After both Oasis and Alphabay announced support for the lesser-known cryptocurrency Monero, marketplace forums and the /r/DarkNetMarkets subreddit have been filled with posts riddled with misinformation on the topic. Because Monero is less popular than Bitcoin and Ethereum, its usage and security raise many questions that need answers.
One of the moderators of /r/DarkNetMarkets, “sapiophile,” submitted a post titled “IMPORTANT WARNING to those who want to use Monero/ShapeShift and NOT end up in jail”. Unsurprisingly, this post clears up many of the concerns brought up by the community.
The majority of the community’s concerns stem from not knowing how the currency works. Bitcoin’s decentralization is a major part of its appeal, and the fact that Monero works in a completely different fashion seems to go against the reasoning behind the creation of cryptocurrencies like Bitcoin. True or not, when it comes to anonymity for transactions on darknet markets and the deep web, the argument is completely different.
Important parts of Sapiophile’s post:
“So here’s the TL;DR: Monero’s privacy comes from the sending side of the transaction. There is absolutely zero privacy gained simply by using a vendor’s Monero receiving address, if you are not sending the Monero yourself, on your own computer, running your own Monero software. In that sense, it’s just like GPG – never trust another party to do it for you.
This is a problem because people obviously don’t want to bother running their own Monero software, and would rather do something like just send BTC to ShapeShift and have ShapeShift send Monero to the market or vendor they want. THAT IS BAD. By doing that, every ounce of privacy that you could be gaining from Monero is entirely dependent on trusting ShapeShift, which is a registered corporation that is subject to various laws, including financial Know Your Customer/Anti-Money Laundering (“KYC/AML”) laws. Those laws almost certainly require ShapeShift to keep a complete record of their transactions so that they can be viewed by Law Enforcement at any time (within some number of years), and those records completely destroy any privacy gained through Monero’s Ring Signatures and Stealth Addresses. On top of that, even disregarding their probable legal obligations under KYC/AML, they are also potentially subject to lawful orders from a judge or other LE official, including subpoenas and National Security Letters (which are usually kept secret from the target(s) of investigation). They might even already have an NSL that requires them to give complete, unfettered access to de-anonymize every transaction they process, and in fact, I would estimate that this is fairly likely.
From ShapeShift’s own “Terms and Conditions” document (PDF warning):
‘You accept that ShapeShift will comply willingly with all legal requests for information from it.
We reserve the right to provide information to law enforcement personnel and other third parties to answer inquiries; to respond to legal process; to respond to the order of a court of competent jurisdiction and those exercising the court’s authority; and, to protect ShapeShift and our users.’
So what does this mean? If you have to trust another party for your security, privacy or anonymity, you are at risk (cough, I’m looking at you, VPNs, and even centralized tumblers…). The whole beauty of systems like Tor, GPG, Bitcoin, etc., is that they are trustless – they work to ensure your well-being without having to trust any other parties.
This is also why it is so important to be very careful with “light” bitcoin wallets like Electrum, and only use them when they are very well anonymized (which is hard to do), like the one integrated into Tails. Because in that case, your privacy is totally dependent on trusting some random Electrum server(s) not to snitch you out, and that is not a good position to be in.
There are certainly some limited gains in privacy to be had, even if you are trusting ShapeShift, by “breaking” the blockchain trail across two different currencies – but honestly they are fairly minimal if your adversary is LE, as is the case for most of us here. It just adds another hour of work to their investigation, but is not really an actual barrier (assuming that ShapeShift is, in fact, untrustworthy – which we will probably never have an answer for, but is safe to assume).
So, if you want to get the most out of Monero, it’s unfortunately necessary to run it yourself. I don’t have experience doing this in an environment like Tails, but that would be the advisable way to do it. And like with Electrum, it is extremely important to ensure that the Monero client you use is completely Torified before you even let it know about any Monero addresses you own, or are sending to. Note that programs have a tendency to “leak” identifying data when people try to use them through Tor and they aren’t designed for it from the ground up – it’s important to make absolutely damn sure that the Monero program is properly Torified, including DNS queries. Tails will not do this for you, since it is not integrated into it.”
So, to break it down into even simpler terms: you are going to have to run it yourself. This is the same principle that deters people from selling coins directly to the market they plan to buy from; securely using Monero relies on it too, the Reddit post concludes.
A basic knowledge of Monero is required in order to benefit from using it, and there are a couple of recommended starting places. One of the most obvious is Monero’s own website. Alternatively, and often an even better resource, is the Monero subreddit: /r/Monero.
To read Sapiophile’s full post and the following comment thread, click here.