> to properly set up lightning takes anywhere between $500 to $5,000 dollars
you can properly set up lightning for $0 if you already have a laptop or an android device -- except for channel opening fees, each of which costs 1 btc transaction, i.e. 44 cents at current feerates
"send XMR to address"
that's what these folks did, and they got arrested:
The finnish guy: https://cointelegraph.com/news/finnish-authorities-traced-monero-vastaamo-hack
The 18 japanese people: https://cointelegraph.com/news/monero-transactions-japanese-authorities-arrest-18-scammers
"Just sending xmr to an address" is also bad advice when the most popular monero wallets (cake wallet and monerujo) are known to have been unwittingly giving a list of nearly all their users' xmr transactions plus your ip address to Chainalysis: https://www.digilol.net/blog/chainanalysis-malicious-xmr.html
It is very easy to leak your personal info, especially your ip address, so do not "just send XMR to address" -- even the Monero website warns against this stupid "just use xmr" meme:
It is more private than monero, but you should not use it for serious privacy needs without additional defense-in-depth strategies. E.g. you should only connect to the lightning network after hiding your ip address via something like tor and you should not open channels with nodes who openly state they log all transactions that flow through their node in order to report them if necessary. (E.g. binance's privacy policy mentions that they do this.)
> anyone on the path knows the amount of the payment
Thanks to the commonality of multipath payments, nodes along the path only know a lower bound of the amount, not the definite amount
> it is possible to identify recipients, and senders with high accuracy, by only controlling some of the nodes on the path
I do not think this is true. Let's suppose you control 5 nodes along the path (Charlie, Dave, Edna, Filbert, and Genna) and you start to trace a payment that flowed through your nodes. You trace it back to Bob on the "sender" side and Harry on the "recipient" side. But you can't tell whether Bob is *really* the sender or just another routing node. And you can't tell if Harry is *really* the recipient or just another routing node. All you know is, those nodes were as far as you could trace it.
Here is what a monero transaction looks like:
You can see a list of people who might have sent the transaction on the left under "ring members" -- one of them did it!
Now...can anyone show me a lightning transaction?
Anyone?
I'm waiting...
How privacy works in monero versus lightning
you mean because it wasn't a Nintento-made pokemon game?
Someone ran pokemon on bitcoin using bitvm 🤯
In honor of Ross' release, nostr:nprofile1qqs2xugc5jyguqkj36rk0syv4tmnkjdtmtperttl7x9rqjy3ustdcvcppemhxue69uhkummn9ekx7mp0qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qg6waehxw309aek2mnyd96zumn0wdnxcctjv5hxxmmd9uxa0uz8 is now accessible as a Tor Hidden Service:
ikduzlpwcc4khvj27rlywgic6eaxj5w3brj4uo54z2sfyj7b2hfrepyd.onion
I'll be dropping the repo in a bit for those who would like to be able to run it themselves. Soon, you'll also be able to run your own instances on an Umbrel and Start9.
The free market must bloom! 🫡
Yet another lightning network DNM
Monero bros down bad
I think a grey market is a white market that is friendly toward black market participants, i.e. a marketplace where no one sells anything illegal, but people who sell illegal things in *other* markets are *there* and you can talk to them to acquire information about the black market
I think so, I asked them recently and they said it is still *one of* the most active
Me versus monero people lately
>"appears in two transactions. He receives money in this transaction"
You seem to be confusing reciever and sender privacy again. One is an input the other is an output. It doesn't appear as another output again.
>"It is not zero knowledge"
Yes it is. Potential receivers can literally be any Monero user that has ever existed. All you know is that the receiver is a Monero user - that's all.
>"That doesn't imply that users use custodial wallets for anything other than zaps. I use a custodian for zaps and then withdraw them to my self custody wallet whenever they grow to be worth about $20."
Are zaps not lightning transactions? Value of the transactions are irrelevant.
>"Of the top 10, half are self custodial (Acinq, C=, and 3 LNBigs)...It just means that's a place where lots of money flows into and out of."
The main point is the reduced privacy they provide from your ideal presentation of lightning (running your own node, etc.), not if they are custodial or not. Everything flowing through these large node isn't ideal for privacy and reduces the benefits of onion-routing of Lightning,
>"Okay, I did, and here are the results: https://gist.github.com/supertestnet/5bceb60d9c691da744a55dad3f60e65e"
Interesting chart. I also have a similar one I made awhile back to see for myself. I noticed you don't have Strike or Chivo included (some of the largest custodial lightning wallets in downloads - 1,000,000+ each). You also only have two types of wallets, but I would include another category of non-custodial LSP wallets like Phoenix which reduces user privacy. Blinded paths are also not widely used yet and not default for most.
Some of the wallets included that have multiple kinds are hard to figure out, but considering Bitcoin only has 60,000 nodes and there being roughly 80-130 million total Bitcoiners in the world, it's pretty safe to assume the vast majority aren't running their own Lightning nodes. I'm sure the ratio is similar for those wallets.
>"I agree, I'm just saying that if you have to do that for good privacy anyway, then do the thing that gets you better privacy. Run a lightning node, not a monero node."
Far more Lightning and Monero users don't run their own node and likely never will. So when it comes to those users it's probably good to direct them to use Monero. If you're going to run your own node and do everything correctly then yea I at least see your argument in that case, pros and cons, but imo it's still debatable especially if you're going through large LN nodes in your hops that reduce the benefits of onion-routing.
>"This is because in LN the sender and the recipient are actually encrypted so that the remote node cannot see them"
Not sure this applies to custodial LN, and pretty sure LN receive privacy is notorious for being bad. I know blinded paths exist, but aren't widely used yet. Not sure how popular multi-path payments are yet either.
>"Good point, I didn't think of that. Makes me want to get more statistics."
Yea in the future ecash tokens will not reveal amounts, but that isn't true at the moment. I've heard about Calle saying he is going to eventually implement "blinded amounts" in addition to blinded signatures which would solve this particular problem. Don't get me wrong I think ecash is cool because it can do some neat things that Monero can't, but it has it's own downsides obviously. Ecash (and even L2s) aren't necessarily unique to Bitcoin either. You can build ecash on Monero now somewhat trivially (and a Bitcoiner is actually currently doing that) and L2s will soon be possible with FMCP.
>"Exchanges like Kucoin and Huobi Global continue to list monero and do millions of dollars in volume in XMR trading pairs....everyone in the monero community that I've talked to sings the praises of DNMs even though almost all of them take custody of user funds."
In comparison to Bitcoin this is nothing even accounting for Mcap and tx volume of each. The largest exchanges like Binance have already delisted Monero.
DNM thing is true, good point, but I doubt anyone uses those as their personal wallets theyre actually using. They're usually only used to deposit/withdraw funds. Even if Lightning was used there would have to be a similar setup for this. Some use multisig, but not as common.
Thank you for pointing out the omission of Strike and Chivo. I've updated the gist:
https://gist.github.com/supertestnet/5bceb60d9c691da744a55dad3f60e65e
>it's called a "one-time" stealth address [because it] only ever appears on the blockchain once
"One-time" stealth addresses almost always appear on the blockchain multiple times. For example, this stealth address:
7d1526b3376ecc11530dc68650111013b125fa32b1d3c639bd7a694d8c6275f7
appears in two transactions. He receives money in this transaction: https://localmonero.co/blocks/search/936c2d0659e21d81f26388f9a21a2965085ab0e7dd3b4b97194967b05ca5fdff
And he appears as a possible sender in the fourth input of this transaction: https://localmonero.co/blocks/search/5470b681c6c443556722150f496f07b2b5d36c47b30c65cb132b9d0cbb5dff76
See this screenshot:
> Receiver privacy is zero knowledge
It is not zero knowledge. The receiver's "stealth address" is unencrypted and it is not in fact "one time." Despite some people calling it that, you cannot spend from it unless you put it on the blockchain a second time as a possible spender in a future transaction. So analysts can and do watch for that to happen and then use heuristics to estimate the probability of it being the "real" spender in that future transaction.
>"Using monero in a "plug and play" manner gets people arrested. For example, Chainalysis was able to successfully trace a monero payment to the right user in part because they had access to so many user IP addresses"
I'm saying in relation to Lightning it has better "plug-and-play" privacy than the average Lightning user who is using a custodian like Wallet of Satoshi
I'd like to deal with your contention that most lightning users use custodians here. You cite the following evidence:
> There is Zapalytics. Custodial wallets for Lightning zaps and addresses are near ~80%
That doesn't imply that users use custodial wallets for anything other than zaps. I use a custodian for zaps and then withdraw them to my self custody wallet whenever they grow to be worth about $20. I suspect thus usage pattern is very common.
> You can check out all major LN liquidity providers mempool space (mostly custodial wallets, CEXs, LSPs)
Of the top 10, half are self custodial (Acinq, C=, and 3 LNBigs) and half are exchanges (OKx, Binance, 2 Bitfinexes, and Kraken). And this doesn't tell you anything about the distribution of that money. Lots of people open a channel to Binance from their own node, because you earn money by doing so. The channel opener retains self custody of all of that money, but the amount of money listed as being in a "Binance channel" will increase. Just because it's in a channel with Binance or another exchange does not mean the exchange has that money. It just means that's a place where lots of money flows into and out of.
> Compare total downloads from custodial LN wallets, LSP wallets like Phoenix, and wallets that require or allow you to run your own LN node
Okay, I did, and here are the results: https://gist.github.com/supertestnet/5bceb60d9c691da744a55dad3f60e65e
As you can see, self custodial lightning wallets are more popular than custodial ones
> What is unique about this to Monero [i.e. having to run your own node over tor for good privacy]? Same thing applies to a Bitcoin and Lightning nodes
I agree, I'm just saying that if you have to do that for good privacy anyway, then do the thing that gets you better privacy. Run a lightning node, not a monero node.
> The only difference is if a Monero user is using someone elses remote node that node has way less information about transactions than a Bitcoin node or LSP/LN custodian
A lightning user who connects to a remote node reveals less information to that node about the sender and the recipient than a monero user who connects to someone else's remote node. This is because in LN the sender and the recipient are actually encrypted so that the remote node cannot see them; in monero, they are unencrypted, though at least the sender is obscured as being one in a group of 16. The recipient is barely obscured; most transactions only list 2 outputs.
Regarding amounts, the remote node in a monero transaction gets to see the total amount you paid in fees, and can use that to get an exact lower bound on the amount money in the inputs and an estimated lower bound on the amount of money in the outputs. In lightning, the remote node does not get to see the total amount you paid in fees, and, given the prevalence of multipath payments, they also don't know how much money you sent, though they can get a lower bound on it. This lower bound is less useful than the one monero gives you because it's harder to estimate how much of the payment flowed through your node.
>"And besides that, some custodians (like ecash mints) offer better privacy than monero"
Being custodial already disqualifies it from the same category as Monero which offers non-custodial privacy
Some users care more about their transaction being private than about having self custody of the money. I wonder if ecash mints are more popular than monero wallets. I'll have to think of a way to assess this statistically.
> Mints can see token denominations (amounts) so the anonymity set is fractured in buckets within each mint (1,2,4,8,16,32, etc). This means less common denominations such as larger amounts offer less privacy
Good point, I didn't think of that. Makes me want to get more statistics.
> Considering the attitude of the community and that Monero is banned from almost all major exchanges I would say custodial Monero users are far fewer
Exchanges like Kucoin and Huobi Global continue to list monero and do millions of dollars in volume in XMR trading pairs. As for the community, everyone in the monero community that I've talked to sings the praises of DNMs even though almost all of them take custody of user funds. (The largest one did an exit scam last year: https://x.com/DarkDotFail/status/1765104459913330820)
So I suspect custodial Monero users are a large percentage of the total -- especially since there aren't very *many* monero users.
Some people say LN usage is primarily custodial. My statistics don't support that
Here's a list of LN wallets on Google Play, with their kind (custodial or not) listed with their number of downloads
https://gist.github.com/supertestnet/5bceb60d9c691da744a55dad3f60e65e
Conclusion: self custodial LN wallets are more popular
> it is a one-time stealth address it is useless for tracing or tracking anything beyond that
If that was true, it would still only be *almost* as good as lightning, because (1) that's also true of lightning invoices (they are useless for tracking down *other* payments to the recipient) and (2) unlike monero public addresses, the sender *can't* (usually) map it to the "real" destination
But it's not true that stealth addresses are useless for tracking. You can watch a stealth address to see when it shows up as a possible spender in a future transaction, and then use heuristics to probablistically identify whether or not it's the "real" spender. You cannot do that with a lightning invoice because it *actually* never appears again (and never shows up on the blockchain at all).
> The problem with Lightning is the complexity involved in using it in a sovereign manner. It's not as "plug-and-play" as Monero.
Using monero in a "plug and play" manner gets people arrested. For example, Chainalysis was able to successfully trace a monero payment to the right user in part because they had access to so many user IP addresses, given to them for free (along with user transaction data) by Cake Wallet and Monerujo: https://www.digilol.net/blog/chainanalysis-malicious-xmr.html Even the monero website warns against using monero without taking extra precautions to guard your personal info: https://www.getmonero.org/get-started/faq/#anchor-magic
To use monero properly, you have to run a tor service and your own monero node. It's not a "plug and play" privacy solution, there is no "plug and play" privacy solution. So if you're going to do privacy properly, run a lightning node, not a monero node. Neither one is plug and play, and both require some setup, but lightning offers better privacy once you do the setup.
> Vast majority of users are using custodians and a small portion use LSPs - both introduce third-parties back into the equation along with privacy implications...
There are no good statistics on whether the majority of LN users use a custodian or not. The best I've seen is nostr statistics, where most people self-report using a custodian. But using a custodian for nostr zaps does not imply that you use a custodian for your daily spending money. And besides that, some custodians (like ecash mints) offer better privacy than monero, and some LSPs (like Acinq and Zeus) also offer better privacy for their users by supporting blinded paths, and often defaulting to them. Moreover, what are the stats on custodians in monero? I suspect it is rather large. The XMR blockchain indicates that a lot of the payments in monero are batch (multi-output) payments, which are usually done by exchanges and probably DNMs. Maybe I'll make a stats page tracking probable-custodian usage in monero and see how it compares with nostr.
I am about to give you three links instead of one. I recommend starting by reading this readme:
https://github.com/supertestnet/hurricash
I think it is the simplest way to begin to understand how my channel factory works. While implementing that, I figured out a way to solve its principal problem, which is that the way "withdrawal transactions" work in hurricash does not allow users to know the txid of their "withdrawal utxo" in advance. Having figured out a solution, I created Tornado Factory: https://github.com/supertestnet/tornado_factory
I recommend reading that readme because it tells how I solve hurricash's problem. Also, play with the implementation! It calls itself a channel factory, but it doesn't actually produce channels; each user only gets a withdrawal utxo whose txid and amount they know in advance.
Lastly, there is Hedgehog Factory: https://github.com/supertestnet/hedgehog_factory
That doesn't have a readme yet, but it is a WIP attempt to improve Tornado Factory in three ways:
(1) it has real, usable channels now, not just a random utxo you get to withdraw (though the channels are currently receive-only)
(2) users can run the app separately now and coordinate over the internet to do the funding transaction (in Tornado Factory, all users are just different pubkeys generated by the same page, so it's really just one user with n pubkeys)
(3) I implemented a massive efficiency gain by delegating *one* person to do the funding transaction and having everyone else *pay him over lightning* as a kind of admission-fee to the pool. This makes it so that n channels are opened with a single transaction needing only one input and two outputs (the multisig and some change).
This greatly reduces the cost of channel opens *and* gives people an opportunity to make money on their bitcoin. E.g. if a btc transaction costs $10, you can make money on your bitcoin offering more than 10 people the opportunity to open a channel in a pool where you are the delegate, and then you just charge each person a $1 admission fee. Everyone wins: you make money, and they each get a channel for $1 that would have costed them $10 otherwise.
So that's what I'm currently building in Hedgehog Factory: a tool where you can invite people to enter a pool where you perform the funding transaction and charge an "admission fee" to recoup your costs and hopefully make something extra.
As noted by @bitcoinoptech: "For large numbers of users under ideal situations, channel factories can reduce the onchain size and fee cost of LN by 90% or more." https://bitcoinops.org/en/topics/channel-factories/
I am excited, my channel factory implementation is making great progress! I got "receiving" to work today -- which is the hard part. Right now I am working on making it so users can also "send" money from their off-chain channels.
Once that is done, it won't just be a channel factory, it will also count as a coinpool: n users share a utxo locked to an n-of-n multisig, and any member can spend money from it on LN (because it's a channel factory) OR on the base layer via an LN-to-base-layer swap.
if any member chooses the latter, a transaction will appear on the base layer that an analyst might be able to trace to the pool (if the swapper colludes, along with all routing nodes from the pool to the swapper), but they can't trace it any further. Nothing on the blockchain tells who's who in the pool, and not even the channel counterparties know who's who in the pool.
hopefully this will help fix two problems with LN: the sometimes-high cost of creating a channel and the privacy drawback of putting your channel-opening transaction on the base layer