List of leaks

Leaks involving receiver privacy

Monero transactions typically start after the receiver gives the sender a monero address -- thus leaking it to him or her
Every monero transaction leaks one of the receiver's stealth public keys to the sender
Every monero transaction provides cryptographic proof to the sender linking the recipient's stealth public key to their original monero address
Every monero transaction leaks the amount received by the recipient to the sender

Leaks involving sender privacy

Every monero transaction leaks at least one of the sender's inputs -- these can sometimes be linked to the sender's real identity via the common input ownership heuristic
Every monero transaction leaks at least one of the sender's ring signatures, and each of those references 16 stealth public keys. 15 are "decoys" and one is the real stealth public key where the sender received the money he or she is now sending. This is bad for privacy because chain analysts have tools for eliminating decoys. For example, they can check if any of the stealth public keys in the ring signature belongs to themselves or one of their partners, and then rule it out as definitely not the true spender because they know they themselves didn't sign the transaction, and can ask their partners if they did. By ruling out many decoys as definitely not the true spender, they can sometimes even narrow it down to just one pubkey and thus know for sure which stealth public key in the ring signature belongs to the true spender

Leaks involving amount privacy

Every monero transaction leaks the fee paid by the sender. These fees are sometimes used for wallet fingerprinting. For example, commonly used services like exchanges, darknet markets, and custodial wallets tend to set higher fees than do users of self-custodial wallets
I already mentioned the following leak under "Leaks involving receiver privacy" but it's also an amount privacy leak so I'll just repeat it: Every monero transaction leaks the amount received by the recipient to the sender

Common UX hurdles in monero

These hurdles make it hard to use monero privately

Many monero wallets share the user's "view key" with a server so that it can scan the blockchain in the background for any stealth public keys belonging to the user and tell them to look up how much money they contain, which speeds up wallet functions at the expense of user privacy
Many monero wallets connect to monero nodes via an RPC connection in order to broadcast transactions, thus leaking their user's ip address to whatever nodes they connect to. These RPC connections bypass the Dandelion upgrade that is supposed to protect the sender's ip address, so privacy-conscious users of a monero wallet that leaks data in this way ought to take other measures to protect their ip address, like using a vpn or tor
Many monero users reuse their monero address by e.g. providing it to multiple exchanges. But address reuse is bad for privacy because it allows multiple senders to easily "compare notes" and see if they sent money to the same person, and it allows the same sender to more easily log whether they sent money to the same person more than once
It is difficult to safely "rotate keys" in monero -- and delete your old private keys -- because monero wallets commonly support a "contact list" which works by directly storing the recipient's monero address for future reuse. So if you do delete your private keys, someone might send money to a monero address whose key you deleted. But rotating keys is wise because, in monero, your private keys are cryptographically linked to their whole transaction history, which can be looked up on the blockchain by anyone who acquires those keys. Rotating keys (and safely deleting the old ones) is thus wise but hard to do in monero, and that's a serious UX hurdle

Case studies

1. The admin of Incognito Market

The Justice Department says they found the admin of Incognito Market by tracing his monero. source - January 2024

Key quote: "cryptocurrency was first swapped through Swapping Service-1 and converted...to Monero... After the swap, the funds were transferred into [the perp’s] Crypto Account...[at the KYC exchange]..." source - page 25

2. A Columbian drug dealer

Chainalysis says they found a Columbian drug seller by tracing his monero. source - September 2024

Key quote: "And so that was a really exciting moment for us because we were able to start using just this list of Morphtoken swaps occurring on the monero blockchain---very little information, and not many breadcrumbs to follow. We were able to trace that forward on the monero blockchain to an rpc ip observation and then leverage other chainalysis tools in order to find more potential results that we can return to law enforcement." source - 38:37

Attack type: Eve-Alice-Eve attack with poisoned outputs and RPC connections

Data leaked by the target:

In several transactions, monero leaked the amount received by the target (Alice) to the attacker (Eve)
In several transactions, monero leaked the target (Alice)'s stealth public keys which received money to the attacker (Eve)
In several transactions, monero leaked the time of the target (Alice)'s "send" transactions to the attacker (Eve)
In several transactions, monero leaked the ring signatures of each of the target (Alice)'s "send" transactions to the attacker (Eve), which referenced the same stealth public keys where the target originally received money
In several transactions, monero leaked the amounts sent in each of the target (Alice)'s "send" transactions to the attacker (Eve)
In several transactions, monero leaked the fee paid by the target (Alice) in their "send" transactions to the attacker (Eve)
In several transactions, the target's wallet leaked that it was a "light" wallet by using RPC connections to various monero nodes to broadcast its transactions
In one transaction, the target's wallet leaked the user's ip address while connecting to a monero node via an RPC connection

Data used by the attacker: The attacker's report used all of the above-listed leaks except for the fee data. (Although they did not use the fee data, they mentioned that it is sometimes useful for fingerprinting wallets, e.g. they mentioned that widely-used services like exchanges, darknet markets, and custodial wallets tend to set larger fees than do users of self-custodial wallets.) The target's use of a RPC connections was particularly meaningful because the target eventually revealed their ip address when their wallet connected to one of the attacker's nodes to broadcast a transaction, and the attacker was then able to use that ip address to find the target's real identity. To ensure that this transaction was created by the target, however, they had to do the following analysis: in several transactions, the attacker successfully used off-chain data about the "decoy" public keys in the ring signatures to eliminate some decoys, and at least once they identified the target as the true spend. They used these transaction analysis techniques several times, looking for transactions where the target connected to one of the attacker's nodes to broadcast a transaction via an RPC connection. The attacker found several transactions that did this, most of which could not be used to identify the recipient because he used a VPN to guard his ip address. But in one of them, he did not use a vpn, so they found his ip address and nabbed him. The only thing the attackers used timing analysis for, in this case, was to identify which transactions were sent before and after the Dandelion upgrade in monero, which makes it harder to identify the ip addresses of monero senders who use their own nodes.

3. A Finnish ransomware operator

Finnish authorities say they traced a ransomware operator’s monero from a swap service to a monero wallet to binance. The description of the case makes it sound like they used poisoned outputs, but there is evidence that the perpetrator leaked his monero private keys shortly before his arrest, which would have enabled a simpler attack: simply look up his transaction history on the blockchain. source - January 2024

Key quote: "[He began] swapping for Monero and then transferring the funds to a dedicated Monero wallet. [Then] the funds were later sent to Binance." source - more details here

4. 18 Japanese perpetrators of computer fraud

Japanese authorities say they analyzed monero wallets found on the computers of 18 criminals who they arrested on other grounds. They then used the data they found in those wallets to charge them with money laundering. source - October 2024

Key quote: "Japanese authorities said they analyzed about 900 of the group’s Monero-based money-laundering transactions...[and] told local media outlet Nikkei that this marked the first time the country’s law enforcement agencies had used Monero transactions to identify criminals." source - more details here

5. The operators of Archetyp

Interpol shut down monero-only darknet market Archetyp and says they found its operators by "tracing [their] financial flows". It is not *certain* that this means they traced their monero, but it was a monero-only exchange, so monero is the only type of finances I know they had available to trace. source - June 2025

Key quote: "The takedown follows years of intensive investigative work to map the platform’s technical architecture and identify the individuals behind it. By tracing financial flows, analysing digital forensic evidence, and working closely with partners on the ground, authorities were able to deliver a decisive blow to one of the most prolific drug markets on the dark web." source

6. The Bitfinex hacker

Chainalysis reports that after the Bitfinex hacker was arrested, the police found monero wallets on his computer with their private keys, and they then used the private keys to simply look up his XMR transaction history on the blockchain. source - July 2023

Key quote: "agents [got] a search warrant for Lichtenstein and Morgan’s home and cloud storage accounts, where they found files containing details of the cryptocurrency addresses used to move the stolen funds---including their private keys---along with the false information used to open accounts at cryptocurrency exchanges and plans to acquire fake passports. That discovery enabled investigators to trace the flow of funds in its entirety." source

7. The Ciphertrace tool

Mastercard offers a monero tracing tool created by Ciphertrace. It is part of their Crypto Source product. source 1, source 2 - August 2021

Key quote: "Ciphertrace takes Monero tracing capabilities to the next level with the ability to follow the flow of funds backwards from the transaction of interest to its source." source - see also this video interview with a Ciphertrace employee about their monero tracing tool

Monero leaks