go back

OpSec for Monero Users

Chain analysis firms and law enforcement entities are observing the blockchain with spy nodes which log IP addresses. Safeguards such as Dandelion++ intended to mitigate this are not fool-proof. Swap services and exchanges comply with these agencies and provide additional metadata such as IP addresses, transaction hashes, and transaction amounts. Exchanges enforce KYC anyways, you're already identified there.

Additionally, these entities are "poisoning" wallets by sending tainted UTXOs - transactions which can allow them to monitor activity with a high degree of confidence if the user unknowingly spends them. Look at following image:

This is the donation wallet address I have hosted on the front page of this site. It has received several tiny transactions which are very likely tainted UTXOs intended to monitor my wallet activity. If I were to spend Monero and it ends up in a wallet controlled by a compliant entity then the additional metadata would confirm that the transaction came from my wallet. Other metadata could be combined to de-anonymize my identity. My activity can more or less be "traced" if I'm not careful to cover my metadata tracks.

Read more about the discussions here: MRL Notes

Recommendations

Read this. Watch this.

Here are the best things you can do to mitigate surveillance and protect your financial privacy:

Run Tor and I2P proxies alongside your own monero node with --tx-proxy enabled: instructions. Always use your own node for any wallet spending. Doing this ensures your transactions are always sent over anonymous networks and thus your IP won't be captured by listeners.
Be vigilant and check for the existence of unexpected transactions (typically very small) as potentially tainted outputs. If you end up with tainted outputs you have to go through a process to "weaken" them to reduce tracing probability and confidence).
Use a wallet with "coin control" which allows you to specify UTXOs you want to include/exclude. Exclude tainted coins in any future spends / include only coins you know exactly where they came from. I recommend Feather Wallet.
Consolidate the tainted outputs using coin control (send all of them to yourself in one transaction like the images below). Then once you have them in one output you send that to yourself a few times. The more times you do this the more it obfuscates the true sender and reduces tracing confidence.
Send tainted outputs to a donation address to some community thing such as CCS

Running a Node

I run my node with the following command-line arguments (requires this ban list at ~/ban_list.txt and running Tor and I2P proxies).


            monerod \

                --tx-proxy tor,127.0.0.1:9050,disable_noise \ 

                --tx-proxy i2p,127.0.0.1:4444,disable_noise \ 

                --enable-dns-blocklist \ 

                --ban-list ~/ban_list.txt

Alternatively, I offer a full node Docker Compose option for those comfortable with running containers. It includes the proxy configurations as well as other helpful monitoring/observability features. docker-monero-node on Github.

go back