Amidst yesterday’s report by crypto journalist Laura Shin that claims to identify who hacked The DAO in 2016, there was a small detail crucial to the findings but with other implications.
It was the claim, by blockchain analytics firm Chainalysis, that it was able to unmask the path of transactions through a popular bitcoin mixing service called CoinJoin — something that would defeat its entire raison d’etre.
CoinJoin is a crypto mixing tool by privacy-focused Wasabi Wallet. It helps users obscure their transaction history by mixing their funds with those of other users. It’s much harder to follow the movement of money across a string of blockchain transactions when they go through CoinJoin.
Shin’s report that claims to have found the hacker of The DAO — a crowdfunding platform set up on the Ethereum blockchain that fell foul to its own code in 2016 — cashed out some funds, mixed them, and sent them to several exchanges.
It was the cashing out at the exchange point that supposedly identified the alleged perpetrator. But this is all based on Chainalysis successfully following the money through CoinJoin.
Now there are two possible options here. Either the blockchain analytics firm is able to unmask each and every transaction through CoinJoin — the worst-case scenario for privacy proponents — or it’s able to do so under certain circumstances, such as sloppy privacy practices.
When we reached out to Chainalysis, it refused to provide more details about its abilities with regard to CoinJoin. “We helped trace funds despite the attacker’s attempts to cover his tracks [with] mixers,” said Chainalysis. “This is yet another example of evidence preserved on the blockchain forever.”
“We aren’t providing further comment, but we can confirm (as we did here) that Laura’s report about our role in her investigation is accurate.”
When asked whether all CoinJoin transactions could be traced, Wasabi Wallet founder Adam Fiscor told The Block, “Unfortunately we have no more information on this than you do. I think it’s unlikely, but I’d love to learn more, too.”
A view from Elliptic
Tom Robinson, co-founder and chief scientist at blockchain analytics firm Elliptic, said that it’s not possible to demix all CoinJoin transactions. But he acknowledged that some transactions can be traced.
“Yes, Elliptic can also demix Wasabi transactions in some circumstances. However, this does not mean that all Wasabi transactions can be demixed. This is typically possible in situations where the Wasabi user has made a mistake,” said Robinson.
He clarified that it’s possible to track funds through Wasabi due to bad practices by a user — specifically, address re-use.
But what about other crypto mixers such as Ethereum’s Tornado Cash?
“No one can demix all crypto mixer transactions,” said Robinson. “Some mixer transactions can be demixed, for most mixers.”
Elliptic said that it isn’t trying to trace all mixer transactions. “There are completely legitimate reasons to use mixers, and our aim is not to violate peoples’ financial privacy without cause,” said Robinson. “However, we do try to trace specific funds, known to have originated from illicit activity, through mixers.”
Elliptic also doesn’t plan to do its own analysis on Shin’s claims, said Robinson.
Read full story on The Block