A new attack on Bitcoin’s privacy may result in user addresses being linked, emphasizing the need for increased focus on privacy in the modern cryptocurrency age.
Dubbed the “dusting attack,” the specific attack works by sending small amounts of funds to a wide range of addresses, and then watching the movement of those funds on the blockchain. When those inputs are combined with other addresses, the addresses are linked together, allowing attackers to group addresses and move closer to de-anonymizing users. To mitigate this, the Samourai Wallet recommended using coin control to manually lock the offending input to avoid spending it, a feature also available in many core cryptocurrency clients:
If you have recently received a very small amount of BTC in your wallet unexpectedly, you may be the target of a "dusting attack" designed to deanonymise you by linking your inputs together – Samourai users can mark this utxo as "Do Not Spend" to nip the attack in the bud. pic.twitter.com/23MLFj4eXQ
— Samourai Wallet (@SamouraiWallet) October 25, 2018
While initially noticed as targeting Bitcoin users, the dusting attack could in theory work with most cryptocurrencies, especially those with transparent blockchains.
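The coin-control mitigation described above, sketched as an added example (not Samourai Wallet's or any client's own code). The wallet contents, the 1000-satoshi cutoff and all field and function names are assumptions made for illustration, and fees are ignored.

```python
from dataclasses import dataclass

DUST_THRESHOLD_SATS = 1000  # assumed cutoff for a "very small" unexpected receipt

@dataclass
class Utxo:
    address: str          # constructed placeholder addresses
    value: int            # satoshis
    expected: bool        # True if the user recognises the payment
    locked: bool = False  # the "Do Not Spend" flag

def is_dust(u, threshold=DUST_THRESHOLD_SATS):
    return not u.expected and u.value < threshold

def mark_dust(utxos):
    """Lock every unexpected, tiny UTXO and return the ones that were locked."""
    flagged = [u for u in utxos if is_dust(u)]
    for u in flagged:
        u.locked = True
    return flagged

def select_coins(utxos, target):
    """Largest-first coin selection that never touches locked UTXOs."""
    chosen, total = [], 0
    for u in sorted((u for u in utxos if not u.locked), key=lambda u: -u.value):
        if total >= target:
            break
        chosen.append(u)
        total += u.value
    if total < target:
        raise ValueError("insufficient unlocked funds")
    return chosen

def dust_links(inputs):
    """Addresses the dust sender can group: non-empty only if dust is co-spent."""
    if any(is_dust(u) for u in inputs):
        return {u.address for u in inputs}
    return set()

def sample_wallet():
    # Constructed data: two ordinary receipts plus one unsolicited 600-sat output.
    return [Utxo("addr_a", 50_000, True), Utxo("addr_b", 30_000, True),
            Utxo("addr_c", 600, False)]

if __name__ == "__main__":
    wallet = sample_wallet()
    print("unlocked spend links:", dust_links(select_coins(wallet, 80_500)))
    mark_dust(wallet)
    print("locked spend links:  ", dust_links(select_coins(wallet, 80_000)))
```

With the dust output locked, a payment that would have needed it fails instead of silently pulling it in, which is the trade-off of marking an input "Do Not Spend".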
As cryptocurrency becomes more mainstream, privacy attacks are more common
Attempts to compromise consumer data and privacy have increased in the global economy, in particular with online purchases and payment apps. Recently it was revealed that Venmo made all user transactions public by default, meaning that anyone could look up a user profile and see everywhere they had spent money. Similar privacy breaches extend beyond online shopping, with Google and Mastercard partnering to close the consumer data loop between online and offline purchases.
Cryptocurrency privacy attacks have scaled up as well, beyond the recent dusting attacks. Research from Princeton University revealed that Bitcoin transactions could be traced and linked together through online purchases, as well as associated with real-world identities, by leveraging user data gleaned from the online checkout process. Additionally, earlier this year BitFury, a Bitcoin mining company that has also entered the blockchain analysis industry, claimed to have linked and de-anonymized a whole one out of six, or over 17%, of the Bitcoin blockchain. Increasing research into chain analysis techniques combined with the increasing prevalence of cryptocurrency in the economy may very well standardize user privacy breaches.
Dash mitigates modern attacks, has a long-term privacy focus
Enhanced privacy solutions offered by Dash for years can help mitigate attacks, including the dusting attack affecting Bitcoin users. By using PrivateSend mixing, inputs are split into smaller denominations, which are then mixed many times with those of other users in the network before a final, difficult-to-trace transaction is sent from a collection of these inputs. In most cases, the dusting attack input would be too small to be split and mixed, and therefore would not be included in PrivateSend transactions, protecting the user from the attack. If the dusting attack input is large enough, it would be split and mixed with hundreds more, rendering the attack’s effect essentially useless. In the event that a user mistakenly combines their funds with those of the dust input, compromising the privacy of their previous balance, they can use PrivateSend to move their funds anonymously, preventing their future financial activity from being compromised as their past had been.
Additionally, Dash is working on a number of improvements for PrivateSend, streamlining the mixing process and reducing fees, in the upcoming version 13.0 release. Beyond that, its developers are actively seeking additional methods of securing privacy down the road, including investigating encrypted means.