Privacy

Can crypto mixers adapt to survive US authority prosecution?

Cryptocurrency mixers face a dilemma between preserving financial privacy freedom and embracing increased compliance measures to avoid U.S. scrutiny.

Tornado Cash — a cryptocurrency mixer service that can hide the origin of crypto transactions — hit the headlines after being sanctioned by the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) in August 2022. 

The mixer opened Pandora’s box, igniting an open debate about the role of mixers in ensuring personal financial privacy when using cryptocurrencies.

U.S. authorities have continued sanctions against these services, with Sinbad.io being the most recent big player under OFAC sanction. Tornado Cash and Sinbad have been taken down by the FBI, with the U.S. Treasury accusing them of facilitating billions of dollars in illicit transactions, particularly those of North Korea-based hacking group Lazarus.


What are stealth addresses, and how do they work?

Stealth addresses in cryptocurrencies act like secret codes for transactions, providing enhanced privacy by generating unique addresses for each payment.

The purpose of crypto stealth addresses is to enable privacy for each transaction, concealing the recipient’s identity and transaction history.

Crypto stealth addresses are a privacy-enhancing feature in blockchain technology that lets users receive money anonymously. Unlike conventional public addresses, stealth addresses provide distinct, one-time addresses for every transaction. The recipient’s actual address is kept secret when a sender transfers funds using a stealth address; the transaction is broadcast to the network. 


Chinese government plans for blockchain-based identity verification

The Chinese Ministry of Public Security plans to implement a blockchain-based identity verification system that it claims will help keep personal data and identity credentials safe.

The Chinese Ministry of Public Security plans to roll out a new blockchain-based platform called RealDID to verify the real-name identities of its citizens. 

According to a press release for an event held on Dec. 12 by the Blockchain Service Network (BSN), a Chinese blockchain firm, the project, planned with the Chinese government, will have multiple use cases. These include personal real name confirmation, personal data encrypted protection and certification, private logins, business identities, personal identification certificate services and information vouchers on personal identity.

The application will allow Chinese citizens to register and log into online portals anonymously using DID addresses, which will ensure transactions and data remain private between individuals and businesses.


Former US Secret Service asst. director: Keep personal info of FTX users private

Jeremy Sheridan claimed FTX users could become the targets of physical harm as well as attacks through online scams if their information was disclosed.

Jeremy Sheridan, former assistant director of the United States Secret Service Office of Investigations, has warned that certain FTX customers could become targets if their personal information were to be made public.

In an April 20 declaration filed with the U.S. Bankruptcy Court for the District of Delaware, Sheridan supported a motion from the debtors that would withhold “certain confidential information” of FTX users. According to Sheridan, who is currently a managing director for FTI Consulting, releasing the names of customers associated with the failed crypto exchange imposes “a severe and unusual risk of identity theft, asset theft, personal attack, and further online victimization.”

“If Individual Customer Names are made public in these Chapter 11 Cases, such information will provide potential malefactors an itemized list of vulnerable targets,” said Sheridan. “In particular, it will provide malefactors with a menu of potential targets via disclosure of the Debtors’ schedules of assets and liabilities list. […] And each of the Debtors’ customers’ respective cryptocurrency holdings.”

FTX users holding large amounts of crypto, according to Sheridan, would effectively have “a target on their back” and could be victims of fraud by scammers looking at their wallets. He cited examples of common online scams conducted through email and social media, including building fake business and romantic relationships, SIM swaps and phishing attacks:

“Perpetrators of frauds and online attacks are emboldened by, motivated from and attracted to high profile cases like the Chapter 11 Cases. Adding to this environment is the fact that cryptocurrency is already an attractive target for malefactors because it is easy to liquidate, instantaneous, global and pseudo anonymous.”

The legal team representing FTX debtors released a list of creditors owed money by the exchange in January. However, the roughly 10 million users’ names and personal information had been redacted. A group of media outlets, including Bloomberg and The New York Times, has objected to the redaction, claiming that the press and public had a “right of access” to the information.


Judge John Dorsey extended the time that customer information could be redacted until April 20, also expressing concern that users could be put “at risk” with their names going public. FTX debtors and the committee of unsecured creditors filed a motion when the extension was set to expire requesting the bankruptcy court revisit the redaction order. The matter is scheduled for a May 17 hearing, depending on objections filed.


TransUnion to begin providing identity-protected credit scoring for DeFi lending

The American credit reporting agency is teaming up with Spring Labs and Quadrata for a new service that should make DeFi borrowing easier and less risky.

TransUnion, one of the three major United States credit reporting agencies, announced on April 20 that it would begin supplying credit scoring to public blockchain networks. Off-chain credit data have not previously been available to Web3 and decentralized finance (DeFi) applications.

In the new TransUnion service, credit information will be made available to decentralized applications, or DApps, at the consumer’s request. Complete credit information will be delivered to the consumer, and excerpts will go to the DApp.

TransUnion partnered with Spring Labs and Quadrata to provide credit data through a digital passport network that will protect the consumer’s identity on the blockchain. The project apparently took some time to get off the ground, as it was first announced over a year ago.

TransUnion executive vice president of financial services Jason Laky said the new product will help minimize lenders’ risk while “providing borrowers more opportunity for better terms.” TransUnion claimed it “can offer credit scoring for nearly the entire U.S. adult population” and has operating associates in more than 30 countries.

Credit scoring has long been a sore spot for DeFi. TransUnion competitor Experian announced at the beginning of 2023 that it was partnering with Bulgarian DeFi lending platform Credefi. That deal gave Credefi “the rights to use Experian’s officially recognized and reputable brand materials.” Experian will participate in European Green Company scoring through the deal. In October, Equifax, the other major TransUnion competitor, said it was partnering with the Oasis blockchain to provide Know Your Customer services.


Masa Finance recently launched an identity protocol based on soulbound tokens that also accommodated on-chain credit information. Pngme, which, like Masa Finance, was founded by Brendan Playford, helped create scores for “credit invisible” people in Africa based on mobile money data.


MetaMask third-party provider was hacked, exposing email addresses

The incident affected users who submitted a MetaMask customer service ticket between August 1, 2021 and February 10, 2023.

The email addresses of some MetaMask users may have been exposed to a malicious party due to a recently discovered cyber-security incident. According to parent company ConsenSys, the incident affected users who submitted a customer support ticket to MetaMask between August 1, 2021 and February 10, 2023.

According to the April 14 blog post, unauthorized actors gained access to a third party’s computer system that was used to process customer service requests, potentially allowing them to view customer support tickets submitted by MetaMask users.

These tickets did not ask for information other than what was necessary to help the user, including an email address to facilitate replies. However, they did include a “free text-field,” which some users may have used to submit personally identifying information. This may have included “economic or financial information, name, surname, date of birth, phone number, and postal address,” the post stated.

ConsenSys emphasized that it does not ask for personally identifying information in customer conversations, but some may have provided it anyway.

The company estimates that the breach may have affected up to 7,000 MetaMask users who submitted customer support tickets.

In response to this incident, hardware wallet provider Keystone warned MetaMask users that some might receive more phishing emails due to the incident since the attacker may use this swiped email database to look for potential victims.

Phishing is a scam that tricks a user into providing sensitive information to an attacker. It is often performed by sending an email to the victim that appears to be from a trusted party or someone the victim knows.


ConsenSys said it had taken steps to eliminate unauthorized access in the future. As a result, tickets submitted after February 10 should be unaffected by the incident. The company also contacted the Data Protection Commission of Ireland and the Information Commissioner’s Office of the United Kingdom to report the breach. In addition, the company’s third-party customer service provider is working with a cyber-security and forensics team to perform a more detailed investigation of the incident.

MetaMask came under fire from privacy advocates in late 2022 when it revealed that it sometimes logged users’ IP addresses. However, it updated its app in March to give users more control over which providers could obtain this information.


Blockchain Association files brief in Tornado Cash case

The advocacy group was joined by the DeFi Education Fund in arguing that the crypto mixer has important social functions and that the sanctions from the Office of Foreign Assets Control could set a dangerous precedent.

Crypto advocacy groups Blockchain Association and DeFi Education Fund filed a brief in United States District Court in Austin in the case brought by six individuals against the United States Treasury Department over the sanctioning of Tornado Cash. The amicus (friend of the court) brief supports the plaintiffs’ motion for a partial summary judgment.

The six plaintiffs in the case filed suit against the Treasury Department and associated parties in September after the Treasury’s Office of Foreign Assets Control (OFAC) placed addresses allegedly connected with the Tornado Cash cryptocurrency mixer on its Specially Designated Nationals and Blocked Persons List in August.

The agency accused Tornado Cash of laundering more than $7 billion, including hundreds of millions for the Lazarus Group of North Korean hackers. The designation makes it illegal for U.S. persons to interact with those addresses, under threat of large fines and imprisonment.

The plaintiffs argued that OFAC violated the Administrative Procedure Act by sanctioning an entity that was not liable to its sanction, violated users’ right to free speech and deprived them of property (crypto tied up in the mixer) without due process. The plaintiffs filed a motion for partial summary judgment on the counts of APA violation and free speech on April 5.


In their brief, the Blockchain Association and DeFi Education Fund reiterated that Tornado Cash is software, not a person or property, and argued that it is an autonomous tool that serves an important function in preserving user privacy. Blockchain Association CEO Kristin Smith added in a statement:

“Ordinarily, OFAC would not consider sanctioning neutral tools used by some people for illicit activities, it would sanction the people committing those activities. The same perspective should apply to OFAC’s action against Tornado Cash.”

The brief expanded on the legal arguments already presented. It introduced the major questions doctrine in its discussion of OFAC’s authority, for example, and stated:

“OFAC’s sanctions are ‘not in accordance with law’ for yet another reason: the sanctions are arbitrary and capricious.”

It claimed that, if the sanction is allowed to stand, it would be “effecting a vast expansion of OFAC’s power.”

Crypto think tank Coin Center sued the same parties over Tornado Cash’s sanctioning in October. Tornado Cash creator Alexey Pertsev was arrested in the Netherlands several days after the initial OFAC Tornado Cash designation. He is accused of money laundering.


Shapella could bring institutional investors to Ethereum despite risks

The latest fork on the “roadmap” shores up the network’s new validation mechanism while finally allowing stakers access to their ETH rewards.

Ethereum’s Shanghai/Capella upgrade — also known by the portmanteau Shapella — may not be the technical marvel of last year’s “Merge” or introduce turbocharged speeds to the network. 

Volumes of over 100,000 transactions per second will have to wait for future “danksharding” upgrades, according to the Ethereum Foundation.

But the hard fork remains an important step on Ethereum’s roadmap to the future, i.e., further shoring up the network’s new validation mechanism while (potentially) removing barriers for institutional investors.

Currently scheduled for 10:27 pm UTC on April 12, the upgrade will allow stakers to unlock their Ether (ETH) rewards — or even exit staking entirely — for the first time since September’s Merge.

Pre-fork publicity hasn’t matched that surrounding last autumn’s change of consensus mechanisms from proof-of-work to proof-of-stake (PoS). “This time, we won’t have a war room,” Freddy Zwanzger, Ethereum ecosystem lead at Blockdaemon, told Cointelegraph. Still, “there’s always risks” when one reshuffles the deck like this.

Ethereum’s stakers and validators will shortly be able to withdraw $32 billion of Ether from the Beacon Chain, which accounts for about 15% of ETH’s circulating supply, according to Coinbase’s April 5 newsletter. Some worry that the upgrade, also known as the Shanghai hard fork, may lower the overall number of validators and put selling pressure on the network, among other concerns.

“Every hard fork brings some upgrade risk,” Paul Brody, EY’s global blockchain leader, told Cointelegraph, especially in cases like this where you’re enabling withdrawals. On the technical side, there could be bugs latent since “day zero” in some of the network’s staking smart contracts, for example, that may not emerge until the withdrawal date — though Brody doesn’t think that’s likely.

The upgrade should mitigate risks for investors. “Lower volatility plus a yield makes for a more familiar and less risky asset to hold long-term,” Rich Rosenblum, co-founder and president at GSR, a crypto market-making firm, told Cointelegraph.

More institutional investors?

Will Shapella really attract more institutional investors to the blockchain, as some believe? Research and brokerage firm AB Bernstein stated in a late-February research report that the upgrade could bring in staking from new institutional investors, and Blockdaemon’s Zwanzger, whose firm has many institutional clients, foresees more interest in Ethereum staking opportunities from large professional investors. Some institutional investors have been reluctant to lock up funds without a clear withdrawal option.

“There’s probably going to be a queue for the first couple of weeks,” Zwanzger said. “So they might be better off waiting until that comes down to normal levels.”

According to Rosenblum, “Once the PoS network is fully operational, more institutions will feel comfortable holding ETH, especially once the staking yield becomes more accessible.”

EY’s Brody, on the other hand, doesn’t see much of a change. “A lot of the big institutional investors that we know and work with are basically sitting on the sidelines. They want to comply, but they want to be more comfortable that they know what the rules are.” Comprehensive crypto reform legislation in the United States would probably be more likely to get them off the sidelines.

Longer-term risks

So what about regulatory risk, particularly in the United States? For years Bitcoin (BTC) and Ether were thought to be impervious to Securities and Exchange Commission (SEC) scrutiny, with many U.S. regulators tacitly agreeing that the native coins for decentralized systems like these were more like commodities than securities, placing them under the Commodity Futures Trading Commission’s jurisdiction. But with Ethereum’s move to a staking validation mechanism, some think the SEC may now have Ethereum in its sights.

Still, “I wouldn’t consider it a significant risk for the network,” even if that happens, said Zwanzger. The Ethereum protocol is global, and not all jurisdictions will likely share the SEC’s view of what needs regulating. Of course, other countries could ultimately choose to follow the U.S., so one never knows.

Others worry that Ethereum’s move to staking may herald increasing network centralization. In March, Cointelegraph reported that “concentration of ETH staked through third parties raises concerns over decentralization at Lido and Coinbase in particular.”


“The battle to keep Ethereum sufficiently and properly decentralized is probably one of the most important ones out there in terms of governance and organization,” Brody told Cointelegraph. If any single staking partner were to have 33% of the ecosystem, that “could potentially — and I say potentially — have an impact on transaction finality, although you would get slashed for doing so.” If any single or cooperating group of entities controlled two-thirds of the staking infrastructure, “you would have the potential to change the governance of the chain” — something that would be “very suboptimal,” he said.

But these dangers remain largely theoretical given how things have evolved since the Merge. “A relatively vibrant staking ecosystem” has emerged, said Brody, with “a few highly centralized custodial players” but also “some semi-centralized custodial players” like Lido, which is a liquid staking pool leader that invests with funds from tens of thousands of individual crypto wallets. There are also prominent staking groups that are “trying to be more fully decentralized,” like the Rocket Pool, he added.

“As long as this remains a very competitive ecosystem,” dangers from centralization are unlikely, Brody continued. Moreover, as more enterprise users join the network and become de facto stakeholders, including “Fortune 1000” companies, the system “becomes quite heavily decentralized.”

Zwanzger said that centralization was more of a threat in the pre-Merge days when a few proof-of-work pools dominated ETH mining. In any event, he added:

“I don’t think this is going to become a problem as long as we can keep the centralized [cryptocurrency] exchanges at bay.”

“The golden age of digital monopolies”

One might wonder why decentralized digital networks are even important for commerce and society. Cointelegraph posed this question to EY’s Brody, who believes that public blockchains, especially Ethereum’s, “are going to be the big global winners,” with the caveat that public blockchains will first need to be “privacy-enabled.”

Decentralized blockchain-based networks simply offer the world’s best hope to develop monopoly-resistant global digital marketplaces, he said. “We live in the golden age of digital monopolies” like Amazon, Google and Facebook, mainly because that is simply the nature of networks. According to Metcalfe’s Law, as a network grows, its value increases exponentially. The first to market has a good chance to dominate.

But monopolies come at a social and economic cost. New York University finance professor Thomas Philippon has estimated that monopolies cost the median American family $300 a month, and the inefficiencies they entail “deprives American workers of about $1.25 trillion of labor income.” According to Brody, “If we want to fully digitize the economy, and we want to do it without digital monopolies, we should be doing it on public decentralized systems.”

In recent years, EY Global has been devoting significant resources to “industrializing blockchain privacy technology” through its Starlight project, a zero-knowledge proof compiler that enables secure, private business logic on the public Ethereum blockchain. The project is still in beta, but developers can now experiment with building privacy-enabled features for Solidity smart contracts. The goal is to enable blockchain-based business agreements where business logic is shared at the network level, but privacy from potential competitors is still preserved.

This last point is critical. In the business world, no company wants another firm to know its commercial secrets, after all. A pharmaceutical manufacturer, for instance, may want to track its medicine packets through its supply chain, beginning with the drug’s raw materials, through to distributors and hospitals.

Each packet can be attached to a nonfungible token recorded on a public blockchain. The pharma firm may also want to attach some business agreements as well. For example, a distributor selling one million units of the manufacturer’s drug could trigger an automatic rebate payment to the distributor via a smart contract. But the pharma firm doesn’t want the whole world to know about this rebate agreement.

“We are starting to build a blockchain-based inventory management system that’s going to use privacy technology to manage those individual tokens,” said Brody. It’s starting on a private chain, but they “are building it with privacy technology because they want to go on to the public chain so that anybody can join with them using these standards.” Brody added:

“So essentially, you’ll be able to take an entire business contract and supply chain operations and run it under privacy on public Ethereum at a cost-effective level.”

Tasks like tracking products and attaching business agreements to digital ledgers may seem mundane, but their economic impact could be huge. “Somewhere between 2 and 5% of all the money on earth in corporations is spent administering stuff, keeping track of it, moving it around,” said Brody. “By using smart contracts and tokenized assets, we could drive that down dramatically.”


All of this brings us back to Shapella and why such upgrades matter. A trouble-free launch would be further evidence that Ethereum is still on course to achieve the three key goals laid out in the Ethereum Foundation’s roadmap: scalability, security and sustainability. Or as Blockdaemon’s Zwanzger told Cointelegraph:

“It also will reinforce the confidence in the network and in the protocol design so that a developer launching a project can be sure that, for example, gas fees and scalability will not be a big problem over the next one or two years.”