[cornholio]

The point is, if law enforcement needs for the launderer to mess up after the invisible off chain transfer, or for the mixer to betray them, you have already conceded that address pseudoanymity is a strong, sometimes unremovable layer of privacy. Forensics exist even for physical cash, you can trace banknote serial numbers, lift physical fingerprints or DNA etc. Yet, that doesn't mean it's a good idea to leave people cross borders with sacks of money, there is wide agreement in our society that cash offers a privacy that is very conducive to anti-social actions. Bitcoin privacy is much, much stronger than physical cash, and pushed to 11 for things like Monero or Zcash.

In the restricted scenario provided, it really is logically impossible to know the ownership transfer happened. Your attack requires knowing all inputs into the laundry, which you won't have in the general case, they'll look like any other transfers in the blockchain.

Even if a mixer is busted, I can be pretty sure they abide by their public claim to not keep any history older than a few hours after the mixing is complete, secret keys and all, because it's not in their interest for such evidence of crimes to exist.

[ivancho]

I have not conceded anything. Many crimes would be perfectly unsolvable if everyone did everything perfectly, and yet.. You are again using "logically impossible" while insisting on a very specific condition, "not knowing all inputs into the laundry", which is very much solvable to a high degree of certainty - CM mixes so hard that their addresses are all connected to each other - I just need to send them a single transfer, watch it tumble, then connect the dots, and then list all transactions leading into that giant hairball of connections. Just read the Justice Dept complaint against CM - it has an extensive inventory of specific customers and crime proceeds, using "Company A [..] tracking approximately 118,500 bitcoin addresses associated with ChipMixer". Now how would they do that if it was so logically impossible?

And why would having a private key to an output address that no one else has touched be an evidence to a crime? They probably only delete them after the user has transferred the funds out, if they even bother.

I don't know why you are so bought into Bitcoin privacy specifically, but it holds as much water as the privacy statements in the App Store - anyone with sufficient motivation and data analysis skills can poke right through it. Monero is likely stronger, but if it can't be cracked, then as soon as it becomes big enough it will get blocked.

[cornholio]

Ah, I see, the real ChipMixer had a major flaw. I had no idea how the entire system operated, I used it just as an example to illustrate off-chain custody handovers. My "logically impossible" scenario was that the mixer has an array of addresses on the chain funded by previous customers, and when a new customer comes in it just runs a knapsack on that set and assigns them a subset of keys. Perhaps add a single layer of coinjoins to dilute each "really bad" incoming transaction, so clients won't directly get the bitcoins laundered by kidnappers and it's transparent to the whoever is doing the tracking that the coins have been laundered.

> why would having a private key to an output address that no one else has touched be an evidence to a crime?

An address is a hash over an ECDSA public key and a public key is a computational derivation of the random private key. If you have the private key, you can derive the associated address which is publicly connected on the blockchain to known proceeds of crime that have been laundered. That they were spent or not (by an another customer than the criminal) is irrelevant, it proves that you handled them.