Super Testnet
2183e94758481d0f124fbd93c56ccaa45e7e545ceeb8d52848f98253f497b975
Open source dev w/ bitcoin focus | supertestnet.org bc1qefhunyf8rsq77f38k07hn2e5njp0acxhlheksn

> You can't tell me the total balance in my wallet

True, just the one address

> or the final destination either

I can tell you that: it's the address I identified. That was the final destination.

> I know at least the public key of the first hop involved (potentially final destination)

True, but knowing the first hop does not get you very far, even though it is potentially the final destination. At least not in countries where you need more than a maybe to put someone in jail.

Both of these stories start with exchanges telling the authorities what pubkey received their money. The fact that they *know* what pubkey received their money (and can prove it) is a design flaw in monero. Lightning fixes it.

Also, in both of these stories, after the money went from the exchange to the user's pubkey, the analysts watched the blockchain to see where the money moved next, and it went to another exchange with a probabilistic identifier marking the user's pubkey as a possible sender. This enabled them to contact that exchange and find out the user's identity, which led to an arrest in one case and better evidence for the charges in the other.

Lightning fixes this too, because not only does lightning not tell them what channel the money went into in the first place, but when it moves out of the channel, the analysts don't get to see that, because the transaction isn't broadcast. So they never see the money go to an exchange and thus can never know to contact them to obtain the user's identity.

Churning only sometimes works. This thread explains some of the reasons why: https://www.reddit.com/r/Monero/comments/oz69hf/churning_why_is_too_much_detrimental_to_privacy/

One that I'd like to highlight is that Chainalysis tracing video shows a bunch of monero transactions where they managed to eliminate all of the decoys and identify the true spend. Churning makes another transaction where they have to do that in order to see where it goes next, which probably helps since they can't always eliminate all decoys (I don't even think they can *usually* do it), but your mileage may vary.

Replying to Super Testnet

> He is using the view key to see things that are available by design for the sender. ... This is actually a feature, not a bug nor a weakness.

It has led to at least two people getting arrested.

The Finnish guy in this article: https://cointelegraph.com/news/finnish-authorities-traced-monero-vastaamo-hack got arrested after a CEX used this "feature" to trace his payment from their exchange to his private wallet. This "feature" told them the precise pubkey which held the money, which allowed them to tell the authorities to watch the blockchain for that pubkey to show up in future ring sigs. When it did, they discovered that he sent it to Binance, where they got his KYC info and arrested him.

Nearly the same thing happened to the Colombian guy in this video: https://v.nostr.build/D4Nzp22vRF35IRnz.mp4

Morphtoken sent his monero to his private wallet, and the authorities subpoenaed them to find out what pubkey they sent it to. They told them, and then they watched that pubkey to see if it showed up in future ring sigs. It did, and they kept tracing it forward until he sent a pair of transactions via a "poisoned node" (one run by Chainalysis) without a VPN, and these transactions sent the money to a centralized exchange and a point of sale system. They were able to get his KYC info from one of them (probably the exchange) and arrested him.

So the "it's a feature, not a bug" cope rings hollow. Lightning is way better for your privacy because the sender does not know what channel his money ends up in. He cannot give that info to authorities because he does not have it, so they do not know where to watch for future transactions, so they never get to contact an exchange and ask for more details about a particular inbound transaction. Lightning fixes Monero's "feature, not a bug" problem where senders can see where their money goes and then report that info to authorities.

> How did he do that?!?

I was able to do it because of a flaw in monero: by design, the sender knows what address he sends his money into and can report that info to authorities with cryptographic proof. This has led to multiple legal charges against monero users, see the attached thread for more info.

Lightning, of course, fixes this. nostr:nevent1qqs9t6glu9k3ps7ct6ad8a3cj9jfntxvlhayh8e3cc56rf4ghdpcjnsppamhxue69uhkummnw3ezumt0d5qs6amnwvaz7tmwdaejumr0dspzqgvra9r4sjqapufyl0vnc4kv4fz70e29em4c655y37vz206f0wt45p7m94

That would only follow if I thought all cryptocurrencies are scams.

Another monero user took up my LN v. XMR challenge! I successfully traced my XMR payment and doxed his stealth address. Let's see if he can trace his LN payment and dox my channel!

https://x.com/SuperTestnet/status/1917826627259551777

I think monero's ring signature tech is cool, I like that it enables something similar to coinjoins but without needing everyone to sign something. It's better than doing a coinjoin unless you can get more than 16 people to join you in your coinjoin.

I also think monero's amount encryption tech is cool and better than the encryption standard we use in the lightning network. I wonder if we can adopt it in the lightning network. Their encryption standard has a feature called "perfectly blinding" which means that even if the encryption mechanism gets broken in the future, the data you get is still worthless without the decryption key. Lightning uses a less robust encryption standard and if it gets broken in the future, it would suck very badly for historical transactions.
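The property the post above calls "perfectly blinding" is what the cryptography literature calls perfect hiding: Monero's amount hiding uses Pedersen commitments, which are perfectly hiding and only computationally binding. The following is an added toy demonstration, not code from the post, from Monero or from Lightning. It uses a tiny safe-prime group (P = 1019, constructed for illustration, not real parameters) and assumes an attacker who has fully broken the discrete-log problem and therefore knows the log x of H to base G. Even with that knowledge, a commitment C = G^v * H^r is consistent with every possible amount v', each with its own blinding factor r', so the attacker learns nothing about the real amount. The same computation shows the flip side: such an attacker could open the commitment to a different amount, which is why the binding property is only computational.

```python
# Added toy demonstration of the perfect-hiding property of Pedersen
# commitments. Constructed toy parameters: a tiny safe-prime group, not
# Monero's Ed25519 parameters and not anything a wallet would use.
P = 1019  # safe prime, P = 2*Q + 1
Q = 509   # prime order of the quadratic-residue subgroup of Z_P^*
G = 4     # generator of that order-Q subgroup (4 = 2^2 mod P)


def make_h(secret_log: int) -> int:
    """Second generator H = G^secret_log (mod P).

    In a real deployment H is derived by hashing so that nobody knows
    secret_log; here it models an attacker who has broken discrete logs.
    """
    assert 1 <= secret_log < Q
    return pow(G, secret_log, P)


def commit(value: int, blinding: int, h: int) -> int:
    """Pedersen commitment C = G^value * H^blinding (mod P)."""
    return (pow(G, value, P) * pow(h, blinding, P)) % P


def equivocate(value: int, blinding: int, new_value: int, secret_log: int) -> int:
    """Given x = log_G(H), find r' with commit(new_value, r') == commit(value, r).

    Because G^v * H^r = G^(v + x*r), we need v + x*r == new_value + x*r' (mod Q),
    so r' = r + (v - new_value) * x^-1 (mod Q).
    """
    x_inv = pow(secret_log, -1, Q)
    return (blinding + (value - new_value) * x_inv) % Q


def all_openings(value: int, blinding: int, secret_log: int) -> dict:
    """Map every candidate amount in [0, Q) to a blinding factor that opens
    the same commitment. Every amount is equally consistent with C, which is
    why an attacker who breaks the group still learns nothing about v."""
    h = make_h(secret_log)
    c = commit(value, blinding, h)
    openings = {}
    for candidate in range(Q):
        r = equivocate(value, blinding, candidate, secret_log)
        assert commit(candidate, r, h) == c  # each opening really matches C
        openings[candidate] = r
    return openings


def is_binding_without_log(value: int, blinding: int, other_value: int, h: int) -> bool:
    """Without the discrete log, changing the amount changes the commitment
    (computational binding): same r, different v gives a different C."""
    return commit(value, blinding, h) != commit(other_value, blinding, h)


if __name__ == "__main__":
    x = 123                      # attacker's knowledge: log_G(H) (constructed value)
    H = make_h(x)
    C = commit(42, 77, H)        # honest commitment to amount 42 with blinding 77
    r_fake = equivocate(42, 77, 7, x)
    print("C opens to 42:", commit(42, 77, H) == C)
    print("C also opens to 7:", commit(7, r_fake, H) == C)
    print("distinct amounts consistent with C:", len(all_openings(42, 77, x)))
```

The contrast the post draws is visible in `all_openings`: every one of the Q possible amounts has a valid opening, so breaking the group buys the attacker nothing about historical amounts. A scheme that merely encrypts the amount under a key does not have this property: once the encryption is broken, the ciphertext uniquely determines the plaintext.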

I made a tool called Examiner for tracing random monero transactions: https://github.com/supertestnet/examiner

It's not very effective. For about 1/5 transactions, it can identify the sender with roughly 80% confidence.

Found out today that Lightspark's statechain model does NOT use a blinded server. It's not a privacy tool. That's sad. I recommend preferring Mercury's over Lightspark's if privacy is important to you.

It seems to work really well and I am very excited that there is another statechain implementation in the wild.

One thing I like about statechains is that they offer similar privacy protections as Cashu mints (e.g. they both use a blinded server, though I'm not certain this implementation uses one -- will have to ask) but they improve upon them in some respects (e.g. they carry less risk of shotgun KYC).

The usual caveats apply, however: in the statechain model, the operator is trusted to prevent doublespends, which means they can steal from you by authorizing a doublespend. So don't use them unless you trust the operator not to do that.

> different threat model

How are they different?

> not a DNM

Why not?

As Kanzan points out, monero has serious weaknesses against targeted surveillance.

If *you* are worried about targeted surveillance, lightning offers better privacy than monero.