In recent times, two of the most popular privacy-focused Bitcoin wallets have been Samourai Wallet and Wasabi Wallet. On July 22nd, the former said the latter appeared to have something seriously amiss with its trustless coin shuffling service.
Released last fall, Wasabi is an open-source wallet that leverages the so-called Chaumian CoinJoin mixing technique for anonymizing bitcoin transactions.
On Monday, the Samourai team said blockchain analysis indicated a malicious entity was seemingly using address reuse within Wasabi to de-anonymize its users.
Specifically, Samourai pointed toward an entity the OXT blockchain explorer calls ANON-2300390908 as the culprit.
This entity participates in Wasabi transactions and enjoys an address reuse rate of over 60%. Of course, there should be 0% address reuse within any mixing platform, so something is not right. Let's look into it.
OXT Entity Cluster: https://t.co/AxIzE1OhRY pic.twitter.com/kK2FhAokvc
— Samourai Wallet (@SamouraiWallet) July 22, 2019
In analyzing ANON’s “two primary addresses of interest,” dubbed Address A and Address B, Samourai found the agent appeared to be clustering Wasabi transactions to taint them and thus track their senders and receivers. The activity started on June 1st, per OXT.
“These two addresses are the biggest address reuse violators, and by merging unconnected UTXOs with these addresses have created a cluster of 254 addresses connected to this entity,” the Samourai team noted.
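As an added illustration (not code from Samourai, OXT or Wasabi), the Python example below runs the two checks this passage relies on over a small constructed transaction list: flagging CoinJoin rounds whose outputs pay an address that was already seen, and grouping addresses that are spent together in a merge. The reuse-rate definition used here (share of CoinJoin outputs paying an already-seen address) and the grouping rule (inputs of a non-CoinJoin transaction share an owner) are assumptions made for the example, not OXT's published method, and every address label is made up.

```python
# Constructed sample: made-up address labels in chain order, not real chain data.
# "coinjoin" marks mixing rounds; other transactions are ordinary spends.
TXS = [
    {"txid": "cj1", "coinjoin": True,  "inputs": ["u1", "u2", "A"], "outputs": ["m1", "m2", "A"]},
    {"txid": "cj2", "coinjoin": True,  "inputs": ["u3", "u4", "A"], "outputs": ["m3", "m4", "B"]},
    {"txid": "mg1", "coinjoin": False, "inputs": ["B", "x1", "x2"], "outputs": ["B"]},
    {"txid": "cj3", "coinjoin": True,  "inputs": ["u5", "B"],       "outputs": ["m5", "B"]},
]

def reuse_report(txs):
    """Return (reuse rate over CoinJoin outputs, {txid: reused output addresses})."""
    seen, flagged, total, reused = set(), {}, 0, 0
    for tx in txs:
        if tx["coinjoin"]:
            outs = set(tx["outputs"])
            # A mixed output should be fresh: never seen before, and not one
            # of the addresses funding this same round.
            hits = sorted(a for a in outs if a in seen or a in tx["inputs"])
            total += len(outs)
            reused += len(hits)
            if hits:
                flagged[tx["txid"]] = hits
        seen.update(tx["inputs"], tx["outputs"])
    return (reused / total if total else 0.0), flagged

def cluster_of(txs, address):
    """Addresses linked to `address` by being co-spent outside CoinJoin rounds."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        if not tx["coinjoin"]:  # CoinJoin inputs belong to different users
            for other in tx["inputs"][1:]:
                parent[find(other)] = find(tx["inputs"][0])
    root = find(address)
    return {a for a in list(parent) if find(a) == root}

if __name__ == "__main__":
    rate, flagged = reuse_report(TXS)
    print(f"CoinJoin output reuse rate: {rate:.0%}", flagged)
    print("cluster around B:", sorted(cluster_of(TXS, "B")))
```

On a healthy mixing service the first function returns a rate of zero and an empty dictionary, which is the baseline the article's "0% address reuse" remark refers to.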
As for who might be responsible, Samourai didn’t name names, though the wallet makers said they had “circumstantial evidence” indicating who or what was operating the questionable wallets. They chose to initially withhold that information but said right out of the gate that it didn’t appear Wasabi Wallet was aware of the activity.
We have circumstantial evidence to who this entity may be. However, we are not in the business of peddling false info, so will avoid preemptively naming this entity.
To be clear, we are NOT suggesting this activity is known or condoned by the operators of Wasabi Wallet.
— Samourai Wallet (@SamouraiWallet) July 22, 2019
What Happens Next?
At the very least, caution is warranted until more is known.
“Almost every [Wasabi] transaction since June 1 is impacted by this,” Samourai Wallet argued in their Monday public service announcement.
Users should avoid registering their UTXOs for mixing until this is addressed by Wasabi Wallet. This report was initially intended to be sent privately to the developers, but due to yet another social media attack by those developers upon our team, it was decided to go public.
— Samourai Wallet (@SamouraiWallet) July 22, 2019
Samourai said it would commit to publishing more information on ANON-2300390908 if the entity responsible didn’t “publicly acknowledge and apologize” for its actions in the near future.
The wallet makers added that their fresh falling out with the Wasabi team influenced them to go public, though technically the information was always publicly available on the Bitcoin blockchain:
“Responsible disclosure does not apply in this case. The effects of this are on the public blockchain since June 1 and cannot be erased. We are simply the first to see it and say something about it. Good luck and stay safe out there.”
Notably, on July 21st Wasabi Wallet creator nopara73 posted an article titled “WasabiLeaks — Is Wasabi Wallet Deanonymized?” Therein, nopara73 accused Samourai Wallet’s developers of conducting a recent “misinformation campaign” against Wasabi’s implementation of CoinJoin.
So far, Wasabi hasn’t publicly addressed Samourai’s latest allegations regarding ANON-2300390908.
Who Could ANON Be?
It’s no secret that blockchain analysis firms like Chainalysis and CipherTrace are all routinely assumed to be probing mixing services.
With that said, such companies are surely high on the lists of many when it comes to possible ANON-2300390908 suspects.
Of course, there’s no proof at present that professional blockchain investigators are behind the mysterious Wasabi entity. And even Samourai Wallet have said they only have circumstantial evidence for now.
Yet these companies certainly have the motivation, as they’re paid the big bucks to bring authorities and regulators bird’s-eye view insights into blockchain activity — activity that was public but inscrutable in years past.
Indeed, if a curious “Ask Me Anything” thread from r/Bitcoin last month is any indication, then Chainalysis is considering privacy wallets like Wasabi.
In the since-deleted AMA, a Redditor using the handle Chainalysis1 claimed to be a “current or former employee of Chainalysis” and fielded a few questions. In their answers, the Redditor suggested that privacy plays like Wasabi were seriously concerning to the blockchain analysis firm’s leadership.
There’s no telling if the episode was a publicity stunt or an authentic AMA. But it suggested what some already know as clearly true: there is a growing appetite to crack blockchain privacy solutions.