A few days ago, a mysterious Twitter user claimed to have found the magic formula to crack Monero.

Fireice_UK shared a web address that “revealed” personal information of several Monero users, even including their sexual preferences.

The website in question, Monero BADCACA, features a table with the TxID of a Monero transaction, its city of origin, the node’s IP —perhaps not the sender’s, more on this later— and the person’s favorite porn based on the torrents they downloaded.

The Dark Side of Monero?

The site also has a FAQ. Fireice_UK claims to have been tracking the blockchain for some time and that the Monero development team knew about the project’s shortcomings, basically turning a blind eye to it and caring mostly about the money:

I have been logging Monero transactions for over a year now. Main reason why I decided to go public are blatant lies that there is nothing to worry about Ciphertrace and that Monero is private.

All things considered, how did the hacker get access to this information? Another tweet could be the key to the answer: unlike Ciphertrace, they got it from the nodes, basically intercepting the data before it spread through the network.

What Actually Happened

Riccardo “fluffypony” Spagni, who served for a long time as Monero’s lead developer, explained what happened in an extensive thread. TL;DR: It’s nothing alarming, and in fact, Monero’s very design makes it virtually impossible to identify the user with certainty.

A Sybil attack occurs when a malicious actor tries to obtain information from a user through various practices such as creating multiple accounts or nodes to intercept and block transactions. This can happen on many public blockchains, not just Monero.

Monero uses a transaction broadcast system called Dandelion++. Unlike Bitcoin —where a person usually broadcasts a transaction as quickly as possible to as many nodes as they can— in Monero, the transaction bounces off several individual nodes before one of them spreads it across the network.

How Dandelion++ works in Monero. Image: Bean Privacy

In short, the nodes can know the IP that spread the information, but are not sure if it’s the IP of who sent the transaction. In fact, intermediate nodes also don’t know if they are communicating with the sender or they’re just bouncing the information.
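
The effect described above can be reproduced with a toy simulation (an added example, not code from Monero or from the original article). It assumes a fully connected network, a 20% share of logging nodes, a per-hop fluff probability of 0.2 and a flood fan-out of 8; these are illustrative values, not Monero's parameters.

```python
import random

# Toy model: how often does the IP logged by the first observing node match
# the real sender? All parameters are assumptions chosen for illustration.
def dandelion_logged_ip(rng, nodes, spies, origin, fluff_prob):
    """Stem phase: hop node to node until a logger is hit or a node fluffs."""
    current = origin
    while True:
        nxt = rng.choice([n for n in nodes if n != current])
        if nxt in spies:
            return current      # logger records its stem predecessor
        current = nxt
        if rng.random() < fluff_prob:
            return current      # honest node fluffs; loggers record the fluffer

def flood_logged_ip(rng, nodes, spies, origin, fanout):
    """Immediate broadcast: the sender pushes to `fanout` peers directly."""
    peers = rng.sample([n for n in nodes if n != origin], fanout)
    if any(p in spies for p in peers):
        return origin           # a logger is a direct peer and sees the sender
    return peers[0]             # loggers only hear it from an honest relay

def attribution_accuracy(mode, trials=2000, n=200, spy_fraction=0.2, seed=1):
    """Fraction of transactions where the logged IP is the true sender."""
    rng = random.Random(seed)   # fixed seed: constructed, repeatable run
    nodes = list(range(n))
    spies = set(rng.sample(nodes, int(n * spy_fraction)))
    honest = [x for x in nodes if x not in spies]
    hits = 0
    for _ in range(trials):
        origin = rng.choice(honest)
        if mode == "dandelion":
            logged = dandelion_logged_ip(rng, nodes, spies, origin, 0.2)
        else:
            logged = flood_logged_ip(rng, nodes, spies, origin, 8)
        hits += logged == origin
    return hits / trials

if __name__ == "__main__":
    print("flood    :", attribution_accuracy("flood"))
    print("dandelion:", attribution_accuracy("dandelion"))
```

In this model the logged IP matches the sender in most flood broadcasts but only in a minority of stem-then-fluff broadcasts, which is why a table of "sender IPs" collected this way is mostly a table of relays.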

Therefore, the intercepted IP does not necessarily belong to the people involved in a transaction. Nor is it accurate to say that fireice_UK has “broken” Monero. The amounts, addresses, and sensitive data associated with those transactions remained unknown. Equally important, what about the porn? Well: obfuscation methods like VPNs, Tor or i2p make it almost impossible to link a user to one of the IP addresses shared by BADCACA, but there’s always a chance.

Still Nervous?

Spagni explains that the hacker put a great deal of effort into pulling off such a difficult attack, but even after all that effort, they were able to obtain very little reliable information:

In other words, it seems like there is nothing to fear, but if the possibility of a Sybil attack worries you, just follow some essential tips:

  • Run your own node
  • Broadcast your transactions on a block explorer’s pushtx functionality
  • Use Tor or i2p
  • Get a girlfriend and stop downloading porn


Yes, Monero Was Attacked... But No, It Was Not "Broken"

by Steven Willis