labels of transactions are either unavailable, unreliable, or classified.

To overcome the first hurdle, in Sec. 3, we will quantify some topological aspects in the blockchain neighborhood of a given transaction. We have utilized [10]

, the open source repository behind, to overcome the second hurdle. To address the third hurdle, we have collected and verified labels aggregated from the ShapeShift API. These labels allows us to deanonymize only one entity, ShapeShift, and while we do so in Sec. 5 to demonstrate the use of our features on the real monero blockchain, but for the sake of generality and additional confidence we have chosen another course which we hope will inspire other privacy analysis on Monero and other blockchains.

In cybersecurity studies, it is commonplace to generate synthetic datasets to develop and assess threat detection techniques [6]. We use this analogy to provide a framework to understood the inner workings of Monero in action; test networks are created including ten and fifty person networks to provide a dataset for an ML analysis. For the ML assessment, the blockchain, that is the public-facing aspect of the network, is used to develop featurizations while the wallet contents are used to supply the labels as depicted in fig 1.

Figure 1: A test-network is used to generate a blockchain and provide labels.

Monero also provides new opportunities for machine learning that were not present or applicable in the Bitcoin-like case. In Section 4, in addition to exploring the agent identification task we will explore these other use cases. For example, we can use our features in a regression analysis seeking to find the missing transaction value. Although this is shown to be unsuccessful in this case, we did achieve success in recovering the real input out of the spoofed transactions.

2 Simulating Blockchains

To simulate a Monero economy where multiple agents transact with each other and mine simultaneously, we use tmux, an application for creating and managing multiple terminal sessions on a single machine. We run a shell script to create a tmux-based network of Monero agents based on hard-coded wallet information. On this network, each agent runs a mining operation and a wallet remote procedure call (RPC) attached to an allocated set of ports. All agents on the network are connected to each other and keep a synchronized blockchain.

The “economy files” specify how the economy will operate. Each economy file contains a list of transaction amounts, destination addresses, and wait times between the transactions that the particular agent will adhere to. We generate these files with a stochastic model. We use a Python program to process these files and make HTTP-based transaction requests to the Monero wallet RPCs accordingly.

Other than the constraint that the wait times between transactions must be sufficient to keep the delays in transaction processing relatively small, the content of the economy files is up to imagination. We consider several economic scenarios with varying assumptions and create the economy files accordingly.

Three of the five scenarios we consider are ten-agent economies, and the rest are fifty-agent economies. The wait intervals between transactions and the transaction amounts are generated by the Poisson distributions. For scenario “s03,” the agents’ wait intervals come from varying Poisson parameters ranging from 45 to 90,000, while the transaction amounts come from the same Poisson parameter for all agents. Scenario s04 uses varying Poisson parameters for generating transaction amounts as well. Scenario s05 is the same as s03, but the economy is divided into two pools. That is, the agents only transact within the pool they belong to. Telling these pools apart based on public transaction data is one of the machine learning questions we pursue.

For one of the two fifty-agent scenarios (s06), we create two pools of equal number of agents. Additionally, we create two different cycles of transactions for the two pools, simulating a time zone difference in the real world. Finally, in our final fifty-agent scenario (s07), we devise a transaction network with five ten-agent pools. Fig. 2 shows the experimental setup.

(a) graph for s03 and s04
(b) graph for s05
(c) graph for s06
(d) Graph and s07
Figure 2: Graphs of economy files, showing connectivity of trading partners with edges, and color shows transaction size.

To examine the blockchain data, we link the Onion Monero Blockchain Explorer to the blockchain of one of the agents. Table 1 shows a summary of the datasets generated, while fig 3 shows the dramatic sparsity that can be achieved by removing the spoofed transactions from the blockchain.

Simulation Number of Blocks Number of Transactions
s03 23812 4898
s04 25509 4923
s05 41583 4923
s06 37281 24807
s07 58551 7070
Table 1: Summary of Simulation Datasets
(a) For s06, all edges between transactions are shown
(b) For s06, only true edges between transactions are shown
Figure 3: Removing the spoofed transactions shows a much clearer image of the blockchain activity.

3 Featurizing Monero Blockchains

Real Monero Blockchain

For most machine learning tasks on real cryptocurrency blockchains, the difficulty in procuring labels for supervised learning remains a central challenge, despite the accessibility of blockchain activities themselves. In Monero, this is especially so.

In certain situations, labels and unseen blockchain information may be collected by law enforcement, hedge funds and hobbyists. We utilize transaction data from Shapeshift service. The dataset contains around 1,700,000 transaction entries of which 20,000 are ShapeShift transactions being converted into Monero.

For each transaction entry, the data contains 7 0-hop features - features intrinsic to the transaction as it appears on the Monero explorer interface, e.g. transaction timestamp, ring size, day of week, hour of day, etc. From the 0-hop features, 175 1-hop features, aggregate statistics including mean, max, standard deviation, regarding the transaction neighbors’ 0-hop features are also collected. The 182 features are Z-normalized prior to the predictive task.

Figure 4: A neighborhood around a transaction is featurized by collecting statistics of the 0-hop and 1-hop transactions.

This approach considers the neighborhood information of a particular transaction, while not requiring the extraction of the entire network. We find that the 1-hop features have been informative in Shapeshift transaction predictions. On test nets, group membership prediction and transaction value regression tasks have also benefited from neighborhood information.

In a related work [3], we propose a correlation statistic for mitigating the noise introduced by the mixin mechanism. This feature follows from the hypothesis regarding multiple wallet usage: when a transaction contains multiple ring CTs, the real inputs within each ring are contributed by the same user or users exhibiting similar behavior. For example, a receiver may expect a token amount exceeding the value stored within a single wallet, so the sender provides inputs from multiple wallets that were previously traded at a similar frequency themselves. We quantify this intuition by tabulating a population statistic over transactions containing exactly two rings. The -th entry of the correlation matrix is the correlation in time between -th oldest entry of the first ring with -th oldest entry of the second. The binning of the matrix can be presented in hours of the day, or by partitioning the relative timestamp difference between inputs , . While our features do not explicitly reference the measured correlation matrix, our features have been chosen to be sensitive to these effects.

Test Nets

Of the five test nets s03, s04, s05, s06, s07, all were inputs to the transaction value regression task, while group membership prediction was studied in the last three test nets. The preprocessing of Monero explorer information and featurization follows the featurization process of the real Monero blockchain.

4 Machine Learning

4(a) Machine Learning Spoofed/Real Transactions

An interesting new ML task that Monero uniquely offers is in identifying which of a given set of RingCT elements was the real previous transaction. Our correlation analysis suggests that pattern-of-life behaviors, such as a users’ typical transaction time of day can reveal information about the true input. The features we have computed are sensitive to these differences and give reason to suggest that ML can recover real signal despite the mixins.

Fig. 5 shows a depiction of the task at hand. In black is a screenshot of the blockchain with an arrow in red showing the true input. The true input is known by analyzing the wallets, shown in white, of the users after the simulation terminates.

Figure 5: In black background is the public facing blockchain, in white are the known transactions of the given user. The ML exercise is to recover the index of the real transaction.

4(b) Machine Learning User Identity and Group Membership

In the task of identifying users and groups from transaction logs, we applied neural networks and random forest for classification. An observation in this case is a transaction - we classify the group that the transaction’s receiver belongs to. The groups across scenarios trade strictly within-group, and only during designated time intervals. These time intervals repeat in a cyclic pattern, akin to timezones.

Figure 6: The membership in a group is known from the wallet files and economy instructions.

For both models, a randomized search over hyperparameters was conducted. The neural network is composed of 2 dense layers with 182 and

neurons respectively, where the second layer ranges from 10 to 30.

The random search over random forest hyperparameters include: number of decision trees, maximum depth, maximum features, minimum samples per split, and the splitting criterion. Because random forest has an interpretable feature importance weighting, the top 3 informative features for group membership classification are:

S05 The informative S05 features involve the input minute among a transaction’s inputs. They are listed in decreasing order of importance: Sum of average input minutes, average of max input minutes, and average of minimum input minutes. S06 The informative features are: sum of input seconds, average of maximum input hours, and sum of max input hours S07 The informative features are: median of input minute sums, maximum of input minutes, and average of maximum input minutes.

4(c) Machine Learning Transaction Value

Model performance for the value regression task is the coefficient.

where is the transaction value in expectation. We set the baseline predictor of this task to be predicting shapeshift transaction values in expectation, and its performance is 0. A perfect score is 1, and models that improve on our baseline performance lies in the range .

To predict the transaction values of the i-th entry, we fitted two models: Epsilon-Support Vector Regression (SVR) and neural network.

For both models, a randomized search was completed over hyperparameters. The SVR hyperparameters include its kernel, regularization parameter C, and tolerance parameter . The neural network is composed of 2 dense layers, with 182 and neurons respectively, ranging within [10, 30]. The learning rate was another hyperparameter searched over. Given a hyperparameter set, model performances are computed over 5-folds of the data then averaged.

We find that more information regarding transactions is required to predict their values. The SVR model has a value of , and the neural network has a value of , both below the baseline performance of . Future directions of value regression include

  1. In the case of multiple rings, incorporating input-level correlations between rings.

  2. Integrating known user-level information to value prediction.

Figure 7: The transaction value on the blockchain is missing in the black. We attempt to recover the value from the wallet in white through regression on the features.

4(d) ML results

Fig. 8 shows the results of our machine learning efforts. We expect that uniformity between the users and a severe lag in time transactions posted compared to the design specifications contributed to the poor performance in Scenario 6 and Scenario 7.

Figure 8: ML results for the various tasks are shown. In transaction value predictions, our regressors did not surpass baseline of guessing average transaction values.

5 Machine Learning on the real Monero network; Identifying ShapeShift

Previously in [2] we had collected and validated ShapeShift transactions using their API. This collection of data provided labels for Bitcoin, ZCash, Litecoin, and Dash transactions. Our featurizations of Bitcoin-like blockchains allowed us to successfully recall of ShapeShift transactions while analyzing only of the Bitcoin blockchain.

In Table 2, we have extended that analysis to identify ShapeShift transactions whose target currency was Monero. Surprisingly, the classifier for Monero outperformed that for Bitcoin. We attribute this to the fact that during its peak in 2018, ShapeShift was responsible for upwards of of the entire Monero blockchain, where only one in a thousand transactions in Bitcoin were attributed to ShapeShift. Although our dataset was still greatly imbalanced, the extent of the imbalance was not nearly as severe.

Metric Summary Statistic ShapeShift Not ShapeShift
Precision Mean 0.050062 0.999161
SD 0.000129 0.000030
Recall Mean 0.941982 0.794504
SD 0.002058 0.000548
Table 2: Our features enable a high recall of ShapeShift transactions, identifying of the transactions looking at of the blockchain.

The most important feature was by far the number of rings used in the tx, with seven of the other nine top-ten-features also involving summary statistics of the number of rings. These are shown in Fig. 9.

(a) the features were ranked in accordance to their importance
(b) Descriptors for the important features
Figure 9: Characteristics of the RingCT topology were largely informative.

6 Conclusions

We have found that despite the complexities created by the enhanced privacy features of Monero, the blockchain is still susceptible to deanonymization and information gathering by machine learning techniques. To establish this fact, test networks were developed to generate simulated blockchains. These blockchains were featurized while the wallets were parsed to provide labels. Monero proved to be robust against our efforts in recovery of the obfuscated transaction values, while classifiers for spoofed transaction identification and faction/group/user identification proved informative.

Additionally we have shown that ML on the real Monero blockchain can be used to identify a given party provided a sufficient collection of labels. We used as our example the cryptocurrency exchange ShapeShift to demonstrate this, but expect this to hold true if other large collections of labels were recovered, for example from wallets recovered in criminal investigations. Despite having values for ShapeShift transactions, our regression attempts to recover these values proved unsuccessful. We hypothesize that future efforts could use much deeper features such as tracing all the way back to coinbase transactions, noting which version of Monero was being used for previous transactions, and incorporate features that look forward in time rather than the exclusively backwards features we have used. Such features may perhaps allow value information to leak into the features and provide success to a regression analysis, but the task would indeed be computationally expensive.

It is noted that recent versions of Monero now enforce the RingCT size to be eleven; as ring number derived features had been the most informative features in the ShapeShift analysis, we expect this change to greatly enhance privacy going forward. However, as previous studies have shown, the residue from history of the past transactions will likely linger for some time as these new characteristics reshape the underlying distributions of features.

We would like to thank the Machine Learning and Emerging Technologies exemplars at the LAS at North Carolina State University for funding and continuous feedback. The irony does not escape us that the generosity of code and data from Monero, Onion explorer and the ShapeShift API, all participants devoted to privacy and security in the blockchain realm, were essential to this anti-privacy investigation and we are grateful for their contribution.


  • [1] C. G. Akcora, Y. Li, Y. R. Gel, and M. Kantarcioglu (2019) BitcoinHeist: topological data analysis for ransomware detection on the bitcoin blockchain. CoRR abs/1906.07852. External Links: Link, 1906.07852 Cited by: §1.
  • [2] N. Borggren, G. Koplik, P. Bendich, and J. Harer (2017) Deanonymizing shapeshift: linking transactions across multiple blockchains. Note: Cited by: §1, §5.
  • [3] N. Borggren and L. Yao (2019) Correlations of multi-input monero transactions. Cited by: §3.
  • [4] N. Borggren (2017) Deep learning of entity behavior in the bitcoin economy. Note: Cited by: §1.
  • [5] fluffypony et al. (2015) Monero project. GitHub. Note: Cited by: §1.
  • [6] J. Glasser and B. Lindauer (2013-05) Bridging the gap: a pragmatic approach to generating insider threat data. In 2013 IEEE Security and Privacy Workshops, Vol. , pp. 98–104. External Links: Document, ISSN null Cited by: §1.
  • [7] A. Hinteregger and B. Haslhofer (2018) An empirical analysis of monero cross-chain traceability. CoRR abs/1812.02808. External Links: Link, 1812.02808 Cited by: §1.
  • [8] A. Janda (2013-2017) Wallet explorer. Note: Cited by: §1.
  • [9] A. Miller, M. Möser, K. Lee, and A. Narayanan (2017) An empirical analysis of linkability in the monero blockchain. CoRR abs/1704.04299. External Links: Link, 1704.04299 Cited by: §1.
  • [10] moneroexamples et al. (2016) Onion-monero-blockchain-explorer. GitHub. Note: Cited by: §1.
  • [11] S. Ranshous, C. A. Joslyn, S. Kreyling, K. Nowak, N. F. Samatova, C. L. West, and S. Winters (2017) Exchange pattern mining in the bitcoin transaction directed hypergraph.

    Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

    10323 LNCS, pp. 248–263.
    External Links: Document, ISBN 9783319702773, ISSN 16113349 Cited by: §1.
  • [12] H. Yousaf, G. Kappos, and S. Meiklejohn (2018) Tracing transactions across cryptocurrency ledgers. CoRR abs/1810.12786. External Links: Link, 1810.12786 Cited by: §1.
  • [13] F. Zola, M. Eguimendia, J. L. Bruse, and R. O. Urrutia (2019) Cascading machine learning to attack bitcoin anonymity. External Links: 1910.06560 Cited by: §1.