ErgoBTC, a pseudonymous bitcoin ‘white hat’ privacy analyst joins me in this episode to talk about his journey tracking PlusToken scammers in their attempts to mix and dump 200k BTC. This is a must listen episode for bitcoiners to understand how your privacy can be impinged, and we also talk about tools and techniques for assessing and defending your own bitcoin privacy.
- How he got into bitcoin privacy analysis
- PlusToken scammers – what is the scale of it, and what did they do wrong
- In depth discussion on bitcoin mixers and bitcoin privacy
- Key takeaways for listeners, mixing products, exchanges on privacy
- Future of chain analysis
- ErgoBTC Twitter: @ErgoBTC
- Tracking the PlusToken Whale article: https://medium.com/@ErgoBTC/tracking-the-plustoken-whale-attempted-bitcoin-laundering-and-its-impact-on-wasabi-wallet-787c0d240192
Stephan Livera links:
Stephan Livera: Ergo, welcome to the show.
ErgoBTC: Thanks Stephan. Happy to be here. Big fan of the podcast.
Stephan Livera: Thank you. Yeah. So look, man, I know you’ve been doing a lot of really interesting work. I know you are obviously operating under a pseudonym, so we’ll be careful not to dox too many components about yourself but just obviously without doxing or giving off too much of your own anonymity set. Can you just tell us a little bit about how you got into Bitcoin and particularly what we might call white hat, Bitcoin chain analysis?
ErgoBTC: Yeah, sure. I guess I’m kinda like most Bitcoiners, and that I started out as, looking at libertarian politics, Austrian economics, those are good, gateway drugs that lead into Bitcoin and in the last year, so I’ve probably gotten a little bit more discouraged with the current political and economic landscape, around the same time earlier this year, I started hanging in a few telegram groups and I found some bitcoiners with an ideology that I kind of aligned with from there, stumbled into crypto anarchy.
ErgoBTC: For those that kind of don’t know, crypto anarchy is basically this concept of creating, a parallel voluntary system that people can opt into, as they wish. It’s sort of this gray market stuff, and Bitcoin fits pretty much perfectly into that framework, you know. So I started listening to a couple of crypto anarchists do talks and they’re pretty objective. They seem legit kind of old school cypherpunks and many of them raised some valid concerns about Bitcoins on chain privacy, but with the rise of some of these new non-custodial mixing services, I decided to start doing my own research and figure out if these services were enough to keep Bitcoin from becoming, I guess its own panopticon, as these guys seem a little bit worried about. And then the process of doing my own research, I sort of stumbled into something a little bit bigger.
Stephan Livera: Yeah.
ErgoBTC: You know. So from there I basically have been, hanging around looking at these blockchain explorers, mostly OXT and KYCP looking at different types of mixing services. I’ve looked at, Shared Coin, I’ve looked at JoinMarket, I’ve looked at Wasabi and I’ve looked at Whirlpool. And during looking at into Wasabi, I noticed somebody was merging large, really large volumes of Bitcoin into a a post mixed cluster.
Stephan Livera: Gotcha. Sorry. Can we just back up just for a second there. I want to just make sure this is accessible as well. So maybe we could just talk through a little bit on the basics of blockchain surveillance and what are some of the key methods and heuristics that are applied. So maybe we could just start with some of that and if you could just outline a little bit around what is the common input ownership heuristic?
ErgoBTC: Yeah, that’s an important one. It’s probably one of the most powerful, chain analysis heuristics. The merged input heuristic is the assumption that all of the inputs in a transaction belong to the same party. And what this does or what chain analysis can do with this information is they can, they can cluster the inputs from a transaction. And if this process is repeated with a handful of other transactions or more, you’ll wind up with a, a bit of a bigger cluster. And what this kind of shows them is that, a larger entity might be the owner of, you know many addresses and that’s sort of what sparked this off for me.
Stephan Livera: Excellent. And for listeners who are interested in some further background, I recommend checking out episode 58 with Chris Belcher and also reading the Bitcoin privacy Wiki, which he updated. Now while we’re on this topic of merging and common input ownership heuristic and so on, there are multiple ways in which our privacy can be doxed when we’re dealing with Bitcoin. One of those ways is, again, as you mentioned, the most obvious one is the merge heuristic because every Bitcoin transaction has inputs and outputs and then where those inputs are being merged, that can indicate, well, it’s probably the same owner. Right? And that’s like the general heuristic. Obviously there are other countermeasures to be deployed against that, but that’s the basic high level way to think about it. But another key angle is what Chris Belcher calls data fusion. And that’s where somebody might post an address just publicly, right? They might have a donation address. And then the combination of that with on chain analysis can be what deanonymizes that individual or that exchange or that large party. Can you just comment a little bit on your thoughts around that?
ErgoBTC: Yeah, I mean there certainly are a combination of additional information that chain analysis can use to get, to paint a bigger picture. Bitcoin is pretty powerful. It’s got some pseudonymous traits that make it harder to, pair it to the real world. But a lot of what chain analysis does, at least from some of my reading is, is use these, these multiple heuristic types to try to paint a better picture. And every, additional piece of information, can help you sort of refine your analysis a little bit more. some of the other important ones include address re use. There’s the change output heuristic and timing analyses as well. Those, those are all, can help contribute to paint, a more detailed analysis.
Stephan Livera: Would you mind to helping break some of those down. So can you tell us why, address reuse? What are the specific implications of that?
ErgoBTC: Yeah, I mean, so Bitcoin is at the protocol layer pseudonymous. Each address can be considered to be, basically anyone, but once you reuse an address that pseudonymity is destroyed, we know that the previous owner of a transaction or a previous owner of an address is the owner of the address when it’s reused. And you don’t need to to do any clustering. You don’t need to do any merged input heuristics. It’s just a fact, so that one, is pretty powerful. It’s not even a heuristic, it’s just the way it is.
Stephan Livera: Right. And I guess just to unpack that a little bit further, for the listeners who are not familiar address reuse can impact not only the party taking payment but also the parties who are making a payment because they can be linked in some way. Correct?
ErgoBTC: That’s correct. Yeah, I mean, address reuse is a pretty big problem. And during my research, I didn’t even realize this until a little bit later, but OXT which I’ll probably talk about more later does a couple of privacy metrics and one of them is address re use, you can go and you can check out and any recent block and you’ll see address re use anywhere from 30 to 50%. So it’s pervasive.
Stephan Livera: Exactly. And you also mentioned the change output heuristic. Can you just outline what that is for the listeners?
ErgoBTC: Yeah, the change output heuristic is sometimes it works and sometimes it doesn’t, that’s the problem with these heuristics that there’s, they are mental shortcuts to try to, shortcut an analysis to make it easier to do.
ErgoBTC: And the change, the change output heuristic is, is something along the lines of, I make a payment to Stephan, I send him, I have, a 1.1 BTC UTXO I send him one BTC and the 0.1 is likely the change output or something along those lines. It’s sometimes it’ll also pair that with , round number payments can help refine that a little bit further.
Stephan Livera: Right. And I think another component to add there would also be the index number of the outputs. So as I understand can’t remember the exact BIP, but I believe there was a BIP that tried to standardize which, so if you’ve got a set number of inputs and outputs to every transaction and those outputs are ordered and depending on how a certain wallet constructs or crafts the transaction, it may be that the change output was always the second one, for example.
ErgoBTC: Yeah, that’s correct.
Stephan Livera: Right. And you also mentioned timing analysis. Can you just outline a little bit on how that could deanonymise a person using Bitcoin?
ErgoBTC: Yeah , we’ll talk about it a little bit later, but I’ve been integrating this a little bit into my analysis. And it’s that if you have at least enough of an idea of maybe what one entity is doing you can, you can sort of better refine your analysis by evaluating when their transactions hit the blockchain or when , the transaction first hits the men pool. And , sometimes transactions from a single party might be all broadcast in the same block and you can go back and you can pick through that. So that can help you sort of paint an even better picture.
Stephan Livera: Right. And another one that I can just think of now is also just around the way the script is constructed because I understand certain wallets can be subject to fingerprinting analysis. So an outside observer trying to spy can try to understand based on the way the Bitcoin scripting is crafted, what sort of wallet was used to create that transaction.
ErgoBTC: Yeah, that’s also the case. And I think a lot of users are also aware of some of the issues with multisig in their current form that once they’re spent, you reveal, , how many parties are involved. This is similar to the scripting that you just described.
Stephan Livera: Right. Yeah. That’s great. So I think they’re some of the basics and a potentially we should also talk a little bit about network level privacy. So could you just offer some overall thoughts on that if you have any anything to share on that?
ErgoBTC: Yeah, I’m not a network level expert, but , there are of course issues with, how you broadcast the transactions. Of course everybody knows how important it is to run your own full node, to be using that to broadcast your transactions rather than a third party server. Also, querying your own Bitcoin node to keep from revealing your address balances or sharing your xPubs. These are some common things that are problems, especially with some of these hardware wallets.
Stephan Livera: Great. And so yeah, I think that’s probably enough, a little bit, enough on the basics. Let’s now go a little bit into the story of how you came across this PlusToken and so on. So how did this first come across your radar? Yeah, so these kind of how I started off a little while ago was, I was sort of doing my own research on this these non-custodial mixing services. And I was looking at the Wasabi mixer in particular, and I noticed that a single entity was basically merging a significant amount of Bitcoin.
ErgoBTC: The initial tip off to me that this was a single entity was that this entity experienced a significantly high amount of address re use in that mixer. I’d have to look up what some of the stats were. I think I found one transaction that was nearly 100% address re use from mixed outputs, which is something that really shouldn’t happen, but I guess can happen in some scenarios. And from there I just sort of followed the the merged input heuristic and watched these these merged outputs as they were joined together into a relatively large cluster. Basically sent to, these merged transactions were sent to Huobi an Asian exchange and pretty large volumes anywhere from 50 to 100 Bitcoin or I think in some cases even up to 200.
ErgoBTC: So it was pretty obvious that there was a very large entity using the mixer. I think my initial cluster estimates for around 2,600 Bitcoin, which is not chump change. And from there I started thinking, well, I mean if I found 2,600 on the way out, it’s very likely that I could probably find this on the way in, which would be, sort of a timing attack. And so that’s what I did. I started doing, I looked back and found, some of these larger inputs were, all coming from a reused address for the most part. I shared that address publicly. And Laurent, the developer of OXT I think he just took a quick Google and found that some of those addresses related to PlusToken.
Stephan Livera: Wow. There you go. And so that’s an example there of data fusion, right? Because those addresses had been publicly listed and then anyone, any outside observer with enough knowledge and skill and tool sets. So KYCP.org and OXT.me and so on. Could like yourself could go and use those tools to try and understand or try and pierce through that veil if you will, and understand what was going on. So can you tell us a little bit about the timeline here? So when did you first come across this and what was the timeline of this PlusToken scam?
ErgoBTC: I guess maybe it’s worth going back and talking a little bit about PlusToken. At least sort of what we know. The available information about PlusToken is pretty limited. It sounds like it was pretty popular in Asia, particularly Korea, Japan, China. And a lot of the information is hard to come by. But I guess that the main point of this was that it was a Ponzi scheme. users were promised some ridiculously high monthly returns. I dunno, something like 10 or 15% a month, which is outrageous. And just like most other Ponzi schemes, they pay out right up until they don’t. I think that they started early in 2018 and sort of, I guess really got some momentum early in 2019. I think that they may have had a few additional hiccups with their centralized server, which was, used to do their payouts. that was I guess, up until late June when a handful of the associates of PlusToken were arrested.
ErgoBTC: I think they were Chinese nationals. But you know the data is, is is pretty hard to come by. From what I understand, the ringleader was not arrested. And so I’m going to guess that the ringleader is the one that controls the private keys to these coins. So, June 27th or the late June arrests happen, PlusToken is basically shut down. We sort of have a couple of coincident events including, the blow off top in the exchange rate. And from there I think things sort of remained quiet for a little while. There were a couple of reports from others, some tweet threads and I think some research reports about PlusToken that sort of surfaced in, in August or so that indicated that some of the funds were on the move. That’s early August was when I originally noticed the first large whale deposit into Wasabi.
Stephan Livera: And so for a bit of context from what I’ve anecdotally heard is that in other cases of big hacks, so like Bitfinex hack and some of these others, what actually happens is often those attackers just leave the coins waiting. They’re not actually trying to sell them yet. It could be that they’re waiting for a later, more opportune time. Maybe they’re waiting for better mixing technology before they actually try and sell those Bitcoins. But in this case it looks like they have attempted to, as we’ll point out, I think they used some poor methods of trying to self shuffle or running massive volumes through one mixer and so on or in an incorrect way. So let’s talk a little bit about what do you think they were doing and doing wrong, as you pointed out?
ErgoBTC: it’s hard to guess what exactly they were doing, but I think they were, trying to hide the movement of their funds. I know that there are some big links between Huobi and PlusToken and that Huobi, was one of the main sources of most of the PlusToken deposits. I don’t remember what some of the percentages were. I think it was something on the order of 50 or 70%. It was a large amount. So, in theory, Huobi has a decent idea of how much has gone to PlusToken. And from there, PlusToken needs to, if they’re going to try to sell their coins, they need to do something. They can’t just go straight from Huobi to PlusToken back to Huobi, they’re going to have problems.
ErgoBTC: So I think what they were trying to do was to basically hide their transactions on the blockchain. And that sort of was through, I picked up two main methods. One was the Wasabi mixer and I think around 20,000 Bitcoin were, were forced through the Wasabi mixer and there’s another process that I called self shuffling. And, it’s hard to come up with a good term for this. But it’s easier to see than it is to explain, but it’s sort of, is a repeated process of splitting the UTXOs and merging them back together. And this is not mixing. We would consider it mixing if they had identical outputs. But that is very rare. I think even in the cases where they tried to do it Boltzmann, the OXT algorithm, was able to chew through that, and and still create some deterministic links.
ErgoBTC: So the the self shuffling processes, like I said, it’s repeated splitting and merging of transactions. Sometimes I don’t know, a hundred transactions in a self shuffle cluster before, you know merging them on the other way out. And I had originally thought this might have been some type of you know tumbler or subpar tumbler. But now the more I’ve been looking into this, I’m starting to think it’s just a manual process. And, that sort of comes back to this timing analysis where the self shuffle transactions might sit for a few days and then resume, which to me is a little bit more of an indication that it might be a manual process.
Stephan Livera: Right. Yeah. And so just for the listeners, would you mind outlining a little bit around what is a deterministic link and why is that a bad thing?
ErgoBTC: Yeah. So it’s probably helpful to describe what a standard Bitcoin transaction looks like, or at least the majority of the Bitcoin transactions. like let’s say I want to pay, I have 0.4 and I want to pay you 0.1. we’ll have an input of 0.4, an output of 0.1 and, a change back of 0.3 to me. And this is what most Bitcoin transactions look like. And in this case we say that they’re deterministically linked. The inputs and the outputs are deterministically linked because we can run the coinjoin Sudoku algorithm on this transaction and and, and verify that the input must have paid, the outputs and this coinjoin Sudoku, which is used to determine, find deterministic links. It works not just in this case, with one input, it works with multiple inputs as well.
ErgoBTC: And so deterministic links are, are bad because, with all we have to do is look at a transaction and we can say with 100% certainty that we know that an input paid an output.
Stephan Livera: Right. And on top of that I’ve noticed as well with KYCP.org there are tools that help you can type in a TX ID, a transaction ID and it will assess that transaction from a Boltzmann point of view and from a deterministic link point of view, and it will show there deterministic links and also probable deterministic links. So can you just outline a little bit of how that assisted in your analysis? I presume you used that KYCP.org as well?
ErgoBTC: Yeah. I started out using KYCP and sort of moved towards using OXT later, which is something we should also go over. But KYCP is a transaction privacy visualizer. It’s used to show the relationships between inputs and outputs. So specifically it will look for address reuse. It will look for deterministic links between the inputs and the outputs. If there are no deterministic links it will show the probabilistic links and it will also show which inputs were merged into the transaction and which outputs were also merged into a subsequent transaction. So all of these things are used to help elaborate on some of the privacy issues with a transaction.
Stephan Livera: Yep. And sorry, just one other thing while we’re on that topic, interpretations. So the other thing that you’ll see on KYCP.org is interpretations. And for instance, in a Whirlpool transaction, it will show 1496 possible interpretations. Can you outline a little bit about what that is?
ErgoBTC: Yeah. This, this gets to the concept of entropy and hopefully I don’t butcher this too much, but entropy is, is at least in from my understanding of Laurent’s mental model of a Bitcoin transaction. He looks at it as a flow between inputs and outputs. This is sort of a statistical mechanics or a thermodynamics kind of model. I guess the point is that you can see how inputs are paid to outputs. And from there, if a transaction has any type of coin join characteristics, and the most easily way to identify coinjoin characteristics is if there are identical outputs, then the transaction has what’s called multiple interpretations. And sort of what this means is that if you have, for example, in a Whirlpool transaction, you have three inputs of it’s basically five inputs of 0.01 and five outputs of 0.01.
ErgoBTC: You have no way of knowing that one of the 0.01 inputs didn’t pay all five of the 0.01 outputs. There’s just no way to distinguish that, in the code. I guess it’s sort of, satoshi’s don’t have serial numbers kind of perspective. So I guess it’s a little bit of a difficult concept, but if anybody that’s had thermodynamics will sort of understand this intuitive concept of entropy. But what the algorithm does is, like I said, is there’s no way of not knowing that one of the inputs didn’t pay all of the outputs or one input didn’t pay two of the outputs or one input didn’t pay one of only one of the outputs. And this sort of gets to this idea of multiple interpretations.
Stephan Livera: Yeah, that’s, that’s fascinating. And I think for listeners who really want to go deep on this I would suggest looking at some of the discussion between Laurent and Adam Gibson, also known as waxwing. There was some discussion around when Laurent first posted some of the Boltzmann scoring. But again, that’s probably a little bit beyond the technical level that we can handle on this podcast today. But bringing it back then to, self shuffling and then running the massive volume through Wasabi. So let’s bring it back to the behavior that you saw. So basically they had this big pot of stolen money and they want a way to try and get fiat out, presumably. And so that’s where as you mentioned, they were doing this quote unquote self shuffling process where they’re not really mixing, they’re just trying to obscure the traces on the blockchain by doing this kind of weirdly structured transactions that then later all merged back together. And I think you demonstrated this very nicely in some of your chart and some of the graphs that you were showing from OXT.me. Can you outline a little bit around your process there?
ErgoBTC: Yeah, so I think if we pick up sort of where I left off in the timeline, I had found that the, the 2,600 Bitcoin cluster on the way out of Wasabi, I went back and found that the major reused address. And from there I found that multiple branches off of that reused address where were making deposits into Wasabi or into this self shuffling process. and after sort of seeing enough of this, I was able to kind of come to the conclusion that, this is likely one entity that’s trying to hide their funds. So, I think I had shared that PlusToken or no I had shared the original address and Laurent brought it back to PlusToken. And from there, he created a little bit of a diagram using OXT to illustrate the flow of funds between different clusters. And from there I was able to sort of get at least a preliminary estimate of some of the size of the the scam. And at the time, I wrote the medium article, I think it was, you know 50,000 or so Bitcoin self shuffled and 19,000 or so that went through with Wasabi.
Stephan Livera: You also point out in the article that it’s approximately 200,000 BTC that was total in the amount that got scammed. So there might be more to come.
ErgoBTC: Yeah, that’s correct. At the time I wrote the medium article, I hadn’t really done enough digging into the size and extent of the PlusToken premix cluster, after I thought that for the most part they had finished at least around the time that I was writing the medium article, I thought that they were done. I found some self shuffled transactions that were sort of stalled and weren’t going anywhere. Some addresses that were full of funds, that hadn’t moved since, since the middle of August. And recently, they had started moving again. And that’s when, I followed them through the self shuffling process and I found a reused address that was used to sort of collect transactions before sending them, typically to Huobi again, more address reuse.
ErgoBTC: From there I evaluated the, the history of that transaction and was able to sort of verify at least how much through that address had been sold. I think around by now, I think it’s around 77,000 that I was able to cluster through that address.
Stephan Livera: Wow.
ErgoBTC: Yeah. I mean it’s starting to get, astronomical numbers. You sort of start to, lose track. But after having looked at that, the most recent address reuse, with Huobi I went back and decided that, okay, I need to really get a handle on what premixed funds are left. And that’s when I sort of came up with the recent, tweet thread that estimated around 185,000 Bitcoin at least in their premixed cluster.
Stephan Livera: Wow. So there’s a lot more to come. And I think that also raises the question then that it was basically address reuse on the part of these scammers that enabled you to actually try and trace them. Right. Because if they hadn’t done that address reuse, it would have been harder for you to do that. Right?
ErgoBTC: That’s absolutely correct. That address reuse was a big problem. And it’s been pervasive throughout this whole kind of process. It’s been present in the pre-mix, it’s been present in some of the mixing, well actually both of the mixers and has been present in, the post mix behavior. And I mean, that really shows just how bad address for use can be.
Stephan Livera: Yeah. And I guess that means now scammers will probably listen to this and that means next time they won’t reuse addresses and that’ll make this task even harder for next time, right?
ErgoBTC: Well, I mean, I guess part of the problem too is just the volume of Bitcoin that they’ve been moving. regardless of whether or not, you’re reusing addresses or you’re using a mixer or not, it’s rel-. I don’t want to say it’s easy to track, 190,000 or 180,000 Bitcoin depending on what they do with it. But that was part of the reason too that I was able to notice the problem with the Wasabi mixer was that no one is merging 2,600 Bitcoin on the back end of a Wasabi mix. That’s just, crazy. It’s gets back to sort of a timing analysis problem that if you’re going to do something with that volume of coins, it’s got to take more than, I don’t know, a couple of weeks or whatever they were trying to do it in. It’s probably a year process or longer.
Stephan Livera: Gotcha. Now let’s talk a little bit around their use of Wasabi then. So you were commenting a range of things, right? So there were some address reuse that initiated this investigation. As you mentioned, the timing attack. You also mentioned Sybil attacking. Can we talk through the process then from a Wasabi perspective, from the PlusToken scam people trying to move through with Wasabi?
ErgoBTC: Yeah, it’s sort of like I said before, is that timing analysis is a problem for such a large amount of Bitcoin. And the Wasabi mixer is relatively big. If you look at some of their transactions there might be anywhere from, 20 to a hundred Bitcoin that gets processed in, I don’t want to call it an average transaction, but in the majority of the transactions and it’s not enough volume for them to process 20,000 Bitcoin or 200,000 Bitcoin in the case of PlusToken. But, like I said before, I noticed this, this massive volume on the way out. So I started looking for a kind of a source on the way in. And after I had found the reused address that was used to do most of the deposits into Wasabi I was able to use OXT’s transaction graph to expand Wasabi transactions and follow them back to this reused address.
ErgoBTC: And from there I was able to get a little bit of an idea of how much of a hurry were the PlusToken scammers in you can only mix, so much with one mixing client. And so in order to speed up the process, it looks like what they did was deploy multiple mixing clients. This is sometimes referred to as a sybil attack. And a Sybil attack. The is often taken into account, but I see sybil attacks are problems for all types of mixing services where there is no reputation and you’re trying to keep people anonymous and usually there are different ways to mitigate this. But like I said, the the scammers were basically in a big hurry. They opened up multiple mixing clients and they forced a large volume through Wasabi in a relatively short amount of time.
Stephan Livera: Yeah. And so it’s probably fair to say that this is just generally just a hard problem for any kind of mixing service and particularly those mixing services that are trying to remain non-custodial. Right. So, I guess just quick, high level, there are some mixing services and so on that are custodial and they’ve been shut down. I think bestmixer is an example. And then there are others such as JoinMarket and Wasabi and Samourai Whirlpool. Which you don’t give up control of your Bitcoins and, but then now the risk is Sybil attacks, correct?
ErgoBTC: That’s correct. It’s a problem that all mixing services have not just Bitcoin. It’s something that, privacy researchers have been struggling with for a long time. And it’s not something that we’re going to really solve, on this podcast, but, it is an issue. It still needs to be addressed. And usually what mixing services, at least in Bitcoin do is they charge a fee a mixing fee. And there are different ways to do this. JoinMarket has their maker taker model. Wasabi has a volume based and participant based model and Whirlpool for example, has a deposit based model. and it’s very hard to address this problem. The fee is, at least in Bitcoin mixers too, isn’t just a security measure. It’s also an economic measure. And there are some incentives around there that, that can make it, a very difficult problem to solve.
Stephan Livera: Right. And for example, I think I saw Chris Belcher on the mailing list talk about this idea of fidelity bonds as a way of deterring scammers, right? That they would have to post up some money so that it would make it harder for Sybil attackers. Right. And that’s just, that’s just one example. But I guess just generally, what are some of the lessons that can be drawn from this in terms of mixing services and how they could mitigate this kind of problem or at least reduce it where possible?
ErgoBTC: Yeah, I mean, it’s probably useful to talk about how much this attack might’ve cost. I did a quick estimate a little while ago. And I built a very simple model based off of just, my observations of, the mixed deposits from the PlusToken scammers and the model still needs validation, but I think it’s legit for most of them mixing through Wasabi and I, I came up with a number estimate of around 12 and a half Bitcoin. It’s not entirely accurate, but I just wanted to get a ballpark number just so I could for my own sake think about this problem a little bit better. So we’ve got 20,000 Bitcoin sent through the mixer and on the order of 12 and a half Bitcoin paid and fees, it’s like, a half a percent or something.
ErgoBTC: It’s some negligible amount. You’re not going to deter 20,000 Bitcoin getting, forced through a mixer that way. And it’s the same thing for Whirlpool. I think Whirlpool, at least based off my model, might have cost three times as much as the Wasabi mixer, but it’s, even if it’s 50 Bitcoin, 50 Bitcoin is a drop in the bucket and this, 20,000 Bitcoin problem, there maybe are lessons here, and that’s, it’s again, it’s a difficult problem to solve, but, it’s, how do I want to say this? I only really have sort of the three mental models that we talked about before we had JoinMarket, which has this maker taker fee process you’ve got with Wasabi, which has this volume and participant base fee process and Whirlpool, which has this deposit based model. And I sort of lean towards favoring Whirlpool’s model because, there’s no way to not know that each mixed deposit isn’t a new user. So you, you sort of, you know adjust towards charging each deposit. Each deposit basically is what it kinda comes down to.
Stephan Livera: Gotcha. Yup. And there’s also the importance of having good post mix practices. So let’s just again, for the listeners who aren’t familiar with mixing, can you just outline the typical structure then with pre-mix and then post mix?
ErgoBTC: Yeah this is kind of, a pretty cool concept. Even JoinMarket from what I understand had a premixed tumbler where they would separate, large, mixed deposits and prepare them for mixing that way. Nobody was trying to do what happened here with, PlusToken and trying to run 20,000 Bitcoin through a mixer. Now most people don’t have 20,000 Bitcoin, but even if it’s a hundred Bitcoin trying to get run through, maybe JoinMarket type volume or liquidity situation, it’s going to be still a problem. So what they would do is they would pre split their UTXOs. And so I guess maybe, it’s good to start with pre-mix. At least with I don’t think that Wasabi doesn’t have any premix preparation. But Whirlpool does, it has their tx0 and the tx0 will take the fee.
ErgoBTC: It will pre split the transactions into the, pre-mix deposit amounts so that they’re prepared for mixing. And this is, it’s a pretty neat concept, at least with Whirlpool because what it does is it is, it gets the, the mixed deposits to be very similar to the mix outputs. And this gets gets the mixer pretty close to an ideal coinjoin, which technically isn’t possible, but Whirlpool is getting close. So that’s, that’s I guess the pre-mix. Right. Do you want to talk about post mix?
Stephan Livera: Sorry, one other point, I guess just to outline the way that might work. So for example, if you’re using Samourai, you might put in, I don’t know, for example sake, you might put in 15 million sets, which is a 0.15 BTC. And if you wanted to put that into the 0.01 pool, what it does is it kind of cuts it up into 14 different pieces. And you would then have the unmixed change, right? So that part would get put back into your I guess main wallet or whatever you want to call it. And then all those other pieces are basically like 0.01 with just a little bit more for the mining fee to account for that transaction. I think it might be important to also talk about the unmixed change at this point as well. Would you mind just outlining some of your thoughts around that?
ErgoBTC: Yeah, it’s, unmixed change is always going to be a problem no matter what type of mixer. I mean there’s change, with almost any type of transaction except for one that’s a true merge of multiple inputs to one output. So there’s, just about always some type of change in a Bitcoin transaction. And the same thing holds true for mixing services JoinMarket. I think they have unmixed change technically in their mixes, but they have a little bit of a, a neat privacy twist on their, how they handle the change. This is due to their maker taker model. It, makes it hard to predict what the unmixed change outputs will be because there’s some, transfer from the makers to the takers in that process. As far as Wasabi goes I think that unmixed change is typically just, included in the mix. It’s paid back out to the mixed participants in the mixer and for Whirlpool, Whirlpool takes the unmixed change and leaves it outside of the mixer and it’s taken as part of the Tx0 which is sort of what we said before.
Stephan Livera: Gotcha. Yeah. Great. And I guess we should just while we’re on this topic, just talk about how toxic that is and how bad that can be because that can link multiple mixes together and if the user is not careful, could you just outline a little bit around that point?
ErgoBTC: Yeah, absolutely. And it’s probably worth noting back to JoinMarket who also did some of this laid some of the groundwork for some of this thought process. They had this concept called mixing depth where they would basically separate your mixed outputs and your unmixed outputs into different different parts of your wallet with different xPubs or different private keys so that you wouldn’t merge your unmixed change with your mixed outputs. And this is, a problem that is, somewhat hard to deal with and they sort of did it, a couple of years ago. As far as the Wasabi mixer goes, it’s the, the exchanges, I guess it’s technically included in the mix outputs. And users are the, the onus goes on the users to to avoid moving that change.
ErgoBTC: I think that they ha they have a little red symbol to show how toxic the unmixed change is. And in Whirlpool, like we said before, the unmixed changes is kept separate, sort of similar to this JoinMarket style. And so the problem with this unmixed change is that if you merge your unmixed change with your mix outputs, then you basically will re link, your premix history with your post mix history and for the most part completely undo the privacy that you gained through the mixing service.
Stephan Livera: Yeah, great explanation there. So I guess let’s move on then. So that’s pre-mix part then let’s talk through the mix and and the post mix parts.
ErgoBTC: Yeah. so, I’m not as quite as familiar with JoinMarket as I probably should be. But from what I understand, they, they will the, the maker will broadcast that. He is willing to do a transaction, a coinjoin transaction for a certain amount. They have a taker process where the taker pays the fee to the maker. They come together in this market style mixer and they decide to do, a transaction for whatever amount that, basically the I think it’s the taker demands but the makers is broadcasting, and like I had said before, you wind up with depending on the size of the JoinMarket transaction at a handful of identical size mixed outputs and a little bit of unmixed change with some adjustment for the fee taken.
ErgoBTC: The Wasabi mixer has a lot of moving parts to their mixing process. There are multiple mix outputs is for one. And it sort of depends on the way that the mix outputs get done depends on sort of who shows up to mix. If somebody shows up, a couple of users show up with some larger mix amounts, then you’ll have some larger mix outputs. But it’s not really kind of set in stone. It depends on kind of who comes to the party. And then with, I guess with Whirlpool, the idea is to try to, from my understanding, to try to get as close to this ideal coinjoin transaction as possible. And so this sort of gets back to the the the tx0 concept where the premixed coins are split and prepared for, mixing and they are, they’re basically the exact mix output plus a little bit for the miner fee. And on the way out they all wind up with, basically identical mix outputs. This is sort of gets to the concept of perfect or 100% entropy, which I know some of the Samourai guys are a fan of.
Stephan Livera: Great. And so then once you’ve done gone through that mix, now you have to think about post mix strategy. So what are some things that we should think about with post mix strategy? And also if you could just elaborate on that risk that I think this is an underappreciated point, which is if you have just gone through a mix with other people, if those other people do not now take their privacy seriously in a post mix sense, that can screw up your own privacy too. Right. So there’s like a externality if you will. Can you just outline a little bit of the thoughts around that?
ErgoBTC: Yeah some people think that post mix is just as important or more important potentially as the actual mixing process. As far as I know, I think JoinMarket implemented some type of pay to end point or PayJoin type transaction. Wasabi wallet relies on users to perform coin control. And then the Samourai mixer whirlpool has a couple of different post mix tools that will keep users from hopefully merging, a lot of their mix outputs into a single transaction. And this is another sort of difficult problem to solve. You can’t take full control away from the user. While still, needing to try to enforce best mix, best post mix practices. So, at least with Samourai, they have a couple of posts, mixed tools that will keep users from basically, shooting themselves in the foot.
ErgoBTC: And the problem is, I know that some people say something along the lines of, users need to do their own research and figure out how to do this kind of stuff. But, it’s sort of like you said before, there’s a little bit of a problem here. When you’re fellow mix participants decide that they don’t want to know what they’re doing or don’t want to pay attention. So like for example, with PlusToken, merging hundreds of mixed outputs on the way out, affects everybody, negatively. So, and again, this is a difficult problem to solve, without, taking full control away from the users. But there are some things, that people can do
Stephan Livera: Great. And so let’s keep it to now keep it on PlusToken for now, and then we can come back to some of those other concepts around PayJoins and STONEWALL and so on. But with PlusToken and how they basically cornered the market. Right? They’ve got a large well let’s say they’ve got 200,000 Bitcoins that’s, close to 1% of Bitcoin’s supply. And you were commenting on how there were some impacts on Bitcoin’s market price and potentially even the run up. There might’ve been that artificial price run early this year. Can you outline some of your thoughts there?
ErgoBTC: Yeah. I’m not a markets expert, but it’s, it’s a, I know everybody gets upset when one number doesn’t go up, pretty consistently. But, it’s pretty obvious to look back in hindsight and say that the runup may be from March until June was a little bit over done. And that might have been basically caused by, these PlusToken scammers, just like you said, cornering effectively 1% of of Bitcoin supply. And an artificially, fast and an artificially large, amount. So I really think that what’s happening now is basically just working off a little bit of a hangover from, from that party. And I had tried to do some estimates where I tried to total how many coins were mixed and then estimate over the period of time since mixing started to come up with a little bit of an average of the daily distribution from the PlusToken scammers and I think I had numbers somewhere between 1100 and 1300 Bitcoin, which, if you put in perspective compared to the miner daily issuance is, something on the order of 60% or so of the, of the miner’s daily issuance. So, if miners are consistent sellers, or at least presumed to be consistent sellers, then, this is pretty significant daily supply. So like I said, this is probably mostly just, working off a little bit of that PlusToken hangover, and it’s also worth noting that of course, I, I do a tweet thread and I’m a few days later, they, for whatever reason, have slowed down the distribution to Huobi addresses, at least as far as I can tell. I don’t know if it was in response to, I’m sure they’re not on Bitcoin Twitter, but I don’t know if it was that or if they were just shocked by, the recent price drop. They didn’t want the market to drop out from underneath them. So, I don’t think it’s much of a big deal in the long term of things, but people, like to speculate on the exchange rate. Right?
Stephan Livera: Yeah. And so as you were saying, your estimate a little while ago, I think this was maybe one or two weeks ago, you estimated more selling like this for another 1.5 to two months. But as you’re saying, they may have noticed this or maybe there’s now a bit of attention drawn to it. So they’ve tried to slow down the selling pace potentially. Again, we’re speculating here.
ErgoBTC: Right. I mean, all I have is, what, about a week and a half of data since I did the last tweet thread. So I, I don’t want to call it a new trend in that, they’re not selling anymore or that they’ve really cut down. Maybe it’s just a pause, but we’ll see how things go going forward. Maybe they’ll get back in the groove and start doing what they’ve been doing.
Stephan Livera: Haha yeah. Maybe there’s only so much they can spend on whatever they’re spending on.
ErgoBTC: Yeah. All right.
Stephan Livera: So let’s talk then about lessons for listeners coming out of all of this. Are there any lessons in terms of impact on mixers?
ErgoBTC: Yeah there’s a couple things I guess. We sort of talked about the sybil behavior before, and it’s something that is just always going to be a problem, but just something that users kind of need to be aware of. There are definitely, lessons. It’s like we had said, the address reuse is a problem, right? For all of Bitcoin. And users just sort of need to be aware that this is kind of going on. I sort of recommend people go and spend a little bit of time on OXT and take a look around. I had mentioned earlier that address reuses is pretty crazy, anywhere from, like I said, 30 to 50% or so.
ErgoBTC: And that’s, it’s basically because most of the economic activity on Bitcoin is exchange to exchange trading. So, exchanges are a bit of a problem here. There are other things that users can sort of take away. Try to, I guess, avoid merging your inputs basically whenever possible. There might be some times where you can kind of get away with it if you have a fancy algorithm, but it really is a good idea to learn coin control, and try to keep your Bitcoin receipts separate. Those are basically some of the two biggest things that that users can do today.
Stephan Livera: And in terms of fee calculation, and he we’re talking like for the coinjoin providers, right? So JoinMarket and Wasabi and Samourai. Are there any impacts there in terms of how we think about fees, how we think about anonsets as well, coming out of mixes going forward?
ErgoBTC: Yeah, this is probably gonna make some people upset, but Wasabi has decided to do a volume based and a participant based fee structure. That’s the way that they’ve chosen to do it. it’s, and it makes economic sense. It sort of is this you pay for what you get and, you’re basically paying more for mixing more, which, makes perfect sense. This sort of gets into maybe a little bit of a problem with this kind of sybil behavior where you don’t know for a fact that, each new deposit isn’t a new user. Which is why I sort of, appreciate the Whirlpool model. A little bit. So that might be a little bit of a takeaway at least when it comes to when it comes to that sort of simple fee structure maybe there are a couple others as well, it’s that preparing your coins for mixing is also important. Sort of this, tx0 concept or this JoinMarket tumbler concept where coins are somewhat prepared so that it’s not an obvious, massive inflow from the same user. And then you have the post mix lessons as well, which is again, a difficult problem to solve, but hopefully best practices, is encouraged going forward.
Stephan Livera: Great. Yeah. So I guess yeah, there’s potentially some things that the mixing services and products will have to consider coming out of this and in terms of what are customers getting for what they’re paying for. So for example, if there’s a lot of Sybil users in a mix, then it’s kind of, it becomes difficult if you’re charging based on how many users. Right? So I guess that’s just a difficult problem. There’s not necessarily an easy answer here. From an exchange perspective, are there any lessons there? I mean, off the top of my head, they should stop reusing addresses and not have static deposit addresses if they are using that practice, correct?
ErgoBTC: Absolutely it’s absolutely terrible. Bitcoin, is the way I sort of look at it is like I said earlier through this, crypto anarchist lens, which is, privacy is pretty important. I know that, a lot of people are interested in the economics of Bitcoin and I am as well, but these exchanges are just terrible for privacy between the on chain privacy, the KYC’ing yourself. It’s absolutely terrible. I’m sort of been really getting into this concept lately of grey markets and, peer-to-peer Bitcoin is probably better than KYC’ing yourself. But, I don’t think that people are going to stop gambling on Bitcoin anytime soon. It’s just kind of is a shame that, it’s gone the way that it’s gone. But that all being said is maybe the the market will, hopefully come up with a way to I don’t know, maybe punish exchanges for their poor privacy privacy practices.
Stephan Livera: Right. And even in a KYC world, at least if exchanges stopped reusing addresses, that would at least help. Right?
ErgoBTC: Yeah, absolutely. I mean, I’m thinking of people in the future, and I know that this happens already, front running deposits to to you know static exchange addresses, if, you know exchanges are getting front run and not making as much money as they should be, they should be incentivized to to fix that. But anyway,
Stephan Livera: Right. Yeah. Well, I guess it depends on if the exchange is the one losing the money because the exchange is taking a fee for the transaction as opposed to the individuals who are trying to buy or, you know the person who got front run, in that example.
ErgoBTC: Yeah, that’s a good point.
Stephan Livera: Yeah. But anyway. I mean that’s a broader question and I think things like Liquid may help there as well. But let’s turn now to privacy more generally. Right. So we were talking about it before. So I mean we’ve kind of covered the PlusToken stuff and what they were doing with Huobi and so on. Let’s talk about your thoughts around acquiring Bitcoins then in a more crypto anarchist compatible manner. What are your thoughts there?
ErgoBTC: Yeah, I mean it sort of gets back to, some of the things that I was learning about earlier this year, which is, just what are the three sort of main aspects of Bitcoin’s privacy we have on chain, we have network and we sort of have how you acquired them. And how you acquire part is in my opinion very important. This KYC is pretty bad. the pseudonymity of Bitcoin is pretty powerful. Without any additional information, at the network level and the on chain level, don’t matter quite as much. If you’ve acquired your coins through a KYC method. So, hopefully I like to see, more of a peer to peer style, Bitcoin you know self-sustaining economy going forward.
Stephan Livera: Yeah, I guess your main tip then is basically to not use KYC services. Do you have any thoughts around individuals? So for example, they might be thinking, okay, I might buy from a KYC exchange and then do coinjoin afterwards. What’s the big deal with that?
ErgoBTC: Yeah, this is fun. You can’t un-KYC yourself. KYC is forever. So there will always be that, real world link between how you bought your coins and all of the, tag along information, driver’s license, bank account number, how much you bought, when you bought the exchange is not going to forget that. They’ll know that you withdrew your coins to an address. And then from there maybe sent to a mixer. So, okay. You might break the links between, your withdrawal address and, the exchange might not know what you’ve done with them going forward, but they’re just not going to forget that you bought those coins. So it’s, and the same thing sort of holds true for, for network level privacy. It’s like, even if you are using your own full node and you are not sharing your xPubs and you’re checking all the boxes, it’s not going to matter. It’s not going to un-KYC you. So I think it’s just sort of important that that get reiterated.
Stephan Livera: And so in terms of privacy today, I guess you’ve done a lot of white hat chain analysis. Do you have any views on how easy the average user would be to be deanonymized? Like how about basically what I’m asking is how bad is it today?
ErgoBTC: How bad is it today? It sort of gets back to, I don’t want to keep beating a dead horse with this KYC thing, but, that’s very important. As far as, network level privacy, we’ve got our own full nodes, we’ve got our, we’ve got all these, add ons that are coming to Bitcoin core in the future. That should be pretty good privacy enhancements. And then when it sort of comes to, on chain you sort of have to think of, what are you trying to, defend against we’ve, we think of these chain analysis firms, they’re sort of universally hated for basically trying to, bring the panopticon from fiat land to Bitcoin. And so they rightfully should be hated.
ErgoBTC: I think that there’s a little bit of embellishment on their part and sort of what they’re doing and what they’re actually capable of. There was probably a lot of this dis – information into what they’re actually doing. I think for the most part, they’re locked in with exchanges and they’re just, monitoring users transferring from exchange to exchange. And on top of that, maybe they’re doing clustering and they’re doing all the other, heuristics that we talked about earlier. For now, I don’t think that they’re quite as advanced as, we may be like, maybe they like to advertise that they are, but it doesn’t mean that they won’t be in the future. And so, hopefully Bitcoin is going to be able to stay a couple steps ahead of these chain analysis firms.
ErgoBTC: Hopefully with the advent of these these non-custodial mixers that are a lot easier for users to get their hands on is that the chain analysis dataset basically becomes useless junk. Hopefully that’s the way things will go. But if, Bitcoin sort of really does take off you can bet that chain analysis is not going to remain where they’re at. I know we talked a little bit about before this these deterministic links and between inputs and outputs in a transaction, and that if your inputs and you do coin join, you wind up with probabilistic links instead of deterministic links. It’s very likely that, in the future chain analysis, will develop this probabilistic model and do a lot of the things that we talked about, to paint a better picture, including timing, address reuse and all the other problems. So is it awful? I think that we probably have more of a KYC problem than we do have an on chain problem, but hopefully with, with a lot of these new services Bitcoin on chain privacy just gets better.
Stephan Livera: That brings the question then around what approach we’re using, and some of this comes into, as we were talking about earlier, things like PayJoin, things like STONEWALL or manual coin selection. So let’s talk a little bit about the use of some of these techniques and where they may help. So perhaps let’s start with pay to end point (P2EP) or also known as PayJoin. Can you talk about what that is and how that helps break the heuristics?
ErgoBTC: Yeah. so there sort of are two problems with Bitcoins. On chain privacy. There’s the transparent addresses which allow you to basically create the a transaction graph. And then there are transparent payment amounts. None of these things are, hidden with confidential transactions or some type of shielded address. It’s out on the open. So, what can you do to sort of address these things? We have the, if you want to address, the transaction graph problem, you’ll do, a typical coin join. That could be, any of the mixers that we talked about. As well as Samourai has some, some additional tools that you can do in your normal wallet or you can do from post mix. That’s, such as STONEWALL and STONEWALL, is a little bit of a stealth technique.
ErgoBTC: But what it basically does is it’s a simulated one wallet coinjoin rather than being multiple users. It will take a couple of your UTXOs and perform a mini coin join and that will break chain analysis merged input heuristic, the merged input heuristic basically operates under the assumption that will basically result in a cluster and if you do a coinjoin, you either have to cluster everything or you have to say we can’t include this in the cluster. So that’s, one way to attack it as is, is via coinjoin in any kind of traditional coinjoin at least. And then you, you mentioned PayJoin or pay to endpoint before pay to endpoint’s really pretty cool. It’s basically a regular Bitcoin transaction and it looks exactly like a regular Bitcoin transaction, but because you’re involving the recipient of the payment and the transaction, it basically hides the payment amount. So the payment amount never shows up on the Bitcoin. It never shows up on the blockchain. So that’s pretty cool. Hopefully some of these, mini coinjoins get adopted or some more widespread use.
Stephan Livera: Yeah, that’s a great point. And I think one thing we have to be wary with that though is in order to do that sort of PayJoin, so my understanding is Samourai wallet has a feature called stowaway, which is, I think either it is that or it’s similar to that idea. So for example, let’s say I wanted to pay you with a Samourai wallet cahoots transaction. And in the process of doing that, I think there’s like a QR code back and forward process that you and I would share and now you, you would not get control of my UTXOs. But now you would have increased visibility into my UTX is correct. And so that is potentially a vector as well because if everybody starts doing a lot of these pay to endpoint or PayJoins or JoinMarket PayJoins, then people do start getting at least some visibility into their transaction partner’s UTXO set. Correct?
ErgoBTC: Yeah, that’s correct. I mean, there’s always this sort of coordinator problem of, of how do you construct the coin joint transaction, whether it’s, Samourai Wallet cahoots or JoinMarket or Wasabi. There are some, trade-offs to basically each of those systems for trying to construct the transaction. As far as I understand, there’s the maker taker model and JoinMarket where the the taker gets all of the privacy because or it’s the takers as the only one that gets all the privacy. And Wasabi they’ve done a pretty good job with their coordinator to keep things from revealing too much information. And Samourai Wallet is somewhat similar, but these, these sort of in person things they where they require a level of trust between you and a buddy, or something along those lines and sort of at that, peer-to-peer kind of level. It’s really not, as much of a trust issue as it is trying to trust some, total unknown third party that, your friend’s gonna dox your coins or something like that. So, it is a concern, but it’s, it doesn’t seem to be too big of a deal.
Stephan Livera: Great. And one other question around the use of STONEWALL. So let me put this in context. So let’s say somebody is stacking Bitcoins, right? And they wanna stack sats, right? And they want to, and they might have a cold storage some kind of cold storage, set up whatever that is. They might have multisignature whatever they’ve got. And so they might acquire those Bitcoins however they, however they did that, right? Whether that’s KYC exchange or mining or earning it with BTCPayServer or whatever. And then they might run that through a mix. And then the question is how would they now spend into their cold storage without obviously doxing. Okay, this is my cold storage. Right? And so one, I guess there are two main approaches that I have seen here. One is the manual control approach where you literally take each coin, joined UTXO and directly spend that into a new address in your cold storage set up. And then the other approach is the kind of more algorithmic STONEWALL style approach, which creates only probabilistic links but not deterministic links. What’s your view there? Did you agree that that’s a good summary? What’s your view there on that kind of thinking?
ErgoBTC: Yeah, I think that’s a pretty good summary, right? You can either spend to your cold storage with, the manual selection one at a time. Or you can use these algorithmic methods. And so the algorithmic method, might provide you with some, additional, privacy sort of in the short term, the manual selection is like you said, will be deterministically linked. You’ve got at best, you’ll look at the blockchain and some of them will know that maybe that was a self spend or something along those lines if it just sits for quite a long time. But both of them are sort of subject to this time decay, problem that maybe isn’t so much of a threat right now with chain analysis but could be in the future.
ErgoBTC: If your coins sit for, it’s sort of like the reverse, of trying to force too many coins through the mixer at once. If they sit for so long, then you can sort of maybe gain some additional information. If I saw five Bitcoin go in and I see five Bitcoin sitting you might be able to sort of come up with a little bit more information about those coins. So, users are not going to leave all of their coins mixing all of the time. It’s just not the way it’s going to be. Nobody wants to keep all of their coins in a hot wallet. So if you do mix your coins at least in my opinion and you do spend to your cold storage is that you should just be prepared to remix coins in the future.
ErgoBTC: I know a lot of people are big proponents of always be mixing, and that’s probably true here. But I just think that users need to be prepared to be spending directly from mixes to a third party coming in the future.
Stephan Livera: Okay, great. So you were talking there around cold storage practices when combined with coinjoining. Right. And so because most people don’t want to leave the keys hot, they’re not just going to be perma-coinjoining on their cold stash. Now maybe in the future some people have talked about ideas around this with PSBT and so on, but for now let’s just say people are not mixing their main cold stash or main storage, right, or HODL stack or whatever you want to call it. But there is an implication as you were saying around timing, analysis and decay and potentially that means people have to be cognizant that they may need to coinjoin on the way out of their cold storage as well.
Stephan Livera: And one example even, and maybe even before we get to that is just this idea that if you were to, let’s say, spend out into your cold storage and then later you needed to spend all of that cold storage into a new set. Well now at that point, what are you doing? You’re potentially going to merge all those outputs together again, and unless the tools that you’re using for your cold storage also have that kind of tooling to do coinjoint, which likely they won’t, then you’ve got to think about that too. And or the other way is potentially to do it UTXO by UTXO and just move, even if you’ve got a hundred different outputs to move each of those over individually. But then I guess the lesson then is even on the way out of cold storage, you would have to think about that in terms of, okay, maybe I’ll run it through a mix and then do a post mix spent on that.
ErgoBTC: Yeah absolutely like we said, users aren’t gonna leave all of their coins hot even with, potential possibilities for, for ‘cold mixing’, in quotes, so it’s probably the least. The way I think about it is that if you’re going to coinjoin and you’re going to send back to cold storage, just be prepared to mix again in the future and spend directly, to a third party from a mix. Cause that really is sort of how these things are designed to be used, at least in my opinion. I know that, like we said, it’s not going to stop users from mixing to storage, but just as long as they’re, prepared to mix again. I think that will be okay. Cause it sort of gets back to this concept of, what really are the best, what is coinjoin really best for? I know we talked a little bit about kind of transaction graph privacy. We talked about, hiding the payment amounts and all of these sort of technical things. But at the end of the day, you want your counterparty to know your, Bitcoin’s history. That’s really where coinjoin kind of shines. So that’s why I think it’s really just best to spend directly from a mix to a third party.
Stephan Livera: Look, great points. But let me just slightly push back there. I, well maybe it’s just a question of tolling right now. The tooling right now is not easy to use to do that. So for example, if you want to spend straight from the mix, well in the case of Wasabi and Samourai, you can’t really do that because it dumps it out back into your address right now. And with Samourai, it gets dumped back out into a postmix section, right? It’s not spending directly to the party that you want to. And also because of the equal input and equal amounts that are being coinjoined, unless you’re going to pay someone exactly 0.01 or 0.05 or 0.5 in the Samourai model or 0.1 in the Wasabi model, or those other mix amounts although as I understand, JoinMarket does have some tumbler algorithm or script that you can use to say, I want to pay to this address and then mix it directly there. But what’s your view there?
ErgoBTC: Yeah, I mean that would be an interesting, addition is to mix directly to the third party. But that’s, a very technical problem that, has a lot of, I guess technical issues. I keep just going back to spend directly from the mix. You’re going to have maybe these little bits and pieces or in the Wasabi model you’re going to have these deterministic links. But at least the way I see with STONEWALL and Samourai’s, model is that STONEWALL prioritizes the change from a previous transaction. This is to reinforce that model of, is this really one wallet or two wallets? So that helps take care of it. Which is kinda neat. I noticed that a little while ago. But you’re still gonna have these sort of deterministic links or these little bits that you kind of have to deal with in the future. So it sort of is kind of the function of Bitcoin’s UTXO model. There’s just always going to be, some kind of change to be a little bit of a problem.
Stephan Livera: Right. I see you. Yeah. Yeah. I think I might’ve misunderstood yeah, because you were saying spend directly from the mix, whereas I interpreted you and I think from my earlier comment of spending like the result of the mix going directly to the third party, but what you’re talking about is more like having a postmix strategy basically and doing it correctly from a post mix point of view.
ErgoBTC: Yeah. It’s, it’s, are you paying to someone else? Are you paying to yourself? That I think might be maybe a little bit of disagreement there.
Stephan Livera: Gotcha. Okay. So the other cool thing is a STONEWALL well, with the algorithm, my understanding there is that it, will try to include extra inputs into the transaction to basically make it less clear what is actually being spent and who owns what.
ErgoBTC: Yeah, that’s correct. I think we’ve said before, STONEWALL is a simulated, coinjoin, you control all of the UTXOs. But if you look at it on the blockchain, it looks similar to a a traditional coin joint. I think the way that they the Samourai guys have the the algorithm tooled now is that you’ve got basically, your payment amount. It’s got an identical output and then you’ve got two identical quote ‘change outputs’. So you wind up with sort of four UTXOs, typically you wind up with three, the person that you’re spending to winds up with one. And so it’s pretty neat, but you sort of you wind up with, two little bits of two anonset kind of coinjoins.
Stephan Livera: Right, I see. Yeah and then, so then the question then is, what would people do with those other little leftover bits? Would they just sort of continually accumulate?
ErgoBTC: Well, I guess if the exchange rate does what, we think it will do, these little bits become, more and more apt to spending. I think that’s sort of is number one. And the other thing is that, the way that the algorithm works is that you can merge some of these little bits into, a larger transaction that will still, have higher entropy and a higher number of interpretations that we had kind of said before. And then from there, I guess the logical thing is, okay, what do I do with all these little bits? You basically have to remix them. I know that Samourai has some plans for that, kind of going forward, which, hopefully will be pretty neat to see.
Stephan Livera: Yeah. That’s awesome. I’m looking forward to seeing that as well. Okay. So yeah, I think we’ve done a pretty big comprehensive talk through a range of different topics. Are there any helpful resources that you would like to point the listeners to? Anything around the Boltzmann algorithm or any other helpful resources?
ErgoBTC: Yeah, I mean probably the best resource is for users to just go out and play around with, the block explorers that we sort of mentioned before. We mentioned KYCP we mentioned OXT. OXT is really pretty cool. I’ve even seen some other users recently, looking to track some, scammed or stolen coins and tweeting about it. It’s pretty cool, but it has a nice transaction graph feature. Instead of looking at blocks of text, you can play around and it doesn’t even have to be your transaction. It could be somebody else’s transaction. And again, the good things about those sites is that they have sort of these privacy algorithms built in. I recommend that users read the gist sections of Laurent’s Boltzmann posts. I know you had mentioned before the the comment section of the first just between waxwing, Adam Gibson and Laurent was pretty neat.
ErgoBTC: I liked that one particularly because, Adam was coming at it from, okay, what UTXO is the payment to the third party, which a lot of people sort of try to impose on Bitcoin and Laurent’s kind of stance that the blockchain doesn’t really see which user received the output. So that’s a pretty neat back and forth that I recommend people go and go and read. I also like Gregory Maxwell’s original Bitcoin talk posts. Those are great. And beyond that, maybe there’s A Fistful of Bitcoins is a useful research paper and beyond that. I know it’s it’s usually frowned upon to come on and talk about another podcast on a podcast. But Bottomshelf Bitcoin episode 25 with Adam Gibson or waxwing was, it was really very helpful especially for me in sort of getting a good handle on a lot of this stuff. So I think users would be really, if they don’t want to do any of that other stuff, but, and they’re into podcasts. Go check that out.
Stephan Livera: Okay. Sorry. It looks like you just cut out there for a second, but I know the podcast episode you’re talking about, it was a good episode with Adam Gibson on the Bottomshelf Bitcoin show. And I guess the next question I’ve got is just more around your views on the future of chain analysis, right? So to some extent we can view the use and creation of some of these tools like KYCP.org and OXT.me and so on as ways of doing the white hat analysis on ourselves before somebody else comes and does it on us. Where do you see all of this going in terms of the next steps for, let’s call it black hat, chain spies versus the white hat, privacy activist types?
ErgoBTC: I wish that there was some more information about what chain analysis is actually kind of doing now. But of course, they’re not gonna, they’re not gonna let us know that you’d have to be in on their sales pitches to really get a good handle on it. But, I think that hopefully, Bitcoiners are, we’ll stay a couple steps ahead of them. I’m sort of just, like you said, we have some of these privacy algorithms that maybe they’re aware of, maybe they’re not, and that, Bitcoiners will probably stay lighter on their feet than chain analysis is even capable of doing. So hopefully, we can just sort of stay, a couple of steps ahead of them.
Stephan Livera: Right. Yeah. And also, did you have any thoughts around the combination of things like coinjoin techniques with Lightning?
ErgoBTC: I really haven’t spent too much time looking into that yet. There’s just only so much time in the day and I chose to start with with coinjoin and specifically on chain, hopefully I’ll find some time to look into that in the future.
Stephan Livera: Great. Yeah. I think that’s an interesting potential combination in the future as well that we may see. So, yeah, I guess, were there any other points you wanted to bring up or, I think I think that’s pretty much it. So if you’ve got anything else to say, just say that and also just let the listeners know where they can follow you online.
ErgoBTC: No, I think we’re pretty much all set here. You guys can find me on Twitter at @ErgoBTC. Just, hit me up with any questions. I’d be happy to help you out.
Stephan Livera: Fantastic. Well, thank you for joining me.
ErgoBTC: Thanks Stephan.