The Privacy Adversary Model
Who attacks Monero privacy — chain observers, analysis firms, spy nodes, global network observers, KYC exchanges — and their goals, split into on-chain and network-layer adversaries.
Every privacy system is defined by the adversary it is built to resist. You cannot judge whether Monero "works" without first asking a sharper question: works against whom? A curious neighbor, a chain-analysis contractor, and a nation-state watching the whole internet are wildly different threats, and a defense that defeats one may be irrelevant to another. This course takes the adversary's chair. Before we study specific attacks, we need a clear map of who they are, what they want, and what they can actually see.
Why Start With the Attacker
Defenders who never model the attacker tend to over-invest in the wrong places — layering exotic on-chain maneuvers while leaking their identity at the network layer, or vice versa. A threat model is simply an honest inventory of who might target you, what they are trying to learn, and what capabilities they realistically possess. Get that inventory right and your defensive effort flows to where it matters. Get it wrong and you build a tall wall with an open gate. Throughout this course we will pair each attack with the specific adversary who could mount it, because "is Monero private?" only becomes answerable once the opponent is named.
Two Fundamentally Different Layers
The single most important distinction in this entire course is the split between the on-chain adversary and the network-layer adversary. Monero's cryptography — ring signatures, RingCT hidden amounts, and stealth addresses — protects what is written to the blockchain. It hides the sender among decoys, conceals amounts, and makes recipients unlinkable. None of it touches the fact that your wallet must connect to a node over the internet to broadcast. That connection lives at the network layer, where your IP address is exposed, and it is governed by an entirely separate set of defenses.
Keep these two planes separate in your mind. An on-chain adversary reasons about outputs, key images, ring members, and timing. A network adversary reasons about IP addresses, packet timing, and who talked to whom. A complete attack often combines both, and, as we will stress repeatedly, the network layer is frequently the weaker one.
A Catalog of Adversaries
It helps to name the recurring characters you will meet in later lessons:
- The passive chain observer. Anyone can download the full Monero blockchain and analyze it forever, offline, at zero cost. They see every transaction but never interact. Most academic attacks assume this baseline adversary.
- The chain-analysis firm. A commercial actor (think Chainalysis or the former CipherTrace) selling deanonymization services to exchanges and governments. They combine on-chain heuristics with off-chain data like KYC records and often work under government grant contracts.
- The malicious or "spy" node. A remote node your wallet connects to. It can log which outputs and key images you query, record the timing of your broadcasts, and — on clearnet — see your real IP. Spy nodes have been deployed at scale specifically to harvest this metadata.
- The global network observer. An ISP, a hosting provider, or a state-level adversary who can watch large portions of internet traffic and attempt to correlate a transaction's appearance with the IP that originated it.
- The KYC exchange. Perhaps the most underrated adversary. When you deposit or withdraw at a regulated exchange, it links your legal identity to specific Monero outputs and shares that data on request. No cryptography is broken; you simply handed over the endpoint.
Goals and Capabilities
Adversaries rarely need to "break Monero." Their real goals are narrower and cheaper: link a withdrawal to a later spend, cluster addresses that plausibly belong to one person, prove a specific transaction touched a specific service, or place a probability on who spent an output. Notice the word probability. Much of what chain analysis sells is statistical likelihood, not cryptographic certainty — a distinction we will return to in Chain-Analysis Claims vs Reality. Capability also varies enormously: a passive observer is bounded by public data, while a firm blending KYC leaks, spy-node logs, and network timing is far more dangerous than any one technique alone.
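The point about probability and blended evidence, worked through as an added example (not part of the original lesson). It assumes a ring of 16 members with a uniform prior, independent evidence sources, and constructed likelihood ratios; none of these numbers come from the lesson or from measured data.

```python
from math import prod

RING_SIZE = 16  # assumption: members per ring; the lesson does not state a size

# Constructed likelihood ratios (illustrative only): how much more probable
# each observation is if the suspected member is the real spend than a decoy.
EVIDENCE = {
    "kyc_withdrawal_record": 3.0,
    "spy_node_query_log": 4.0,
    "network_timing_match": 2.5,
}


def posterior(sources, ring_size=RING_SIZE, evidence=EVIDENCE):
    """Probability that the suspected ring member is the real spend.

    Starts from the uniform prior 1/ring_size, converts it to odds, and
    multiplies by the likelihood ratio of every source in `sources`
    (sources are treated as independent, which is itself an assumption).
    """
    prior = 1.0 / ring_size
    odds = prior / (1.0 - prior)
    odds *= prod(evidence[name] for name in sources)
    return odds / (1.0 + odds)


def summary(ring_size=RING_SIZE):
    """Posterior for no evidence, each source alone, and all sources blended."""
    rows = {"no evidence": posterior([], ring_size)}
    for name in EVIDENCE:
        rows[name + " alone"] = posterior([name], ring_size)
    rows["all sources combined"] = posterior(list(EVIDENCE), ring_size)
    # Defender's view: what remains if the two network-side sources are denied.
    rows["kyc only (network sources denied)"] = posterior(
        ["kyc_withdrawal_record"], ring_size
    )
    return rows


if __name__ == "__main__":
    for label, p in summary().items():
        print(f"{label:38s} {p:.3f}")
```

With these constructed inputs no single source lifts the suspect above roughly one in five, while the blend reaches two in three and still falls short of certainty.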
How This Course Is Framed
With the adversary map in hand, the lessons ahead move from the historical to the current: the pre-RingCT traceability era and what it taught us, decoy and poisoned-output attacks, timing and graph analysis, network-level de-anonymization, and finally a sober audit of the marketing claims. For each, we name the adversary, describe the attack honestly, and then show the defense.
Hold onto the two-layer split as your compass: as you read every attack that follows, keep asking whether it targets the chain or the network, because knowing which one an adversary can reach is the first step to knowing whether they can reach you.