
It's an ETH mixer; it helps you obfuscate ETH. The same exists in BTC and all other cryptocurrency systems without inherent privacy.


But since it's still on a permanent, immutable blockchain, couldn't someone still trace Bitcoin/ETH transactions with perfect accuracy?


Let's say you hand me a $100 bill, and that you have marked that bill. I then take that bill to a bank and ask for 3 $20 bills and 4 $10 bills. The bank takes that $100 and puts it into the vault, and takes the bills I asked for out of the vault. Later, someone comes in with $100 worth of bills, and asks for a $100 bill. The bank goes to the vault and gets the marked $100 and gives it to that customer.

Tracking the bill doesn't help, because as soon as it's in the bank, what happens to it (and how it's exchanged), is hidden from you. Mixers work the same way.


You're right, but the article didn't find a mixer. They found the temporary deposit addresses every exchange uses and then wrote a FUD article to drive traffic and awareness of their sketchy ICO.


I'm sure Coinbase keeps a record. It's only a matter of time before the government gets ahold of their records.


Yes - mostly. The idea behind a mixer is this:

1. Your transaction goes into their address

2. Their address is always transferring money to accounts.

3. Sometime after you pay them, some amount, not quite the same, leaves their address to an address you control, but which has no established connection to you.

So an observer can see:

1. That you put money into the mixer.

2. The full list of addresses the mixer paid 'out' to (very long).

Which allows them to say if an address has "mixed" money but not to determine which account is connected to which person. If you're careful and you don't transfer any coins to addresses linked to your 'real world' persona, it becomes difficult to trace the account containing the 'mixed' coins to you (though trivial to identify it as coming from the mixer).


A well designed mixer would not be so easy to detect. In a perfect world, you'd have matching clients all the time, and the only contamination is the fee being siphoned off. If the fee is managed well it could be very difficult to determine coins that went or came from the mixer.

In reality, you probably need to batch a few customers together: 10 customers putting in 1 BTC, 1 customer putting in 10. But these don't need to be long-lived groups, if the mixer has the volume. So "their address" would only be the same for a few customers. An attacker would need to constantly make transactions to determine the addresses involved.

Most mixers give you completely "clean coins": that is, there's no transaction chain from your inputs to your outputs. So they are probably doing some sort of system similar to what I describe.


The proper term for this kind of activity is money laundering.


Sort of. It seems to me though that once you've mixed coins from many sources in various ways 90+ times, and the coins are then distributed in parts to many end recipients, it's very hard to say if some fraction of a coin came from any one source. If I were designing a way to launder cryptocoins that may or may not have a questionable source, I think this is pretty much what I'd come up with.


Yes. Here's a paper claiming to trace through various mixing services.

https://arxiv.org/pdf/1709.02489.pdf


Kinda, the problem is once you've moved through a couple wallets (many wallets, in the case of the mixing services), it becomes very hard to tell the difference between one person moving their coins around, and one person paying another person.

    A --> B

    A --> B --> C --> ...--> Z

Pretend you know who A is already. Who are B through X? Is the person in control of A also in control of Z? Or any of the other wallets? These are answers the blockchain doesn't give you.


You can play blockchain sleuth all you want, but you cannot guarantee that you are following the same owner's transactions.


No. If wallets A and B send 1ETH each to Z, and then Z sends 1ETH to X and 1ETH to Y, you already can't tell whose money is where.
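The two situations in this subthread (the A → B → … → Z chain and the "A and B both pay Z, Z pays X and Y" case) can be made concrete with a small taint-propagation script. This is an added example, not code from any commenter or from any analysis tool; the ledger, address names and amounts are constructed for the illustration, and the pro-rata ("haircut") rule is one common way of propagating taint, not the only one.

```python
"""Pro-rata taint propagation over a constructed transaction ledger.

Illustrates why following funds through an address that pools money
(a mixer, an exchange deposit address, any shared wallet) tells an
observer which addresses hold *some* of the watched funds but not
whose funds ended up where. Every address, amount and ledger below is
made up for the example.
"""
from collections import defaultdict
from fractions import Fraction

# Ledger rows are (sender, receiver, amount). A sender of None marks
# funds entering the graph from outside (coinbase, exchange withdrawal).
MIXED_LEDGER = [
    (None, "A", 1),
    (None, "B", 1),
    ("A", "Z", 1),   # A and B each send 1 ETH to Z ...
    ("B", "Z", 1),
    ("Z", "X", 1),   # ... and Z sends 1 ETH each to X and Y
    ("Z", "Y", 1),
]


def propagate_taint(ledger, watched):
    """Follow funds from the `watched` origin addresses through `ledger`.

    Each address keeps, per origin, how much of its balance descends from
    that origin. A spend moves every origin's share in proportion to the
    fraction of the sender's balance being spent (the 'haircut' rule).
    Returns {address: {origin: share_of_balance}} for addresses that still
    hold funds at the end of the ledger.
    """
    balance = defaultdict(Fraction)
    tainted = defaultdict(lambda: defaultdict(Fraction))
    for sender, receiver, amount in ledger:
        amount = Fraction(amount)
        if sender is None:                       # external inflow
            balance[receiver] += amount
            if receiver in watched:
                tainted[receiver][receiver] += amount
            continue
        if amount > balance[sender]:
            raise ValueError(f"{sender} spends more than it holds")
        frac = amount / balance[sender]
        for origin, held in list(tainted[sender].items()):
            moved = held * frac
            tainted[sender][origin] -= moved
            tainted[receiver][origin] += moved
        balance[sender] -= amount
        balance[receiver] += amount
    return {
        addr: {o: amt / bal for o, amt in tainted.get(addr, {}).items() if amt > 0}
        for addr, bal in balance.items() if bal > 0
    }


def chain_ledger(hops):
    """A -> H1 -> H2 -> ... -> Z: the whole balance moves at every hop."""
    names = ["A"] + [f"H{i}" for i in range(1, hops)] + ["Z"]
    return [(None, "A", 1)] + [(a, b, 1) for a, b in zip(names, names[1:])]


def mixer_ledger(n_users):
    """n users deposit 1 coin each into MIX; MIX pays 1 coin to n fresh addresses."""
    rows = []
    for i in range(n_users):
        rows += [(None, f"U{i}", 1), (f"U{i}", "MIX", 1)]
    rows += [("MIX", f"O{i}", 1) for i in range(n_users)]
    return rows


if __name__ == "__main__":
    # Chain case: taint says 100% of Z's funds came from A, but that says
    # nothing about whether A's owner also controls Z.
    print("chain:", propagate_taint(chain_ledger(5), {"A"}))
    # Pooling case: X and Y each carry half A-taint and half B-taint.
    print("pooled:", propagate_taint(MIXED_LEDGER, {"A", "B"}))
    # Mixer case: every output is 1/n tainted by every depositor.
    users = {f"U{i}" for i in range(4)}
    print("mixer:", propagate_taint(mixer_ledger(4), users))
```

Running it shows the three outcomes the thread describes: along a simple chain the taint stays at 100% (the path is visible, ownership is not), after one pooling address both outputs are an even A/B mix, and after a mixer with n depositors every output carries exactly 1/n from each of them, which is the "thousands of tainted addresses" situation an investigator is left with.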


Wouldn't an interested party just assume A and B are both guilty and, given the current taste for asset forfeiture laws, require proof of the origination of the funds? At what point does it not become possible to "capture" people this way? 10k wallets? 100k? I may be too simple to understand the math here, but in the end you've got people with guns to deal with.


You can assume all you want, but then you can end up with thousands of tainted addresses that participated in tumbling. Good luck proving anything with that to the jury.


Yes


Could you elaborate? (I'm a n00b)

Are there alternatives to BTC and ETH that have inherent privacy?

How do Feds not crack down on these "mixers"?


There are other coins focused on privacy. Monero is my favorite privacy-focused crypto at the moment.


RE: your question about inherent privacy, there is Monero (XMR) and ZCash which implement transactional privacy in different ways.

In my opinion XMR/Monero are the only implementation to do it all the way through, so it's what I prefer but as with all things, you should research what the differences are and which is better for you. ZCash has a higher value per coin right now and is probably more accepted than XMR/Monero.


Except no large systems support receiving shielded zcash transactions because of the CPU and RAM involved. They recently made some improvements, but it still takes many seconds of solid CPU time. Maybe in the future it'll be fast enough to be practical and they can make it the default.


zcash, monero and dash are the biggest that have inherent privacy.


ZCash is ideal, theoretically. If they get the performance amped up so that private transactions don't take forever, it could really work cause they could make privacy mandatory. Though a 10% tax of all coins is rather questionable. The CEO of the company did say he felt zcash could be made traceable enough to be uninteresting to money launderers, whatever that means. Sounds like the opposite of fungible.

Monero's less theoretically secure, and indeed, there's no info on how to safely "launder" coins through Monero. Ringsize is very small, at 5. But it seems to be a proper community effort and probably the best contender right now.

Dash is mired in mishaps, from its inception and instamine as Darkcoin. A single user or group of users hold magical keys that can undo 24 hours of blocks. They have centralized nodes and the mixing scheme isn't even theoretically secure.


I should add that Monero doesn't use mixing in the same sense. The ring size works so that you cannot see which of the different choices is the correct output until spent. This is different from having the participants swap coins as you do when mixing. The ring size isn't directly comparable to the number of mixing participants or mixing rounds as the former isn't susceptible to blockchain analysis. You can only make probabilistic guesses or IP tracing.

There is no "official" recommendation of how to securely launder coins in Monero. What you can do is to send the coins to yourself a number of times using the default ringsize or "churning".


Sending coins to yourself, aka churning, might not work so well after all, according to the latest MRL report. They say:

"We at the Lab previously thought that one possible solution to knacc's described attack would be churning, where one sends funds to oneself multiple times before using at a merchant. Unfortunately, this leads to chains of self-referential transactions, which leave an undesirable and identifiable statistical signal."

Now the follow-up I've gotten says that this just means you can't churn too quickly. There is still no analysis of how often to churn, how long you need to wait, and on and on, until you're safe. The Monero wallets offer no way to manage your inputs either, so if you ever re-use a wallet (exchange->WalletA->WalletB a couple of times) you'll leave even more of a trace.

So the number one idea that springs to mind, Exchange->Monero->Exchange, might be a worst-case scenario where you can easily be linked with a high probability. Especially when the approximate input time is known.

For instance, if you know a target exchanged Bitcoin in a certain transaction, you can simply trace all possible chains from that output and see when one hits an exchange, prioritizing shortest first: if an exchange output goes right back to an exchange, that's probably enough to get a warrant or targeted investigation.

Furthermore, an attacker could make a bunch of transactions so other transactions use known inputs, reducing effective ringsize even more. This wouldn't be very expensive at current volumes.

Even still, Monero still seems far ahead of competition. My biggest concern is that they don't put any sort of disclaimers, and incorrectly state it's untraceable. This will get people into trouble. The Tor Project does a far better job of being clear with the risks and shortcomings. The Monero community, mostly, seems to just advertise as if everything was solved. That plus the ridiculously low ring sizes feel rather irresponsible.


I'm really interested in Monero but I lack a comprehensive understanding of the underlying technology. Is there a good resource (apart from the Monero community itself) that explains Ring signatures and similar technologies, including their limitations?

From your answer, you sound very knowledgeable in this area - could you advise some good resources to learn more?


The best explanation I've found, without getting into the math, is this one on the Monero StackExchange:

https://monero.stackexchange.com/questions/5682/how-do-i-use...


thank you


Informative, thanks.



