Welcome to the nineteenth issue of ‘This Month in Bitcoin Privacy’ newsletter. Enjoy!

"73.224 BF2247 Merveille du Jour, Griposia aprilina" by Patrick Clement is licensed under CC BY 2.0

Table of Contents

  1. Overflow
  2. Trezor Phishing Attack
  3. CBDCs in Emerging Market Economies
  4. More Art Than Science
  5. European Union Trilogue Negotiations


This section is for important stories that would have been included for the month of March:


In TMIBP02, TMIBP07, TMIBP08, and TMIBP13, I covered a data breach from e-commerce and marketing databases belonging to the Paris-based hardware wallet developer Ledger. They have continued to warn their users about phishing attempts and how to recognise authentic messages. However, it seems that the effects of the breach are not contained to their service.

For episode #112 of the Darknet Diaries podcast, host Jack Rhysider interviewed “a guy named ‘Drew’ who gives us a rare peek into what some of the young hackers are up to today.” About thirty-five minutes into the show, they begin to discuss SIM-swapping attacks (TMIBP01, TMIBP03, TMIBP09), and ‘Drew’ confirms that cryptocurrency holders are now one of the most popular targets. As a result, the Ledger databases were particularly valuable because many customers used the same phone number and/or email address for their exchange accounts, including Coinbase. Not only was it easy to check if a given email address had been used with an active account, but “there was an exploit in Coinbase for about one month where you could check the [current] balance of any valid password and username [combination].” So even if the attackers had yet to attempt their swap, they could first narrow down their target list to the most valuable accounts rather than wasting resources compromising empty or low-value ones. Then, because the vast majority of Coinbase users had enabled two-factor authentication (2FA) via text message rather than more secure options, the attackers would carry out SIM swaps on those devices in order to receive the codes too.

With 2FA enabled on your account, you will have to provide your password (first “factor”) and your 2FA code (second “factor”) when signing in to your account. There are many types of 2FA, ranging from a physical key (such as a YubiKey) — the most secure — to SMS verification — the least secure. Many people choose to use SMS 2FA, because it’s linked to a phone number, rather than to one particular device, and is generally the easiest to set up and to use. Unfortunately, that same level of convenience also makes it easier for persistent attackers to intercept your 2FA codes. We strongly encourage everyone that currently uses SMS as a secondary authentication method to upgrade to stronger methods like Google Authenticator or a security key everywhere it is supported.

In September 2021, the exchange reported that “between April and early May 2021, the Coinbase security team observed a significant uptick in Coinbase-branded phishing messages,” related to bypassing of their SMS multi-factor authentication (MFA) process, which resulted in stolen funds from 6,000 customers. ‘Drew’ claimed this flaw was “vital to making your SIM-swap more successful.”

On February 15th 2022, Ledger’s year-in-review stated that, as per their “public commitment” following the data breach, “we have migrated all order data older than 18 months and will gradually migrate data older than 12, 6 and 3 months in the near future. All this information will be stored in this separate database for 10 years, as per our accounting obligations, and then removed from our system.” Shortly thereafter on February 22nd, they also announced that the “Coinbase Wallet browser extension now supports” their hardware wallet for self-custodial key storage, and released a “co-branded Nano X Coinbase Edition.”

For thefts of ether or ERC-20 tokens, ‘Drew’ noted that Tornado Cash was often used for mixing. This month, Tornado Cash announced that they would use a “@chainalysis oracle contract to block OFAC sanctioned addresses from accessing the dapp.”

Rhysider and ‘Drew’ also cite the Terpin case. In January 2018, investor and public relations manager Michael Terpin had lost $23.8 million worth of cryptocurrency through a SIM-swap attack; in May 2019, he won a $75.8 million civil judgement against one co-conspirator, and then went on to sue Nicholas Truglia, “the mastermind and ringleader.” In November 2021, Truglia pled guilty to criminal charges for conspiracy to commit wire fraud. Terpin commented:

Nearly four years after my $24 [million] hack, Truglia pleads guilty to wire fraud but prosecutors do not pursue other charges. Ironically, this also takes place on same day as the Biden #FCC finally proposes #SIMswap regulation.

He was referring to their Notice of Proposed Rulemaking that seeks “to amend the Customer Proprietary Network Information and Local Number Portability rules to prevent subscriber identity module (SIM) swapping scams and port-out fraud.”

Speaking of the “darknet,” this episode came out on the same day as the announcement that Twitter now has an onion service (using Enterprise Onion Toolkit) and lists the Tor browser as supported! Alec Muffett explains:

Using onion services mitigates attacks that can be executed by possibly-malicious “Tor Exit Nodes” — which, though rare, are not nonexistent — and also the fact that you are using a “.onion” address demands that the person is using a TorBrowser, thereby are also mitigating: national web blocks, TLS-man-in-the-middle, SNI filters, DNS censorship and tracking (both upon the client side, and that potentially impacting exit nodes), a lot of fundamental cookie-tracking and digital-fingerprinting issues… and a bunch of other risks to which non-Tor-browsers are prone.

If you use that bird site for Bitcoin social media and news notifications, you can now do so with a bit more privacy. Read prior Bitcoin and Tor-related news in TMIBP02, TMIBP03, TMIBP04, TMIBP05, TMIBP06, TMIBP08, TMIBP12, TMIBP13, TMIBP15, and TMIBP16.


The Human Rights Foundation (TMIBP01, TMIBP03, TMIBP06, TMIBP09, TMIBP10, TMIBP12, TMIBP14, TMIBP16, TMIBP17) opened a four-month paid research fellowship to investigate whether zero-knowledge (ZK) rollups could “help the Bitcoin network with scaling or privacy.” ZK-rollups are a second-layer scaling solution that has been proposed for various blockchains, including Ethereum.

Zero-knowledge rollups (ZK-rollups) bundle (or “roll-up”) hundreds of transfers off-chain and generate a cryptographic proof. These proofs can come in the form of SNARKs (succinct non-interactive argument of knowledge) or STARKs (scalable transparent argument of knowledge). SNARKs and STARKs are known as validity proofs and get posted to layer 1.

The ZK-rollup smart contract maintains the state of all transfers on layer 2, and this state can only be updated with a validity proof. This means that ZK-rollups only need the validity proof instead of all transaction data. With a ZK-rollup, validating a block is quicker and cheaper because less data is included.

On March 24th, Gladstein announced that John Light had been selected for the position, which would begin in May. “The product of the fellowship will be an industry concept paper that addresses” six questions, including: “How would Bitcoin Core need to change to integrate ZK-rollups? Are there any known current improvement proposals (e.g. OP_CTV) that would help?” OP_CHECKTEMPLATEVERIFY (CTV) is a new opcode central to Jeremy Rubin’s BIP-119 soft fork proposal, to support “applications for transaction congestion control and payment channel instantiation, among others.” In July 2021, Rubin wrote:

CTV enables committing to a specific “next” transaction from script. This is the ability to make an unbreakable promise on chain which Bitcoin can enforce (e.g. “This coin can only be spent to my multisig, or my backup after a timelock”). This is a departure from normal script which is traditionally only concerned with restrictions on the sender, CTV imposes restrictions on the recipient. More technically, CTV is essentially the ability to embed a signature of a specific transaction inside of a script without needing any elliptic curve operations. The validation costs are low. For more advanced logic, you can nest multiple different CTV Hashes either using taproot or up to the script length limits in regular script.
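The commitment Rubin describes can be sketched in a few lines. This is an added example, not code from the newsletter, from Rubin or from Bitcoin Core; it is modelled on the template hash defined in BIP-119, and the transaction dict layout, the helper names and the sample scripts are assumptions constructed for illustration.

```python
import hashlib
import struct

def sha256(data):
    return hashlib.sha256(data).digest()

def ser_varbytes(b):
    """Length-prefixed byte string (compact size, lengths below 2**16 only)."""
    n = len(b)
    prefix = bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)
    return prefix + b

def ser_output(amount_sats, script_pubkey):
    return struct.pack("<q", amount_sats) + ser_varbytes(script_pubkey)

def template_hash(tx, input_index):
    """Hash of the fields a CTV script commits to, in BIP-119 order.

    `tx` is a hypothetical dict: version, locktime, script_sigs, sequences,
    outputs [(amount, script_pubkey)], and prevouts (deliberately not hashed).
    """
    r = struct.pack("<i", tx["version"]) + struct.pack("<I", tx["locktime"])
    if any(tx["script_sigs"]):
        r += sha256(b"".join(ser_varbytes(s) for s in tx["script_sigs"]))
    r += struct.pack("<I", len(tx["sequences"]))
    r += sha256(b"".join(struct.pack("<I", s) for s in tx["sequences"]))
    r += struct.pack("<I", len(tx["outputs"]))
    r += sha256(b"".join(ser_output(a, spk) for a, spk in tx["outputs"]))
    r += struct.pack("<I", input_index)
    return sha256(r)

def ctv_satisfied(committed_hash, spending_tx, input_index):
    """What the opcode checks: one hash comparison, no elliptic curve math."""
    return template_hash(spending_tx, input_index) == committed_hash

# Constructed sample scripts (P2WSH-shaped: OP_0 followed by a 32-byte hash).
MULTISIG_SPK = bytes.fromhex("0020") + sha256(b"constructed multisig script")
OTHER_SPK = bytes.fromhex("0020") + sha256(b"constructed other script")

def promised_tx():
    """The only 'next' transaction the coin is allowed to become."""
    return {
        "version": 2,
        "locktime": 0,
        "script_sigs": [b""],
        "sequences": [0xFFFFFFFE],
        "outputs": [(99_000, MULTISIG_SPK)],
        "prevouts": [("aa" * 32, 0)],  # constructed outpoint, not committed
    }

def demo():
    commitment = template_hash(promised_tx(), 0)  # embedded in the locking script
    redirected = dict(promised_tx(), outputs=[(99_000, OTHER_SPK)])
    short_paid = dict(promised_tx(), outputs=[(98_000, MULTISIG_SPK)])
    other_coin = dict(promised_tx(), prevouts=[("bb" * 32, 1)])
    return {
        "promised": ctv_satisfied(commitment, promised_tx(), 0),
        "redirected": ctv_satisfied(commitment, redirected, 0),
        "short_paid": ctv_satisfied(commitment, short_paid, 0),
        "other_coin": ctv_satisfied(commitment, other_coin, 0),
    }
```

The `other_coin` case passes because the hash covers the outputs and not the outpoint being spent, so the same template applies to any coin locked with that commitment.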

On April 22nd, following Rubin’s announcement of an upcoming CTV-compatible client release, BitMEX Research wrote a summary of the proposal and reactions to it, which have been mixed. Bob McElrath, who has co-authored research on Bitcoin covenants and vaults, responded that the “new wallet infrastructure is substantial, requiring a new private communication between sender and receiver… NACK from me on this concept.”


In TMIBP05, I covered how various tax authorities, including Her Majesty’s Revenue and Customs (HMRC), were seeking to collect personally identifying information, ownership and transaction records from users of cryptocurrency businesses; in TMIBP07, I also covered the closure of a long-time U.K.-based exchange. In connection with “an unprecedented package of economic sanctions on Russia and Belarus, in response to Russia’s invasion of Ukraine on 24 February,” the Financial Conduct Authority (FCA) has written to “all registered cryptoasset firms and those holding temporary registration status to highlight the application of sanctions on various entities and individuals.” On the same day, they also issued a public reminder that cryptocurrency ATMs are effectively now banned in the U.K.

Crypto ATMs offering cryptoasset exchange services in the UK must be registered with us and comply with UK Money Laundering Regulations (MLR). None of the cryptoasset firms registered with us have been approved to offer crypto ATM services, meaning that any of them operating in the UK are doing so illegally and consumers should not be using them.

… We are concerned about crypto ATM machines operating in the UK and will therefore be contacting the operators instructing that the machines be shut down or face further action.

Since we published the list of unregistered crypto firms that may have been continuing to conduct business, a recent assessment found that 110 are no longer operational.

In their list of recommendations for reducing “the risk of sanctions evasion,” they urge firms to consider “where blockchain analytics solutions are deployed, ensuring that compliance teams understand how these capabilities can be best used to identify transactions linked to higher risk wallet addresses,” and to flag “the use of tools designed to obfuscate the location of the customer (eg an IP address associated with a virtual private network or proxy) or the source of cryptoassets (eg mixers and tumblers).”

On March 14th, Juraj Bednar (TMIBP15) published a blog post on how to start a local trading group with privacy in mind:

How do you get members for these groups? Add your acquaintances who are already involved with cryptocurrencies. They don’t have to buy and sell right away. Exchange links, experiences and tips in the discussion group. Group members can invite other members they personally know. In larger cities, this will create several such groups, and some members may be in more than one group. They are thus able to link supply and demand between groups using their reputation (and may even make some money by doing this). It is good if the group also meets in person from time to time. A dinner once a month or some joint crypto event. You will build mutual trust and build interpersonal relationships that will increase the willingness to trade and trust.


Wasabi announced that “the zkSNACKs coordinator will start refusing certain UTXOs from registering to coinjoins.” For anyone not familiar with their architecture, the coordinator is a server which ‘coordinates’ UTXOs in a CoinJoin. While the code is open-source, and Chaumian or Schnorr blind signatures prevent it from linking inputs and outputs, it can still selectively exclude UTXOs from the input registration phase and thus from participating in a CoinJoin. Technically, they were already practicing temporary bans on coins where the user failed to provide a signature, to prevent denial-of-service attacks. However, that was not the reason for this announcement.

Ádám ‘nopara’ Ficsór referred back to a November 2013 forum thread where “the Bitcoin community successfully pushed back against blacklisting,” and commented, “Glorious days.” When asked whether they would support “swapping to other coordinators,” Ficsór replied, “I think it’d be unwise from me to discuss the circumvention of the above measures, sorry.” And when it was suggested that they would be “teaming up” with a blockchain surveillance business, Wasabi contributor Rafe responded:

No. We are trying to protect the company and the project by minimizing the amount of these hackers and scammers using the coordinator and getting us in trouble. This should be in the rights of the company to do but believe me, none of us are happy about this.

Chaincase, an iOS client based on Wasabi (TMIBP11, TMIBP12, TMIBP13, TMIBP16), soon published guidance on how to manually connect to their coordinator instead.

On March 15th, Financial Times (FT) reporter Cristina Criddle published an article with comments from the U.K. National Crime Agency (NCA). Spokespersons say they would support new regulation that “would force mixers to comply with money laundering laws, with an obligation to carry out customer checks and audit trails of currencies passing through the platforms.” On what legal authority this would stem from, no mention was made. Pointing to Wasabi and Samourai Wallet, Criddle cites the Europol report (TMIBP01, TMIBP05, TMIBP06, TMIBP10, TMIBP14) and allegations by Elliptic, as well as Chainalysis and CipherTrace in another September 2021 article on decentralised finance (DeFi):

The worry among regulators is they would replace the very entities that governments turn to for help in enforcing the laws against money laundering — bankers, brokers and money transmitters that stand between people and markets.

“DeFi is using loopholes in regulation because they don’t actually hold the customer’s money, unlike a broker,” says David Jevans, chief executive of CipherTrace, a cryptocurrency intelligence company started in 2015 with funding from the US Department of Homeland Security to help prevent financial crime.

Samourai Wallet confirmed that they had been asked for comment on March 11th, and then published “our entire response that we sent” to the FT. The day before the publication of the article, they had also explained and defended the role of coordinators:

CoinJoin coordinators are simply message passers. This is true of Wasabi & Whirlpool. They are not money transmitters, they are not facilitators[,] they simply pass data packets to connected clients… Your ISP is not responsible for the websites you visit, even though they serve you the data packets that made your visit possible.

… The ability to share data freely be it books, art, media, thoughts and ideas, or UTXO state is essential for free society and is fundamentally human. The radical encroachment of the state into the lives of ordinary law abiding citizens is on a concerning upward trajectory. By bending the knee to [regulatory] overreach instead of fiercely fighting, especially when you have the resources to do so effectively, you tacitly accept and endorse that overreach and the next one. Give an inch and they’ll take several miles.

On March 17th, Bitcoin Magazine published an article on the decision, quoting zkSNACKs co-founder and CEO Bálint Harmat. They note that it “was a proactive one as there is no current legislation obliging them to do so.”

“People started to identify Wasabi with illicit activities and actors, and we wanted to differentiate ourselves from these players in the space,” Harmat said, adding that the route taken on Sunday was zkSNACKs’ solution to enforce it.

Harmat explained that the company doesn’t want to be associated with criminal activity of any kind, adding that multiple reports over the past year linking hackers, money launderers and other nefarious actors with Wasabi and zkSNACKs have in part prompted the move as such an angle hurts the brand’s image…

“We did our research and really went into the legal details,” Harmat said. “There are no current regulations on ongoing joint coordinators. However, I’m aware this is going to change in the future.”

They also contradict Rafe’s earlier reassurance:

zkSNACKs co-founder Adam Ficsor posted a message on the Wasabi Wallet public Telegram channel on Tuesday saying that the company will “have to hire” a blockchain analysis firm “and filter out CoinJoin input registrations with them” — a plan that Harmat echoed.

BTC Sessions host Ben Perrin, who has made many tutorial videos on Bitcoin privacy wallets, tweeted that he had “ended my engagement with Wasabi.” 402 Payment Required similarly said that their tutorials will remain available in case “some fork of it might attract enough liquidity to be useful in the future.” Former Wasabi contributor and WabiSabi co-author Yuval ‘nothingmuch’ Kogman (TMIBP01, TMIBP05, TMIBP07) also shared that he had left the project in December 2021:

I was involved with Wasabi until December but left because of what I perceived as systemic issues with the development process. To be clear, I cannot wholeheartedly support the project or recommend its use, for ethical and technical reasons.

On March 28th, Wasabi published a full statement on their website, where they assert that they “broke one of the largest taboos of Bitcoin[,] blacklisting, to achieve something greater: survival of the best Bitcoin privacy technology.”

Wasabi Wallet is making Bitcoin anonymous and most people are afraid of the idea of anonymous money. They don’t care that it existed for thousands of years before the last century, nor do they understand the gravity of the fact that fungibility is an essential property of good money. Ignorance of first principles has resulted in unwanted media attention and claims of money laundering that we are obviously not trying to enable. Such claims by mainstream media have travelled far and ultimately led to legal challenges, which forced the company to choose between discontinuing its operations or introducing blacklisting so that the coinjoins can continue.

On April 1st, Stephan Livera published episode #364 with contributor and “Join the Wasabikas” podcast host Max Hillebrand. He extensively outlined the pros and cons of both a multi-coordinator ecosystem for CoinJoins, and more decentralised models.

There are many reasons why you would want to run your own coordinator. One of the other main reasons is because you want to control which inputs are actually gonna be registered there. You can have invite-only CoinJoins. There are ZeroLink Wasabi coordinators out there where the actual onion is not public knowledge. So someone needs to invite you by sending you this onion, and only then can you CoinJoin. Here you could have CoinJoins just among your friends who know about this onion address of the coordinator. To curate who actually gets to register is already a live use case of one quite big ZeroLink coordinator.

He then says that to “also add the additional metadata that we have on the Bitcoin blockchain that chain surveillance companies provide — all these tags of the risk factor of certain coins” is “definitely something new,” implying that Wasabi plans to do so.

I’m not trying to [downplay] this here, but it’s somewhat of a soft fork, right? You’re changing the acceptance of which coins do you consider valid — not on the Bitcoin consensus layer, that’s the other important thing. Bitcoin consensus is still permissionless and decentralized enough that you can make payments even if you are blacklisted: you can just either get hashrate yourself or bribe a miner to hash a block with your transaction in it… What we’re talking about here is: will you get access to someone else’s computer? Will someone else allow you to write stuff on his computer, basically? And in my opinion, ultimately it comes down to property rights. A coordinator is just someone else’s computer — and it’s not yours. So you ought to be quite thankful that someone actually provides you a service where you can use his computer for certain things like coordinating a round.

Disclosure and Personal Note: In January 2018, about seven months before the beta launch of Wasabi, my podcast co-host and I started a short-form video series called “zkSNACKS,” a food-related twist on zk-SNARKs, which stands for “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge.” I had come up with that name sometime leading up to the publication of the first episode. We are called “Block Digest,” we care about privacy, and we can be snarky as hell, so it was perfect wordplay. We published three episodes in the series in total. At the Building on Bitcoin conference in July, Nopara gave us a shout-out and attributed credit to us for the name of his new company that would manage development of Wasabi. This (the company name) was news to my co-host and me as much as to everyone else; we had not been asked or told beforehand. At the time, I would say that I felt proud of this inadvertent branding contribution. However, recent events have now soured the memory and association.

One of the valuable side-effects of a socio-political environment that supports freedom of association, where there are little to no inherent legal consequences for engaging non-violently with others, is that you can more easily see and understand the character of those around you based on their choices. You may still be the recipient or deliverer of ‘soft’ judgement and consequences for who you include or exclude, and the basis on which you made that determination (ex. gender, race, sexuality, religion, political orientation, etc), but either way your preferences are more honest and visible to everyone around you. They can in turn make an informed decision about whether to include or exclude you, depending on what they believe your preferences reveal about your character.

It is very true that the operators of the Wasabi coordinator are not required to accept any and every UTXO for CoinJoins. I haven’t seen anyone argue that they are. Indeed, disassociating from (real or perceived) malicious actors, network nodes, or users who may abuse your time, space, and resources to your detriment or that of your community is a valid reason to limit or close the connection. Even if your reason is wrong or misplaced, whether according to your own standard or someone else’s, you can still (largely) do so anyway. In recent years we have even seen the result of rapid mass-disassociation, often socially compelled and coerced, including in financial ways.

Yet, the existing ‘success’ rate of identifying criminal capital flows is limited, to say the least. Based on all available estimates, less than 1% of the total amounts that are being laundered are detected. Data collected by the US State Department suggest that some US$3.1 billion were seized in connection with money-laundering activities in 38 countries out of 62 countries analysed (2010 or latest year available); more than 80% of this was seized in North America. This would be equivalent to some 0.2% of the best estimate of the extent of money-laundering at the global level. In comparison, more than 20% of the globally produced illicit opiates are being seized and more than 40% of the cocaine. Are money-launderers really so much smarter than drug traffickers, or is there something wrong with the existing control system?

— “Estimating Illicit Financial Flows Resulting from Drug Trafficking and Other Transnational Organized Crimes: Research Report” by the United Nations Office on Drugs and Crime (2011)

Readers should know that I have included material many times on the fallibility of blockchain surveillance tools, including in this newsletter. The foundation of their business model is mapping association: address to address, coin to entity, entity to identity, and then identity to crime. For that last step to resemble a just due-process of any kind, preceding steps should follow the same rigorous and transparent standard of evidence, no? However, most of the people who have been and will be affected by blockchain surveillance purveyors have committed no crime and are not under any formal or informal suspicion of committing a crime. They are blocked and suspended because anyone who actually takes their privacy seriously is considered “risky,” where risk is measured not by crime but merely the degree of visibility and obedience (or, sadly, their personal power to pay their profile away). Meanwhile, the risks inherent to mandatory sharing of sensitive personal information for millions of ordinary people are witnessed daily and largely ignored.

The legal fungibility of banknotes — their homogeneity, or the characteristic of being interchangeable with others of equal denomination — was determined through common law in 18th century Scotland (see Reid, 2013). In 1749, a court considered the case of two £20 notes which had gone missing in the post, and examined the ownership of one of those notes which had subsequently turned up at a branch of the Royal Bank of Scotland — identified courtesy of the serial number recorded by the sender. The case determined that one who took possession of a banknote in normal and legal exchange was free from the “infirmities of title which affected those from whom it had been acquired” (Reid, 2013, p.2; see also Silver, 2018). In general, this means that the history of an individual banknote — which I analogise to its identity — has been determined to be irrelevant according to this 18th century case law. However contemporary legislative and regulatory requirements have challenged this precedent.

— “The Identity, Fungibility, and Anonymity of Money” by Alastair Berg (2019)

It was understood centuries ago that ascribing criminality to the current holder of fiat currency based on that particular coin or bill’s alleged illicit provenance is a dangerous move that can erode economic efficiency and the value of that currency system over time. How is it then not obvious that states which feel threatened by the adoption of non-state decentralised money would have an interest in enforcing a different standard for the legal fungibility of bitcoin? By accepting the involvement of blockchain surveillance, you are not only providing them with tacit approval that their methods are effective at the task they claim to do, but also supporting the state’s goal: degradation of legal fungibility.

In August 2013, the encrypted email service provider Lavabit was abruptly shut down after being served with a pen register order requiring the disclosure of information about a single customer’s account. The founder, Ladar Levison, wrote: “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.” For years, Levison was “forbidden… under threat of contempt and possibly jail time, from identifying who the government was investigating.” Through a redaction error by the government, it was revealed that the account belonged to NSA whistleblower Edward Snowden.

So if you believe that complying with extra-judicial threats of currently non-existent regulation will save your brand, then either I do not understand what your brand means anymore or you are mistaken about who you should be saving it from. You may have won the battle for a few more months or years of profitable business, and you are of course free (for now) to prioritise that, but I believe you’ve surrendered in the war for principle.

KYC is the illicit activity. Compliance is the taint.


The U.S. Senate Committee on Banking, Housing, and Urban Affairs hosted a morning hearing on “Understanding the Role of Digital Assets in Illicit Finance” with four witnesses, including former Financial Crimes Enforcement Network (FinCEN) director Michael Mosier (TMIBP08, TMIBP11) and Chainalysis co-founder and chief strategy officer Jonathan Levin; between June 2019 and February 2020, Mosier also had a role as Chief Technical Counsel at Chainalysis.

Levin’s testimony included a list of the “world’s most high-profile cyber-crime cases” that they were involved in, took credit for the relatively low amount of illicit activity using cryptocurrency, and argued for increased integration of and funding for blockchain surveillance:

Our 2022 Crypto Crime Report was released last month and it shows that transactions involving illicit addresses represented just 0.15% ($14 billion) of digital assets transaction volume in 2021 (not including centralized exchange volumes). This is because digital asset usage is growing faster than ever before and the legitimate use of digital assets is vastly outpacing the growth in their criminal use. This figure may rise slightly as we identify more addresses associated with illicit activity and incorporate their transaction activity into our historical volumes, and it also only reflects on-chain activity. This means, for example, that illicit activity happening within exchanges is not captured, as we do not have the internal order book data of exchanges. Those caveats aside, I do think it is important to note that illicit activities using digital assets is reflective of significantly less than 1% of transaction volumes, and this is thanks in part to the types of tools we provide to digital asset companies to support their AML/CFT compliance and the excellent work of law enforcement and regulators.

… With a blockchain-based financial system, regulators could have a real-time view into financial flows, risk exposures, and interconnectedness across all asset classes. Advanced risk analytics could provide regulators the ability to easily independently stress test the entire portfolio of a financial institution, as well as an entire financial system using current or historic portfolio data. Enhanced transparency afforded by blockchain technology could also facilitate and improve the efficacy of regulator and independent examinations, including as they relate to disclosure and reporting.

… We commend the Consolidated Appropriations Act for FY 2022 for increasing funding for FinCEN and the Office of Terrorism and Financial Intelligence (“TFI”) in the Department of Treasury. We recommend that FinCEN and TFI, along with law enforcement, market regulators, and national security agency stakeholders, invest in blockchain intelligence and analytics capabilities, both headcount and tools/services, that will enhance their ability to detect, disrupt, and deter illicit uses of digital assets.

Interestingly, Mosier’s testimony acknowledged that anti-money laundering legislation has often been used to target innocents and suppress political activism:

Because no matter the best intentions, people are fallible. In thinking about self-determination, when we speak of “illicit finance,” we must not forget defenders of democracy whose financing might be considered “illicit” to the autocrats and invading armies they resist. As we painfully see around the world right now, it is fundamental to democracy that people have the opportunity to protect themselves in the face of fallibility and brutality.

The same cryptographic capabilities discussed here today enabled secure, auditable humanitarian aid to 60,000 healthcare workers in Venezuela under a repressive regime… No doubt the Venezuelan regime considered the use of those previously frozen assets “illicit finance,” but to us they were cryptographically secure humanitarian aid.

… The democratic resilience of cryptography doesn’t stop with mere messages.

He also discouraged the adoption of the FATF’s Travel Rule guidance:

Further, until there are global registration standards to identify trusted exchanges to send personal information, industry cannot implement the Travel Rule. Congress should press U.S. FATF representatives to focus on standardized licensing across jurisdictions, instead of FATF developing new, expansive definitions of “Virtual Asset Service Provider” that include software developers in a way that FinCEN cannot implement under our Constitution.


Ruben Somsen (TMIBP05, TMIBP18) wrote to the mailing list to propose “a new scheme for private non-interactive address generation without [extra] on-chain overhead.”

The recipient generates a so-called silent payment address and makes it publicly known. The sender then takes a public key from one of their chosen inputs for the payment, and uses it to derive a shared secret that is then used to tweak the silent payment address. The recipient detects the payment by scanning every transaction in the blockchain.

Compared to previous schemes, this scheme avoids using the Bitcoin blockchain as a messaging layer and requires no interaction between sender and recipient (other than needing to know the silent payment address). The main downsides are the scanning requirement, the lack of light client support, and the requirement to control your own input(s). An example use case would be private one-time donations.
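The derivation described in the excerpt above, as an added example that is not code from Somsen's proposal or from this newsletter: a simplified pure-Python sketch on secp256k1 showing the sender's tweak and the recipient's scan. The choice of SHA-256 over the compressed ECDH point, the function names, the transaction dictionaries and the demo keys are all assumptions made for illustration and do not follow any wallet's wire format.

```python
import hashlib

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Add two curve points; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result

def tweak_scalar(shared_point):
    """Hash the ECDH point to a scalar (hash and encoding are assumptions)."""
    ser = bytes([2 + (shared_point[1] & 1)]) + shared_point[0].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(ser).digest(), "big") % N

def sender_output_key(input_priv, recipient_pub):
    """Sender: tweak the published key X with hash(i*X), giving X + t*G."""
    t = tweak_scalar(point_mul(input_priv, recipient_pub))
    return point_add(recipient_pub, point_mul(t, G))

def recipient_scan(recipient_priv, transactions):
    """Recipient: recompute hash(x*I) per input key I and look for X + t*G.

    Returns (txid, output_pubkey, spending_privkey) for each match.
    """
    recipient_pub = point_mul(recipient_priv, G)
    found = []
    for tx in transactions:
        for input_pub in tx["input_pubkeys"]:
            t = tweak_scalar(point_mul(recipient_priv, input_pub))
            candidate = point_add(recipient_pub, point_mul(t, G))
            if candidate in tx["output_pubkeys"]:
                found.append((tx["txid"], candidate, (recipient_priv + t) % N))
    return found

def _demo_key(label):
    """Constructed, deterministic demo key; never derive real keys this way."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % N

def demo():
    """Two payments to one address plus an unrelated transaction (all constructed)."""
    x = _demo_key(b"constructed recipient key")
    X = point_mul(x, G)  # the publicly known silent payment address
    i1, i2, i3 = (_demo_key(b"sender input %d" % n) for n in (1, 2, 3))
    unrelated = point_mul(_demo_key(b"unrelated output"), G)
    txs = [
        {"txid": "tx-a", "input_pubkeys": [point_mul(i1, G)],
         "output_pubkeys": [sender_output_key(i1, X)]},
        {"txid": "tx-b", "input_pubkeys": [point_mul(i2, G)],
         "output_pubkeys": [sender_output_key(i2, X)]},
        {"txid": "tx-c", "input_pubkeys": [point_mul(i3, G)],
         "output_pubkeys": [unrelated]},
    ]
    return X, txs, recipient_scan(x, txs)

if __name__ == "__main__":
    X, txs, found = demo()
    for txid, out, _ in found:
        print(txid, "pays the recipient at output x =", hex(out[0]))
```

Each payment lands on a different output key that never equals the published address, and the scan loop makes the cost named in the excerpt concrete: one ECDH computation per candidate input key in every transaction.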

So far, reviews of the draft have come from Tim Ruffing (TMIBP05, TMIBP06, TMIBP09) and Martin Habovštiak (TMIBP14, TMIBP18) among others. Meanwhile, it has now been more than a year since Justus Ranvier published a new draft of his BIP-47 specification from 2015 (TMIBP09), and Sparrow Wallet has pushed compatible PayNym generation and management with Samourai Wallet (TMIBP18), on which BTC Sessions host Ben Perrin recently published a tutorial. A feature request to add BIP-47 to the Bitcoin Dev Kit project was opened in February. Ranvier’s pull-request to finalize the standard remains unmerged at this point, despite approval from Greg Maxwell. On March 4th, ‘TDev’ commented:

Following the completion of BIP47 v1 Justus Ranvier indicated his desire to remove all updates for BIP47 from the BIP process itself. BIP47 v1 as described above is the existing de facto standard with over 96000 PayNyms created by Samourai Wallet and a new daily influx of PayNyms from Sparrow Wallet users. The Samourai & Sparrow implementations are interoperable. Since 2015 the existing BIP process has proven itself to be incapable of advancing bitcoin privacy in general or validating a proposal for reusable payment codes in particular.

On April 29th, Ross Ulbricht’s support account shared a new PayNym that can be used to donate to his legal fund. In December 2021, Ulbricht reached his 3,000th day in prison (TMIBP18); on March 27th, he turned 38 years old. You can learn more about his story from ‘What Bitcoin Did’ podcast episodes #10 and #27.


Hardware wallet company Trezor (TMIBP06, TMIBP11, TMIBP12, TMIBP13, TMIBP15, TMIBP18) warned that there had been “a potential data breach of an opt-in newsletter hosted on MailChimp.” Soon, they were able to confirm that “their service has been compromised by an insider targeting crypto companies.”

We have managed to take the phishing domain offline. We are trying to determine how many email addresses have been affected. We will not be communicating by newsletter until the situation is resolved. Do not open any emails appearing to come from Trezor until further notice. Please ensure you are using anonymous email addresses for bitcoin-related activity.

In March, CoinDesk had reported on a similar breach and subsequent phishing attacks with other companies using Hubspot. In a statement to The Verge, Mailchimp’s chief information security officer “said that the company had become aware of the breach on March 26th when it detected unauthorized access of a tool used by the company’s customer support and account administration teams.” On April 4th, Trezor published a blog with a copy of the phishing message, more information about the incident, and what affected users could do:

The Mailchimp security team disclosed that a malicious actor accessed an internal tool used by customer-facing teams for customer support and account administration. The bad actor gained access to this tool as a result of a successful social engineering attack on Mailchimp employees.

… The only reason to worry about your funds is if you entered your seed into the malicious app. Your device can not be compromised or affected by this attack without explicitly typing your seed into your computer. Never enter your seed anywhere unless your Trezor device tells you to!

Foundation Devices co-founder and CEO Zach Herbert encouraged Trezor and other Bitcoin companies to self-host as much of their communication and marketing infrastructure as possible, which would have prevented this attack:

At @FOUNDATIONdvcs we run our own @WordPress @WooCommerce, Followups email marketing tool, @matomo_org analytics, @jitsinews for meetings, FreeScout customer support desk, @BtcpayServer. This means we do not run Shopify, Mailchimp, Google Analytics, Zoom, Zendesk, Coinbase/OpenNode, or other similar centralized services. We are also constantly improving and figuring out how to better safeguard customer data and self-host critical systems. It’s easy to think of this as a distraction, especially at a small startup. But it’s really important when you’re receiving customer emails, mailing addresses, and phone numbers. Feel free to reach out with any questions or ideas for great self-hosted tools we can use!


In TMIBP05, TMIBP08, TMIBP12, TMIBP14, and TMIBP17, I have followed exploration, promotion, and criticism of central bank digital currencies (CBDCs). This month, the Bank for International Settlements (BIS) published a volume of papers contributed by banks from more than two dozen countries around the world, titled “CBDCs in emerging market economies.” The sections address each country’s approach toward data privacy, governance, promoting “central bank objectives,” and “the implications of cross-border use.”

Several have progressed to the pilot or proof-of-concept stage (eg Hong Kong SAR, Saudi Arabia, Thailand, the United Arab Emirates (UAE)). A few are close to launching (eg China’s eCNY), while some do not see a pressing need for a CBDC in the near future (eg Poland, Singapore).

Below are several interesting excerpts from this 214-page document on the subject of privacy, with clarifying additions when needed. In the introductory BIS background paper, the authors state that “CBDC designs can allow for privacy by separating payment services from control over the resulting data.”

Such designs could allow anonymity with respect to specific parties, such as PSPs [payments service providers], businesses or public agencies. Like some FPS [fast payment systems], CBDCs could give users control over their payments data, which they need only share with PSPs or third parties as they decide (BIS (2021)). For example, with [the India-based retail FPS] UPI, data ownership and control over their credentials are addressed through application programming interfaces (APIs) that use public key cryptography. For a system that relies on biometric digital ID systems, such as Aadhaar in India, the safeguards are even more stringent and crucial. Thus, data and privacy management challenges under CBDCs are not new.

Citing Aadhaar as an example of “data and privacy management” done right does not sit right with me. If you want to know more, check out Malavika Jayaram’s talk on “Biometric ID Cards by the Billion” (2017) and Kiran Jonnalagadda’s talk on “Unpacking the Compromises of Aadhaar, and Other Digital Identities Inspired By It” (2019). Next, in the paper on China’s e-CNY aka “digital renminbi” system, they claim that anonymity will be allowed for “small-value” transactions:

The e-CNY system follows the principle of “anonymity for small-value and traceability for high-value transactions”, and attaches great importance to protecting personal information and privacy. It aims to meet the public demand for anonymous small-value payment services based on the risk features and information processing logic of current electronic payment systems.

The Czech National Bank (CNB), on the other hand, states plainly that “full anonymity is not plausible… Anonymous electronic payments between users are not possible at all.”

However, increasing digitalisation could leave some sections of society behind as potential barriers around trust, digital literacy, access to IT and data privacy concerns create a digital divide. For central banks in many emerging market economies, a key driver for researching CBDC is the opportunity to improve financial inclusion.

Yet for a CBDC to increase financial inclusion, it must address the causes of exclusion, which vary by jurisdiction and are often complex.

… so a CBDC could only increase privacy partially, but we cannot rule out the possibility that it would not increase it at all (if it created motivation to obtain the data in other ways).

The Hong Kong Monetary Authority (HKMA), like others, believes that privacy can be well protected between users and payment services. In describing their retail central bank digital currency (rCBDC), they say that it is built using a UTXO model (like Bitcoin) and even that “a pseudonym system” could be implemented.

… preservation of user privacy vis-à-vis other users and non-client intermediaries could be made possible by a pseudonym system. While the natural transaction traceability of a UTXO model allows intermediaries and users to know who held the rCBDC in the past, such traceability would have privacy implications. To address this issue, the proposed architecture explores the possibility of creating pseudonyms, similar to “nicknames”, to represent the transacting parties during each and every transaction. Only a user’s bank has access to the mapping between the pseudonyms and the user’s real identity, which means that only a user’s bank, not other users or intermediaries, knows the real identity of an rCBDC owner.

The Bank of Israel’s answer on their “digital shekel” warns that the decisions of “major economies” will affect those of “smaller countries,” if they don’t want to risk being excluded from interoperability. They also suggest that providing more identifying data may be rewarded.

If, for example, the standard set in the major economies regarding anonymity would require that authorities are able to obtain information regarding a specific transaction if such information is needed for law enforcement, it may not be possible for smaller countries to execute policies that give a greater weight to privacy concerns, if they want their CBDCs to be more similar to cash in this regard.

… Let us take the example of privacy requirements – any future platform should allow for different privacy levels, even between existing consumers, who may have different requirements regarding privacy. Some may be willing to allow some access to their data in return for, say, lower commissions.

Ten days earlier on April 4th, Eurogroup’s monthly meeting included “privacy considerations related to a digital euro and how they relate to other policy objectives, such as preventing money laundering, illicit financing and tax evasion.” A presentation given by the European Central Bank (ECB) notes that ‘offline functionality’ should allow “full privacy only for close proximity payments that are low-value and low-risk,” without revealing what they considered those thresholds to be.

User anonymity is not a desirable feature, as this would make it impossible to control the amount in circulation and to prevent money laundering.

On April 5th, the European Commission opened a public industry consultation on the digital euro, to last until June 14th, on the basis that they soon “may issue the digital euro in line with its objectives and mandate.” On April 28th, they also opened a “call for expressions of interest in providing prototypes for digital euro project payment solutions.”

Almost three months earlier on January 20th, the board of governors for the U.S. Federal Reserve published a 40-page paper “to foster a broad and transparent public dialogue about CBDCs in general, and about the potential benefits and risks of a U.S. CBDC.” They note that public comment “will be accepted for 120 days and can be submitted here,” a deadline of May 20th, though as Bitcoin Magazine predicts, “Your opinion means nothing in this decision-making process.” They begin by asserting that a CBDC “would best serve the needs of the United States by being privacy-protected, intermediated, widely transferable, and identity-verified.”

Any CBDC would need to strike an appropriate balance, however, between safeguarding the privacy rights of consumers and affording the transparency necessary to deter criminal activity.

… In practice, this would mean that a CBDC intermediary would need to verify the identity of a person accessing CBDC, just as banks and other financial institutions currently verify the identities of their customers.

In response to this and a recent executive order, assistant professors Andrew M. Bailey and William J. Luther (TMIBP16) wrote:

The recent executive order, to the administration’s credit, notes that a CBDC should “maintain privacy; and shield against arbitrary or unlawful surveillance, which can contribute to human rights abuses.” But a reasonable person might worry that the government is paying lip service to privacy concerns.

… Policymakers may be tempted to compromise on financial privacy when implementing a CBDC. Instead, they should attempt to replicate the privacy afforded by cash. Like non-alcoholic beer, the Fed’s “digital form of paper money” would superficially resemble the real McCoy while lacking its defining feature.

Exactly one year before the BIS volume’s publication, the ECB had released “a comprehensive analysis of its public consultation on a digital euro” that ran from October 2020 to January 2021. They received “over 8,200 responses – a record participation for an ECB public consultation. A large majority of respondents were private citizens (94%).”

The analysis confirms, by and large, our initial findings: what the public and professionals want the most from such a digital currency is privacy (43%), followed by security (18%), the ability to pay across the euro area (11%), no additional costs (9%) and offline usability (8%).

… Privacy is the most important feature of a digital euro for both the public and professionals, especially merchants and other companies. Both groups support requirements to avoid illicit activities, with fewer than one in ten responses from members of the public showing support for full anonymity.


In TMIBP01, TMIBP06, and TMIBP16, I have reported on Coinbase’s acquisition of Neutrino for blockchain surveillance software and their subsequent contractual relationships with, and data disclosures to, government agencies. This month, the Coinbase Special Investigations Team have published the third and final blog post in a series about what blockchain analysis is. According to a few of their job openings, the Special Investigations Team:

… prides itself on being on the front lines of the financial revolution, protecting Coinbase from emerging novel threats. On the Special Investigations team, the data-focused investigator will take on high-risk escalations and proactive research into potential threat actors, particularly those related to the world of NFTs. The role will also include writing queries and scripts to automate future identification. The investigator will help support high risk urgent cases, special projects, and refine and automate new and existing tools.

A defining trait of any successful investigator is inquisitiveness - someone who questions premises and never takes things at face value, while always fact-checking their own intuition. Ideally, the data-focused investigator should be a crypto-forward individual with a drive to see beyond the curve, strong knowledge of various networking protocols, programming languages, and an artful touch of OSINT expertise.

In the first part, they show how to go about attributing an address to an entity or individual, comparing “evidence quality and standard of proof.” However, even though they use the language of science, they declare that this is “more of an art than science.”

The public nature of blockchains allows for a certain degree of predictive analysis, enabling researchers to associate addresses and transactions with entities and sometimes individuals. Anybody can look at blockchain, but what makes a difference is the accurate interpretation of this public data, as well as corroborating it with other types of information gathered externally. Once combined such data can be used for blockchain analytics.

Blockchain analytics is widely used for market intelligence, trend analysis, and investigations, among many emerging spaces. The main objective of blockchain analytics is attribution — linking specific assets and events to particular entities or even individuals.

Attributing ownership, however, is often nuanced because outside observers can only infer it depending on factors such as availability and quality of the evidence. Evidence means proof that indeed an address belongs to an individual or entity. Unless you own an address yourself, it is very difficult to say with absolute certainty who an address is owned by. This is why it’s more fitting to consider blockchain analytics more of an art than science.

In the second part, they illustrate “the commonspend,” also known as the common-input-ownership heuristic, and point out that a CoinJoin through Samourai Wallet or Wasabi is “one example of defeating commonspend.” They end the post by highlighting the U.S. Office of Foreign Assets Control (OFAC) list of sanctioned addresses and noting that “our list of blocked addresses is significantly larger. It includes other sanctioned entities as well as designated individuals. We also engage in proactive work to identify sanctioned activity originating from various jurisdictions, including Russia.”

In the third part, they look at change address detection, “more complex and novel blockchain analysis scaling methods, their drawbacks and why time is a critical feature of blockchain analytics.” In their first post, they had asserted that “an external observer cannot possibly gain a full picture or claim 100% confidence in attribution,” and here they further state that “a conservative approach would dictate not attributing anything that cannot be determined with close to 100% certainty; a liberal approach would allow wider attribution, at the cost of expanding the potential margin of error.” At no point do they explain how anyone involved even determines their degree of certainty.

Certainty of attribution is almost scarce and because multiple parties are relying on different tools for conducting transaction tracing on blockchains, it can sometimes yield dramatically different results.

While I do not disagree with their characterisation, it is quite shocking that purveyors of blockchain surveillance would so easily admit that the methods which will inform whether a customer’s deposit is refused, or account is closed, or identity flagged and reported to authorities, or accused of being / associating with criminal elements, have such an absence of scientific foundation despite their marketing to the contrary. If only more AML experts would be similarly honest (TMIBP05, TMIBP18). Anything less is certainly not a pretty picture.


In November 2021, the European Council announced that they had reached agreement “on two proposals that are part of the digital finance package: the ‘Regulation on Markets in Crypto Assets’ (MiCA) and the ‘Digital Operational Resilience Act’ (DORA).”

This agreement forms the Council’s negotiating mandate for trilogue negotiations with the European Parliament.

… The purpose of MiCA is to create a regulatory framework for the crypto-assets market that supports innovation and draws on the potential of crypto-assets in a way that preserves financial stability and protects investors.

In December, they further announced their intention to “update existing rules on information accompanying transfers of funds” to apply to crypto-assets.

The aim of the proposal is to introduce an obligation for crypto-asset service providers to collect and make accessible full information about the sender and beneficiary of the transfers of virtual or crypto assets they operate. This is what payment service providers currently do for wire transfers. The purpose is to ensure traceability of crypto-asset transfers, so as to be able to better identify possible suspicious transactions and if necessary blocking them.

The modifications introduced by the Council in its position streamline and clarify the Commission’s proposal, in particular by introducing requirements for crypto-asset transfers between crypto-asset service providers and un-hosted wallets. It also requires that the full set of originator information travel with the crypto-asset transfer, regardless of the transaction amount. Given the urgent need to ensure traceability of crypto-asset transfers, the Council in its position aims to synchronise the application of the proposal on transfer of funds and the market in crypto-assets regulation (MiCA).

On March 14th 2022, the European Parliament announced that the Committee on Economic and Monetary Affairs (ECON) had “adopted, with 31 votes to 4 and 23 abstentions, its negotiating position on new rules on crypto-assets,” and “a decision to enter into negotiations with EU governments on the final shape of the bill was adopted with 33 votes to 25.” On March 31st, they further announced that ECON and “the Committee on Civil Liberties (LIBE) adopted, with 93 votes to 14 and 14 abstentions, their position on draft legislation strengthening EU rules against money laundering and terrorist financing,” including the traceability of crypto-assets. They noted that “the rules would not apply to person-to-person transfers conducted without a provider.” From here, “the adopted text represents the draft mandate for MEPs to negotiate the final shape of the legislation with EU governments. The EP as a whole should vote on it during the plenary session in April.”

For those unfamiliar with European bureaucracy, trilogues are:

informal tripartite meetings on legislative proposals between representatives of the Parliament, the Council and the Commission. Their purpose is to reach a provisional agreement on a text acceptable to both the Council and the Parliament. They may be organised at any stage of the legislative procedure and can lead to what are known as ‘first reading’, ‘early second reading’ or ‘second reading’ agreements, or to a ‘joint text’ during conciliation.

Trilogues have been framed as a way to “speed up the legislative process while ensuring representativeness and oversight.” However, the latter aspect of that description seems to be less of a priority. In March 2016, the European Digital Rights (EDRi) association responded to a public investigation by the European Ombudsman into “the transparency of trilogues.” They believed, among other risks, that trilogues “profoundly undermine and weaken the position of the only directly democratically-elected institution in the EU, the European Parliament.”

Blockchain for Europe (BC4EU), a Brussels-based lobbying union that works to “develop a European regulatory framework to support and promote blockchain-based innovation,” wrote that the decision was a “missed opportunity” and “will lead to insufficient consumer protection, huge privacy concerns.” The “final adoption of MiCA” is anticipated to occur in September.

Luckily, the politically-driven mistakes of the European Parliament can be fixed during the trilogue negotiations with the Council of the EU. The latter has taken the right approach when it comes to unhosted wallets. We call on the French Presidency of the Council of the EU to safeguard this approach for the sake of the future of the European economy and the safety of its consumers.

The day before the March 31st vote, Ledger encouraged their customers to “contact members of the committees and urge them to vote against Compromise D and E of the Transfer of Funds Regulation.” They also challenged the “necessity and proportionality” of these proposals – as the Tilburg Institute for Law, Technology, and Society had done for AMLD in general (TMIBP11) – and used conclusions from Chainalysis. They later published a 27-page document of recommendations for policy makers before the first trilogue meeting on April 28th.

In their recently published 2022 report, Chainalysis found that only 0.15% of cryptocurrency transactions in 2021 involved some element of criminality. Of that, money laundering accounted for just 0.05% of all cryptocurrency transaction volume in 2021. In dollar terms, Chainalysis reports that $8.6 billion worth of cryptocurrency was laundered in 2021. Meanwhile, the UN Office on Drugs and Crime estimates that up to $2 trillion – 5% of global GDP – is laundered every year through the traditional financial system in fiat currencies. Moreover, the transparency and immutability of public blockchains equips law enforcement with greater tracking capabilities than they have for fiat currency. Using these figures, the amount laundered through fiat currency is more than 232 times greater than the amount laundered through crypto. These facts call into question the fundamental EU principles of necessity and proportionality.

Patrick Hansen, who has written about the history and development of MiCA, also described it as “a recipe for disaster.” On April 22nd, Hansen was a guest on the ‘DeFi Download’ podcast regarding this topic. Unstoppable Finance, a Berlin-based startup where Hansen was head of strategy and growth, warned that “overall, the [Funds Transfer Regulation (FTR)]’s reporting regime will create massive personal data honeypots, both within private crypto companies & government agencies.” Coinbase CEO Brian Armstrong’s comments from the previous day agreed with this interpretation; he described the legislation as “anti-innovation, anti-privacy, and anti-law enforcement.”

any time you will receive 1k EUR or more from an “unhosted” wallet, providers like Coinbase would be required to report you & your data to AML authorities. Imagine if your bank had to report you to the authorities for every wire transfer over 1k EUR you receive.

These obligations are inspired by guidance from the Financial Action Task Force (FATF) on the Bank Secrecy Act (BSA) Travel Rule (TMIBP02, TMIBP04, TMIBP05, TMIBP06, TMIBP07, TMIBP10, TMIBP11, TMIBP12, TMIBP13, TMIBP14, TMIBP17). In Hansen’s view, “the EU went beyond what’s required” and “clearly has a very strong urge to become the regulatory champion in every tech field out there.” As I highlighted in TMIBP11, the FATF has no legislative authority in and of itself to require anything.

Check out Bitcoin Optech Newsletter #189, #190, #191, #192, #193, #194, #195, #196, and #197 for other recent technical developments beyond Bitcoin privacy.

Thanks for reading! Feel free to bookmark or subscribe to catch the next edition of ‘This Month in Bitcoin Privacy.’