Published on Wed Aug 16 2017
When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies
See More ...
We show how third-party web trackers can deanonymize users of
cryptocurrencies. We present two distinct but complementary attacks. On most
shopping websites, third party trackers receive information about user
purchases for purposes of advertising and analytics. We show that, if the user
pays using a cryptocurrency, trackers typically possess enough information
about the purchase to uniquely identify the transaction on the blockchain, link
it to the user's cookie, and further to the user's real identity. Our second
attack shows that if the tracker is able to link two purchases of the same user
to the blockchain in this manner, it can identify the user's entire cluster of
addresses and transactions on the blockchain, even if the user employs
blockchain anonymity techniques such as CoinJoin. The attacks are passive and
hence can be retroactively applied to past purchases. We discuss several
mitigations, but none are perfect.