Kind of beginning to wonder if the #Monero ecosystem itself is under attack.
A few weeks ago, a Bitcoin exchange called #bisq was hacked and the most common pair on that exchange is Bitcoin to Monero.
Then, like a week ago, another decentralized exchange called Thor Chain that is in the process of adding Monero was hacked.
Then yesterday #haveno was exploited
And I'm hearing rumors that a Bitcoin to Monero Atomic Swap service (eigen wallet) is under distributed denial of service attacks.
When you put all of those together in a three or four-week timeframe, that begins to seem a lot less like accidents and a lot more like intentional sabotage.
I wonder which three-letter agency it is.
Login to reply
Replies (10)
Seems just as likely it's LLM-assisted hackers no?
As long as Monero is a threat they will always try to attack it.
Yes, and...
Zcash VC pump doesn't work as they envisioned. There's a lot of organic counter narrative wherever I follow discussions.
And the Monero chart is so ready and loaded that I think they maxed out their price control mechanism. You can see that KuCoin volume shrinks. It's their main exchange to control price since Binance went away. Less volume for whatever reason means other venues have more influence on price.
It's maybe a nice gift to them that LLM find weaknesses exactly when Monero is ready for price discovery. But then none of those exchanges was contacted by a white hat hacker. All of them got exploited by black hats.
Could be 🤔
Does anybody remember this from 2021? #Monero
Outlawing the use of anonymity-enhanced virtual assets and their underlying technology
Presently, the FATF does not recommend banning the anonymity-enhanced virtual assets and blockchains, but it also does not exclude such a solution. States have the discretion to prohibit virtual assets activities or virtual assets service providers [27]. The main reason for the recommendation is that banning such activities and services would not reduce the states’ obligations regarding AML. After the outlawing of anonymity-enhanced virtual assets and blockchains, states will still need to actively monitor cyberspace to detect and prosecute violations of the ban, just as they currently do when detecting and prosecuting unregistered VASPs.
In a study prepared for the European Parliament [99], introducing the ban was considered as a possible AML/CFT policy measure Experts warn that ‘we must avoid being naïve, even if a ban would be imposed, how do we detect a breach, given that the purpose of the object of the ban just is to obscure identities’ [99]. Eventually, they are against the general bans on cryptocurrencies because ‘[t]hat would go too far’ [99]. Instead, they suggest imposing a ban ‘on specific aspects facilitating the illicit use of cryptocurrency’ [99].
The above indicated proposal to ban only ‘certain aspects’ facilitating the abuse of technologies and anonymization techniques associated with permissionless DLT networks, however, carries the same ‘risk of naïveté’ as would a general ban. When prohibiting the use of privacy-coins or ‘only’ the use of anonymization features, it seems to be equally tricky, and sometimes impossible, to detect users violating each of these bans. Therefore, limiting the ban on the use of anonymity-enhanced features does not solve problems relating to the enforceability of such a ban. The ban on the use of anonymity-enhanced cryptocurrency and its underlying DLT-based network would not be a reasonable tool if the sanctions for failing to comply with the ban were limited to traditional criminal sanctions. The enforcement of these sanctions requires bringing an accused person to court. Such a person often would not be detected, as long as they effectively continue to break the ban using anonymity-enhanced permissionless blockchains. Nevertheless, as the experts indicate, it is worthwhile to consider introducing a ban because ‘if authorities bump into the prohibited activities, they have a legal basis for prosecution, insofar not yet available’ [99].
Imposing such a ban on the use of anonymity-enhanced cryptocurrency, where reporting features are not provided and any other AML tools or sources of surveillance data are not available to FIU, is vital for a different reason, as presented below.
Towards effective tools for combating non-transparent permissionless DLT-based networks
It is emphasized in the literature that while backdoors seem technically feasible, it is unlikely that they can be sustained in decentralized systems, whose raison d' ệtre is the rejection of privileged parties with special access rights [91]. I see the needs to create means which could motivate decentralized systems to accept limited access rights needed for the achievement of AML/CFT objectives. It should induce the process of shaping the permissionless networks in the direction required by law, to make the systems respectful of some fundamental values which are protected by systems of law, for example, of privacy and public security (the AML/CFT risks minimization).
Why people comply with laws and regulations is complex and controversial within criminology. Empirical research projects have identified variables that are critical for law-abidingness in individuals. Researchers have found that although the severity of punishment is an effective deterrent [100], the probability of punishment is also a crucial factor. ‘[S]ome significant level of legal enforcement is essential in generating and assuring compliance’ [101]. Therefore, regulators may induce shaping the architecture of permissionless DLT-based networks in the direction required by the law only if legal requirements were feasible and if sanctions for non-compliance could be effectively enforced. As indicated above, the use of anonymity-enhanced technologies, such as, for example, zero-knowledge proofs, would result in low enforceability of criminal sanctions. Such technologies are continually being developed and implemented into new platforms. In my opinion, the impact of threatening communities’ members with criminal sanctions would not be sufficient to induce shaping the blockchain protocol and architecture in the direction desired by the governments. Moreover, even successful enforcement of a criminal sanction against some individual members of the ecosystem will hardly affect the efficiency and operation of the highly decentralized network. Consequently, traditional criminal sanctions from government, which had to be enforced individually against particular members of ecosystems, appear to no longer be sufficient to motivate all members of globally decentralized community to shape architecture of networks in the direction expected by governments. As decentralized network governance is sometimes it is summarized ‘[n]o regulatory agency has the resources to go after that type of Medusa-like entity’ [102].
Targeting the privacy-cryptocurrency, not its users
Taking into account the above findings, instead of going after privacy-blockchains communities’ members to punish them, these tools should be, in my opinion, directed against privacy-cryptocurrency that creates ML/FT risks which cannot be overcome using any available approaches. The focus should be on the direct source of risk to public safety, not on the people which create that risk. An analogy to the off-chain world is where enforcement law agencies directly targeted the building constructed in violation of building regulation, and destroyed it rather than—or in addition to—targeting people responsible for the building’s construction. The ultimate aim of new tools in the blockchain space should be to reduce the economic value of the outlawed native cryptocurrency whose value drives the operation of a given platform, in particular by reducing trust in the stability and security of the network. If effective, means that reduce the value of the cryptocurrency will therefore reduce the number of the network’s users and nodes. The decreasing number of users and nodes (and thus the decreasing infrastructural and political decentralization [66]) should automatically reduce blockchain security. Networks underlying the privacy-coins will then become more vulnerable to further attacks on their currencies or any activities reducing the value of given privacy coins, which can be systematically repeated by a government until the virtual assets cease to be accepted for payments or used for investment purposes. There is a need for in-depth interdisciplinary research to identify and analyse in detail the whole spectrum of different tools which may help policy makers to govern the permissionless privacy-blockchain space without going after the members of the communities. The nature of possible conceivable tools that can reduce the value and trust in the outlawed (or blacklisted) virtual assets vary significantly, including technological, economic, fiscal, sociological, and legal means. As indicated above, this article is not intended to describe and analyse all these possible tools. This article’s goals in that scope are to indicate this direction (targeting the value of privacy-cryptocurrency, not its users), where the effective tools can be found, as in my opinion most promising for further exploration by policy makers. The second goal of the article is to indicate some of these tools to consider by regulators, namely embedded reporting (presented above) and state attacks on outlawed privacy-coins.
State attacks on the value of outlawed privacy-coins
Each permissionless network’s security and the value of its native cryptocurrency depend on the mass usage of that network and its cryptocurrency, which, in turn, depends on the prospective trust of persons in and around blockchain ecosystems regarding the network’s security and their acceptance of a given currency as a means of payment. The users’ confidence in the networks may be significantly undermined by successful attacks on networks which could undermine the trust of the blockchain community in the ability of the network’s protocol to ensure smooth operation of the network. By smooth operation I mean particularly the operation without the double-spending of coins, with high level of scalability, and without the risks of gathering by one or few governments enough control to could manipulate the system.
The effects, chances, and costs of successful attack vary significantly—they depend on the network size (level of decentralization) and type of network consensus (e.g. 51% or Sibil attack for networks based on the proof of work [103, 104] or the proof of stake [105]), but also on many other elements of the system’s architecture. The levels of decentralization also differ substantially within networks. The idea of decentralization of permissionless DLT-based networks is aimed at excluding all central points of failure within a network’s architecture. However, in practice, some elements of centralization do occur [66], which is observable, for example, in relation to different consensus algorithms. Permissionless networks’ points of failure usually result from various compromises in the architecture of a given blockchain [106], which are needed to simultaneously ensure many desirable network properties such as scalability, decentralization, security (including anonymity or strong pseudonymity), and low operation costs. The need to strengthen some of these properties often, at the same time, weakens others, causing networks to be vulnerable to different type of attacks [106]. As researchers point out, despite common arguments about the prevalence of blockchain technology in terms of security, privacy, and immutability, in reality, several attacks can be launched against these networks [107]. Attacks on some permissionless blockchains have failed so far because attacking them is cost-effective for attackers who launch an attack to gain profits. However, the profitability of an attack would not be the primary determinant for the states.
This article is not intended to describe the technology of attacks nor to suggest states use one of them. The AML/CFT policy should adopt a technology-neutral approach in that scope and should avoid determining the techniques of attacks on cryptocurrency. The security experts should decide which technology is appropriate to be used on a case-by-case basis. To return to the building metaphor, specific methods of building demolition by law enforcement bodies are not determined by legal regulations because the appropriate means depends on the targeted building’s architecture. The same is true for DLT permissionless platforms. Some features are similar among networks, but some are different, for example, different cryptography methods and architectures, varying levels of decentralization and different off-chain governance. No two permissionless distributed ledgers are identical, so the appropriate methods of attack could more or less differ.
As DLT continues to develop quickly and network decentralization increases, the challenges in identifying and developing a successful method of attack on the value of a cryptocurrency will continue to grow [108]. Facebook’s current effort to launch the permissionless DLT-based network, which will underly OpenLibra cryptocurrency, shows the possible scale of the challenges faced by governments worldwide. Because of the possible colossal decentralization of some networks in the future, it might be impossible for a single government to impact those networks’ ecosystems effectively. In such a situation, cooperation among many governments may become fruitful.
Outlawing of certain virtual assets
The outlawing (banning) of the use of certain virtual assets and their underlying network is, in turn, a legal measure useful for combating a privacy-cryptocurrency if AML/CFT purposes may not be achieved in relation to a particular network in any other ways. However, I do not see the primary purpose of such regulation creating a basis for criminal prosecution against people who breach that law. That ban will likely be so consequential that the outlawed cryptocurrency will not be used in transactions which parties intend to report to FIU or any other supervisory body. Moreover, such a law may also discourage the participation of a significant number of those network’s users who prefer to comply with regulations regardless of threatening sanctions. The outflow of some users from the network can weaken that network’s security. Effective attacks on a network cryptocurrency, distorting the network’s operational stability, will demonstrate the state’s ability to implement such tools. In turn, this should further reduce the outlawed cryptocurrency’s value, thereby reducing the economic significance of a given cryptocurrency. The proposed solution will not have a physical impact, and any hardware infrastructure and the targeted DLT-based network can continue to operate until the last single node (and user) records transactions on its ledger. However, the trust and currency value of such a network can drop to zero. Such a cryptocurrency may no longer be accepted as a means of payment and may cease to have the legal status of being a virtual asset. If cryptocurrency is no longer qualified as within the realm of virtual assets, the AML/CFT rules do not apply to it because such a cryptocurrency no longer poses ML/FT risks. In that case, governments should refrain from further interference in that network’s operation because such a network has lost the character of a financial platform.
Legal basis for combating a problematic cryptocurrency
To combat some cryptocurrency, including state activities aiming at reducing the value of cryptocurrency, the governments need to adopt a legal basis for interference in several human rights of community members. A necessary element of such regulation is setting out prerequisites for using such a tool towards certain privacy-coins. At minimum, such prerequisites should refer to the lack of availability of any other tools, approaches, or external sources of surveillance data that could effectively allow the FIU to limit the AML/CFT risks in relation to a given network. If a given network enables anonymization of processed data (as defined by the GDPR), it is highly likely that there are no other tools and approaches that would allow for the achievement of AML/CFT objectives; however, it cannot be excluded a priori. All circumstances related to a given network must be assessed.
Defining sanctions for non-compliance of privacy-blockchains with AML/CFT requirements should be the second element of such regulations. As pointed out above, these sanctions should not be targeted only against individual actors within the network, but rather against its currency. In the off-chain world, we use similar sanctions, regardless of the possibility of identifying and punishing the individuals who are responsible for breaching the rules.
State attacks on cryptocurrency as a last-resort policy tool
The attack on cryptocurrency is proposed to be included in national or international policies towards permissionless privacy-blockchains as a last-resort tool. It should be targeted only against those DLT-based financial platforms where no other means are available to achieve AML/CFT objectives. If any available approaches of minimizing AML/CFT are effective, there is no reason to attack, nor should be legal grounds for attacking, any network nor its cryptocurrency. In such a case, an attack could be non-proportional interference in human rights (as it is elaborated in the next subsection).
Concept of gradual application of different AML/CFT policy tools can be understood with an analogy used earlier. If somebody built a building with such serious breaches of construction law that the building jeopardized public security, demolishing this building is (and should be) the means of last resort for a law enforcement body. The regulations usually require other means to be applied before the building is destroyed as a law enforcement tool. These other measures, which should be used primarily if they are accessible and efficient, are aimed at maintaining the building by means of ordering the owner to bring the building into compliance with the construction regulations. That is, and should be, a consequence of the requirement of proportional interference with human rights (see the next section). The above considerations could also relate to permissionless blockchains that underlie virtual assets (financial platforms). If governments could use any other effective means to minimize AML/CFT risks on privacy-blockchains, then those means should be primarily used. In a situation where there are no feasible means which may ensure achieving AML/CFT objectives in relation to a given network and if embedded reporting will not grant, the state should be entitled to use effective measures to combat the network, including state attacks on its cryptocurrency.
It would be worthwhile to discuss in the future whether attacks on permissionless networks may and should be used as a policy tool to protect privacy if a network does not ensure GDPR-compliant processing of data. It is doubtful whether it would be a proportional interference in human rights. Today, the sanctions for GDPR non-compliance are primarily severe fines for GDPR non-compliance (although these sanctions can hardly reach most of the controllers’ and processors’ assets if they are located outside the EU or if they are located on permissionless ledgers and obfuscated by advanced anonymization technologies). Using such a tool may perhaps be acceptable in light of human rights rules if a transparent DLT-based network community does not implement into the network architecture any effective tools which would allow for fast removal of at least content which is treated as illegal worldwide, such as child abuse content. However, I leave this problem for a future discussion.
https://academic.oup.com/cybersecurity/article/7/1/tyab004/6166133?login=false
View quoted note →
P2P systems requiring dedicated software always have a greater attack surface, that's why @MoneroSwap relies on widely available components
"I wonder which three-letter agency it is"? Yes. All of them.
Transacting via hidden data in meme jpg files is going to happen.
@shortwavesurfer2009
At least Basic Swap DEX is still working.
Could be for the financial reward. Lets be honest, there is no normie traction going on with any of this stuff. Whats happening wit android and operating systems in general may get people to noticed the cage we are in.