There are numerous inputs and a single pay-to-script-hash (P2SH) output.
The relatively high fee is due in part to the large number of inputs. ~400 satoshis/byte is high by today's standards but not too unreasonable as early as 2017.
We can't tell anything about the identity of the owner(s) of the new coin from the block chain alone.
Making a transaction this large is a security risk. It effectively establishes a billion dollar bounty for any party who can rewrite enough blocks to erase it. Now that the value resides in a single coin, any subsequent transaction faces the same risk. Plunking this much value into a single coin seems like an odd strategy at best. Not to mention the destruction of privacy in combining all those inputs into a single transaction with a single output.
I can think of one reason you might want to do this. A consortium/trust has formed in which individuals pay into a common pool of money. That money is then protected with a multi signature script (consistent with the P2SH type). Given a threshold of signatures, the money can be spent, subject to other constraints. These will remain unknown until the first payment is made. At that point we'll know the number and identity of all the eligible keys and the threshold needed to make payment.
If so, this transaction can be thought of as a kind of digital charter for the consortium in that it defines how the money can be spent going forward.
Edit: to be clear, the "bounty" I'm talking about can't be directly claimed just by mining some blocks. Instead, it would have to be claimed as part of a double spend of either the transaction in question or as subsequent transaction of the now-enormous output. Most likely, there would be collusion of some kind between a miner and the owner of the keys. I'm not saying this will happen, but the bigger the transaction, the greater the risk.
I don't really agree with that statement. Yes, someone could mount a 51% attack to rewrite that block. However, it would be pretty straightforward to see what was happening (and which nodes were the malicious actors). If that did happen, the possible outcomes would be:
1. The value of bitcoin would fall to basically 0. The reason bitcoin has any value at all really has to do with trust - belief that the protocol is secure and can't be broken. In this case, an easily detectable spending "override" would cause faith in the protocol to evaporate.
2. Note I don't believe #1 would happen. The response would be that all the other miners, who do have a vested interest in bitcoin's success, would put all their resources into ensuring the original block was maintained.
I.e. the options aren't between one address getting the billion+ dollars or another address getting a billion+ dollars. The options are one address getting a billion+ dollars or everyone's bitcoin going to 0.
Edit: Another likely possible outcome is you could get what happened to Ethereum when the DAO was hacked: a fork to Ethereum vs. Ethereum Classic. But it's still important to note Ethereum Classic is worth a teeny fraction of what Ethereum is.
1. "51% attack" is not a thing as in "one has to have 51% of hashpower to perform it". It's just that with 51% of hashpower it becomes relatively cheap to perform such an attack. One can throw enough money at the problem and get lucky enough to perform a large reorg with just 10% of hashpower. The lower the number, the luckier the attacker has to get.
2. "Rewriting a block" or "billion dollar bounty", as the GP put it, are just conveying wrong ideas. There is zero chance for that $1B to get stolen even if the attacker gets 100% of the hashrate. All they can do is revert the transaction so that the money goes back to the original owners, by generating a fork in the chain that doesn't include said transaction.
Even that is not enough, because competing miners (assuming the attacker doesn't really have all 100% of the hashpower) will still eventually include the transaction because it pays lucrative fees.
The trick here is that in Bitcoin, parties agree to finalize the deal only after a certain number of confirmations (blocks created after the one that includes the transaction). The general rule is to wait for 6 confirmations.
If there indeed was some $1B deal where 94k BTC changed hands, I wouldn't be surprised if their agreed-upon number of confirmations was ~500 blocks (half the value of the transaction in question in miner rewards), which is roughly a 3-day wait.
Ultimately though, I'm pretty sure this was some kind of cold-storage consolidation, so no BTC actually changed hands.
1. A malicious syndicate gathers a billion dollars of bitcoin and sends it to themselves
2. In a short period of time, like a few days, the syndicate exchanges that bitcoin for non-bitcoin assets
3. The syndicate spends tens or hundreds of millions of dollars to fork the chain, backing up the ledger, so that they own the billion dollars of bitcoin again
So anyone accepting bitcoin for non-bitcoin assets for the next week or so is at risk. It doesn’t have to be a single transaction, though; this danger occurs whenever the transaction volume on bitcoin gets above the cost of mining.
which is now worth zero :)
The qualitative difference is that with 51% of hashpower you can sustain the attack indefinitely. Other miners might get the occasional block and temporarily take the lead but in the long run you'll always have the longest chain using only blocks you've mined yourself.
With less than 50% there's a chance that you can revert a transaction temporarily by mining two consecutive blocks (one to omit the transaction and another to make your chain longer than the original) in less time than it takes the main network to reach the same block height, but the odds of maintaining the attack drop by at least half with each additional block. The main network will always win eventually.
In any case no one controls anywhere close to 51% of the hashpower right now. There are pools which approach that size but they aren't monolithic entities; if the pool operators attempted to leverage their position as coordinators to carry out a sustained attack then miners would leave the pool.
If you're concerned that the person you're receiving funds from might be willing to attempt a double-spend then you should wait for a suitable number of confirmations before considering the funds successfully transferred. However, if they control over 50% of the hash rate then there is no suitable number of confirmations that would make the transfer safe.
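The confirmation-count question raised in the comments above (the 6-confirmation rule of thumb, and the point that an attacker's odds fall with every block the honest chain adds) has a standard quantitative answer: Satoshi's catch-up estimate from section 11 of the Bitcoin whitepaper. The following is an added Python example, not code from any commenter; q is the attacker's assumed share of hashpower and z the number of confirmations the receiver waits for.

```python
"""Added example: Satoshi's estimate of the probability that an attacker
with a fraction q of the hashrate ever catches up with the honest chain
after the recipient has seen z confirmations (Bitcoin whitepaper, s. 11).
p = 1 - q is the honest share; the attacker's progress while the honest
chain mined z blocks is modelled as a Poisson variable with mean z*q/p."""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that the attacker's private fork ever overtakes a chain
    that is z confirmations ahead. Returns 1.0 when q >= 0.5: a majority
    always catches up eventually (gambler's ruin with a positive drift)."""
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * q / p                 # expected attacker blocks while honest miners mine z
    poisson = math.exp(-lam)        # P[k = 0]; updated multiplicatively below
    never_catches_up = 0.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k      # P[k] from P[k-1], avoids huge factorials
        # With k blocks mined the attacker is z-k behind; the chance of ever
        # closing a gap of z-k blocks is (q/p)^(z-k).
        never_catches_up += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - never_catches_up


def confirmations_needed(q: float, max_risk: float = 0.001) -> int:
    """Smallest z for which the attacker's success probability drops below max_risk."""
    z = 0
    while attacker_success_probability(q, z) >= max_risk:
        z += 1
    return z


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45):
        print(f"q={q:.2f}: P(success | z=6) = {attacker_success_probability(q, 6):.7f}, "
              f"confirmations for <0.1% risk = {confirmations_needed(q)}")
```

The whitepaper's own table (q=0.1 needs 5 confirmations for under 0.1% risk, q=0.3 needs 24, q=0.45 needs 340) falls out of `confirmations_needed`, and q at or above 0.5 returns probability 1 regardless of z, which is the "no suitable number of confirmations" point above.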
Yes indeed. There are a number of very interesting game-theoretic feedback loops built into bitcoin that enhance security. This is one of them.
The expectation, at this point, is that defense will only occur if you are an elite insider. An unknown user may or may not be such an elite, and thus may or may not get defense.
Surely you aren't going to make such a statement without examples! I can think of examples where things were attacked, including some of the largest value destructions, and insider status didn't help. For example, the multisig thing that happened to Gav Wood (the second time).
If your lone example is the Dao attack, that looked like successful governance to me.
I wasn't sure what you were referring to, but it looks like maybe https://cointelegraph.com/news/parity-multisig-wallet-hacked...
The astounding, insane decision to use "libraries" aka delegate call in any immutable smart contract always boggled my mind. The amount of space saved is so ludicrously small as to beggar belief. Hope the 10k or whatever worth of space savings (about 20 transactions worth) was worth it.
Anyway, he didn't get a roll back, and the $200m in value that disappeared didn't either.
That seems a little out there.
(1) There is something like 1 person who uses bitcoin to move billions of dollars around. The small-time users (<$1,000,000 per transaction) wouldn't have any reason to lose trust in the system. If some company loses $1 bil in dollars, I really don't care; I don't live in a world where it affects me personally. Nobody is ever going to put serious resources into stealing from me because I'm just not that important.
(2) If they re-write the block, that doesn't mean that they've gotten away with it. Most countries have a legal system that would sit up and take notice if someone signs up for a billion dollar transaction, takes the goods and welches on paying.
Yes, but why bitcoin then?
I note that my emails from seekingalpha recently have ads saying "Vote <you-know-who> in 2020! Free Gold Victory Coin For Supporters - Claim Yours Now".
The Bitcoin and Ethereum ecosystems are rather different.
So around $12 billion (plus the datacenter, operations, etc). You'd pretty much send BTC to being worth $0...and then you're stuck with $12 billion in useless hardware.
Even if we were extremely generous, it would be a billion in hardware at the very least (I am assuming $500 manufacturing cost).
Theoretically, I can spend that much to make its value go to $0. (Yes, there are liquidity and other concerns, but you get the point.)
The Market Cap of Bitcoin is $184,000,000,000
I have plenty of money to play with.
Moreover, to gain $184B by shorting Bitcoin you'd need to find someone willing to loan you $184B worth of Bitcoin, and then somehow sell all of it without crashing the price or drawing unwanted attention to your activities. Of course if the price doesn't react the way you expect you could end up paying a lot more than $184B to buy it all back to repay the loan. You shouldn't assume that even a successful (but expensive, and obviously temporary) 51% attack will drive the price down to zero.
That is, the attack you're proposing would require commandeering 15% of the world economy and more than doubling world electrical generation capacity.
Bribing or backdooring ASIC miners is a far more likely vulnerability.
Hash functions used in the real world haven't been proven to have this property (and there are various theoretical limits on how readily they could be proven to have it, and maybe on the extent to which they could actually have it), but in order to be widely adopted, a hash function has to pass every available statistical test for approximating pseudorandomness, and also has to resist mathematical analysis aimed at finding useful structure. That means that ordinary human intelligences fail to find a practical recipe for predicting properties of the output from properties of the input.
In the same way, we would expect that deep learning systems fail to find such recipes too.
On the other hand, it's not absolutely impossible that there are some kinds of regularities that a deep learning system might discover. If so, they would be considered very serious flaws in the hash function in question. But deployed cryptographic primitives have sometimes had problems like this. The best example that I know of is the RC4 cipher, where there have been a series of statistical biases (which are often forms of correlation between input and output, which should not exist if RC4 approximated pseudorandomness well). Some of these were apparently discovered experimentally by researchers with some kind of hypothesis testing tools, as opposed to being based on theoretical abstract reasoning about the mathematics of RC4. This makes me think that some kinds of deep learning systems might also have been able to discover those correlations, although I'm not sure that they would have been the most efficient methods for doing so. (An interesting test might be to try to use deep learning to find new correlations in RC4 that aren't yet known -- which seems plausible since researchers have repeatedly found new ones over time.)
I think there are interesting problems about what kinds of correlations and structures deep learning systems can or can't learn efficiently, and whether those are the kinds of correlations and structures that are likely to exist as genuine flaws within deployed hash functions. I definitely don't know enough about the mathematics of deep learning to appreciate how to begin answering this question; I only know that if it turned out to be useful in some case, it would mean that the application of human intelligence and existing statistical tools to assessing hash functions' security had dramatically fallen down on the job.
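The comment above speculates that RC4's correlations were found experimentally with hypothesis-testing tools. Here is an added Python example (mine, not the commenter's) of exactly that kind of test, run against a textbook RC4 implementation on a constructed, seeded set of random 16-byte keys: it compares how often the second keystream byte is zero against the uniform null hypothesis, alongside a control position deep in the stream. The published fact it rediscovers is the Mantin-Shamir result that P[Z2 = 0] is about 2/256 rather than 1/256.

```python
"""Added example: detect a known RC4 keystream bias with a plain binomial
hypothesis test. Keys are constructed at random from a fixed seed so the
experiment is reproducible; nothing here is from a real deployment."""
import math
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); returns the first n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def count_zero_bytes(n_keys: int, positions, seed: int = 1) -> dict:
    """For each keystream index in `positions`, count how often that byte is 0
    across n_keys independent random keys. If the keystream were pseudorandom
    each count would be Binomial(n_keys, 1/256)."""
    rng = random.Random(seed)                  # seeded: constructed, reproducible keys
    depth = max(positions) + 1
    counts = {p: 0 for p in positions}
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key, depth)
        for p in positions:
            if ks[p] == 0:
                counts[p] += 1
    return counts


def z_score(count: int, n: int, p: float = 1 / 256) -> float:
    """Standard score of an observed count under the Binomial(n, p) null."""
    mean = n * p
    sd = math.sqrt(n * p * (1 - p))
    return (count - mean) / sd


def rc4_bias_report(n_keys: int = 20000, seed: int = 1) -> dict:
    """z-scores for the second keystream byte (index 1, biased toward 0) and
    for index 50 as a control where no bias of this size is known."""
    positions = (1, 50)
    counts = count_zero_bytes(n_keys, positions, seed)
    return {p: z_score(counts[p], n_keys) for p in positions}


if __name__ == "__main__":
    for pos, z in rc4_bias_report().items():
        print(f"keystream index {pos}: z = {z:+.2f}")
```

With 20,000 keys the second byte lands around eight standard deviations above the null while the control stays within noise, which is the kind of signal a generic statistical test picks up without any theory about RC4's internals.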
Most people think that this is impossible, but it has not been proven yet. Unless you had some reason for believing the technique would work, it's probably not worth the effort to try.
A sort-of precedent for that kind of problem which I mentioned in my sibling comment is the correlation weaknesses in RC4. While they're not the most powerful possible break of RC4, by any means, they are unanticipated flaws in the structure of RC4 specifically, and they might well have been discovered by software tools that can't solve NP problems in general. It seems to me that we don't have security proofs for symmetric cryptography at all, including for block cipher security properties as well as hash function security properties, and so while your observation is totally right in general, in any specific case it might just turn out that the cryptographic primitive we were using was weak in an unanticipated way that's specific to that class of functions.
Compare https://en.wikipedia.org/wiki/Random_oracle (although reading that article reminds me of how much I don't understand about this topic)!
As schoen pointed out, no common hash function, including the ones used in Bitcoin, has a proof of NP-completeness.
Moreover, none of those hash functions involve factoring numbers, and factoring numbers is also not known to be NP-complete, although it is also not known to be tractable in polynomial time. One reason commonly-used proof-of-work functions do not involve integer factorization is that, while integer factorization is not known to be doable in polynomial time, there are a number of algorithms that require subexponential time, so an integer-factorization-based proof-of-work witness would be much larger than an equivalent hash-function-based proof-of-work witness.
Also, it is not the case that efficient integer factorization would completely break all current encryption. Not only do no commonly-used hash functions depend on it, neither do any commonly-used symmetric ciphers (such as AES), and the currently-most-popular asymmetric cryptosystems also do not depend on the difficulty of integer factorization; instead they depend on the difficulty of the elliptic-curve discrete logarithm problem.
ECDLP is also not known to be NP-complete, but the currently-known algorithms for it are much worse than currently-known algorithms for integer factorization, so elliptic-curve cryptosystems require much smaller keys and less computation to resist the known attacks than integer-factorization-based cryptosystems.
As little as ten years ago, algorithms that could be broken by better integer factorization algorithms were relatively much more important than they are today, because elliptic-curve cryptography was much less widely used. Many vulgar accounts of the situation intended for the ignorant are not up to date.
Finally, it is not true that a proof that P=NP would "completely break all current encryption", for two reasons. First, it might not be a constructive proof — it might show that a polynomial-time algorithm for factoring integers, solving ECDLP, or computing hash preimages exists without actually telling you how to compute it. Second, even a constructive proof of P=NP might not provide an algorithm that was adequately efficient — if it takes O(n²) time to encrypt and decrypt, where n is the size of a key, but O(n⁸) time to break a message or a key, you might be adequately safe with, say, RSA-4096. But an O(n⁸) algorithm for 3-SAT would definitely be a constructive proof of P=NP.
(Shor's algorithm on a quantum computer can break RSA, because it does depend on integer factorization, in O(n³) time, if quantum computers can exist, which they probably can. This would not make it impossible to do RSA encryption securely, but it would require much larger keys than are currently used.)
However, your fundamental point is that a successful attack on Bitcoin's hashing algorithm, using artificial neural networks or anything else, would be very surprising and have major implications, because that proof-of-work scheme is designed to require exponential work, and as far as anyone knows, it does. And that fundamental point is correct, even though you have made a number of errors in your supporting points.
So these machines are made specifically to mine bitcoin; other ASICs do other jobs, but individual units cannot transfer from one job to another and cannot be repurposed.
Finally, you certainly cannot buy off the ASIC miners with a few million, not least because they own billions of dollars worth of ASICs that can't do anything but mine Bitcoin, and a successful state-orchestrated attack on Bitcoin would make all of them worthless. I don't think a state government taking down Bitcoin by its own rules is completely impossible, but you don't seem to have any grasp of the scales involved.
And in the end, after your massive investment, the community would just make some trivial change to the protocol and completely ignore the attack. Really, if this sort of thing was so easy then everyone would be doing it. You're certainly welcome to try.
Bitcoin has long since passed the stage where you could 51%-attack it for piddly amounts of money.
Most other altcoins, though...
Or are ASICs capital expense cheap and available and already over provisioned compared to operational costs, like dark fiber optics?
Separate from the manufacturers, relatively easy courses of action I can see are buying hashing power from marketplaces like nicehash, and temporarily concentrating their machines on BTC and not mining BCH. This can only get you so much though since BTC hashrate dwarfs BCH hashrate.
And really, if you're talking about limiting cases, you're bounded by what your counterparties are good for, and by what your relevant regulators will let you get away with (or, depending on who your counterparties are, how far you can go before you end up in a ditch somewhere).
To do what exactly?
Nobody can redirect the transaction to themselves and the best they can do is erase it. 51% attacking the network will cost you a lot, and you won't actually win anything in your attack.
Even if the owner of the coins is the attacker, you can only win by double-spending the transaction by reversing a payment to someone else. Of course if we're talking about such a large transaction you should wait for more confirmations, making the double-spend attack so much more difficult to pull off.
Anything you would get in return, like a bank transfer or parts of a city, would have a much longer settlement time. Being afraid of your Bitcoin transaction being reversed should be the least of your worries.
The transaction now has 572 confirmations. Nobody will ever reverse that.
... accomplishing exactly nothing as all that would do would be returning the money to original spenders. Really, the amount of misinformation floating here is unexpected.
> Now that the value resides in a single coin, any subsequent transaction faces the same risk.
Non sequitur. A rollback of such a block would, in significance, be somewhere between "mildly annoying" and "introducing suspicion that future transactions could also be rolled back." In any case, coins would end up where they are supposed to, and no theft can be done. There would be increased risk of double spends, but worried parties could always invest in more (legit) hashpower.
> A consortium/trust has formed in which individuals pay into a common pool of money.
Speculation, but reasonable. It makes business sense.
> That money is then protected with a multi signature script (consistent with the P2SH type). Given a threshold of signatures, the money can be spent, subject to other constraints. These will remain unknown until the first payment is made. At that point we'll know the number and identity of all the eligible keys and the threshold needed to make payment.
Speculation, but too wild. Basically wishful thinking.
> Edit: to be clear, the "bounty" I'm talking about can't be directly claimed just by mining some blocks. Instead, it would have to be claimed as part of a double spend of either the transaction in question or as subsequent transaction of the now-enormous output. Most likely, there would be collusion of some kind between a miner and the owner of the keys. I'm not saying this will happen, but the bigger the transaction, the greater the risk.
Again, wild speculation. So the theory is that someone collected $1B in BTC just to pull off a massive double spend stunt? At that level, it's likely that rubber hose cryptanalysis would resolve the issue quite efficiently.
The value of the address is denoted in 'coins'.
The holder of that 'address' is the owner of the coins.
Multiple 'addresses' controlled by the same owner would exist in a 'wallet'
I wonder if they finally swept all those inactive accounts out.
I started using it back in the $50 days, so some thousands of bitcoin may have been a lot less of a deal when they got deposited.
Your second point makes even less sense. A bug bounty on what exactly? Why would anyone attempt to erase this transaction when it can be resubmitted?
This is incorrect. It creates a billion dollar bounty only for the sender if they want to commit fraud by effectively reversing the transaction and trying to double-spend the coins by sending them elsewhere.
Anyone with 94k BTC would probably be harming themselves by simply driving the value of BTC to almost 0 by performing such an attack. It would be extremely obvious to everyone once this transaction was reversed due to a chain reorg.
BTC-e was the longest running bitcoin exchange and the single most reliable. I had more money than I'd like to admit stolen from me. Their statement was only people who participate in tax evasion use btc-e.
BTC-e was a cover to help criminals steal from Bitcoin exchanges and safely dilute the funds.
It sucks that you lost your money, but it was wrapped up with billions of dollars of dirty money, and it's probably tough for investigators to distinguish the two.
It was not. Coins going in and out of btc-e were labeled making laundering through btc-e difficult at best.
>BTC-e was a cover to help criminals steal from Bitcoin exchanges and safely dilute the funds.
BTC-e was around longer than those exchanges.
The thing about BTC-e is every time bitcoin crashed, btc-e would chug along just fine without going down. All other exchanges would become unresponsive. This made, at that time, btc-e the only "safe" program-trading bitcoin platform. (Of course, in hindsight, with the US gov coming in and stealing all that money, "safe" is a bit of an overstatement.)
BTC-e was perhaps "safe" in that it seemed to be operated competently from a technical standpoint, and it didn't appear to attempt to scam its users (both of which may not be true of Mt. Gox), but it didn't really need to worry about costs due to the absurd amount of profit they were making from their laundering hustle.
It wasn't that they merely turned a blind eye to the laundering. Vinnik personally assisted in the laundering, presumably by working with some of the exchange hackers.
>BTC-e was around longer than those exchanges.
I should've said "a cover to help criminals launder illicitly gained cryptocurrency". There were plenty of reasons to launder cryptocurrency before any large exchanges existed. He didn't help just with exchange hacks. But when exchange hacks started happening, business was certainly booming for him, since that was the easiest way to steal a lot of cryptocurrency at once.
The US government may have inadvertently stolen your money, and other people's, but they did it to reappropriate billions of dollars money stolen from citizens around the world, including American citizens. Vinnik helped intentionally steal money from ordinary people who used Mt. Gox and other exchanges, and pocketed a lot of it for himself. Hopefully some of the money the US government seized will be returned to their rightful owners one day, but who knows.
The court case is starting in a little over a week, so Alexander Vinnik (the one accused of the MtGox hack, who was a technician working at btc-e) has yet to be found guilty or innocent.
>On 25 July 2017, suspected BTC-e operator Alexander Vinnik was arrested at the behest of the United States Justice Department while vacationing with his family in Greece. Wanted for money laundering by both France and Russia, in addition to the US. Vinnik agreed to be returned to Russia, where he was charged only with fraud. In October 2017 the extradition request by Russia was approved by one Greek court, but the request by the United States was approved by another. The decision to extradite Vinnik to the United States was upheld by the Greek Supreme Court on December 13, 2017. However, in July 2018 Greece agreed to extradite Vinnik to France instead, giving precedence to the European warrant. A final ruling is scheduled for September 19, though Vinnik's lawyer claims that "the decision on Vinnik's extradition to Russia has been made".
It's good that he didn't end up going to the US. The US, while legitimate in many ways, has a history of corrupt court practices. If it's in the government's interest to keep the 2 billion, which it is, they will do everything they can to throw him under the bus.
I don't know how anyone can, with a straight face, compare the US court system to Russia's and not conclude that the US is orders of magnitude more fair and less corrupt. Are you being serious right now? The Russian court system is literally a proxy for Putin's decisions.
EDIT: disregard that, I somehow assumed extradition to Russia was a sure thing already.
It may surprise you that France is not a province of Russia.
Russia may have a bias, I'm uncertain. I'm not sure how happy Russia was about btc-e. BTC-e may have been in the Ukraine, but Russia implicitly requires neighboring countries to follow Russian law. Did BTC-e break Russian law? I have no idea. But because he is not being extradited to Russia, we'll probably never find out what Russia thinks.
So the US stole money that was stolen and... might give it back?
Some quote about bitcoin enthusiasts rediscovering the reason for regulations in the financial markets one loss at a time.
If btc-e were part of a well-regulated financial system, they would have gone through a liquidation process and creditors would have been paid some % on the $ of what they were owed.
This is what happened with BCCI when it was raided and shutdown for massive money laundering.
>Just a month later, BCCI's liquidators (Deloitte, PWC) pleaded guilty to all criminal charges pending against the bank in the United States (both those lodged by the federal government and by Morgenthau), clearing the way for BCCI's formal liquidation that fall. BCCI paid $10 million in fines and forfeited all $550 million of its American assets – at the time, the largest single criminal forfeiture ever obtained by federal prosecutors. The money was used to repay losses to First American and Independence and to make restitution to BCCI's depositors.
Likely what makes the US special in this instance is that they did it first, and as long as other countries aren't going to make a stink about it (i.e. the US backs up its claims to some degree or the other countries don't want to question them), then it will get away with it.
Rule of law is for people. Countries operate on a mixture of laws, norms, and consensus building. If every country but one decided to raid that one country, and they had the power (as in economic and military power) to do so, what's to stop them? Not a law, which they by nature can just rewrite.
Real justification: Extraterritoriality is a thing you get to do when you're an empire.
This is exercise of extraterritorial jurisdiction, which is not the same thing as (though also not unrelated to) extraterritoriality.
And everyone gets to do it, it has nothing to do with being an empire (actual extraterritoriality beyond what is normal for, e.g., diplomats might, but this isn't that.)
Trivial amount of money laundering
The only company within US jurisdiction that BTC-E did business with is a company called "tradehill". The amounts of money moved were small, ranging between $12.60 and $17,000. Less than $100,000 was moved overall and all of it was moved in early 2012.
The US doesn't care about tracking down the $12.60 that you laundered on 24 January 2012 like it says in the indictment. The US is just using that as an excuse to impose its money laundering laws outside of its jurisdiction. The indictment is a pretext for extraterritoriality. Extraterritoriality is a thing you get to do when you're an empire.
Just seems silly to try and cast the US as an "empire" here when all you're really saying is "the US is a very powerful nation".
Because no one is able to stop them.
A foreign power can have any law it wants, and no other foreign power has to respect it. You can try to sue them, but sovereign immunity, and foreign sovereign immunity, stops almost all of these attempts. The exceptions generally are human rights abuses (by the same state doing the suing...) and commercial transactions.
In this case, the USG stole from money launderers in a foreign country. So not only can people in the US not sue the USG over it (sovereign immunity), people in the Ukraine can't sue the USG over it (foreign sovereign immunity). The thieves would have the best claim, but it doesn't work out well when you claim your illegal business was stolen from. And since it's a foreign power, if the US balks, it would be covered under international law, and guess who enforces international law?
It may take some time and effort to get the property back, but there is a process.
It looks like the man behind it was arrested while holidaying in Greece - a US ally.
At some point, someone will want to do something in the real world with this money, and the government can step in there.
What I seem to remember is that they plastered their logo on a website and the servers just launched another frontend under a different URL.
I saw that they imposed fines
I didn't see that they actually seized any
> The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were.
> As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.
Recently there are newer cryptocurrencies like Monero and ZCash that focus specifically on anonymity/privacy.
There’s the IP record of the user hitting the server that processes their request (it might be your own box if you’re storing the whole chain yourself but most people use thin clients). Then there’s the list of inputs (cryptonote based currencies like monero use ring signatures which provide obfuscation but not binary privacy). Then there’s the list of outputs, which may be able to be linked to inputs revealing the transaction graph (zcash helps solve this with their circuit proving technology, but it’s limited in temporal scope by the fact that there’s a transition between transparent and hidden addresses). Then there’s the amounts of a given transaction (modern cryptocurrencies use range proofs to conceal the amounts but older currencies don’t).
To recap, there’s access information like IP, transaction information that can be used to reassemble the transaction graph, and balance information which, again, can be used to reassemble the transaction graph. The broad point is that if you can assemble the transaction graph, any additional information, like a list of known addresses, will severely deprecate the privacy of the entire system.
There are potentially ways around this, but they all involve breaking transaction linkability, which is fraught with peril for a variety of reasons (such that no currency has actually achieved this in a meaningful way so far).
There are also zero-knowledge proof contracts on Ethereum that provide privacy, like the mixer tornado.cash.
Unfortunately, Bitcoin (BTC) is not anonymous, as you pointed out. It never was; and with tax laws requiring copious transaction information, it is particularly easily traceable.
That's the idea behind Monero & Co., which tries to mix things up a bit (literally). The anonymity is still not perfect, especially against state-level actors.
With PirateChain it is, but true anonymity brings with it other technical challenges.
If most people report their PirateChain transactions, amount in, amount out, then the problem is that unreported transactions would stick out and would probably be associable with wallets. Am I getting this wrong?
I know it's necessary to report transactions which establish the cost basis for capital gains, but that doesn't mandate reporting of all transactions.
If you bought a Bitcoin when it was $5000 and you spend 0.2 Bitcoin today (now they're ~$10000 a piece) you would need to report $1000 of capital gains.
You could argue that would make your 0.2 Bitcoin / $2000 purchase cost more, because you have to add the tax. On the other hand, if you sell those Bitcoin later, you would have to pay those capital gains tax anyway.
The story does become a bit more complex when you factor in long-term vs short-term capital gains tax.
But it can be used anonymously and probably in some industries is still used anonymously. A counterparty that is willing to swap anonymously acquired and sent altcoins for Bitcoin can provide a privacy conscious individual with anonymous Bitcoins.
If using proxy chains, Tor, or a real person in another country to broadcast your trade isn't your cup of tea because you don't trust them, there is still another, less practical way. If you secretly give someone your Bitcoin private key (for example, written on a small piece of paper), you can give or trade those Bitcoins to someone without the network knowing about the transaction.
> so most likely it is the same entity, or a transaction partner.
Conceivably, the transaction could be broadcasted from an important individual's hacked phone or computer without a trace. This is where being innocent until proven guilty becomes important.
Not if amounts are tracked, rather than addresses. "oh look, this gal X just lost 5.3876BTC and gained 3.76549ALTCOIN, and this other dude Y just gained 5.3876BTC and lost 3.76549ALTCOIN. Geeze, I wonder if they traded."
And with the proper graph theory tools, much more complex interactions could be tracked.
It's still not immune to tracing, obviously, but it's a much harder problem than just looking for symmetric transactions.
The simplest system, though, is probably just to spend some BTC renting time on a mining rig. It doesn't have to be profitable, just break even. Newly mined bitcoins have no official history to show who paid for the mining.
"And with the proper graph theory tools, much more complex interactions could be tracked."
> The simplest system, though, is probably just to spend some BTC renting time on a mining rig. It doesn't have to be profitable, just break even. Newly mined bitcoins have no official history to show who paid for the mining.
That is a good idea.
So you've said, and I already agreed that it isn't impossible. But do you have any real-world examples where someone followed reasonable OPSEC (fixed denominations, mixers, randomized timing) and still had their transactions successfully traced via these "proper graph theory tools"?
Typically that would be either the academic researcher attempting to prove that their investigation technique works, or the prosecutor looking to use the results of such an investigation as evidence in a trial.
> When we deal with opsec, we have to consider what is possible...
Anything is possible. Even ideal encryption algorithms—other than one-time pads—have some non-zero probability of being broken within a reasonable timeframe by a brute-force search, but that doesn't make them useless. As long as it's not cost-effective to trace the transfer, that's enough. It doesn't need to be mathematically impossible.
> or the prosecutor looking to use the results of such an investigation as evidence in a trial
I'm inclined to believe in the possibility of parallel constructions being used to cover up the best sources of intel.
> Anything is possible.[...] As long as it's not cost-effective to trace the transfer, that's enough. It doesn't need to be mathematically impossible.
And here, I think it is probably cost-effective to come up with that technology, because it would allow tracing people and transactions that might otherwise be impenetrable. And, if that were the case, I don't have a hard time imagining that it would be of utmost importance to keep such technology under wraps.
But again, at this point it seems like we're comparing pessimism to optimism.
So am I, to a point, but even if they prefer not to disclose their actual methods (and are willing to commit perjury) they can't exactly hide the results. And others wouldn't have any incentive to keep their successes hidden.
> ...I think it is probably cost-effective to come up with that technology...
This isn't a matter of "technology" where some R&D spending up front is likely to lead to a method of cheaply tracing funds. If such a method existed then the system would indeed be broken; it would be akin to finding a critical weakness in an encryption scheme. Barring design flaws, however, the idea is to make all the transactions look the same so that even using your best graph theory tools you can't narrow down the possibilities enough to reasonably investigate all of them. That's what I meant by "not cost-effective": When there are 50 transfers that fit the parameters then you can investigate them all, but if there are 50,000 plausible trails to investigate then that effort would only be worthwhile in very high-profile cases.
Yes, I think that is the fundamental problem with depending on 'mixers' against state-level actors. We both agreed earlier that the tech is theoretically possible. It seems like we're disagreeing about whether someone exists who is motivated enough to build the tech, and whether that person is also motivated to keep their tech under wraps.
> they can't exactly hide the results
It's a known method that US law enforcement has done in the past. Parallel construction is absolutely a thing. https://en.wikipedia.org/wiki/Parallel_construction
> the idea is to make all the transactions look the same so that even using your best graph theory tools you can't narrow down the possibilities enough to reasonably investigate all of them
I just don't get the impression that it's successful. There's a lot of 'metadata' that could be used to narrow the candidates down: geography, time, transaction amount, method of accessing the exchange (API / browser / desktop app ), age of wallets - I don't know which is specifically relevant here, but there's a lot of similar information which could be used to narrow the possibilities down, and most of it could probably involve 'fuzzy logic'. I just don't think that a threat model which includes state-level actors should ignore the possibility that transactions could be traced through mixers.
By the way, I'm really enjoying this discussion. Thanks for playing. :)
If you want an anonymous currency check out something like Zcash or monero. They use some fancier crypto to obscure transaction inputs and outputs, which gets you a bit farther towards being anonymous.
Bitcoin has been and always will be a way to cut down transaction costs, cutting out the middle man, i.e. cutting out the banks. To do that, everyone has to be able to audit every transaction and verify the authenticity of a transaction. In this way Bitcoin is anti-anonymous, always has been and always will be.
The entire history of every transaction between every wallet is visible. This means if someone knows your wallet ID (i.e. you bought something from them and shipped it) they know exactly how much bitcoin you have in that wallet.
Some people try to be anonymous on it, but as some of the drug dealers on Wall Street Market found out, that's pretty hard to do. Law enforcement was able to track down some of them by tracing their bitcoin transactions.
It's not anonymous anymore. Transactions are being tracked to the IP addresses they originated from. This tracking has been going on since 2014.
From the article:
>But there is no top-down coordination of the Bitcoin network, and its flow is far from perfect. The Koshys noticed that sometimes a computer sent out information about only one transaction, meaning that the person at that IP address was the owner of that Bitcoin address. And sometimes a surge of transactions came from a single IP address—probably when the user was upgrading his or her Bitcoin client software. Those transactions held the key to a whole backlog of their Bitcoin addresses. Like unraveling a ball of string, once the Koshys isolated some of the addresses, others followed.
>Ultimately, they were able to map IP addresses to more than 1000 Bitcoin addresses; they published their findings in the proceedings of an obscure cryptography conference. ....
Today Monero or maybe ZCash is leading the privacy department and they do offer the anonymity you're after (with some weaknesses of course).
Monero, and to a lesser extent, Zcash are coins that were designed to be anonymous (Although Zcash has opt-in privacy, whereas Monero is default)
Having a public transaction record makes it possible, even easy to identify and track behaviors of anyone.
Everyone you give money to knows exactly where all of that money has been and presumably who you are.
You can make it more anonymous by doing some things, but then it's just ordinary money laundering, only, honestly, more difficult.
It's when you connect the transaction to some bank (like when you transfer from the wallet on your computer to Coinbase, where they have your tax ID number, then withdraw to your real-world bank) that it can be so easily traced.
But if you just keep some BTC in a wallet and do business out of that, it's effectively cash. Even if you bought bitcoins on Coinbase then transferred them to your local wallet, once it leaves Coinbase the wallet ID itself doesn't have anything tying it to the laptop in your friend's basement in Brazil. From there who knows where it goes; I just bought pizza with it, officer, idk what the guy who sold me the pizza spent it on.
A transaction ledger itself isn't inherently identifiable. Otherwise we would know who just transferred $1B+ in this article and not have a bunch of comments wondering who it is lol.
Now, there are truly anonymous cryptocurrencies, but Bitcoin isn’t one of them.
Or in other words, what makes that sentence more true than sentences replacing the word Bitcoin with the words phone/email/pigeon carrier/etc?
Genuine question, not rhetorical - I don't really follow bitcoin.
Bitcoin can be used with novel targets (receiving addresses) for each uniquely received transaction: i.e. instead of having one bank account with all your transactions, each transaction is in its own anonymous bank account. By doing this, outsiders cannot know that two transactions are owned by the same person without that owner otherwise revealing the association via co-mingling funds or revealing ownership off-network (ex. sending to exchange that does KYC+AML).
Also, I can't imagine it's very convenient to manage a large number of separate keys.
You can have one secret master key and then derive many keys from that. Without the master key you cannot tell that they are linked.
A computer can do that for you.
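As an added example (not code from anyone in this thread), here is what "one master key, many unlinkable child keys" looks like in practice. It implements the hardened private-key derivation step of BIP32 (HMAC-SHA512 keyed by the chain code, with the "Bitcoin seed" master-key construction) on secp256k1 using only the Python standard library. The seed is a constructed demo value, not a real wallet, and the per-key "fingerprint" is a plain SHA-256 of the compressed public key, a simplification standing in for the real HASH160 plus Base58/bech32 address encoding. Each child key is a function of the master key, the chain code and an index; an observer who sees only the resulting public keys gets nothing that ties them to each other.

```python
"""Hierarchical key derivation: one master secret, many unlinkable child keys.

Added example; implements BIP32 hardened child derivation on secp256k1 with
the standard library only. Seed below is a constructed demo value.
"""
import hashlib
import hmac

# secp256k1 curve parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # BIP32: indices >= 2^31 are "hardened" children


def is_on_curve(point):
    """True for the point at infinity (None) or any (x, y) with y^2 = x^3 + 7 mod P."""
    if point is None:
        return True
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def _point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a == -b
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point=G):
    """Double-and-add scalar multiplication k*point (demo only, not constant time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def master_from_seed(seed: bytes):
    """BIP32 master key: HMAC-SHA512("Bitcoin seed", seed) -> (private key, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if not 0 < k < N:
        raise ValueError("invalid master key, choose another seed")
    return k, i[32:]


def derive_hardened_child(parent_key: int, chain_code: bytes, index: int):
    """BIP32 hardened child: I = HMAC-SHA512(cc, 0x00 || k_par || index'), k_child = (I_L + k_par) mod N."""
    idx = index | HARDENED
    data = b"\x00" + parent_key.to_bytes(32, "big") + idx.to_bytes(4, "big")
    i = hmac.new(chain_code, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    child = (il + parent_key) % N
    if il >= N or child == 0:
        raise ValueError("invalid child, skip this index")  # astronomically rare
    return child, i[32:]


def public_fingerprint(priv: int) -> str:
    """SHA-256 of the compressed public key; stands in for a real address encoding."""
    x, y = scalar_mult(priv)
    compressed = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return hashlib.sha256(compressed).hexdigest()


def derive_receiving_fingerprints(seed: bytes, count: int):
    """One fresh, unlinkable receiving key per transaction, all from a single seed."""
    master, chain_code = master_from_seed(seed)
    fingerprints = []
    for index in range(count):
        child, _ = derive_hardened_child(master, chain_code, index)
        fingerprints.append(public_fingerprint(child))
    return fingerprints


if __name__ == "__main__":
    DEMO_SEED = b"constructed demo seed, not a wallet"  # constructed value
    for n, fp in enumerate(derive_receiving_fingerprints(DEMO_SEED, 5)):
        print(f"receiving key {n}: {fp}")
```

Run it twice and the same five fingerprints come out, which is the whole point for the wallet owner: only the seed needs backing up. Anyone without the seed sees five unrelated public keys, and because the derivation is hardened, even a leaked child private key does not expose its siblings or the parent.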
...what is a "system administrator" anyway, and why is my computer telling me to ask them for help?
The recipient would be wise to immediately spend the coins to an address only they know, unless they have absolute trust in the giver.
As they say: not your keys, not your bitcoin...
The person "Paying" the other person could have backed up the private key and simply recovered it at a later date to send to another wallet.
Bitcoin is not gold, so don't think of it like gold.
How could you possibly know?
Just gotta say, it's pretty amazing we live in a world where 1 billion dollars can get transferred pseudo-anonymously in a reasonable time frame, only costing the transferring party $600. As a really stupid, non-real-world comparison, Western Union has a transfer limit of $2500 per transaction, and a $20 fee per transaction. If you were to initiate a $1,000,000,000 transfer it would take something like 400,000 transactions, costing you something like $8 million in fees.
There's a lot of dollars moving around in the global financial system quickly and affordably, Bitcoin advocates just don't seem to know about it for some reason.
If you need to spend it locally, you still need forex at some point — but that's a much more predictable proposition than going from the wildly volatile BTC to local currency.
Given the tick size, crossing the spread with this ETF is going to cost you around 10bp alone. Never mind that this ETF only holds $45m in assets - you're only going to be able to get a very small amount without eating through price levels. On top of all this you have to carry 3 days of currency risk?
I'm sure other online discount brokers are similar, but I checked Interactive Brokers, since I'm a customer, and they charge max 0.2bp fees, the spreads are around 1bp and there's no currency risk.
The most common use case I'm familiar with is within RRSPs, as there is sometimes a tax advantage to using US-listed ETFs within them. Most brokerages charge 1.5-2% to do currency conversion so it would be a lot better deal to do Norbert's Gambit to get USD trading funds.
Paying 1.5%-2% for FX conversion between two major currencies is very expensive unless the sums are small. The last time I converted currencies using a discount broker - including all costs I was charged less than .1% compared to the mid-market rate at the time.
I was just wondering, what weirdness must be going on to make that so.
Bitcoin advocates know very well that centralized systems are faster and more efficient; that’s just the trade-off of actually owning your assets. Right now you own nothing but some promise in some database controlled by a bunch of potentially corrupt individuals governed by potentially repressive institutions.
Are you describing Bitcoin or fiat currency?
“Supposedly” because no proper audit of tether assets and liabilities was done and there is little transparency.
Counterargument is that if tether is insolvent, it would affect Bitcoin but only to some degree.
Here’s the logic: if Tether was printed without backing to buy and prop up the price of Bitcoin, then somewhere somebody is sitting on a pile of USDT which they will want to get rid of. You can get rid of USDT by asking Tether to buy them back from you for USD, or you can trade them on the market for BTC. Assuming Tether goes dark, USDT owners will be forced to sell USDT at a discount, creating even more buy pressure for BTC. The whole thing will be a huge debacle and incur some damage to BTC, but ultimately it’ll be perceived like one more exchange scam: not your keys, not your Bitcoin; trusting that USDT can keep USD parity is purely on you.
Bottom line is - people are being manipulated, not Bitcoin. Bitcoin will continue to live up to its promise - distributed open ledger and transaction platform, solving consensus problem via proof of work and there will only ever be 21 million of them.
Many people cannot access bank accounts that allow this sort of transfer, and that's why Western Union etc. exist; they charge a % of the value being transferred as well as a flat fee.
> As a really stupid, non-real-world comparison
This is largely a feature, not a bug, as various Bitcoin exchanges have discovered.
Except we're all out here talking about this and no one knows what other $1bn transactions have occurred in the banking system today so we're not talking about those.
With that in mind, you seem to be conflating a FOREX transfer with a bank-to-bank transfer, which you can use a $30 (or as cheap as free) wire to move the whole billion instantly.
Actually, this isn't true. That's the lowest-cost way of converting the bitcoins to actual things. But if you don't want to interact with an exchange, you have enough BTC that you can easily find someone who will just take your payment in BTC and take on the job of going through the exchange themselves.
For instance, if you came to me and offered me either $500K in dollars or $500K worth of BTC at today's prices (good luck defining that with volatility) I'd say sure, for $550K worth of BTC and I'll exit it immediately. Well, probably not, because I'm sure that BTC is either dirty or avoiding taxes and that's not a conversation I want to have with the IRS/FBI, but that's why you'd have to pay me so much more.
i.e. anything at that rate or greater would confirm in the next block, so there's no difference in paying more.
So, what is the minimum amount you could send with a proper transaction fee? Could someone flood the network with millions of unconfirmed transactions?
So, people are continuing the theme of redundant comments initiated by the original.
I'm quite sure the banking system could do the same, no problem. These are not technical limitations, they are regulatory. It's controversial enough whether any human actually needs a billion dollars, let alone the freedom to move/spend it however they want with zero oversight. But that's just me.
Wouldn't a normal bank wire of the same amount cost less than that, say $25?
And then the bank might charge a fee too, although I suspect with accounts that large, banks would do what they could to minimize fees, since that much capital helps them with loans/interest.
Not only that, you would have the Eye of Sauron quickly looking at you for moving such quantities, especially if it were a private individual or some smaller group that isn't all registered with the powers that be.
There's simply no comparison.