A Tattered Cloak of Invisibility: Measuring Anonymity Loss in Railgun on Ethereum
Pith reviewed 2026-06-25 20:12 UTC · model grok-4.3
The pith
Five heuristics link 17.65% of Railgun withdraw transactions to their deposits on Ethereum.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Our five heuristics are able to uniquely link 17.65% of Railgun withdraw transactions to deposit transactions. We also applied a knapsack solver algorithm that was able to produce a 3.42 bit median anonymity loss for withdraw transactions.
What carries the argument
Five heuristics based on timing patterns, address reuse, transaction graph proximity, amount fingerprints, and knapsack matches to link deposits and withdrawals.
If this is right
- Even cryptographically secure mixers lose anonymity due to observable user patterns.
- Unique linking is possible for 17.65% of transactions using these methods.
- Knapsack matching reveals a median 3.42 bit anonymity loss.
- Better understanding of practical privacy limits points toward safer usage practices and design principles for mixers.
Where Pith is reading between the lines
- Similar leakage patterns likely appear in other blockchain privacy tools beyond Railgun.
- Users could reduce their risk by randomizing amounts and timings more carefully.
- Future mixer designs might need to add noise or restrictions to counter these specific heuristics.
Load-bearing premise
The observed patterns in timing, address reuse, graph proximity, amount fingerprints, and knapsack matches indicate that a deposit and withdrawal belong to the same user rather than occurring independently.
What would settle it
A large number of false positive links when applying the heuristics to unrelated transactions or a statistical test showing that the observed matches occur at rates no higher than random chance.
Original abstract
From a user's perspective, perhaps the most significant difference between traditional banking services and widely used blockchain-based financial systems is that, in the latter, transactions and, either directly or indirectly, account balances and transaction histories are publicly observable. Therefore, a growing number of cryptographic solutions have been proposed to add a privacy layer to such systems. However, the privacy that users actually obtain does not depend solely on the security of the underlying cryptographic protocol: user behavior, transaction amount patterns, and timing decisions can substantially reduce anonymity. In this work, we study behavioral leakage in cryptocurrency mixers, focusing on Railgun on Ethereum. We aim to heuristically estimate the probability that a given deposit and withdrawal transaction belong to the same user. We consider five sources of leakage: characteristic timing patterns, address reuse, proximity in the transaction graph induced by prior public transactions, amount fingerprints that preserve distinctive digit patterns across transaction values, and knapsack type matches in which groups of transaction amounts add up in revealing ways. Our results show that even cryptographically strong privacy systems may suffer substantial anonymity loss due to user behavior and transaction patterns. Our five heuristics are able to uniquely link 17.65% of Railgun withdraw transactions to deposit transactions. We also applied a knapsack solver algorithm that was able to produce a 3.42 bit median anonymity loss for withdraw transactions. This work contributes to a better understanding of the practical privacy limits of mixers and anonymity pools, and points toward safer usage practices and design principles.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper empirically studies behavioral anonymity leakage in the Railgun privacy mixer on Ethereum. It develops five heuristics (timing patterns, address reuse, transaction-graph proximity, amount fingerprints, and knapsack matches) and reports that they uniquely link 17.65% of observed withdraw transactions to deposits while a knapsack solver produces a median anonymity loss of 3.42 bits.
Significance. If the measurements prove robust, the work would usefully quantify how user behavior and transaction patterns erode the anonymity of even cryptographically sound mixers, supplying concrete evidence that can guide safer usage practices and protocol design. The purely empirical, data-driven approach on live Ethereum transactions is a methodological strength.
major comments (2)
- [Abstract] Abstract: the headline results (17.65% unique links; 3.42-bit median loss) are stated without any description of the underlying dataset (number of Railgun transactions examined, observation window, data source or scraping method), heuristic definitions, or statistical validation. This is load-bearing because the central claim is that the observed patterns indicate same-user pairings rather than chance matches.
- [Methods / Results] Methods / Results sections (wherever the heuristics and knapsack solver are described): no false-positive controls, permutation tests, or baseline comparisons against shuffled pairings that preserve marginal distributions of amounts, times, and graph structure are reported. Without such controls the reported percentages cannot be distinguished from artifacts of the transaction corpus itself.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback highlighting the need for greater transparency in the abstract and stronger statistical controls in the methods. We address each major comment below and will revise the manuscript accordingly to improve clarity and rigor without altering the core empirical findings.
- Referee: [Abstract] Abstract: the headline results (17.65% unique links; 3.42-bit median loss) are stated without any description of the underlying dataset (number of Railgun transactions examined, observation window, data source or scraping method), heuristic definitions, or statistical validation. This is load-bearing because the central claim is that the observed patterns indicate same-user pairings rather than chance matches.
Authors: We agree that the abstract is too concise and should include key contextual details to support the headline claims. The full manuscript describes the heuristics and knapsack solver in the Methods section and reports results from Ethereum mainnet data, but the abstract omits the observation window, transaction counts, and data provenance. In revision we will expand the abstract to note the data source (public Ethereum blockchain records), the collection period, approximate scale of Railgun transactions examined, and brief heuristic characterizations, while retaining the length constraints of an abstract. We will also clarify that validation relies on uniqueness of matches under the defined heuristics. revision: yes
- Referee: [Methods / Results] Methods / Results sections (wherever the heuristics and knapsack solver are described): no false-positive controls, permutation tests, or baseline comparisons against shuffled pairings that preserve marginal distributions of amounts, times, and graph structure are reported. Without such controls the reported percentages cannot be distinguished from artifacts of the transaction corpus itself.
Authors: The referee correctly notes the absence of explicit false-positive controls. Our heuristics were constructed with conservative thresholds (e.g., requiring distinctive amount patterns or tight timing windows) intended to limit spurious matches, and the knapsack results are presented as median anonymity loss rather than definitive links. However, we did not perform permutation tests or shuffled baselines that preserve marginal distributions. We will add these in the revised Methods and Results sections by generating null models via shuffling and reporting the resulting baseline match rates to quantify how far the observed linkages exceed chance. revision: yes
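The shuffled-baseline control the referee asks for, together with the bit-valued anonymity loss from the abstract, can be sketched on toy data. This is an added example, not code from the paper or from Pith: the deposits and withdrawals are constructed, and the fingerprint rule (low-order six digits of the amount), the uniform-prior loss formula and the cyclic-rotation null model are assumptions made for illustration, since the page does not give the paper's definitions.

```python
from math import log2
from statistics import median

FP_MOD = 10**6  # assumption: fingerprint = low-order six digits of the amount

# Constructed (time, amount) pairs for illustration; not Railgun data.
DEPOSITS = [(10, 5_000_000), (20, 3_000_417), (30, 1_000_000), (40, 7_250_000),
            (50, 2_000_000), (60, 9_000_417), (70, 4_000_000), (80, 6_000_000)]
WITHDRAWALS = [(45, 1_000_417), (85, 250_000), (65, 2_000_000), (90, 8_000_417)]

def candidate_sets(withdrawal, deposits):
    """Return (prior, matched): earlier deposits, and those sharing the fingerprint."""
    t, amount = withdrawal
    prior = [d for d in deposits if d[0] < t]
    matched = [d for d in prior if d[1] % FP_MOD == amount % FP_MOD]
    return prior, matched

def loss_bits(withdrawal, deposits):
    """Anonymity loss under a uniform prior: log2(|prior| / |matched|)."""
    prior, matched = candidate_sets(withdrawal, deposits)
    if not matched:  # no match: the heuristic tells the observer nothing
        return 0.0
    return log2(len(prior) / len(matched))

def unique_link_rate(withdrawals, deposits):
    """Fraction of withdrawals matched to exactly one earlier deposit."""
    hits = sum(len(candidate_sets(w, deposits)[1]) == 1 for w in withdrawals)
    return hits / len(withdrawals)

def rotation_baseline(withdrawals, deposits):
    """Mean unique-link rate after re-pairing amounts with other withdrawal times.

    Each cyclic rotation keeps the marginal distributions of times and amounts
    but breaks the real pairing, so any remaining unique matches are chance.
    """
    times = [t for t, _ in withdrawals]
    amounts = [a for _, a in withdrawals]
    n = len(withdrawals)
    rates = []
    for k in range(1, n):
        re_paired = [(times[i], amounts[(i + k) % n]) for i in range(n)]
        rates.append(unique_link_rate(re_paired, deposits))
    return sum(rates) / len(rates)

if __name__ == "__main__":
    print("median loss (bits):", median(loss_bits(w, DEPOSITS) for w in WITHDRAWALS))
    print("observed unique-link rate:", unique_link_rate(WITHDRAWALS, DEPOSITS))
    print("rotation baseline rate:", rotation_baseline(WITHDRAWALS, DEPOSITS))
```

On this toy data two of four withdrawals are uniquely matched, yet re-paired amounts still produce unique matches a third of the time, which is the gap a baseline is meant to expose.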
Circularity Check
No circularity: purely empirical heuristic measurements on transaction data
The paper reports direct empirical counts (17.65% unique links via five heuristics) and a median (3.42 bits via knapsack solver) obtained by applying timing, reuse, graph, amount, and knapsack patterns to observed Railgun transactions. No equations, fitted parameters, self-definitional relations, or load-bearing self-citations appear in the provided text. Results are presented as measurements of the data corpus itself rather than derivations that reduce to inputs by construction. The absence of any mathematical chain or ansatz means the work is self-contained against external benchmarks and receives the default non-circularity finding.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: The five patterns (characteristic timing, address reuse, transaction graph proximity, amount fingerprints, knapsack matches) reliably indicate same-user deposit-withdrawal pairs.