[chii]

> move large amounts of money untraceable.

paradoxically, bitcoin is the worse at this, since addresses are completely public. Unless you, like satoshi, keep the coin in the address and never spend it, any conversion to value that you can spend, such as cash, is going to be tracible.

> Is it a legitimate want?

yes. Unless you can prove criminality, there's the assumption of innocence.

[cornholio]

> addresses are completely public.

Addresses in Bitcoin are pseudoanonymous. Many criminals have evaded prosecution for years (for example, the MtGox thieves) despite moving billions in the clear on the blockchain. You are feigning ignorance about the true nature of Bitcoin which is quite obviously designed to enable very strong privacy, as noted by even by its inventor in the original paper; let's not even discuss things like Monero and ZCash.

[ivancho]

MtGox thieves evaded prosecution because no one was doing tracing back then. Chainalysis got started specifically to link all their activity and is now a giant graph connecting all the "pseudonymous" addresses. And the thieves laundered most of their stolen coin through exchanges, not chain transactions, strange how they didn't want that very strong privacy. There's none of that left on Bitcoin, it's been indexed, clustered and mapped.

Obviously there are technologies which enable complete privacy - and like tumblers, any that prove popular will be shut down, there's just too many negative externalities.

[cornholio]

The state of bitcoin mixers was also very primitive back then, especially given this volume. Today, criminals can use things like the defunct ChipMixer, which distributes private keys funded in advance. So by definition there is nothing in the blockchain to follow, because the handover is done off chain.

The fact that ChipMixer was busted in an international law enforcement operation should indicate to you the nature of the beast. Just like in the case of SilkRoad, there are a myriad copy cats which are still online. It's a small piece of computer code anyone can run. So money laundry on bitcoin to a nearly untraceable level can be done by any service that can setup some kind of network connection and run a bit of computer code.

This is unprecedented in the history of finance and the main practical benefit of Bitcoin other than speculation.

[ivancho]

I disagree with pretty much every point here, wow. ChipMixer provided a little bit of disconnect, but there was a research paper a while back that ran something like 5 transfers through it and managed to identify their mixing transactions with 90% precision. Law enforcement is most likely constantly tracking those, similar to how the NSA runs some significant percentage of Tor entry/exit nodes. Second, recognize the enormous amount of trust required here - that the mixer will actually do proper randomization, that there will be a large number of participants, that they won't keep the logs, that they won't just up and leave with all the money. There's plenty of examples of somewhat established mixers that fail on some or all of these, and you're telling me that instead people will just send their money to be mixed by anyone that can setup a network connection and a bit of code?

[cornholio]

I'm going to need more context here on the ChipMixer claims. Let's say a tracked party deposits amount A in CM style mixer, and then receives private keys corresponding to amounts B, C, D, E, F, G, previously deposited in the blockchain, which happen to add up to A minus a random 0 to 4% mixing fee. You have full view of A and know that it's being deposited to CM with 100% confidence.

As long as nothing moves on the blockchain, and the trust requirement you mention is fulfilled, I hope you agree that, save from some bug in the implementation, you will have no idea what private keys were received by the original owner of A. It's logically impossible, since CM has already pre-deposited many more other funded private keys (in fact, the entire previous volume of their laundry) and by the definition you don't know which ones of those were disclosed to the client A. The number of combinations is a factorial of the number previous clients, the vast majority you won't know.

So the attack scenario has to be more convoluted than that, perhaps the client immediately consolidates his received keys into a single address, perhaps we assume the attacker has perfect information over all amounts A deposited, which is clearly not practical etc. But that's another discussion altogether that deals with breaking a certain implementation of finding a launderer with a certain behavior. Research papers always make bold claims to raise interest, and often deliver crypto style failures, that require "only" 2^64 attempts, so the system is "broken".

But the issue we debated above - address pseudoanonymity enabling untraceable off chain asset swaps - is already settled if you agree to the second paragraph.

[ivancho]

But we don't have to search for those keys in all of the deposits that CM ever made - only in the ones that stopped churning and mixing. Maybe they try to control the dynamics of their lots to be statistically indistinguishable from the withdrawals - but that requires a vastly larger pool of capital and continuous operational effort, and I have a hunch they do not in fact do that.

Furthermore, if you are a client, how long are you willing to keep your money in private keys that you know CM also has? Even if you don't mistrust them, you still need to worry about the exact scenario that happened - they get busted and all their private keys get seized. So chances are those amounts leave the CM network of addresses pretty quickly, even if they don't get added up in a single address. So now all that combinatorial explosion drops down to a pretty tractable k-NN classification problem.

I would advise against making strong statements like "logically impossible" about things that seem to require a lot of very narrow conditions like perfect actor behavior and strong stationarity in order to be true.