"deanonymizing transactions"

Subject: "deanonymizing transactions"
From: noreply (at) *nospam* dirge.harmsk.com (D)
Groups: comp.misc
Date: 19. Jul 2025, 23:22:11
Organisation: dizum.com - The Internet Problem Provider
Message-ID: <20250719.182211.7c271fe3@dirge.harmsk.com>

as someone posted back in may . . . 
 
Date: Tue, 27 May 2025 09:52:15 +0000 
Message-Id: <20250527.095215.9aa06e66@yamn.paranoici.org>
References: <64664778e2937035506b5458a5e1f21158b75aa8@i2pn2.org>
Newsgroups: alt.privacy.anon-server 
...
I proposed long ago to the Nym developers to support Monero.
<https://nym.com/blog/new-mixnet-integration-nym-for-monero>
 
<https://dl.acm.org/doi/10.1016/j.cose.2019.101684>
And what works for Tor and Bitcoin ... 
<https://dl.acm.org/doi/abs/10.1145/3589335.3651487>
Nym is a scam and a honeypot.  Though they try hard
to make big money with their snake oil they'll fail. 
 
which seemed worth looking up, especially in the context of what could 
possibly be motivating these "tuta-tor/mini-tor/mini-mailer" promoters
beyond their _eternal september_ onslaught against anonymous remailers,
could these troll farm operatives be enticed by perks, fringe benefits,
rewards for their unwavering allegiance to the almighty powers that be 
(a significant portion of their vast troll farm apparatus must be a.i.)
 
over three decades of non-stop continual belligerence against anything
indicates pathological contempt, financial gain, or more probably both
i.e. at least where their mere mortal human(tm) work force are concerned 
(and the bible explains that no one can have their cake and eat it too) . . .
 
(using Tor Browser 14.5.4) 
https://dl.acm.org/doi/10.1016/j.cose.2019.101684
Deanonymizing Tor hidden service users through Bitcoin transactions analysis 
Published: 01 February 2020
Abstract
With the rapid increase of threats on the Internet, people are continuously seeking
privacy and anonymity. Services such as Bitcoin and Tor were introduced to provide
anonymity for online transactions and Web browsing. Due to its pseudonymity model, 
Bitcoin lacks retroactive operational security, which means historical pieces of
information could be used to identify a certain user. By exploiting publicly available
information, we show how relying on Bitcoin for payments on Tor hidden services could
lead to deanonymization of these services' users. Such linking is possible by finding
at least one past transaction in the Blockchain that involves their publicly declared  
Bitcoin addresses.
To demonstrate the consequences of this deanonymization approach, we carried out a
real-world experiment simulating a passive, limited adversary. We crawled 1.5K hidden
services and collected 88 unique and active Bitcoin addresses. We then crawled 5B 
tweets and 1M BitcoinTalk forum pages and collected 4.2K and 41K unique Bitcoin
addresses, respectively. Each user address was associated with an online identity along
with its public profile information. By analyzing the transactions in the Blockchain,
we were able to link 125 unique users to 20 hidden services, including sensitive ones, 
such as The Pirate Bay and Silk Road. We also analyzed two case studies in detail to
demonstrate the implications of the information leakage on users' anonymity. In
particular, we confirm that Bitcoin addresses should be considered exploitable, as they
can be used to deanonymize users retroactively. This is especially important for Tor
hidden service users who actively seek and expect privacy and anonymity. 
References
...
https://dl.acm.org/doi/abs/10.1145/3589335.3651487 
Deanonymizing Transactions Originating from Monero Tor Hidden Service Nodes
Published: 13 May 2024
WWW '24: Companion Proceedings of the ACM Web Conference 2024
Pages 678 - 681
Abstract 
Monero is a privacy-focused cryptocurrency that incorporates anonymity networks (such
as Tor and I2P) and deploys the Dandelion++ protocol to prevent malicious attackers
from linking transactions with their source IPs. However, this paper highlights a
vulnerability in Monero's integration of the Tor network, which allows an attacker to 
successfully deanonymize transactions originating from Monero Tor hidden service nodes
at the network-layer level. 
Our approach involves injecting malicious Monero Tor hidden service nodes into the
Monero P2P network to correlate the onion addresses of incoming Monero Tor hidden
service peers with their originating transactions. And by sending a signal watermark
embedded with the onion address to the Tor circuit, we establish a correlation between
the onion address and IP address of a Monero Tor hidden service node. Ultimately, we
correlate transactions and IPs of Monero Tor hidden service nodes. 
Through experimentation on the Monero testnet, we provide empirical evidence of the
effectiveness of our approach in successfully deanonymizing transactions originating
from Monero Tor hidden service nodes.
Supplemental video (MP4, 7.23 MB):
https://dl.acm.org/doi/suppl/10.1145/3589335.3651487/suppl_file/shp4046.mp4
References
...
[end quoted excerpts]
 
found this while searching bitmessage, monero, tor, backdoor, etc . . . 
 
(using Tor Browser 14.5.4)
https://cybersecurity88.com/news/new-backdoor-malware-exploits-pybitmessage-p2p-protocol/
New backdoor malware exploits PyBitmessage P2P protocol
May 22, 2025
The AhnLab Security Intelligence Center (ASEC) has discovered a new backdoor
malware strain bundled with a Monero cryptocurrency miner. Unlike other malware
that uses HTTP or IP-based communication, this malware uses PyBitmessage library 
to communicate over a peer-to-peer (P2P) network, encrypting its traffic between
endpoints.
What is PyBitmessage?
Bitmessage is a protocol designed for anonymity and decentralization, preventing
interception and masking both sender and receiver identities. The attackers
exploit PyBitmessage, a Python-based implementation of this protocol, to exchange
encrypted packets disguised as regular network traffic to evade detection.
Attack Chain
The Monero miner and backdoor are embedded in the top-level executable's
resources and encrypted using XOR. Upon execution, the malware decrypts these
components and stores three key files:
 config.json
 WinRing0x64.sys
 idle_maintenance.exe
in the %Temp%\3048491484896530841649 directory.
Monero is commonly used in such attacks due to its strong privacy features, 
allowing attackers to profit anonymously by hijacking system resources for mining.
Upon launch, the PowerShell-based backdoor installs PyBitmessage to handle POST 
requests via localhost port 8442. It attempts to download PyBitmessage from its
GitHub release page, or from a Russian-based file hosting service likely linked
to the attacker. 
PowerShell script
The PyBitmessage package, bundled via PyInstaller, creates .pyc, .pyd, and
related module files in the %TEMP%\_MEI~~ directory upon execution. 
Among them is QtGui4.dll, which appears to be patched (with a specific offset 
zeroed out) to disable its standard functionality, potentially as an evasion 
technique. 
After setup, the malware initializes multiple files and directories needed for 
operation and waits for further instructions from the attacker. These 
instructions are delivered as encrypted messages, saved locally, and executed as
PowerShell scripts from a hidden path (.\s).
The Bottom Line  
Evidence points to Russian or Russian-speaking threat actors based on backup 
file hosting site's Russian language interface and geographic hosting location.
This malware demonstrates how cybercriminals are weaponizing legitimate privacy 
tools, creating detection challenges that require fundamental shifts in security 
monitoring approaches from traditional signature-based to behavioral analysis 
methods.
Source: hxxps[://]asec[.]ahnlab[.]com/en/88109/
         ^^^^^     ^^^^   ^^^^^^   ^^^ ^^ ^^^^^ 
...
https://asec.ahnlab.com/en/88109/ 
PyBitmessage Backdoor Malware Installed with CoinMiner
May 20 2025
...
[end quoted text]  
 
i'm only an amateur user of anonymous remailers . . . but for those that work  
inside the system, it looks very much like spy vs. spy, good guys v good guys
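The ASEC/cybersecurity88 write-up quoted above lists concrete host artifacts (the %Temp% staging directory and its three files, PyInstaller _MEI directories with a patched QtGui4.dll, the PyBitmessage API listener on localhost port 8442, and PowerShell scripts under a hidden .\s path). As an added example, not code from the post or from ASEC, here is a read-only PowerShell hunt a defender could run on a suspect Windows host to check for those artifacts; the paths and port come from the article, while the search root for the hidden "s" directory (the user profile, depth 3) is an assumption, since the article only gives a relative path.

```powershell
# Added example (not from the article): read-only hunt for the PyBitmessage
# backdoor artifacts the ASEC write-up describes. Nothing is deleted or killed;
# every hit is reported as a warning for the analyst to triage.
$temp     = [System.IO.Path]::GetTempPath()
$findings = @()

# 1. Staging directory and the three dropped files named in the article
$stage = Join-Path $temp '3048491484896530841649'
foreach ($name in 'config.json', 'WinRing0x64.sys', 'idle_maintenance.exe') {
    $path = Join-Path $stage $name
    if (Test-Path -LiteralPath $path) { $findings += "dropped file: $path" }
}

# 2. PyInstaller extraction directories (%TEMP%\_MEI*) that carry a QtGui4.dll;
#    the article reports this DLL is patched (an offset zeroed) in the bundle
Get-ChildItem -LiteralPath $temp -Directory -Filter '_MEI*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-ChildItem -LiteralPath $_.FullName -Recurse -Filter 'QtGui4.dll' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "PyInstaller bundle with QtGui4.dll: $($_.FullName)" }
    }

# 3. Local listener on TCP 8442, the port the article says PyBitmessage serves
#    POST requests on for the backdoor
Get-NetTCPConnection -LocalPort 8442 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "listener on $($_.LocalAddress):8442 owned by PID $($_.OwningProcess) ($($proc.ProcessName))"
    }

# 4. Hidden directory named "s" holding .ps1 files (the article gives only ".\s",
#    so searching the user profile to depth 3 is an assumption of this example)
Get-ChildItem -LiteralPath $env:USERPROFILE -Directory -Hidden -Recurse -Depth 3 -Filter 's' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $scripts = @(Get-ChildItem -LiteralPath $_.FullName -Filter '*.ps1' -ErrorAction SilentlyContinue)
        if ($scripts.Count -gt 0) { $findings += "hidden script dir: $($_.FullName) ($($scripts.Count) .ps1 files)" }
    }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'no PyBitmessage backdoor artifacts found'
}
```

Each check is independent, so a single hit (for example only the 8442 listener) is worth a look on its own; legitimate PyBitmessage installs will also trigger check 3, which is why the findings are surfaced for triage rather than acted on.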
 

