Interpol just took down Monero-only Darknet Market Archetyp by tracing financial flows. In its 5 years of activity Archetyp amassed 612,000 users and a total transaction volume of over $289m (in XMR). While you can find the full Interpol PR here, here is a noteworthy quote:
By tracing financial flows (Archetyp was a Monero-only DNM), analysing digital forensic evidence, and working closely with partners on the ground, authorities were able to deliver a decisive blow to one of the most prolific drug markets on the dark web.
Archetyp's admin was arrested in Barcelona and other top vendors are being hunted down in Sweden and Germany. As I've been arguing for a while, DNMs are honeypots and, as Monero's crime marketing suggests, Palantir/Chainalysis likely play a key role. Crime marketing consists of openly encouraging people to commit crimes with Monero (such as selling drugs online) with the promise of impunity (something Monero influencers do a lot). Chainalysis/Palantir then generate ROI by offering premium tracing services to LE to catch the criminals of their own making.
By the way, in March 2025 Chainalysis was sued by bankrupt crypto lender Celsius over a 'sham audit confirming $3.3B of AUM'. Just so you have an idea of their moral/ethical compass.
To conclude, this piece of news only confirms what I've been saying for a long time and what advanced hackers (like those indirectly surveyed in the Lockbit admin panel leak) have known for a while: Monero is obsolete privacy tech turned honeypot by Chainalysis & Co.
Archetyp DNM: From Monero only to Interpol only by tracing financial flows. Yes, they traced Monero. Yes, DNMs are honeypots. Yes, Monero is obsolete privacy tech turned honeypot by you know who.
Yesterday, a Chainalysis proxy (obvious from the misinformation contained in it) released a report on deanonymizing Zano by exploiting its weak network privacy and its staking feature. The core argument seems to revolve around the importance of having a strong p2p network communication protocol, which neither Monero nor Zano have.
The p2p communication protocol is a topic I covered in February. Monero and Zano share the same weaknesses at the p2p communication protocol level. The disinformation piece by "Zaldo/jhendrix" on Zano argues that Dandelion++ in Monero defends against this type of attack. That's completely false, and if you've read my previous posts you should know why. I will still explain it again here for the new ones, but first and foremost, before proceeding any further, check my pinned post infographic. You will see that, as I explained there, both Monero and Zano have the weakest privacy of all UTXO chains. The outcome of this Zano (Chainalysis) investigation confirms that while misleadingly trying to hide Monero's weaknesses (which I will address here).
Monero's Dandelion makes sure that each node first propagates the transaction to a single node ("first single node"), instead of to all nodes in all directions at the same time (like Zano's p2p protocol). Dandelion's solution can be easily attacked by a chain analysis actor by simply increasing the amount of spy nodes, because this increases the odds that a user node picks a spy node as its first single node when broadcasting a new transaction.
For this reason, Dandelion does not provide protection in a network where at least 90% of nodes are spy nodes. We have a lot of proof today that over 90% of nodes in Monero are spy nodes (circa 11300). Now let's read together what these honeypot promoters say about Zano:
If we have one spy in our peerlist, then once we relay a transaction, the Dandelion protocol will choose a random peer to broadcast it to, resulting in a 1/8 chance of picking our spy.
This passage proves they're engaging in disinformation, because if you know this much then you cannot claim to not know that even Dandelion can be easily bypassed by simply increasing the number of sybil nodes. By the same logic as employed to explain Zano's weakness, if in our list (network) 9 out of 10 nodes are spy nodes (like in Monero: see this and this), then the Dandelion protocol has a 9/10 chance of picking our spy node. In other words, Dandelion leaks at least 90% of the user IPs and this can be made more accurate by increasing the number of spy nodes further.
Let's read more what they say about Zano:
We can determine the user's IP address by comparing all spy node relay information, and by filtering for the earliest timestamp, we will identify the source with a 100% success rate.
But we can do the same in Monero, where 90% of nodes are spy nodes, and we will get the user's IP with a min 90% success rate. Of course the Chainalysis interns have been instructed to suppress or censor any mention of this, even as a theoretical scenario, let alone admit its factual existence in Monero. Yet considering the evidence out there, it's obvious they cannot disagree with the statement that running your own node provides no protection in Monero, just like in Zano. Or maybe, to be fair, we can say it provides at most 10% more protection in Monero.
So the jhendrix/Zaldo piece can best be summarized as: we have deanonymized Zano by leveraging its weak p2p communication protocol, and Monero's p2p protocol is, in its current state, only 10% stronger. Then Monero isn't private, is it?
The only cryptocurrency that effectively mitigates network level attacks is Dero, and it does it by combining UDP with/over TLS and erasure coding. In Dero, you can run your own node and not use a VPN and an outside observer still has no way of pinpointing a transaction to its node of origin because thanks to UDP and erasure coding it can't know who broadcast it first.
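The 1/8 and 9/10 figures in the post above are single-hop cases of a simple model. As an added example (my own code, not the channel's and not any Monero, Zano or Dandelion implementation), here is that model in Python, generalized to a stem of k hops and with a seeded simulation as a cross-check. The function names and the assumption that each stem hop picks one peer uniformly at random are mine.

```python
"""Stem-phase exposure model for a Dandelion-style relay (added example).

Assumption (mine, not the post's): each stem hop forwards the transaction to
one peer chosen uniformly at random, and a fraction `spy_fraction` of the
peers that can be chosen are spy nodes. The post's two cases (1 spy among 8
peers, 9 spies among 10) are the single-hop instances of this model.
"""
import random
from fractions import Fraction


def stem_leak_probability(spy_fraction: Fraction, stem_hops: int = 1) -> Fraction:
    """P(at least one of the `stem_hops` stem relays is a spy).

    With one hop this is just `spy_fraction`; with k hops it is
    1 - (1 - spy_fraction)^k, because every hop is an independent draw.
    """
    if not 0 <= spy_fraction <= 1:
        raise ValueError("spy_fraction must be in [0, 1]")
    if stem_hops < 1:
        raise ValueError("stem_hops must be >= 1")
    return 1 - (1 - spy_fraction) ** stem_hops


def max_tolerable_spy_fraction(max_leak: float, stem_hops: int) -> float:
    """Largest spy fraction that keeps the leak probability at or below `max_leak`.

    The defender's view of the same formula: how much of the peer population
    must be honest before a stem of the given length offers the wanted margin.
    """
    if not 0 <= max_leak < 1:
        raise ValueError("max_leak must be in [0, 1)")
    return 1 - (1 - max_leak) ** (1 / stem_hops)


def simulate_stem_leak(spy_fraction: float, stem_hops: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo cross-check of stem_leak_probability with a seeded RNG."""
    rng = random.Random(seed)
    leaked = sum(
        1
        for _ in range(trials)
        if any(rng.random() < spy_fraction for _ in range(stem_hops))
    )
    return leaked / trials


if __name__ == "__main__":
    for spies, peers in ((1, 8), (9, 10)):
        p = Fraction(spies, peers)
        print(f"{spies}/{peers} spies, 1 hop : leak = {stem_leak_probability(p, 1)}")
        print(f"{spies}/{peers} spies, 3 hops: leak = {stem_leak_probability(p, 3)}")
    print("max spy fraction for <=10% leak over 1 hop:", max_tolerable_spy_fraction(0.10, 1))
    print("simulated 9/10 spies, 1 hop:", simulate_stem_leak(0.9, 1, 20_000))
```

One caveat on reading the multi-hop number: it counts a spy sitting anywhere on the stem path. A spy in the middle of a longer stem receives the transaction but cannot tell whether its predecessor originated it or merely relayed it, so for k > 1 the value is an upper bound on origin exposure, not an identification rate; the single-hop case is the one the post's 1/8 and 9/10 figures describe.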
Zachxbt (Chainalysis) traced a WHITE marketing wallet to the Zkasino scam. Zkasino raised 10k ETH & team went MIA.
It's highly likely that Chainalysis (Zachxbt) traced Monero transactions to get to the bottom of the WHITE scam. Quote:
I noticed a number of transactions in late Feb to early Mar 2025 where Zkasino funds were sent to an instant exchange and WhiteRock wallets received similar quantities from other instant exchanges via XMR.
The flow chart has no evidence of Zkasino funds that were sent to swap services to buy XMR. If that's how he traced them, then show us the ~60 ETH TXs from Zkasino to instant exchanges that preceded the funding of the WHITE wallet so we can verify timing and amounts, no? No, because that's probably not how he traced them.
WHITE is the same type of scam as EOS. EOS raised $4.1bn (2018), delivered 0, but is going public today as Bullish ("Peter Thiel backed"). Zach won't look into EOS/Bullish, despite being 100x bigger. But he'll trace XMR for WHITE. Paypal mafia, innit?
A quick ICYMI update on the only protocol that is not chain analyzable today:
1. In April, Civilware released new Dero binaries that contain new seed nodes and some other updates. Link to Civilware's most recent Dero binaries (141): https://github.com/civilware/derohe/releases/tag/Release141
2. In May, Civilware released a wallet version that patches the wallet payload randomness re-use bug. If you want to review/test the patched wallet and provide feedback you can download it here: https://github.com/civilware/derohe/commit/f5b765417b949f62e19f043d370993db9b837f31
SixofClubs, Dank, Azylem and other community contributors are part of Civilware. If you're new to Dero and want to get started running a node and/or mining, you should be using Civilware's binaries as they are the most recent ones.
UTXO chains (XMR, Zano, ARRR, ZEC) are old tech, both onchain (because of UTXO and single use outputs generated with each transaction) as well as at the network level, which is always TCP based. Their p2p protocols were not designed to resist state actors or well funded actors like Chainalysis/Palantir.
DERO combines homomorphic encryption with the account model for onchain privacy-through-encryption, and UDP (connectionless, no handshake metadata) with erasure coding in its p2p communication protocol. This obfuscates transaction origin and reduces traceable patterns.
Another XMR-only hacker goes down, with at least 3 huge hacks attributed to him whose ransoms were collected in XMR. The guy's name is Kai West and he went by the moniker 'IntelBroker'.
In the Palantir controlled press they are saying he got caught because of a $250 BTC transaction in February 2023, before any of the 3 huge hacks between March 2023 and November 2024 had happened. Seriously dudes, so they knew who he was and let him on the loose for 2 years despite that $250 BTC transaction tied to a Ramp account with his driving license being 'how they caught him'?
I read the complaint, and here is what the complaint actually says. Forum user IntelBroker, who was part of a digital ransomware gang, accepted $250 in BTC once in February 2023, and this transaction is used to prove that the identity of Kai West and that of the IntelBroker forum user are connected. That's it. The bulk of his criminal activity however occurred much later. According to the DOJ complaint, there have been at least 4 more high profile victims spanning from March 2023 until December 2024 whose ransoms were collected in XMR.
Since in all the successive breaches he sold the data for XMR, the only way to prove that these ransoms went to Kai West is to be able to trace Monero and see where the money goes. You know, to make sure that ransoms don't go to someone else that has stolen Kai West's identity or that is using Kai West as a front. So either Monero was traced, or it was traced. There is no other way you can attribute those hacks to Kai West without tracing Monero for confirmation that it's actually him and not someone impersonating him. Or someone else inside the gang.
As recently as 2 months ago, Intelbroker gave an interview to Palantir Crime Marketing shill Sam Bent (Bent is the guy that encourages people on social media to commit crimes with XMR). At some point Sam Bent does his favorite crime marketing question. What is your favorite privacy coin, IntelBroker? 'XMR, for the flawless privacy tech' he answers. Woah! Palantir you saw that? Give Sam Bent a raise please.
Deanonymizing an XMR transaction from X using simple onchain heuristics. Someone forwarded this tweet to me, so I had a look at it. Let's start with what we know:
1. Real spends are recent TXOs (we eliminate super old TXOs)
2. this is a retail transaction, real spends are fragments from the same retail wallet (rest TXOs) and therefore should share transaction heuristics (structure, fees)
3. since it's the same user, they should share other behavioral patterns (day, time zone)
4. the target transaction happened on August 6th, 15:19 UTC, with a fee of 0.000044360000 XMR, with 2 inputs and 2 outputs (retail structure)
With these heuristics I went through the decoys in the TX and added next to each their onchain metadata. Siblings refers to the other outputs that were created together with that specific output. KIs (key images) refers to the number of inputs in the TX that created that output. The fee is the fee paid in the TX that created the output. In my next post I'll explain how to identify the highly likely real spends.
Since we know our real spends come from a retail wallet then we rule out all TXOs created in many-to-many or one-to-many transactions. These are the TXOs that have more than one sibling (marked with asterisk). The reason is that the transactions where these TXOs were created are not compatible with normal users because normal user transactions have 2 outputs (receiver and rest). By doing this we eliminate 8 decoys in the first ring and 10 decoys in the second input ring (among which also the oldest).
Next we start looking for TXOs that share a fee with our target transaction. By comparing fees there is only 1 TXO in the first ring that matches our fee, and 2 TXOs in the second ring. We have most likely found the real spend of the first ring. If we look at the time when this candidate TXO was created, it's 13:32 UTC, which is UTC afternoon time of the same day of our target transaction (2h prior). This TXO (from block 3209243) is the first highly likely real spend because it is recent (created 2h earlier), is generated by a user (not program), and uses the same fee structure.
When we look at the 2 candidate TXOs that are left in the second ring (on the right), we notice that one of them was created at 10:00 UTC (5h earlier), while the other was created at 14:26 UTC (1h earlier). By following the recency heuristic the most recent TXO is the second real input of the transaction (from block 3209273).
Therefore based on onchain data and what we know from X, the highly likely real spends of this 2 input XMR transaction are the one from block 3209243 and block 3209273.
To find the receiver we need to identify the rest TXO (the one that stays in the user's wallet). One way of doing so would be to monitor the blockchain for when one of those TXOs is included in another transaction in afternoon UTC time that shares the same fee size (or some other pattern). By exclusion, once the rest is found we can get the highly likely receiver.
OK, so this is what I can do with a simple explorer by applying simple heuristics. Something like Chainalysis can cross reference with other Monero databases and get hits with 100% certainty. Therefore, as I've said for a while, Monero is 100% traceable just like Bitcoin. And by the way, this kind of analysis is not possible on Dero because Dero uses the account model where balances are simply updated (homomorphically); we don't have new outputs created with every transaction. Therefore there is no "recency" heuristic or heuristics like "retail/non retail" that are made possible by the UTXO accounting model, such as the one/many-to-many structure in this case.
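To make the filtering steps of the two posts above reproducible, here is an added Python example (my own code, not the channel's, with constructed ring data and my own field names). It applies the structural filter (more than one sibling output) and the fee filter to a ring and reports how many candidates survive, then applies the recency tiebreak the post uses. It is written from the side of someone auditing a wallet's decoy selection: if the report says the ring collapsed, the decoys gave the real spend no cover against these heuristics. The two block numbers 3209243 and 3209273 and the target fee and time come from the post; every other block number, the year in the timestamps, and the remaining ring members are constructed.

```python
"""Measuring how much of a ring's anonymity set survives metadata filtering.

Added example with constructed data; not code from the channel. A RingMember
is one candidate input of the target transaction, annotated with the onchain
metadata of the transaction that created it (the columns the post describes).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class RingMember:
    block: int          # block in which the candidate output was created
    created: datetime   # timestamp of that block
    siblings: int       # other outputs created in the same transaction
    fee_xmr: str        # fee paid by the creating transaction (decimal string, no float rounding)


@dataclass(frozen=True)
class TargetTx:
    created: datetime
    fee_xmr: str


def structural_filter(ring: List[RingMember], max_siblings: int = 1) -> List[RingMember]:
    """Drop candidates created by one-to-many / many-to-many transactions."""
    return [m for m in ring if m.siblings <= max_siblings]


def fee_filter(ring: List[RingMember], target: TargetTx) -> List[RingMember]:
    """Keep only candidates whose creating transaction paid the target's fee."""
    return [m for m in ring if m.fee_xmr == target.fee_xmr]


def effective_anonymity_set(ring: List[RingMember], target: TargetTx) -> List[RingMember]:
    """Candidates left after both filters: the anonymity set that actually remains."""
    return fee_filter(structural_filter(ring), target)


def most_recent_candidate(candidates: List[RingMember], target: TargetTx) -> Optional[RingMember]:
    """The post's recency tiebreak: newest candidate created before the target."""
    eligible = [m for m in candidates if m.created < target.created]
    return max(eligible, key=lambda m: m.created, default=None)


def anonymity_report(ring: List[RingMember], target: TargetTx) -> Dict[str, object]:
    """Summarize how the ring shrinks under each filter; `collapsed` means <= 1 survivor."""
    after_struct = structural_filter(ring)
    survivors = fee_filter(after_struct, target)
    return {
        "ring_size": len(ring),
        "after_structure": len(after_struct),
        "after_fee": len(survivors),
        "collapsed": len(survivors) <= 1,
    }


# Constructed sample: the target's time and fee are from the post (year assumed).
SAMPLE_TARGET = TargetTx(created=datetime(2024, 8, 6, 15, 19, tzinfo=UTC), fee_xmr="0.000044360000")

SAMPLE_RING = [
    RingMember(3209243, datetime(2024, 8, 6, 13, 32, tzinfo=UTC), 1, "0.000044360000"),   # from the post
    RingMember(3209273, datetime(2024, 8, 6, 14, 26, tzinfo=UTC), 1, "0.000044360000"),   # from the post
    RingMember(3209101, datetime(2024, 8, 6, 10, 0, tzinfo=UTC), 1, "0.000044360000"),    # constructed
    RingMember(3100000, datetime(2024, 3, 8, 9, 15, tzinfo=UTC), 1, "0.000030000000"),    # constructed, old, other fee
    RingMember(3209200, datetime(2024, 8, 6, 12, 5, tzinfo=UTC), 1, "0.000061000000"),    # constructed, other fee
    RingMember(3208000, datetime(2024, 8, 5, 20, 40, tzinfo=UTC), 5, "0.000044360000"),   # constructed, one-to-many
    RingMember(3200000, datetime(2024, 7, 24, 3, 10, tzinfo=UTC), 12, "0.000120000000"),  # constructed, many-to-many
    RingMember(3209250, datetime(2024, 8, 6, 13, 50, tzinfo=UTC), 3, "0.000044360000"),   # constructed, one-to-many
]


if __name__ == "__main__":
    print(anonymity_report(SAMPLE_RING, SAMPLE_TARGET))
    best = most_recent_candidate(effective_anonymity_set(SAMPLE_RING, SAMPLE_TARGET), SAMPLE_TARGET)
    print("recency favourite:", best.block if best else None)
```

Fees are compared as decimal strings on purpose: converting 0.000044360000 to a float and back would make equal fees look different after rounding. Run the report over a wallet's own rings on real input to see how often the anonymity set collapses after these two filters alone.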
Here is a recap of the top privacy coin tracing heuristics, and how vulnerable different privacy coins are to each method. As you can see, none of the top heuristics works on DERO because of its choice to use the account model with homomorphic encryption, and on the transport layer to resort to UDP over TLS and erasure coding.
The weakest privacy coin where an attacker can employ the biggest number of heuristics, Monero, has the highest market cap. Almost as if some companies (Palantir? Chainalysis? TRM Labs?) are inflating its valuation, and promoting it with crime marketing, exactly because it can be traced.
The privacy community has a right to know that a core developer of Pirate Chain doesn't know that his own chain is a UTXO chain.
That's not a minor misunderstanding so I can't help but wonder, how can he not know? One explanation I've heard, which sounds plausible, is that Forge simply forked the ARRR codebase from Zcash so he has no deep understanding of it.
The UTXO heuristic with respect to ARRR stands and is not weak. Even though links between inputs and outputs are broken onchain with ZK proofs, these can be unmasked by applying transport layer heuristics. When a user creates a transaction, the wallet generates new outputs (notes) and zk-SNARK proofs. It then broadcasts everything: the nullifiers of the spent inputs, the new notes, and the zk-SNARKs to the network.
By checking for the node/IP that first broadcasts a group of nullifiers and new notes, we can correlate nullifiers to new outputs created and learn if the outputs come from a consolidation, one to many, or many to many transaction.
After reading this reply, I'm now really concerned about the expertise of the people working on Pirate Chain. Despite my explanation, their team still completely misses the vulnerability of UTXO heuristics when applied to their chain.
In my next post I will publish an ordered rebuttal of the Pirate Chain team's latest response...
Techleaks24, replying to the post above:
1. I'm glad they acknowledge ARRR is technically a UTXO chain.
2. Because ARRR is UTXO, in each transaction new shielded notes (outputs) are created locally, together with the zk-SNARK proof. Then the nullifiers of the spent inputs, the zk-SNARK proof and the newly created notes are broadcast together from the sender's wallet to the wider network.
3. While the linkage between shielded notes and nullifiers created with each transaction is broken once they are published onchain, links can be revealed by spying who broadcast them first (through network layer heuristics).
4. "Transport layer applies to every other chain" - Not true. Not all chains have a transport layer that allows tracking who broadcast a transaction first. VPN, TOR are not a solution as they are easy to compromise for a state actor. The only privacy coin I know that eliminates transport layer heuristics is Dero. Dero does it not by telling users to use a VPN or Tor, but by using UDP over TLS with erasure coding. On Dero, even if the user doesn't use a VPN/TOR, other nodes can't tell which node a transaction originated from.
5. If the accounting model wasn't UTXO, then there would be nothing to leak. Since Pirate is UTXO a user/entity has to broadcast different amounts of nullifiers and new notes depending on the transaction type.
6. By exploiting transport layer heuristics, and monitoring the amount of nullifiers and new notes published by a wallet/user node, we get not only the transaction's origin but also behavioral information on the sender (from the transaction structure, such as consolidation transaction, one to many or many to many).
7. Even when it comes to UTXO, I'd happily mention another coin but the only coin to have eliminated UTXO heuristics is Dero which does it by using the account model. So even if Dero was using Pirate Chain's weak p2p communication protocol, you still wouldn't be able to glean behavioral information such as those provided by one to many or many to many transactions because Dero's accounting model is not UTXO.
To conclude, like explained in my infographic (check pinned), UTXO heuristics apply to ARRR and reveal a lot of information on senders. Stating the contrary would be malicious towards all those naïve users that rely on ARRR for privacy.
Three researchers from the Technische Universität Berlin and TRM Labs released a paper in May explaining why Haveno crosschain swaps are not private.
By using UTXO, timing and transaction fee heuristics, and combining these with Haveno's public trade history, they were able to create a system to completely deanonymize Haveno XMR-BTC crosschain trades. Here is a quick breakdown of how these heuristics are used:
1. Fee heuristic: Haveno uses an unusually high fee for its transactions, such as when initiating security deposits (whenever a trade is taken).
2. UTXO heuristic 1 (2->2 high fee transaction): Since security deposits happen in pairs, using the fee heuristic to look for pairs of transactions where outputs are mined in the same block creates leads of potential Haveno trades.
3. UTXO heuristic 2 (cluster analysis): Once a trade is completed successfully, Haveno releases the security deposits in a single high fee transaction, where one of the outputs goes to the taker and one to the maker. So next they look for 2 of the outputs from the previous transactions to appear together as inputs in a new transaction.
4. Timing heuristic 1: Since Haveno trades (offchain wrt XMR) must be completed within 24h, the second transaction (UTXO heuristic 2) must happen in less than 24h.
5. Timing heuristic 2: Haveno publishes its trade history by obfuscating amounts by ±5%, therefore by looking up the transaction history and time, and analysing the BTC chain for transactions in the same amount in the obfuscation window, they expose the BTC transaction involved in a specific trade.
Not much else to say, just that when they tell you to buy XMR on Haveno to go dark, you're not really going dark. Any KYC data (home address, photo of you holding your ID) tied to your BTC address is now transferred to your XMR outputs.
This attack combines many heuristics (UTXO, fee, timing) with information exposed by relying on a semi-centralized third party Haveno, such as trade amounts and time, to deanonymize all cross chain swaps.
Privacy activist Derolytics has just released a Dero explorer for all transactions between January 2022 and July 2025. By exploiting the randomness reuse bug, Derolytics has brute forced amounts, sender and receiver (where possible) of all Dero transactions conducted with the first generation Dero wallets.
Did this reveal an inflation bug? No.
Derolytics findings prove Dero's bulletproofs, the most critical component of any privacy coin, work as intended and have no known or unknown vulnerabilities.
Is there a protocol privacy flaw? No.
His work exploits a wallet bug. Transactions were deanonymized through brute force because all Dero wallets to date reuse randomness. These transactions were NOT deanonymized because of a protocol weakness or flaw.
Will future transactions with new wallets be affected? No.
All transactions with new wallets that don't reuse randomness will be immune against all the heuristics used to trace Monero & other UTXO privacy chains (i.e. the most private in crypto today).
Bulletproofs verify (without seeing balances, "zero knowledge" proofs) that Alice, with a balance of 10, cannot send Bob 10M coins. In privacy coins they are extremely important because they make sure the tokenomics are respected and the supply isn't inflated by minting illegal coins.
We've seen bulletproof exploits in the following projects:
1. Haven, where the amount of illegal coins in circulation turned out to be over 400M. This was more than 10 times the official circulating supply based on the emissions schedule. Haven was forced to shut down.
2. Zephyr (16M minted)
3. Salvium (10M minted)
4. Xelis (team refuses to do a supply audit so we don't know the amount minted)
A bug in bulletproofs is fatal because exploits are very difficult to detect: since balances are hidden, network participants can't detect the extra coins just by inspecting the blockchain (like they can do with Bitcoin and other transparent chains).
Dero's rocket bulletproofs are tailored to Dero's account based model and its integration with smart contracts. Rocket bulletproofs are undocumented anywhere in the literature; they are the first of their kind and were released for the first time on Dero in 2022.
Considering how advanced Dero's bulletproofs are, and the risks of a bug in anything that is new and cutting edge, it makes sense that Captain released them in 2022 with a mechanism in place to detect a potential bulletproof exploit. To be clear, this is my opinion. Captain himself has not commented on the bug so far.
A counterargument I've heard is that this still makes him incompetent because someone could have built a custom wallet without randomness reuse to exploit BPs in case of a bug. Yes, they could have, but that would have also been detectable. Yet nobody had created such a wallet until at least May 2024.
Derolytics' explorer exploits RR to deanonymize, among others, transaction amounts. It has done this for all transactions from genesis to date, and nothing indicative of a BP exploit has been found. Dero's rocket bulletproofs are, therefore, proven to be safe and bug free as of today.
Can randomness reuse (RR) be considered a backdoor by Captain? No, because RR was placed in Dero's wallet and the wallet has a warning stating that it is to be used for testing purposes only. Anyone who used Dero's CLI wallet even once saw the warning.
The reason we refer to RR as a bug is that those outside Captain who found and publicised it decided to disclose RR as a bug. This is most likely because they couldn't comprehend the rationale behind RR.
Does RR tarnish Dero's reputation? RR cements Captain as someone that cares not only about innovation but also security. Releasing such advanced bulletproofs without an auditing mechanism on a chain that already had 12M coins in circulation would have been reckless from a security point of view.
To this day, Dero's protocol is the most advanced privacy protocol in existence because it is immune to all the key image, UTXO, transport layer and recency heuristics that are used to successfully deanonymize Monero and other UTXO privacy coins. The combination of the account model with homomorphic encryption, and UDP with TLS and erasure coding in the transport layer, eliminates all those heuristics at once.
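Added illustration for the Derolytics post above and this one (my own toy code, not Dero's wallet, Derolytics' explorer, or the rocket bulletproof scheme; all parameters are constructed): a Pedersen-style commitment in a plain mod-P group showing the homomorphic balance check a verifier runs without seeing amounts, the 10-coins-to-10M inflation that only a range proof (bulletproof) can reject, and why a wallet that reuses its blinding randomness lets one publicly known amount brute-force every other amount, while fresh randomness defeats the same brute force.

```python
import secrets

# Toy model constructed for illustration only (NOT Dero's real curve, encoding,
# wallet code or proof system): Pedersen-style commitment, homomorphic balance
# check, the hole a range proof must close, and the randomness-reuse leak.
P = (1 << 127) - 1      # Mersenne prime; Z_P^* stands in for an elliptic-curve group
ORDER = P - 1           # exponents live modulo the group order
G, H = 3, 5             # two bases whose mutual discrete log is assumed unknown
def commit(amount: int, r: int) -> int:
    """C = G^amount * H^r mod P. Hides amount as long as r is fresh and secret."""
    return pow(G, amount % ORDER, P) * pow(H, r % ORDER, P) % P
def balance_holds(inputs: list, outputs: list) -> bool:
    """Verifier's check without seeing amounts: inputs and outputs commit to equal sums."""
    lhs = rhs = 1
    for c in inputs:
        lhs = lhs * c % P
    for c in outputs:
        rhs = rhs * c % P
    return lhs == rhs
def inflation_without_range_proof() -> bool:
    """Alice owns 10 but 'sends' Bob 10,000,000: the balance check still passes because a
    second output commits to a 'negative' amount. Only a range proof on each output rejects it."""
    r_in, r_bob = secrets.randbelow(ORDER), secrets.randbelow(ORDER)
    alice = commit(10, r_in)
    to_bob = commit(10_000_000, r_bob)
    negative = commit(-9_999_990, r_in - r_bob)  # out of range, but blinding factors cancel
    return balance_holds([alice], [to_bob, negative])
def learn_blinding_term(c_known: int, known_amount: int) -> int:
    """From one transaction whose amount is public, compute H^r = C / G^amount."""
    return c_known * pow(pow(G, known_amount, P), -1, P) % P
def recover_amount(c: int, h_r: int, max_amount: int):
    """If the wallet reused r, H^r is identical in every commitment: strip it and
    brute-force the amount. Returns None when no amount in range matches."""
    target = c * pow(h_r, -1, P) % P
    acc = 1
    for v in range(max_amount + 1):
        if acc == target:
            return v
        acc = acc * G % P
    return None
def randomness_reuse_leak():
    """Buggy wallet (one r for every tx) vs fixed wallet (fresh r per tx)."""
    r_reused, secret_amount = secrets.randbelow(ORDER), 4200   # constructed sample values
    h_r = learn_blinding_term(commit(7, r_reused), 7)           # 7 is a publicly known amount
    leaked = recover_amount(commit(secret_amount, r_reused), h_r, 10_000)
    safe = recover_amount(commit(secret_amount, secrets.randbelow(ORDER)), h_r, 10_000)
    return leaked, safe    # (4200, None)
```

The brute force over the amount space is what makes reused randomness fatal here: with a fresh r the attacker faces a perfectly hiding commitment and the same loop returns nothing.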