A list of puns related to "De Anonymization"
A new I2P-related research project (University of Lucerne, Switzerland) is scheduled for the first half of 2022. It will start in the next weeks and end during 2022. All proposals, procedures and findings will be openly published on https://codeberg.org/diva.exchange/academia during the upcoming weeks and months.
The decision on "how to de-anonymize I2P network participants" is up to the independent researchers and will be fully disclosed as part of their work. The researchers are not related to diva.exchange (diva.exchange has written the research proposal, but there is no funding or the like involved).
diva.exchange is an AGPLv3 developer (an independent, community-driven, research-focussed association under Swiss law) of I2P-based and fully distributed market places. All source code is available via git on https://codeberg.org/diva.exchange (github mirror [delayed]: https://github.com/diva-exchange). The public testnet explorer for the byzantine fault-tolerant, I2P-based and application-agnostic blockchain (2022 focus: Monero, Bitcoin, Zcash and Ethereum trades) is here: https://testnet.diva.exchange
I am doing research on a court case where the government insists that a user was not de-anonymized through an NIT (or browser exploit). Yes, it's a case with someone visiting CP sites. No, I am not trying to defend the guy. No, I do not want to be involved with CP. All I am looking for is the actual technical challenges of de-anonymizing a user without the use of an NIT. For those unfamiliar, NITs have previously been used in other CP busts, like Playpen.
My current thoughts: this person in this case (US v David Corwin) must have been de-anonymized in one of a few ways.
Global passive adversary -- a government or collection of governments runs enough nodes such that they are able to correlate traffic between the onion service guard node and the user guard node.
NIT - I have heard that the government is denying the use of an NIT in this case. If true, this is a pretty large departure in capability.
Browser leak - The accused visited a website outside of the Tor network and either the browser was fingerprinted, or it was redirected with some sort of signature from a compromised Tor node.
Anyone else have any ideas?
I'm new to Tor and I'm using the Tor Browser in Safest mode without any other changes.
I've seen many articles about attacks on Tor, but most of them are many years old and some of them just want to sell me their VPN. Are attacks like correlation attacks still a big problem? And how big? Is there a high chance someone is attacking when I just enter the circuit? Are there hundreds of different hackers, or are most of the attacks by the NSA etc.? I know that I should not visit HTTP websites. I'm also not planning to do anything illegal, but I want to know if it is safe to browse with Tor.
Recently I have seen an article about a possible attack against Tor hidden services. By running several guards and uploading large files to multiple hidden services it is possible to match the traffic pattern and identify the anonymous website.
Is it possible to deanonymize websites in this way? Is Vanguards a solution?
As you may have heard, the EU introduced the 5th anti-money laundering directive (5AMLD) in early 2018. As a result, LocalBitcoins (based in Finland) is now having to enforce KYC checks.
To clarify, "a directive is a legal act of the European Union, which requires member states to achieve a particular result..."
Most people probably saw this coming but this is only half the story. There is another clause in the directive which specifically calls for the de-anonymization of users engaged with virtual currencies. This means obtaining associated wallet addresses and owner identity. Section 0.9 of the directive states:
"The anonymity of virtual currencies allows their potential misuse for criminal purposes. The inclusion of providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers will not entirely address the issue of anonymity attached to virtual currency transactions, as a large part of the virtual currency environment will remain anonymous because users can also transact without such providers. To combat the risks related to the anonymity, national Financial Intelligence Units (FIUs) should be able to obtain information allowing them to associate virtual currency addresses to the identity of the owner of virtual currency. In addition, the possibility to allow users to self-declare to designated authorities on a voluntary basis should be further assessed."
By simply using virtual currencies, you can be subject to de-anonymization by the government.
Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32018L0843&from=EN#d1e589-43-1
https://sites.cs.ucsb.edu/~chris/research/doc/raid13_i2p.pdf
The paper describes some complicated de-anonymization attacks on I2P, and the authors say that they shared the results of the research with the I2P developers and that the developers are working on improving the security of I2P against this kind of attack. It looks like the research is from 7 years ago, so does anybody know how safe I2P is against this attack TODAY and what improvements were made after this paper got published?
I noticed that a lot of times, especially if your entry/guard node happens to be in Germany, Tor builds circuits where both entry and exit node, and sometimes even all three nodes, are located in the same country.
Why does Tor allow Tor circuits to be built with both entry and exit nodes located in the same country if that makes de-anonymization easier?
> system33- (Distinguished Contributor), 4 points, 4 months ago
> In the traditional traffic analysis attacks against Tor and all low latency anonymity networks (of which Tor is the most popular), the adversary needs to be between the user and her guard as well as between the exit and the user's destination.
> If those two places happen to be close together, then the adversary doesn't have to be very global. That is correct.
https://www.reddit.com/r/TOR/comments/cergvn/if_both_user_and_the_website_that_is_being/?st=k3aj9iip&sh=d30d22b0
https://nakedsecurity.sophos.com/2016/09/07/can-you-trust-tors-hidden-service-directories/
I found this article about an attack that can de-anonymize Tor users who browse some hidden services, and it is said that "with next-generation hidden services, this attack will become nearly impossible".
I know that next-generation hidden services are the ones with the 56-character address, but what is the difference that makes this kind of attack nearly impossible on next-generation hidden services?
TL;DR
A Japanese CTF team successfully identified suspicious hacking-related IPs located in Germany and France by setting up hundreds of watchguard full nodes of a cryptocurrency on cloud and analysing transactions.
More details:
Japanese cryptocurrency exchange Zaif was hacked last September. Stolen funds include BTC, BCH and MONA.
Among those funds, Monacoin (MONA) is a minor cryptocurrency which is only popular in Japan. There are not many full nodes of Monacoin; the number of full nodes is around 200. Immediately after the incident, CTF team TokyoWesterns set up 222 nodes on cloud, logging the IP address of every relayed transaction and analysing them to identify the original IP of each transaction.
As a result, 5 hacking-related transactions were attributed to 2 source IP addresses which only appeared 10 days before the incident happened.
It is possible that the hacker used these two full nodes simply as relayers, but this type of de-anonymization attempt is clearly a threat to privacy-oriented cryptocurrencies like Monero. The plausible deniability of Monero is not hurt by such an attack, but to ensure privacy and safety against this ongoing threat, the development of Kovri is quite important.
https://www.coindesk.com/hackers-behind-60-million-zaif-crypto-exchange-theft-may-have-been-exposed/
https://www.japan-d2.com/news-detail/2018/11/5 (Japanese)
https://www3.nhk.or.jp/news/html/20181105/k10011698951000.html (Japanese)
Edit: English news link added.
I have been checking ShapeShift's API to see XMR transactions. They have been running from 7% to 15% or more of all transactions.
Between ShapeShift and a few other exchanges such as XMR.TO and the big guys like Binance, Bitfinex, Bitstamp... and a few payment gateways like CoinPayments.net... how close are we to having a sustained 50% transaction attack going on that can de-privatize many rings? [I recall 50% being a tipping point for ring size 5?]
Has anyone on XMR team talked to the big players to find out?
What about XMR.TO? I have noticed that they claim to store no records but still have the same address, meaning the same wallet/keys. Meaning if they are hacked, then all those transactions become public and no longer provide privacy.
How does this situation impact the ring size decision? Has this been explicitly discussed? All it takes is some hacks or LE co-operation/warrants in order to find the real spends for many outputs!
Has the Monero team taken an assumption such as 50% of all tx being controlled by a few easily-targeted entities and adjusted the ring size accordingly?
Why not bump the ring size further? Take 15 or at least 11, make research on this topic a priority, and reduce later if needed. The size increase is minor... only verification time is an issue. But we must have enough headroom to go to at least 11?
Let's say that you are running a Tor hidden service, and your ISP suspects something. And your service is not getting much attention yet; you don't have many visitors, only one or two per day. Or in another case you are running a very big hidden service with a lot of customers. And a very big, resourceful agency wants to find out where this hidden service is actually served from. Then they engineer a specific packet and keep sending it to the hidden service, like a signature, and keep tracking it. This very intelligent and big agency, with all the resources it has, watches on which network this specific packet will surface next, out of the Tor network, step by step reducing their search area. Or for the case of your ISP, let's say they know the onion address of your service, and that you are probably running a Tor hidden service. All it takes for them is to browse it normally and see if your IP is the one sending out the amount of traffic that they are receiving. How well protected is Tor against such attacks?