Hackers can break the anonymity of the Bitcoin virtual currency and disclose users’ IP addresses with a €1,500 monthly investment, researchers have found.
A major breakthrough in Bitcoin security research, the finding follows earlier projects that showed it was possible to identify which transactions belong together even if the users change pseudonyms between the transactions.
“It’s hard to predict the future, but some people think that Bitcoin could do to finance what the Internet did to communications,” said Professor Alex Biryukov, leader of a digital currency research group at the University of Luxembourg.
“Our Bitcoin network analysis combined with previous research on transaction flows shows that the level of anonymity in the Bitcoin network is quite low.”
The increasingly popular virtual currency Bitcoin allows users to make profit by renting out their computer capacity to solve various tasks – a process known as Bitcoin mining. Users can then anonymously exchange Bitcoins on the Internet without having to pay any fees to banks or authorities.
The Bitcoin system is not subject to any central management and relies solely on a peer-to-peer network on the Internet. Anyone can join the network as a user or provide computing capacity to process the transactions.
In the network the user’s identity is hidden behind a cryptographic pseudonym, which can be changed as frequently as the user likes. Transactions are then signed with this pseudonym and broadcast to the public network to verify their authenticity and attribute the Bitcoins to the new owner.
The key to the recently discovered vulnerability is the phase of the process when the user’s computer connects to the so-called Bitcoin entry nodes in order to make the transaction.
These nodes form a unique identifier for the duration of the session, which can be tracked back and linked to the user’s IP address.
Moreover, transactions made during one session, even those made via unrelated pseudonyms, can be linked together. With this method, hackers can reveal up to 60 per cent of the IP addresses behind the transactions made over the Bitcoin network – all they would need is a few computers and about €1,500 per month for server and traffic costs.
The researchers also found that not even the dark web anonymisation network Tor can sufficiently protect the IP address.
The Luxembourgian team has written software patches to fix the problem and is currently in talks with Bitcoin developers.
The study has been presented at the ACM Conference on Computer and Communications Security.