Hey,
more than a year ago I wrote my bachelor thesis about mixing services/anonymous bitcoin transactions (yes, bitcoin is pseudonymous).
I found some trivial bugs (timing attacks, leakages, XSS, ...) through which nearly all relevant centralized bitcoin mixing services could be broken. Based on outgoing mixing transactions (transactions sent by the mixer) I was able to identify the correct incoming transactions sent by customers (and vice versa).
My thesis is quite easy to understand and the bugs are also trivial, however, at the time of writing, I did not find any specific work related to these problems.
The most important conclusion of my work is that even though a mixing service/a mixing algorithm might seem to be reliable at the moment, through a single leak/implementation fault, an attacker could be able to deanonymize any past transaction which has been processed by the mixing services. Even though the leak/implementation fault gets fixed by the service, every transaction which has been processed prior to the fix is irreversibly vulnerable.
bitmixer.io & coinmixer.se are offline now, however it's still possible to use the bugs I describe in my thesis to reverse nearly all transactions which have ever been processed by these services.
In my thesis, I attacked coinmixer.se (at the time of writing it was the biggest centralized mixing service), however, except chipmixer.com [1], every other centralized mixing service I checked could be broken in a similar fashion.
If there is interest in this topic, I can publish further information (source code, examples, ...) on this topic and attacks.
Link to my thesis (python source inside):
https://www.dropbox.com/s/3yapwyfz72tvswh/BA_mixing_services.pdf?dl=0

Author: Felix Maduakor
Email: felix.maduakor@rub.de

[1] Chipmixer was the only centralized mixing service which I did not break fully. However, I did not put much work into checking this mixing service.