Examples of privacy leaks used to trace monero
These hurdles make it hard to use monero privately
The following is a list of attacks used to trace monero. You can get further details about each attack, how it works, and where it's been used by clicking them.
In this attack, two parties collude to deanonymize two transactions of a central figure, Alice. The first party (Eve1) sends monero to Alice in transaction A; the second party (Eve2) receives monero from Alice in transaction B.
They are both called Eve because they are really the same party, in this sense: as part of the attack, they collude with one another and compare the transaction records in their wallets. If the public key Eve1 sent monero to in tx A appears in the ring signature of tx B, where Eve2 received monero, or if the amount in tx B matches the amount in tx A, or if the transaction times match (see Timing Analysis below), it is evidence that Alice received monero in tx A and sent monero in tx B.
Thus the attackers trace the monero across two transactions. The evidence established in an Eve-Alice-Eve attack becomes stronger if the attackers are able to use it repeatedly against the same target. If the target's pubkey keeps showing up in the ring signature of tx B, the likelihood of it being due to chance falls lower and lower.
The Eve-Alice-Eve attack was used to arrest or convict monero users in the following criminal cases, which you can read about in the Case Studies section of this website:
This attack is a digital form of the "marked bills" attack commonly used to trace physical currency. It is typically part of an Eve-Alice-Eve attack, specifically the part where Eve1 sends monero to Alice. The monero is treated as equivalent to a marked bill, where the mark is sometimes a unique amount and sometimes just a record of which pubkey received the monero (sometimes both pieces of data are treated as marks).
As with physical currency, the goal is to get the "marked bills" (the poisoned outputs) to a target and then watch to see if the target sends it to a person or company -- a "colluder" -- who knows the identity of those who send them monero, and who has agreed to share data with the attacker to help identify the target.
If a marked output gets sent to the colluder (i.e. the transaction sends the marked amount or uses the marked pubkey in its ring signature), the attack has worked, and the colluder can tell the attacker the identity of the sender, against whom there is now evidence that they received the poisoned output. Repeated successful use of the poisoned output attack strengthens the case against the target.
The poisoned output attack was used to arrest or convict monero users in the following criminal cases, which you can read about in the Case Studies section of this website:
This attack is typically part of an Eve-Alice-Eve attack. It can be used when the target tries to evade the poisoned output attack (see above), which is commonly done via two methods: churning (i.e. the target repeatedly sends the marked bills to new, fresh pubkeys to get it out of any potentially-marked pubkeys) and amount splitting (i.e. the target splits up the monero and sends chunks of it to different wallets so that no chunk matches the marked amount). If the target uses those techniques, they can still sometimes be traced by timing analysis, which is based on patterned behavior, or habits.
Suppose the attacker suspects he knows the identity of his target, but has no proof. The target can send monero to the target (Alice) as Eve1 -- this is tx A -- and observe how long it takes for Alice to make a new deposit -- tx B -- to Eve2 (e.g. an exchange or merchant who shares information about its customers with the attacker). Even if the target used churning and amount splitting so that the amount and pubkey in tx B no longer match the ones the attacker marked in tx A, the attacker can still mark the time between tx A and tx B, and then try the attack again: send monero to Alice as Eve1 and mark how long it takes for Alice to make a new deposit to Eve2. Then do it again, and again, and again.
If the marked "time" shows up repeatedly as roughly the same in each case, it is evidence that Alice is in some sort of habit of receiving monero, spending a certain amount of time churning it and/or splitting the amount, and then sending it to Eve2. Perhaps she set up a computer program to do this on a schedule, or she herself does it on a schedule, e.g. every Tuesday.
The timing analysis attack was used to arrest or convict monero users in the following criminal cases, which you can read about in the Case Studies section of this website:
This attack is useful in any case where the attacker has a list of transaction ids where they suspect their target sent monero. They can get such a list by scanning the blockchain for transactions containing a stealth pubkey known to belong to the target, or from someone who interacted with the target several times, such as an exchange or a merchant.
With the list in hand, the attacker can use the transaction ids to get the relevant transactions from the blockchain, examine the ring signature(s) in each transaction, and check if any of the pubkeys in the ring signature belong to themselves or someone they know. If they find such pubkeys, they can ask the owner if they created that transaction. If not, they know it was a decoy pubkey, and not the true spender.
This technique allows the attacker to reduce the target's "anonymity set." In the worst case, they can eliminate all decoys and uniquely identify the target's pubkey as the true sender of that transaction, which allows the attacker to then trace the attack backward or possibly forward to another transaction, where they may be able to use the same technique again, or another one, to continue the trace.
The decoy elimination attack was used to arrest or convict monero users in the following criminal cases, which you can read about in the Case Studies section of this website:
This attack relies on the way monero wallets broadcast transactions to the network. Monero "light wallets" pick a node on the monero network and broadcast transactions through it using an RPC command, i.e. a software API. Some wallets pick "spy nodes" which are run by blockchain analytics companies or other attackers, who run them with the direct purpose of gathering transaction data, analyzing it, and identifying user information.
As a result, a user of a wallet that sends some or all transactions through these spy nodes has some probability of leaking his or her IP address to those attackers in a way that links it to a particular transaction. If an attacker gets your IP address, they can often use it to identify what city you are in, and then contact internet service providers in that city to ask them if the IP address was assigned to any of their customers. If so, they can often get the target's billing information from that internet service provider, and thus link a monero transaction directly to a user's real identity.
It is worth noting that this attack applies differently in "light" monero wallets compared to full monero nodes. Monero nodes do a better job of protecting the IP addresses of their users, though the technique they use is not foolproof either. Monero nodes use a protocol called Dandelion++ to protect the IP addresses of their users, and in that protocol, transactions are sent through a series of "stem nodes" before one of them finally broadcasts the transaction to the whole network.
The goal of this "stem phase" is to avoid leaking the sender's IP address to the attacker, who is assumed to run a spy node. When Dandelion++ is used instead of an RPC command, a monero node that receives a transaction does not know if the node they received it from is the sender or just another stem node.
However, the Dandelion++ protocol has weaknesses, including that is based on probability: a node has a certain percentage chance it will act as a stem node and forward the transaction to just one peer. The rest of the time, it acts as a "fluff node" and broadcasts the transaction to all of its peers.
An attacker can exploit this: when he receives a transaction from a peer, he can query other nodes for the transaction id to "find out" if the previous node was in the stem phase or the fluff phase. If, after a delay, no one has the transaction, the attacker knows the transaction is likely still in its "stem phase." That information allows for further analysis: if we are still in the stem phase, then the prior node was definitely not a fluff node. It was either a stem node or the sender, which is data the attacker should not have.
This attack gets better if the transaction passes through *multiple* nodes owned by the attacker or its data-sharing partners during its stem phase. The attacker knows the probability that any node is a stem node; and it knows which peers it received transactions from; so it knows the path of stem nodes is unlikely to go beyond N nodes. The more nodes it controls on the path, the more likely it is that the first node it received the transaction from is the true spender, thus leaking their IP address, and possibly linking their real identity to their monero transaction.
The spy node attack was used to arrest or convict monero users in the following criminal cases, which you can read about in the Case Studies section of this website:
This attack comes into play if a target leaks his monero private key to an attacker, e.g. because the attacker seizes a computer holding that private key in some sort of raid. In monero, your private keys are cryptographically linked to your whole transaction history, so if someone accesses your keys, they can look up your transaction history on the blockchain, and identify transactions where anyone sent you monero.
The tx history lookup attack was used to arrest or convict monero users in the following criminal cases, which you can read about in the Case Studies section of this website:
The Justice Department says they found the admin of Incognito Market by tracing his monero. source - January 2024
Key quote: "cryptocurrency was first swapped through Swapping Service-1 and converted...to Monero... After the swap, the funds were transferred into [the perp’s] Crypto Account...[at the KYC exchange]..." source - page 25
Attack type: Eve-Alice-Eve attack with timing analysis
Data leaked by the target:
Data used by the attacker: The attacker's report used the amounts received by the target, the time of the target's "send" transactions, and the amounts sent in each of those transactions. It did not use the info about the target's stealth public keys, their ring signatures, or their fee data. The report argued that the time and amounts in the analyzed transactions demonstrated that the target did the following procedure several times: the target swapped criminal proceeds into monero via a no-KYC exchange, withdrew them to a monero wallet, and then, within minutes, sent similar amounts -- sometimes identical amounts -- to a KYC exchange, where they sold the monero for fiat currency. The KYC exchange had the target's KYC info, which is how the authorities nabbed him.
Chainalysis says they found a Columbian drug seller by tracing his monero. source - September 2024
Key quote: "And so that was a really exciting moment for us because we were able to start using just this list of Morphtoken swaps occurring on the monero blockchain---very little information, and not many breadcrumbs to follow. We were able to trace that forward on the monero blockchain to an rpc ip observation and then leverage other chainalysis tools in order to find more potential results that we can return to law enforcement." source - 38:37
Attack type: Eve-Alice-Eve attack with poisoned outputs, decoy elimination, and RPC connections
Data leaked by the target:
Data used by the attacker: The attacker's report used all of the above-listed leaks except for the fee data. The target's use of a RPC connections was particularly meaningful because the target eventually revealed their ip address when their wallet connected to one of the attacker's nodes to broadcast a transaction, and the attacker was then able to use that ip address to find the target's real identity. To ensure that this transaction was created by the target, however, they had to do the following analysis: in several transactions, the attacker successfully used off-chain data about the "decoy" public keys in the ring signatures to eliminate some decoys, and at least once they identified the target as the true spend. They used these transaction analysis techniques several times, looking for transactions where the target connected to one of the attacker's nodes to broadcast a transaction via an RPC connection. The attacker found several transactions that did this, most of which could not be used to identify the recipient because he used a VPN to guard his ip address. But in one of them, he did not use a vpn, so they found his ip address and nabbed him. The only thing the attackers used timing analysis for, in this case, was to identify which transactions were sent before and after the Dandelion upgrade in monero, which makes it harder to identify the ip addresses of monero senders who use their own nodes.
Finnish authorities say they traced a blackmailer’s monero from a swap service to a monero wallet to binance. The authorities' description of the trace (available here) says they used poisoned outputs to trace his monero. They also seized one of the blackmailer's wallets that he accidentally leaked while trying to publish information about one of his blackmail victims, and used the resulting information to further trace his transactions. source - January 2024
Key quote: "[The prosecutor] tells the court that [the police] made a fake purchase to investigate the matter, i.e. paid cryptocurrency to the account indicated by the blackmailer. According to prosecutors, the [police] report shows that the funds ended up in [an exchange] account owned by [the blackmailer]. ... The funds [were] converted to [the] Monero cryptocurrency along the way." source - more details here and here
Attack type: an Eve-Alice-Eve attack with poisoned outputs, and a tx history lookup
Data leaked by the target:
Data used by the attacker: The attacker kept the majority of the report concerning their tracing techniques private, but the following information came out during live media coverage of the trial (source) and subsequent interviews (source): the target "converted [funds] to Monero" before sending it to a "cryptocurrency account" at a regulated exchange; the conversion tool he used was a "virtual currency exchange service, where [the police] sent a request for information. This service does not require registration from its customers, nor does it collect personal data," but it "replied that the sender...[purchased] Monero virtual currency and then sent them to a private Monero wallet."
Thus the attacker colluded with a service that knew the target's monero address, his stealth public keys, the amount he received, and the time of the transaction. From there, the monero "ended up next in another virtual currency exchange service. We are talking about Binance," where the police "tried to find out the identity of the recipient with a request for information," and got his email address as a result. Thus the attacker colluded with a service that knew how much they received from the attacker and the time of his transaction sending money to them. "The timing of transfers also coincided perfectly with payments tracked by the [police]." So the attacker used the timing info in the target's transactions as part of their trace.
Moreover, the report states that "a cryptocurrency wallet [was] seized from a server related to the [crime]," and this resulted in "a supplementary investigation." This investigation uncovered that the target sent "tens of thousands of euros" to another Binance account, thus they used the amount information. The police then contacted Binance again and this time they obtained the target's "personal identification numbers."
The attacker was able to seize the target's cryptocurrency wallet due to the following mistake: "[he] accidentally uploaded the home directory of the virtual server he was using for the blackmail. ... The error occurred when the [target] attempted to schedule the automatic publication of a file containing customer data. Instead, the [software] scheduled the entire contents of [his] server to be published. A large file package was leaked onto the TOR network, containing private files from the server used in the extortion. The extortionist only realized his mistake some time later, and a large number of TOR network users managed to download parts of the file package before it was removed from the network." source By leaking his private keys, it became easy for authorities to look up the target's transaction history, because it is typical for blockchain-based cryptocurrencies such as monero to provide a permanent cryptographic link between a target's private keys and the history of transactions involving those keys.
Japanese authorities say they analyzed monero wallets found on the computers of 18 criminals who they arrested on other grounds. They then used the data they found in those wallets to charge them with money laundering. source - October 2024
Key quote: "Japanese authorities said they analyzed about 900 of the group’s Monero-based money-laundering transactions...[and] told local media outlet Nikkei that this marked the first time the country’s law enforcement agencies had used Monero transactions to identify criminals." source - more details here
Attack type: tx history lookup
Data leaked by the target:
Data used by the attacker: the attacker simply used the target's private keys to look up their transaction history and then used the resulting information to charge them with money laundering.
Interpol shut down monero-only darknet market Archetyp and says they found its operators by "tracing [their] financial flows". It is not *certain* that this means they traced their monero, but it was a monero-only exchange, so monero is the only type of finances I know they had available to trace. Additionally, reports say that "assets worth EUR 7.8 million [were] seized," as well as "47 smartphones [and] 45 computers." Assuming monero was among the assets seized, the authorities can simply look up the parties' transaction history, because seizing monero typically means acquiring its private keys. source and source - June 2025
Key quote: "The takedown follows years of intensive investigative work to map the platform’s technical architecture and identify the individuals behind it. By tracing financial flows, analysing digital forensic evidence, and working closely with partners on the ground, authorities were able to deliver a decisive blow to one of the most prolific drug markets on the dark web." source
Attack type: The reports only say two things about the attack, namely the attacker traced the target's financial flows without specifying how they did so, and they ended up seizing the target's computers, cell phones, and assets worth millions of euros, presumably including the target's monero private keys.
Data leaked by the target and used by the attacker: With the target's private keys, the attacker can look up the target's transaction history on the blockchain and trace it that way. As for the initial trace that *led them* to the target, we probably won't know for sure how they did that til more details come out, such as during the trial, which, as of July 2025, is not yet scheduled.
Chainalysis reports that after the Bitfinex hacker was arrested, the police found monero wallets on his computer with their private keys, and they then used the private keys to simply look up his XMR transaction history on the blockchain. source - July 2023
Key quote: "agents [got] a search warrant for Lichtenstein and Morgan’s home and cloud storage accounts, where they found files containing details of the cryptocurrency addresses used to move the stolen funds---including their private keys---along with the false information used to open accounts at cryptocurrency exchanges and plans to acquire fake passports. That discovery enabled investigators to trace the flow of funds in its entirety." source
Attack type: tx history lookup
Data leaked by the target:
Data used by the attacker: the attacker simply used the target's private keys to look up his transaction history and then used the resulting information to charge him with theft.
Mastercard offers a monero tracing tool created by Ciphertrace. It is part of their Crypto Source product. source 1, source 2 - August 2021
Key quote: "Ciphertrace takes Monero tracing capabilities to the next level with the ability to follow the flow of funds backwards from the transaction of interest to its source." source - see also this video interview with a Ciphertrace employee about their monero tracing tool
Attack type: many -- see the above-linked video for further details
Data leaked by the target: depends on the case -- the tool uses many techniques to trace monero and some of them are outlined in the above-linked video
Data used by the attacker: depends on the case -- the tool uses many techniques to trace monero