Demystifying Monero Privacy For Bitcoiners: How it works and why it's promoted so aggressively despite being so bad

Unlike Monero, Bitcoin wasn’t conceived to break the link between sender and receiver onchain. This is Bitcoin’s huge unfixable flaw that likely pushed Satoshi to move on to other things. Unlike Bitcoin, Monero was conceived to be private and to break linkability through the implementation of 3 innovations:

  1. Single use outputs with key images (where balances are obfuscated with Pedersen Commitments)

  2. public meta addresses from which a new stealth address is generated with every transaction

  3. Rings, where the output of the spender is mixed with a number of other outputs present onchain that are picked by a decoy picking algo coded into Monero wallets (rings were replaced with RingCT when Pedersen Commitments were introduced)

Yet, despite these 3 innovations it still fails to break linkability in the real world, which should serve as a sober reminder not to conflate a tech created to break linkability with a tech that breaks linkability. Just because something was created to do something does not guarantee that it’s good enough and fulfills its purpose. For example, China’s anti-stealth radars were supposed to work, and their engineer was considered a national hero, until they were tested on the battlefield in Iran and flopped. Or Leonardo Da Vinci’s flying machines: on paper they were supposed to fly, but when his student Tommaso Masini attempted a flight from Mount Ceceri he crashed to the ground and broke both legs.

How Monero tries to obfuscate the real spender with decoys

When you spend an output in Bitcoin, a transaction is formed that shows on one side the outputs being spent (sender), and on the other side the receiver’s output(s) and the sender’s change (if any). So in Bitcoin, for every transaction you know exactly who the sender is.

Monero’s protocol tries to obfuscate the sender by mixing the real spending output with 15 other outputs present onchain. Monero forms a ring with all 16 outputs, which is signed by the real sender to prove that the output being spent belongs to said ring. The additional outputs are known as “decoys” and are picked automatically by a wallet algorithm known as the decoy picking algo, which chooses them by following specific rules. Today the standard decoy picking algo in Monero’s GUI wallet uses a log-gamma distribution with shape parameter 19.28 and scale 1/1.61.

The standard log-gamma distribution used by Monero’s GUI wallet

In practical terms this means that the algo has a 10% chance of picking outputs younger than 1.6 hours as decoys, a 10% chance for outputs between 1.6 and 4.3h, a 10% chance for those between 4.3 and 9.2h old, and so on, as shown on the chart above.

If you look closely you realize that the decoy algorithm favors recent outputs over older ones: more than 80% of decoys are less than 2.4 weeks old. This preference is illustrated in the schematic chart below, which was taken from one of Rucknium’s presentations and tries to mimic real-world usage patterns among UTXO blockchains.

The behavioral importance of the age of a Monero output

Monero outputs are single use, and Monero uses so-called public meta-addresses that don’t exist anywhere onchain. These addresses are simply used by the sender to generate a new unique onchain address (stealth address) every time he sends money to the owner of the public meta-address. Therefore the time when an output was created reflects the moment when the owner of that output received the balance contained in it. This wouldn’t be the case if outputs weren’t single use, and as we will see this is a huge, fatal weakness for Monero’s privacy. By comparison, in Bitcoin, since outputs are not single use, the first time an output appears on the blockchain is not also the last time said output received money, since output balances can be updated.

Studies of UTXO behavior in public blockchains, made to create metrics that describe holders’ behavior at different points of a market cycle, have unearthed the so-called recency heuristic. The usage pattern of UTXOs across different blockchains is remarkably similar: UTXOs tend to be spent sooner rather than later. In other words, the probability of a UTXO being spent is exponentially higher in the first hours/days after its creation.

While directionally the shape of this curve remains unchanged, which is what makes the recency heuristic, its actual values do change with the price action of the underlying coin. So in reality, the curve depicting the actual probability of a UTXO being spent moves up and down as prices move up and down. For example, around bull market tops the curve tends to move up, as the probability of older coins being included in a transaction goes up (since long-term holders take profit).

Now the same heuristics and behavioral traits apply to Monero outputs, since Monero is also a UTXO blockchain. The recency heuristic applies to all outputs from the moment they are created, so even if we don’t see amounts we know that new outputs are much more likely to be spent soon. And while the log-gamma curve models the distribution of probabilities of UTXOs being spent, the curve will never perfectly overlap with the real probability curve that can be seen by analyzing user behavior onchain at a specific point in time.

OSPEAD

By conducting statistical analysis on the age of all outputs seen across all rings, and comparing it to the distribution of decoys alone, the difference gives us the noise introduced by real spends. If over a period of 4 weeks 1 million rings were formed, and we have a 2x over-representation of 5-10 day old outputs in that specific interval, then that tells us that over this period of time most real spends (which are picked by users) are 5-10 days old. If we now go back and attack individual transactions with this piece of knowledge, we can reduce the effective ring size from 15 to 4.2 simply by trying to pick an output that fits that over-represented age band.

To address this issue, Rucknium proposed a new dynamic decoy picking algo that is updated continuously. The problem is that even in that case user behavioral shifts are unpredictable, and any changes to the decoy picking algo will have to be made post mortem. Therefore this lag between the log-gamma distribution used by the decoy picking algo and the real spend distribution seen onchain, which is determined by actual user behavioral patterns, will always be there in some shape or form.
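To make the decoy-age figures quoted above and the over-representation idea behind OSPEAD concrete, here is an added simulation (it is not Monero’s wallet code or Rucknium’s tooling). It assumes a decoy’s age in seconds is exp(G) with G drawn from Gamma(shape 19.28, scale 1/1.61) as stated above, a 16-member ring, and a constructed real-spend age distribution (same log-gamma form, scale 1/1.75) that stands in for user behaviour the wallet’s model does not match.

```python
"""Simplified model of the decoy-age distribution described in the article.

Assumptions (added illustration, not Monero's wallet code): a decoy's age in
seconds is exp(G) with G ~ Gamma(shape=19.28, scale=1/1.61); a ring holds
15 decoys plus 1 real spend. Standard library only.
"""
import math
import random

SHAPE = 19.28
SCALE = 1 / 1.61        # the article's "scale 1/1.61"
RING_SIZE = 16          # 1 real spend + 15 decoys
HOUR = 3600.0


def log_gamma_ages(n, shape, scale, seed):
    """Draw n output ages (in hours) from a log-gamma model."""
    rng = random.Random(seed)
    return [math.exp(rng.gammavariate(shape, scale)) / HOUR for _ in range(n)]


def decile_edges(ages):
    """Nine ages that split the sample into ten equally likely bands."""
    s = sorted(ages)
    return [s[int(len(s) * q / 10)] for q in range(1, 10)]


def band_index(age, edges):
    """0 = youngest band ... len(edges) = oldest band."""
    return sum(1 for e in edges if age >= e)


def decoy_age_profile(n=100_000, seed=1):
    """Reproduce the article's figures: decile edges and share < 2.4 weeks."""
    ages = log_gamma_ages(n, SHAPE, SCALE, seed)
    two_point_four_weeks = 2.4 * 7 * 24
    return {
        "decile_edges_hours": decile_edges(ages),
        "share_under_2_4_weeks": sum(a < two_point_four_weeks for a in ages) / n,
    }


def ring_band_ratios(n_rings=20_000, spend_scale=1 / 1.75, seed=2):
    """Observed share of ring members per decoy-decile band, divided by the
    0.10 the decoy model alone predicts for every band.

    Real-spend ages come from a *constructed* log-gamma with a different scale
    (spend_scale), standing in for real user behaviour the wallet's model does
    not match. A ratio above 1 marks an over-represented age band.
    """
    decoys = log_gamma_ages(n_rings * (RING_SIZE - 1), SHAPE, SCALE, seed)
    edges = decile_edges(decoys)      # by construction each band holds 10% of decoys
    spends = log_gamma_ages(n_rings, SHAPE, spend_scale, seed + 1)
    counts = [0] * (len(edges) + 1)
    for age in decoys + spends:
        counts[band_index(age, edges)] += 1
    total = n_rings * RING_SIZE
    return [(c / total) / 0.10 for c in counts]


if __name__ == "__main__":
    prof = decoy_age_profile()
    print("decile edges (h):", [round(e, 1) for e in prof["decile_edges_hours"]])
    print("share younger than 2.4 weeks:", round(prof["share_under_2_4_weeks"], 3))
    print("ring-member over/under-representation per band:",
          [round(r, 3) for r in ring_band_ratios()])
```

With the constructed spend distribution the youngest bands come out over-represented and the oldest under-represented by only a few percent each, because one real spend is diluted by 15 decoys per ring; that dilution is why such an analysis needs a very large number of rings.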

Would OSPEAD be possible with the Account Model?

All the behavioral patterns discussed so far about the probability of a specific coin being spent are specific to the UTXO model. To transfer them to the account model we would have to convert the transaction flow between accounts into a virtual UTXO version of that blockchain. To do that we’d need transparent transaction amounts like in ETH. In a privacy coin this wouldn’t be possible, since transaction amounts are presumed private, and therefore if Monero were using the account model with (if it were possible) Pedersen Commitments, then OSPEAD wouldn’t be applicable to it. So in theory, an account-model version of Monero with rings, obfuscated balances and transaction amounts would be immune to OSPEAD analysis.

Real Life Monero Tracing Case Study: The Vastaamo hack

As per the Finnish police, the hacker received payments in Bitcoin and sent the funds to an exchange that was not compliant with Know Your Customer (KYC) guidelines before swapping for Monero and then transferring the funds to a dedicated Monero wallet. According to reports, the funds were later sent to Binance, exchanged for Bitcoin again, and moved to different wallets. The local authorities are maintaining confidentiality and have not disclosed any further details about their on-chain analysis.

As reported by Cointelegraph and others, the Vastaamo coins were traced after 2 hops. In other words, the hacker received XMR from a swap service (XMR wallet 1). He then moved that XMR to a second wallet, XMR wallet 2, and from there he deposited it on Binance.

Despite the extra hop the 3 outputs were linked together.

Creating sets of related outputs for cluster analysis

While statistical analysis like OSPEAD provides an adversary with a starting point for narrowing down rings, a deeper analysis of output metadata can be much more damning. In fact, the most effective first step for deanonymizing Monero is to start compiling sets of related outputs. The strongest sets are those marking outputs owned by the same user or organization (such as Lazarus). Regulators have the information required to compile such sets for millions of CEX users, because of quarterly reporting requirements. For example, user withdrawal transactions can be used for this purpose to compile all outputs belonging to the same user “Bob”.

Now you’re probably wondering: how is this possible if Monero uses so-called public meta-addresses that aren’t present onchain? While a user’s public address is never present onchain, Monero still has onchain addresses that are generated by multiplying those public addresses with a random number. For example, when Alice sends money to Bob, miners don’t mine the amount into Bob’s public address; instead Alice generates a new unique address by multiplying Bob’s public address with a random number, and then she publishes the transaction with a fee for miners to mine that amount into the new address she generated from Bob’s public address.

This new address, once mined, will be engraved onchain and will create a new output. Everyone will be able to detect the creation of this new output, but only Alice (the creator) will know that the output is spendable only by Bob, because only she knows that the address was generated from Bob’s public key. If Alice is an exchange, then whenever Bob withdraws money she can compile a list of all outputs she created for Bob. And she can do this for millions of users.

Alternatively, if Alice simply reports withdrawal transactions to the IRS, along with a list of all outputs Alice controls (those generated from Alice’s own public address), then the IRS can compile this list independently by going through the withdrawal transactions and indexing all the outputs belonging to each user.

So the IRS, or a contractor like TRM Labs or Chainalysis, can create sets of outputs controlled by the same user for millions of exchange users.

How cluster analysis completely kills ring privacy with astronomical certainty

As explained in the previous section, Monero’s standard decoy picking algo uses a log-gamma distribution to pick decoys among all outputs present onchain, and more than 80% of decoys are less than 2.4 weeks old. This is because, as explained above, Monero’s log-gamma distribution tries to follow actual user behavior in UTXO blockchains, where new outputs are exponentially more likely to be spent than old outputs. So what Monero’s wallet does is try to mix recent outputs together for maximum deniability and noise. However, because of the high number of outputs, statistically speaking it’s almost impossible for the decoy selection algorithm to pick 2 outputs belonging to the same user as decoys in the same transaction.

Let’s look at the math to make sure it checks out. Today Monero has on average 20-30k daily transactions, and each transaction creates at least 2 new outputs, meaning at least 50k new outputs are created every day. This means 850,000 new outputs are created on average in 2.4 weeks on Monero today. Now let’s calculate the probability that 2 outputs both belonging to an entity such as CEX user “Bob” are picked by chance by the decoy picking algorithm.

P(2xBob) = (1/850,000) * (1/850,000) = 1.384083 * 10^(-12)

That’s 1.38 trillionths. Winning a typical big lottery jackpot is around 1 in 100-300 million; this is thousands of times smaller. However, for someone who has a database with sets of outputs belonging to the same user, this is an event that happens regularly on the Monero blockchain, and since it’s statistically a non-event, these occurrences effectively prove that whenever 2 or more related outputs appear in the rings of the same transaction, that’s not by chance: they are there because they are being spent.

And this is why cluster analysis is the most fatal attack on Monero rings. Since clusters are proof that certain outputs are being spent, they allow us to compile a new list of spent outputs on top of the sets of related outputs.

Now an adversary would not only have a list of related sets of outputs, but could also compile a list of spent outputs and could also link those spent outputs to the new outputs created in the transactions where they were spent. Technically this means building a transaction graph, showing how money moved from A to B.

Creating abstract sets of related outputs

Using CEX data to create sets of related outputs belonging to the same user is only one way of applying cluster analysis, and probably the most specific one. However, there are other ways of detecting related outputs onchain, even without knowing who their owners are. One way is by looking at the fee structure of the transaction that created an output. The outputs of users or service providers with unusually high or low fees stick out.

Another very common heuristic for spotting related XMR outputs is analyzing age bands. In other words, when outputs belonging to the same age band appear in the same transaction, then again they’re most likely being spent. This holds especially if said outputs are not recent, because the odds of 2 old outputs appearing together in the same transaction by chance would otherwise be extremely low.

Patterns are also leaked by the UTXO structure of the transaction that created a specific output. From Bitcoin you should know that UTXO transactions can be of different types: many-to-1 (consolidation), one-to-many or many-to-many (payouts or spam), or few-to-2 (user transactions). This distinction can come in handy to filter automated/bot transactions from normal user transactions. When combined with other heuristics such as fee structure, this can become an onchain footprint for specific users or service providers.

Black Marble attack

The ultimate objective of any analysis of Monero transactions is to find patterns that allow us to tell decoys from real spends. These patterns however can take time to emerge, so if we are in a rush to trace transactions there is a shortcut: spam the network with transactions to make sure that the vast majority of decoys are picked from the spammer’s own outputs. This allows the spammer to deanonymize any transaction where his outputs are picked as decoys.

Real Life Black Marble Attack Case Study: Incognito Market Shutdown

In recent years there was an instance where Monero suffered a black marble attack that was visible in its transaction volume chart.

Incognito was a DNM that exited in early 2024, and during the shutdown its admin (who was a huge fan of Monero) started extorting users by threatening to leak their data unless they paid a fee (in XMR). Probably in order to trace all these extortion transactions as quickly as possible, someone started spamming the network, as seen in that transaction count spike. Incognito’s admin was identified and arrested shortly after. He pled guilty in December 2024.

Using other metadata to profile outputs: IP Addresses

So far we have spoken mostly of onchain metadata such as transaction fees and UTXO structure, but through network traffic surveillance an adversary can also monitor IP addresses. The thing about IP addresses is that they have a double-edged function:

  1. Connect an output to a real life identity

  2. Connect an output to other outputs present onchain to create a set of related outputs

If you don’t use a VPN but broadcast your transaction from your home connection, then an adversary monitoring traffic in the XMR network could link that output to your residential IP. Yet what people miss is that even if you always use a VPN IP while doing a few transactions, the outputs produced in those transactions will still be tied to the same entity (“you”), even if the analyst won’t know exactly who you are because your residential IP has been hidden.

This set of related outputs can come in handy to perform cluster analysis: if next time you forget to turn on your VPN and 2 of your outputs created with that VPN address form a cluster in a transaction, then an analyst will be able to prove that those VPN outputs are actually tied to your residential address, and therefore to you.

Or simply, even if you have impeccable opsec and never forget to use a VPN, whenever you spend/combine any of those outputs an analyst can mark them as spent and filter them out as decoys in the other transactions where they appeared in rings, thereby weakening the privacy of other users.

Key image analysis: How Monero’s single use outputs can be exploited to completely brute force rings

So far we have seen how, by exploiting deviations between the real spend age distribution and the decoy age distribution (which is given by the log-gamma decoy picking algo), we can start profiling outputs as highly likely to be real spends. But if we’re a regulator, or an adversary with access to data compiled by regulators or companies adjacent to them, we can also compile sets of related outputs and look for instances where they are “co-spent” together, because even just 2 related outputs appearing in the same transaction are proof that they are being spent in that transaction. And if we must deanonymize a high number of transactions in a short period of time, then spam attacks come in handy, because if 14 of the decoys are our own spam outputs, then we can easily find the real spend.

The thing about Monero outputs, however, is that they are single use, so if we find where a specific output was spent and index it in some database, then we can filter out that output as a decoy in 100% of the other transactions where it appears in rings.

The way Monero outputs work is that when they are spent their key image is published onchain; this is what prevents double spends in Monero. Each output has only one key image, which is published only once, whenever the owner of that output decides to spend it.

Because in Monero every ring has a key image attached to it that belongs to the output being spent in that ring, the process of identifying the real spend (through OSPEAD, co-spend analysis, black marble or otherwise) and indexing spent outputs whose key image has been identified is referred to as key image analysis. Once this huge database has been compiled, a computer program can automatically filter out as decoys any outputs whose key image has already been identified, because Monero outputs can be spent only once.
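The filtering step described above, as an added toy illustration on constructed data (the ring and output identifiers are made up; this is not Monero’s code and it does not read real chain data): each ring is keyed by its key image, so a ring spends exactly one member and every output is spent at most once. Striking a known spend from every other ring can leave some ring with a single candidate, which reveals that ring’s spend in turn, so one identified spend can cascade.

```python
"""Toy model of the spent-output filtering the article calls key image analysis.

Added illustration on constructed data (ring and output ids are made up);
not Monero's code. Each ring is keyed by its key image, so a ring spends
exactly one of its members and every output is spent at most once.
"""

# Constructed rings: key image -> candidate outputs (decoys plus the real spend).
RINGS = {
    "ki_A": {"out_1", "out_2", "out_3"},
    "ki_B": {"out_1", "out_2", "out_4"},
    "ki_C": {"out_2", "out_3", "out_5"},
    "ki_D": {"out_4", "out_5", "out_6"},
}

# Constructed starting knowledge, e.g. from the co-spend clusters described
# above: output -> key image of the ring in which it was the real spend.
KNOWN_SPENT = {"out_1": "ki_A", "out_2": "ki_C"}


def filter_spent_outputs(rings, known_spent):
    """Strike known spends from every other ring and repeat until stable.

    Returns (candidates, spent): the surviving candidates per key image, and
    the output -> key image map extended with every spend inferred by
    elimination (a ring reduced to one candidate has revealed its real spend).
    """
    candidates = {ki: set(members) for ki, members in rings.items()}
    spent = dict(known_spent)
    for out, ki in known_spent.items():
        candidates[ki] = {out}          # a known spend pins its own ring
    changed = True
    while changed:
        changed = False
        for ki, members in candidates.items():
            # an output spent in a different ring cannot be this ring's spend
            elsewhere = {out for out, k in spent.items() if k != ki}
            if members & elsewhere:
                members -= elsewhere
                changed = True
            if len(members) == 1:
                (only,) = members
                if only not in spent:
                    spent[only] = ki    # resolved by elimination
                    changed = True
    return candidates, spent


def effective_ring_sizes(candidates):
    """Average candidates left per ring; equal to the original ring size
    means nothing has leaked."""
    return sum(len(m) for m in candidates.values()) / len(candidates)


if __name__ == "__main__":
    cands, spent = filter_spent_outputs(RINGS, KNOWN_SPENT)
    for ki in sorted(cands):
        print(ki, sorted(cands[ki]))
    print("spent outputs (known + inferred):", sorted(spent))
    print("average effective ring size:",
          effective_ring_sizes(RINGS), "->", effective_ring_sizes(cands))
```

On this constructed data two known spends resolve a third ring outright and halve the fourth ring’s candidate set, dropping the average effective ring size from 3 to 1.25.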

How DNM Admins used Monero to launder profits

By going through the many public cases of arrested Monero users, like Kivimaki from the Vastaamo case above, you start noticing a pattern that constitutes the backbone of any DNM profit laundering scheme that relies on Monero for privacy:

  1. Receive payments in a transparent coin (BTC or LTC)

  2. Take the proceeds and swap them for XMR through a non KYC swap service like FixedFloat.

  3. Try to mix this Monero by sending it to an intermediary wallet or churn it.

  4. Then cash out “in peace” by sending that Monero to a KYC exchange like Binance, where the liquidity is good.

The premise of this laundering scheme is that Monero transactions are unlinkable, because if Monero is traceable then you can tie together all transactions in the 4 stages of the process. Experience shows that this scheme, for some reason, doesn’t work, and those who attempt to use Monero as a laundromat end up being caught sooner or later because Monero transactions are not unlinkable in the real world. A bit like Chinese anti-stealth radars that look good on paper but don’t work on the battlefield.

2024-2025 DNM Takedowns

The biggest indicator that Monero doesn’t work, in my opinion, is the many successful darknet market takedowns by law enforcement in 2024-2025.

  • Incognito: Incognito was the first domino to fall in 2024. Its admin used the exact laundering scheme explained above. While the official explanation states that Rui Siang Lin was identified because of some BTC he sent to a nameserver address in 2022, in reality they must have traced his Monero to prove his profits’ connection to the revenue generated by Incognito through the years.

  • In October 2024 the Dutch Police took down the Cannabia and Bohemia DNMs, arrested their admins around Europe, and also posted a banner with the usernames of 58 other users who were arrested as part of the operation. Since all DNM admins use the same laundering scheme (nobody sends Litecoin from a DNM straight to Binance), if Monero were private they shouldn’t have been caught.

  • In June 2025 US law enforcement arrested a famous Monero-only hacker who went by the moniker IntelBroker. The official story is that he was identified because of a BTC transaction at the very beginning of his career, but to indict him for all the crimes that came later they had to trace his Monero.

  • In June 2025 law enforcement also took down the XMR-only DNM Archetyp, one of the biggest DNMs out there with 612,000 users and a transaction volume of over $289M (all in XMR). The Interpol press release officially stated that the takedown was made possible by tracing financial flows. Considering Monero’s weaknesses, the other well-known cases where Monero was traced, and the fact that Archetyp was a Monero-only DNM, it’s safe to say that Monero was the weak link.

  • In July 2025 Abacus, another DNM, shut down. Per TRM Labs: “Faced with the decision between profit-seeking and self-preservation, Abacus’s admins likely chose the latter.” Did they realize Monero was traceable and that it was best to close shop, especially after the takedown of Archetyp?

Rare sneak peek into real world Monero tracing capabilities: The Chainalysis 2023 IRS pitch video leak

In September 2024 a Chainalysis Academy video was leaked that showed an interesting Monero tracing case that had been presented to the IRS. In that video you can see the full spectrum of techniques discussed so far being used to trace Monero over multiple hops, despite good opsec by a target user who:

  1. Used a VPN to hide his IP for 3 transactions in a row after he withdrew his money from the Morph Token Swap

  2. Always used non custodial wallets, never sent any money to a CEX after withdrawing from Morph Token

Despite this, his Morph token withdrawal output was still linked to an output created after 4 transactions.

By linking all these Monero outputs, investigators could prove that the IP addresses of all these transactions were controlled by the same person. Since in the final, fourth transaction the target had not used a VPN, and when you don’t use a VPN the IP address doxes your residence, investigators were able to tie that residential IP address back to the initial Morph Token withdrawal.

I strongly recommend that you watch the full video here to visualize how powerful the tracing techniques and heuristics discussed so far are.

Magic Grants’ conflict of interest

Monero’s development is funded, among others, through Magic Grants, a non-profit whose director was also the founder of Moonstone Research, a company specializing in tracing Monero payments. Moonstone was sold to Naxo LLC in early 2025. Naxo has multiple former law enforcement investigators in its ranks.

Notably, Magic Grants recently funded Veridise’s audit of the proposed FCMP implementation. FCMP introduces full view keys in Monero, which create stealth transparent pools while also opening the door to complete deanonymization of the network through non-reproducible wallet implementations that leak users’ full view keys. I covered this topic in depth in my previous article here.

The same individual is (a) funding Monero development and (b) commercially monetizing Monero’s traceability weaknesses. This dual role raises questions about incentive alignment and governance transparency, particularly when public claims about Monero’s privacy properties coexist with commercial tracing capabilities.

So here is a question that keeps coming up: has Monero been pushed aggressively as the crime coin by the same people milking its weaknesses to sell tracing services to government agencies? Considering how obsolete and weak the tech is and how aggressively it’s promoted, it certainly seems so.
