All Bitcoin transactions are public, anyone can look at them. There is nothing special required to view every Bitcoin transaction that has ever occured — they are all publicly available on the blockchain. You don’t need a node, just a simple block explorer website will do, such as Mempool.space, KYCP.org or Blockstream Explorer. You can assume that your adversaries are watching.
What isn’t stored on the blockchain are your personally-identifying details such as your name, address, phone number, etc. That information is cataloged externally by third parties such as your employer, your brokerage/exchange or possibly a fundraiser that you donated to and volunteered that information to. If your employer paid you in bitcoin, then they would be able to follow your public transactions and see that you made a donation to a fundraiser, for example. Likewise, the organizer of the fundraiser would be able to see the history of your Bitcoin transactions and they would know how much bitcoin you had going into the transaction where you sliced off a small portion to donate.
Furthermore, any external observer who knew what the Bitcoin donation address was, would be able to monitor all incoming donations and then see where the remaining change from those donations was sent. These external observers could also see where the donations went after the initial deposit. If there was any personally-identifying information held by a trusted third party where fiat was traded for bitcoin or where bitcoin was traded for fiat, then the custodian of that information will be compelled to turn over those details that personally identify an individual.
“The existing [legacy financial] system has several legislative mechanisms built in that ensure basic privacy (your bank doesn’t share your account balance and transaction history with the barista at the coffee shop for example). The blockchain doesn’t have the luxury of legislative power to solve these problems, therefore software solutions such as CoinJoin are used to obtain these basic protections.”
–Samourai Wallet blog post, March 15, 2022
Table of Contents
A Real-World Example Of The Need For Bitcoin Mixing
Let’s dive in and learn to understand the implications of a fully-transparent transaction ledger in the face of an ever-increasingly adversarial environment. This section will provide that background with a real-world example and an explanation of how Bitcoin transactions are scrutinized in such a scenario.
After establishing that, in this real world example, the tracing of Bitcoin transactions could allow authorities opposed to these transactions to crack down on them, this article will explain how Whirlpool, a CoinJoin implementation built by the developers of Samourai Wallet, could have broken the deterministic links between the transactions and could have provided forward-looking anonymity.
Here is a timeline of the recent Canadian Freedom Convoy with notable events as they relate to Bitcoin:
- February 5, 2022: GoFundMe announces that all donations to the Freedom Convoy would be refunded to the donors, banning any further involvement between the crowdfunding platform and the Freedom Convoy. This was essentially an advertisement for unstoppable money like bitcoin. Donations to the @HonkHonkHodl fundraising campaign through @tallycoinapp start to ramp up.
- February 7, 2022: Under an order issued by the Ontario Superior Court of Justice, another crowdfunding platform, @GiveSendGo, is compelled to freeze access to millions of dollars donated to the Freedom Convoy. This further escalated fundraising via Bitcoin through the @HonkHonkHodl fundraising campaign.
- February 11, 2022: Ontario declares a state of emergency. This declaration explicitly made it “illegal and punishable to block and impede the movement of goods, people and services along critical infrastructure.” Ontario Premier Doug Ford further clarifies that, “Fines for non-compliance will be severe, with a maximum penalty of $100,000 and up to a year imprisonment. We will also provide additional authority to consider taking away the personal and commercial licenses of anyone who doesn’t comply with these orders.”
- February 14, 2022: Canadian Prime Minister Justin Trudeau invoked the Emergencies Act. Among expanding the powers and reach of the Canadian government beyond that which may be appropriate in normal times, the Emergencies Act has two specific and sweeping financial implications: First, it would capture crowdfunding platforms and payment service providers under the Proceeds of Crime and Terrorist Financing Act. Second, crowdfunding platforms and the payment service providers they use have to register with and report large and/or suspicious transactions to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), the national financial intelligence agency. Financial accounts would be frozen without court order for individuals identified as being associated with the Freedom Convoy.
- February 14, 2022: On the same day that the Canadian government invokes the Emergencies Act, @HonkHonkHodl closes out the fundraising campaign on @tallycoinapp, having exceeded the original goal, reaching nearly 21 bitcoin in total donations.
- February 15, 2022: The Ontario Superior Court of Justice enacted the Mareva Injunction, a $306,000,000 class action lawsuit. This injunction names 17 individuals, two organizations and 62 anonymous entities as defendants further stipulating that “Any other person who knows of this order and does anything which helps or permits the Defendant to breach the terms of this Order may also be held to be in contempt of court and may be fined or imprisoned.” Essentially, anyone who did so much as serve coffee to a Freedom Convoy suspect will now face fines and imprisonment. This injunction goes as far as to include several Bitcoin addresses, so if one of these ends up in connection with your identity, then you would be in violation of this injunction.
- February 16, 2022: News breaks that the Royal Canadian Mounted Police (RCMP) published a blacklist of cryptocurrency addresses related to the Freedom Convoy donations. Essentially, this means that any funds connected to any of these addresses hitting a bitcoin-to-fiat off ramp would trigger seizure and immediate reporting to authorities based on the emergency measures put in place just days prior.
Essentially, what transpired in the timeline above is that in less than two weeks, the Canadian government managed to turn a swath of the population into criminals and then there was nothing stopping the government from disregarding the rights of this massive group of people.
This is what this author refers to as the “pendulum swinging.” One day, you are leading a perfectly normal and legal life, the next you are a criminal and face severe consequences for doing what was once inconsequential. If you value being able to communicate with your friends and family, the freedom of movement and being able to access financial services or spend your money on the things you choose, then it would benefit you to start taking small, incremental steps to guard these freedoms.
There are many resources available to those who want to learn more about the tools available to you in this fight:
Follow The Money
This section will follow the flow of a donation on the Bitcoin blockchain to the Freedom Convoy Bitcoin address, then beyond to the disbursed payments to the truckers. At points along this path, it will be pointed out where Whirlpool could have been used and how it would have helped prevent the targeting of specific individuals who allowed their identities to be linked with their on-chain activity. The transaction IDs (txids), bitcoin addresses and dates have been obfuscated, but these are actual transactions surrounding the @HonkHonkHodl donations.
This demonstration follows the transactions of an entity named Alice. Alice has about 28 bitcoin in her wallet, in a single unspent transaction output (UTXO). One day, Alice decides to use the UTXO to make a 0.3 BTC deposit to a Coinbase account. On-chain heuristics would make the reasonable assumption that the Coinbase account is owned by Alice. In that transaction, the 28 BTC is used as the only input and there are two outputs. The first output is the 0.3 BTC to her assumed Coinbase account. The second output is her remaining 28 BTC.
As time goes on, Alice makes three more transactions with this 28 BTC, each time providing the 28 BTC as an input with a small amount being spent and the remainder being returned to her as change. This kind of spending pattern on-chain is known as a “peel chain,” and Whirlpool helps break this cycle by breaking the deterministic links.
On the fourth transaction, Alice made a donation to the Freedom Convoy.
Each time Alice made a transaction, the 28 BTC UTXO was used as an input and a little bit was spent, returning the bulk of that 28 BTC to Alice as the change. Then that change was spent as an input to the next transaction with a little bit peeled off as the spend and the remainder returned to Alice again. Because of this peel chain pattern of simple transactions, the 0.3 BTC spent to Coinbase in the first transaction makes the assumption that Coinbase is aware of Alice’s true identity and aware that she owns the 28 BTC that she continued spending downstream. Coinbase can also see every transaction related to that bitcoin.
By the time Alice made a donation to the Freedom Convoy, she used what was left of that original 28 BTC. In the donation transaction, Alice provided a 24.07 BTC input. The transaction had two outputs, a 0.25 BTC donation to the known Freedom Convoy Bitcoin donation address hosted on the Tallycoin website. The other output was 23.82 BTC being returned to Alice as change.
Assuming Coinbase knows Alice’s true identity and her on-chain activity is directly linked to her Coinbase account, her true identity can be revealed as a donor to the Freedom Convoy if authorities investigate the matter. After Alice made her donation, more bitcoin was consolidated and moved downstream by the Freedom Convoy Bitcoin donation organizer(s).
The entity in control of the Freedom Convoy donations makes several transactions that consolidate bitcoin and move the new balances to new addresses. Throughout the entirety of the Tallycoin fundraising campaign, the same Bitcoin donation address was used.
In order to disburse donations to Freedom Convoy truckers, the entity in control of the bitcoin established 100 different wallets for the truckers. They made three deposits to each wallet. Unfortunately, they used the same address in each wallet for each of the three deposits instead of using a new address each time. Address reuse is bad for privacy because then all transactions involving that one address are known to be controlled by the entity that possesses the signing key for that address. The Whirlpool coordinator enforces strict rules that do not allow address reuse in CoinJoin transactions.
This graph shows many donations being made to the known Tallycoin Bitcoin donation address. Then those donations are consolidated and moved to new addresses in three transactions leading up to the transaction where the bitcoin was disbursed to 100 wallets in what seems to be a test transaction. Each deposit was only 4,800 sats.
A few blocks later, another deposit was made to the 100 wallets for the truckers. This transaction was funded by a 14.67 BTC consolidation of the Freedom Convoy donations. There were 100 equal-sized outputs of 0.004 BTC, each going to the same address as the 4,800 sat deposit in each of the 100 wallets. There was a 14.27 BTC output from this transaction as well.
The 14.27 BTC output was used a few blocks later as an input to the third trucker wallet deposit. This transaction deposited 100 equal-sized outputs of 0.14 BTC, each going to the same address as the 4,800 sat deposit and the 0.004 BTC deposit in each of the 100 wallets.
The majority of the trucker deposits have remained unspent. The ones that have been spent have gone to KYC exchanges like Coinbase, Crypto.com and Kraken.
Unfortunately, the Canadian government has blacklisted several if not all of these addresses, ready to impose strict penalties on anyone who is associated with these donations. For the trucker who sent their deposits to Coinbase, this means that they will be identified as guilty parties. The exchanges will seize and report any activity on their platforms related to any of these donations. For Alice, it is now possible to directly tie her identity to some of the donated bitcoin, because of her deposit to her Coinbase account several transactions prior to the donation. This means that Alice will be reported and possibly face penalties in relation to supporting the Freedom Convoy.
How Whirlpool Fixes This
To understand how the Whirlpool CoinJoin implementation can be used as a tool for breaking on-chain heuristics and gaining forward-looking anonymity, it is important to first understand the issues with simple Bitcoin transactions that have one input and two outputs. In the real-world example above, you can see how an individual making these kinds of simple transactions can leave traces on chain that irrevocably connect them to activity which authorities are actively trying to punish. Here is a visual example to help elaborate the point, this is Alice’s transaction that spent one output to her assumed Coinbase account.
You can see that there is only one way to interpret this transaction, Alice owned the entire 28.49 BTC input, sent 0.3 BTC to Coinbase and received 28.18 BTC back in change. Then, further heuristics can be made to extrapolate information that is not embedded in the transaction, such as it being more likely than not that Alice owns the Coinbase account that the 0.3 BTC were deposited to. Going further then, it is possible to reasonably attach Alice’s real identity with the 28.18 BTC change from the KYC records kept by Coinbase.
This is what a Whirlpool transaction looks like on-chain. There are always five inputs and five outputs. All of the outputs are the same denomination, 0.05 BTC in this case. You can view this transaction on the KYCP.org website for yourself here.
There are strict rules determined by the ZeroLink CoinJoin implementation in Whirlpool that are enforced by the coordinator. The coordinator is a blinded server that facilitates the CoinJoin transactions. Some of the rules that the coordinator enforces are:
- Each CoinJoin transaction will have five inputs.
- Each CoinJoin transaction will have five outputs.
- No address reuse.
- All of the outputs from a CoinJoin transaction will be the same denomination.
- UTXOs do not cross from one pool to another — 0.05 BTC UTXOs do not get used as inputs in 0.01-BTC-sized Whirlpool CoinJoin transactions, for example.
- No single wallet may have more than one input to a transaction. So all five inputs must come from different wallets.
- No two outputs from a CoinJoin transaction may be used together in a future CoinJoin transaction.
- Every CoinJoin transaction will have a minimum of two fresh participants to the liquidity pool and a maximum of three.
- Every CoinJoin transaction will have a minimum of two re-mixing participants and a maximum of three. These participants may be referred to as “free riders.”
- Fresh participants cover the miners fee.
- Re-mixing participants continue mixing for no additional fee.
- Only UTXOs from a previous CoinJoin transaction (free riders) or UTXOs from a transaction zero (TX0) (fresh participants) will be allowed as inputs.
These rules are how Whirlpool breaks deterministic links and provides forward-looking anonymity. There is nothing about any single Whirlpool CoinJoin transaction output that distinguishes it from any of the other four outputs. Every output has an equal likelihood of being linked to any given input, therefore no definite conclusions can be drawn about the ownership of any given output.
Another important feature of Whirlpool is this TX0 concept mentioned above. TX0 is what creates the UTXOs that can be used as fresh participants to a Whirlpool CoinJoin transaction. Every UTXO used as an input to a Whirlpool CoinJoin transaction must first come from a TX0. Very simply, TX0 will take for an input some bitcoin from your deposit wallet. This can be a single input or it can be several inputs. In the example below, the TX0 input was 0.81 BTC.
In this particular example, the selected pool size was 0.05 BTC, meaning that all UTXOs from this pool will be 0.05 BTC. You can see that the single 0.81 BTC input was used to create the following outputs:
- 18 0.0501 BTC outputs: These will be fresh participants available for new Whirlpool CoinJoin transactions. They carry a little extra bitcoin so that they can cover the miners fee of the Whirlpool CoinJoin transaction that they will participate in.
- One 0.0134 BTC output: This is called “Doxxic Change,” it is separated from the other UTXOs and the Samourai Wallet application will prompt you to label this UTXO as Doxxic Change and to change the spending status of this UTXO to “un-spendable.” More details about Doxxic Change will follow.
- One 0.0025 BTC output: This is the fee paid to the Samourai Wallet developers for this service.
At this stage, whatever on-chain history tied to the 0.81 BTC input is still linkable to each of the outputs mentioned above. However, as each of the 0.0501 BTC UTXOs gets included in a new Whirlpool CoinJoin transaction, the deterministic link to that history gets broken. After that, the on-chain heuristics cannot be used to make assumptions about the ownership of the Whirlpool CoinJoin UTXOs. This is how forward-looking anonymity is achieved, all of the UTXOs are the same size and have the same likelihood of being linked to any particular input. These UTXOs blend into a crowd, so to speak.
To demonstrate this blending into a crowd effect, the next several pictures illustrate how many possibilities there are when trying to link one of the inputs from this first transaction to one of the outputs. If one of the outputs of any proceeding transaction is used as an input to another Whirlpool CoinJoin transaction, then those outputs are marked in red and the paths expanded, again and again. By the end, any blue dot or un-expanded red dot represents a transaction that the suspect entity could be the owner of.
Five inputs were used in this transaction, trying to follow the possible trail of a suspect entity, any output could belong to them. Three of the outputs were used in another Whirlpool CoinJoin. There are one of five possibilities.
Two of the outputs lead to further Whirlpool CoinJoin transactions. There are one of 16 possible transactions to follow.
Three of the outputs lead to further Whirlpool CoinJoin transactions. There are one of 24 possible transactions to follow.
Six of the outputs lead to further Whirlpool CoinJoin transactions. There are one of 34 possible transactions to follow.
Ten of the outputs lead to further Whirlpool CoinJoin transactions. There are one of 55 possible transactions to follow.
Nineteen of the outputs lead to further Whirlpool CoinJoin transactions. There are one of 87 possible transactions and one unspent output to follow.
Forty two of the outputs lead to further Whirlpool CoinJoin transactions. There are one of 133 possible transactions and two unspent outputs to follow.
At this point it is becoming too difficult to manually count and the idea is well illustrated by now. Each red dot represents another Whirlpool CoinJoin transaction that will lead to five additional outputs that could belong to the entity who owned the original input. Each blue dot represents a transaction that is not a Whirlpool CoinJoin but could contain the output of interest.
This just keeps going and going. This is the asymmetric advantage that breaking deterministic links has when an outside observer views the blockchain transaction data in an attempt to follow someone.
If Alice had donated to the Canadian Freedom Convoy with bitcoin from a Whirlpool output, then there would have been no deterministic way to link that donation back to Alice’s prior transaction history. Any investigation of the matter going backwards through the transaction history would have led to a cloud-looking transaction graph, as demonstrated above.
Likewise, if any of the Canadian Freedom Convoy donation recipients would use Whirlpool to CoinJoin their bitcoin, then there would not be a deterministic way for a KYC exchange to link their deposit to the donations in question. Also, if the organizer of the donations had been Whirlpooling donations as they came in, then the trail of those funds on chain would have been obfuscated. Additionally, deposits to the truckers’ 100 wallets could have been made using privacy-preserving collaborative transactions instead of batch spends.
To learn more about Whirlpool anonymity, read this article. Read this article to learn more about the blockchain explorer used in this demonstration, KYCP.org. Check out this Stephan Livera podcast with @ErgoBTC on the subject of unwinding CoinJoins, tumblers, Wasabi and JoinMarket.
This is a guest post by Econoalchemist. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.