
How to use crypto without doxing yourself

Implementing the four steps of good address hygiene to protect your privacy
Dec 3, 2019 · 8 min read



Dear Crypto Natives,

What do each of these statements have in common?

“I just voted in Maker governance an hour ago!”

“Sure, just send the DAI to ethismoney.eth”

“OMG I won the PoolTogether lotto this week!”

“Just sent 1 ETH to a GitCoin grant”

Give up?

Here’s the answer: each of them links an identity to a crypto address.

If you’re not careful with your crypto address hygiene, simple public statements like these have the ability to dox your full crypto transaction history to the world.

Yeah, not good.

Here’s a Bankless tactic for avoiding that.

Let’s level up!

- RSA


TACTICS TUESDAY:

Tactic #14:
How to use crypto without doxing yourself

How would you feel if your bank account was on display for the world to see? Your net worth, the assets you hold, how you spend your money—all public. That’s what happens when your identity is publicly linked to an ETH or BTC address you own. But with good address hygiene and a few rules of thumb you can avoid publicly doxing your accounts.

  • Goal: Learn good address hygiene so you don’t dox your accounts
  • Skill: Beginner
  • Effort: 1-2 minutes of planning before you transact on the public ledger
  • ROI: Privacy—shield your account activity from the general public


Who’s this for?

Let’s set expectations. This tactic won’t help you shield your crypto activity from law enforcement or state-level actors. And it’s not great for hiding activity from the view of fiat on-ramps, centralized exchanges, or chain analysis companies. If you’re a criminal, well—I bet you’ll find cash and traditional banking way more useful than crypto.

This tactic is written to prevent Bankless readers from inadvertently linking their identity to their crypto addresses and exposing their transactions to the world. It’s really easy to slip up and lose your pseudonymity when using globally public ledgers like Ethereum and Bitcoin. So use this tactic to level up your efforts and preserve some basic privacy.


The first thing about crypto addresses

A public Ethereum address looks like this:

It’s public but it’s pseudonymous. There’s no indication as to who owns it. It could be anyone’s: maybe Coinbase, maybe Leo DiCaprio, maybe a kid in South Africa. Identity isn’t included in the Ethereum ledger.

But the minute I say publicly “Oh, that’s my address” it’s no longer pseudonymous. Now someone knows I own it. And if I say it on Twitter, well…a lot of someones now know I own it. Including the chain analysis bot that’s parsing every tweet to cross-link Twitter identities with crypto addresses.

Here are other ways to say this is my address without saying “this is my address”:

  1. “I just paid .02 gwei in gas fees—why is gas so expensive rn?"
  2. “Couldn’t get my MKR vote in, transaction failed. Can anyone help?”
  3. Purchasing the ENS name of your twitter handle
  4. “Psyched! Just bought an Avatar of Light GU card!!!”

Any of these statements can be used to link your identity to your Ethereum address. The .02 gwei comment? Just takes a query of all .02 gwei transactions by time range. The MKR transaction failure? Easy, look at the MKR votes that failed in the last hour.

Every transaction on Ethereum and Bitcoin is public. The fact that your identity isn’t linked to the address involved in the transaction is the only thing preserving your privacy. But if a link between address and identity is made—bye, bye privacy. Your crypto bank account is now identified and on display to the world.

The second thing about crypto addresses

Here’s the second problem. Say you slipped up. Someone identified your address after a dumb comment you made on twitter. “It’s ok” you think. There’s only 10 transactions in the address and just a bit of ETH. You keep the bulk of your crypto holdings in a different address—your cold storage address. No big deal right?

Hold on.

You look at the transaction history.

The first transaction in your identified account was some DAI you sent to yourself. You moved the DAI there after minting it from a Maker loan. The Maker loan is held by your cold storage address. And your cold storage address is linked to your exposed account! Oof—that means your cold storage address is now linked to your identity.

The identification of one of your addresses reveals the identity of your other addresses that have transacted with it. See how easily this happens?

You doxed yourself badly because you didn’t have good address hygiene.


Bitcoin addresses work the same way. I’ve been talking about Ethereum addresses but the same is true of Bitcoin addresses. They are public but pseudonymous. If your identity is linked to a Bitcoin address then all the transactions associated with that address become linked to your identity.


Good address hygiene

Here are four steps for good address hygiene to avoid doxing yourself:

  1. Separate your addresses—public and private
  2. Don’t reuse addresses—use new addresses whenever possible
  3. Wash your transactions—sever the chain of transactions between your addresses
  4. Be careful what you reveal—don’t inadvertently dox yourself

Let’s walk through them.

Separate your addresses

It’s fine to have crypto addresses you publicly share. Yes, put your ENS address in your twitter handle. Yes, use StablePay to accept payments for your services. But make sure any address you share publicly doesn’t interact with any address that should remain private.

It’s helpful to create two types of addresses:

  • Public addresses: publicly shareable—for activity you intend to keep public
  • Private addresses: not shareable—for activity you intend to keep private

Then firewall them off. Public addresses should never interact with private addresses and vice versa. Public addresses hold ENS names. They’re used for payments. Or for holding Gods Unchained collectibles. Private addresses are never shared. These transactions aren’t meant to be seen publicly. They’re used for cold storage.

Don’t reuse addresses

Whenever possible—don’t reuse addresses. Start with a fresh address as often as possible. This will silo your transaction activity across many addresses and make it difficult to aggregate your transaction history. It also limits your privacy damage in the event that you slip up and one of your addresses is identified.

The tricky part here is address management—how do you keep track of all your addresses? DeFi dashboards, crypto accounting systems, and wallets can be very helpful here.

The other tricky part is making sure you wash the transactions to and from your new address to sever the link between it and the other addresses you own.

Wash your transactions

To set up a new address that’s clean—not tainted by the transaction history of another address—you’ll need to wash transactions going into or coming out of it.

There are two ways to do this today:

  1. Use a crypto bank
  2. Use a mixer

Using a crypto bank to wash transactions. Say you spin up a new address to receive payments using MetaMask. Easy enough. Someone sends DAI to that address. Now you want to move the DAI to your private cold storage address. (You also need ETH in the new address to pay for gas to move the DAI.) To wash your transactions using a crypto bank you’d:

  1. Send ETH to a crypto exchange you trust (enough for the gas you’ll use)
  2. Transfer the ETH from the crypto exchange to the new address
  3. Transfer the DAI back to the crypto exchange (use the ETH for gas)
  4. Now transfer the DAI from the crypto exchange to your cold storage address

The DAI is now in your cold storage address, but you’ve severed the public link between your cold storage address and your new address by using the exchange as an intermediary. Of course, the exchange knows the identities of both addresses—you’re AML/KYC’ed on their platform and they see both sides of the transaction. But at least it’s not public. This is equivalent privacy to the traditional banking system.

Using a mixer to wash transactions. A more bankless option is to use a crypto mixer to anonymize your transactions. Mixers aren’t perfect. The user experience can be clunky and the anonymity isn’t 100%—these work by anonymizing your transactions through clever cryptography and by bundling them with the transactions of users doing similar transactions. The benefit—mixers do not require a centralized intermediary or AML/KYC.

The best mixer for Ethereum now is Tornado Cash. This is a reputable project but is unaudited and still in beta. And it usually doesn’t have enough users to bundle transactions larger than 1 ETH. AZTEC has promising tech here and Argent is working on something, but nothing you can use today.

The mixer options on Bitcoin are better. Wasabi is a wallet and mixer for desktop you can use. It requires a bit of setup, but not bad. Samourai is a mobile wallet and mixer. A bit easier, but still not mainstream ready. Privacy requires extra work.

Use a crypto bank to wash transactions at minimum. Use a mixer for additional privacy. Those are about the only options on Ethereum and Bitcoin today.

Be careful what you reveal

Lastly, be careful what you reveal.

As we’ve seen by example throughout this tactic it’s easy to inadvertently dox yourself by revealing information about your crypto addresses or your transactions. You are your own worst enemy here. So ask yourself before you tweet, type, or talk—could this information be used to identify one of my crypto addresses?

No need to reveal more than necessary.

Final Thoughts

It’s easy to slip up and reveal the identity of one of your crypto addresses. Think before you share specifics about your crypto transactions. Practice good address hygiene—that means separating your public and private addresses and making sure the transactions between them are washed first. Use new addresses when possible. Don’t reuse. You’ll limit the damage of an identified address this way.

Privacy on Ethereum and Bitcoin isn’t ideal right now, though mixers are slowly getting better. This means you might be reliant on a crypto bank for the convenience of transaction washing—be sure it’s one you trust.

Actions

  • Learn and implement the 4 steps for good crypto address hygiene
  • Evaluate crypto banks vs crypto mixers for transaction washing


BONUS TIPS

The Inner Circle came up with these fantastic supplemental tips on how to avoid doxing yourself after the initial article was published.

  1. Obfuscate the transaction amounts when you wash them. If you send an easily identifiable amount (like 11.43118754 ETH) into Coinbase and then out of Coinbase to another account, it’s easy to track on chain.

    To avoid this:

    • Split or combine amounts (potentially from a few different accounts)

    • Add some delay between sending into an exchange and sending out

    • Consider pre-washing some funds for emergencies—potentially to catch a dip on a project you want to invest in. Waiting until the last minute could cause you to slip-up and dox yourself.

  2. Don’t forget—you can’t wash NFTs. Consider an ENS name. If you were to register a domain name through an unwashed Ethereum address that could be associated to your cold wallet then there’s no good way to un-dox yourself. Right now there are no ways to erase NFT owner history or transfer NFTs privately. Known tricks like routing funds through exchanges or using mixers like Tornado don't apply here.

  3. Check your addresses using Ethtective. Plug in an address you’d like to check here. It will show all other addresses linked to that address. Use it as a tool to make sure your addresses are properly washed.
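
The checks behind tips 1 and 3, and the cold-storage linkage described earlier, as an added example (not part of the original newsletter and not Ethtective's code): a self-audit you could run over a transfer list exported for your own addresses. The ledger, the address labels and the 24-hour window are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (sender, receiver, amount, unix_time).
# Every address label here is a placeholder, not a real account.
TRANSFERS = [
    ("cold", "public", 250.0, 1000),            # private address funds a shared one
    ("public", "shop", 20.0, 2000),
    ("fresh", "exchange", 11.43118754, 3000),   # deposit of a distinctive amount
    ("exchange", "cold2", 11.43118754, 3600),   # same amount withdrawn 10 min later
    ("fresh2", "exchange", 5.0, 4000),
    ("exchange", "cold3", 3.1, 90000),          # split amount, long delay
]
EXCHANGES = {"exchange"}  # pooled custodial address: the public trail stops here


def linked_addresses(transfers, start, intermediaries=frozenset()):
    """Addresses publicly connected to `start`, without walking through intermediaries."""
    graph = defaultdict(set)
    for src, dst, _amount, _ts in transfers:
        graph[src].add(dst)
        graph[dst].add(src)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node in intermediaries:
            continue  # many users share this address, so the link is not followed
        for peer in graph[node]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen - {start} - set(intermediaries)


def matching_amounts(transfers, intermediaries, window=86400, tolerance=1e-8):
    """(depositor, recipient) pairs whose amounts match through an intermediary within `window` seconds."""
    deposits = [t for t in transfers if t[1] in intermediaries]
    withdrawals = [t for t in transfers if t[0] in intermediaries]
    return [
        (d_src, w_dst)
        for d_src, d_via, d_amt, d_ts in deposits
        for w_via, w_dst, w_amt, w_ts in withdrawals
        if d_via == w_via and 0 <= w_ts - d_ts <= window and abs(d_amt - w_amt) <= tolerance
    ]


if __name__ == "__main__":
    print("linked to public:", sorted(linked_addresses(TRANSFERS, "public", EXCHANGES)))
    print("linked to fresh:", sorted(linked_addresses(TRANSFERS, "fresh", EXCHANGES)))
    print("amount matches:", matching_amounts(TRANSFERS, EXCHANGES))
```

A private address showing up in the first result means the firewall between public and private addresses is broken; a pair in the last result means the exchange hop did not hide the link because the amount and timing give it away.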




Filling out the skill cube

Learning good crypto address hygiene is not just important for privacy—it’s important for the security portion of the skill cube. Make it part of your routine!


👉Send us a tip for today’s issue (rsa.eth)


Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.


Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. I’ll always disclose when this is the case.

Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. Additionally, the Bankless writers hold crypto assets. See our investment disclosures here.
