An application can be open source, with reproducible code, and still have a perfectly undetectable backdoor unbeknownst even to the application developers themselves. How so? Because, as explained in my previous post, machines run on binary code ('bytecode'). The human-readable code in which the program was written, such as Python or Go, needs to be translated into binary code. This process goes through a compiler, which the developer is trusting to produce binaries that are faithful to the code he wrote. Compiler risk is a form of supply chain risk in app development. The Vyper compiler, which is the compiler used to convert Python-like code into bytecode for the EVM, was found to have a vulnerability in 2023 which compromised re-entrancy locks. Re-entrancy locks prevent re-entrancy attacks. Curve, Alchemix and other DeFi platforms suffered a loss of $70M as a result of the Vyper vulnerabilities.
Why am I explaining all this? Because now you should be able to visualize how aggressively security-minded Dero's development was. Dero's virtual machine, the DVM, instead of being a compiler, is the only VM in crypto today to be an interpreter. Dapps on Dero are coded in DVM-BASIC. And contrary to what happens on Eth, where Solidity or Vyper smart contracts must be compiled before the EVM can run them, the DVM directly interprets DVM-BASIC without any need for compiling. Devs write what a smart contract is supposed to do, and the DVM reads the code line by line. Devs are no longer trusting a compiler.
To be clear, compiler risk is not something new that came with crypto. In 1984, Ken Thompson showed how, instead of putting a backdoor in the application source code, where it would get caught, one could change the compiler so that it would put backdoors in the login part of any code it compiled (the Ken Thompson Hack). It also made the compiler recognize when it was compiling itself, to make sure it always inserted the login backdoor even in future versions of itself.
The backdoor would stay forever undetected, unless one could audit bytecode. Therefore, in a high-stakes environment like crypto, compilers should be avoided altogether whenever possible. By using a compiler we're putting trust in a third party and its developers/auditors. Of all the chains out there, Dero is the only one designed with military-grade security in mind. In other words, prepared to withstand an attack by an entire state army, if need be.
Techleaks24 pinned: «On December 30th, Xelis (an implementation of Dero in Rust without attribution) received a disclosure about a security bug that was deemed worthy of their bug bounty program. The bug was immediately patched in an emergency hardfork on December 31st. As result…»
Xelis is officially an inflation bug scam. This is not a small scam. Today, after a 90% correction, Xelis has a FDV of $61M. Evidence strongly suggests the Xelis team itself exploited the bug, meaning that they're well funded, having sold minted coins at a $610M valuation. In December 2024, the Xelis team conducted an 'emergency hardfork' to fix a ZK proofs bug in sender commitments. Two months have passed and the Xelis team keeps refusing to provide cryptographic proof that the bug wasn't exploited to mint new coins. The Xelis team also refuses to do a supply audit, and bans anyone who mentions it. Stop mining Xelis if you're mining, and don't buy Xelis if you're thinking of buying.
Around the same time as Xelis announced its inflation ZK proofs bug patch, Salvium announced its own inflation ZK proofs bug. Sal's devs somehow "forgot" to implement a 0 difference check (diff between inputs & outputs), which mints new coins undetectably, even post bug patch. Contrary to Xelis, however, Salvium has published a proper bug report. There is a whole lineage of privacy coins, created in this bull market, that seem to be conducting the same exact type of fraud: launch a privacy coin with a hidden proofs vulnerability, exploit it to mint extra coins while everyone else follows the emission curve, announce a patch around new year, and hope to get away with it to slowly dump your illegal coins while releasing small updates. Salvium, despite being a banana republic scam, is at least trying to conduct a supply audit (an attempt to keep the project alive so devs can keep dumping the exploited coins). Xelis, on the other hand, doesn't even allow any mention of a supply audit in its community.
In the 2021 bull market, Dero bottomed 37 weeks after Bitcoin's halving. We're now in the 41st week post halving, so in a time frame consistent with Dero's historical cycle lows so far. Also, the hermetic (disinformation) wall that has kept people from studying & understanding Dero for so long is slowly crumbling. Dero is the only privacy protocol to implement one-of-a-kind private-through-encryption tech. In other words, if an adversary can deanonymize a Dero transaction, they could brute force the private key of Satoshi's wallets. Today such adversaries don't exist. And it can only be a quantum computer, which would mark the end of today's crypto. Dero also implements cutting-edge tech in other parts of its architecture, such as UDP with erasure coding that makes mass traffic analysis impossible. It also has the only interpreter VM in crypto. And in its roadmap it has quantum resistance. At $6M market cap, this is a historical buying opportunity. The fair valuation, considering the tech, is well above $1bn. NFA.
If you thought Monero is fungible, then think again. Today the US Treasury announced the sanctioning of five XMR addresses belonging to Behrouz Parsarad. And yes, you read that right, 5 Monero addresses. How is that possible if Monero uses stealth addresses? That's possible by tracing TXOs instead. What the Treasury calls an "address" is just a transaction output. This announcement makes it clear why stealth addresses in Monero are pointless, why Monero is obsolete, and why Monero is not fungible. Because of the UTXO accounting model, transaction outputs are the equivalent of addresses. I tweeted extensively about the potential of freezing Monero TXOs on my now censored Twitter account. Monero has no receiver privacy, and through key image analysis one can determine if/when a flagged output is spent. If not spent yet, then it can be sanctioned, because outputs can be spent only once. Like I've been saying for 1 year, Monero is obsolete privacy tech, exactly as traceable and as censorship tolerant as Bitcoin.
A few people from the Monero community have pointed out an inaccuracy in my previous post. Contrary to what I state, they say, the US Treasury has OFACed 5 Monero addresses, not TXOs. I'm grateful to the reasonable people in the Monero community who kindly pointed this out. However, that shouldn't distract from the greater issue that I'm pointing out, i.e.: Monero TXOs are perfectly OFAC-able. The OSPEAD report released on February 21st showed that Monero Research Labs has already developed a methodology that reduces the effective number of decoys from 15 to 4.2 by exploiting divergences in age between the real spend age distribution and the decoy age distribution. This is something I had already explained in my January 29 post, where I stated: "The second issue is that decoys are picked algorithmically (ie, deterministically). And since we know the algorithm, we can expose real spends by looking for ring members that the algorithm had a very low chance of picking on its own." This also means that key image analysis (filtering out spent TXOs) has to eliminate only 3 out of 16 decoys, because most of the job is done by the age divergences due to the decoy picking algo. When you combine key image analysis and/or cluster analysis (patterns forming TXOs appearing in the same transaction) and/or OSPEAD (assuming that's the best methodology so far), it becomes clear why finding the real spend in a Monero transaction is statistically trivial. And if real spends can be found, then Monero TXOs become OFAC-able just like Bitcoin UTXOs. For example, by using OSPEAD alone one could enforce OFAC-compliant mining pools that refuse to mine any transactions where the flagged TXOs cannot be ruled out as decoys by using the OSPEAD methodology. The reason is that in these transactions there is a probability of at least 25% that the flagged TXO is being spent.
So regardless of whether the Treasury OFACed addresses or TXOs this time, we already have plenty of data to prove that Monero TXOs are perfectly OFAC-able today.
GitHub: Rucknium/OSPEAD, Optimal Static Parametric Estimation of Arbitrary Distributions (OSPEAD) for the Monero decoy selection algorithm
A common talking point in Monero is that heuristics like OSPEAD can be applied to any chain that uses rings, because rings are a weakness. This is false. For example, Dero also uses rings, but Dero's rings are not OFAC-able because there is no way, even statistically speaking, to profile high-risk transactions with OSPEAD. An OSPEAD type of analysis does not work with Dero accounts. The reason for this is that TXO age in Monero bears much more behavioral significance than in Dero. TXO age in Monero corresponds to the last time when these TXOs received money, since each TXO can be spent only once. Therefore age analysis of TXOs differentiates between money that was just received (high probability that it will be spent soon) and money that was received long ago (high probability that it was already spent). The age of Dero accounts, on the other hand, corresponds to when a user entered the Dero network and bears no indication whatsoever of when the account last received money. In other words, the age of Dero accounts bears no behavioral significance. As a result, statistical analysis like OSPEAD (based on onchain data) cannot reduce the anonymity set in any shape or form on Dero. The weaknesses in Monero are not rings but single-use outputs (that give behavioral significance to TXO age) and key images (that allow definitively ruling out decoys, reducing the anonymity set with 100% certainty).
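As an added illustration of the decoy-age argument made in the OSPEAD post and in the post above (written for this page; it is not code from the OSPEAD repository, Monero or Dero, and the age buckets, distributions and ring composition are made up), the toy model below weights each ring member by how much more likely its age is under the real-spend distribution than under the public decoy distribution, removes members already ruled out by key images, and reports the effective anonymity set. When the two distributions coincide, as with an age that carries no spend information, the ring keeps its full size.

```python
"""
Toy model of decoy-age analysis on a ring (constructed example, not OSPEAD's code).

Ages are bucketed labels ("recent", "medium", "old").  The decoy selection
algorithm draws decoy ages from a public distribution `decoy_pmf`; the analyst's
estimate of how real spends are distributed by age is `real_pmf`.  Ring members
are otherwise exchangeable, so the posterior that member i is the real spend is
proportional to the likelihood ratio real_pmf[age_i] / decoy_pmf[age_i].
Members already ruled out by key-image analysis are passed in `known_spent`.
The effective anonymity set is the inverse Simpson index 1 / sum(p_i ** 2):
equal to the ring size when every member is equally likely, 1 when certain.
"""


def posterior_real_spend(ages, real_pmf, decoy_pmf, known_spent=frozenset()):
    """Return one probability per ring member of being the real spend."""
    weights = []
    for i, age in enumerate(ages):
        if i in known_spent:
            weights.append(0.0)  # key image already seen: cannot be spent again
            continue
        r, d = real_pmf.get(age, 0.0), decoy_pmf.get(age, 0.0)
        if d == 0.0 and r > 0.0:
            # The decoy algorithm never picks this age, so this member must be real.
            return [1.0 if j == i else 0.0 for j in range(len(ages))]
        weights.append(r / d if d > 0.0 else 0.0)
    total = sum(weights)
    if total == 0.0:
        raise ValueError("no ring member is consistent with being the real spend")
    return [w / total for w in weights]


def effective_anonymity_set(probs):
    """Inverse Simpson index: how many 'equally likely' members the ring really has."""
    return 1.0 / sum(p * p for p in probs)


# Constructed distributions: real spends skew recent, decoys skew old.
REAL_PMF = {"recent": 0.5, "medium": 0.3, "old": 0.2}
DECOY_PMF = {"recent": 0.25, "medium": 0.25, "old": 0.5}


def demo_ring_16():
    """16-member ring: 2 recent, 4 medium, 10 old outputs (constructed)."""
    ages = ["recent"] * 2 + ["medium"] * 4 + ["old"] * 10
    # No age signal: analyst's real-spend model equals the decoy distribution.
    uniform = effective_anonymity_set(posterior_real_spend(ages, DECOY_PMF, DECOY_PMF))
    # Age signal only.
    age_only = effective_anonymity_set(posterior_real_spend(ages, REAL_PMF, DECOY_PMF))
    # Age signal plus key-image analysis: six old members were spent elsewhere.
    spent = frozenset(range(10, 16))
    with_key_images = effective_anonymity_set(
        posterior_real_spend(ages, REAL_PMF, DECOY_PMF, known_spent=spent))
    return uniform, age_only, with_key_images


if __name__ == "__main__":
    u, a, k = demo_ring_16()
    print(f"no age signal: {u:.2f}  age signal: {a:.2f}  + key images: {k:.2f}")
```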
As the world is catching up with Monero's obsolescence, it's time to critically assess the promise of FCMP. As explained in my previous posts on key image analysis and OSPEAD, behavioral analysis is key to deanonymizing Monero today. On one hand it allows the creation of sets of related TXOs, and on the other it can be used to attack the decoy selection algorithm (eg: OSPEAD). With the introduction of FCMP a few things change, but Monero remains traceable. How? Because in FCMP each TXO still has onchain metadata and offchain metadata. Post-FCMP, the metadata linked to each TXO include: the merkle root height (age) to which its FCMP(s) refer (i), the number of key images in the transaction that created it (ii), the fee structure (iii), onchain metadata left by the wallet version such as the way the transaction was built (iv), and any offchain metadata such as IP address. What happens is that these metadata allow the creation of sets of related TXOs whose key images can be exposed by looking for behavioral patterns. For example, it's well known that new TXOs tend to be spent sooner rather than later. If we have 5 TXOs that are marked as related, and a 5-input transaction appears shortly after the most recent of these 5 related TXOs has been created, then we can be fairly certain that those TXOs are being spent if there are no other 5 related TXO combinations with a recent output among them. This example shows how exposing key images of TXOs via pattern analysis continues post FCMP.
A merkle root is like a container of all TXOs created up to that point. For every user transaction, CEX TXOs can be visualized as black marbles that don't contribute to the anonymity set. The remaining colorful marbles can be imagined as being of different shades of colors, where related marbles share the same shade. We know that a user cannot co-spend marbles of different colors. An FCMP transaction is a zero knowledge transaction that tells the network 3 marbles of the same color are being spent.
By looking at related TXO sets we can start looking for possible fits among sets of same-color marbles where the third one joined the set recently, and find high-probability fits depending on the uniqueness of the pattern. For example, if there is only one set of 3 related marbles where one was created recently, then the probability is high that those 3 are being spent. If there are 2 possible combinations, then the probability is split among those 2 combinations. However, as more patterns are analyzed, more combinations can be ruled out even in edge scenarios. The conclusion is the same: FCMP doesn't stop behavioral analysis that allows profiling of Monero TXOs, and makes possible zero knowledge mapping of input TXOs to FCMP transactions by looking for complementary patterns and time proximity.
The issue isn't even about decoys anymore; maybe in 2022 filtering decoys was the way to trace Monero. Now it's behavioral. Behavioral analysis means that just by knowing the number of inputs being spent and the timestamp of a transaction, you can tell which set is most likely being spent by analyzing existing sets of related TXOs onchain and their respective ages. Because guess what? There aren't many sets that fit a specific pattern. For example, if a 4-input transaction was just created, then you look onchain for related TXO sets with 4 members where one member is recent. How many such sets do you think you're going to find at a specific point in time? Very few, and once you find such a set you know that set is being spent. In this case you leverage a well-known behavioral pattern, that recent TXOs are highly likely to be spent and drag behind old TXOs the same user owns. But there are many more patterns like these an AI can identify, behavioral patterns we aren't even aware of. AIs are likely being trained under RingCT for behavioral patterns to trace XMR post FCMP. Decoy analysis today is used only to backtest these patterns for accuracy.
Here is an exercise: We let the AI analyze the chain for related TXO sets live. The AI cannot see transactions; it is fed only TXO data as new TXOs are created. Then, when a 2-input transaction is formed, we give the AI the timestamp of the transaction and the number of inputs and ask the AI to try and guess which TXOs were spent without looking at rings. The AI gives a result, and we look at the ring members in the RingCT transaction to verify if the AI got it right. We train the AI this way, and after a while the AI can do this consistently because of behavioral patterns. This is how Monero is traced post FCMP.
Post FCMP, Monero TXOs can be visualized like this ball pit: unspent TXOs are on top & spent TXOs are hidden/removed. To deanonymize, we analyze exclusively unspent TXOs. The POV is from a specific moment in time when a transaction happened (the further from the viewer, the older the TXO is with respect to that transaction). Since TXOs bear onchain metadata & can be analyzed for patterns, just like in a ball pit, related TXOs correspond to groups of balls of the same color that touch each other. The age of each group is equal to the age of the most recent ball (TXO). Tracing: we know that balls of different colors/groups cannot be spent together, and more recent TXOs are more likely to be spent. We also know which TXOs belong to CEXes (they report to us). Assuming this is the network at a time when a 4-input transaction happened, to find the real spends we'd be looking for quadruplets near the transaction time. There seem to be two possibilities: the 4 green balls (more likely), or the 4 silver ones (less likely).
The so-called two-wallet strategy actually makes your Monero easier to trace. According to this strategy, you should have one wallet for spending and one for receiving. What happens if you do this? In the receiving wallet you create a pool of TXOs (txo1, txo2, txo3 etc.) all owned by you. Some of these TXOs will have been earmarked as yours by outside observers (if for example you received money from a CEX). If you don't spend TXOs as you receive them, but accumulate them first, then at some point, when you have to consolidate this high number of TXOs into 1 new TXO, the flagged TXOs will signal that you are consolidating your TXOs (even if you have many more TXOs than the ones that have been flagged). When you do that, an observer will know that all the money you ever received, even from TXOs that they couldn't trace as yours, is now consolidated into the new TXO-S (S for send wallet). Because of the high number of inputs flagged as yours, TXO-S is provably 100% yours. Since TXO-S is 100% yours, and that's now in your spending wallet, an outside observer will know where the rest of your balance is after each transaction. Because if you always use 1 TXO to spend, and Monero user transactions have 2 outputs, then from TXO-S your balance will move into TXO-S2 and TXO-CEX. TXO-CEX is the TXO of the exchange (the amount you deposited), while TXO-S2 is your change TXO. The exchange (receiver) knows exactly where the rest of your balance is. If from TXO-S2 you deposit into another centralized party, then that centralized party will know that, again, the change contains your remaining balance (so it is still tied to the dozens of transactions you received in your receiving wallet weeks/months ago). In other words, if you adopt the two-wallet strategy you tie with 100% certainty your receiving transactions to your outgoing transactions. Does that sound like privacy to you? Monero is not private, stop using it.
If you want privacy then stop believing the memes and start doing research on how privacy tech works.
Hard evidence points in one direction, and it is very hard to ignore:
- DNMs are Palantir/deep state honeypots. Palantir was funded by InQTel, the non-profit VC arm of the CIA. Which also funded Chainalysis (attached are InQTel's Form 990s from 2020 and 2021 which can be found here).
- Monero is aggressively promoted as private (despite being 100% obsolete and traceable) in order to attract more people into DNMs.
- Corporations like Chainalysis fund the entire Monero & DNM ecosystem because they profit massively by selling tracing services of DNM activity.
If you care about your privacy, you should avoid any products related to these 3. Because such products are aimed at criminals (crime marketing), which means they're not private and either have backdoors or are not as described.
Salvium's supply audit was completed last week and has found that 10M extra coins were minted by the 'exploiter' of their proofs bug. In other words, 1 in 4 coins has been illegally minted. In the audit they've also sneaked in a completely unsubstantiated claim that these extra coins were 'sold via exchanges'. Considering that Salvium never had the liquidity to absorb a malicious dump of 10M coins, the most likely scenario is that these coins were minted by their team, which is now holding the coins hoping to recover user trust and then start dumping them. In other words, Salvium is a confirmed scam. Xelis is conducting a similar scam, except that there they are even refusing to conduct a supply audit.
The real reason why Tornado Cash was delisted is that today mixed transactions can be unmixed. Privacy through mixing is technically known as obfuscation, which is the inherent privacy model of Monero and all private UTXO chains. Today obfuscation is obsolete and can be broken even in its strongest form (FCMP++, ZKPs) thanks to AI. For example, as explained here, FCMP transactions can still be attacked by timing & pattern analysis, despite the seemingly perfect tech. The same attack model (that analyses output/commitment age and groups them with other related outputs based on metadata to predict & detect when they're spent) can also be applied to Zcash shielded transactions and ARRR. Obfuscation simply doesn't work and is no longer enough. Yet many are calling the delisting of Tornado Cash a win for privacy. In reality, privacy has lost. We're living in privacy's darkest age in human history.
U.S. Department of the Treasury: Tornado Cash Delisting
WASHINGTON – Based on the Administration's review of the novel legal and policy issues raised by use of financial sanctions against financial and commercial activity occurring within evolving technology and legal environments, we have exercised our discretion…
The Monero Chainalysis video still doesn't get the attention it deserves. By the way, Chainalysis CEO Michael Gronager stepped away a few weeks after the video was leaked; it was 'unclear whether his sudden leave is related to health issues, internal tensions at the company' (The Block). A new CEO took over in December 2024. This chart summarizes what happens in the video. On the left there are the outputs of the swap service (target TXOs). These TXOs enter a chain of 3 subsequent transactions (because in XMR outputs can be spent only once & when spent they are emptied). No metadata were leaked in these 3 downstream transactions. In the 5th transaction a residential IP is leaked. That IP is then connected to the target outputs from TX1 (despite the perfect op-sec in the 3 hops in between). How was it possible to link the IP in TX5 to the outputs from TX1? The reason is that Monero is broken and the 3 transactions in between are traceable just by looking at onchain data (key image analysis & OSPEAD).
In every private UTXO chain, not just Monero, there is an important asymmetry created between an actor that has a holistic view of the network and the user. Let's consider Monero and an actor like Chainalysis that has access to quarterly filings from CEXes/centralised parties as well as other transaction data (if for example Chainalysis is spamming the network or controls other centralized shadow entities). The network seen from Chainalysis consists mainly of known TXOs. In other words, TXOs they own or TXOs whose owners report to Chainalysis when spent. From the user's POV, on the other hand, all TXOs in the network are unknown, because a user doesn't aggregate data. This is why from the user's POV it may seem that increasing the ring size, or getting rid of rings, will improve privacy. From Chainalysis' POV, on the other hand, it's clear that the user's TXOs are part of a small pool of unknown TXOs and traceable regardless of ring size, and even if rings were to be removed completely (FCMP).