• J

De-Anonymizing Anonymous Crypto Services

With the exit scam and subsequent arrests of the administrators of the dark web market Wall Street Market (WSM), there are some important takeaways from the investigative work on blockchain forensics. The arrests arose from the de-anonymization of the bitcoin that was tumbled by the administrators of WSM.

The largest concern here is not so much that these anonymization services are failing but that the online operational security practices of the people interacting on the site were so poor. The DoJ document references the segregation of accounts belonging to a specific user: pages 28 and 29 detail how one user was tied to multiple accounts by PGP key and Bitcoin wallet identification. The bitcoin wallets were anonymized using a bitcoin tumbling service similar to bestmixer.io. The process behind tumblers, and more recently coinjoins, aims to launder the path of the funds.

Tumbling Services

Tumbling services have existed for a few years. As the idea of Bitcoin’s assumed anonymity faded away, technologies were created to obfuscate the outputs on the blockchain. Tumbling services came onto the scene first. A tumbler gives you someone else’s BTC, and the exchange occurs at a centralized location. Surveillance, if done properly, can discover the transaction. IP address tracing can help to narrow the possible users as well. Coinjoins take your BTC and mix it with a set of other people’s BTC. There is a link, but plausible deniability allows the user to claim ignorance. There is still a link to the coinjoin service. Nopara73 does a very good job of explaining at a high level how a coinjoin transaction is executed.

For a normal Bitcoin transaction:

You send some coins from one address to another address, and you get back the change to the same address. Of course, this model provides terrible Bitcoin privacy, therefore change addresses were introduced.

However instead of getting the change to the same address, your wallet software internally generates a third address where you receive the change. This highlighted another problem, with how you store so many addresses in a wallet. Hierarchical Deterministic wallets solved this issue, however this is outside the scope of this article.

Coinjoins then tried to leverage this issue to bring a sense of anonymity to the Bitcoin network.

When a CJ happens everyone has to send let us say 1 Bitcoin somewhere with a big combined transaction and then nobody can tell who sent coins and where. Of course, this is only true if you are looking at single transactions and not transaction chains.

One glaring issue surrounding coinjoins is finding people to offer the same amount of BTC to join together, which is what builds the plausible deniability of the coinjoin operation. Further blockchain analysis is another. The technology around blockchain analysis is only getting better. The web-scraping/OSINT tools available to these forensic firms, which are complicit in helping the government, have jumped up in magnitude since they first came online a few years ago.

There have been multiple stories about the 3-letter agencies being able to figure out the source of the laundry activities. This email chain with a bunch of cypherpunks in 2017 warns of the dangers that come from using these services. These services offer a solution, but the services’ claims are not always achieved.
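To make the point about equal amounts and transaction chains concrete, here is an added example (not code from the original post or from any coinjoin project) that models one coinjoin and applies two standard analysis heuristics to it. The transaction, the names and the zero-fee assumption are constructed for illustration.

```python
from collections import Counter

# Constructed sample CoinJoin (not real chain data); values in satoshis, fees ignored.
DENOM = 100_000_000  # the agreed "1 Bitcoin" mixed output
INPUTS = {"in_a": 130_000_000, "in_b": 170_000_000, "in_c": 100_000_000}
OUTPUTS = {"mix_1": DENOM, "mix_2": DENOM, "mix_3": DENOM,
           "chg_1": 30_000_000, "chg_2": 70_000_000}
# Constructed later transaction that spends these two outputs together.
LATER_SPEND = ["chg_2", "mix_3"]


def anonymity_set(outputs):
    """For each output, how many outputs in the transaction share its value."""
    counts = Counter(outputs.values())
    return {name: counts[value] for name, value in outputs.items()}


def link_change(inputs, outputs, denom):
    """Map each change output to the inputs satisfying input - denom == change."""
    links = {}
    for out, value in outputs.items():
        if value != denom:
            links[out] = [i for i, v in inputs.items() if v - denom == value]
    return links


def chain_link(later_spend, change_links, outputs, denom):
    """Common-input-ownership heuristic: outputs spent together share an owner,
    so a mixed output co-spent with uniquely linked change inherits its input."""
    owners = set()
    for out in later_spend:
        candidates = change_links.get(out, [])
        if len(candidates) == 1:
            owners.add(candidates[0])
    if len(owners) != 1:
        return {}  # ambiguous or no linked change: nothing learned
    owner = owners.pop()
    return {out: owner for out in later_spend if outputs[out] == denom}


if __name__ == "__main__":
    links = link_change(INPUTS, OUTPUTS, DENOM)
    print(anonymity_set(OUTPUTS))   # mixed outputs hide among 3, change among 1
    print(links)                    # each change output points at one input
    print(chain_link(LATER_SPEND, links, OUTPUTS, DENOM))
```

Within the single transaction the three mixed outputs are indistinguishable, but the unequal change is not, and spending change together with a mixed output later collapses the anonymity set for that output.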

Blockchain Forensics and Investigatory Prowess

From the DoJ documents, the Postal Service was able to de-anonymize the Bitcoin that was owned by the administrators. The wallet addresses alone did not lead to the discovery of the identities of the WSM admins. The admins’ biggest issue was completely segregating themselves or previous aliases from their current accounts on WSM.


The third administrator for WSM was known as “TheOne,” and as described below, the investigation has further revealed probable cause to believe that FROST is “TheOne” for two primary reasons. First, as described below (at paragraph 30), the PGP public key for “TheOne” is the same as the PGP public key for another moniker on Hansa Market, “dudebuy.” As described below, a financial transaction connected to a virtual currency wallet used by FROST was linked to “dudebuy.” As explained above in paragraph 4.l, a PGP public key, in the context of darknet investigations, is likely a unique identifier to an individual.

Most people publish their PGP key in a public domain that can be tied to their account/username/email. “TheOne” had the same PGP key linked to another account named “dudebuy” which was used to tie both identities. The online identities were linked most likely by mistake. When “TheOne” was creating their account, I’m sure they were not thinking about creating a completely unique identifier such as a PGP key pair. This one tiny mistake led to the feds coming down on this person.

The report goes on to explain how they were able to link “TheOne” to his bitcoin wallet addresses that were tied to this account and the “dudebuy” account. This link gave further credit to law enforcement agencies’ belief that “TheOne” and “dudebuy” were the same individual.

Another administrator for WSM was tied back to their physical location due to their VPN provider giving up their IP address to law enforcement. VPNs encrypt your traffic so that no one besides the VPN provider can see your traffic.
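The linking described above, reusing one PGP key or wallet across accounts, amounts to clustering accounts by shared identifiers. The following is an added example, not taken from the DoJ document or the original post; the usernames “TheOne” and “dudebuy” come from the quoted text, while every identifier value and the other record names are constructed placeholders.

```python
from collections import defaultdict

# Constructed records: (source, username, identifier kind, value).
# All fingerprint and wallet values are placeholders, not real identifiers.
RECORDS = [
    ("WSM", "TheOne", "pgp", "aaaa 1111 placeholder"),
    ("Hansa", "dudebuy", "pgp", "AAAA1111PLACEHOLDER"),
    ("Hansa", "dudebuy", "wallet", "wallet-placeholder-1"),
    ("payment-record", "constructed-payer", "wallet", "wallet-placeholder-1"),
    ("WSM", "constructed-other-user", "pgp", "BBBB2222PLACEHOLDER"),
]


def normalize(kind, value):
    """PGP fingerprints are hex: compare them without spaces or case."""
    return value.replace(" ", "").upper() if kind == "pgp" else value.strip()


def cluster_accounts(records):
    """Union-find: accounts sharing any identifier end up in one cluster."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path compression
            node = parent[node]
        return node

    for source, user, kind, value in records:
        acct, ident = ("acct", source, user), ("id", kind, normalize(kind, value))
        parent[find(acct)] = find(ident)

    clusters = defaultdict(set)
    for node in list(parent):
        if node[0] == "acct":
            clusters[find(node)].add(node[1:])
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)


def reused_identifiers(records):
    """Identifiers seen under more than one account: the linking evidence."""
    seen = defaultdict(set)
    for source, user, kind, value in records:
        seen[(kind, normalize(kind, value))].add((source, user))
    return {ident: sorted(accts) for ident, accts in seen.items() if len(accts) > 1}
```

The clustering is transitive: the PGP key joins the two market accounts, and the wallet then joins that pair to the payment record, even though the first account and the payment record share nothing directly.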

The BKA also investigated a second individual suspected to be an administrator, who was using VPN Provider #2, to access certain administrator-only components of the WSM server infrastructure. The BKA advised me, based on its investigatory process, that it learned that an IP address assigned to the home of this individual (the account for the IP address was registered in the name of the suspect’s mother) accessed VPN Provider #2 within similar rough time frames as administrator-only components of the WSM server infrastructure were accessed by VPN Provider #2. Based on my training and experience, I believe that this individual, later determined to be KALLA, accessed VPN Provider #2 to access administrator-only components of WSM server infrastructure.


I have recommended this site before and believe this is the best resource for anyone looking for a very good perspective on privacy/security bolstering services. Logging by your VPN provider will always be an issue. If surveillance is a concern for you, there need to be measures taken. Just registering a VPN under a family member’s name will not cut a link. It doesn’t take a forensic mastermind to make connections. All it takes is a court order for a VPN service provider to hand over everything they have about your account. They can give the exact IP address that is connecting to their service. There are ways in which you can anonymously pay/register for a VPN service and the link above addresses how to do that if looking to achieve that level of privacy.

Why It All Went Wrong

The admins on WSM, as well as those of the other darknet market that was taken down this past week (Valhalla), needed to be on the ball every time they interacted on their marketplace. This means always taking the utmost care when logging in to or interacting with the site. The financial instruments used on the site make for assumed anonymity, but the service you use plays a large role in whether it actually anonymizes your digital asset. You won’t really know if your BTC is anonymous until it is being tested in real time, and by the time this occurs, it could be too late for a person to make drastic changes. If looking for private digital currencies, look no further than some of the private cryptocurrencies that are available for most people to buy.

Law enforcement agencies will always be around to take these kinds of services down. An easier way for individuals to avoid jail time, besides evading the jailors, is to move towards a DAO setup. OpenBazaar and Bisq offer solutions for what something like this would look like, and the human risk is much further lessened.

Airfoil does NOT condone illicit activities. Educate yourselves and learn how to remain private and secure.