Is Monero Untraceable? Analysis of Monero User Anonymity

11 MIN READ
is Monero untraceable

When it comes to money or information, governments are fixated on controlling their flow and micromanaging who gets to handle them. Monero comes as the perfect answer to that, as it was devised as a cryptocurrency that makes trace analysis of its users’ activities difficult or outright impossible. But is Monero untraceable? Yes, it is untraceable due to the fact that the sender, receiver, and amount of every single Monero transaction are hidden through the use of three technologies: Stealth Addresses, Ring Signatures, and RingCT, making every transaction almost impossible to trace. Whether that is enough for you depends on your needs or, to paraphrase Bill Clinton, whose scandalous activities were subject to trace analysis, “It depends on what the meaning of the word ‘untraceable’ is.”

Nobody is immune from trace analysis, not even presidents, but whether anyone gets subjected to it depends on how scandalous the activity was. Another problem is that everything we do in cyberspace leaves a trace that can be used to infer our activities and motives. Cyberspace keeps traces indefinitely; it might be after 10 years that a government or a corporation declares your activities scandalous and decides to investigate them. Here is how Monero holds up when under intense forensic analysis.

Monero Compared to Enigma

Perhaps the easiest way to grok Monero’s security features and discover is Monero untraceable is to compare it to WW2’s Enigma machine. Created and used prior to modern computing, Enigma was the pinnacle of engineering that enabled complex encryption that was resistant to brute forcing. Enigma used mechanical components to their fullest potential, employing tumblers, plugs, and wires that could be repositioned to ensure coded messages are decipherable only by the intended recipient. And yet, the Enigma was successfully cracked. How come?

The vulnerability of Enigma was, in short, that it was too exposed to attack. On one hand, the immense engineering effort made Germans too confident in it and made them rely too much on its use, and on the other, it became a prominent target for the Allies to crack, which they did thanks to concerted efforts in retrieving its schematics. The overuse of Enigma created a deluge of encrypted messages, which allowed the Allies to more easily figure out its operation and crack its code by comparing very similar outputs. There was also the human factor, which we call OPSEC (operations security); people with poor OPSEC get sloppy and start paying less and less attention with time, which is what happened to the Germans.

The same thing might happen to Monero as well — if it gets too popular, it will attract the attention of institutions fixated on micromanaging the flow of information and money online. They will look into Monero users and catch those with the sloppiest OPSEC, using the details of their transactions to unravel the entire network. So, what could someone discover about your use of Monero if other Monero users are compromised? How much effort does anyone need to invest to gather trace evidence to do that, and how difficult is it to maintain OPSEC when transacting in Monero?

Monero Security Features

Compared to other cryptocurrencies, Monero leaves little trace that can be scrutinized by the public. The transaction amounts are confidential, as are senders and recipients on the Monero network; OPSEC is enforced by default thanks to a system of interlinked disposable and permanent addresses. Receiving and sending addresses are created by using the wallet seed, which is a string of up to 25 words. The seed functions as a password — anyone who knows the seed can access the wallet and spend the Monero in it.

Monero wallets use the seed to create one primary address and an unlimited number of subaddresses. The wallet application can generate a new subaddress as needed to receive Monero, which can be shared as a 101-character string or a QR code, but they are never recorded on the blockchain thanks to a feature known as “stealth addresses.” Here is where it gets complicated, so please bear with me.

Stealth Addresses

Stealth addresses allow the Monero blockchain to record a transaction in public without revealing for which wallet it is intended. Since each stealth address is only used once, there is no way for anyone to see the financial state of a Monero wallet like they can with a Bitcoin wallet. It is important to note the difference between subaddresses and stealth addresses — the former is permanent and reusable, while stealth addresses are disposable and tied to a single transaction.

Therefore, if someone posts a QR code that resolves to a subaddress and someone else sends Monero using that QR code, stealth addresses make it so that there is no connection between the two on the Monero blockchain. Multiple people sending money through the same QR code cannot tell where the money is going unless the wallet owner shares the view key. It’s important to note that the use of stealth addresses is mandatory and that Monero wallets create and use them automatically.

View Key and Transaction Key

A Monero wallet allows the owner to create a special “view key” that lets anyone see incoming funds. The view key does not allow the viewer to see outgoing transactions or spend the Monero in the wallet. Additionally, a Monero wallet lets anyone create a “transaction key” that can be tested on the Monero blockchain, returning a specific result if the transaction has been sent.

These two special key types allow the auditing of Monero wallets without revealing all the information or giving full access to the wallet, which isn’t possible with regular banking. For instance, the wallet owner might decide to share some information about the wallet for tax purposes or because the wallet is related to a charity.

Ring Signatures

Another privacy feature of Monero that adds to its untraceability are ring signatures. They hide who is spending Monero by mixing in other transaction details with the intended one. David Chaum’s work was the first serious foray into group privacy, where he proposed a group in which members can sign for one another, but nobody can tell whose signature it was.

How it works in Monero is that a wallet can hide which transaction is being spent by mixing the details of the current transaction with spent transactions in a way that makes forensic analysis difficult. Anyone looking at Monero transactions from the outside sees a bunch of data passed around, but can’t tell if any of it is valid. Which are decoy transactions and which are the legitimate ones?

There is some mathemagic involved with ring signatures, with the gist of it being that the Monero network can reject fraudulent or invalid transactions being spent without revealing which is valid. Prior to 2016, ring signatures were not mandatory on the network. In early 2018, the requirement was increased to seven ring signatures for each transaction, and in late 2018, it was set at 11 signatures. Finally, in August 2022, the mandatory ring signature requirement was bumped to 16. Senders used to be able to ask for more, but that was deemed unsafe, as such transactions could stand out among other transactions.

RingCT

So, how is Monero untraceable when it comes to transaction amounts? It has a feature called RingCT, which stands for “Ring Confidential Transactions.” It allows the Monero network to conceal the amount of Monero in a transaction while preventing sabotage attempts common with other cryptocurrencies. RingCT does two things:

  • transaction commitment
  • range proofs

The first means that each sender has to commit a small amount of Monero to a transaction, preventing hostile parties from flooding the network with invalid transactions, and the second that there are transaction range proofs, which prevent sending impossibly high or low Monero amounts. Together, the two ensure that all Monero transactions are legitimate while keeping their amounts confidential and never exposed to the public.

RingCT was deployed in January 2017, prior to which a Monero transaction’s amount was visible to the public. Any Monero amounts that were sent before that can still be spent, but the network will first convert them to the RingCT protocol.

Kovri

All those splendid encryption and masking features mean nothing if a Monero user has an easily traceable IP address assigned to him. In general, cryptocurrency privacy and security schemes are easily defeated by attacking their implementation with other systems, in this case IP assignment protocols that indicate the geographical location of the user. How is Monero untraceable when it comes to IP addresses? For now, Monero user IP addresses are very much traceable and it is best to use Monero coupled with a trusted VPN solution or Tor. There is currently only a proposal to use Kovri, an IP obfuscation protocol that would prevent miners from refusing to process Monero transactions from certain locations and ISPs from denying Monero transactions to an entire region. Kovri adheres to Invisible Internet Project (I2P) standards that bounces traffic between nodes in a way that basically makes it Tor on steroids.

One big problem with Tor is that, again, it is too popular, and it too is vulnerable to trace analysis. Intelligence agencies have slowly slithered into the Tor network, deploying a multitude of Tor nodes to be able to analyze supposedly anonymous traffic by using fingerprinting techniques. Kovri seems to fit Monero’s needs perfectly, but the Monero devs don’t seem interested in implementing it. While we wait for Kovri or something similar, let’s examine how the Monero network itself is designed to encourage people to participate in the network at random.

Fair Mining Rewards

An interesting aspect of cryptocurrencies is the psychology of the people using them. Crypto developers are generally autistic savants who focus on devising cryptographic measures, but they do not take into account how users will handle them or what groups of malicious users might do, leading to poor implementation that defeats their purpose. Where miners are involved, it is crucial that crypto devs consider miner motivation and solve it in a sustainable way that guarantees equality and network decentralization.

With Bitcoin and other proof-of-work cryptocurrencies, mining speed and the speed of transaction processing are the same and depend on the strength of the hardware. That allows for runaway power — Bitcoin miners who mined the most when Bitcoin launched got the most Bitcoin in return, allowing them to get better hardware and mine even more. They are the ones that can mine and process transactions the fastest, and they have a financial incentive to keep the network running. That centralized mining power turned established Bitcoin miners into super-nodes that could decide to reject transactions, meaning they are essentially banks.

How is Monero untraceable, thanks to its mining rewards? With Monero, there is still work being done to validate blocks, but the chance of completing a block is random and does not depend as much on CPU/GPU strength. When a Monero miner completes a block, he gets all the transaction fees involved with that block plus a small fixed reward. That reward was gradually reduced to 0.6 XMR per every 2-minute block; compare that to the infamous halving present in Bitcoin, where the mining reward halves at certain points, leading to significant upsets with miners and Bitcoin transaction processing power.

Dynamic Mining Difficulty

Bitcoin’s halving is closely tied to how Bitcoin is mined. With each mined Bitcoin block, the mining difficulty steadily increases, which is what leads to those network upsets, but Monero does it differently. To ensure that each block is mined approximately every two minutes, the network automatically adjusts the mining difficulty to guarantee network stability depending on the number of active miners.

Why not just allow for instant transactions? The 2-minute block mining time was chosen by Monero devs as the sweet spot that prevents desynchronization and allows for maximum convenience. Thanks to that, there is a guaranteed reward going to a random Monero miner every two minutes, which serves as an incentive for random people to join the Monero network as miners, work for two minutes in hopes of scoring a reward, and disconnect from the network. That is a brilliant way to prevent the emergence of super-nodes that reap all the mining rewards and get to decide what happens with transactions and the network while serving as a pseudo-Tor networking solution.

is

CryptoNight Mining Algorithm

The initial proof-of-work algorithm used by Monero, CryptoNight, was designed to resist optimization by specialized hardware. That means that, unlike with Bitcoin, there is no incentive for hardware producers to offer hardware that can turn a Monero miner into a super-node. When Bitcoin first started, the blockchain was miniscule and the difficulty was non-existent. A Bitcoin miner could use a laptop to mine Bitcoin and get rewarded for it, because a weak CPU was enough for mining. That is what led to the popularity of Bitcoin as people from all walks got drawn to it.

Over time, finance bros were attracted to Bitcoin mining, and they quickly discovered a better way to mine: use GPUs. That led to logistical problems, because GPUs tend to overheat and are difficult to scale due to the fire hazard when making large mining farms. To solve that, hardware manufacturers started offering special hardware for mining Bitcoin, called ASIC. One of them is Antminer S5, which was first released in 2014 and was also difficult to scale but for a different reason; too many Antminer S5s could cause radio interference

Antminer S5’s profitability has been steadily decreasing, and as of the time of writing, each unit loses $1.64 a day of operation (presuming a $0.12 per kWh price). The most modern ASIC is currently Antminer AL1 Pro, which consumes 3.7 kWh of power and provides 16.6 Th/s (terahashes per second) of networking power, generating $54 a day in profits. With each Bitcoin reward halving, which happens once every four years, the profitability of Antminer S5 and all other ASICs is expected to decline further.

Avoiding the ASIC Kill Switch

There are more problems with ASICs, because they can be easily modified by the manufacturer to possess a vulnerability, allowing a corporation or a government to effectively have a kill switch over a cryptocurrency network. As of 2024, Bitcoin’s networking power is exclusively provided by ASIC mining pools that are easily regulated and controlled. Miners who join those pools don’t care about it, because they are in it for the money, not because they believe in Bitcoin or the technical fundamentals. As soon as it becomes too inconvenient for them to make money off of mining Bitcoin, they will bail and leave Bitcoin users stranded.

If a government or a corporation did decide to cripple Bitcoin mining profitability at a whim, either by legislative bans or hardware kill switches, that would cause a huge upset in Bitcoin mining profitability. If miners are driven by profit and they are the ones providing network security, loss of profit would effectively cripple the Bitcoin network, leading to transactions that cannot complete, panic sell-off of Bitcoin, and further loss of liquidity and network power. So, is Monero immune to those problems? Not quite.

In 2018, the Monero community discovered that, despite the CryptoNight algorithm, there were still Monero ASICs and that they outstripped other forms of mining by some 2,400%, accounting for about 50% of all Monero hashrate. Before panic and apathy could spread, Monero devs tweaked CryptoNight in order to make Monero ASICs useless; ASICs are factory-programmed with the algorithm to be used and they cannot be reprogrammed or tweaked. To discourage further ASIC takeover, Monero devs routinely tweak the algorithm, which was at first every six months. Their efforts eventually culminated in the RandomX algorithm.

RandomX Mining Algorithm

Introduced in Monero update 0.15 deployed in 2019, the RandomX algorithm is designed to curb ASIC use while making things more fair for those who have a bit more CPU or GPU power. RandomX can operate in two modes: Light and Fast. They are faster than CryptoNight by about 2 and 10 times, respectively. Recommended hardware for RandomX is any GPU with over 2 GB of memory and any CPU with hardware AES support and support for large memory pages.

In May–August 2019, RandomX was audited by four cybersecurity companies:

  • QuarksLab
  • Kudelski Security
  • X41 D-SEC
  • Trail of Bits

I’ll just cover one, the X41 D-SEC audit, which discovered four medium vulnerabilities and 11 issues without an immediate security impact. The four vulnerabilities were related to hard-coded settings and assumptions that ignore fringe cases of code execution, potentially leading to out-of-bounds access and buffer overflows. The recommended solutions were to introduce extra code and sanity checks to prevent fringe cases from impacting code execution. The 11 issues had to do with careless implementation of cryptographic functions, potentially leading to easier tracing of transactions.

Off-Ramping Monero

Is Monero untraceable when transferring it to fiat? Off-ramping cryptocurrencies is a huge problem and Monero hasn’t been able to solve it. One service that offered Monero off-ramping, Local Monero, was shut down 5 months ago, with Monero geeks advising the use of Litecoin or Bitcoin Cash and/or using a DEX (decentralized exchange).

The biggest problem with off-ramping Monero is the lack of user-friendly options. Whatever you go with, you will have to go to great lengths to preserve your privacy, and the software is generally in beta. Do your research before committing your Monero, because signing up with a centralized exchange (CEX) means you might be asked to perform KYC out of nowhere.

PlasBit and Monero

In cyberspace, information is power, so any digital system that allows for centralization of information is at huge risk of attracting power-hungry individuals. Like we saw with Bitcoin mining, if there is a chance to centralize and optimize a cryptocurrency, people will do it, no matter how detrimental that is to the system in the long run. That’s why I think PlasBit is a torchbearer when it comes to cryptocurrency exchanges. We’re the only exchange talking about these issues and offering some solutions.

To me, Monero seems like a cryptocurrency that is leaps and bounds ahead of its competitors, primarily Bitcoin. Still, each crypto has its use case, and it’s worth it to research them for yourself to see if they suit your case. I think it’s a grave mistake to consider any given crypto an Enigma machine that should be used all the time, because overuse always backfires. Mixing and matching cryptos and ensuring that there is enough of a gap between various money and information channels should prevent digital trace aggregation and analysis.

I think that there are two ways to guarantee Monero untraceability. The first is to decentralize as much as possible, and the other is to have the maximum possible OPSEC. PlasBit can help you with the former by offering a simple way of exchanging Monero to BTC no KYC, during which PlasBit will only gather the information required by law. With the latter, the biggest Monero OPSEC vulnerability is your seed. As long as you're more careful with your seed than Bill Clinton was with his, your Monero activities should stay an enigma.