I like cryptocurrency as a concept and a technology (despite beefs with being forced into Javascript with Ethereum). I do not like the financial community that surrounds it– it’s full of grifters and scammers, holdovers from Wall Street eager to take advantage of unregulated markets. This financial community’s historical abuses in tandem with the hacker’s natural desire to defy authority ultimately led to regulatory bodies like the Securities and Exchange Commission in the United States to crack down on the technology. Ultimately, this led to the bane of crypto enthusiasts everywhere: Know Your Customer regulations, somewhat lifting the veil on anyone who tries to be anonymous with their cryptocurrency.

Piracy isn’t as free as we like to think. It costs money to run torrent trackers– see TorrentSeeds’s closure for financial reasons. I like to support the pirate community’s efforts through donations for various sites I use. Naturally, piracy may not be a crime, but they do result in crippling violations from your ISP when caught. Do I want it to be financially trackable that I’m supporting copyright violations? No. Is it a good idea that I’m even admitting to financially supporting piracy publicly on a known identity? Also no– if piracy was more critically regulated, this would be a massive opsec failure, the ultimate killer of any anonymous cryptocurrency activities. Still, cryptocurrency is a good way to support your favorite tracker. Before its demise, TorrentSeeds would simply allow you to buy an account with the stuff.

Despite what flashy news about ransomware payments and huge gains from cryptocurrency grifters may have you believe, cryptocurrency fucking sucks as a currency. Freedom in how you spend it has been yanked from the clutches of hackers by the financial industry as a whole via experienced and newbie grifters alike, providing barricades and footguns where the only gatekeeper should be knowledge of a cryptocurrency’s particulars of implementation. In this post, I’d like to cover some of the particulars I’ve faced attempting to use cryptocurrency as it was intended (a liberating form of currency) from the hacker’s perspective of the ever-eternal quest to creating anonymity for one’s self.

Reputable vs. Untrustworthy Money

Have you ever tried to spend money anonymously without resorting to cash? It’s hard. Visa gift cards have limited maximum values and refillable debit cards are bound by regulation of the financial industry to provide identities of its users. Once you’re forced to give a social security number, it’s over for your identity evasion. Either way, traditional methods of currency exchange like credit card networks are of good reputability. Except in limited cases, everyone seems to accept a Visa gift card. This contrasts strongly with cryptocurrency– it is a grab bag if a cryptocurrency payment gateway will even let you use your own wallet generated by your currency of choice. Many processors gatekeep you to known wallet programs! Not very hacker friendly.

Nonetheless, because cryptocurrency is not explicitly bound to an identity in some way or another, it is considered untrustworthy. Cryptobros would steam and say “but cash is anonymous,” and they would be right to be mad. But as Scotty from Star Trek famously said, “if my grandma had wheels, she’d be a wagon.” The current generation of gatekeeping financiers just don’t see it as a trustworthy vessel– cryptocurrency is merely a good speculative security like the stock market. You don’t spend it– you hoard it. This is why some cryptocurrency payment gateways will demand your social security number if you attempt to use it– it is a security, not a currency, how dare you try to do otherwise.

This divide exists among the cryptocurrency world as well, with a few clear winners of the currency wars and one notable loser, all at the hands of traditional financial gatekeepers. Let’s talk about Ethereum and Monero.

Ethereum is not necessarily the name of the cryptocurrency, as it is actually the name of the cryptocurrency platform built upon a specific blockchain. Many currencies use the Ethereum platform, and Ether is the name of the main cryptocurrency of it. As blockchains are wont to do, transactions and their addresses are part of a public ledger you can actively explore. As a result, regulatory bodies didn’t come down as hard on it– transactions on this public ledger are clearly traceable to a reputable source, typically an exchange like CoinBase where you can purchase the token. To deal with this public ledger problem, hackers came up with the idea of cryptocurrency tumblers, the most famous of which is Tornado Cash, an Ether mixer that obfuscates the source of the Ethereum transactions. Any wallet that touches Tornado Cash is of ill repute as a result.

As far as acceptance in the traditional finance community, Monero is considered of ill repute as well because you can’t see the full transaction history of an address on its chain– it’s a currency with privacy at heart. No one tends to accept it as payment because exchanges are implicitly banned from providing it due to securities regulations. Other than drug dealers, hackers and privacy aficionados, anyway– they love it for those privacy reasons.

You will note a common theme among the cryptocurrency landscape is this hostility toward anonymity. It is the same sort of drama in traditional finance you see play out in crypto– the big bad bogeyman of anonymous cash versus verified and identified credit card and bank transactions. A hunger for any excuse to gather your identifiable characteristics, because only a drug dealer or a criminal would want their transaction to be anonymous. Only criminals use cash transactions!

Ultimately, though, the goal from this ideological financial divide is to go from untrustworthy money to reputable money to whatever variance of reputable you may be attempting to be. One supposes this is laundering, so it would be advised not to do this in large enough increments to get noticed. They get mad when you do. But how do you get reputable money from untrustworthy money? Not surprisingly (I hope), there are ways.

From Reputable Crypto to Reputable Fiat

We can go from cryptocurrency to traditional financial networks in one simple move: buy some Visa gift cards. This, of course, requires reputable cryptocurrency such as Ethereum. Coingate has a marketplace for all kinds of gift cards you can buy with cryptocurrency. BitRefill is another one. When I fuck up opsec on a wallet I recycle the funds in the wallet into a DoorDash gift card and shred the wallet. The beneficial part of recycling a wallet into a DoorDash card is that there’s more of a likelihood of draining the full gift card for a transaction or two. With a Visa gift card there’s the possibility of some dollars left lingering and unspendable on the card if you’re not careful. I’m not sure if this is specific to Ethereum, but crypto enthusiasts call those few left over cents and dollars “dust.” Dust is pretty infinitesimal with cryptocurrency, but can be costly when converted to fiat money.

While Visas are useful, they can’t be easily turned into funds for, say, deposit to a bank account. This is where a decentralized exchange which offers fiat payments comes in. A decentralized peer-to-peer cryptocurrency exchange like Bisq offers multiple options for cashing out to fiat. You will note, however, much like Visa gift cards the cash outs come with financial limits. For example, payment methods such as the scammer-inspiring USPS money order comes with a 1000 limit. Money laundering is hard– accept these financial limits as a necessary hurdle to your privacy and you should be good. The only problem with the peer-to-peer exchange is the minimum limits on how much currency you can trade on the network is usually set pretty high by the buyers. For obvious reasons, automated trading of crypto to fiat is not really available.

It used to be that what you could do to turn your crypto into anonymous-cash-until-deposit was buy a Visa debit gift card and recycle it in a specific way. I want to put emphasis on debit because debit functionality is a requirement of this former loophole, only some Visa gift cards allow you to place a debit pin on the card. What you used to be able to do was place a money order with the Visa debit gift card. This was as recent as a few years ago. The loophole is closed– debit gift cards no longer accept transactions for money orders! Not sure what they did exactly, but as of this post, that loophole is provably closed!

You will note I left out “go to an exchange” to cash out, despite it being the most logical option. The entire point of this post is to focus on the anonymity aspects of cryptocurrency– centralized exchanges demand so much information about you attempting to be anonymous with them is futile. They are also inescapable as potentially useful to your cryptocurrency ecosystem– you must be aware that any cryptocurrency that comes from a centralized exchange is tainted with your identity in some way or another. The public blockchain can be traced back to the individual transaction which sourced your crypto, and thus, eventually, you.

But hackers find a way to survive. Thanks to being fiercely anti-KYC, hackers and the cryptocurrency community ultimately have the nomad’s back.

Crypto Operational Security and Threat Models

Let’s take a look at the identifying characteristics of a currency purchase through an exchange. Here is a transitional wallet with a transaction I purchased from CoinBase.

A wallet with a few definitive transactions

For common courtesy purposes, exchanges will identify their public keys on the blockchain. In this transaction, you can clearly see them being ferreted off to another wallet entirely. This does not hide our funds from being viewed– it simply hides the target wallet from CoinBase. If they cared, they could pursue the wallet by following the transaction hash and pursuing the wallet, but we want to make them work for that metadata. We can follow the wallet being funded to snoop on transactions I’ve made with the wallet we’re hiding from CoinBase.

The target wallet of the previous transaction

Here, you can see a few transactions being made with unidentified wallets being paid. Clicking through, it is clear that these are BitRefill payments, though it isn’t clear what was purchased. I’ll tell you: I was purchasing Visa gift cards because I was extremely mad at BitPay’s aggressive KYC requirements. I paid for a renewal and a new domain, then proceeded to move my domains off NameCheap for their needlessly aggressive KYC requirements. I should not have to give you my social security number for a transaction that barely requires identification.

If you’d like to explore the wallet in question, check it out with Etherscan. This is a wallet full of transactions I don’t mind being public– I call it my dirty wallet in my notes. You will note for the most part the transactions contain useless information if you’re trying to do anything other than prove I made a specific transaction. There is ultimately nothing you can do to prevent this information from being public on this particular blockchain– every transaction is public. This is why operational security is key and you have a threat model in place to determine if your transactions are potentially vulnerable to eyes you don’t want to see. I don’t care if you, the reader, see that I use BitRefill to purchase items– it’s not a threat for you to know those facts. I am doing nothing illegal nor socially sensitive here.

Don’t be surprised if I abandon that wallet and start all over again with a new dirty wallet now that I’ve revealed it belonging to me. This is the freedom of running your own node of a given cryptocurrency. It does come at a cost, however– Ethereum is a great example of an extremely cost-prohibitive cryptocurrency.

Required Ethereum hardware specs to run an Ethereum nude

Taken from the salespitch of running your own node, it becomes extremely obvious why people want to rely on the freedom-restricting nature of available software wallets. Monero, by contrast, only requires a few hundred gigabytes to follow its chain. If you can find a wallet which will let you arbitrarily create and destroy individual keys for your wallet address, I would suggest using it, but I haven’t really found one. Exodus has a concept called portfolios, which lets you have up to three different sets of keys, but that’s the closest I’ve seen to full wallet freedom of a wallet application.

With wallet freedom, we can hypersegment our private spending to one wallet per transaction if we so desired, so long as our target payment processors of our crypto don’t require low-risk, established wallets. This doesn’t typically become a requirement for anything non-KYC involved. But if our threat model deems it necessary, how can we improve our cryptocurrency opsec?

Send It Through the Wash

Despite having extremely difficult cash-out capabilities, I do agree that cryptocurrency is ultimately a platform for money laundering for the financially creative. While you can’t cash out to fiat easily without an identity, you can certainly recycle and reinterpret your cryptocurrency without one. Enter kycnot.me, a website that provides all sorts of information in avoiding KYC requirements. Here, you can find various platforms for automatic trading and peer-to-peer trading of your target cryptocurrency to another cryptocurrency.

We mentioned Monero earlier as the red-headed stepchild of the cryptocurrency landscape: capable of privacy preservation on the blockchain but ultimately shunned from the financial community. There are a good amount of anti-KYC exchanges which can facilitate going from Ethereum to Monero. A good non-KYC required exchange I use is StealthEx. I like them because they’re a good automated exchange so long as you stay under $700-equivalent transactions (see: how to buy crypto with a credit card). You may not want that limitation for whatever reason– which I understand, I like to play within the limits of the system to stay under the radar. For greater amounts, there are other exchanges which actually have high automated minimums which may be more suited for your purposes. Filter for exchanges to see what your options are.

Nonetheless, crossing a cryptocurrency with Monero is like crossing over international waters– the trail disappears when you use Monero like a financial shield. You will ultimately respect why its hated by the financial gatekeepers when you perform this sort of currency seance– it’s reassuring attempting to go backwards in the blockchain to your original Ethereum transaction from any point and failing without employing timing analysis.

Speaking of timing analysis, it would be wise to wait to convert your Monero back to Ethereum to prevent such timing attacks from coming to your doorstep. But, with proper opsec and a clean wallet, you can store your cleaned Ethereum in a fresh wallet with only dedicated identity-diffused transactions. While you can’t make transactions with this wallet private in itself, you can prevent its communication with maintaining a tight lip. Just be warned that not every payment gateway is built the same– Coingate does not require KYC to pay, but BitPay does.

Conclusions

Cryptocurrency is not the hacker’s utopia its perceived to be– it was ultimately mangled and reigned in by the financial industry’s demons. They don’t want you to be anonymous and they try at every opportunity to identify you at the very last minute, trapping you in an identifiable transaction. To remain anonymous with cryptocurrency– like trying to remain anonymous on the Internet as a whole– you really have to work for it. You need to be aware when your identity could be compromised and know how to act accordingly without losing your money at the same time. Learn to know when to cash out and recycle when your identity or operational security is potentially compromised. It is not enough to just shut the fuck up– we need to share information. You must threat model where your weaknesses and potential compromises are when attempting to be anonymous in any way. Put thought into your financial actions and you should be okay.