N/A
(0)
Posts: 12
Earned: 0.1 XMR
Tipped: 0 XMR
Maybe I'm having a retard moment given how tired I am, but I've been giving the traceability of Monero some paranoid thoughts every once in a while. One thing I realized is that it is somewhat possible to trace the origins of specific Monero transactions, especially on a larger scale. Maybe it doesn't identify a specific person, but if you make sufficient transactions, in theory, it could lead to something along the lines of an EAE attack.
For example, say you buy 2 XMR worth of KYC coins via a CEX and you transfer them out into the ether of the Monero network. Eventually, you take 0,5 XMR of those 2 XMR and purchase something via a payment gateway. Later, you return to make another purchase at another vendor's shop and you spend 1 XMR. The 0,5 XMR and 1 XMR could in a way be linked, because they are temporally very close. Even if you use the Monero Wallet Cli, it will show a warning.
Now let's say you swap your coins via "Randoswapper" (made up swapper). When users deposit their XMR into Randoswapper's wallet, it all gets mixed together rather than keeping the coins separate. Should you make a payment to a vendor who also has some coins from Randswapper, once again they will be temporally very close. So if you have coins from a specific source and someone sends you coins from the same source, then you could "guess" where those coins are from.
None of this 100% certain nor how many people have held the coins in–between, such as Bob buying the coins, transferring to Alice, who in turn transfers them to Alex, who buys something via some other vendor. Going this route for tracing coins isn't feasible for an individual, but when you have a state actor, then that could be an issue. Not only is there a problem with buying your coins from a CEX, but there is the other issue of third party payment gateways, like Cryptomus, Coingate, and CoinPayments. Personally, I just assume state actors have unfettered access to both the CEX and any of these third party payment processors, which are also integrated with Chainanlysis and other tools made by other blockchain analysis companies.
For example:
CEX => You (Your own wallet) => Coingate
All this plays a factor:
- Amount in (CEX) / Amount out (Coingate)
- Timing
- Public or private node
- VPN / Tor / Residential IP address
Thanks to ring signatures, it's not a 100% chance, but keep repeating this with the coins from the CEX and eventually you can automatically build a profile. Maybe not enough to charge someone, but possibly enough for an arrest. At the bare minimum, if all these centralized third parties are fully integrated, they could at least know roughly where those coins came from. A lot of this seems like an enormous amount of work, but I could imagine it at least being possible.
As a result, I think it's best for any Monero vendors to use their own payment gateway (e.g. BTCPay server or custom soluion) to prevent this form of analysis of their customers. If you pay 10 different vendors that all use Cryptomus, then the coins still end up in the same place, but if you have 10 vendors each with their own wallets and gateways, then a correlation attack like the one above becomes useless.
Lastly, I think this is also where swapping your Monero can work as an additional layer, especially to other privacy coins like Firo. If you still buy your coins at a CEX, then swapping them with a third party swapper to Firo would break the link. You can swap back from Firo to Monero in split transactions with another swapper effectively giving you new coins without a link back to you. While the best option is to not use a CEX nor third party payment gateways, it isn't always a viable option and if I had to guess, most people are likely getting them from a CEX.
I wish I had the resources to research this in further detail, but I'm not a fed nor the operator of a CEX or third party payment gateway.
Tip Monero to yuzuki 
86GEJPxGRCyYBzQC18xTq1hzv2z2Trpu2RLwcLsgmQEw8itpca2eXknCuoBXo8jw5pevfcwNiHkGf4S257nDG4wLEZuYRXd
Tip Firo to yuzuki 
Publish Tip to yuzuki