Bitcoin Wiki - User contributions [en]

MultiBit

2020-08-24T07:33:29Z

Cryptal: 💀 Multibit ☠

[[Image:MultiBit_0.4.23_screenshot_WinXP.png|right|800px|screenshot of Multibit with its Windows XP GUI and Metal theme]]
[http://multibit.org MultiBit] was a lightweight "[[Thin Client Security|thin client]]" Bitcoin wallet for Windows, MacOS and Linux based on [[BitCoinJ|bitcoinj]]. It was superseded by MultiBit HD, and the development of both stopped in 2017<ref name="acquisition">[https://www.coindesk.com/bitcoin-startup-keepkey-ends-support-multibit-wallet-software The long-running bitcoin wallet Multibit is being discontinued, the firm that bought it last year has announced]</ref> after the acquisition by ''KeepKey'', which was then bought by ''Shapeshift''.

Its main advantages over the [[Bitcoin-Qt#Criticism|original Bitcoin client]] included support for opening multiple wallets simultaneously, and not requiring the download of the entire multi-gigabyte [[block chain]] (22.5GB as of October 2014<ref>[https://blockchain.info/charts/blocks-size Bitcoin Blockchain Size]</ref>). The project was lead by UK developer Jim Burton.<ref>[http://www.youtube.com/watch?v=MnkssdmlaWw European Bitcoin Conference 2012 - Jim Burton - Multibit]</ref>

==Features==
* Multiple wallets can be open at the same time
* Synchronizes with the network in minutes
* Shows the last BTC <--> USD rate from [[VirtEx]] and other exchanges
* Import and export your private keys
* Chart of your balance over the last 30 days
* Free and open source (MIT license)
* Localized in a variety of languages

==History==
MultiBit was announced on September 12, 2011.<ref>[http://bitcointalk.org/index.php?topic=43616.0 MultiBit]</ref> Later, Multibit HD was developed, and the original MultiBit was renamed ''Multibit Classic''. On July 26, 2017, development was stopped without advance notice, due to the amount of work needed to fix bugs and keep up with Bitcoin developments.<ref name="acquisition" />

==See Also==
* [[Thin Client Security]]

==External Links==
* Abandoned [https://github.com/jim618/multibit GitHub repo]
* [https://groups.google.com/forum/?fromgroups=#!forum/bitcoin-multibit Google Group] abandoned since 2015

==References==
<references />

[[Category:Clients]]
[[Category:Open Source]]

CoinSwap

2020-08-19T08:01:53Z

Cryptal: Add HRF funding

'''CoinSwap''' is a non-custodial privacy technique for bitcoin based on the idea of [[atomic swap]]s. If Alice and Bob want to do a coinswap; then it can be understood as Alice exchanging her bitcoin for the same amount (minus [[miner fees|fees]]) of Bob's bitcoins, but done with [[Contracts|bitcoin smart contracts]] to eliminate the possibility of cheating by either side. The closely-related idea of [[atomic swap]]s has the important property of ''atomicity'', where an exchange of blockchain tokens either happens or not at all, there is no possibility of one side cheating the other.

CoinSwaps break the transaction graph between the sent and received bitcoins. On the [[block chain]] it looks like two sets of completely disconnected transactions:

Alice's Address ---> 2of2 multisig escrow address 1 ---> Bob's Address
Bob's Address ---> 2of2 multisig escrow address 2 ---> Alice's Address

Obviously Alice and Bob generate new [[address]]es each to avoid the privacy loss due to [[address reuse]].

In this example the only distinguishing mark of CoinSwap transactions is that they involve a 2-of-2 [[multisignature]] address. As 2-of-3 multisig is far more common as of 2018, CoinSwaps could be done with a 2-of-3 multisig using one fake public key, so it is really a 2-of-2 multisig between Alice and Bob. With [[script]] techniques like ECDSA-2P or [[Schnorr]] signatures it would become possible to have coinswaps that are completely indistinguishable from any other transaction on the blockchain. CoinSwap could be said to allow bitcoins to teleport undetectably to anywhere else on the blockchain. Non-CoinSwap transactions would benefit because a blockchain analyst could never be sure that ordinary transactions are not actually CoinSwaps. They also do not require much block space compared to the amount of privacy they provide.

CoinSwaps require a lot of interaction between the involved parties, which can make this kind of system tricky to design while avoiding denial-of-service. They also have a liveness requirement and non-censorship requirement, meaning that the entities taking part must always be able to freely access the bitcoin network; If the internet was down for days or weeks then half-completed CoinSwaps could end with one side having their money stolen<ref>https://joinmarket.me/blog/blog/the-half-scriptless-swap/</ref>.

== History ==

CoinSwap was first proposed by Greg Maxwell in October 2013.<ref>[https://bitcointalk.org/index.php?topic=321228.0 CoinSwap: Transaction graph disjoint trustless trading]</ref>. As of May 2020, no CoinSwap implementation has been deployed<ref>[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-May/017898.html Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility]</ref><ref>[https://gist.github.com/chris-belcher/9144bd57a91c194e332fb5ca371d0964 Coinswap design document]</ref>, but in June 2020, the [https://en.wikipedia.org/wiki/Human_Rights_Foundation Human Rights Foundation] (a New York-based nonprofit that promotes and protects human rights globally) granted $50,000 to [https://en.bitcoin.it/wiki/User:Belcher Chris Belcher] (one of the main contributors to the [[Privacy]] page) to work on the project.<ref>[https://bitcoinmagazine.com/articles/the-human-rights-foundation-is-now-funding-bitcoin-privacy-development-starting-with-coinswap The Human Rights Foundation Is Now Funding Bitcoin Privacy Development, Starting With CoinSwap]</ref>

== External links ==
* [https://gist.github.com/chris-belcher/9144bd57a91c194e332fb5ca371d0964 CoinSwap implementation design document] by Chris Belcher, May 2020
* [https://joinmarket.me/blog/blog/coinswaps/ Technical explanation], July 2017
* [https://github.com/AdamISZ/CoinSwapCS Implementation in Python], abandoned since 2017

== See also ==

* [[Privacy]]
* [[Atomic swap]]
* [[Hash Time Locked Contracts]]
* [[CoinJoin]]

==References==
<references />

[[Category:Privacy]]

Privacy

2020-08-19T07:55:29Z

Cryptal: /* CoinSwap */ HRF Coinswap grant

While Bitcoin can support strong '''privacy''', many ways of using it are usually not very private. With proper understanding of the technology, bitcoin can indeed be used in a very private and anonymous way.

As of 2019 most casual enthusiasts of bitcoin believe it is perfectly traceable; this is completely false. Around 2011 most casual enthusiasts believed it is totally private; which is also false. There is some nuance - in certain situations bitcoin can be very private. But it is not simple to understand, and it takes some time and reading.

This article was written in February 2019. A good way to read the article is to [[#Examples and case studies|skip to the examples]] and then come back to read the core concepts.

=== Summary ===

To save you reading the rest of the article, here is a quick summary of how normal bitcoin users can improve their privacy:

* Think about what you're hiding from, what is your threat model and what is your adversary. Note that [[transaction surveillance company|transaction surveillance companies]] exist which do large-scale surveillance of the bitcoin ecosystem.
* Do not [[Address reuse|reuse addresses]]. Addresses should be shown to one entity to receive money, and never used again after the money is spent from them.
* Try to reveal as little information as possible about yourself when transacting, for example avoid AML/KYC checks and be careful when giving your real life mail address.
* Use a wallet backed by your own [[full node]] or [[client-side block filtering]], definitely not a web wallet.
* Broadcast on-chain transactions over [[Tor]], if your wallet doesn't support it then copy-paste the transaction hex data into a web broadcasting form over Tor browser.
* Use [[Lightning Network]] as much as possible.
* If lightning is unavailable, use a wallet which correctly implements [[CoinJoin]].
* Try to avoid creating change addresses, for example when funding a lightning channel spend an entire [[UTXO]] into it without any change (assuming the amount is not too large to be safe).
* If [[#Digital forensics|digital forensics]] are a concern then use a solution like [https://tails.boum.org/ Tails Operating System].

See also [[#Examples_and_case_studies|the privacy examples]] for real-life case-studies.

== Introduction ==

Users interact with bitcoin through [[software]] which may leak information about them in various ways that damages their anonymity.

Bitcoin records [[transactions]] on the [[block chain]] which is visible to all and so create the most serious damage to privacy. Bitcoins move between [[address]]es; sender [[address]]es are known, receiver [[address]]es are known, amounts are known. Only the identity of each [[address]] is not known (see first image).

The linkages between addresses made by transactions is often called the transaction graph. Alone, this information can't identify anyone because the addresses and transaction IDs are just random numbers. However, if ''any'' of the addresses in a transaction's past or future can be tied to an actual identity, it might be possible to work from that point and deduce who may own all of the other addresses. This identifying of an address might come from network analysis, surveillance, searching the web, or a variety of other methods. The encouraged practice of [[Address reuse|using a new address for every transaction]] is intended to make this attack more difficult.

[[File:Unknownaddress.png|thumb|The flow of Bitcoins is highly public.]]

=== Example - Adversary controls source and destination of coins ===

The second image shows a simple example. An adversary runs both a money exchanger and a honeypot website meant to trap people. If someone uses their exchanger to buy bitcoins and then transacts the coins to the trap website, the block chain would show:

[[File:knownaddress.png|thumb|Finding an identity of one address allows you to attack the anonymity of the transactions.]]

* Transaction of coins on address A to address B. Authorized by <signature of address A>.
* Transaction of coins on address B to address C. Authorized by <signature of address B>.

Say that the adversary knows that Mr. Doe's bank account sent the government currency which were used to buy the coins, which were then transferred to address B. The adversary also knows the trap website received coins on address C that were spent from address B. Together this is a '''very strong indication''' that address B is owned by Mr. Doe and that he sent money to the trap website. This assumption is not always correct because address B may have been an address held on behalf of Mr. Doe by a third party and the transaction to C may have been unrelated, or the two transactions may actually involve a smart contract (See [[Off-Chain Transactions]]) which effectively teleports the coins off-chain to a completely different address somewhere on the blockchain.

=== Example - Non-anonymous Chinese newspaper buying ===

In this example the adversary controls the destination and finds the source from metadata.

# You live in China and want to buy a "real" online newspaper for Bitcoins.
# You join the Bitcoin forum and use your address as a signature. Since you are very helpful, you manage to get a modest sum as donations after a few months.
# Unfortunately, you choose poorly in who you buy the newspaper from: you've chosen a government agent!
# The government agent looks at the [[transaction]] used to purchase the newspaper on the [[block chain]], and searches the web every relevant address in it. He finds your address in your signature on the Bitcoin forum. You've left enough personal information in your posts to be identified, so you are now scheduled to be "reeducated".
# A major reason this happened is because of [[address reuse]]. Your forum signature had a single bitcoin address that never changed, and so it was easy to find by searching the web.

You need to protect yourself from both forward attacks (getting something that identifies you using coins that you got with methods that must remain secret, like the scammer example) and reverse attacks (getting something that must remain secret using coins that identify you, like the newspaper example).

=== Example - A perfectly private donation ===

On the other hand, here is an example of somebody using bitcoin to make a donation that is completely anonymous.

# The aim is to donate to some organization that accepts bitcoin.
# You run a [[Bitcoin Core]] wallet entirely through [[Tor]].
# Download some extra few hundred gigabytes of data over [[Tor]] so that the total download bandwidth isn't exactly blockchain-sized.
# [[Pool vs. solo mining|Solo-mine]] a block, and have the newly-mined coins sent to your wallet.
# Send the entire balance to a donation address of that organization.
# Finally you destroy the computer hardware used.

As your [[full node]] wallet runs entirely over [[Tor]], your IP address is very well hidden. [[Tor]] also hides the fact that you're using bitcoin at all. As the coins were obtained by [[mining]] they are entirely unlinked from any other information about you. Since the transaction is a donation, there are no goods or services being sent to you, so you don't have to reveal any delivery mail address. As the entire balance is sent, there is no [[change|change address]] going back that could later leak information. Since the hardware is destroyed there is no record remaining on any discarded hard drives that can later be found. The only way I can think of to attack this scheme is to be a [https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting global adversary] that can exploit the known weaknessness of Tor.

=== Multiple interpretations of a blockchain transaction ===

Bitcoin [[transaction]]s are made up of inputs and outputs, of which there can be one or more. Previously-created outputs can be used as inputs for later transactions. Such outputs are destroyed when spent and new unspent outputs are usually created to replace them.

Consider this example transaction:

1 btc ----> 1 btc
3 btc 3 btc

This transaction has two inputs, worth 1 btc and 3 btc, and creates two outputs also worth 1 btc and 3 btc.

If you were to look at this on the blockchain, what would you assume is the meaning of this transaction? (for example, we usually assume a bitcoin transaction is a payment but it doesn't have to be).

There are ''at least nine''' possible<ref>Bitcoin Milan Meetup 46 - Talk by Adam Gibson https://www.youtube.com/watch?v=IKSSWUBqMCM&t=2448</ref> interpretations:

# [https://en.wikipedia.org/wiki/Alice_and_Bob Alice] provides both inputs and pays 3 btc to [https://en.wikipedia.org/wiki/Alice_and_Bob Bob]. Alice owns the 1 btc output (i.e. it is a [[change]] output).
# Alice provides both inputs and pays 1 btc to Bob, with 3 btc paid back to Alice as the change.
# Alice provides 1 btc input and Bob provides 3 btc input, Alice gets 1 btc output and Bob gets 3 btc output. This is a kind of [[CoinJoin]] transaction.
# Alice pays 2 btc to Bob. Alice provides 3 btc input, gets the 1 btc output; Bob provides 1 btc input and gets 3 btc. This would be a [[PayJoin]] transaction type.
# Alice pays 4 btc to Bob (but using two outputs for some reason).
# Fake transaction - Alice owns all inputs and outputs, and is simply moving coins between her own [[address]]es.
# Alice pays Bob 3 btc and Carol 1 btc. This is a [[Techniques_to_reduce_transaction_fees#Change_avoidance|batched payment with no change address]].
# Alice pays 3, Bob pays 1; Carol gets 3 btc and David gets 1 btc. This is some kind of [[CoinJoin]]ed [[Techniques_to_reduce_transaction_fees#Change_avoidance|batched payment with no change address]].
# Alice and Bob pay 4 btc to Carol (but using two outputs).

Many interpretations are possible just from such a simple transaction. Therefore it's completely false to say that bitcoin [[transaction]]s are always perfectly traceable, the reality is much more complicated.

Privacy-relevant adversaries who analyze the blockchain usually rely on ''heuristics'' (or ''idioms of use'') where certain assumptions are made about what is plausible. The analyst would then ignore or exclude some of these possibilities. But those are only assumptions which can be wrong. Someone who wants better privacy they can intentionally break those assumptions which will completely fool an analyst.

Units of the bitcoin currency are not watermarked within a transaction (in other words they don't have little serial numbers). For example the 1 btc input in that transaction may end up in the 1 btc output or part of the 3 btc output, or a mixture of both. Transactions are many-to-many mappings, so in a very important sense it's impossible to answer the question of where the 1 btc ended up. This fungibility of bitcoin within one transaction is an important reason for the different possibility interpretations of the above transaction.

=== Threat model ===

When considering privacy you need to think about exactly who you're hiding from. You must examine how a hypothetical adversary could spy on you, what kind of information is most important to you and which technology you need to use to protect your privacy. The kind of behaviour needed to protect your privacy therefore depends on your threat model.

Newcomers to privacy often think that they can simply download some software and all their privacy concerns will be solved. This is not so. Privacy requires a change in behaviour, however slight. For example, imagine if you had a perfectly private internet where who you're communicating with and what you say are completely private. You could still use this to communicate with a social media website to write your real name, upload a selfie and talk about what you're doing right now. Anybody on the internet could view that information so your privacy would be ruined even though you were using perfectly private technology.

For details read the talk [https://www.slideshare.net/grugq/opsec-for-hackers Opsec for Hackers by grugq]. The talk is aimed mostly at political activists who need privacy from governments, but much the advice generally applies to all of us.

Much of the time plausible deniability is not good enough because lots of spying methods only need to work on a statistical level (e.g. targeted advertising).

=== Method of data fusion ===

[[File:Privacy-data-fusion-intersection-diagram.png|200px|thumb|right|Data fusion diagram showing how two different privacy leaks can damage privacy far more in combination.]]

Multiple privacy leaks when combined together can be far more damaging to privacy than any single leak. Imagine if a receiver of a [[transaction]] is trying to deanonymize the sender. Each privacy leak would eliminate many candidates for who the sender is, two different privacy leaks would eliminate ''different'' candidates leaving far fewer candidates remaining. See the diagram for a diagram of this.

[[File:Privacy-data-fusion-newspaper-buying-diagram.png|200px|thumb|right|Data fusion diagram example with newspaper buyer.]]

This is why even leaks of a small amount of information should be avoided, as they can often completely ruin privacy when combined with other leaks. Going back to the example of the non-anonymous Chinese newspaper buyer, who was deanonymized because of a combination of visible transaction information and his forum signature donation address. There are many many transactions on the blockchain which on their own don't reveal anything about the transactor's identity or spending habits. There are many donation addresses placed in forum signatures which also don't reveal much about the owners identity or spending habits, because they are just random cryptographic information. But together the two privacy leaks resulted in a trip to the reeducation camp. The method of data fusion is very important when understanding privacy in bitcoin (and other situations).

=== Why privacy ===

Financial privacy is an essential element to fungibility in Bitcoin: if you can meaningfully distinguish one coin from another, then their fungibility is weak. If our fungibility is too weak in practice, then we cannot be decentralized: if someone important announces a list of stolen coins they won't accept coins derived from, you must carefully check coins you accept against that list and return the ones that fail. Everyone gets stuck checking blacklists issued by various authorities because in that world we'd all not like to get stuck with bad coins. This adds friction and transactional costs and makes Bitcoin less valuable as a money.

Financial privacy is an essential criteria for the efficient operation of a free market: if you run a business, you cannot effectively set prices if your suppliers and customers can see all your transactions against your will. You cannot compete effectively if your competition is tracking your sales. Individually your informational leverage is lost in your private dealings if you don't have privacy over your accounts: if you pay your landlord in Bitcoin without enough privacy in place, your landlord will see when you've received a pay raise and can hit you up for more rent.

Financial privacy is essential for personal safety: if thieves can see your spending, income, and holdings, they can use that information to target and exploit you. Without privacy malicious parties have more ability to steal your identity, snatch your large purchases off your doorstep, or impersonate businesses you transact with towards you... they can tell exactly how much to try to scam you for.

Financial privacy is essential for human dignity: no one wants the snotty barista at the coffee shop or their nosy neighbors commenting on their income or spending habits. No one wants their baby-crazy in-laws asking why they're buying contraception (or sex toys). Your employer has no business knowing what church you donate to. Only in a perfectly enlightened discrimination free world where no one has undue authority over anyone else could we retain our dignity and make our lawful transactions freely without self-censorship if we don't have privacy.

Most importantly, financial privacy isn't incompatible with things like law enforcement or transparency. You can always keep records, be ordered (or volunteer) to provide them to whomever, have judges hold against your interest when you can't produce records (as is the case today). None of this requires _globally_ visible public records.

Globally visible public records in finance are completely unheard-of. They are undesirable and arguably intolerable. The Bitcoin whitepaper made a promise of how we could get around the visibility of the ledger with pseudonymous addresses, but the ecosystem has broken that promise in a bunch of places and we ought to fix it. Bitcoin could have coded your name or IP address into every transaction. It didn't. The whitepaper even has a section on privacy. It's incorrect to say that Bitcoin isn't focused on privacy. Sufficient privacy is an essential prerequisite for a viable digital currency<ref>https://bitcointalk.org/index.php?topic=334316.msg3588908#msg3588908</ref>.

== Blockchain attacks on privacy ==

Bitcoin uses a [[block chain]]. Users can [[Full node|download and verify the blockchain]] to check that all the rules of bitcoin were followed throughout its history. For example, users can check that nobody printed infinite bitcoins and that every coin was only spent with a [[OP_CHECKSIG|valid signature]] created by its [[private key]]. This is what leads to [[Bitcoin as a medium of exchange|bitcoin's unique value proposition]] as a form of electronic cash which requires [[Principles of Bitcoin#Low_trust|only small amounts of trust]]. But the same blockchain structure leads to privacy problems because every [[transaction]] must be available for all to see, forever. This section discusses known methods an adversary may use for analyzing the public blockchain.

Bitcoin uses a [[Coin analogy|UTXO model]]. [[Transaction]]s have inputs and outputs, they can have one or more of each. Previous outputs can be used as inputs for later transactions. An output which hasn't been spent yet is called an unspent transaction output (UTXO). UXTOs are often called [[Coin analogy|"coins"]]. UTXOs are associated with a bitcoin [[address]] and can be spent by creating a valid signature corresponding to the scriptPubKey of the address.

[[Address|Addresses]] are cryptographic information, essentially random numbers. On their own they do not reveal much about the real owner of any bitcoins on them. Usually an adversary will try to link together multiple addresses which they believe belong to the same wallet. Such address collections are called "clusters", "closures" or "wallet clusters", and the activity of creating them is called "wallet clustering". Once the clusters are obtained the adversary can try to link them real-world identities of entities it wants to spy on. For example, it may find wallet cluster A belonging to Alice and another wallet cluster B belonging to Bob. If a bitcoin [[transaction]] is seen paying from cluster A to cluster B then the adversary knows that Alice has sent coins to Bob.

It can be very difficult to fine-tune heuristics for wallet clustering that lead to obtaining actually correct information<ref>Neudecker, Till & Hartenstein, Hannes. (2018). Network Layer Aspects of Permissionless Blockchains. IEEE Communications Surveys & Tutorials. PP. 1-1. 10.1109/COMST.2018.2852480.</ref>.

=== [[Common-input-ownership heuristic]] ===

This is a heuristic or assumption which says that if a transaction has more than one input then all those inputs are owned by the same entity.

For example, consider this transaction with inputs A, B and C; and outputs X and Y.

A (1 btc) --> X (4 btc)
B (2 btc) Y (2 btc)
C (3 btc)

This [[transaction]] would be an indication that [[address]]es B and C are owned by the same person who owns [[address]] A.

One of the purposes of [[CoinJoin]] is to break this heuristic. Nonetheless this heuristic is very commonly true and it is widely used by [[transaction surveillance company|transaction surveillance companies]] and other adversaries as of 2019. The heuristic is usually combined with [[address reuse]] reasoning, which along with the somewhat-centralized bitcoin economy as of 2018 is why this heuristic can be unreasonably effective<ref>Harrigan, Martin & Fretter, Christoph. (2016). The Unreasonable Effectiveness of Address Clustering.</ref>. The heuristic's success also depends on the wallet behaviour: for example, if a wallet usually receives small amounts and sends large amounts then it will create many multi-input transactions.

=== [[Change]] address detection ===

Many bitcoin [[transaction]]s have [[Change|change outputs]]. It would be a serious privacy leak if the change address can be somehow found, as it would link the ownership of the (now spent) inputs with a new output. Change outputs can be very effective when combined with other privacy leaks like the [[common-input-ownership heuristic]] or [[address reuse]]. Change address detection allows the adversary to cluster together newly created address, which the [[common-input-ownership heuristic]] and [[address reuse]] allows past addresses to be clustered.

Change addresses lead to a common usage pattern called the '''peeling chain'''. It is seen after a large transactions from exchanges, marketplaces, mining pools and salary payments. In a peeling chain, a single address begins with a relatively large amount of bitcoins. A smaller amount is then peeled off this larger amount, creating a transaction in which a small amount is transferred to one address, and the remainder is transferred to a one-time [[change]] address. This process is repeated - potentially for hundreds or thousands of hops - until the larger amount is pared down, at which point (in one usage) the amount remaining in the address might be aggregated with other such addresses to again yield a large amount in a single address, and the peeling process begins again<ref>Sarah Meiklejohn, Marjori Pomarole, Grant Jordan, Kirill Levchenko, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage. 2013. A fistful of bitcoins: characterizing payments among men with no names. In Proceedings of the 2013 conference on Internet measurement conference (IMC '13). ACM, New York, NY, USA, 127-140. DOI: https://doi.org/10.1145/2504730.2504747 https://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf</ref>.

Now are listed possible ways to infer which of the outputs of a transaction is the [[change]] output:

==== Address reuse ====

If an output address has been [[Address reuse|reused]] it is very likely to be a payment output, not a change output. This is because change addresses are created automatically by wallet software but payment addresses are manually sent between humans. The [[address reuse]] would happen because the human user reused an address out of ignorance or apathy. This heuristic is probably the most accurate, as it is very hard to imagine how false positives would arise (except by intentional design of wallets). This heuristic is also called the "shadow heuristic".

Some very old software (from the 2010-2011 era which did not have [[Deterministic wallet]]s) did not use a new address change but sent the change back to the input address. This reveals the change address exactly.

Avoiding [[address reuse]] is an obvious remedy. Another idea is that those wallets could automatically detect when a payment address has been used before (perhaps by asking the user) and then use a reused address as their change address; so both outputs would be reused addresses.

Also, most reused addresses are mentioned on the internet, forums, social networks like Facebook, Reddit, Stackoverflow...etc. These addresses you can find and check on https://checkbitcoinaddress.com/ site. It's like a little bit de-anonymization of pseudo-anonymized blockchain.

==== Wallet fingerprinting ====

A careful analyst sometimes deduce which software created a certain [[transaction]], because the many different wallet softwares don't always create transactions in exactly the same way. Wallet fingerprinting can be used to detect change outputs because a change output is the one spent with the same wallet fingerprint.

As an example, consider five typical transactions that consume one input each and produce two outputs. A, B, C, D, E refer to transactions. A1, A2, etc refer to output addresses of those transactions

--> C1
A1 --> B2 --> C2
--> B2 --> D1
--> D2 --> E1
--> E2

If wallet fingerprinting finds that transactions A, B, D and E are created by the same wallet software, and the other transactions are created by other software, then the change addresses become obvious. The same transactions with non-matching addresses replaced by X is shown. The peel chain is visible, it's clear that B2, D2, E1 are change addresses which belong to the same wallet as A1.

--> X
A1 --> X --> X
--> B2 --> X
--> D2 --> E1
--> X

There are a number of ways to get evidence used for identifying wallet software:

* Address formats. Wallets generally only use one address type. If a transaction has all inputs and one output of the same address type (e.g. p2pkh), with the remaining output of a different type (p2sh), then a reasonable assumption is that the same-address-format output (p2pkh) is change and the different-address-format output (p2sh) is the payment which belongs to someone else.

* [[Script]] types. Each wallet generally uses only one [[script]]. For example, the sending wallet may be a [[P2SH]] 2-of-3 [[multisignature]] wallet, which makes a transaction to two outputs: one 2-of-3 multisignature address and the other 2-of-2 multisignature address. The different [[script]] is a strong indication that the output is payment and the other output is change.

* [[BIP_0069|BIP69]] Lexicographical Indexing of Transaction Inputs and Outputs. This BIP describes a standard way for wallets to order their inputs and outputs for privacy. Right now the wallet ecosystem has a mixture of wallets which do and don't implement the standard, which helps with fingerprinting. Note that the common one-input-two-output [[transaction]] with random ordering will follow BIP69 just by chance 50% of the time.

* Number of inputs and outputs. Different users often construct [[transaction]]s differently. For example, individuals often make [[transaction]] with just two outputs; a payment and change, while high-volume institutions like casinos or exchanges use [[Techniques_to_reduce_transaction_fees#Consolidation|consolidation]] and [[Techniques_to_reduce_transaction_fees#Payment_batching|batching]]<ref>Bitcoin Privacy: Theory and Practice - Jonas Nick (Blockstream) - Zürich, March 2016 https://www.youtube.com/watch?v=HScK4pkDNds</ref><ref>Nick, Jonas David. “Data-Driven De-Anonymization in Bitcoin.” (2015).</ref>. An output that is later use to create a batching transaction was probably not the change. This heuristic is also called the "consumer heuristic".

* Transaction fields. Values in the [[transaction]] format which may vary depending on the wallet software: [[nLockTime]] is a field in transactions set by some wallets to make [[fee sniping]] less profitable. A mixture of wallets in the ecosystem do and don't implement this feature. nLockTime can also be used as in certain privacy protocols like [[CoinSwap]]. [[Transaction#General_format_.28inside_a_block.29_of_each_input_of_a_transaction_-_Txin|nSequence]] is another example. Also the version number.

* Low-R value signatures. The DER format used to encode Bitcoin signatures requires adding an entire extra byte to a signature just to indicate when the signature’s R value is on the top-half of the elliptical curve used for Bitcoin. The R value is randomly derived, so half of all signatures have this extra byte. As of July 2018<ref>https://github.com/bitcoin/bitcoin/pull/13666</ref>[[Bitcoin Core]] only generates signatures with a low-R value that don't require this extra byte. By doing so, Bitcoin Core transactions will save one byte per every two signatures (on average). As of 2019 no other wallet does this, so a high-R signature is evidence that [[Bitcoin Core]] is not being used<ref>https://bitcoinops.org/en/newsletters/2018/08/14/</ref>.

* Uncompressed and compressed public keys. Older wallet software uses uncompressed public keys<ref>https://bitcoin.stackexchange.com/questions/3059/what-is-a-compressed-bitcoin-key</ref>. A mixture of compressed and uncompressed keys can be used for fingerprinting.

* Miner fees. Various wallet softwares may respond to block space pressure in different ways which could lead to different kinds of miner fees being paid. This might also be a way of fingerprinting wallets.

* Coin Selection. Various wallet softwares may choose which UTXOs to spend using different algorithms that could be used for fingerprinting.

If multiple users are using the same wallet software, then wallet fingerprinting cannot detect the change address. It is also possible that a single user owns two different wallets which use different software (for example a hot wallet and cold wallet) and then transactions between different softwares would not indicate a change of ownership. Wallet fingerprinting on its own is never decisive evidence, but as with all other privacy leaks it works best with data fusion when multiple privacy leaks are combined.

==== Round numbers ====

Many payment amounts are round numbers, for example 1 BTC or 0.1 BTC. The leftover change amount would then be a non-round number (e.g. 1.78213974 BTC). This potentially useful for finding the change address. The amount may be a round number in another currency. The amount 2.24159873 BTC isn't round in bitcoin but when converted to USD it may be close to $100.

==== [[Fee bumping]] ====

[[BIP 0125]] defines a mechanism for replacing an unconfirmed [[transaction]] with another transaction that pays a higher fee. In the context of the [[Miner_fees#The_market_for_block_space|market for block space]], a user may find their transaction isn't confirming fast enough so they opt to [[Fee bumping|"fee bump"]] or pay a higher miner fee. However generally the new higher miner fee will happen by reducing the change amount. So if an adversary is observing all unconfirmed transactions they could see both the earlier low-fee transaction and later high-fee transaction, and the output with the reduced amount would be the change output.

This could be mitigated by some of the time reducing the amount of both outputs, or reducing only the payment amount (in a receiver-pays-for-fee model).

==== Unnecessary input heuristic ====

Also called the "optimal change heuristic". Consider this bitcoin transaction. It has two inputs worth 2 BTC and 3 BTC and two outputs worth 4 BTC and 1 BTC.

2 btc --> 4 btc
3 btc 1 btc

Assuming one of the outputs is [[change]] and the other output is the payment. There are two interpretations: the payment output is either the 4 BTC output or the 1 BTC output. But if the 1 BTC output is the payment amount then the 3 BTC input is unnecessary, as the wallet could have spent only the 2 BTC input and paid lower [[miner fees]] for doing so. This is an indication that the real payment output is 4 BTC and that 1 BTC is the change output.

This is an issue for transactions which have more than one input. One way to fix this leak is to add more inputs until the change output is higher than any input, for example:

2 btc --> 4 btc
3 btc 6 btc
5 btc

Now both interpretations imply that some inputs are unnecessary. Unfortunately this costs more in miner fees and can only be done if the wallet actually owns other UTXOs.

Some wallets have a coin selection algorithm which violates this heuristic. An example might be because the wallets want to [[Techniques_to_reduce_transaction_fees#Consolidation|consolidate inputs]] in times of cheap miner fees. So this heuristic is not decisive evidence.

==== Sending to a different script type ====

Sending funds to a different script type than the one you're spending from makes it easier to tell which output is the change.

For example, for a transaction with 1 input spending a p2pkh coin and creating 2 outputs, one of p2pkh and one of p2sh, it is very likely that the p2pkh output is the change while the p2sh one is the payment.

This is also possible if the inputs are of mixed types (created by wallets supporting multiple script types for backwards compatibility).
If one of the output script types is known to be used by the wallet (because the same script type is spent by at least one of the inputs) while the other is not, the other one is likely to be the payment.

This has the most effect on early adopters of new wallet technology, like p2sh or segwit.
The more rare it is to pay to people using the same script type as you do, the more you leak the identity of your change output.
This will improve over time as the new technology gains wider adoption.

==== Wallet bugs ====

Some wallet software handles change in a very un-private way. For example certain old wallets would always put the change output in last place in the transaction. An old version of [[Bitcoin Core]] would add input UTXOs to the transaction until the change amount was around 0.1 BTC, so an amount of slightly over 0.1 BTC would always be change.

==== Equal-output [[CoinJoin]]====

Equal-output-[[CoinJoin]] transactions trivially reveal the change address because it is the outputs which are not equal-valued. For example consider this equal-output-coinjoin:

A (1btc)
X (5btc) ---> B (1btc)
Y (3btc) C (4btc)
D (2btc)

There is a very strong indication that output D is change belongs to the owner of input Y, while output C is change belonging to input X. However, [[CoinJoin]] breaks the [[common-input-ownership heuristic]] and effectively hides the ownership of payment outputs (A and B), so the tradeoffs are still heavily in favour of using coinjoin.

==== Cluster growth ====

Wallet clusters created by using the [[common-input-ownership heuristic]] usually grow (in number of addresses) slowly and incrementally<ref>Harrigan, Martin & Fretter, Christoph. (2016). The Unreasonable Effectiveness of Address Clustering.</ref>. Two large clusters merging is rare and may indicate that the heuristics are flawed. So another way to deduce the change address is to find which output causes the clusters to grow only slowly. The exact value for "how slowly" a cluster is allowed to grow is an open question.

=== Transaction graph heuristic ===

As described in the introduction, [[address]]es are connected together by [[transaction]]s on the [[block chain]]. The mathematical concept of a [https://en.wikipedia.org/wiki/Graph_(discrete_mathematics) graph] can be used to describe the structure where addresses are connected with transactions. [[Address]]es are vertices while [[transaction]]s are edges in this transaction graph.

This is called a heuristic because [[transaction]]s on the [[block chain]] do not necessarily correspond to real economic transactions. For example the [[transaction]] may represent someone sending bitcoins to themselves. Also, real economic transactions may not appear on the [[block chain]] but be [[Off-Chain Transactions|off-chain]]; either via a custodial entity like an exchange, or non-custodial off-chain like [[Lightning Network]].

==== Taint analysis ====

''Taint analysis'' is a technique sometimes used to study the flow of bitcoins and extract privacy-relevant information. If an address A is connected to privacy-relevant information (such as a real name) and it makes a transaction sending coins to address B, then address B is said to be ''tainted'' with coins from address A. In this way taint is spread by "touching" via transactions<ref>Meiklejohn, Sarah & Orlandi, Claudio. (2015). Privacy-Enhancing Overlays in Bitcoin. 127-141. 10.1007/978-3-662-48051-9_10. https://fc15.ifca.ai/preproceedings/bitcoin/paper_5.pdf</ref>. It is unclear how useful taint analysis is for spying, as it does not take into account transfer of ownership. For example an owner of tainted coins may donate some of them to some charity, the donated coins could be said to be tainted yet the charity does not care and could not give any information about the source of those coins. Taint analysis may only be useful for breaking schemes where someone tries to hide the origin of coins by sending dozens of fake transactions to themselves many times.

=== Amount ===

Blockchain [[transactions]] contain amount information of the transaction inputs and outputs, as well as an implicit amount of the [[Miner fees|miner fee]]. This is visible to all.

Often the payment amount of a transaction is a round number, possibly when converted to another currency. An analysis of round numbers in bitcoin transactions has been used to measure the countries or regions where payment have happened<ref>Gervais A., Ritzdorf H., Lucic M., Lenders V., Capkun S. (2016) Quantifying Location Privacy Leakage from Transaction Prices. In: Askoxylakis I., Ioannidis S., Katsikas S., Meadows C. (eds) Computer Security – ESORICS 2016. ESORICS 2016. Lecture Notes in Computer Science, vol 9879. Springer, Cham https://eprint.iacr.org/2015/496</ref>.

==== Input amounts revealing sender wealth ====

A mismatch in the sizes of available [[Transaction#input|input]] vs what is required can result in a privacy leak of the total wealth of the sender. For example, when intending to send 1 bitcoins to somebody a user may only have an [[Transaction#input|input]] worth 10 bitcoins. They create a [[transaction]] with 1 bitcoin going to the recipient and 9 bitcoins going to a [[Change|change address]]. The recipient can look at the [[transaction]] on the blockchain and deduce that the sender owned at least 10 bitcoins.

By analogy with paper money, if you hand over a 100 USD note to pay for a drink costing only 5 USD the bartender learns that your balance is at least 95 USD. It may well be higher of course, but it's at least not lower<ref>https://medium.com/@octskyward/merge-avoidance-7f95a386692f</ref>.

==== Exact payment amounts (no change) ====

Payments that send exact amounts and take no change are a likely indication that the bitcoins didn't move hands.

This usually means that the user used the "send maximum amount" wallet feature to transfer funds to her new wallet, to an exchange account,
to fund a lightning channel, or other similar cases where the bitcoins remain under the same ownership.

Other possible reasons for sending exact amounts with no change is that the coin-selection algorithm was smart and lucky enough to find a suitable set of inputs for the intended payment amount that didn't require change (or required a change amount that is negligible enough to waive), or advanced users sending donations using manual coin selection to explicitly avoid change.

=== Batching ===

[[Techniques to reduce transaction fees#Payment_batching|Payment batching]] is a technique to reduce the [[Miner fees|miner fee]] of a payment. It works by batching up several payments into one [[block chain]] [[transaction]]. It is typically used by exchanges, casinos and other high-volume spenders.

The privacy implication comes in that recipients can see the amount and address of recipients<ref>https://bitcointechtalk.com/saving-up-to-80-on-bitcoin-transaction-fees-by-batching-payments-4147ab7009fb</ref>

<blockquote>
When you receive your withdrawal from Kraken, you can look up your transaction on a block chain explorer and see the addresses of everyone else who received a payment in the same transaction. You don’t know who those recipients are, but you do know they received bitcoins from Kraken the same as you.

That’s not good for privacy, but it’s also perhaps not the worst thing. If Kraken made each of those payments separately, they might still be connected together through the change outputs and perhaps also by certain other identifying characteristics that block chain analysis companies and private individuals use to fingerprint particular spenders.

However, it is something to keep in mind if you’re considering batching payments where privacy might be especially important or already somewhat weak, such as making payroll in a small company where you don’t want each employee to learn the other employees’ salaries.
</blockquote>

=== Unusual scripts ===

Most but not all bitcoin [[Script|scripts]] are single-signature. Other scripts are possible with the most common being [[multisignature]]. A script which is particularly unusual can leak information simply by being so unique.

2-of-3 multisig is by far the most common non-single-signature script as of 2019.

=== Mystery shopper payment ===

A [[Mystery shopper payments|mystery shopper payment]] is when an adversary pays bitcoin to a target in order to obtain privacy-relevant information. It will work even if [[address reuse]] is avoided. For example, if the target is an online merchant then the adversary could buy a small item. On the payment interface they would be shown one of the merchant's bitcoin [[address]]es. The adversary now knows that this [[address]] belongs to the merchant and by watching the blockchain for later [[transaction]]s other information would be revealed, which when combined with other techniques could reveal a lot of data about the merchant. The [[common-input-ownership heuristic]] and change address detection could reveal other addresses belonging to the merchant (assuming countermeasures like [[CoinJoin]] are not used) and could give a lower-bound for the sales volume. This works because anybody on the entire internet can request one of the merchant's [[address]]es.

=== Forced address reuse ===

'''Forced [[address reuse]]''' or '''incentivized [[address reuse]]''' is when an adversary pays an (often small) amount of bitcoin to [[address]]es that have already been used on the [[block chain]]. The adversary hopes that users or their wallet software will use the payments as inputs to a larger transaction which will reveal other addresses via the the [[common-input-ownership heuristic]]. These payments can be understood as a way to coerce the address owner into unintentional [[address reuse]]<ref>https://www.reddit.com/r/Bitcoin/comments/3a1hte/psa_dust_being_sent_to_your_addresses_might_help/</ref><ref>https://www.reddit.com/r/Bitcoin/comments/9r9qud/if_you_have_recently_received_a_very_small_amount/</ref>.

This attack is sometimes incorrectly called a '''dust attack'''<ref>https://github.com/JoinMarket-Org/joinmarket-clientserver/pull/471#issuecomment-565857814</ref>.

The correct behaviour by wallets is to not spend coins that have landed on an already-used empty addresses.

=== Amount correlation ===

Amounts correlation refers to searching the entire [[block chain]] for output amounts.

For example, say we're using any black box privacy technology that breaks the [[transaction]] graph.

V --> [black box privacy tech] --> V - fee

The privacy tech is used to mix V amount of bitcoins, and it returns V bitcoins minus fees back to the user. Amount correlation could be used to unmix this tech by searching the blockchain for transactions with an output amount close to V.

A way to resist amount correlation is to split up the sending of bitcoins back to user into many transactions with output amounts (w0, w1, w2) which together add up to V minus fees.

V --> [privacy tech] --> w0
--> w1
--> w2

Another way of using amount correlation is to use it to find a starting point. For example, if Bob wants to spy on Alice. Say that Alice happens to mention in passing that she's going on holiday costing $5000 with her boyfriend, Bob can search all transactions on the blockchain in the right time period and find transactions with output amounts close to $5000. Even if multiple matches are found it still gives Bob a good idea of which bitcoin addresses belong to Alice.

=== Timing correlation ===

Timing correlation refers to using the time information of transactions on the blockchain. Similar to amount correlation, if an adversary somehow finds out the time that an interesting transaction happened they can search the blockchain in that time period to narrow down their candidates.

This can be beaten by uniform-randomly choosing a time between now and an appropriate time_period in which to broadcast the bitcoin transaction. This forces an adversary to search much more of the existing transactions; they have to equally consider the entire anonymity set between now and time_period.

== Non-blockchain attacks on privacy ==

=== Traffic analysis ===

Bitcoin [[Full node|nodes]] communicate with each other via a [[Network|peer-to-peer network]] to transmit [[transaction]]s and [[block]]s. [[Network#Standard_relaying|Nodes relay]] these packets to all their connections, which has good privacy properties because a connected node doesn't know whether the transmitted data originated from its peer or whether the peer was merely relaying it.

An adversary able to snoop on your internet connection (such as your government, ISP, Wifi provider or VPN provider) can see data sent and received by your node. This would reveal that you are a bitcoin user. Even if a connection is encrypted the adversary could still see the timings and sizes of data packets. A block being mined results in a largely synchronized burst of identically-sized traffic for every bitcoin node, because of this bitcoin nodes are very vulnerable to traffic analysis revealing the fact that bitcoin is being used.

If the adversary sees a [[transaction]] or [[block]] coming out of your node which did not previously enter, then it can know with near-certainty that the [[transaction]] was made by you or the [[block]] was mined by you. As internet connections are involved, the adversary will be able to link the IP address with the discovered bitcoin information.

A certain kind of [[Weaknesses#Sybil_attack|sybil attack]] can be used to discover the source of a [[transaction]] or [[block]] without the adversary entirely controlling the victims internet connection. It works by the adversary creating many of their own fake nodes on different IP addresses which aggressively announce themselves in an effort to attract more nodes to connect to them, they also try to connect to as many other listening nodes as they can. This high connectivity help the adversary to locate the source newly-broadcasted transactions and blocks by tracking them as they propagate through the [[network]].<ref>https://www.reddit.com/r/Bitcoin/comments/2yvy6b/a_regulatory_compliance_service_is_sybil/</ref><ref>Alex Biryukov, Dmitry Khovratovich, and Ivan Pustogarov. 2014. Deanonymisation of Clients in Bitcoin P2P Network. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 15-29. DOI: 10.1145/2660267.2660379 https://arxiv.org/abs/1405.7418</ref><ref>Koshy, Philip & Koshy, Diana & McDaniel, Patrick. (2014). An Analysis of Anonymity in Bitcoin Using P2P Network Traffic. 8437. 469-485. 10.1007/978-3-662-45472-5_30. http://ifca.ai/fc14/papers/fc14_submission_71.pdf</ref><ref>https://github.com/bitcoin/bitcoin/issues/3828</ref>. Some wallets periodically rebroadcast their unconfirmed transactions so that they are more likely to propagate widely through the network and be [[Confirmation|mined]].

Some wallets are not [[full node]]s but are lightweight nodes which function in a different way. They generally have far worse privacy properties, but how badly depends on the details of each wallet. Some [[Lightweight node|lightweight wallets]] can be connected only to your own [[full node]], and if that is done then their privacy with respect to traffic analysis will be improved to the level of a full node.

=== Custodial Wallets ===

Some bitcoin wallets are just front-ends that connects to a back-end server run by some company. This kind of wallet has no privacy at all, the operating company can see all the user's addresses and all their transactions, most of the time they'll see the user's IP address too. Users should not use web wallets.

Main article: [[Browser-based wallet]]

=== Wallet history retrieval from third-party ===

All bitcoin wallets must somehow obtain information about their balance and history, which may leak information about which [[address]]es and [[transaction]]s belong to them.

==== Blockchain explorer websites ====

[[Block chain browser|Blockchain explorer websites]] are commonly used. Some users even search for their [[transaction]] on those websites and refresh it until it reaches 3 [[confirmation]]s. This is very bad for privacy as the website can easily link the user's IP address to their bitcoin transaction (unless [[tor]] is used), and the queries to their website reveal that the [[transaction]] or [[address]] is of interest to somebody who has certain behavioural patterns.

To get information about your [[transaction]]s it is much better to use your wallet software, not some website.

==== BIP 37 ====

Many [[Lightweight node|lightweight wallets]] use the [[BIP_0037|BIP37]] standard, which has serious design flaws leading to privacy leaks. Any wallet that uses [[BIP_0037|BIP37]] provides no privacy at all and is equivalent to sending all the wallets addresses to a random server. That server can easily spy on the wallet. Lessons from the failure of BIP37 can be useful when designing and understanding other privacy solutions, especially with the point about data fusion of combining BIP37 bloom filter leaks with blockchain transaction information leaks.

Main article: [[BIP37 privacy problems]]

==== Public Electrum servers ====

[[Electrum]] is a popular software wallet which works by connecting to special purpose servers. These servers receive hashes of the bitcoin addresses in the wallet and reply with [[transaction]] information. The Electrum wallet is fast and low-resource but by default it connects to these servers which can easily spy on the user. Some other software aside from [[Electrum]] uses the public Electrum servers. As of 2019 it is a faster and better alternative for [[Lightweight node|lightweight wallets]] than BIP37.

Servers only learn the hashes of addresses rather than addresses themselves, in practice they only know the actual address and associated transactions if it's been used on the blockchain at least once.

It is not very difficult to [[Electrum#Server_software|run your own Electrum server]] and point your wallet to use only it. This restores [[Electrum]] to have the same privacy and security properties as a [[full node]] where nobody else can see which addresses or transactions the wallet is interested in. Then [[Electrum]] becomes a [[full node]] wallet.

=== Communication eavesdropping ===

A simple but effective privacy leak. Alice gives Bob one of her [[address]]es to receive a payment, but the communication has been eavesdropped by Eve who saw the [[address]] and now knows it belongs to Alice. The solution is to encrypt addresses where appropriate or use another way of somehow hiding them from an adversary as per the threat model.

Sometimes the eavesdropping can be very trivial, for example some forum users publish a bitcoin donation address on their website, forum signature, profile, twitter page, etc where it can be picked up by search engines. In the example of the non-anonymous Chinese newspaper buyer from the introduction, his address being publicly visible on his forum signature was a crucial part of his deanonymization. The solution here is to show each potential donator a new address, for example [[Receiving_donations_with_bitcoin#Improving_privacy_by_avoiding_address_re-use|by setting up a web server to hand out unique addresses to each visitor]].

=== Revealing data when transacting bitcoin ===

Sometimes users may voluntarily reveal data about themselves, or be required to by the entity they interact with. For example many exchanges require users to undergo Anti-Money Laundering and Know-Your-Customer (AML/KYC) checks, which requires users to reveal all kinds of invasive personal information such as their real name, residence, occupation and income. All this information is then linked with the bitcoin [[address]]es and [[transaction]]s that are later used.

When buying goods online with bitcoin a delivery mail address is needed. This links the bitcoin transaction with the delivery address. The same applies to the user's IP address (unless privacy technology like [[Tor]] is used).

=== Digital forensics ===

Wallet software usually stores information it needs to operate on the disk of the computer it runs on. If an adversary has access to that disk it can extract bitcoin [[address]]es and [[transactions]] which are known to be linked with the owner of that disk. The same disk might contain other personal information (such as a scan of an ID card). Digital forensics is one reason why all good wallet software encrypts wallet files, although that can be beaten if a weak encryption password is used.

For example if you have a bitcoin wallet installed on your PC and give the computer to a repair shop to fix, then the repair shop operator could find the wallet file and records of all your transactions. Other examples might be if an old hard disk is thrown away. Other software installed on the same computer (such as malware) can also read from disk or RAM to spy on the bitcoin transactions made by the user.

For privacy don't leave data on your computer available to others. Exactly how depends on your threat model. Encryption and physical protection are options, as is using special operating systems like [https://tails.boum.org/ Tails OS] which does not read or write from the hard drive but only uses RAM, and then deletes all data on shutdown.

== Methods for improving privacy (non-blockchain) ==

=== Obtaining bitcoins anonymously ===

If the adversary has not linked your bitcoin address with your identity then privacy is much easier. Blockchain spying methods like the [[common-input-ownership heuristic]], detecting [[change]] addresses and amount correlation are not very effective on their own if there is no starting point to link back to.

Many exchanges require users to undergo Anti-Money Laundering and Know-Your-Customer (AML/KYC) checks, which requires users to reveal all kinds of invasive personal information such as their real name, residence, occupation and income. All this information is then linked with the bitcoin [[address]]es and [[transaction]]s that are later used.

Avoiding the privacy invasion of AML/KYC is probably the single most important thing an individual can do to improve their privacy. It works far better than any actual technology like [[CoinJoin]]. Indeed all the cryptography and privacy tricks are irrelevant if all users only ever transact between AML/KYC institutions<ref>https://twitter.com/waxwing__/status/983258474040774657</ref>.

==== Cash trades ====

Physical cash is an anonymous medium of exchange, so using it is a way to obtain bitcoin anonymously where no one except trading partners exchange identifying data.

This section won't list websites to find such meetups because the information can go out of date, but try searching the web with "buy bitcoin for cash <your location>". Note that some services still require ID so that is worth checking. Some services require ID only for the trader placing the advert. As of late-2018 there is at least one [[Bisq|decentralized exchange open source project]] in development which aims to facilitate this kind of trading without a needing a centralized third party at all but instead using a peer-to-peer network.

'''Cash-in-person''' trades are an old and popular method. Two traders arrange to meet up somewhere and the buyer hands over cash while the seller makes a bitcoin transaction to the buyer. This is similar to other internet phenomena like Craigslist which organize meetups for exchange. [[Secure Trading#Use_an_Escrow_Service|Escrow can be used]] to improve safety or to avoid the need to wait for [[confirmation]]s at the meetup.

'''Cash-by-mail''' works by having the buyer send physical cash through the mail. [[Secure Trading#Use_an_Escrow_Service|Escrow is always used]] to prevent scamming. The buyer of bitcoins can be very anonymous but the seller must reveal a mail address to the buyer. Cash-by-mail can work over long distances but does depend on the postal service infrastructure. Users should check with their local postal service if there are any guidelines around sending cash-by-mail. Often the cash can also be insured.

'''Cash deposit''' is a method where the buyer deposits cash directly into the seller's bank account. Again [[Secure Trading#Use_an_Escrow_Service|escrow is used]], and again the buyer of bitcoins can be near-anonymous but the seller must sign up with a bank or financial institution and share with them rather invasive details about one's identity and financial history. This method relies on the personal banking infrastructure so works over long distances.

'''Cash dead drop''' is a rarely used method. It is similar to a cash-in-person trade but the traders never meet up. The buyer chooses a location to hide the cash in a public location, next the buyer sends a message to the seller telling them the location, finally the seller picks up the cash from the hidden location. [[Secure Trading#Use_an_Escrow_Service|Escrow is a requirement]] to avoid scamming. This method is very anonymous for the buyer as the seller won't even learn their physical appearance, for the seller it is slightly less anonymous as the buyer can stalk the location to watch the seller collect the cash.

==== Cash substitute ====

Cash substitutes like gift cards, mobile phone credits or prepaid debit cards can often be bought from regular stores with cash and then traded online for bitcoin.

==== Employment ====

Bitcoins accepted as payment for work done can be anonymous if the employer does not request much personal information. This may work well in a freelancing or contracting setting. Although if your adversary is your own employer then obviously this is not good privacy.

==== Mining ====

Mining is the most anonymous way to obtain bitcoin. This applies to solo-mining as [[Pooled mining|mining pools]] generally know the hasher's IP address. Depending on the size of operation mining may use a lot of electrical power which may attract suspicion. Also the [[ASIC|specialized mining hardware]] may be difficult to get hold of anonymously (although they wouldn't be linked to the resulting mined bitcoins).

==== Stealing ====

In theory another way of obtaining anonymous bitcoin is to steal them.<ref>https://twitter.com/thegrugq/status/1062194678089404421</ref>

There is at least one situation where this happened. In May 2015 a hacker known as Phineas Fisher<ref>https://motherboard.vice.com/en_us/article/3k9zzk/hacking-team-hacker-phineas-fisher-has-gotten-away-with-it</ref> hacked a spyware company that was selling surveillance products to dictators<ref>https://motherboard.vice.com/en_us/article/nzeg5x/here-are-all-the-sketchy-government-agencies-buying-hacking-teams-spy-tech</ref>. The hacker used bitcoin stolen from other people to anonymously rent infrastructure for later attacks.

=== Spending bitcoins anonymously ===

If you give up your delivery address (which you'll have to if you're buying physical goods online) then that will be a data leak. Obviously this is unavoidable in many cases.

=== Wallet history synchronization ===

Bitcoin wallets must somehow obtain information about their balance and history. As of late-2018 the most practical and private existing solutions are to use a [[full node]] wallet (which is maximally private) and [[client-side block filtering]] (which is very good).

One issue with these technologies is that they always costs more resources (time, bandwidth, storage, etc) than non-private solutions like web wallets and centralized [[Electrum]] servers. There are measurements indicating that very few people actually use [[BIP_0037|BIP37]] because of how slow it is<ref>https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-June/016062.html</ref>, so even [[client-side block filtering]] may not be used very much.

==== Full node ====

[[Full node]]s download the entire blockchain which contains every on-chain [[transaction]] that has ever happened in bitcoin. So an adversary watching the user's internet connection [[Full node#Privacy|will not be able to learn]] which transactions or addresses the user is interested in. This is the best solution to wallet history synchronization with privacy, but unfortunately it costs a significant amount in time and bandwidth.

==== Private information retrieval ====

In cryptography, a private information retrieval (PIR) protocol is a protocol that allows a user to retrieve an item from a server in possession of a database without revealing which item is retrieved. This has been proposed as a way to private synchronize wallet history but as PIR is so resource-intensive, users who don't mind spending bandwidth and time could just run a [[full node]] instead.

==== Client-side block filtering ====

[[Client-side block filtering]] works by having filters created that contains all the [[address]]es for every [[transaction]] in a [[block]]. The filters can test whether an element is in the set; false positives are possible but not false negatives. A lightweight wallet would download all the filters for every block in the blockchain and check for matches with its own addresses. [[Block]]s which contain matches would be downloaded in full from the [[Network|peer-to-peer network]], and those blocks would be used to obtain the wallet's history and current balance.

==== Address query via onion routing ====

Wallet histories can be obtained from centralized servers (such as [[Electrum]] servers) but using a new Tor circuit for each address. A closely-related idea is to connect together [[Electrum]] servers in an onion-routing network<ref>https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-July/009510.html</ref>. When creating such a scheme, care should be taken to avoid timing correlation linking the addresses together, otherwise the server could use the fact that the addresses were requested close to each other in time.

=== Countermeasures to traffic analysis ===

[[Bitcoin Core]] and its forks have countermeasures against [[Weaknesses#Sybil_attack|sybil attack]] and eclipse attacks. Eclipse attacks are sybil attacks where the adversary attempts to control all the peers of its target and block or control access to the rest of the network<ref>https://bitcoin.stackexchange.com/questions/61151/eclipse-attack-vs-sybil-attack</ref>. Such attacks have been extensively studied in a 2015 paper [https://eprint.iacr.org/2015/263.pdf Eclipse Attacks on Bitcoin’s Peer-to-Peer Network] which has led to new code written for [[Bitcoin Core]] for mitigation.<ref>https://github.com/bitcoin/bitcoin/pull/8282</ref><ref>https://github.com/bitcoin/bitcoin/pull/5941</ref><ref>https://github.com/bitcoin/bitcoin/pull/9037</ref><ref>https://github.com/bitcoin/bitcoin/pull/8594</ref><ref>https://github.com/bitcoin/bitcoin/pull/12626</ref>

[[Bitcoin Core]] and its forks use an algorithm known as trickling when relaying unconfirmed transactions, with the aim of making it as difficult as possible for sybil attackers to find the source IP address of a [[transaction]]. For each peer, the node keeps a list of transactions that it is going to [[Network#Messages|inv]] to it. It sends [[Network#Messages|inv's]] for transactions periodically with a random delay between each [[Network#Messages|inv]]. Transactions are selected to go into the [[Network#Messages|inv]] message somewhat randomly and according to some metrics involving fee rate. It selects a limited number of transactions to [[Network#Messages|inv]]. The algorithm creates the possibility that a peered node may hear about an unconfirmed transaction from the creator's neighbours rather than the creator node itself<ref>https://bitcoin.stackexchange.com/questions/83018/transaction-relay-and-trickling-in-bitcoin</ref><ref>https://github.com/bitcoin/bitcoin/issues/13298</ref><ref>https://github.com/bitcoin/bitcoin/pull/7125</ref><ref>https://github.com/bitcoin/bitcoin/pull/7840</ref>. However adversaries can still sometimes obtain privacy-relevant information.

Encrypting messages between peers as in [https://github.com/bitcoin/bips/blob/master/bip-0151.mediawiki BIP 151] would make it harder for a passive attacker such as an ISP or Wifi provider to see the exact messages sent and received by a bitcoin node.

==== Tor and tor broadcasting ====

If a connection-controlling adversary is a concern, then bitcoin can be run entirely over [[tor]]. [[Tor]] is encrypted and hides endpoints, so an ISP or Wifi providers won't even know you're using bitcoin. The other connected bitcoin nodes won't be able to see your IP address as [[tor]] hides it. [[Bitcoin Core]] and its forks have features to make setting up and using [[tor]] easier. Some [[Lightweight node|lightweight wallets]] also run entirely over [[tor]].

Running entirely over [[tor]] has the downside that synchronizing the node requires downloading the entire blockchain over tor, which would be very slow. Downloading [[block]]s over Tor only helps in the situation where you want to hide the fact that bitcoin is even being used from the internet service provider<ref>https://bitcointalk.org/index.php?topic=7.msg264#msg264</ref>. It is possible to download [[blocks]] and unconfirmed [[transaction]]s over clearnet but broadcast your own [[transaction]]s over [[tor]], allowing a fast clearnet connection to be used while still providing privacy when broadcasting.

[[Bitcoin Core]] being configured with the option <code>walletbroadcast=0</code> will stop [[transaction]]s belonging to the user from being broadcast and rebroadcast, allowing them to be broadcast instead via [[tor]] or another privacy-preserving method<ref>https://github.com/bitcoin/bitcoin/pull/5951</ref>.

==== Dandelion ====

Dandelion is another technology for private transaction broadcasting. The main idea is that transaction propagation proceeds in two phases: first the "stem" phase, and then "fluff" phase. During the stem phase, each node relays the transaction to a ''single'' peer. After a random number of hops along the stem, the transaction enters the fluff phase, which behaves just like ordinary transaction flooding/diffusion. Even when an attacker can identify the location of the fluff phase, it is much more difficult to identify the source of the stem.<ref>https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-June/014571.html</ref><ref>https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-September/015030.html</ref><ref>https://bitcoinmagazine.com/articles/anatomy-anonymity-how-dandelion-could-make-bitcoin-more-private/</ref><ref>https://www.youtube.com/watch?v=XORDEX-RrAI&t=7h34m35s</ref>

==== Interactive peer broadcasting ====

Some privacy technologies like [[CoinJoin]] and [[CoinSwap]] require interactivity between many bitcoin entities. They can also be used to broadcast transactions with more privacy, because peers in the privacy protocols can send each other unconfirmed transactions using the already-existing protocol they use to interact with each other.

For example, in [[JoinMarket]] market takers can send [[transaction]]s to market makers who will broadcast them and so improve the taker's privacy. This can be a more convenient for the taker than setting up [[Tor]] for use with [[#Tor_and_tor_broadcasting|tor broadcasting]].

==== Receiving bitcoin data over satellite ====

At least one bitcoin company offers a satellite bitcoin service<ref>https://blockstream.com/satellite/</ref>. This is a free service where satellites broadcast the bitcoin blockchain to nearly anywhere in the world. If users set up a dish antenna pointing at a satellite in space, then they can receive bitcoin blocks needed to run a [[full node]]. As the satellite setups are receive-only nobody can detect that the user is even running bitcoin, and certainly not which [[address]]es or [[transaction]]s belong to them.

As of 2019 the company offers a paid-for API which allows broadcasting any data to anywhere in the world via satellite, which seems to be how they make their money. But it appears the base service of broadcasting the blockchain will always be free.

Main article: https://blockstream.com/satellite/

== Methods for improving privacy (blockchain) ==

This section describes different techniques for improving the privacy of [[transaction]]s related to the permanent record of transactions on the blockchain. Some techniques are trivial and are included in all good bitcoin wallets. Others have been implemented in some open source projects or services, which may use more than one technique at a time. Other techniques have yet to be been implemented. Many of these techniques focus on breaking different heuristics and assumptions about the blockchain, so they work best when combined together.

=== Avoiding [[address reuse]] ===

[[Address]]es being used more than once is very damaging to privacy because that links together more blockchain [[transaction]]s with proof that they were created by the same entity. The most private and secure way to use bitcoin is to send a brand new address to each person who pays you. After the received coins have been spent the address should never be used again. Also, a brand new bitcoin address should be demanded when sending bitcoin. All good bitcoin wallets have a user interface which discourages [[address reuse]].

It has been argued that the phrase "bitcoin address" was a bad name for this object because it implies it can be reused like an email address. A better name would be something like "bitcoin invoice".

Bitcoin isn't anonymous but pseudonymous, and the pseudonyms are bitcoin addresses. Avoiding [[address reuse]] is like throwing away a pseudonym after its been used.

[[Bitcoin Core]] 0.17 includes an update to improve the privacy situation with [[address reuse]]<ref>https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-0.17.0.md#partial-spend-avoidance</ref>. When an address is paid multiple times the coins from those separate payments can be spent separately which hurts privacy due to linking otherwise separate addresses. A -avoidpartialspends flag has been added (default=false), if enabled the wallet will always spend existing UTXO to the same address together even if it results in higher fees. If someone were to send coins to an address after it was used, those coins will still be included in future coin selections.

==== Avoiding [[#Forced_address_reuse|forced address reuse]] ====

The easiest way to avoid the privacy loss from [[#Forced_address_reuse|forced address reuse]] to not spend coins that have landed on an already-used and empty addresses. Usually the payments are of a very low value so no relevant money is lost by simply not spending the coins.

Dust-b-gone is an old project<ref>https://github.com/petertodd/dust-b-gone</ref> which aimed to safely spend forced-address-reuse payments. It signs all the UTXOs together with other people's and spends them to miner fees. The [[transaction]]s use rare [[OP_CHECKSIG]] sighash flags so they can be easily eliminated from the adversary's analysis, but at least the forced address reuse payments don't lead to further privacy loss.

=== Coin control ===

Coin control is a feature of some bitcoin wallets that allow the user to choose which [[Coin analogy|coins]] are to be spent as inputs in an outgoing [[transaction]]. Coin control is aimed to avoid as much as possible [[transaction]]s where privacy leaks are caused by amounts, change addresses, the transaction graph and the [[common-input-ownership heuristic]]<ref>https://medium.com/@octskyward/merge-avoidance-7f95a386692f</ref><ref>https://medium.com/@nopara73/coin-control-is-must-learn-if-you-care-about-your-privacy-in-bitcoin-33b9a5f224a2</ref>.

An example for avoiding a transaction graph privacy leak with coin control: A user is paid bitcoin for their employment, but also sometimes buys bitcoin with cash. The user wants to donate some money to a charitable cause they feel passionately about, but doesn't want their employer to know. The charity also has a publicly-visible donation address which can been found by web search engines. If the user paid to the charity without coin control, his wallet may use [[Coin analogy|coins]] that came from the employer, which would allow the employer to figure out which charity the user donated to. By using coin control, the user can make sure that only [[Coin analogy|coins]] that were obtained anonymously with cash were sent to the charity. This avoids the employer ever knowing that the user financially supports this charity.

=== Multiple transactions ===

Paying someone with more than one on-chain [[transaction]] can greatly reduce the power of amount-based privacy attacks such as amount correlation and round numbers. For example, if the user wants to pay 5 BTC to somebody and they don't want the 5 BTC value to be easily searched for, then they can send two transactions for the value of 2 BTC and 3 BTC which together add up to 5 BTC.

Privacy-conscious merchants and services should provide customers with more than one bitcoin [[address]] that can be paid.

=== Change avoidance ===

Change avoidance is where transaction inputs and outputs are carefully chosen to not require a change output at all. Not having a change output is excellent for privacy, as it breaks change detection heuristics.

Change avoidance is practical for high-volume bitcoin services, which typically have a large number of inputs available to spend and a large number of required outputs for each of their customers that they're sending money to. This kind of change avoidance also lowers [[miner fees]] because the transactions uses less block space overall.

Main article: [[Techniques_to_reduce_transaction_fees#Change_avoidance]]

Another way to avoid creating a change output is in cases where the exact amount isn't important and an entire UTXO or group of UTXOs can be fully-spent. An example is when opening a [[Lightning Network]] [[payment channel]]. Another example would be when sweeping funds into a [[cold storage]] wallet where the exact amount may not matter.

=== Multiple change outputs ===

If [[#Change_avoidance|change avoidance]] is not an option then creating more than one change output can improve privacy. This also breaks change detection heuristics which usually assume there is only a single change output. As this method uses more block space than usual, change avoidance is preferable.

=== Script privacy improvements ===

The [[Script|script]] of each bitcoin output leaks privacy-relevant information. For example as of late-2018 around 70% of bitcoin addresses are single-signature and 30% are [[multisignature]]<ref>https://p2sh.info/</ref>. Much research has gone into improving the privacy of scripts by finding ways to make several different script kinds look the same. As well as improving privacy, these ideas also improve the scalability of the system by reducing storage and bandwidth requirements.

'''ECDSA-2P''' is a cryptographic scheme which allows the creation of a 2-of-2 [[multisignature]] scheme but which results in a regular single-sig [[Elliptic Curve Digital Signature Algorithm|ECDSA]] signature when included on the blockchain<ref>Scaling Bitcoin conference 2018 Tokyo. Conner Fromknecht (Lightning Labs)
Instantiating [Scriptless] 2P-ECDSA: Fungible 2-of-2 MultiSigs for Today's Bitcoin. https://www.youtube.com/watch?v=3mJURLD2XS8&t=3623 https://diyhpl.us/wiki/transcripts/scalingbitcoin/tokyo-2018/scriptless-ecdsa/</ref>. It doesn't need any consensus changes because bitcoin already uses [[Elliptic Curve Digital Signature Algorithm|ECDSA]].

'''[[Schnorr]]''' is a digital signature scheme which has many benefits over the status-quo [[Elliptic Curve Digital Signature Algorithm|ECDSA]]<ref>https://medium.com/cryptoadvance/how-schnorr-signatures-may-improve-bitcoin-91655bcb4744</ref><ref>https://bitcoincore.org/en/2017/03/23/schnorr-signature-aggregation/</ref>. One side effect is that any N-of-N<ref>https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures/</ref> and M-of-N [[multisignature]] can be easily made to look like a single-sig when included on the blockchain. Adding [[Schnorr]] to bitcoin requires a [[Softfork]] consensus change. As of 2019 a design for the signature scheme has been proposed<ref>https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki</ref>. The required [[softfork]] consensus change is still in the design stage as of early-2019.

'''[[Scriptless scripts]]''' are a set of cryptographic protocols which provide a way of replicating the logic of [[script]] without actually having the script conditions visible, which increases privacy and scalability by removing information from the blockchain<ref>https://bitcoinmagazine.com/articles/scriptless-scripts-how-bitcoin-can-support-smart-contracts-without-smart-contracts/</ref><ref>https://download.wpsoftware.net/bitcoin/wizardry/mw-slides/2017-03-mit-bitcoin-expo/slides.pdf</ref><ref>https://joinmarket.me/blog/blog/flipping-the-scriptless-script-on-schnorr/</ref><ref>https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-April/001221.html</ref>. This is generally aimed at protocols involving [[Hash Time Locked Contracts]] such as [[Lightning Network]] and [[CoinSwap]].

With scriptless scripts, nearly the only thing visible is the public keys and signatures. More than that, in multi-party settings, there will be a single public key and a single signature for all the actors. Everything looks the same-- [[Lightning Network|lightning]] [[payment channels]] would look the same as single-sig payments, escrows, [[atomic swap]]s, or sidechain federation pegs. Pretty much anything you think about that people are doing on bitcoin in 2019, can be made to look essentially the same<ref>http://diyhpl.us/wiki/transcripts/layer2-summit/2018/scriptless-scripts/</ref>.

'''MAST''' is short for Merkelized Abstract Syntax Tree, which is a scheme for hiding unexecuted branches of a [[script]] contract. It improves privacy and scalability by removing information from the blockchain<ref>https://bitcointechtalk.com/what-is-a-bitcoin-merklized-abstract-syntax-tree-mast-33fdf2da5e2f</ref><ref>https://bitcoinmagazine.com/articles/the-next-step-to-improve-bitcoin-s-flexibility-scalability-and-privacy-is-called-mast-1476388597/</ref>.

'''Taproot''' is a way to combine Schnorr signatures with MAST<ref>https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-January/015614.html</ref>. The Schnorr signature can be used to spend the coin, but also a MAST tree can be revealed only when the user wants to use it. The schnorr signature can be any N-of-N or use any scriptless script contract. The consequence of taproot is a much larger anonymity set for interesting smart contracts, as any contract such as [[Lightning Network]], [[CoinSwap]], [[multisignature]], etc would appear indistinguishable from regular single-signature on-chain transaction.

The taproot scheme is so useful because it is almost always the case that interesting scripts have a logical top level branch which allows satisfaction of the contract with nothing other than a signature by all parties. Other branches would only be used where some participant is failing to cooperate.

'''Graftroot''' is a smart contract scheme similar to taproot. It allows users to include other possible [[script]]s for spending the coin but with less resources used even than taproot. The tradeoff is that interactivity is required between the participants<ref>https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015700.html</ref><ref>https://www.reddit.com/r/Bitcoin/comments/7vcyip/graftroot_private_and_efficient_surrogate_scripts/</ref><ref>https://bitcoinmagazine.com/articles/graftroot-how-delegating-signatures-allows-near-infinite-spending-variations/</ref>.

'''[[nLockTime]]''' is a field in the serialized [[transaction]] format. It can be used in certain situations to create a more private [[timelock]] which avoids using [[script]] opcodes.

=== ECDH addresses ===

[[ECDH address]]es can be used to improve privacy by helping avoid [[address reuse]]. For example, a user can publish a [[ECDH address]] as a [[Receiving donations with bitcoin|donation address]] which is usable by people who want to donate. An adversary can see the ECDH donation address but won't be able to easily find any [[transaction]]s spending to and from it.

However [[ECDH address]]es do not solve all privacy problems as they are still vulnerable to [[Mystery_shopper_payments|mystery shopper payments]]; an adversary can donate some bitcoins and watch on the blockchain to see where they go afterwards, using heuristics like the [[common-input-ownership heuristic]] to obtain more information such as donation volume and final destination of funds.

ECDH addresses have [[ECDH address|some practicality issues]] and are very closely equivalent to [[Receiving_donations_with_bitcoin#Improving_privacy_by_avoiding_address_re-use|running a http website which hands out bitcoin addresses to anybody who wants to donate]] except without an added step of interactivity. It is therefore unclear whether ECDH are useful outside the use-case of non-interactive donations or a self-contained application which sends money to one destination without any interactivity.

=== Centralized mixers ===

This is an old method for breaking the [[#Transaction graph|transaction graph]]. Also called "tumblers" or "washers". A user would send bitcoins to a [[mixing service]] and the service would send different bitcoins back to the user, minus a fee. In theory an adversary observing the blockchain would be unable to link the incoming and outgoing [[transaction]]s.

There are several downsides to this. The mixer it must be trusted to keep secret the linkage between the incoming and outgoing transactions. Also the mixer must be trusted not to steal coins. This risk of stealing creates reputation effects; older and more established mixers will have a better reputation and will be able to charge fees far above the marginal cost of mixing coins. Also as there is no way to sell reputation, the ecosystem of mixers will be filled with occasional exit scams.

There is a better alternative to mixers which has essentially the same privacy and custody risks. A user could deposit and then withdraw coins from any regular bitcoin website that has a hot wallet. As long as the bitcoin service doesn't require any other information from the user, it has the same privacy and custody aspects as a centralized mixer and is also much cheaper. Examples of suitable bitcoin services are bitcoin casinos, bitcoin poker websites, tipping websites, altcoin exchanges or online marketplaces<ref>https://gist.github.com/chris-belcher/00255ecfe1bc4984fcf7c65e25aa8b4b#worked-example-for-tumbler-replacement</ref>.

The problem of the service having full knowledge of the transactions could be remedied by cascading several services together. A user who wants to avoid tracking by passive observers of the blockchain could first send coins to a bitcoin casino, from them withdraw and send directly to an altcoin exchange, and so on until the user is happy with the privacy gained.

Main article: [[Mixing service]]

=== CoinJoin ===

[[CoinJoin]] is a special kind of bitcoin transaction where multiple people or entities cooperate to create a single transaction involving all their inputs. It has the effect of breaking the [[common-input-ownership heuristic]] and it makes use of the [[Coin_analogy#Fungibility|inherent fungibility of bitcoin within transactions]]. The [[CoinJoin]] technique has been possible since the very start of bitcoin and cannot be blocked except in the ways that any other bitcoin [[transaction]]s can be blocked. Just by looking at a transaction it is not possible to tell for sure whether it is a coinjoin. CoinJoins are non-custodial as they can be done without any party involved in a coinjoin being able to steal anybody else's bitcoins<ref>https://www.reddit.com/r/joinmarket/comments/3c7hnm/joinmarket_is_smart_contracts/</ref>.

==== Equal-output CoinJoin ====

Say this transaction is a [[CoinJoin]], meaning that the 2 BTC and 3 BTC inputs were actually owned by different entities.

2 btc --> 3 btc
3 btc 2 btc

This transaction breaks the [[common-input-ownership heuristic]], because its inputs are not all owned by the same person but it is still easy to tell where the bitcoins of each input ended up. By looking at the amounts (and assuming that the two entities do not pay each other) it is obvious that the 2 BTC input ends up in the 2 BTC output, and the same for the 3 BTC. To really improve privacy you need [[CoinJoin]] transaction that have a more than one equal-sized output:

2 btc --> 2 btc
3 btc 2 btc
1 btc

In this [[transaction]] the two outputs of value 2 BTC cannot be linked to the inputs. They could have come from either input. This is the crux of how [[CoinJoin]] can be used to improve privacy, not so much breaking the transaction graph rather fusing it together. Note that the 1 BTC output has not gained much privacy, as it is easy to link it with the 3 BTC input. The privacy gain of these CoinJoins is compounded when the they are repeated several times.

As of late-2018 [[CoinJoin]] is the only decentralized bitcoin privacy method that has been deployed. Examples of (likely) [[CoinJoin]] transactions IDs on bitcoin's blockchain are <code>402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a</code> and <code>85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238</code>. Note that these coinjoins involve more than two people, so each individual user involved cannot know the true connection between inputs and outputs (unless they collude).

==== PayJoin ====

The type of [[CoinJoin]] discussed in the previous section can be easily identified as such by checking for the multiple outputs with the same value. It's important to note that such identification is always deniable, because somebody could make fake [[CoinJoin]]s that have the same structure as a coinjoin transaction but are made by a single person.

PayJoin (also called pay-to-end-point or P2EP)<ref>https://blockstream.com/2018/08/08/improving-privacy-using-pay-to-endpoint/</ref><ref>https://medium.com/@nopara73/pay-to-endpoint-56eb05d3cac6</ref><ref>https://gist.github.com/AdamISZ/4551b947789d3216bacfcb7af25e029e</ref> is a special type of [[CoinJoin]] between two parties where one party pays the other. The [[transaction]] then doesn't have the distinctive multiple outputs with the same value, and so is not obviously visible as an equal-output [[CoinJoin]]. Consider this transaction:

2 btc --> 3 btc
5 btc 4 btc

It could be interpreted as a simple transaction paying to somewhere with leftover change (ignore for now the question of which output is payment and which is [[change]]). Another way to interpret this transaction is that the 2 BTC input is owned by a merchant and 5 BTC is owned by their customer, and that this transaction involves the customer paying 1 BTC to the merchant. There is no way to tell which of these two interpretations is correct. The result is a coinjoin transaction that breaks the [[common-input-ownership heuristic]] and improves privacy, but is also undetectable and indistinguishable from any regular bitcoin transaction.

If PayJoin [[transaction]]s became even moderately used then it would make the [[common-input-ownership heuristic]] be completely flawed in practice. As they are undetectable we wouldn't even know whether they are being used today. As [[transaction surveillance company|transaction surveillance companies]] mostly depend on that heuristic, as of 2019 there is great excitement about the PayJoin idea<ref>https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-August/016340.html</ref>.

=== CoinSwap ===
{{Main|CoinSwap}}
'''CoinSwap''' is a non-custodial privacy technique for bitcoin based on the idea of [[atomic swap]]s<ref>https://joinmarket.me/blog/blog/coinswaps/</ref>. If Alice and Bob want to do a coinswap; then it can be understood as Alice exchanging her bitcoin for the same amount (minus fees) of Bob's bitcoins, but done with [[Contracts|bitcoin smart contracts]] to eliminate the possibility of cheating by either side.

[[CoinSwap]]s break the transaction graph between the sent and received bitcoins. On the [[block chain]] it looks like two sets of completely disconnected transactions:

Alice's Address ---> escrow address 1 ---> Bob's Address
Bob's Address ---> escrow address 2 ---> Alice's Address

Obviously Alice and Bob generate new [[address]]es each to avoid the privacy loss due to [[address reuse]].

It is possible to have CoinSwaps that are completely indistinguishable from any other transaction on the blockchain. They could be said to allow bitcoins to teleport undetectably to anywhere else on the blockchain. Non-CoinSwap transactions would benefit because a large-scale analyst of the blockchain like a [[transaction surveillance company]] could never be sure that ordinary transactions are not actually [[CoinSwap]]s. They also do not require much block space compared to the amount of privacy they provide.

CoinSwaps require a lot of interaction between the involved parties, which can make this kind of system tricky to design while avoiding denial-of-service attacks. They also have a liveness requirement and non-censorship requirement, meaning that the entities taking part must always be able to freely access the bitcoin network; If the internet was down for days or weeks then half-completed CoinSwaps could end with one side having their money stolen.

As of May 2020, no CoinSwap implementation has been deployed<ref>[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-May/017898.html Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility]</ref><ref>[https://gist.github.com/chris-belcher/9144bd57a91c194e332fb5ca371d0964 Coinswap design document]</ref>, but in June 2020, the [https://en.wikipedia.org/wiki/Human_Rights_Foundation Human Rights Foundation] (a New York-based nonprofit that promotes and protects human rights globally) granted $50,000 to [https://en.bitcoin.it/wiki/User:Belcher Chris Belcher] (one of the main contributors to this very page) to work on the project.<ref>[https://bitcoinmagazine.com/articles/the-human-rights-foundation-is-now-funding-bitcoin-privacy-development-starting-with-coinswap The Human Rights Foundation Is Now Funding Bitcoin Privacy Development, Starting With CoinSwap]</ref>

=== CoinJoinXT ===

CoinJoinXT is non-custodial privacy technique which is closely related to [[CoinJoin]]<ref>https://joinmarket.me/blog/blog/coinjoinxt/</ref>. It allows for any number of entities to between them create a so-called ''proposed transaction graph'' (PTG) which is a list of connected transactions. In the PTG the bitcoins belonging to the entities are sent to and fro in all the transactions, but at the end of the PTG they are all returned to their rightful owners. The system is set up so that the process of the PTG being mined is atomic, so either the entire PTG is [[Confirmation|confirmed]] on the blockchain or none of it is, this means none of the participating entities can steal from each other.

The ''proposed transaction graph'' has the freedom to be any list of transactions that obfuscate the transaction graph. For best results the PTG would perfectly mimic the natural transaction graph due to normal economic activity in bitcoin, and so an adversary would not know where the PTG started or ended, resulting in a massive privacy gain.

Like [[CoinJoin]], CoinJoinXT is easy to make DOS-resistant and doesn't require a prohibitive number of interaction steps. Unlike [[CoinSwap]] there is no liveness or non-censorship requirement so funds are secure even if bitcoin is under temporary censorship. However CoinJoinXT uses a lot of block space compared the privacy gain. And CoinJoinXT requires a malleability fix so all the transactions in the PTG have to be [[Segregated Witness|segwit]]-only. As of 2019 only around 40% of transactions are segwit, so an observer of the blockchain could easily eliminate non-PTG transactions by checking whether they are legacy or segwit.

=== TumbleBit ===

[[TumbleBit]] is privacy technology which is non-custodial and where the coordinating server cannot tell the true linkage between input and output. This is achieved by a cryptographic construct where the server facilitates a private exchange of digital signatures. The protocol is very interesting to any privacy and bitcoin enthusiast.

From the point of view of an observer of the blockchain, TumbleBit transactions appear as two transactions with many (800 in the author's example) outputs and all transaction outputs must be of the same amount.

=== Off-chain transactions ===

Off-chain transactions refer to any technology which allows bitcoin transactions on a layer above the blockchain. Bitcoin payments done off-chain are not broadcast to every node in the network and are not mined and stored forever on a public blockchain, this automatically improves privacy because much less information is visible to most adversaries. With [[Off-Chain Transactions]] there are no public addresses, no address clusters, no public transactions, no transaction amounts or any other privacy-relevant attacks that happen with on-chain transactions.

Main article: [[Off-Chain Transactions]]

'''[[Lightning Network]]''' is a huge topic in bitcoin privacy so it is [[#Lightning_Network|discussed in its own section]].

==== Blinded bearer certificates ====

This is another way of doing [[Off-Chain Transactions]] which is based on blind signatures. The payments through such a system would be very very private. It has been known about since 1983. But the system is custodial so as the issuing server is a central point of failure which can steal all the money. However the concept may still be useful in certain situations where Lightning is not, for example blinded bearer certificates support payments where the receiver is offline.

Main article: [[Blinded bearer certificates]]

==== Sidechains ====

[[Sidechain]]s are when another blockchain is created which uses bitcoins as its currency unit. Bitcoins can be moved from the main bitcoin blockchain onto the sidechain which allows them to transact following different consensus rules. Sidechains can have different and better privacy properties than the regular bitcoin blockchain.

Main article: [[Sidechain]]

=== Confidential transactions ===

[[Confidential transactions]] (CT) is a cryptographic protocol which results in the amount value of a transaction being encrypted. The encryption is special because it is still possible to verify that no bitcoins can been created or destroyed within a [[transaction]] but without revealing the exact transaction amounts. Confidential transactions requires a [[softfork]] consensus change to be added to bitcoin, although they could be added to a [[sidechain]] too.

Main article: [[Confidential transactions]]

=== Discussion ===

==== Privacy vs scalability ====

Many of the previously-mentioned privacy technologies work by adding extra data to the bitcoin blockchain which is used to hide privacy-relevant information. This has the side-effect of degrading the scalability of bitcoin by adding more data which must be handled by system. This harms privacy because [[full node]]s become more resource-costly to run and they are the most private way for a user to learn their history and balance. Adding data to blocks also [[Full_node#Economic_strength|degrades the security of the system]], and there isn't much point in having a private bitcoin if the poor security leads to it being successfully attacked and destroyed. The resource cost of using more block space is shown to the user as a higher [[Miner fees|miner fee]]; so privacy technology which uses too much block space may not even be used much if users find the fees too expensive. During the [[Miner_fees#The_market_for_block_space|period of high block space demand]] in late-2017, low-value [[JoinMarket]] CoinJoin transactions mostly disappeared (as did most low-valued bitcoin transactions).

[[Off-Chain Transactions]] are one way to avoid this trade-off between privacy and scalability. These kind of solutions improve privacy by entirely removing data from the blockchain, not by adding more decoy data. [[#Change avoidance|Change avoidance]] and [[#Script privacy improvements|Script privacy improvements]] also reduce costs to the system while improving privacy. [[CoinJoinXT]], equal-output [[CoinJoin]], [[TumbleBit]] use a lot of block space relative to the privacy gain. [[PayJoin]] does not use much extra block space over making an ordinary transaction; relative to the gain of breaking the [[common-input-ownership heuristic]] it is very space-efficent. [[CoinSwap]] uses very little block space relative to privacy, as it can be understood as an [[Off-Chain Transactions|off-chain transaction]] system which makes a single transaction and then comes back on-chain. [[Confidential transactions]] requires a lot of block space along with associated bandwidth and CPU costs, but its privacy gain is substantial, so the debate on that topic could go either way.

In the long term as bitcoin [[miner fees]] go up, resource-costly privacy technologies will be priced out and replaced by resource-efficient ones.

==== Steganography ====

Steganography is used in cryptography to mean the act of hiding the fact that something is being hidden. For example the content of an encrypted message cant be read by an eavesdropper but it still shows that something is being hidden. Steganographic encryption of a message can be done by embedding an encrypted message into an audio file or image which hides the message in the noise.

An equal-output [[CoinJoin]] hides the source and destination of a certain coin, but the structure of the transactions reveals that something is being hidden. So even though coinjoin breaks the [[common-input-ownership heuristic]], the fact that equal-output coinjoins can be detected (even if the detection is imperfect) allows them to be excluded from by the adversary's analysis. Also the distinguishability of the coinjoins may attract suspicion and prompt more investigation.

The idea of steganography is a good thing to aim for<ref>https://joinmarket.me/blog/blog/the-steganographic-principle/</ref>. It greatly increases the privacy because the transactions made by such technology cannot be distinguished from regular transactions. Also it improves the privacy of users who don't even use the technology, as their transactions can always be confused with actual private transactions. [[Scriptless scripts]] are a great example of a steganographic privacy technology where the privacy-relevant information is hidden in the random numbers of the digital signatures. [[PayJoin]], [[CoinSwap]] and [[CoinJoinXT]] are good steganographic privacy technologies because they can be made indistinguishable from regular bitcoin transactions. Equal-output coinjoins and [[TumbleBit]] are not steganographic. Also it is usually easy to see when a centralized [[Mixing service]] is being used with [[common-input-ownership heuristic]] analysis, but depositing and then withdrawing from a high-volume bitcoin website like a casino or altcoin exchange is better because its possible that the user simply wanted to gamble.

== Lightning Network ==

[[Lightning Network]] is an [[Off-Chain Transactions|off-chain transaction]] technology based on [[payment channels]]. It has nearly the same security model as bitcoin on-chain transactions. It is not an overstatement to say that Lightning Network is a revolution for bitcoin. See the previous section on [[#Off-chain transactions]].

As well as greatly improving privacy, [[Lightning Network]] transactions are also much faster (usually instant) and cheaper than on-chain transactions. Lightning nodes create two-way [[payment channels]] between them, and lightning transactions are routed from one node to another. The source and destination node don't need to have a payment channel directly between them as transactions can be routed over many intermediate nodes.

As [[Lightning Network]] transactions happen off-chain, they are not broadcast to every node in the network and are not stored forever in a publicly-visible blockchain. Adversaries cannot look at a public permanent record of all transactions because there isn't one. Instead adversaries would possibly have to run intermediate nodes and possibly extract information that way. On-chain privacy attacks like the [[common-input-ownership heuristic]], [[address reuse]], change address detection, input amounts revealing sender wealth or mystery shopper payments fundamentally don't work because there are no [[address]]es or transaction inputs/outputs that work in the same way.

However [[Lightning Network]] may introduce other privacy problems, mostly due to how the network is made up of nodes having [[Payment channel|connections]] between them<ref>https://www.reddit.com/r/Bitcoin/comments/7t1q5x/deanonymization_risks_on_lightning_network/</ref>. The parts of this network which can be intermediate routing nodes are usually public, and this network information could be overlaid with information about routed packets such as their amount. Lightning nodes also reveal their IP addresses unless run over Tor, and the payment channels are made up of on-chain transactions which could be analyzed using regular blockchain analysis techniques. Payment channels look like 2-of-2 [[multisignature]] on the blockchain. Bilaterial closing transactions look like the 2-of-2 outputs have been spent, but unilateral close transactions have a complicated [[Hash Time Locked Contracts|HTLC]] [[script]]s that is visible on the blockchain.

As of 2019 Lightning is in beta and development continues; the development community is still studying all its privacy properties. Certainly its privacy is better than the privacy of on-chain [[transaction]]s.

=== Onion routing ===

The Lightning protocol uses onion routing<ref>https://github.com/lightningnetwork/lightning-rfc/blob/master/04-onion-routing.md
</ref><ref>https://diyhpl.us/wiki/transcripts/scalingbitcoin/milan/onion-routing-in-lightning/</ref> to improve privacy from the intermediate routing notes. The protocol is aimed to prevent intermediate nodes along a payment route learning which other nodes, besides their predecessor or successor, are part of the packet's route; it also aims to hide the length of the route and the node's position within it.

==== Onion routing overlaid with network topology ====

Lightning Network's onion routing is usually compared with [[Tor]] onion routing. However, Tor's network is fully-connected; every node on Tor is directly connected (or has the potential to directly connect) with every other node, meaning that an onion-routed packet can be relayed from and to potentially any other node. This is not so in the Lightning Network, where [[payment channels]] do not fully-connect the entire network, and where the network topology is publicly known for routing nodes. Data fusion of the network topology and the small amount of information from onion-routed packets may still be enough to uncover information in certain cirumstances<ref>https://www.reddit.com/r/Bitcoin/comments/7rrjp3/is_onion_routing_appropriate_for_lightning_network/</ref><ref>https://www.reddit.com/r/Bitcoin/comments/8hwzbh/chainalysis_on_the_ln/</ref>. For example, if a Lightning node wallet has only a single [[payment channel]] connection going to one intermediate node, then any payments sent to and from the node wallet will have to pass through the intermediate node, which would be able to obtain a lot of information about the wallet node's payments regardless of the onion-routing used.

A mitigation to this topology problem may be that the entire topology of the Lightning Network is not known. Only nodes which intend to route transactions need to be publicly announced. It is possible for "private channels" to exist which are [[payment channels]] that exist, but whose existence is not published.

This doesn't mean the onion routing used by [[Lightning Network]] is useless, far from it, but the privacy is not as strong as with [[Tor]].

==== Rendez-vous routing ====

Onion routing from the sender still requires that the destination Lightning node is known to the sender (along with all associated information like channel UTXO). This would mean that a user cannot receive Lightning payments without revealing one or more UTXOs associated with their [[payment channel]]s. A solution is rendez-vous routing<ref>https://github.com/lightningnetwork/lightning-rfc/wiki/Rendez-vous-mechanism-on-top-of-Sphinx</ref><ref>https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-November/001498.html</ref>, also called Hidden Destinations<ref>https://bitcoinops.org/en/newsletters/2018/11/20/</ref>, which allow Lightning payments to be sent from a source node to destination node without either the source or destination needing to reveal their nodes and associated information.

A good analogy is that source onion routing is like a [[Tor]] connection going via a Tor exit node to its destination, and rendez-vous onion routing is like a Tor connection going to a Tor hidden service.

=== Atomic Multipath Payments ===

Atomic Multipath Payments (AMP) is a protocol in Lightning which allows a single payment to be routed over multiple lightning network transactions<ref>https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-February/000993.html</ref>. For example if a user has five channels each with balance 2 btc, they can send a single payment of 7 btc using the AMP protocol over multiple lightning network paths. In terms of privacy, AMP would result in intermediate nodes not observing the full payment amount of 7 btc but only the partial payment amounts of 2 btc or 1 btc (or any other combination). This is positive for privacy as routed payments would no longer leak the exact payment amount, but only a lower bound.

=== Common hashlock value ===

For non-AMP payments, the payment hash is the same for all nodes along the route of a payment. This could allow multiple nodes if they co-operate to know that they routed the same payment based on this common hash value. Although this could also be done using the timestamp of each routed payment.

[[Scriptless scripts]] used as a replacement to explicit [[Hash Time Locked Contracts|hash time locked contracts]] can be used to solve the common hashlock problem. It is possible to add a different random tweak value to the committed random value at each step, as a result there can be a multi-hop path through payment channels in which individual participants in the path wouldn't be able to tell that they're in the same path unless they're directly connected because of this re-blinding<ref>Lightning in Scriptless Scripts Andrew Poelstra 20 Mar 2017 https://lists.launchpad.net/mimblewimble/msg00086.html</ref><ref>L2 Summit Hosted by MIT DCI and Fidelity Labs, Boston 2018, Andrew Poelstra talk on Scriptless Scripts http://diyhpl.us/wiki/transcripts/layer2-summit/2018/scriptless-scripts/</ref>.

A 2017 paper called Concurrency and Privacy with Payment-Channel Networks<ref>Giulio Malavolta, Pedro Moreno-Sanchez, Aniket Kate, Matteo Maffei, and Srivatsan Ravi. 2017. Concurrency and Privacy with Payment-Channel Networks. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17). ACM, New York, NY, USA, 455-471. DOI: https://doi.org/10.1145/3133956.3134096 https://eprint.iacr.org/2017/820.pdf</ref><ref>https://diyhpl.us/wiki/transcripts/scalingbitcoin/stanford-2017/concurrency-and-privacy-with-payment-channel-networks/</ref> writes about a scheme using zero-knowledge proofs which would allow each hash value in the payment route to be different. The scheme is much more expensive in terms of computation, but it may still be practical.

=== Custodial wallets ===

Lightning-enabled wallets can be of the custodial type, where the wallet is just a front-end that connects to a back-end server run by some company. This is the same situation for web wallets in the on-chain bitcoin ecosystem.

This kind of setup would result in all the user's [[Lightning Network]] transactions being visible to that company and so they would have no privacy, in the same way that using a web wallet has no privacy for the on-chain bitcoin space. As of 2019 Zap Wallet and Lightning Peach work on this model. Peach wallet actually has checkboxes in its GUI saying "I agree to the privacy policy" and looking through the privacy policy reveals the wallet tracks all kinds of privacy-relevant stuff. Needless to say a privacy-conscious user shouldn't use these kind of lightning wallets but use non-custodial lightning wallets instead<ref>See first 20 minutes of this: https://www.youtube.com/watch?v=H1yPkPXLDVc</ref>.

Lightning-enabled wallets still need to interface with the underlying bitcoin network, which can leak privacy-relevant information if done incorrectly. For example, if the wallet obtains blockchain transaction information from a centralized server then that server can spy on all the channel opening and closing transaction. Privacy-aware lightweight wallets usually make use of [[Client-side block filtering]] which is a very good fit for [[Lightning Network]]-enabled wallets.

=== Private script types ===

Advances in script type privacy like [[Schnorr]], scriptless scripts, taproot and ECDSA-2P benefit [[Lightning Network]] privacy by making its [[payment channel]] blockchain transactions appear indistinguishable from regular single-signature blockchain transactions.

=== Probing payments to reveal channel states ===

The balance state of each channel is hidden from the public and is only known to the two entities making up the [[payment channel]]. This provides a lot of privacy, as amounts and changes of the amounts are not visible to all. A possible way to defeat this privacy is for an active adversary to send probing payments until the balance is obtained. Such attack has been proved possible, as described in a paper from the beginning of 2019<ref>Jordi Herrera-Joancomartí, Guillermo Navarro-Arribas, Alejandro Ranchal-Pedrosa, Cristina Pérez-Solà, Joaquin Garcia-Alfaro (2019), "On the Difficulty of Hiding the Balance of Lightning Network Channels" IACR Cryptology ePrint Archive: https://eprint.iacr.org/2019/328</ref>, due to the level of detail that lightning implementations provide about routing errors. Although it would seem that such attack would need to pay the routing fees for the probing payments, the attacker may provide a fake invoice, so even when the payment passes through all the route, the last node will send back an error message and will not be able to execute the payment. So the cost for such attack is reduced to the fees needed to open and close the channels used for the attack.

Such an attack can be used for disclosing the balances of a single or a selected group of nodes of the network and even on a large scale to obtain the balance of each channel in the network. In case the adversary repeats this procedure for every [[payment channel]] in the entire [[Lightning Network]] and continues probing very frequently, then by watching the change in channel states, they could observe payment being routed around the network. A possible way to remedy this attack would be for routing nodes to randomly (for example 1-out-of-20 times) return a routing error even if the channel balance state is actually adequate. This likely would not degrade the user experience of [[Lightning Network]] much, but would impose a serious cost on the attacker.

== Existing privacy solutions ==

This section is about bitcoin software which implements privacy features as its main goal, especially avoiding the privacy leaks due to the blockchain.

Privacy cannot be easily separated from any other aspect of bitcoin. It is unusual to have entirely separate solutions only for privacy, the dream is that one day all bitcoin wallets will include privacy tech already built in. But as of late-2018 many privacy implementations are separate applications.

=== Lightning Network ===

There are several implementations of [[Lightning Network]] as of early-2019; such as [[LND]], [[c-lightning]], [[eclair]], etc.

The network itself can be used on bitcoin mainnet and several merchants and other projects accept it. It is still not usable by the general public. It is expected that one day every bitcoin wallet will be able to send and receive lightning network transactions and so the massive privacy benefits will be included in how regular users use bitcoin all the time.

[[Lightning Network]] wallets usually the standard privacy tech like [[Deterministic wallet]]s and warnings against [[address reuse]].

Some LN wallets such as Zap Wallet and Lightning Peach are actually custodial, they are backed by a centralized server which can spy on everything the user does, so they should be avoided.

=== Handmade CoinJoin ===

[[CoinJoin]] transactions can be hand-made without a special wallet just using [[Raw Transactions]]. This can be very flexible as the coinjoins can take any number of forms. It might be practical in between bitcoin merchants, several of whom might decide to coinjoin together some of their transactions so that the [[common-input-ownership heuristic]] would imply they are all the same wallet cluster.

=== JoinMarket ===

[[JoinMarket]] is an implementation of [[CoinJoin]] where the required liquidity is paid for in a market. In JoinMarket terminology there are ''liquidity taker'' users who can create a coinjoin for whatever amount they want at any time, they also pay a small coinjoin fee. ''Liquidity makers'' are online 24 hours a day and are ready to create a coinjoin at any time for any amount they can, in return they earn coinjoin fees from liquidity takers. Because of this market for coinjoins, JoinMarket users can create coinjoins at any time and for any amount (up to a limit based on available liquidity).

Other people are always available for coinjoining because they earn fees, and coinjoins can be of any amount and happen at any time. [[JoinMarket]] can also be a small source of income for operators of liquidity maker bots, who earn coinjoin fees by allowing other people to create coinjoins with their bitcoins.

Privacy is greatly improved by repeating coinjoins many times, for this reason the [[JoinMarket]] project includes the tumbler script where coinjoins are automatically created at random times and for random amounts. Bitcoins can be deposited into the JoinMarket [[Deterministic wallet|HD wallet]] and the tumbler script will send them via many coinjoins to three or more destination [[address]]es. This feature of using more than one destination address is required to beat amount correlation. For example a user who wants to deposit coins into an exchange would make use of the ''Generate New Deposit Address'' button to obtain more than one destination [[address]], the exchange may then combine those coins with deposits from other customers which should resist any tracking based on amounts.

JoinMarket can interface with a [[Bitcoin Core]] full node in order to privately obtain the history of its own wallet. There is also an option to use [[Electrum]] server, but users are discouraged from using it. There are plans to replace the Electrum interface with one that uses [[Client-side block filtering]].

The software is an open source project with a community based around it. Unfortunately JoinMarket can be difficult to install for people not used to Linux or the command line interface. It is hoped one day there may be work done to make this easier, but as all development is done by volunteers there can be no roadmap for this.

Main article: [[JoinMarket]]

=== Wasabi Wallet ===

[[Wasabi Wallet]] is a wallet that implements [[CoinJoin]]. It is open source and written in C#, .NET Core. The package includes Tor and all traffic between the clients and the server goes through it, so IP addresses are hidden. It is easy to install and use. The wallet includes all standard privacy tech like a Hierarchical [[Deterministic wallet]] and [[address reuse]] avoidance, as well as mandatory coin control. The wallet uses [[Client-side block filtering]] to obtain its own transaction history in a private way.

CoinJoins happen between users without any liquidity provider middlemen. As of the beginning of 2019, coinjoins happen approximately once every hour and a half.

Users' wallets connect to a server which coordinates the [[CoinJoin]]. The wallet uses schnorr blind signatures (which is similar to the cryptography used in chaumian blind signatures and [[blinded bearer certificates]]) so that this server or anyone else does not learn the linkage between the mixed transaction inputs and outputs. The server is run by the zkSNACKs company which has developed Wasabi Wallet, the company makes its income by taking a fee (0.17% per participant as of 2019) from each coinjoin transaction.

Main article: [[Wasabi Wallet]]

=== Samourai Wallet ===

Samourai Wallet is a smartphone wallet which implements some privacy features. Stowaway is an implementation of [[PayJoin]]. Stonewall is a scheme which creates transactions that look like [[CoinJoin]]s but actually involve only one person; these fake coinjoins are intended to create false positives in algorithms used by a hypothetical [[transaction surveillance company]]. PayNyms are an implementation of [[ECDH address]]es. The wallet also has a feature called like-type change outputs where it generates a [[change]] address which is of the same type as the payment address; this avoids [[#Wallet_fingerprinting|wallet fingerprinting]] using address types which leads to change address detection.

By default, Samourai Wallet obtains information about the user's history and balance by querying their own server. This server knows all the user's addresses and transactions, and can spy on them. Therefore using the default configuration of Samourai Wallet is only useful in a threat model where the adversary can analyze the blockchain but cannot access this server. In June 2019 with the release and open sourcing of the Samourai Wallet server, Dojo, users may now host their own server privately and direct their Samourai Wallet to connect to it.

=== Liquid sidechain ===

As of 2018 the Liquid [[sidechain]] implements Confidential Transaction (CT) which allows bitcoins to be transferred on that sidechain while keeping the transaction amounts hidden. The product is developed by the Blockstream company and is aimed at exchanges and traders. It allows fast transfer of bitcoin in a very private way.

As Liquid is a federated sidechain, users generally need to pass AML checks and give up their personal data in order to use it. Its security model is quite close to having bitcoins on an exchange, because if enough of the functionaries get hacked then all the bitcoins on the sidechain could be stolen. However within that security model you get excellent of privacy, and the [[sidechain]] itself is marketed towards traders and hedgers who certainly want to keep their trading activities private to stop other traders front-running them.

== Examples and case studies ==

Privacy is a very multifaceted and practical topic, it is helpful to follow examples to better understand how all the concepts are related.

=== Bad privacy example - Exchange front running ===
# You are a trader and have an account on a bitcoin [[exchange]].
# You want to deposit some bitcoins to sell.
# You send bitcoins to the same exchange deposit address you have used in the past.
# Because of the [[address reuse]], its easy to see on the blockchain that some bitcoins are being sent to the exchange.
# The exchange requires 3 [[confirmation]]s before crediting your account, but in that time the price has already moved against you as other traders become aware of your deposit transaction.
# You sell the bitcoins for a less attractive price than you otherwise would have.
# This is easily avoided by clicking the '''Generate New Deposit Address''' button on the exchange's website and depositing there.

Lesson: [[Address reuse]] is terrible for privacy.

=== Bad privacy example - Savings revealed with [[address reuse]] ===
# You save in bitcoin, using a [[Paper Wallet|single-address paper wallet]] which results in [[address reuse]].
# All your bitcoin savings to this same address, let's say it contains $1 million worth.
# You buy a small amount of bitcoins to add to your savings, depositing in the paper wallet.
# The person who sold you the bitcoins follows their trail on the blockchain and finds your paper wallet containing $1 million.
# He mentions it to someone in a cafe or bar.
# Word gets around. A burglar raids your home and holds you hostage until $1 million in bitcoin is handed over<ref>https://github.com/jlopp/physical-bitcoin-attacks</ref>.

Lesson: [[Address reuse]] is terrible for privacy.

=== Bad privacy example - Savings revealed with data collection ===

# You save in bitcoin. Trading on an exchange which you [[#Revealing_data_when_transacting_bitcoin|reveal all your data to]].
# Mostly you buy coins but sometimes you sell. You only ever use this one exchange.
# Regardless of any blockchain privacy technology you use, the exchange still knows all your trades and can find exactly how much bitcoin you hold at any time.

=== Example - Evading sanctions ===
# You live in a country that is under international trade sanctions from other countries.
# Because of this you cannot buy the online newspaper you want.
# You navigate to the newspaper website with Tor so that they can't tell your origin country from your IP address.
# You buy bitcoins with cash and send them to wallet software on your computer, then use the bitcoins to buy the newspaper.
# Bitcoin transactions don't have geographical information about them, so your payment is not discovered as coming from a sanctioned country.

=== Example - Transacting with your online poker buddies without revealing your real name ===
# You play online poker with some people (for real money).
# You win big. Lots of money goes to you and your buddies are annoyed.
# The stakes are in bitcoin which you receive. You sell the coins for cash or via an [[exchange]], or use them to directly buy goods and services.
# Your irritated poker buddies can't find your real name.

This example has a very mild threat model where the adversary can't access the exchange's AML/KYC records (if you didn't trade with cash), and they are not your ISP so cannot easily link your bitcoin addresses with your IP address (in the case that you used a [[lightweight node]] instead of a [[full node]]).

=== Example - Donation without your employer knowing ===
# You earn money in bitcoin, your employer has sent you bitcoins as salary.
# You want to support X charity or political group with a donation of 0.1 BTC, but don't want your employer knowing.
# Deposit 0.3 BTC into a bitcoin casino, altcoin exchange or another bitcoin service website that allows anonymous bitcoin deposit and withdrawals from the general public.
# Withdraw 0.1 BTC and put the desired donation address as the withdrawal address.
# Withdraw the remaining 0.2 BTC back into your own wallet (to a brand new address, avoiding [[address reuse]]).

If your employer casually analyses the blockchain they will think you are a gambler instead of a supporter of group X. The bitcoin casino doesn't care who you donate to. The employer also can't correlate the amounts, because they see you deposit 0.3 BTC but only 0.1 BTC is sent to the group. Privacy comes from mixing your coins with the coins of everybody else who uses that casino in the time period that your coins were deposited.

=== Example - Donation without anyone knowing ===
# You want to support X charity or political group without anyone knowing.
# Download and install a wallet which is backed by a [[full node]] such as [[Bitcoin Core]].
# Buy the exact amount of bitcoin for cash (get slightly more because of transaction fees and volatility), have the coins sent to your wallet.
# Send the coins to the group to donation. The [[transaction]] should be broadcasted over [[Tor]].

Instead of direct cash trading, the user could have also bought a cash substitute like a gift card and traded it online for bitcoin that wasn't link to their identity.

The [[full node]] is required in this threat model, because otherwise your ISP or another adversary could likely spy on [[lightweight node]] communications and discover the user's bitcoin addresses. Broadcasting the transaction over Tor is required to stop your ISP or a [[transaction surveillance company]] from learning that your IP address broadcast the transaction.

=== Example - Receiving donations privately ===
# You have a [[Address_reuse|single]] donation address for your group or project, anybody can see all donations and their amounts by putting your donation address into a blockchain explorer.
# You want to spend the donations without anyone on the internet knowing.
# The donation address is part of a wallet backed by a [[full node]] such as [[Armory]].
# Broadcast a transaction over [[Tor]] to deposit the donation money into a bitcoin website which allows anonymous deposits and withdrawals.
# Withdraw the money straight into another similar bitcoin service website.
# Take care to use different transactions in order to stop the amounts being correlated.
# Make sure to wait a little while to stop the timings being used to link together transactions
# Repeat this for many different bitcoin websites<ref>https://gist.github.com/chris-belcher/00255ecfe1bc4984fcf7c65e25aa8b4b#worked-example-for-tumbler-replacement</ref> before finally sending the coins back to your own wallet.

Take an example with 1 BTC. Each arrow -> is a new withdrawal transaction.

Wallet Casino1 Altcoin Exchange Casino2 Futures Exchange Wallet
1btc -> 1addrA 1btc -> 1addrB 0.1btc -> 1addrE 0.1btc -> 1addrG 0.4btc -> 1addrH 0.25btc
-> 1addrC 0.2btc -> 1addrF 0.9btc -> 1addrF 0.6btc -> 1addrI 0.25btc
-> 1addrD 0.7btc -> 1addrJ 0.25btc
-> 1addrK 0.25btc

As before the [[full node]] wallet allows your wallet to learn its own history privately, while Tor broadcasting hides your IP address used when sending a [[transaction]]. Using many different amounts stops [[#Amount correlation|amount correlation]] from providing clues that can ruin your privacy. Using multiple bitcoin websites means a single website which co-operates with the adversary won't be enough to completely ruin your privacy. There is custodial risk as each website has the power to steal your money, but in this example the bitcoin amount is relatively low so the risk is acceptable.

=== Example - Storing savings privately ===
# You want to [[Bitcoin as an investment|store value in bitcoin]] without anybody else knowing what you do with that value, or even that you own bitcoin.
# Buy the coins in some way and have them sent to your [[JoinMarket]] wallet which you've configured to use your own [[full node]], all of which run entirely over [[Tor]].
# Run JoinMarket's tumbler script which has it create many [[CoinJoin]] transactions with the aim to break the link between addresses.
# Have the coins sent to another wallet which will be used for [[Storing bitcoins|storing the bitcoins]] long term. The wallet should be backed by a [[full node]] such as [[Electrum]] pointed to your own [[Electrum#Server_software|Electrum server]].

Note that bitcoin privacy technology like [[JoinMarket]] can hide private-relevant information from your [[transactions]] but it cant add privacy in other places; for example if you buy the bitcoins in a non-anonymous way such as using an AML/KYC exchange then that exchange will know that your real-life identity bought bitcoins at that time.

Using [[JoinMarket]] is non-custodial unlike the previous method which sends bitcoin through many bitcoin service websites, so it is useful where the custody risk is unacceptably high (such as where you're anonymizing all your hard-earned savings). All the wallets are backed by [[full node]]s in this example to stop a third-party service being able to link together your addresses or link them with your IP address. The full node is run entirely over [[Tor]] to stop your internet service provider or any network-level adversary from seeing that you run a bitcoin node.

=== Example - Stopping incoming payments from different sources from being linked together ===
# If you had both payments in the same wallet they may be linked together with the [[common-input-ownership heuristic]].
# You have a job as a nurse, you also moonlight as a stripper for extra income. Both jobs pay in bitcoin and you don't want them to be linked together.
# You send the nurse income into one [[JoinMarket]] mixdepth and the stripper income into another mixdepth.
# You run the JoinMarket tumbler script which will combine both balances without linking them together.

Another way to do this (but with custodial risk) is to deposit the nurse income into a bitcoin service website (like a casino) and then deposit the stripper income but to a different deposit address. After you withdraw both with be combined with all the other deposits of other users of the casino. Probably the best way to do this is to receive one or both of the income streams over [[Lightning Network]].

=== Example - Withdrawing casino winnings to a bitcoin exchange without either entity knowing the source or destination of funds ===
# You have won 10 BTC at a bitcoin casino, you want withdraw them to a bitcoin exchange to sell without either party knowing (maybe because online gambling is blocked in your jurisdiction).
# Install [[JoinMarket]] and point it at your own [[full node]].
# Have the casino winnings sent to your JoinMarket wallet in three different payments of 5btc + 2btc + 3btc, they should go to seperate mixdepths.
# Run the JoinMarket tumbler script to mix the coins and have them sent to three different deposit address of the exchange with amounts (for example) 1btc + 2btc + 7btc.
# Then neither the online casino nor the exchange can use amount correlation to figure out the source or destination. The coinjoin transactions stop them using the [[common-input-ownership heuristic]], and the other JoinMarket features stop [[address reuse]] and analysis of the transaction graph<ref>https://www.reddit.com/r/joinmarket/comments/7614ea/how_to_properly_spend_tumbled_coins/</ref>.

=== Bad privacy example - Using a blockchain explorer ===
# You receive a payment of bitcoin at one of your [[address]]es.
# You copy and paste the address into a [[Block chain browser|blockchain explorer website]] and press ''Refresh'' until the incoming transaction reaches 3 [[confirmation]]s.
# The blockchain explorer website now knows that your IP address is very interested in that particular bitcoin address.
# This is best avoided by using your own bitcoin wallet (backed by a [[full node]]) to tell you when payments have arrived and how many [[confirmation]]s they have, without any other entity knowing.

This privacy break can be almost entirely fixed by navigating to the blockchain explorer website over [[Tor]]. It still reveals that ''somebody'' is interested in that [[address|bitcoin address]] but doesn't reveal their IP address, and does not reveal any other bitcoin addresses controlled by the same user.

=== Bad privacy example - Privacy altcoin mixing failing due to amount correlation ===
# You own 1.456225 BTC for which some privacy-relevant information has been leaked (maybe you bought it from a AML/KYC exchange) and want to send it to another address while breaking the link between the two.
# You trade the bitcoins for an altcoin which implements some blockchain privacy technology, a so-called "privacy coin", then you trade the altcoin back to bitcoin after making a few altcoin transactions.
# You send the bitcoins back to your wallet in one transaction.
# Because the transaction amount is very close to the initial 1.456225 BTC, its not very hard for an adversary to search the entire blockchain and link the two similar-amount transaction going into and out of the altcoin exchange you used.

Lesson: Transactions have amounts visible to all which must be treated with care for privacy.

=== Example - Privacy altcoin mixing ===
# Similar to the previous example, you have bitcoins you want to mix. You trade into and out of a privacy altcoin to do it.
# When trading back into bitcoin you deposit the privacy altcoin into an exchange to sell, you use several transactions so that the exchange and any observer of the blockchain cannot easily use amounts to link together the before and after addresses.

This method may still fail because privacy altcoins have fewer transactions than bitcoin by a factor of a few hundred, so the anonymity set may be lower. Also there are custodial risks with using exchanges so this method may not be appropriate for large amounts of coin. As privacy altcoins are usually much less scalable than bitcoin, their [[full node]] wallets may be more resources-costly to run than bitcoin's. Privacy altcoins are likely to have a more volatile price than bitcoin which increases the risk of losing part of the money due to price movements.

=== Example - Daily commerce with Lightning Network ===
# You have some bitcoin and want to spend it on regular goods and services. (Coffee, phone credit, VPN, hosting, hotel and apartment rentals, flights, food, drinks, clothes, etc etc) and you want to be as private as possible.
# You download and install a [[Lightning Network]] wallet and use that for all purchases.
# Privacy attacks like [[common-input-ownership heuristic]], [[address reuse]] and change address detection fundamentally don't work on any [[Off-Chain Transactions]] technology.

=== Bad privacy example - Sending to a static donation address without precautions ===
# You own bitcoin and keep it in a custodial wallet.
# You want to donate to charity or political group X.
# You create a [[transaction]] on the custodial wallet's website sending some money to the group's donation address.
# The custodial wallet server can see where you're sending it (especially easily if the group uses a static donation address).
# They disagree with your views and then they close your account.

Lesson: Using a custodial wallet is bad for privacy because the custodian can see everything you do. [[Address reuse]] is harmful to privacy (but common with donation addresses).

=== Bad privacy example - Receiving donations spied on with [[Mystery_shopper_payments|mystery shopper payments]] ===
# You want to accept bitcoin donations but don't want to reveal the total donated amount.
# You set up a web server to give out unique addresses for each visitor.
# An adversary who wants to get an idea of your total donation income donates a small amount of bitcoin to you.
# You combine all donations to use as inputs one transaction, thereby linking them together with the [[common-input-ownership heuristic]].
# The adversary now has a good idea of your total donation income.

Lesson: [[Mystery_shopper_payments|mystery shopper payments]] can be used to spy on people, even then they avoid [[address reuse]]. Be mindful of what is being revealed with the [[common-input-ownership heuristic]].

=== Real life example - Bitcoin-stealing malware using static addresses ===
# You are a creator of stealware (malware that steals money from its victim).
# You hardcode some bitcoin address into your malware where the ill-gottens are sent to.
# Any malware researcher can now see how many bitcoins you have stolen simply by putting the addresses into a blockchain explorer.

This has been done in many cases including: the Wannacry malware<ref>https://twitter.com/msuiche/status/863082346014224385</ref><ref>https://bitcointalk.org/index.php?topic=1916199.0</ref> and Electrum stealware<ref>https://www.reddit.com/r/Bitcoin/comments/anycg2/electrum_targeted_phishing_malware_warning/</ref><ref>https://twitter.com/GossiTheDog/status/1078308649158664194</ref>

=== Bad privacy example - Bitcoin-stealing malware spied on with [[mystery shopper payments]] ===
# You are an infosec researcher studying bitcoin-stealing malware.
# The malware author has coded a [[ECDH address|ECDH address scheme]] into their malware.
# Your analysis of the malware only reveals the ECDH public key rather than bitcoin [[address]]es, so the malware author thinks he is private.
# You send a small amount of bitcoin to an [[address]] derived from the ECDH public key as a [[Mystery shopper payments|mystery shopper payment]].
# The malware author sends all their received stolen coins to an exchange in one [[transaction]], including your payment.
# You can now look on the blockchain and use the [[common-input-ownership heuristic]] to get an idea of total amount of bitcoins stolen by the malware.
# Also you can now contact the exchange who will tell you the real life identity of the malware author, who can now be put in jail.

Lesson: [[Mystery_shopper_payments|mystery shopper payments]] along with the [[common-input-ownership heuristic]] can be used to deanonymize even people who avoid [[address reuse]].

=== Example - Single-use lightweight wallet over Tor ===
# You want to anonymously buy something or donate to something online.
# You install [[Electrum]] wallet and configure it to use [[Tor]], or use [https://tails.boum.org Tails OS].
# You buy bitcoins anonymously with cash and have them sent to your Electrum wallet.
# You spend the entire balance of bitcoins buying or donating to the thing you want.
# After you're done you delete the wallet and never use it again.

Your [[Electrum]] wallet used a third-party server which can see all your bitcoin addresses and transaction. As you've connected to it over [[Tor]], the server does not learn your real IP address. As you only use a single bitcoin [[address]] once and never again, the server isn't able to cluster together any other addresses. As you spent the entire balance there is no [[Change|change address]] which can leak information. This setup actually results in strong privacy even though a third-party server is used.

=== Bad privacy example - Lightweight wallet over Tor used multiple times ===
Very similar to the previous example, but more than one [[address]] and [[transaction]] is used.

# You want to use bitcoin for more than one use-case, for example buying a novelty hat and paying for a VPN.
# You install [[Electrum]] wallet and configure it to use [[Tor]].
# You pay for the novelty hat and have it sent to your mail address.
# You pay for the VPN to improve your web browsing privacy.
# As the Electrum wallet queries a third-party Electrum server, that server can link together the two transactions and knows which address is the [[Change|change address]].
# Therefore the server can easily see that the same person who bought the hat also paid for the VPN. As the hat purchase required revealing your mail address, your mail address can now be linked with the VPN account. So much for anonymous web browsing!

Lesson: The third-party Electrum server was able to link together your two [[transaction]]s. Avoid this by [[Electrum#Server_software|running your own Electrum server]] which is backed by your own [[full node]].

Lesson 2: Note that [https://tails.boum.org TailsOS] as of 2018 uses this privacy model for Electrum(!)

=== Real life example - Public donation address combined with the [[common-input-ownership heuristic]] ===
# Go to a website which accepts bitcoin donations like the [https://tails.boum.org/donate/ Tails OS donation page].
# Take their donation address (in this case <code>1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</code>) and search it in the www.walletexplorer.com site.
# The site uses the [[common-input-ownership heuristic]], [[address reuse]] and possibly other techniques to cluster together addresses.
# We can see the amount and volume of donations to the Tails OS project: https://www.walletexplorer.com/wallet/04d3d17f766c4e53?from_address=1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 The amounts look realistic so we're probably on the right lines.

=== Real life example - [[#Digital forensics|Digital forensics]] aids with investigation of the MtGox exchange ===
# [[Mt. Gox]] is a now-defunct bitcoin exchange which shut down in 2013 due to insolvency.
# Its internal database was leaked in March 2014, from which it was possible to build up a near-complete picture of the deposits and withdrawals of its wallets.
# [[Address reuse]] was also a big factor. The [[common-input-ownership heuristic]] was less of a factor because that heuristic was broken by mtgox's import private key feature.
# Analysis information was also cross-checked by searching the web for all forum posts where a customer writes something like: ''Help! I made a deposit to MtGox of amount 0.12345 BTC. As I write my transaction has 20 [[confirmation]]s but the deposit hasn't appeared in the exchange.'' The forum posts include a date and time. These posts include enough information to search for the corresponding blockchain [[transaction]].
# The analysis revealed that there were multiple thefts from mtgox and the exchange was insolvent for most of its existence.

Full talk: [https://www.youtube.com/watch?v=l70iRcSxqzo Breaking Bitcoin 2017 conference. Kim Nilsson - Cracking MtGox] [https://breaking-bitcoin.com/slides/CrackingMtGox.pdf Slides].

=== Real life example - Flawed use of the [[common-input-ownership heuristic]] exaggerates donation income ===
# Go to a website which accepts bitcoin donations like ThePirateBay.
# Take their donation address (in this case <code>1z8Tep4BNS79W3kYH8CHA8tWj6nuHYcCM</code>) and search it in the www.walletexplorer.com site.
# The site uses the [[common-input-ownership heuristic]], [[address reuse]] and possibly other techniques to cluster together addresses.
# We can see most of the amount and volume of donations to ThePirateBay: https://www.walletexplorer.com/wallet/00005c945dba011c?from_address=1z8Tep4BNS79W3kYH8CHA8tWj6nuHYcCM
# The results indicate that ThePirateBay is making hundreds of millions of dollars in donations per day, which is not believable.
# A possible explanation of what's actually happening is ThePirateBay accepts donations straight into its account at a bitcoin [[exchange]], which would result that analysis based on the [[common-input-ownership heuristic]] gives highly exaggerated figures because it actually finds all deposits to that entire exchange. This has a danger for ThePirateBay that the custodial exchange could block or censor incoming donations.
# Another possibility is that ThePirateBay is using [[CoinJoin]].

=== Real life example - Incorrect clusters found by the [[common-input-ownership heuristic]] ===
# The www.walletexplorer.com website uses the [[common-input-ownership heuristic]], [[address reuse]] and possibly other techniques to cluster together addresses.
# It has a big named cluster called [https://www.walletexplorer.com/wallet/MtGoxAndOthers MtGoxAndOthers] which has 8.6 million transactions and 3.6 million addresses associated with it as of January 2019.
# The old [[Mt. Gox]] exchange had a feature where users could import bitcoin private keys from their personal wallet straight into the website<ref>https://twitter.com/LaurentMT/status/1078638385256902656</ref>. There it would be merged with UTXOs from MtGox's own wallet.
# It seems some [[CoinJoin]] transactions have also ended up in the cluster<ref>https://www.reddit.com/r/Bitcoin/comments/2ww4eb/how_does_wallet_explorer_know_which_wallets/</ref>.
# For example the transaction <code>5ac0210febf7ce07a737bae8c32f84c1c54d131c21a16ca6b02b6f1edcad15c3</code> which is probably a [[JoinMarket]] transaction belongs to the MtGoxAndOthers cluster<ref>https://www.walletexplorer.com/txid/5ac0210febf7ce07a737bae8c32f84c1c54d131c21a16ca6b02b6f1edcad15c3</ref>.
# Another example is the transaction <code>52757ed33a235ce8e48aeaabab7f6dd9cd3445c3642630123103b154ee59f3f5</code> which is a coinjoin created by the old SharedCoin centralized service<ref>https://www.coinjoinsudoku.com/</ref>, it is also in the MtGoxAndOthers cluster according to walletexplorer.

=== Real life example - Handmade coinjoin mislead a bitcoin analyist ===
# The inventor of [[CoinJoin]] Greg Maxwell posted a thread on [https://bitcointalk.org/index.php?topic=139581.0 bitcointalk forums called "I taint rich!"] which aimed to demonstrate coinjoin and how the [[common-input-ownership heuristic]] is not always correct.
# The thread invited forum readers to create [[CoinJoin]]s by hand with Greg Maxwell's vanity [[address]], which he hopes would be a strong demonstration of the flaws of the [[common-input-ownership heuristic]].
# Many years later, a bitcoin [[transaction]] worth 40000 BTC was broadcasted and mined which caused some [https://www.reddit.com/r/Bitcoin/comments/6tvwr5/someone_moved_40000_btc_is_it_from_silkroad/ speculation on bitcoin forums]. The handmade coinjoins caused some to come to the wrong conclusion that Greg Maxwell was the owner of the 40000 BTC.
# A quote from the analyst:
<blockquote>
''Originally looks like they were owned by someone with the vanity address of GMaxweLL: 14947302eab0608fb2650a05f13f6f30b27a0a314c41250000f77ed904475dbb''

''If you follow the 40k from that transaction (click the outputs), you get to the transaction you linked to. It's a short series of transactions.''

''Basically, someone who owns that address was able to unlock coins from that address, as well as another address that held the 40,000, in the same transaction. So they must have owned both (at least 4 years ago anyway).''
</blockquote>

Lesson: The [[common-input-ownership heuristic]] isn't always right.

=== Real life example - The QuadrigaCX exchange wallet analysis ===

# In early 2019 the exchange QuadrigaCX shut down and many of its customers were left unable to access their bitcoin deposits, likely forever.
# A customer wanted to analyze the blockchain to find information about QuadrigaCX's wallet.
# They asked on internet forums for other customers to reveal their deposit [[address]]es and [[transaction]]s, many customers did so.
# Using www.walletexplorer.com the analyst was able to find a big wallet cluster containing all those addresses, it is likely this is the QuadrigaCX hot wallet. The hot wallet made many transactions, often involve [[Address reuse|reused addresses]] and didn't use [[CoinJoin]]; so it's likely that this analysis is correct.
# The walletexplorer cluster called MtGoxAndOthers mislead the analyst into believing the QuadrigaCX had something to do with MtGox, when in reality that cluster arises because of [[CoinJoin]].
# The analyst was unable to find a single cluster with a significant amount of bitcoins which could be the [[cold storage]] wallet. However cold storage wallets are likely to create few transactions and never reuse addresses; so its possible such a cluster would never appear on walletexplorer.com which uses the [[common-input-ownership heuristic]]. However its also possible that the exchange is insolvent and so there is no [[cold storage]] wallet.

Main article: https://blog.zerononcense.com/2019/02/04/quadrigacx-chain-analysis-report-pt-1-bitcoin-wallets/

Reddit comments: https://www.reddit.com/r/Bitcoin/comments/amut05/investigation_proves_an_exchange_quadriga_ran_a/

=== Real life example - Stopping Bustabit casino customers getting banned from Coinbase.com ===

# Coinbase.com is a bitcoin [[exchange]]. Bustabit is an online casino that uses bitcoin.
# In the United States online gambling is illegal (although state government often operates their own lotteries, and meatspace gambling like in Vegas is legal). Coinbase.com enforces this policy by warning and ultimately banning their customers who use online bitcoin casinos.
# Some of Bustabit's customers were being warned and banned by Coinbase.com.
# Bustabit implemented [[Techniques_to_reduce_transaction_fees#Change_avoidance|change avoidance]]<ref>https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-January/015606.html</ref> so many of their withdrawal transactions did not have a change output.
# Bustabit also imported many thousands of [[Address reuse|re-used addresses]] into [[JoinMarket]] and made them be used as inputs in many [[CoinJoin]] transactions.
# No more Bustabit customers were ever warned or banned
# It seems the combination of both methods broke the [[common-input-ownership heuristic]] and reduced the privacy-relevant information leaked by change outputs, enough that Coinbase.com's [[transaction surveillance company]] partner was unable to identify Bustabit's wallet addresses anymore.

=== Real life example - Rare multisignature scripts ===
# As of January 2019 [[multisignature]] contracts are visible to any observer of the blockchain.
# This includes their m-of-n values, the most common by far are 2-of-3 multisig<ref>https://p2sh.info/dashboard/db/p2sh-repartition-by-type?orgId=1</ref>.
# Some very unusual scripts such as 12-of-14 multisignature has been used a handful of times on the blockchain. These are easily visible as someone's wallet who received some money and then spent it.
# The bitcoin vault of the Xapo company used a 3-of-5 multisignature scheme. At one point when they moved it which resulted in 90% of the coins held on 3-of-5 multisig addresses moving on the blockchain. This revealed the amount of bitcoin in Xapo's wallet<ref>https://www.youtube.com/watch?v=Tiyvrh53Yp8</ref>.
# In 2016 the exchange Bitfinex was hacked and part of its wallet was stolen. Bitfinex used 2-of-3 multisignature addresses to store its coins. As the thief moved the hacked coins to regular non-multisignature addresses, the movement of 120,000 bitcoins out of 2-of-3 multisig was visible on the blockchain, and it revealed the size of the theft<ref>https://www.reddit.com/r/Bitcoin/comments/4vupa6/p2shinfo_shows_movement_out_of_multisig_wallets/</ref>.

=== Real life example - Freelance IT contractor has his co-workers figure out his salary ===

# A user posted on the bitcoin reddit forum<ref>https://web.archive.org/web/20170309231819/https://www.reddit.com/r/Bitcoin/comments/4v28jl/how_have_fungiblity_problems_affected_you_in/</ref> about his experience with co-workers figuring out his salary because of [[address reuse]].
# ''"As a freelance IT contractor, I had one incident where an on-site specialist found out my daily rate. Surely, he was a bit upset and complained to his manager about the lack of his own compensation. My agency fined me for 50% of the monthly rate. Needless to say, I now create a unique receive address for every invoice, and use another set of addresses for the daily personal-use expenditure."''

Lesson: [[Address reuse]] is terrible for privacy.

=== Real life example - Hacker hides destination of 445 btc with [[CoinJoin]] ===

# In May 2017 a reddit user posted a thread saying they kept 445 btc on blockchain.info's web wallet, and their coins were stolen<ref>https://www.reddit.com/r/Bitcoin/comments/69duq9/50_bounty_for_anybody_recovering_445_btc_stolen/</ref>.
# They offered a 50% bounty for any help or information leading to finding their bitcoins again
# The stolen coins turned out to have been mixed through [[JoinMarket]]. It seems the hacker put the coins in a JoinMarket yield generator script and allowed them to be used for coinjoins a large number of times. A CoinJoin peeling chain can be seen.
# All traces are lost from what anybody has been able to tell.

For good advice on how to store bitcoins without having them stolen by hackers see the [[Storing bitcoins]] article on this wiki.

=== Bad privacy example - Data fusion of blockchain data and web cookies when online shopping with Bitcoin ===

# Online shopping has several potential privacy leaks. Examples are third-party tracking cookies (such as from sites Doubleclick, Google Analytics or Facebook), or data given intentionally to merchants such as name, delivery address or email address.
# Bitcoin's blockchain leaks a lot of privacy-relevant information.
# Data fusion of these two categories of leaks can reveal a lot of information about people using Bitcoin for online shopping. This is the topic of a 2018 paper called When The Cookie Meets The Blockchain<ref>Goldfeder, S., Kalodner, H., Reisman, D., & Narayanan, A. (2018). When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies, Proceedings on Privacy Enhancing Technologies, 2018(4), 179-199. doi: https://doi.org/10.1515/popets-2018-0038</ref>.
# For example, if a bitcoin user buys a novelty hat and has it shipped to their home and then later the same bitcoin wallet donates to Wikileaks, then the hat merchant and third-party trackers (who know the user's real name and mail address) can figure out that the same user donated to Wikileaks.

This is example of the power of data fusion, where two or more privacy leaks which when combined reveal far more information than each individual leak.

The privacy problems of third-party web tracking cookies have been known for nearly a decade but the situation has not improved much. Privacy can be regained in practice in this situation by 1) Using browser extensions such as uBlock Origin, Adblock Plus or Ghostery to block third-party tracking cookies, and/or 2) Using [[Off-Chain Transactions|off-chain transaction methods]] to make payments where much less privacy-relevant information is leaked. Most practically as of 2019 would be using [[Lightning Network]] for online shopping.

=== Bad privacy example - Centralized mixers being easily unmixed with amount correlation ===

# BitcoinFog is a centralized bitcoin mixer, it charges 1-3% for a mix.
# Someone on reddit easily unmixes many BitcoinFog mixes using [[#Amount_correlation|Amount correlation]]<ref>https://web.archive.org/web/20150607131623/http://www.reddit.com/r/DarkNetMarkets/comments/2rhaqc/deanonimyzing_bitcoinfog_and_other_tumblers/</ref>

=== Bad privacy example - Data fusion of blockchain data and IP address transaction broadcasting data ===

# A 2018 paper<ref>Juhász PL, Stéger J, Kondor D, Vattay G (2018) A Bayesian approach to identify Bitcoin users. PLOS ONE 13(12): e0207000. https://doi.org/10.1371/journal.pone.0207000</ref> uses blockchain analysis and the tracking of transaction broadcasts to deanonymize bitcoin users.
# The researchers use [[address reuse]] and the [[common-input-ownership heuristic]] (the paper authors do not mention the possibility of [[CoinJoin]])
# The researchers connect to every single listening bitcoin node, and attempt to track transactions as they broadcast. This gives them an idea of the originating IP address.
# The paper identifies about 22,000 bitcoin users by linking their IP address and bitcoin [[address]]es. About 20,000 of these users come from one IP address which is probably a popular web wallet.
# The paper collected data during late-2013, but the Bitcoin Core transaction relay algorithm has been changed significantly in the meantime to improve privacy. So the method used should work less well today.

Lesson: Private transaction broadcasting (for example over [[tor]]) is necessary for privacy.

=== Real life example - 2018 paper on analysis of bitcoin ransomware transactions ===

# A 2018 paper uses tracking techniques to study bitcoin ransomware<ref>D. Y. Huang et al., "Tracking Ransomware End-to-end," 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, 2018, pp. 618-631. doi: 10.1109/SP.2018.00047 https://www.youtube.com/watch?v=H5bPmzsVLF8</ref>.
# Some ransomware uses static addresses (which implies [[address reuse]]) while other ransomware requires victims to connect to a http server that hands out new bitcoin addresses.
# To find ransomware [[address]]es the researchers found online reports by victims and reverse-engineered ransomware binaries to find addresses within.
# They also used [[Mystery_shopper_payments|mystery shopper payments]], sending 0.001 BTC to ransomware addresses and watching where that coin is sent to. Two ransomware operators (Cerber and Locky) took the bait but one operator (Sage) did not and so his cluster was never found.
# The researchers use the [[common-input-ownership heuristic]] to find clusters of [[address]]es. They know that [[CoinJoin]] breaks this assumption and so search for detectable [[CoinJoin]] transactions within the clusters which would indicate a break. This was before the invention or implementation of [[PayJoin]] so it is assumed that all coinjoins can be detected.
# The researchers try to match incoming payments to the ransomware clusters with spikes in Google searches for that ransomware, and uploads of the ransomware binary to malware-tracking websites. If there are spikes in google searches or binary uploads without a corresponding increase in incoming bitcoin payments, then that indicates that the researchers have missed some clusters belonging to the ransomware wallets. This is [[#Timing correlation|Timing correlation]] in use. The researchers conclude they are in fact missing most clusters for CryptoDefense, CryptoLocker, and CryptoWall, but probably have all the clusters for the other ransomware they study.
# A [[transaction surveillance company]] called Chainalysis is used to find the ownership of certain addresses. It works particularly well for exchanges which share their data with Chainalysis. With this the destination of ransomware funds can be tracked. The largest known destination is the BTC-E, a now-shut-down Russian bitcoin exchange with lax controls that was widely known to be used by criminals. However the vast majority of funds is sent to Unknown destinations. One ransomware called CryptoXXX is ~95% sent to Unknown, WannaCry had 100% unknown. The researchers write BTC-E in the paper's abstract and conclusion because that's the biggest destination they could find, but in reality most of the ransomware money could not be tracked

The paper is an excellent example of transaction tracking. The researchers take great care in their conclusions, as in blockchain analysis it is sometimes easy to trick yourself into thinking you know more than you do. It is worth reading by anyone interested in bitcoin privacy.

Ransomware is a threat. Always keep good backups of your important data.

==See also==

* [[Common-input-ownership heuristic]]
* [[Address reuse]]
* [[CoinJoin]]
* [[PayJoin]]
* [[Transaction surveillance company]]
* [[Client-side block filtering]]
* [[Full node#Privacy]]
* [[Lightning Network]]

==References==
<references />

[[Category:Privacy]]

Debit cards

2020-08-12T04:17:04Z

Cryptal: Add Jubiter scam, sort

This page lists cryptocurrency-fueled debit cards.

Created: April 2020.
Last update: August 2020.

Sources include [https://docs.google.com/spreadsheets/d/1DRbTeMCzb4UeXI0YlAzBxMc2u2i0cN_17Ql6eMngK6E/edit#gid=0 this spreadsheet], this [https://www.cryptowisser.com/debit-cards/ simplistic table], this [https://bitcointalk.org/index.php?topic=5223719.0 Bitcointalk discussion] and others. '''Please contribute any edits here''', as those other sources are not actively maintained, less trustworthy, and/or more superficial.

Whenever possible, link to the source. KYC requirements you've personally experienced may lack links, though links to screenshots ([https://imgur.com/a/vGFwSCj like this]) or forum/reddit/etc posts would be helpful.

Legend / notes:
* ''DL'' = Driver License
* ''Est.'' = Established, (Mon) YYYY
* ''POA'' = Proof of Address. Some are strict, e.g. utility bill, others less strict, e.g. bank statement or government correspondence
* ''SoF'' = Source of Funds, requested by some companies before or during using the card
* ''tx'' = transaction
* HQ links may point to the contact page, to save space
* Card cost may include issuance and shipping/delivery cost; add links for details
* Maintenance fees are independent of withdrawals or purchases; they are required to keep the card active
* "Fee structure" should '''link''' to a page detailing the maintenance (though usually 0), [https://wirexapp.com/fees-and-limits deposit, transfer, exchange, transaction, and/or issuance fees], though due to the volatility of crypto, they're rather meaningless. The issuance fee/cost can also be explicitly stated in the "Card cost" column.
* Limits indicate withdrawal, maximum balance, or other limits. Always link to the source.
* non-custodial = you hold your funds, not the card company
* Given the fluctuations of crypto, rewards are generally insignificant, so there's no column for them. Link to the rewards page in the "Notes" if you want.
* All KYC requires at least an identification document (Passport, Driver's License, Identity Card), so only ''other'' KYC measures will be mentioned in the KYC column. They can be more or less invasive (e.g. live video verification w/ ID, vs. just a selfie).

{| class="wikitable sortable"
|- style="text-align: center; background-color: #f0f0ff;"
! Company
! Status
! HQ
! Est.
! Available to residents of
! KYC process
! Card cost
! Coins accepted
! Fee structure
! Limits
! Physical card?
! Virtual card?
! Web app?
! Notes
|-
! {{rh}} | [http://advcash.com AdvCash]
| {{Yes|active}}
| [https://advcash.gi/en/contacts/ GI]
|  [https://bitcointalk.org/index.php?topic=1011381.0 2015]
|  EU, Turkey, Israel. Upcoming [https://bitcointalk.org/index.php?topic=1011381.msg54232912#msg54232912 Russia] + World, [US](https://advcash.gi/en/faq/) currently banned.
|  ID, address, phone number
|  [https://advcash.gi/en/solutions/card $/€7.99 virtual, $/€14.99 physical]
|  [https://advcash.gi/en/fees/ BTC, ETH, LTC, BCH, XRP, ZEC, TRX?]
|  Free maintenance, [https://advcash.gi/en/fees/ fees for deposit & withdrawal]
|  [https://advcash.gi/en/faq/ Verified]: $50k/day, $300k/mo
|  {{Yes}}
|  {{Yes}}
|  {{Yes}}
|  Cards available only to verified users. [https://bitcointalk.org/index.php?topic=1011381.0 Extensive Bitcointalk thread]. Possible KYC [https://advcash.gi/en/faq/ even for non-verified operations].
|-
! {{rh}} | [https://bitpay.com/card/ BitPay]
|  {{Yes}}
|  ?
|  2011
|  [https://support.bitpay.com/hc/en-us/articles/115005033763-Where-is-the-BitPay-Card-available- USA only] [https://support.bitpay.com/hc/en-us/articles/115003003743-Where-can-I-use-my-BitPay-Card- can't be used in some countries]
|  {{No|[https://support.bitpay.com/hc/en-us/articles/115003003463-What-kind-of-information-will-you-need-from-me-for-a-BitPay-Card-order- SSN]}}, SMS verification [https://support.bitpay.com/hc/en-us/articles/115003014446-Is-a-Credit-Check-Required-for-Me-to-Obtain-a-Card- no credit check], DL photo files from app [https://support.bitpay.com/hc/en-us/articles/360037486651-How-do-I-complete-the-BitPay-ID-process- separate BitPay ID] for [https://bitcointalk.org/index.php?topic=5173083.0 larger tx]
|  $10
|  BTC, BCH, ETH, XRP; [https://support.bitpay.com/hc/en-us/articles/115003028206-How-do-I-add-funds-to-my-BitPay-Card- ACH, direct deposit]
|  [https://support.bitpay.com/hc/en-us/articles/115002990663-What-fees-will-I-pay-to-use-the-BitPay-Card- 3% currency conversion]
|  [https://support.bitpay.com/hc/en-us/articles/115003013586-What-are-the-ATM-withdrawal-limits-on-my-Card- $1500/day ATM], [https://support.bitpay.com/hc/en-us/articles/115003014306-How-Much-Money-Can-I-Load-onto-My-Card-What-Is-My-Daily-Spending-Limit- $10k/day, max $25k balance]
|  {{Yes|Mastercard}} issued by Metropolitan Commercial Bank
|  {{Yes|After KYC, before activating physical card}}
|  {{Yes|[https://support.bitpay.com/hc/en-us/articles/115003013546-How-can-I-check-my-BitPay-Card-balance-and-review-transactions- Yes]}}, [https://support.bitpay.com/hc/en-us/articles/360031288111-How-to-Navigate-in-the-BitPay-Dashboard Dashboard]
|  [https://bitcointalk.org/index.php?topic=4355205.0 Antibitpay]. Wallet app can hold stablecoins: PAX, USDC, USDG, BUSD.
|-
! {{rh}} | [https://card.binance.com/en/ Binance]
|  {{No}}
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
| 
|-
! {{rh}} | [https://www.bitsacard.com Bitsa]
| {{Yes|active}}
| [https://bitsa.zendesk.com/hc/en-150/articles/360005955378-Where-will-my-money-be-is-it-safe- ES?]
|  [https://bitcointalk.org/index.php?topic=5211795.0 Dec 2019]
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005955038-In-which-countries-is-Bitsa-card-available- EU countries] / [https://bitsa.zendesk.com/hc/en-150/articles/360005965177-Which-are-the-requirements-to-open-a-Bitsa-account- SEPA zone]
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005965477-How-do-I-perform-the-identity-verification- ID] + selfie w/ ID
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005955278-How-much-does-it-cost-to-have-a-Bitsa-account- 0]
|  "Top it up by card, transfer, cash or blockchain tokens."
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005963558-What-is-the-maintenance-fee- 0 maint. fee]
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005968837-How-much-can-I-withdraw-in-cash- 450€/day, 2500-5000€/mo]
|  {{Yes|[https://bitsa.zendesk.com/hc/en-150/articles/360005965677-How-do-I-add-physical-card-to-my-account- Yes]}}
|  {{Yes|[https://bitsa.zendesk.com/hc/en-150/articles/360005965677-How-do-I-add-physical-card-to-my-account- Yes]}}
|  {{No|[https://bitsa.zendesk.com/hc/en-150/articles/360005954998-Can-I-login-to-my-Bitsa-account-from-a-computer- Not yet]}}
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005967758-Does-my-card-have-associated-a-wallet-to-reload-it-with-cryptocurrencies- Non-custodial funds]. [https://bitcointalk.org/index.php?topic=5211795.0 Minimal Bitcointalk presence]. [https://bitsa.zendesk.com/hc/en-150/articles/360005975877-Can-I-make-a-transfer-to-top-up-my-Bitsa-from-the-account-of-a-family-member-or-friend- Odd English].
|-
! {{rh}} | [https://www.bitwala.com/card/ Bitwala]
|  {{Yes}}
|  Germany
|  [https://support.bitwala.com/hc/en-gb/articles/360000382040-When-was-Bitwala-founded- 2015]
|  [https://support.bitwala.com/hc/en-gb/articles/360000650360-Who-can-open-a-Bitwala-account- EEA, .ch] [https://support.bitwala.com/hc/en-gb/articles/360000377840 no US persons]
|  {{No|[https://support.bitwala.com/hc/en-gb/articles/360002220519-What-is-a-Proof-of-Address-POA-document- POA] during [https://support.bitwala.com/hc/en-gb/articles/360010537939-Why-is-video-identification-necessary- video call] with [https://support.bitwala.com/hc/en-gb/articles/360000377980-What-is-IDnow- IDnow], [https://support.bitwala.com/hc/en-gb/articles/360010427400-Why-do-we-check-transactions-and-ask-for-the-source-of-funds- SoF and routine checks], [https://support.bitwala.com/hc/en-gb/articles/360010427560-Why-has-my-account-been-closed- unexplained terminations]}}
|  [https://support.bitwala.com/hc/en-gb/articles/360000609180-What-are-the-Bitwala-account-fees- 0]
|  [https://support.bitwala.com/hc/en-gb/articles/360001489000-How-to-top-up-my-account- Bitcoin, SEPA]
|  [https://www.bitwala.com/pricing/ 1% crypto]
|  [https://support.bitwala.com/hc/en-gb/articles/360000670079-What-is-the-maximum-purchase-amount- €15k/tx], [https://support.bitwala.com/hc/en-gb/articles/360000658660-What-are-the-trading-limits- €30k/wk]
|  {{Yes|[https://support.bitwala.com/hc/en-gb/articles/360000872680-What-is-the-Bitwala-debit-card- Mastercard]}}
|  {{No|[https://support.bitwala.com/hc/en-gb/articles/360000381720-Do-you-offer-virtual-cards- No]}}
|  ?
| 
|-
! {{rh}} | [https://crypto.com Crypto.com]
|  {{Yes}}
|  ?
|  ?
|  [https://help.crypto.com/en/articles/1341663-when-will-i-get-my-mco-visa-card USA, Singapore, APAC, EU]
|  ?
|  ?
|  ?
|  ?
|  ?
|  {{Yes|5 MCO VISA cards}}
|  ?
|  {{No}}
| 
|-
! {{rh}} | [https://www.jubiter.com/card Jubiter]
|  {{No|[https://bitcointalk.org/index.php?topic{{urlencode:=}}5223719.msg54333083#msg54333083 Likely KYC scam]}}
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  [https://bitcointalk.org/index.php?topic=5223719.msg54333083#msg54333083 Possible scam] asking for KYC documentation, then claiming they've just stopped offering cards. [https://bitcointalk.org/index.php?topic=6047196 Doesn't support bech32 withdrawals].
|-
! {{rh}} | [https://monolith.xyz Monolith]
| {{Yes|active}}
|  UK
|  ?
|  [https://support.monolith.xyz/hc/en-us/articles/360007239698-Which-countries-are-supported-by-Monolith- EEA], AFTA, special member territories
|  ID photo, [https://imgur.com/a/vGFwSCj POA photo], selfie
|  [https://support.monolith.xyz/hc/en-us/articles/360001403598-What-are-the-fees-associated-with-Monolith-Visa-Debit-Card- 0]
|  ETH
|  [https://support.monolith.xyz/hc/en-us/articles/360001403598-What-are-the-fees-associated-with-Monolith-Visa-Debit-Card- Fees]
|  ?
|  {{Yes|[https://support.monolith.xyz/hc/en-us/articles/360001345338-What-is-the-Monolith-Visa-Debit-Card- VISA]}}
|  ?
|  {{No}}
|  Non-custodial wallet. Formerly "TokenCard". [https://github.com/tokencard/contracts Open source]. Sleek website. App needs minimal permissions.
|-
! {{rh}} | [https://wirexapp.com Wirex]
| {{Yes|active}}
|  UK
|  [https://bitcointalk.org/index.php?topic=1392468.0 May 2016]
|  [https://wirexapp.com/help/article/the-list-of-supported-countries-0027 EEA, APAC etc, no USA]
|  {{No|[https://wirexapp.com/help/article/why-you-need-to-verify-your-source-of-funds-and-how-to-do-it-0013 Verify source of funds, random re-verification]}}
|  [https://wirexapp.com/fees-and-limits 0], except APAC
|  ?
|  [https://wirexapp.com/fees-and-limits Fees]
|  [https://wirexapp.com/fees-and-limits Limits]
|  {{Yes|VISA by Contis}}
|  ?
|  {{Yes|[https://wirexapp.com/help/article/how-do-i-order-a-wirex-card-0028 Yes]}}
|  [https://wirexapp.com/fees-and-limits Rewards]. [https://bitcointalk.org/index.php?topic=1392468.0 Extensive Bitcointalk thread].
|-
! Company !! Status !! HQ !! Established || Available to residents of !! KYC process !! Card cost !! Coins accepted !! Fee structure !! Limits !! Physical card? || Virtual card? || Web app? || Notes
|}

To add a card, copy the section below at the bottom of the table above the last (footer) row. Whenever possible, link to references.

<pre>
|-
! {{rh}} | [https://... Company name]
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
| 
</pre>

User:Cryptal

2020-08-12T04:10:22Z

Cryptal: Delete ancient stuff

Hi, check out my crypto [[debit cards]] comparison.

Debit cards

2020-04-30T02:39:38Z

Cryptal: BitPay (US only)

This page lists cryptocurrency-fueled debit cards, current as of April 2020.

Sources include [https://docs.google.com/spreadsheets/d/1DRbTeMCzb4UeXI0YlAzBxMc2u2i0cN_17Ql6eMngK6E/edit#gid=0 this spreadsheet] and [https://bitcointalk.org/index.php?topic=5223719.0 this Bitcointalk discussion]. '''Please contribute any edits here''', as those other sources are not actively maintained. Links may contain referral codes, to reward both new users, and the maintainers of this comparison table. Feel free to remove them from the URL before navigating.

Whenever possible, link to the source. KYC requirements you've personally experienced may lack links, though links to screenshots ([https://imgur.com/a/vGFwSCj like this]) would be helpful.

Legend / notes:
* ''Est.'' = Established, (Mon) YYYY
* ''POA'' = Proof of Address
* ''SoF'' = Source of Funds, requested by some companies before or during using the card
* ''tx'' = transaction
* HQ links may point to the contact page, to save space
* Card cost may include issuance and shipping/delivery cost; add links for details
* Maintenance fees are independent of withdrawals or purchases; they are required to keep the card active
* "Fee structure" should '''link''' to a page detailing the maintenance (though usually 0), [https://wirexapp.com/fees-and-limits deposit, transfer, exchange, transaction, and/or issuance fees], though due to the volatility of crypto, they're rather meaningless. The issuance fee/cost can also be explicitly stated in the "Card cost" column.
* Limits indicate withdrawal, maximum balance, or other limits. Always link to the source.
* non-custodial = you hold your funds, not the card company
* Given the fluctuations of crypto, rewards are generally insignificant, so there's no column for them. Link to the rewards page in the "Notes" if you want.

{| class="wikitable sortable"
|- style="text-align: center; background-color: #f0f0ff;"
! Company
! Status
! HQ
! Est.
! Available to residents of
! KYC process
! Card cost
! Coins accepted
! Fee structure
! Limits
! Physical card?
! Virtual card?
! Web app?
! Notes
|-
! {{rh}} | [https://monolith.xyz Monolith]
| {{Yes|active}}
|  UK
|  ?
|  [https://support.monolith.xyz/hc/en-us/articles/360007239698-Which-countries-are-supported-by-Monolith- EEA], AFTA, special member territories
|  ID photo, [https://imgur.com/a/vGFwSCj POA photo], selfie
|  [https://support.monolith.xyz/hc/en-us/articles/360001403598-What-are-the-fees-associated-with-Monolith-Visa-Debit-Card- 0]
|  ETH
|  [https://support.monolith.xyz/hc/en-us/articles/360001403598-What-are-the-fees-associated-with-Monolith-Visa-Debit-Card- Fees]
|  ?
|  {{Yes|[https://support.monolith.xyz/hc/en-us/articles/360001345338-What-is-the-Monolith-Visa-Debit-Card- VISA]}}
|  ?
|  {{No}}
|  Non-custodial wallet. Formerly "TokenCard". [https://github.com/tokencard/contracts Open source]. Sleek website. App needs minimal permissions.
|-
! {{rh}} | [http://wallet.advcash.com/referral/f7c5bd21-c60f-4d80-b8d0-2766e261fbc6 AdvCash]
| {{Yes|active}}
| [https://advcash.gi/en/contacts/ GI]
|  [https://bitcointalk.org/index.php?topic=1011381.0 2015]
|  EU, Turkey, Israel, upcoming [https://bitcointalk.org/index.php?topic=1011381.msg54232912#msg54232912 Russia] + World
|  ID, address, phone number
|  ?
|  ?
|  ?
|  ?
|  {{Yes}}
|  ?
|  {{Yes}}
|  [https://bitcointalk.org/index.php?topic=1011381.0 Extensive Bitcointalk thread].
|-
! {{rh}} | [https://www.bitsacard.com Bitsa]
| {{Yes|active}}
| [https://bitsa.zendesk.com/hc/en-150/articles/360005955378-Where-will-my-money-be-is-it-safe- ES?]
|  [https://bitcointalk.org/index.php?topic=5211795.0 Dec 2019]
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005955038-In-which-countries-is-Bitsa-card-available- EU countries] / [https://bitsa.zendesk.com/hc/en-150/articles/360005965177-Which-are-the-requirements-to-open-a-Bitsa-account- SEPA zone]
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005965477-How-do-I-perform-the-identity-verification- ID] + selfie w/ ID
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005955278-How-much-does-it-cost-to-have-a-Bitsa-account- 0]
|  "Top it up by card, transfer, cash or blockchain tokens."
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005963558-What-is-the-maintenance-fee- 0 maint. fee]
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005968837-How-much-can-I-withdraw-in-cash- 450€/day, 2500-5000€/mo]
|  {{Yes|[https://bitsa.zendesk.com/hc/en-150/articles/360005965677-How-do-I-add-physical-card-to-my-account- Yes]}}
|  {{Yes|[https://bitsa.zendesk.com/hc/en-150/articles/360005965677-How-do-I-add-physical-card-to-my-account- Yes]}}
|  {{No|[https://bitsa.zendesk.com/hc/en-150/articles/360005954998-Can-I-login-to-my-Bitsa-account-from-a-computer- Not yet]}}
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005967758-Does-my-card-have-associated-a-wallet-to-reload-it-with-cryptocurrencies- Non-custodial funds]. [https://bitcointalk.org/index.php?topic=5211795.0 Minimal Bitcointalk presence]. [https://bitsa.zendesk.com/hc/en-150/articles/360005975877-Can-I-make-a-transfer-to-top-up-my-Bitsa-from-the-account-of-a-family-member-or-friend- Odd English].
|-
! {{rh}} | [https://wirexapp.com Wirex]
| {{Yes|active}}
|  UK
|  [https://bitcointalk.org/index.php?topic=1392468.0 May 2016]
|  [https://wirexapp.com/help/article/the-list-of-supported-countries-0027 EEA, APAC etc, no USA]
|  {{No|[https://wirexapp.com/help/article/why-you-need-to-verify-your-source-of-funds-and-how-to-do-it-0013 Verify source of funds, random re-verification]}}
|  [https://wirexapp.com/fees-and-limits 0], except APAC
|  ?
|  [https://wirexapp.com/fees-and-limits Fees]
|  [https://wirexapp.com/fees-and-limits Limits]
|  {{Yes|VISA by Contis}}
|  ?
|  {{Yes|[https://wirexapp.com/help/article/how-do-i-order-a-wirex-card-0028 Yes]}}
|  [https://wirexapp.com/fees-and-limits Rewards]. [https://bitcointalk.org/index.php?topic=1392468.0 Extensive Bitcointalk thread].
|-
! {{rh}} | [https://card.binance.com/en/... Binance]
|  {{No}}
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
| 
|-
! {{rh}} | [https://www.bitwala.com/card/ Bitwala]
|  {{Yes}}
|  Germany
|  [https://support.bitwala.com/hc/en-gb/articles/360000382040-When-was-Bitwala-founded- 2015]
|  [https://support.bitwala.com/hc/en-gb/articles/360000650360-Who-can-open-a-Bitwala-account- EEA, .ch] [https://support.bitwala.com/hc/en-gb/articles/360000377840 no US persons]
|  {{No|[https://support.bitwala.com/hc/en-gb/articles/360002220519-What-is-a-Proof-of-Address-POA-document- POA] during [https://support.bitwala.com/hc/en-gb/articles/360010537939-Why-is-video-identification-necessary- video call] with [https://support.bitwala.com/hc/en-gb/articles/360000377980-What-is-IDnow- IDnow], [https://support.bitwala.com/hc/en-gb/articles/360010427400-Why-do-we-check-transactions-and-ask-for-the-source-of-funds- SoF and routine checks], [https://support.bitwala.com/hc/en-gb/articles/360010427560-Why-has-my-account-been-closed- unexplained terminations]}}
|  [https://support.bitwala.com/hc/en-gb/articles/360000609180-What-are-the-Bitwala-account-fees- 0]
|  [https://support.bitwala.com/hc/en-gb/articles/360001489000-How-to-top-up-my-account- Bitcoin, SEPA]
|  [https://www.bitwala.com/pricing/ 1% crypto]
|  [https://support.bitwala.com/hc/en-gb/articles/360000670079-What-is-the-maximum-purchase-amount- €15k/tx], [https://support.bitwala.com/hc/en-gb/articles/360000658660-What-are-the-trading-limits- €30k/wk]
|  {{Yes|[https://support.bitwala.com/hc/en-gb/articles/360000872680-What-is-the-Bitwala-debit-card- Mastercard]}}
|  {{No|[https://support.bitwala.com/hc/en-gb/articles/360000381720-Do-you-offer-virtual-cards- No]}}
|  ?
| 
|-
! {{rh}} | [https://bitpay.com/card/ BitPay]
|  ?
|  ?
|  ?
|  [https://support.bitpay.com/hc/en-us/articles/115005033763-Where-is-the-BitPay-Card-available- USA only] [https://support.bitpay.com/hc/en-us/articles/115003003743-Where-can-I-use-my-BitPay-Card- can't be used in some countries]
|  {{No|[https://support.bitpay.com/hc/en-us/articles/115003003463-What-kind-of-information-will-you-need-from-me-for-a-BitPay-Card-order- SSN]}}, PoA, phone [https://support.bitpay.com/hc/en-us/articles/115003014446-Is-a-Credit-Check-Required-for-Me-to-Obtain-a-Card- no credit check] [https://support.bitpay.com/hc/en-us/articles/360037486651-How-do-I-complete-the-BitPay-ID-process- separate BitPay ID] for [https://bitcointalk.org/index.php?topic=5173083.0 larger tx]
|  ?
|  [https://support.bitpay.com/hc/en-us/articles/203076826-What-fees-will-I-pay-when-I-pay-a-BitPay-merchant-with-bitcoin-or-load-the-BitPay-Card- BTC, ETH]; [https://support.bitpay.com/hc/en-us/articles/115003028206-How-do-I-add-funds-to-my-BitPay-Card- ACH, direct deposit]; [https://bitcointalk.org/index.php?topic=5190045.0 Ripple?]
|  [https://support.bitpay.com/hc/en-us/articles/115002990663-What-fees-will-I-pay-to-use-the-BitPay-Card- 3% currency conversion]
|  [https://support.bitpay.com/hc/en-us/articles/115003013586-What-are-the-ATM-withdrawal-limits-on-my-Card- $1500/day ATM], [https://support.bitpay.com/hc/en-us/articles/115003014306-How-Much-Money-Can-I-Load-onto-My-Card-What-Is-My-Daily-Spending-Limit- $10k/day, max $25k balance]
|  {{Yes|VISA}}
|  ?
|  {{Yes|[https://support.bitpay.com/hc/en-us/articles/115003013546-How-can-I-check-my-BitPay-Card-balance-and-review-transactions- Yes]}}, [https://support.bitpay.com/hc/en-us/articles/360031288111-How-to-Navigate-in-the-BitPay-Dashboard Dashboard]
|  [https://bitcointalk.org/index.php?topic=4355205.0 Antibitpay]
|-
! Company !! Status !! HQ !! Established || Available to residents of !! KYC process !! Card cost !! Coins accepted !! Fee structure !! Limits !! Physical card? || Virtual card? || Web app? || Notes
|}

To add a card, copy the section below at the bottom of the table above the last (footer) row. Whenever possible, link to references.

<pre>
|-
! {{rh}} | [https://... Company name]
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
| 
</pre>

Debit cards

2020-04-30T02:14:21Z

Cryptal: Binance, Bitwala

This page lists cryptocurrency-fueled debit cards, current as of April 2020.

Sources include [https://docs.google.com/spreadsheets/d/1DRbTeMCzb4UeXI0YlAzBxMc2u2i0cN_17Ql6eMngK6E/edit#gid=0 this spreadsheet] and [https://bitcointalk.org/index.php?topic=5223719.0 this Bitcointalk discussion]. '''Please contribute any edits here''', as those other sources are not actively maintained. Links may contain referral codes, to reward both new users, and the maintainers of this comparison table. Feel free to remove them from the URL before navigating.

Whenever possible, link to the source. KYC requirements you've personally experienced may lack links, though links to screenshots ([https://imgur.com/a/vGFwSCj like this]) would be helpful.

Legend:
* Est. = Established, (Mon) YYYY
* POA = Proof of Address
* SoF = Source of Funds, requested by some companies before or during using the card
* HQ links may point to the contact page, to save space
* Card cost may include issuance and shipping/delivery cost; add links for details
* Maintenance fees are independent of withdrawals or purchases; they are required to keep the card active
* "Fee structure" should '''link''' to a page detailing the maintenance (though usually 0), [https://wirexapp.com/fees-and-limits deposit, transfer, exchange, transaction, and/or issuance fees], though due to the volatility of crypto, they're rather meaningless. The issuance fee/cost can also be explicitly stated in the "Card cost" column.
* Limits indicate withdrawal, maximum balance, or other limits. Always link to the source.
* non-custodial = you hold your funds, not the card company
* Given the fluctuations of crypto, rewards are generally insignificant, so there's no column for them. Link to the rewards page in the "Notes" if you want.

{| class="wikitable sortable"
|- style="text-align: center; background-color: #f0f0ff;"
! Company
! Status
! HQ
! Est.
! Available to residents of
! KYC process
! Card cost
! Coins accepted
! Fee structure
! Limits
! Physical card?
! Virtual card?
! Web app?
! Notes
|-
! {{rh}} | [https://monolith.xyz Monolith]
| {{Yes|active}}
|  UK
|  ?
|  [https://support.monolith.xyz/hc/en-us/articles/360007239698-Which-countries-are-supported-by-Monolith- EEA], AFTA, special member territories
|  ID photo, [https://imgur.com/a/vGFwSCj POA photo], selfie
|  [https://support.monolith.xyz/hc/en-us/articles/360001403598-What-are-the-fees-associated-with-Monolith-Visa-Debit-Card- 0]
|  ETH
|  [https://support.monolith.xyz/hc/en-us/articles/360001403598-What-are-the-fees-associated-with-Monolith-Visa-Debit-Card- Fees]
|  ?
|  {{Yes|[https://support.monolith.xyz/hc/en-us/articles/360001345338-What-is-the-Monolith-Visa-Debit-Card- VISA]}}
|  ?
|  {{No}}
|  Non-custodial wallet. Formerly "TokenCard". [https://github.com/tokencard/contracts Open source]. Sleek website. App needs minimal permissions.
|-
! {{rh}} | [http://wallet.advcash.com/referral/f7c5bd21-c60f-4d80-b8d0-2766e261fbc6 AdvCash]
| {{Yes|active}}
| [https://advcash.gi/en/contacts/ GI]
|  [https://bitcointalk.org/index.php?topic=1011381.0 2015]
|  EU, Turkey, Israel, upcoming [https://bitcointalk.org/index.php?topic=1011381.msg54232912#msg54232912 Russia] + World
|  ID, address phone number
|  ?
|  ?
|  ?
|  ?
|  {{Yes}}
|  ?
|  {{Yes}}
|  [https://bitcointalk.org/index.php?topic=1011381.0 Extensive Bitcointalk thread].
|-
! {{rh}} | [https://www.bitsacard.com Bitsa]
| {{Yes|active}}
| [https://bitsa.zendesk.com/hc/en-150/articles/360005955378-Where-will-my-money-be-is-it-safe- ES?]
|  [https://bitcointalk.org/index.php?topic=5211795.0 Dec 2019]
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005955038-In-which-countries-is-Bitsa-card-available- EU countries] / [https://bitsa.zendesk.com/hc/en-150/articles/360005965177-Which-are-the-requirements-to-open-a-Bitsa-account- SEPA zone]
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005965477-How-do-I-perform-the-identity-verification- ID] + selfie w/ ID
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005955278-How-much-does-it-cost-to-have-a-Bitsa-account- 0]
|  "Top it up by card, transfer, cash or blockchain tokens."
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005963558-What-is-the-maintenance-fee- 0 maint. fee]
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005968837-How-much-can-I-withdraw-in-cash- 450€/day, 2500-5000€/mo]
|  {{Yes|[https://bitsa.zendesk.com/hc/en-150/articles/360005965677-How-do-I-add-physical-card-to-my-account- Yes]}}
|  {{Yes|[https://bitsa.zendesk.com/hc/en-150/articles/360005965677-How-do-I-add-physical-card-to-my-account- Yes]}}
|  {{No|[https://bitsa.zendesk.com/hc/en-150/articles/360005954998-Can-I-login-to-my-Bitsa-account-from-a-computer- Not yet]}}
|  [https://bitsa.zendesk.com/hc/en-150/articles/360005967758-Does-my-card-have-associated-a-wallet-to-reload-it-with-cryptocurrencies- Non-custodial funds]. [https://bitcointalk.org/index.php?topic=5211795.0 Minimal Bitcointalk presence]. [https://bitsa.zendesk.com/hc/en-150/articles/360005975877-Can-I-make-a-transfer-to-top-up-my-Bitsa-from-the-account-of-a-family-member-or-friend- Odd English].
|-
! {{rh}} | [https://wirexapp.com Wirex]
| {{Yes|active}}
|  UK
|  [https://bitcointalk.org/index.php?topic=1392468.0 May 2016]
|  [https://wirexapp.com/help/article/the-list-of-supported-countries-0027 EEA, APAC etc, no USA]
|  {{No|[https://wirexapp.com/help/article/why-you-need-to-verify-your-source-of-funds-and-how-to-do-it-0013 Verify source of funds, random re-verification]}}
|  [https://wirexapp.com/fees-and-limits 0], except APAC
|  ?
|  [https://wirexapp.com/fees-and-limits Fees]
|  [https://wirexapp.com/fees-and-limits Limits]
|  {{Yes|VISA by Contis}}
|  ?
|  {{Yes|[https://wirexapp.com/help/article/how-do-i-order-a-wirex-card-0028 Yes]}}
|  [https://wirexapp.com/fees-and-limits Rewards]. [https://bitcointalk.org/index.php?topic=1392468.0 Extensive Bitcointalk thread].
|-
! {{rh}} | [https://card.binance.com/en/... Binance]
|  {{No}}
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
| 
|-
! {{rh}} | [https://www.bitwala.com/card/ Bitwala]
|  {{Yes}}
|  Germany
|  [https://support.bitwala.com/hc/en-gb/articles/360000382040-When-was-Bitwala-founded- 2015]
|  [https://support.bitwala.com/hc/en-gb/articles/360000650360-Who-can-open-a-Bitwala-account- EEA, .ch] [https://support.bitwala.com/hc/en-gb/articles/360000377840 no US persons]
|  {{No|[https://support.bitwala.com/hc/en-gb/articles/360002220519-What-is-a-Proof-of-Address-POA-document- POA] during [https://support.bitwala.com/hc/en-gb/articles/360010537939-Why-is-video-identification-necessary- video call] with [https://support.bitwala.com/hc/en-gb/articles/360000377980-What-is-IDnow- IDnow], [https://support.bitwala.com/hc/en-gb/articles/360010427400-Why-do-we-check-transactions-and-ask-for-the-source-of-funds- SoF and routine checks], [https://support.bitwala.com/hc/en-gb/articles/360010427560-Why-has-my-account-been-closed- unexplained terminations]}}
|  [https://support.bitwala.com/hc/en-gb/articles/360000609180-What-are-the-Bitwala-account-fees- 0]
|  [https://support.bitwala.com/hc/en-gb/articles/360001489000-How-to-top-up-my-account- Bitcoin, SEPA]
|  [https://www.bitwala.com/pricing/ 1% crypto]
|  [https://support.bitwala.com/hc/en-gb/articles/360000670079-What-is-the-maximum-purchase-amount- €15k/tx], [https://support.bitwala.com/hc/en-gb/articles/360000658660-What-are-the-trading-limits- €30k/wk]
|  {{Yes|[https://support.bitwala.com/hc/en-gb/articles/360000872680-What-is-the-Bitwala-debit-card- Mastercard]}}
|  {{No|[https://support.bitwala.com/hc/en-gb/articles/360000381720-Do-you-offer-virtual-cards- No]}}
|  ?
| 
|-
! Company !! Status !! HQ !! Established || Available to residents of !! KYC process !! Card cost !! Coins accepted !! Fee structure !! Limits !! Physical card? || Virtual card? || Web app? || Notes
|}

To add a card, copy the section below at the bottom of the table above the last (footer) row. Whenever possible, link to references.

<pre>
|-
! {{rh}} | [https://... Company name]
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
|  ?
| 
</pre>

Debit cards

2020-04-30T00:51:32Z

Cryptal: Shoulda learnt this Mediawiki format from the getgo

Currency exchange

2020-04-29T11:13:36Z

Cryptal: /* See also */ Merge redirects

Bitcoin currency exchanges work in a manner similar to banks. One first deposits amounts of money in the currencies supported by the exchange, to his own account in the exchange, uses these balances to trade with other users of the exchange and then withdraws that money. Unlike over-the-counter transactions, there is no risk of losing money due to people not fulfilling their part of the deal, as long as the exchange itself does not commit fraud or withhold money.

Exchanging is done by placing "buy" or "sell" orders, which the exchange system software then matches with each other. "Buy" orders (or "bids") are offers to buy bitcoins in exchange for another currency at a maximum price-per-bitcoin which is set by the offerer. "Sell" orders (or "asks") are offers to sell bitcoins at a minimum price-per-bitcoin. If the bid price of a buy order is higher than the ask price of a sell order, an exchange can be performed and either the bid order, the sell order or both can be removed from the "order book". Thus, at any given time, there is a price above which there are no more buy orders and a slightly higher price below which there are no more sell orders.

Communication with the Bitcoin currency exchanges is commonly done using a standard web browser, over a secure SSL connection.

=="Soft currencies" and chargebacks==

Exchanging bitcoins for other forms of currency brings up some issues regarding chargeback fraud. Specifically, payment methods such as credit cards, and PayPal, can be reversed up to 90 days after the transaction took place. In contrast, bitcoin is a "hard currency", once you spend bitcoins, you cannot get them back by 'pulling' from your side. Thus, when you trade bitcoin for a 'soft' currency like paypal or credit card, you open yourself up to the risk of chargeback after you send bitcoin. The buyer may initiate a chargeback by claiming non-receipt of goods, or if a stolen account was used, the real account owner will initiate the process once he notices a charge he didn't make. As a result, it is strongly recommended to not trade 'soft' currency for 'hard' currency with people you do not know or trust.

In January, 2010, an open source currency exchange platform was released by the founder of [[Bitcoin Central]].

The two major exchanges at the time, [[Bitcoin Market]] and [[MtGox]], were hit with a wave of PayPal scams in October 2010, where one or a group of individuals used stolen PayPal accounts to fund their exchange accounts to buy bitcoins. This has caused the freezing of the Mtgox paypal account, and a suspension of new user registration on [[Bitcoin Market]]. These account freezes caused a temporary liquidity problem for the bitcoin economy, as it became more difficult to exchange dollars for bitcoins.

==Exchange Rates and Market Forces==

Early in the life of Bitcoin, the currency showed some major fluctuations in exchange value, ranging from under $50 to $266 US. The exchange rate of Bitcoin has shown relatively stable growth since the beginning of 2013. According to Currency.Wiki <ref>[http://www.currency.wiki/bitcoin What is a Bitcoin converter?]</ref>, as of February 01, 2014, the current exchange rate for bitcoins is at $959.58 US. The all time high for the value of a single bitcoin was on November 17th, 2013 when it reached $1216.73 US on the Mt. Gox exchange.

Bitcoin has been criticized by economists for bubbling up around itself, similar to the housing market in the US before the crash and it is true that Bitcoin has shown a tendency for rapid rises and crashes in price. However, given the instability of the global economy, Bitcoin has proven to be a reliable investment compared to many other popular currencies. In particular the European debt crisis gave rise to a large amount of currency being converted to bitcoin to keep it safe from the falling value of the Euro. These investments in turn drove up the value of the bitcoin thanks to its unique production method.

Despite the growing popularity of bitcoin transactions and the generally rising price, several events have shown an inability to withstand major blows to its reputation. The FBI seizure of around 26,000 bitcoins from the drug distribution website Silk Road more than halved the value of individual bitcoins. Technical errors have also proven to be a difficulty for speculators on the exchange value of the BTC. In April of 2013, a backlog of transactions shut down the Mt. Gox website, causing a drop in value from $266 to $77 US.

While it has become easier to buy and sell bitcoins with the influx of bitcoin exchanges <ref>[https://bitcoinx.io Bitcoin Exchanges]</ref> across the world over the past couple of years, the availability of access to the currency has been one of the greatest sources of variability in its exchange rate. Because of looming government regulations, most notably the U.S., it has been a challenge to convert your local currency into Bitcoin, which has led to highly variable prices based on geography, which, for a currency which is designed to be borderless, has proven to be an issue, given that so many bitcoin users treat their bitcoins more like an asset than a currency. That is to say, they intend to hold onto their BTC until they decide to convert back into their local currency, rather than spend it online for anonymous transactions.

==See also==

* [[:Category:Exchanges|Exchanges]]
* [[Trading bitcoins]]
* [[Secure Trading]]

==References==
<references/>

[[Category:Exchanges]]

Trading bitcoins

2020-04-29T11:12:53Z

Cryptal: Sell bitcoins via debit card

Bitcoins can be bought and sold on a number of exchanges. Take a look at the [[Comparison of exchanges]] for more information.

==See also==

* [[Debit cards]]

{{Exchanges}}

Debit cards

2020-04-29T10:54:38Z

Cryptal: Add Wirex

Debit cards

2020-04-29T10:41:07Z

Cryptal: Create page with Monolith, AdvCash, Bitsa

This page lists cryptocurrency-fueled debit cards, current as of April 2020.

Source include [https://docs.google.com/spreadsheets/d/1DRbTeMCzb4UeXI0YlAzBxMc2u2i0cN_17Ql6eMngK6E/edit#gid=0 this spreadsheet] and [https://bitcointalk.org/index.php?topic=5223719.0 this Bitcointalk discussion]. '''Please contribute any edits here''', as those other sources are not actively maintained. Links may contain referral codes, to reward both new users, and the maintainer of this comparison table. Feel free to remove them from the URL before navigating.

Legend:
* POA = Proof of Address
* HQ links may point to the contact page, to save space
* non-custodial = you hold your funds, not the card company

{| class="wikitable sortable"
|- style="text-align: center; background-color: #f0f0ff;"
! Company !! Status !! HQ !! Established || Available to residents of !! KYC process !! Card cost !! Maint. fees !! Coins accepted !! Physical card? || Virtual card? || Web app? || Notes
|-
| [https://monolith.xyz Monolith] || {{Yes|active}} || UK || {{?}} || [https://support.monolith.xyz/hc/en-us/articles/360007239698-Which-countries-are-supported-by-Monolith- EEA], AFTA, special member territories || ID photo, POA photo, selfie || [https://support.monolith.xyz/hc/en-us/articles/360001403598-What-are-the-fees-associated-with-Monolith-Visa-Debit-Card- 0] || [https://support.monolith.xyz/hc/en-us/articles/360001403598-What-are-the-fees-associated-with-Monolith-Visa-Debit-Card- 0] || ETH || {{Yes|[https://support.monolith.xyz/hc/en-us/articles/360001345338-What-is-the-Monolith-Visa-Debit-Card- VISA]}} || {{?}} || {{No}} || Non-custodial wallet. Formerly "TokenCard". [https://github.com/tokencard/contracts Open source]. Sleek website. App needs minimal permissions.
|-
| [http://wallet.advcash.com/referral/f7c5bd21-c60f-4d80-b8d0-2766e261fbc6 AdvCash] || {{Yes|active}} || [https://advcash.gi/en/contacts/ GI] || [https://bitcointalk.org/index.php?topic=1011381.0 2015] || EU, Turkey, Israel, upcoming [https://bitcointalk.org/index.php?topic=1011381.msg54232912#msg54232912 Russia] + World || ID, address phone number || {{?}} || {{?}} || {{?}} || {{Yes}} || {{?}} || {{Yes}} || [https://bitcointalk.org/index.php?topic=1011381.0 Extensive Bitcointalk thread].
|-
| [https://www.bitsacard.com Bitsa] || {{Yes|active}} || [https://bitsa.zendesk.com/hc/en-150/articles/360005955378-Where-will-my-money-be-is-it-safe- ES?] || [https://bitcointalk.org/index.php?topic=5211795.0 Dec 2019] || [https://bitsa.zendesk.com/hc/en-150/articles/360005955038-In-which-countries-is-Bitsa-card-available- EU countries] / [https://bitsa.zendesk.com/hc/en-150/articles/360005965177-Which-are-the-requirements-to-open-a-Bitsa-account- SEPA zone] || [https://bitsa.zendesk.com/hc/en-150/articles/360005965477-How-do-I-perform-the-identity-verification- ID only] apparently || [https://bitsa.zendesk.com/hc/en-150/articles/360005955278-How-much-does-it-cost-to-have-a-Bitsa-account- 0] || [https://bitsa.zendesk.com/hc/en-150/articles/360005963558-What-is-the-maintenance-fee- 0] || "Top it up by card, transfer, cash or blockchain tokens." || {{Yes|[https://bitsa.zendesk.com/hc/en-150/articles/360005965677-How-do-I-add-physical-card-to-my-account- Yes]}} || {{Yes|[https://bitsa.zendesk.com/hc/en-150/articles/360005965677-How-do-I-add-physical-card-to-my-account- Yes]}} || {{No|[https://bitsa.zendesk.com/hc/en-150/articles/360005954998-Can-I-login-to-my-Bitsa-account-from-a-computer- Not yet]}} || [https://bitsa.zendesk.com/hc/en-150/articles/360005967758-Does-my-card-have-associated-a-wallet-to-reload-it-with-cryptocurrencies- Non-custodial funds]. [https://bitcointalk.org/index.php?topic=5211795.0 Minimal Bitcointalk presence]. [https://bitsa.zendesk.com/hc/en-150/articles/360005975877-Can-I-make-a-transfer-to-top-up-my-Bitsa-from-the-account-of-a-family-member-or-friend- Odd English].
|}

Transaction accelerator

2017-12-21T00:49:06Z

Cryptal: Update

=What to Do if Your Bitcoin Transaction Gets "Stuck"=

The number of transactions on the Bitcoin network has steadily increased over the years. This means more blocks are filling up. And as not all transactions can be included in the blockchain straight away, backlogs form in miners’ “mempools” (a sort of “transaction queue.”)

Miners typically pick the transactions that pay the most fees and include these in their blocks first. Transactions that include lower fees are “outbid” on the so called “fee market,” and remain in miners’ mempools until a new block is found. If the transaction is outbid again, it has to wait until the next block.

This can lead to a suboptimal user experience. Transactions with too low a fee can take hours or even days to confirm, and sometimes never confirm at all.

But there are PAID and Free bitcoin transaction acceleration services available now which you can use to keep your own transaction from getting stuck.

==Bitcoin transaction accelerators==

* https://pushtx.btc.com: This service is provided by BTC.com in cooperation with several main mining pools. The fee was around 70 USD on December 20, 2017 and the transaction was confirmed within 3 hours. You can pay by BCH or country-specific methods and they estimate the fee based on the transaction size. They promise a chance of 75% for including transactions in the next block within one hour. Within 4 hours the chance is claimed to be at 98%. They guarantee that if the transaction isn’t confirmed in 12 hours, the fees will be fully refunded to your card within 10 ~ 15 days. This policy is not applicable to the transactions which are removed or double-spent during the acceleration process.

* [https://pool.viabtc.com/tools/txaccelerator/ ViaBTC] - overloaded as of December 20, 2017. ViaBTC implemented this service to protest against the prior 1MB limitation of the Bitcoin network. ViaBTC gives priority to user-submitted transactions for the next mined blocks by the ViaBTC pool. The only requirement is the transaction must include a minimum fee of 0.0001BTC/KB.The free-to-use nature of the service may have made it widely popular as every hour, the number of transaction requested reaches its limit and it is common to be presented with the message “Submissions are beyond limit. Please try later.” on the top middle of the page. This means one must wait for the next block to try a new submission. After submitting a transaction, there is a wait for the next block to be mined by ViaBTC Pool.

* https://Confirmtx.com: The service asks for payment but there's no button to pay. Old note: "Warning This website turned into a big scam."

Bitcoin symbol

2013-06-15T04:45:44Z

Cryptal: /* Currency sign */ Fix typos, move the de-facto standard first

== Currency code ==
The [https://secure.wikimedia.org/wikipedia/en/wiki/ISO_4217 currency code] for Bitcoin is '''BTC'''. However, at the moment it is an [https://secure.wikimedia.org/wikipedia/en/wiki/ISO_4217#Without_currency_code unofficial code] according to the ISO 4217 standard but the official code according to the Bitcoin community.

A [https://bitcointalk.org/index.php?topic=7205.msg112577 request] has been made at the [http://www.six-group.com/ organization] maintaining the currency codes in the ISO 4217 standard to support BTC. This has been declined mainly on bases that organizations such as [https://secure.wikimedia.org/wikipedia/en/wiki/Reuters Reuters] and [https://secure.wikimedia.org/wikipedia/en/wiki/Bloomberg Bloomberg] are not reporting on the Bitcoin currency. When this changes, a request can be resubmitted.

== Currency sign ==

B⃦ has been the standard currency sign for BTC for a long time. Some existing Unicode symbols have been proposed but also serious work is being done on creating a custom Bitcoin sign with its own official [https://secure.wikimedia.org/wikipedia/en/wiki/Unicode Unicode] that is recognized by the [https://secure.wikimedia.org/wikipedia/en/wiki/Unicode_Consortium Unicode Consortium]. Note that a currency sign is more complex than creating a logo as will be explained below.

[[File:Example-unicode-reference-currency-signs.png|256px|thumb|right|Examples of Unicode currency sign reference glyphs]]

=== New Unicode symbol ===

In some discussions [https://bitcointalk.org/index.php?topic=41.0 41], [https://bitcointalk.org/index.php?topic=369.0 369] and [https://bitcointalk.org/index.php?topic=7215.0 7215] on the Bitcoin forum several designs of an official Bitcoin sign have been proposed. This section on the Wiki is intended to streamline the process of arriving at an official Bitcoin currency sign with its own Unicode character code.

==== Goal ====
Having a unique Bitcoin currency sign will allow typographers to add their currency sign design in their fonts. This is similar as implementing support for the euro sign. Each font has its own version of the euro sign that fits with the style observed in the characters in the rest of the fonts of their typefaces. Note that the Unicode Consortium does not endorse Bitcoin in any way by assigning a Unicode character code, however, having a Unicode for the Bitcoin sign will also be good for PR and help having Bitcoin be taken more seriously.

==== Requirements and criteria ====

A reference Bitcoin sign could/should/must be:
* recognizable as a [https://secure.wikimedia.org/wikipedia/en/wiki/Currency_sign currency sign] such as $ € ¥ £ ¢ (e.g. with one or two vertical or horizontal bars)
* distinct from existing currency signs such as the Thai Baht, ฿
* built from recognizable existing characters found on most [https://secure.wikimedia.org/wikipedia/en/wiki/Keyboard_layout#United_States QWERTY keyboards] such as bar |, minus -, hash # and/or capital B referring to currencies and '''B'''itcoin
* easy to use in handwriting
* easy to compose with one or more [https://help.ubuntu.com/community/GtkComposeTable#The%20Gtk%20Compose%20Table compose sequences] that are still free and refer to the elements recognizable in the sign (for example the euro sign can be composed from = and C even though the = and C are not part of how it is pronounced)
* ''possible'' to implement in [https://secure.wikimedia.org/wikipedia/en/wiki/Serif serif and sans-serif] (Most of the [http://www.unicode.org/charts/PDF/U20A0.pdf Unicode reference implementations] are made with serifs but sans-serif also exist in sans-serif fonts. So a reference implementation in serif to what is found in the PDF is preferred.)
* ''possible'' to implement in regular, italic, bold and bold italic (for sans-serif the italic will simply be a slanted version)
* in [https://secure.wikimedia.org/wikipedia/en/wiki/SVG SVG] and use this [http://pastebin.com/raw.php?i=FVY8W1W3 template] (save as <tt>bitcoin-sign-20110719-template.svg</tt>) with updated metadata and public domain or similar free/open/libre license

Note that a reference Bitcoin sign will only be used as a reference by the Unicode Consortium and it is up to typographers to implement their version matching the style of their typefaces and fonts.

==== Submissions====

It is possible to submit proposals for a '''reference implementation''' below until (community must determine date). They will be judged by (community must form committee for this). If you have problems submitting your design, ask someone with knowledge on editing Wikipedia for help.

{| class="wikitable sortable"
|-
! Preview !! Handwritten !! Associations !! Compose sequence(s) !! Designer !! Link to SVG file !! Notes
|-
| [[File:Bitcoin-sign-20110719.png|128px]]
|| [[file:Img075.jpg|128px]]
|| double barred dollar sign ($), capital b (B)
|| B|, |B, B=, =B
|| Pander
|| [http://pastebin.com/raw.php?i=XYsc9DeS bitcoin-sign-20110719.svg]
|| example submission based on [[File:F33980a445.png]]
|-
| [[File:Bitcoin-proposal-1.png|128px]]
|| [[File:Hashbtc.jpg|128px]]
|| hash (#), numeral three (3)
|| B#, #B, 3#, #3
|| Wareen
|| [http://pastebin.com/raw.php?i=MRfcm0Cn Bitcoin-proposal-1.svg]
|| proposal based on original design idea from [https://bitcointalk.org/index.php?topic=41.msg348274#msg348274 RylandAlmanza] and [https://bitcointalk.org/index.php?topic=25102.msg325489#msg325489 netrin]
|}

=== Existing Unicode symbol ===

There is a discussion over [https://bitcointalk.org/index.php?topic=369.0 which Unicode symbol might be the best suited] for Bitcoin.

To type Unicode characters, refer to:

* [[Microsoft Windows Unicode Input]]
* [[How to easily type the circled B symbol on a Mac]]

It has led to the following options:

{| class="wikitable sortable"
|-
! Proposed character !! Description & Pros & Cons !! Unicode name !! Unicode decimal input !! Unicode hex input
|-
|<center><big>฿</big></center> ||
* Pros: Displayed correctly on all known OSes
* Cons: It is already used as the Thai Baht (THB) symbol
|| THAI CURRENCY SYMBOL BAHT || || Alt +0E3F
|-
|<center><big>Ƀ</big></center>||
*Pros: Displayed correctly on all known OSes; standard Latin Extended-B character; [http://www.ecogex.com/bitcoin/ See the project Ƀ Another Bitcoin identity]
|| LATIN CAPITAL LETTER B WITH STROKE || ||Alt +0243
|-
|<center><big>ᗸ</big></center>|| Resembles the struck B while being different from Baht symbol ||CANADIAN SYLLABICS CARRIER KHEE || || Alt +15F8
|-
|<center><big>B⃦</big></center>||
*Pros: Similar to current bitcoin.org logo
|| LATIN CAPITAL LETTER B + COMBINING DOUBLE VERTICAL STROKE OVERLAY || || U+0042 U+20E6
|-
|<center><big>B⃫</big></center>||
|| LATIN CAPITAL LETTER B + COMBINING LONG DOUBLE SOLIDUS OVERLAY || || U+0042 U+20EB
|-
|<center><big>Ⓑ</big></center>||
*Pros: Similar to current bitcoin.org logo
|| CIRCLED LATIN CAPITAL LETTER B || || Alt +24B7
|-
|<center><big>ⓑ</big></center>||
*Pros: Small b represent the unit bit in computer where capital B is Byte
* Cons: Small fonts are harder to read
|| CIRCLED LATIN SMALL LETTER B || ||Alt +24D1
|-
|<center><big>ᴃ</big></center>|| || LATIN LETTER SMALL CAPITAL BARRED B || ||Alt +1D03
|-
|<center><big>␢</big></center>|| || (Unicode Block: Control Pictures) BLANK SYMBOL (graphic for space) || || Alt +2422
|-
|<center><big>β</big></center>||
*Pros: Fluid look and easy to write; Lowercase 
*Cons: Languages that use this character don't consider it a B. in Greek it's a V, and the German character it resembles is a hard S.
|| GREEK SMALL LETTER BETA || ||Alt +03B2
|-
|<center><big>∆</big></center>|| delta for "digital" || Greek capital Delta. (In Greek it's pronounced as the "th" in "then" and not like "d" in "digital". || || U+0394
|-
|<center><big>ɸ</big></center>|| contains 0 and I || Greek small Phi || || U+0278
|-
|<center><big>币</big></center>|| pronounced "bi", combines "b", turned "c" and "T", many Chinese users, also 网民币 - Wangminbi, "The Netizen's Currency" (pun on Renminbi) || Chinese for "Currency" || || U+5E01
|-
|<center><big>¤</big></center>|| || CURRENCY SIGN ||Alt 0164 ||Alt +00A4
|-
|<center><big>Ƅ</big></center>|| || LATIN CAPITAL LETTER TONE SIX || ||Alt +0184
|-
|<center><big>∄</big></center>|| || (Unicode Block: Mathematical Operators) THERE DOES NOT EXIST || ||Alt +2204
|-
|<center><big>≡</big></center>|| three bars like three bits
* Cons: this resembles the letter ksi (Ξ) in Greek and it sounds like "x" in "axiom".
|| (Unicode Block: Mathematical Operators) IDENTICAL TO || || U+2261
|-
|<center><big>ઘ</big></center>|| || GUJARATI LETTER GHA (Indo-Aryan language) || ||Alt +0A98
|-
|<center><big>ϭ</big></center>|| || (Unicode Block: Greek and Coptic) COPTIC SMALL LETTER SHIMA || ||Alt +03ED
|-
|<center><big>ⓢ</big></center>|| Purposed as a smaller unit of bitcoin. E.g. A hundredth of a bitcoin || CIRCLED LATIN SMALL LETTER S || || Alt +24E2
|-
|<center><big>◪</big></center>|| || (Unicode Block: Geometric Shapes) SQUARE WITH LOWER RIGHT DIAGONAL HALF BLACK || || Alt +25EA
|-
|<center><big>㋡</big></center>|| ||CIRCLED KATAKANA TU' (Japanese)|| || Alt +32E1
|-
|<center>[[Image:Bat.png|24px|alt=The b'at]] 
the b'at</center>
||
* Pros: Is round like a coin. Contains the B for Bitcoin. Borrows a style widely associated with the Internet. Not used for other meanings.
* Cons: Does not exist in the Unicode standard
* Cons: Very similar to the existing trademarked logo of [http://www.broad.com Broad]
|| n/a || ||
|-
|<center>[[Image:Bitcoin Symbol Suggestion circled struck-through B.png|24px]]</center>||
* Cons: Does not exist in the Unicode standard
|| n/a || ||
|-
|<center>[[Image:Bitcoin Symbol Suggestion rotated power.png|24px]]</center>||
* Cons: Does not exist in the Unicode standard
|| n/a || ||
|-
|<center>A 'C' with '1' and '0' inside [[http://img829.imageshack.us/img829/8840/bitcoinlogodraft.png]]</center>||
* Cons: Does not exist in the Unicode standard
|| n/a || ||
|-
|<center>A 'C' with a 'circle' and 'dot' inside [[http://img836.imageshack.us/img836/6006/bitcoinlogodraftii.png]]</center>||
* Cons: Does not exist in the Unicode standard
|| n/a || ||
|-
|<center>B-T-C monogram [[http://hosting11.imagecross.com/image-hosting-61/2381unicode1s.png]][[http://hosting11.imagecross.com/image-hosting-61/162bitcoin_uni_s.png]]</center>||
* Cons: Does not exist in the Unicode standard
|| n/a || ||
|}

==See Also==

* [[Promotional graphics]]

[[Category:Introduction]]

Category:History

2013-04-30T11:33:26Z

Cryptal: /* 2013 */ Add the FinCEN regulation announcement

== Important milestones of the Bitcoin project ==
=== 2008 ===
{| style="text-align: left"
|-
! width="8em" | August 18
|| Domain name "bitcoin.org" registered<ref>[https://bitcointalk.org/index.php?topic=103369.msg1135218#msg1135218 According to theymos], Satoshi registered bitcoin.org via https://www.anonymousspeech.com/ which allows to anonymously register domains.</ref>.
|-
! October 31
|| [http://article.gmane.org/gmane.comp.encryption.general/12588/ Bitcoin design paper] published
|-
! November 09
|| Bitcoin project registered at SourceForge.net
|}

=== 2009 ===
{| style="text-align: left"
|-
! width="8em" | January 3
|| [http://www.BlockExplorer.com/b/0 Genesis block] established at 18:15:05 GMT
|-
! January 11
|| Bitcoin v0.1 released and announced on the [http://www.mail-archive.com/cryptography@metzdowd.com/msg10152.html cryptography mailing list]
|-
! January 12
|| First Bitcoin transaction, [http://www.BlockExplorer.com/b/170 in block 170] - from [[Satoshi]] to Hal Finney<ref>[http://bitcointalk.org/index.php?topic=91806.msg1012234#msg1012234 Earliest Block With A Spend]</ref>.
|-
! October 5
|| Exchange rates [http://newlibertystandard.wetpaint.com/page/2009+Exchange+Rate published] by New Liberty Standard. $1 = 1,309.03 BTC (and [[User:theymos|theymos]] thought NLS was overcharging<ref>[http://bitcointalk.org/index.php?topic=104287.msg1143955#msg1143955 Historical Price Data for 2009]</ref>)
|-
! October 9
|| #bitcoin-dev channel registered on freenode IRC.
|-
! December 16
|| Bitcoin v0.2 released
|-
! December 30
|| First difficulty increase at 06:11:04 GMT
|}

=== 2010 ===
{| style="text-align: left"
|-
! width="8em" | February 6
|| [[Bitcoin Market]] established
|-
! May 21
|| laszlo first to buy pizza with Bitcoins agreeing upon paying 10,000 BTC for ~$25 worth of pizza courtesy of jercos<ref>[https://bitcointalk.org/index.php?topic=137.msg1195#msg1195 bitcointalk post] where laszlo confirmed having bought pizza</ref>
|-
! July 7
|| Bitcoin v0.3 released
|-
! July 11
|| Bitcoin v0.3 release mentioned on slashdot<ref>[http://news.slashdot.org/story/10/07/11/1747245/Bitcoin-Releases-Version-03 slashdot] metiones Bitcoin</ref>, bringing a large influx of new bitcoin users.
|-
! July 12
|| Beginning of a 10x increase in exchange value over a 5 day period, from about $0.008/BTC to $0.08/BTC
|-
! July 17
|| [[MtGox]] established
|-
! July 18
|| ArtForz generated his first block after establishing his personal OpenCL GPU hash farm
|-
! August 15
|| Bug in the bitcoin code allows a bad transaction into block 74638. Users quickly adopt fixed code and the "good" block chain overtook the bad one at a block height of 74691, 53 blocks later ([[Incidents#Value_overflow]]).
|-
! September 14
|| jgarzik [https://bitcointalk.org/index.php?topic=133.msg12921#msg12921 offered] 10,000 BTC (valued at ~$600-650) to puddinpop to open source their windows-based CUDA client
|-
! September 14
|| Block [http://blockexplorer.com/b/79764 79,764] is first to be mined using split allocation of the generation reward.
|-
! September 18
|| puddinpop [https://bitcointalk.org/index.php?topic=133.msg13135#msg13135 released] source to their windows-based CUDA client under MIT license
|-
! September 29
|| kermit [https://bitcointalk.org/index.php?topic=1306.0 discovered] a microtransactions exploit which precipitated the Bitcoin v0.3.13 release
|-
! October 01
|| First public OpenCL miner released
|-
! October 04
|| Original Bitcoin History wiki page (this page) established (ooh so meta) on Bitcoin.org's wiki.
|-
! October 07
|| Exchange rate started climbing up from $0.06/BTC after several flat months.
|-
! October 16
|| First recorded escrowed bitcoin trade conducted, between nanotube and Diablo-D3, escrowed by theymos.
|-
! October 17
|| [[Bitcoin_OTC|#bitcoin-otc]] trading channel established on freenode IRC.
|-
! October 28
|| First bitcoin short sale transaction initiated, with a loan of 100 BTC by nanotube to [[User:Kiba|kiba]], facilitated by the [[Bitcoin-otc|#bitcoin-otc]] market.
|-
! November 6
|| The [https://bitcointalk.org/index.php?topic=1672 Bitcoin economy passed US $1 million]. The MtGox price touched USD $0.50/BTC.
|-
! December 7
|| Bitcoind was compiled for the Nokia N900 mobile computer by doublec. The following day, ribuck sent him 0.42 BTC in the first portable-to-portable Bitcoin transaction.
|-
! December 9
|| The generation difficulty passed 10,000.
|-
|
|| First bitcoin call option contract sold, from nanotube to [[User:Sgornick|sgornick]], via the [[Bitcoin-otc|#bitcoin-otc]] market.
|-
! December 16
|| [http://mining.bitcoin.cz/ Bitcoin Pooled Mining], operated by slush, found its first block
|}

=== 2011 ===
{| style="text-align: left"
|-
! width="8em" | January 2
|| [[Tonal Bitcoin]] units standardized.
|-
! January 8
|| [[History of Bitcoin]] page (this page) created after replicating from original Bitcoin History page on Bitcoin.org.
|-
|
|| Bitcoin Pooled Mining reached a total of 10,000 Mhash/s
|-
! January 27
|| Largest numeric value ever traded for bitcoins thus far occurred on this date. Three currency bills from Zimbabwe, known as Zimdollars, were traded on [[Bitcoin-otc|#bitcoin-otc]] at the rate of 4 BTC for each of the one-hundred trillion dollar ($100,000,000,000,000) Zimbabwe notes<ref>Serial numbers for Zimdollars sold: AA1669317, AA1669318 and AA1669319</ref>
|-
! January 28
|| Block 105000 was generated. This means that 5.25 million bitcoins have been generated, which is just over one-quarter of the eventual total of nearly 21 million.
|-
! February 9
|| Bitcoin reached parity with the US dollar, touching $1 per BTC at [[MtGox]].
|-
! February 10
|| Bitcoin.org website struggles to handle [https://bitcointalk.org/index.php?topic=3444.0 traffic] resulting from mentions on Slashdot<ref>[http://news.slashdot.org/story/11/02/10/189246/Online-Only-Currency-BitCoin-Reaches-Dollar-Parity Online-Only Currency BitCoin Reaches Dollar Parity]</ref>, Hacker News and Twitter following the news that parity had been reached.
|-
! February 14
|| A vehicle was, for the first time, offered in exchange for a certain number of bitcoins<ref>[https://bitcointalk.org/index.php?topic=3485.0 Car for Sale - Australia]</ref>.
|-
! March 6
|| Total Bitcoin network computation speed for a short time reached a new high of almost 900Ghash/sec, dropping to 500Ghash/sec soon after. Some speculate that this was due to some supercomputer or bot-net that joined the network ([http://bitcoin.atspace.com/mysteryminer.html mystery miner]).
|-
! March 18
|| BTC/USD exchange rate reaches a 6-week low point at almost $0.70/BTC, after what appeared to be a short burst of, possibly automated, BTC sales at progressively lower prices. BTC price had been declining since the February 9 high.
|-
! March 25
|| Difficulty decreased nearly 10%. A decrease has only occurred once before, and this decrease of nearly 10% was the largest.
|-
! March 27
|| The first market for exchanging bitcoins to and from the British Pound Sterling BTC/GBP, [[Britcoin]], opens.
|-
! March 31
|| The first market for exchanging bitcoins to and from Brazilian Reals, [[Bitcoin Brazil]], opens.
|-
! April 5
|| The first market for exchanging bitcoins to and from the Polish złoty, [[BitMarket.eu]], opens.
|-
! April 12
|| First bitcoin put option contract sold via the [[Bitcoin-otc|#bitcoin-otc]] market.
|-
! April 16
|| TIME does [http://techland.time.com/2011/04/16/online-cash-bitcoin-could-challenge-governments/ an article on Bitcoin].
|-
! April 23
|| BTC/USD exchange rate reaches and passes parity with the Euro (EUR) on [[MtGox]] exchange.
|-
|
|| BTC/USD exchange rate reaches and passes parity with the British Sterling Pound (GBP) on [[MtGox]] exchange.
|-
|
|| Value of the Bitcoin money stock at current exchange rate passes $10 million USD threshold.
|-
! April 27
|| [[VirWoX]] opens first market to trade bitcoins against a virtual currency on BTC/SL (Second Life Lindens) exchange.
|-
! April 30
|| The generation difficulty passed 100,000.
|-
! June 2
|| The exchange rate at [[MtGox]] touched 10 USD per BTC.
|-
! June 3
|| [[Tonal Bitcoin]] reached parity with the US cent, touching 1¢ per TBC at [[Bitcoin Market]].
|-
! June 8
|| The [[MtGox]] exchange rate peaked at 31.91 USD, at a "market capitalization" of about $206 M [http://bitcoin.stackexchange.com/questions/2047/market-capitalization-over-time].
|-
! June 12
|| The [[MtGox]] exchange rate briefly dropped to near 10 USD four days after the peak, in its largest percentage price retreat to date.
|-
! June 13
|| Forum user allinvain claimed to have had [http://forum.bitcoin.org/index.php?topic=16457.0 25,000 BTC stolen] from his Bitcoin wallet (approx. USD equivalent $375,000).
|-
! June 19
|| The MtGox database was compromised and the user table was leaked, containing details of 60,000 usernames, email addresses and password hashes, some of which were based on a highly vulnerable hashing algorithm.
|-
! June 19
|| Someone was able to access an admin account at MtGox and issue sell orders for hundreds of thousands of fake bitcoins, forcing the MtGox price down from $17.51 per bitcoin to $0.01. MtGox announced that these trades would be reversed. Trading was halted at MtGox for 7 days (and also briefly at TradeHill and Britcoin while their security was reviewed).
|-
! June 19
|| Some of the users on the leaked MtGox database had used the same username at MyBitcoin and had their passwords hacked. About 600 of them had their balance [http://forum.bitcoin.org/index.php?topic=22221.msg279396#msg279396 stolen from their MyBitcoin accounts]. One user lost over 2000 BTC.
|-
! June 20
|| The EFF announced that it was no longer accepting Bitcoin donations due to legal uncertainties.
|-
! June 24
|| The generation difficulty passed 1,000,000 with Block [http://blockexplorer.com/b/133056 133056].
|-
! July 19
|| "Let it go on record that at 4:05pm CET [19 July 2011], my manager Tadek was the first person in the world to receive [testnet] Bitcoins via NFC ;)" - Mike Hearn
|-
! July 22
|| [[BitCoins Mobile]], the first Bitcoin application for iPad was released by [http://www.intervex.net Intervex Digital].
|-
! July 30
|| [http://pastebin.com/raw.php?i=BUB3dygQ Tribute to Len Sassaman] included in the blockchain<ref>[http://bitcointalk.org/index.php?topic=33618.msg420597#msg420597 A Tribute to Len "rabbi" Sassama]</ref>.
|-
! August 20
|| First Bitcoin Conference and World Expo held, in NYC.<ref>[http://bitcoinme.com/index.php/conference/ New York Conference 2011]</ref>
|-
! August 23
|| [[P2Pool]], the first P2P decentralized pool, mines its first Bitcoin mainnet block (Block [http://blockexplorer.com/b/142312 142,312]).
|-
! August 30
|| Difficulty adjustment at block [http://blockexplorer.com/b/143136 143,136] marks the first back-to-back drop.
|-
! November 15
|| First CVE (CVE-2011-4447) assigned to a Bitcoin client exploit.
|-
! November 25
|| First European Bitcoin Conference in Prague, Czech Rep.<ref>[http://bitgroups.org/ Prague Conference 2011]</ref>
|-
! December 12
|| Largest amount of fees, to-date, in a single transaction, and most fees in a single block. A [http://blockexplorer.com/tx/1d7749c65c90c32f5e2c036217a2574f3f4403da39174626b246eefa620b58d9 transaction] paid 171 BTC in fees in [http://blockexplorer.com/b/157235 block 157235]<ref>[http://bitcointalk.org/index.php?topic=88423.msg973509#msg973509 Largest fee ever?]</ref>.
|}

=== 2012 ===
{| style="text-align: left"
|-
! width="8em" | March 1
|| Largest theft of bitcoins to-date occurred (near 50K BTC) after security breach at web host Linode.
|-
! width="8em" | April 1
|| Pay-to-script-hash ([[P2SH]]) as defined through [[BIP 0016]] goes live.
|-
! May 08
|| A single service, [[SatoshiDICE]] becomes responsible for over half the transaction volume on the Bitcoin blockchain.
|-
! June 3
|| Largest block (most transactions), to-date (June 3), is [http://BlockExplorer.com/b/181919 block 181919] with 1322 transactions<ref>[http://bitcointalk.org/index.php?topic=85353.msg939859#msg939859 Largest block to date]</ref>.
|-
! July 22
|| One millionth topic reply was posted on the unofficial [[Bitcoin Forum]] <ref>[https://bitcointalk.org/index.php?topic=94608.0 Topic about one millionth forum post]</ref>.
|-
! September 15-16
|| Bitcoin Conference in London <ref>[http://bitcoin2012.com/ London Conference 2012]</ref>.
|-
! September 27
|| Formation of the [[Bitcoin Foundation]].
|-
! November 28
|| Halving day. [http://blockexplorer.com/b/210000 Block 210,000] is the first with a block reward subsidy of only 25 BTC.
|-
! December 6
|| First Bitcoin exchange [https://bitcointalk.org/index.php?topic=129461.0 licensed "as a bank" in europe] (actually a PSP which is like a bank, without debt-money issuing).
|}

=== 2013 ===
{| style="text-align: left"
|-
! width="8em" | February 19
|| Bitcoin Client v0.8 released featuring improved download speed and [https://en.wikipedia.org/wiki/Bloom_filter Bloom Filtering]
|-
! February 28
|| The [[MtGox]] exchange rate broke the June 8 2011 peak of 31.91 USD. The first all time high since 601 days
|-
! March 12
|| A previously undiscovered protocol rule results in a [http://bitcoin.org/chainfork.html hard fork of the 0.8.0 reference client].
|-
! March 18
|| The United States federal agency charged with enforcing laws against money laundering (FinCEN) declares that Bitcoin users are not subjects to its regulations. Miners who sell bitcoins for fiat currency must register as Money Service Business.<ref>[http://arstechnica.com/tech-policy/2013/03/us-regulator-bitcoin-exchanges-must-comply-with-money-laundering-laws/ US regulator: Bitcoin exchanges must comply with money-laundering laws]</ref>
|-
! March 28
|| Total Bitcoin value passes $1 billion. <ref>http://spectrum.ieee.org/computing/networks/bitcoin-hits-1billion</ref>
|-
! April 1
|| Bitcoin price breaks 100 USD on [[MtGox]] and other major exchanges.
|-
|}

==See Also==

* [[Bitcoin Firsts]]
* [[Press]]

==References==
<references />

Paytunia

2013-04-28T22:24:58Z

Cryptal: Document the hack

'''Paytunia''' is a web and mobile [[browser-based wallet]] developed by [[Paymium]]. The mobile and web clients are front-ends to a hosted Bitcoin wallet. Paymium also operates the [[Bitcoin-Central]] exchange and all exchange accounts are accessible through Paytunia's web and mobile wallet as well.

==API==
A [https://github.com/paytunia/paytunia Ruby gem] and [https://github.com/paytunia/api-documentation well-documented API] are available.

==History==

* 2012-Apr-05 - [[Paymium]] announces the service.<ref>[http://bitcointalk.org/index.php?topic=75550.0 Paytunia Bitcoin wallet released today!]</ref>

* 2013-Apr-01 - Paytunia was suspended due to a security breach. User funds were safe. On April 5, the service was announced to resume operation. However, as of April 28, the website still only displays the security announcements.<ref>[http://archive.is/VJnQO Mirror of Paytunia.com announcing the security breach]</ref>

==See Also==

* [[Bitcoin-Central]]

==External Links==

* [http://www.Paytunia.com Paytunia] website
* [https://play.google.com/store/apps/details?id=paymium.paytunia Paytunia for Android] on Google Play
* [http://paytunia.com/s/api Paytunia API] documentation

==References==
<references />

[[Category:Mobile]]
[[Category:EWallets]]

Bitcoin-Central

2013-04-28T22:10:26Z

Cryptal: Euro compliance, features, security, link to operator

'''Bitcoin-Central.net''' is a [[currency exchange]] based in France and operated by [[Paymium]], that allows trading between bitcoins (BTC) and a number of currencies, each with its own trading market. It is notably the first exchange to operate within the framework of European regulation and to guarantee the fiat deposits of its users.<ref name="euroreg">[https://bitcointalk.org/index.php?topic=129461.0 Bitcoin-Central, first exchange licensed to operate with a bank. This is HUGE]</ref>

==Features==
On December 6, 2012, Bitcoin-Central announced that:<ref name="euroreg" />

* User funds would be held at Aqoba's partner financial institution under the user's name, separately from [[Paymium]]'s funds
* User accounts will be individually protected up to 100,000 EUR by the [https://en.wikipedia.org/wiki/Deposit_insurance#By_EU_country Garantie des dépôts], the French equivalent of the American [https://en.wikipedia.org/wiki/Federal_Deposit_Insurance_Corporation FDIC]
* Each account would in a few months after launch get its very own IBAN number, enabling its use as any other bank account, e.g. for salary deposits with optional automatic conversion to Bitcoin
* Each user would soon be able to order their own debit card, accessing their EUR and BTC balance
* All incoming and outgoing transfers would be 100% automated via direct access to the banking networks
* Corporations would have access to an actual financial institution if they wish to start accepting Bitcoin and be safe from a regulatory point of view

Paymium hopes to have a much better legal standing and a much higher attractiveness for second and third-round investors.

==Deposits==

===BTC===
Bitcoins funds are added to the account after a manual confirmation process.

===EUR===
EUR bank transfers (SEPA) are accepted for deposits at no charge by the exchange.

===GBP===
GBP bank transfers are accepted for deposits at no charge by the exchange.

===LRUSD===
[[Liberty Reserve]] USD funds are added at no additional charge from the exchange (normal 1% transaction fees from LR will still occur)

===LREUR===
[[Liberty Reserve]] EUR funds are added at no additional charge from the exchange (normal 1% transaction fees from LR will still occur)

===International wire===
Any currency may be sent as an international wire transfer. Currency conversion fees apply.

==Withdrawals==
===BTC===
Bitcoins funds can be withdrawn at no charge.

===EUR===
EUR bank transfers (SEPA) are sent and incur a wire fee.

===GBP===
GBP bank transfers are sent and incur a bank transfer fee.

===LRUSD===
[[Liberty Reserve]] USD funds can be withdrawn (normal 1% transaction fees from LR will still occur)

===LREUR===
[[Liberty Reserve]] EUR funds can be withrawn (normal 1% transaction fees from LR will still occur)

==Security==

Accounts can be secured for two-factor authentication using Google Authenticator OTP or Yubico's Yubikey.

On April 25, 2013, Bitcoin-Central was hacked<ref name="hack2013-Apr">{{cite web |url=http://archive.is/yu7qW |date=2013-04-25 |accessdate=2013-04-28 |title=Mirror page of the hacked and suspended Bitcoin-Central}}</ref> in a very similar attack to the one used against ''Slush's'' mining pool<ref>[https://bitcointalk.org/index.php?topic=66916.0 Hacked Linode & coins stolen]</ref> on Linode: its current VPS provider, OVH, had its management interface compromised, which enabled the attacker to reset the password, log into the Bitcoin-Central machine, and steal the hot wallet. Coincidentally, Slush's pool on OVH was hacked again in the same attack.<ref>[https://bitcointalk.org/index.php?topic=1976.msg1925445#msg1925445 The pool has been hacked.]</ref>

==Mobile==

Though there is no option for trading through Bitcoin-Central using a mobile app, the account's eWallet can be accessed for depositing and withdrawals (for spending) using the [[Paytunia]] mobile app or the Paytunia website.

==History==

* The site was launched on December 29, 2010.<ref>[https://bitcointalk.org/index.php?topic=2519.0 Announcing bitcoin-central.net - trade USD and EUR for free!]</ref>
* On January 3rd, 2011 it was announced<ref>[http://www.bitcoin.org/smf/index.php?topic=2585.0 Bitcoin Central going open source ! Open your own trading site for free !]</ref> that the source for Bitcoin Central will be released as a public open source project on February 1st, 2011.
* On January 28, 2011 it was announced<ref>[http://www.bitcoin.org/smf/index.php?topic=2519.msg42133#msg4213 Announcement of Transfer Feature]</ref> that transferring of funds from one account to another had become available.
* On May 5, 2011 the operator described plans for improving service.<ref>[http://www.bitcoin.org/smf/index.php?topic=6965.msg108116#msg108116 bitcoin central update]</ref>.
* On April 5, 2012, the [[Paytunia]] e-wallet was announced. Exchange accounts can be accessed using Paytunia's web and mobile clients.<ref>[https://bitcointalk.org/index.php?topic=75550.0 Paytunia Bitcoin wallet released today!]</ref>
* On October 24, 2012 BTC/GBP trading launched<ref>[http://bitcointalk.org/index.php?topic=120228.msg1294930 Bitcoin-Central launches new GBP market!]</ref>.
* On December 6, 2012, it was announced that Bitcoin-Central was the first exchange licensed to operate within the framework of European regulations.<ref name="euroreg" />
* On April 25, 2013, the exchange was hacked and several hundred BTC were stolen.<ref name="hack2013-Apr" />

==See Also==

* [[Buying bitcoins]]
* [[Selling bitcoins]]

==External Links==

* [https://bitcoin-central.net/ Bitcoin-Central.net]
* [http://github.com/davout/bitcoin-central Bitcoin-Central project on Github]

==References==
<references/>

[[Category:Exchanges]]
[[Category:eWallets]]
[[Category:Free Software]]
[[Category:License/AGPL]]
[[Category:Open Source]]

Paymium

2013-04-28T22:00:19Z

Cryptal: Genesis

'''Paymium''' is a company headquartered in Paris, France, specializing in alternative money services. These include the [[Bitcoin-Central]] exchange and the [[Paytunia]] lightweight wallet.

==External links==
* [http://paymium.com Paymium] website

Bitfloor

2013-04-21T10:23:03Z

Cryptal: Transform into historical article

'''Bitfloor''' was a FinCEN-registered Bitcoin [[currency exchange]] and trading platform site headquartered in the state of New York, USA. In September 2012, Bitfloor was hacked, with 24,000 bitcoins being stolen.<ref name="24k-hack-verge">[http://www.theverge.com/2012/9/5/3293375/bitfloor-bitcoin-exchange-suspended-theft Bitcoin exchange BitFloor suspends operations after $250,000 theft]</ref> On April 17, 2013 the exchange halted operations after its bank would reportedly close Bitfloor's bank account.<ref>[http://news.cnet.com/8301-1023_3-57580163-93 Bitcoin exchange BitFloor halts operations, shuts down]</ref>

==Funding==
Bitfloor was praised for the ease of accepting USD cash deposits through [[LocalTill]], which at the date of the closing, supported [[Bank of America]] and charged a 1%-4% fee to process the deposit. Other funding options included bank wire transfers (%15 fee) and CapitalOne 360 P2p (formerly ING Person2Person), with no fee. Withdrawals were done via ACH and took 1 to 3 business days. Withdrawals required uploading a copy of the user's government-issued ID. This was the only point at which the identity of the user was required; otherwise, Bitfloor's privacy policies did not ask for any identification information.<ref>[https://bitfloor.com/docs/#privacy Bitfloor privacy]</ref>

BTC deposits and withdrawals could be made at no fee. Large withdrawals were processed manually, due to Bitfloor storing most bitcoins in offline [[Cold storage|cold wallets]].

==Trading==
Trades could be done via a web interface, or by using the REST API or FIX ([[Wikipedia:Financial_Information_eXchange|Financial Information eXchange]]) order entry gateway.<ref>[http://bitcointalk.org/index.php?topic=66045.0 FIX gateway available on bitfloor.com]</ref>.

===Fees===
Bitfloor employed a fee structure designed to incentivise market makers. Market orders, that execute immediately, incurred a 0.4% fee. Orders that don't execute immediately received a 0.1% rebate, to encourage liquidity providers to offer information about their market expectations.

==Anonymity==
Bitfloor allowed access through Tor and did not require any personally identifiable information until the user wished to withdraw money using ACH. Cash deposits could be made via [[LocalTill]] -> Bank of America. No ID or personal information is required, and bank tellers do not ask for the reason the deposit is made.

==History==
The exchange had been operating since 2011 with its first publicity occurring in February 2012<ref>[http://www.youtube.com/watch?v=F7SsavHX6tc The Bitcoin Show - 056 - Roman Shtylman of Bitfloor.com]</ref>.

On September 4, 2012 the operator of BitFloor reported a security breach that resulted in the exchange's wallet with '''24K BTC being stolen'''.<ref name="24k-hack-verge" /> The site was shuttered and access to customer funds denied as the exchange's reserves were insufficient to accommodate all funds deposited. As of March 8, 2013, 3 months had passed since the last repayment (December 2012), and the operator had been unresponsive.<ref>[https://bitcointalk.org/index.php?topic=144509.msg1599788#msg1599788 It's been 3 months since the first BTC re-payment in early December.]</ref>

On April 3, 2012, the website was down for several minutes.<ref>[https://bitcointalk.org/index.php?topic=166254.0 bitfloor down?!]</ref>

BitFloor became a Money Service Business (MSB) registered with FinCEN (#31000005224108) on March 15, 2012.<ref>[http://www.fincen.gov/financial_institutions/msb/msbstateselector.html FinCEN search]</ref>

On April 17, 2013 the exchange halted operations after its bank announced it would close its account. While no official reason for the closure has been communicated, it has been hypothesized that the likely cause was the nature of the transactions (relatively large amounts going in and out rapidly), which triggered an elevated risk profile, rather than money laundering suspicions.<ref>[https://bitcointalk.org/index.php?topic=179135.msg1869466#msg1869466 Bitcointalk.org thread on possible reasons for closure]</ref>

==See Also==

* [[Buying bitcoins]]
* [[Selling bitcoins]]

==External Links==

* [https://bitfloor.com BitFloor] website
* [https://github.com/bitfloor github] page
* [http://bitcoincharts.com/charts/chart.png?width=940&m=bitfloorUSD&SubmitButton=Draw&r=60&i=&c=0&s=&e=&Prev=&Next=&t=S&b=&a1=&m1=10&a2=&m2=25&x=0&i1=&i2=&i3=&i4=&v=1&cv=0&ps=0&l=0&p=0& Chart]

==References==
<References />

Satoshi Nakamoto

2013-04-19T04:57:56Z

Cryptal: Improved references

'''Satoshi Nakamoto''' is the pseudonymous person or group of people who designed and created the original [[Bitcoin]] software, currently known as [[Bitcoin-Qt]].

His involvement in the original [[Bitcoin]] software does not appear to extend past mid-2010.

==Identity==

There are no records of Nakamoto's identity or identities prior to the creation of [[Bitcoin]]. On his [[P2P foundation]] profile, Nakamoto claimed to be an individual male at the age of 37 and living in Japan, which was met with great skepticism due to his use of English and his Bitcoin [[software]] not being documented nor labeled in Japanese.

British formatting in his written work implies Nakamoto is of British origin. However, he also sometimes used American spelling, which may indicate that he was intentionally trying (but failed) to mask his writing style, or that he is more than one person.

The first release of his original [[Bitcoin]] software is speculated to be of a collaborative effort, leading some to claim that Satoshi Nakamoto was a collective pseudonym for a group of people.

Investigations into the real identity of Satoshi Nakamoto have been attempted by ''The New Yorker'' and ''Fast Company''. ''The New Yorker'' arrived at Michael Clear, a young graduate student in cryptography at Trinity College in Dublin, who was named the top computer-science undergraduate at Trinity in 2008. The next year, he was hired by Allied Irish Banks to improve its currency-trading software, and he co-authored an academic paper on peer-to-peer technology.<ref>[http://betabeat.com/2011/10/did-the-new-yorkers-joshua-davis-nail-the-identity-of-bitcoin-creator-satoshi-nakamoto/ The New Yorker’s Joshua Davis Attempts to Identify Bitcoin Creator Satoshi Nakamoto]</ref>

''Fast Company'''s investigation brought up circumstantial evidence that indicated a link between an encryption patent application filed by Neal King, Vladimir Oksman and Charles Bry on 15 August 2008, and the bitcoin.org domain name which was registered 72 hours later. The [http://www.google.com/patents/US20100042841 patent application] contained networking and encryption technologies similar to Bitcoin's. After textual analysis, the phrase "...computationally impractical to reverse" was found in both the patent application and bitcoin's whitepaper.<ref name="whitepaper">{{cite web |last= Nakamoto |first= Satoshi |title= Bitcoin: A Peer-to-Peer Electronic Cash System |url= http://bitcoin.org/bitcoin.pdf |date= 24 May 2009}}</ref> All three inventors explicitly denied being Satoshi Nakamoto.<ref>{{cite web|last= Penenberg |first= Adam |title= The Bitcoin Crypto-Currency Mystery Reopened |url= http://www.fastcompany.com/1785445/bitcoin-crypto-currency-mystery-reopened |publisher= FastCompany |accessdate= 16 February 2013}}</ref><ref>{{cite web|last= Greenfield |first= Rebecca |title= The Race to Unmask Bitcoin's Inventor(s) |url= http://www.theatlanticwire.com/technology/2011/10/race-unmask-bitcoins-inventors/43535/ |publisher= The Atlantic |date=11 October 2011|accessdate= 16 February 2013}}</ref>

==Work==

Nakamoto has claimed that he has been working on Bitcoin since 2007. In 2008, he published a paper on The Cryptography Mailing List at metzdowd.com describing the Bitcoin digital currency. In 2009, he released the first [[Bitcoin]] software that launched the network and the first units of the Bitcoin [[currency]].

Version 0.1 was for Windows only and had no command-line interface. It was compiled using Microsoft Visual Studio. The code was elegant in some ways and inelegant in others. The code does not appear to have been written by either a total amateur or a professional programmer; some people speculate based on this that Satoshi was an academic with a lot of theoretical knowledge but not much programming experience. Version 0.1 was remarkably complete. If Satoshi truly only worked on it alone for two years, he must have spent a massive amount of time on the project.

Nakamoto was active in making modifications to the Bitcoin software and posting technical information on the [[Bitcoin Forum]] until his contact with other Bitcoin developers and the community gradually began to fade in mid-2010. Until a few months before he left, almost all modifications to the source code were done by Satoshi -- he accepted contributions relatively rarely. Just before he left, he set up [[Gavin Andresen]] as his successor by giving him access to the Bitcoin SourceForge project and a copy of the [[Alerts|alert key]].

==Motives==

Nakamoto's work appears to be politically motivated, as quoted:

"Yes, [we will not find a solution to political problems in cryptography,] but we can win a major battle in the arms race and gain a new territory of freedom for several years. Governments are good at cutting off the heads of a centrally controlled networks like Napster, but pure P2P networks like Gnutella and Tor seem to be holding their own." - Satoshi Nakamoto

"[Bitcoin is] very attractive to the libertarian viewpoint if we can explain it properly. I'm better with code than with words though." - Satoshi Nakamoto

In the Bitcoin network's transaction database, the original entry has a note by Nakamoto that reads as:

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"

Some claim this quote implies Nakamoto had great concern or contempt for the current [[central banking]] system.

==Influence==
The smallest unit of the [[Bitcoin]] currency (1/100,000,000) has been named "satoshi" in collective homage to his founding of [[Bitcoin]].

==References==
<references/>
*[http://www.wired.com/magazine/2011/11/mf_bitcoin/ The Rise and Fall of Bitcoin]
*[http://www.newyorker.com/reporting/2011/10/10/111010fa_fact_davis The Crypto-Currency: Bitcoin and its mysterious inventor]
*[http://www.mail-archive.com/search?l=cryptography@metzdowd.com&q=from:%22Satoshi+Nakamoto%22 Satoshi's posts to Cryptography mailing list]

[[Category:Pseudonyms]]
[[de:Satoshi Nakamoto]]
[[es:Satoshi Nakamoto]]

[[Category:Individuals]]

Satoshi Nakamoto

2013-04-19T03:03:15Z

Cryptal: /* Identity */ Add the ''The New Yorker'' and ''Fast Company'' investigations

'''Satoshi Nakamoto''' is the pseudonymous person or group of people who designed and created the original [[Bitcoin]] software, currently known as [[Bitcoin-Qt]].

His involvement in the original [[Bitcoin]] software does not appear to extend past mid-2010.

==Identity==

There are no records of Nakamoto's identity or identities prior to the creation of [[Bitcoin]]. On his [[P2P foundation]] profile, Nakamoto claimed to be an individual male at the age of 37 and living in Japan, which was met with great skepticism due to his use of English and his Bitcoin [[software]] not being documented nor labeled in Japanese.

British formatting in his written work implies Nakamoto is of British origin. However, he also sometimes used American spelling, which may indicate that he was intentionally trying (but failed) to mask his writing style, or that he is more than one person.

The first release of his original [[Bitcoin]] software is speculated to be of a collaborative effort, leading some to claim that Satoshi Nakamoto was a collective pseudonym for a group of people.

Investigations into the real identity of Satoshi Nakamoto have been attempted by ''The New Yorker'' and ''Fast Company''. ''The New Yorker'' arrived at Michael Clear, a young graduate student in cryptography at Trinity College in Dublin, who was named the top computer-science undergraduate at Trinity in 2008. The next year, he was hired by Allied Irish Banks to improve its currency-trading software, and he co-authored an academic paper on peer-to-peer technology.<ref>[http://betabeat.com/2011/10/did-the-new-yorkers-joshua-davis-nail-the-identity-of-bitcoin-creator-satoshi-nakamoto/ The New Yorker’s Joshua Davis Attempts to Identify Bitcoin Creator Satoshi Nakamoto]</ref>

''Fast Company'''s investigation brought up circumstantial evidence that indicated a link between an encryption patent application filed by Neal King, Vladimir Oksman and Charles Bry on 15 August 2008, and the bitcoin.org domain name which was registered 72 hours later. The [http://patent.ipexl.com/U2S/20100042841.html #20100042841 patent application] contained networking and encryption technologies similar to Bitcoin's. After textual analysis, the phrase "...computationally impractical to reverse" was found in both the patent application and bitcoin's whitepaper.<ref name="whitepaper">{{cite web |last= Nakamoto |first= Satoshi |title= Bitcoin: A Peer-to-Peer Electronic Cash System |url= http://bitcoin.org/bitcoin.pdf |date= 24 May 2009}}</ref> All three inventors explicitly denied being Satoshi Nakamoto.<ref>{{cite web|last= Penenberg |first= Adam |title= The Bitcoin Crypto-Currency Mystery Reopened |url= http://www.fastcompany.com/1785445/bitcoin-crypto-currency-mystery-reopened |publisher= [[FastCompany]] |accessdate= 16 February 2013}}</ref><ref>{{cite web|last= Greenfield |first= Rebecca |title= The Race to Unmask Bitcoin's Inventor(s) |url= http://www.theatlanticwire.com/technology/2011/10/race-unmask-bitcoins-inventors/43535/ |publisher= [[The Atlantic]] |date=11 October 2011|accessdate= 16 February 2013}}</ref>

==Work==

Nakamoto has claimed that he has been working on Bitcoin since 2007. In 2008, he published a paper on The Cryptography Mailing List at metzdowd.com describing the Bitcoin digital currency. In 2009, he released the first [[Bitcoin]] software that launched the network and the first units of the Bitcoin [[currency]].

Version 0.1 was for Windows only and had no command-line interface. It was compiled using Microsoft Visual Studio. The code was elegant in some ways and inelegant in others. The code does not appear to have been written by either a total amateur or a professional programmer; some people speculate based on this that Satoshi was an academic with a lot of theoretical knowledge but not much programming experience. Version 0.1 was remarkably complete. If Satoshi truly only worked on it alone for two years, he must have spent a massive amount of time on the project.

Nakamoto was active in making modifications to the Bitcoin software and posting technical information on the [[Bitcoin Forum]] until his contact with other Bitcoin developers and the community gradually began to fade in mid-2010. Until a few months before he left, almost all modifications to the source code were done by Satoshi -- he accepted contributions relatively rarely. Just before he left, he set up [[Gavin Andresen]] as his successor by giving him access to the Bitcoin SourceForge project and a copy of the [[Alerts|alert key]].

==Motives==

Nakamoto's work appears to be politically motivated, as quoted:

"Yes, [we will not find a solution to political problems in cryptography,] but we can win a major battle in the arms race and gain a new territory of freedom for several years. Governments are good at cutting off the heads of a centrally controlled networks like Napster, but pure P2P networks like Gnutella and Tor seem to be holding their own." - Satoshi Nakamoto

"[Bitcoin is] very attractive to the libertarian viewpoint if we can explain it properly. I'm better with code than with words though." - Satoshi Nakamoto

In the Bitcoin network's transaction database, the original entry has a note by Nakamoto that reads as:

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"

Some claim this quote implies Nakamoto had great concern or contempt for the current [[central banking]] system.

==Influence==
The smallest unit of the [[Bitcoin]] currency (1/100,000,000) has been named "satoshi" in collective homage to his founding of [[Bitcoin]].

==References==
*[http://bitcoin.org/bitcoin.pdf Bitcoin: A Peer-to-Peer Electronic Cash System by Satoshi Nakamoto]
*[http://www.wired.com/magazine/2011/11/mf_bitcoin/ The Rise and Fall of Bitcoin]
*[http://betabeat.com/2011/10/did-the-new-yorkers-joshua-davis-nail-the-identity-of-bitcoin-creator-satoshi-nakamoto/ The New Yorker’s Joshua Davis Attempts to Identify Bitcoin Creator Satoshi Nakamoto]
*[http://www.newyorker.com/reporting/2011/10/10/111010fa_fact_davis The Crypto-Currency: Bitcoin and its mysterious inventor]
*[http://www.fastcompany.com/1785445/bitcoin-crypto-currency-mystery-reopened The Bitcoin Crypto-Currency Mystery Reopened]
*[http://www.mail-archive.com/search?l=cryptography@metzdowd.com&q=from:%22Satoshi+Nakamoto%22 Satoshi's posts to Cryptography mailing list]

[[Category:Pseudonyms]]
[[de:Satoshi Nakamoto]]
[[es:Satoshi Nakamoto]]

[[Category:Individuals]]

Contingency plans

2013-04-19T03:02:24Z

Cryptal: /* Alerts */ Better link to alerts

The purpose of this page is to create plans for the first few days after a catastrophic failure of the network in order to save time should any such failure actually occur.

Only failures that would not allow much time for discussion will be covered here. ''Preventing'' future problems will not be discussed.

Once the plans themselves are well-accepted, code implementing the plans can be written and tested in case the code is ever required.

==Getting the word out==

===Alerts===
These people have [[alerts|alert keys]] and should be contacted ASAP in case of emergencies:
* Satoshi
* Gavin
* theymos
Email Satoshi, even though he is believed to be gone. A serious issue may "bring him out of retirement", which would be helpful.

Because alerts are known to be very secure, all information related to an emergency should be sent with alerts. For example, hashes of new releases should be included in alerts.

The most important part of alert messages should be put at the front, since the remaining text might get cut off. A good way to begin would be: "EMERGENCY: DO NOT ACCEPT OR SEND PAYMENTS".

===Pools===
The owners of all pools must be contacted, as changes will be required of them.

===IRC===
All of the IRC channels should have their topics updated to spread info about the emergency.

===Forum===
A topic should be posted in "development and technical discussion", and a sticky locked topic pointing to the main topic should be created in all other sections. The main topic should not be sticky, as this makes it more difficult to see and it will be bumped to the top constantly, anyway.

===Sites===
The owners of all big sites, especially exchanges and banks, should be contacted.

===Stock message===
Here is a message that could be used to spread the word. Preferably it would be updated to reflect specifics and signed by some trusted people.

A critical bug has been discovered in Bitcoin. Transactions must be considered REVERSIBLE for the time being. Do not send payments, and do not trust payments that you receive.

If you run a Bitcoin-related site, shut down the site and replace it with this message.

[Note: The following paragraph only applies to certain attacks and may need to be removed.]

If you are solo mining or running a pool, you must stop mining until you upgrade to the latest version (which may not be released quite yet). If you are mining in a pool, shut down your miner until your pool upgrades. If you continue mining, any blocks you solve will end up being rejected eventually, and you will be working against the legitimate chain.

Look to your favorite HTTPS-enabled Bitcoin sites for more news. Before running any software, check that a consensus exists among several sites. Do not trust information from Google, as it can be manipulated by the attacker. Other sites, such as bitcoin.org, can likewise be manipulated, though with more difficulty. The most trustworthy source of information is the text that appears at the bottom of the graphical Bitcoin client.

==Coordination==

During an emergency, coordination will take place on the #bitcoin-dev channel on chat.freenode.net. All decisions will take place there. Possibly additional channels will be created if there is too much discussion happening for one channel, though #bitcoin-dev is where all developers will naturally go, and it is therefore best if general discussion about the emergency takes place there.

Channel mode "+q $~a" should be set in order to prevent unregistered users from speaking. The last thing we want is an impersonator or a spam flood. People should also be identified with [[gribble]] if possible. Mode +m may also need to be set if there is too much spam.

===Backup communication methods===
It is not impossible for an attacker to make #bitcoin-dev unusable, either through abuse or denial-of-service attacks. There must be several backup methods of communication.

====IRC====

If #bitcoin-dev becomes unusable due to flooding or other abuse that the Freenode IRC operators are unable/unwilling to handle, then moving #bitcoin-dev to irc.lfnet.org will be useful. The operators of LFnet are Bitcoin users who will be very helpful in fighting abuse.

If Freenode is taken down by a denial-of-service attack, #bitcoin-dev can be moved to one of the larger networks, which will (presumably) be more resistant to attacks.

So if the regular #bitcoin-dev is broken, try #bitcoin-dev on these networks:
* LFnet
* IRCnet
* EFnet
* Undernet
* Any other IRC networks you know of

Gribble can be moved to any network in order to facilitate GPG identification.

====Other real-time chat====

In case all IRC networks are made unusable, Google+ multi-user chat might work well, and it is unlikely to be brought down by denial-of-service attacks.

(A distributed chat network where every participant needs to send his message directly to all other participants would be best, as this would be difficult to attack. Does something like this exist?)

====Non-realtime communication====

The SourceForge mailing list can be used for non-realtime communication. In case this list is brought down, participants can send emails manually to a list of people.

===Issuing statements===
When it has been decided by the developers that action is required by Bitcoin users, a statement will be issued. All statements should contain text encouraging people to distribute the statement. Statements should be numbered sequentially from the start of the incident.

Statements should be PGP signed by a few people present at the time and then emailed to owners of big sites and posted on bitcoin.org and the forums.

An alert summarizing the statement will probably need to be issued, as well.

===Emergency versions===
Emergency versions of Bitcoin should preferably be based on the latest stable version instead of the very latest code in order to avoid introducing new bugs.

Source releases should be made as soon as a fix is available, even if it can't yet be hosted on SourceForge. In most cases, binary releases can wait for the people who normally build binaries to do it. If source releases are available without binary releases, statements should encourage users to either compile themselves or wait for official binary releases built using the standard [[release process]] (instead of using binaries provided by third-parties).

==Contingencies==
===Many historical blocks replaced===

Situation: 6+ historical blocks have been replaced by new versions all at once, allowing confirmed transactions to be invalidated.

====Impact====

* People who have received payments from the attacker might have these payments reversed.
* The double-spent versions of these transactions might immediately get 6+ confirmations. So people receiving the attacker's stolen coins might accept them.
* Other transactions may become unconfirmed again.

====Response====

* Alert users to stop accepting payments, as an attacker clearly has too much control over the network. The network will be unusable for weeks or more while the issue is straightened out.

If more than a few BTC was stolen by the attacker, then the transaction ordering may need to be manually modified. This is done by adding new block checkpoints and/or hardcoding transaction ordering [note: code should be prepared for hardcoded transaction ordering].

A lot of time should be taken to decide whether and how to re-order the transactions. It may be a very complex issue, as restoring the original versions of transactions could cause damage many times larger than the original transaction reversal. The network will need to be offline for a week or more after an incident of this scale, anyway.

===SHA-256 is broken===
Situation: Severe, 0-day failure of SHA-256. First/second preimage resistance or collision resistance can be defeated with only a few days of work.

====Impact====

* Attacker may be able to defeat OP_CHECKSIG, which hashes transactions before signing.
* Attacker may be able to split the network by creating identical transactions or blocks with the same hashes.
* Attacker may be able to create blocks very quickly.
* The alert system may be compromised.

====Response====

* Users will be notified to shut down their clients. Note that the attacker may be able to send valid alerts, which could disrupt notification efforts.
* OP_CHECKSIG will be changed to use some other hash outside of old blocks.
* All addresses in the version-1 chain that have a known public key and at least one unspent output will have their public keys hardcoded into the client. When a version-2 transaction spends one of these version-1 outputs, the hardcoded public key will be used instead of the hash.
* The version-1 chain will be securely hashed into a hash tree. At least the root of the version-1 tree will be hardcoded into the client.
* All hashing Bitcoin does will use the new hashing algorithm.

[Code for all of this should be prepared.]

===ECDSA is broken===
Situation: an attacker can sign for a public key that he does not own the private key for in only a few days of work.

====Impact====
* Attacker can spend money that is not his in a large number of cases. Transactions to addresses that have never been used before may be protected if SHA-256 and RIPEMD-160 are still strong.
* Alert system may be compromised.

====Response====

If the attacker can't get the private key from the public key easily and a stronger algorithm that can use ECDSA keys is available:
* Switch to the stronger algorithm.
* Get users to update. Alerts will be compromised.

Otherwise:
* OP_CHECKSIG should use some other signing algorithm.
* As soon as the new version of Bitcoin is run, it should automatically send all old transactions somewhere else using the new algorithm.
* Get users to update immediately. Alerts will be compromised.

[Code for all of this should be prepared.]

===Remote attacker can execute arbitrary code===
Situation: Due to a bug in Bitcoin, a remote attacker is able to run arbitrary code on the machines of some/all Bitcoin users.

====Impact====
* Attacker can install malware, which could be used to steal private keys from wallets that are decrypted while the malware is installed.

====Response====
* Issue an alert telling people to shut down their clients immediately and look for updates elsewhere. Put special effort into alerting people through other means.
* Remove critical powers (git push, bitcoin.org update, IRC op, etc.) from people who do not need them, as all Bitcoin users are at a high risk of having their passwords compromised. Trust GPG signatures a bit less than usual.

Stock alert message: "EMERGENCY: SHUT DOWN YOUR CLIENT RIGHT NOW! Look for updates on popular Bitcoin sites. A bug has been discovered that can allow a remote attacker to install malware on your computer through Bitcoin."

Stock statement:

A bug has been discovered in Bitcoin that can allow a remote attacker to execute arbitrary code. The attacker could install malware onto your computer, which could steal your wallet. Shut down Bitcoin now. Under no circumstances should you enter your wallet passphrase until this incident is resolved and you have made absolutely sure that there is no malware on your computer. If possible, carefully copy your wallet to some offline safe location and then securely delete the copy on your computer.

Look to your favorite HTTPS-enabled Bitcoin sites for more news. Before running any software, check that a consensus exists among several sites. Do not trust information from Google, as it can be manipulated by the attacker. Other sites, such as bitcoin.org, can likewise be manipulated, though with more difficulty.

===Emergency rule change===
Situation: A core network rule in Bitcoin is broken and needs to be changed ASAP. Like the [[Incidents#CVE-2010-5139|overflow incident]].

====Response====
* Issue an alert. Tell people to stop mining.
* After the issue is fixed, get people to update.

It is preferable to make a rule more restrictive than to relax a rule. In the former case, only miners need update.

Bitcoin Wiki:Administrator nominations

2013-04-16T02:51:17Z

Cryptal: /* ThePiachu */ Comment

Is is [[User:Ripper234|my]] belief that the wiki is currently under-moderated, and that a few more wiki admins are needed.

This page will contain serious nominations to the role of wiki admins.
Anyone can nominate anybody else or himeself, but the page will be kept clean and people without significant contribution or acknowledgement to Bitcoin will be removed from it.

== ThePiachu ==
I, ripper234, nominate ThePiachu as a wiki admin.

* His contribution to Bitcoin is significant (it includes an academic paper about Bitcoin)
* I trust him with the role of admin
* I believe he has shown interest in the role
<hr/>

* I, regretfully, oppose at this time. ThePiachu has been almost completely inactive here and so I cannot point to any work he'd be engaging in which would be facilitated by making him an administrator at this time. --[[User:Gmaxwell|Gmaxwell]] ([[User talk:Gmaxwell|talk]]) 20:10, 29 March 2013 (GMT)
*: I don't believe that an active wiki participation is a requirement for the role, but rather is a "nice to have" feature that should be considered along with other traits. ThePiachu is very active on Reddit on Stack Exchange. [[User:Ripper234|Ripper234]] ([[User talk:Ripper234|talk]]) 14:06, 13 April 2013 (GMT)
*:: The important work of administration on a Wiki does not generally require administrative access. Administrative access gains you the ability to block users, delete pages, and set page protection— all of which should be options of last resort, especially in an environment like this one where paid access kills spam, vandalism, and sock-puppetry mostly dead. These last recourse actions can be handled by a small number of people with access, but they need to have had enough involvement to know when they're being applied appropriately. Someone who hasn't demonstrated that they're willing to contribute to operation in less-than-last-resort-ways is an unknown quantity, doing so may promote anti-community and anti-consensus administration styles that tend too much to last-resorts, and granting them adminship while not granting it to more activity contributors can leave people feeling disenfranchised. --[[User:Gmaxwell|Gmaxwell]] ([[User talk:Gmaxwell|talk]]) 22:09, 14 April 2013 (GMT)
*::: ''Comment'': The [https://en.bitcoin.it/w/index.php?title=Special:RecentChanges&limit=500 Recent Changes] page shows an astonishing amount of spam users registering on an ongoing basis. The payment system does prevent them from making edits, but with the falling value of Bitcoin, 0.01BTC is less than a dollar, and sock-puppetry is not prevented.

== Cryptal ==

I would like to nominate myself for the limited role of moderator. I've recently come out of lurking to join the Bitcoin community, but I've been a Wikipedia editor since 2006, and I'm very familiar with MediaWiki markup, encyclopedic style, Wikipedia policies, and dispute resolution.

Thank you,
-- [[User:Cryptal|Cryptal]] ([[User talk:Cryptal|talk]]) 08:45, 15 April 2013 (GMT)

LocalTill

2013-04-16T02:44:38Z

Cryptal: Add image, create sections

[[File:Bank of America deposit to LocalTill.jpg|320px|thumb|right|Bank of America customer receipt for LocalTill cash deposit]]

'''LocalTill''' is an anonymous merchant cash processing service based in the state of New York, that identifies deposits based on a unique code embedded in last digits of the deposit amount by adding a variable fee between 1% and 4%.

For example, a 500 USD deposit with a merchant may require the user to deposit 509.21 USD at a bank, whereby "9.21" is interpreted as a unique identifier for the deposit.

Localtill is used by [[Bitfloor]] in the USA, allowing users to make cash deposits (towards bitcoin purchases) at [[Bank of America]] branches using an "out of state deposit" slip. Deposits are usually credited within 30 minutes, as long as they are made before 5pm Eastern Time.

==Anonymity==
LocalTill does not request any data identifying the user who makes the deposit. Bank of America does not require identification when making cash deposits, but CCTV footage is likely recorded. The bank teller may ask for a phone number "for reference", which is in actuality not used.

==Fees==
LocalTill's fee serves as a deposit identified and is generated randomly when requesting the deposit. It is possible to get lower fees by repeatedly initiating deposit requests.

File:Bank of America deposit to LocalTill.jpg

2013-04-16T02:25:43Z

Cryptal: /* Summary */ terminology

== Summary ==
Scan of a Bank of America cash deposit customer receipt. Deposit was made to [[LocalTill]] for funding a [[Bitfloor]] account.

== Licensing ==
{{self|Cc-zero}}

File:Bank of America deposit to LocalTill.jpg

2013-04-16T02:24:16Z

Cryptal: Scan of a Bank of America cash deposit confirmation slip. Deposit was made to LocalTill for funding a Bitfloor account.

== Summary ==
Scan of a Bank of America cash deposit confirmation slip. Deposit was made to [[LocalTill]] for funding a [[Bitfloor]] account.
== Licensing ==
{{self|Cc-zero}}

User:Kiba

2013-04-15T08:47:26Z

Cryptal: Fix formatting

Contributors Award participant: 14ySrd81yHFEXCT4xsgdEuE5xgLxHik5HN

Here is what I can do:

# Programming in Ruby, and Javascript. I spent much of my time in those two languages. Other languages I could handle: Python, java. Other language, I barely touch: C. I am perfectly suitable for creating small scripts, little web projects, and anything that's not too aglorithmtic or required advanced mathematics.
# Writing. I recently got paid for an article. Might be worth hiring.
# Art. So-so.

==External Links==

* [http://www.bitcoin.org/smf/index.php?topic=2815.0 Looking for Jobs]

[[Category:Freelancers]]
[[Category:Freelancers-Fine Art]]

Bitcoin Wiki:Administrator nominations

2013-04-15T08:45:21Z

Cryptal: Nominating myself

Is is [[User:Ripper234|my]] belief that the wiki is currently under-moderated, and that a few more wiki admins are needed.

This page will contain serious nominations to the role of wiki admins.
Anyone can nominate anybody else or himeself, but the page will be kept clean and people without significant contribution or acknowledgement to Bitcoin will be removed from it.

== ThePiachu ==
I, ripper234, nominate ThePiachu as a wiki admin.

* His contribution to Bitcoin is significant (it includes an academic paper about Bitcoin)
* I trust him with the role of admin
* I believe he has shown interest in the role
<hr/>

* I, regretfully, oppose at this time. ThePiachu has been almost completely inactive here and so I cannot point to any work he'd be engaging in which would be facilitated by making him an administrator at this time. --[[User:Gmaxwell|Gmaxwell]] ([[User talk:Gmaxwell|talk]]) 20:10, 29 March 2013 (GMT)
*: I don't believe that an active wiki participation is a requirement for the role, but rather is a "nice to have" feature that should be considered along with other traits. ThePiachu is very active on Reddit on Stack Exchange. [[User:Ripper234|Ripper234]] ([[User talk:Ripper234|talk]]) 14:06, 13 April 2013 (GMT)
*:: The important work of administration on a Wiki does not generally require administrative access. Administrative access gains you the ability to block users, delete pages, and set page protection— all of which should be options of last resort, especially in an environment like this one where paid access kills spam, vandalism, and sock-puppetry mostly dead. These last recourse actions can be handled by a small number of people with access, but they need to have had enough involvement to know when they're being applied appropriately. Someone who hasn't demonstrated that they're willing to contribute to operation in less-than-last-resort-ways is an unknown quantity, doing so may promote anti-community and anti-consensus administration styles that tend too much to last-resorts, and granting them adminship while not granting it to more activity contributors can leave people feeling disenfranchised. --[[User:Gmaxwell|Gmaxwell]] ([[User talk:Gmaxwell|talk]]) 22:09, 14 April 2013 (GMT)

== Cryptal ==

I would like to nominate myself for the limited role of moderator. I've recently come out of lurking to join the Bitcoin community, but I've been a Wikipedia editor since 2006, and I'm very familiar with MediaWiki markup, encyclopedic style, Wikipedia policies, and dispute resolution.

Thank you,
-- [[User:Cryptal|Cryptal]] ([[User talk:Cryptal|talk]]) 08:45, 15 April 2013 (GMT)

Bitcoin Church

2013-04-15T08:32:17Z

Cryptal: fixes, links

The '''Church of Bitcoin''' was founded on October 25th 2012 in order to grant Bitcoin users a non regional spiritual outlet and to escape oppression by existing religious groups. Its homepage may be at [http://bitprayer.com/ bitprayer.com]

The Church of Bitcoin is guided by eleven commandments:

# Praise Satoshi.
# Honor the blockchain.
# Thou shalt not fork thine own family.
# Keep the network holy.
# Thou should not covet another man's wallet.
# Do unto others as you would have them DDoS you.
# Thou shalt not swear unto another man that thine payment hath not been received until all of the blockchain hath been downloadeth.
# Salt thine passwords.
# Hack thine planet.
# Keep thine woman, [https://twitter.com/brucewagner Bruces] and [https://bitcointalk.org/index.php?topic=98695 Atlases] in separate camps if they are unclean.
# Troll harder.

[[Category:Satire]]

LocalTill

2013-04-15T07:54:17Z

Cryptal: genesis

'''LocalTill''' is an anonymous merchant cash processing service that authenticates deposits based on a unique code embedded in last digits of the deposit by adding a variable fee between 1% and 4%.

For example, a 500 USD deposit with a merchant may require the user to deposit 509.21 USD at a bank, whereby "9.21" is interpreted as a unique identifier for the deposit. No personal data is requested of the user who makes the deposit.

Localtill is used by [[Bitfloor]] in the USA, allowing users to make cash deposits (towards bitcoin purchases) at [[Bank of America]] branches using an out of state deposit slip. No identification is required. Bank of America tellers may ask for a phone number "for reference", which is actuality never used.

User:Cryptal

2013-04-15T07:39:57Z

Cryptal: genesis

I'm [https://bitcointalk.org/index.php?action=profile;u=94937 cryptal on Bitcointalk] and here's my [http://bitcoin-otc.com/viewratingdetail.php?nick=cryptal OTC rating].

Contingency plans

2013-04-12T23:26:22Z

Cryptal: /* Alerts */ link to what alerts are

The purpose of this page is to create plans for the first few days after a catastrophic failure of the network in order to save time should any such failure actually occur.

Only failures that would not allow much time for discussion will be covered here. ''Preventing'' future problems will not be discussed.

Once the plans themselves are well-accepted, code implementing the plans can be written and tested in case the code is ever required.

==Getting the word out==

===Alerts===
These people have [[protocol specification#alert|alert keys]] and should be contacted ASAP in case of emergencies:
* Satoshi
* Gavin
* theymos
Email Satoshi, even though he is believed to be gone. A serious issue may "bring him out of retirement", which would be helpful.

Because alerts are known to be very secure, all information related to an emergency should be sent with alerts. For example, hashes of new releases should be included in alerts.

The most important part of alert messages should be put at the front, since the remaining text might get cut off. A good way to begin would be: "EMERGENCY: DO NOT ACCEPT OR SEND PAYMENTS".

===Pools===
The owners of all pools must be contacted, as changes will be required of them.

===IRC===
All of the IRC channels should have their topics updated to spread info about the emergency.

===Forum===
A topic should be posted in "development and technical discussion", and a sticky locked topic pointing to the main topic should be created in all other sections. The main topic should not be sticky, as this makes it more difficult to see and it will be bumped to the top constantly, anyway.

===Sites===
The owners of all big sites, especially exchanges and banks, should be contacted.

===Stock message===
Here is a message that could be used to spread the word. Preferably it would be updated to reflect specifics and signed by some trusted people.

A critical bug has been discovered in Bitcoin. Transactions must be considered REVERSIBLE for the time being. Do not send payments, and do not trust payments that you receive.

If you run a Bitcoin-related site, shut down the site and replace it with this message.

[Note: The following paragraph only applies to certain attacks and may need to be removed.]

If you are solo mining or running a pool, you must stop mining until you upgrade to the latest version (which may not be released quite yet). If you are mining in a pool, shut down your miner until your pool upgrades. If you continue mining, any blocks you solve will end up being rejected eventually, and you will be working against the legitimate chain.

Look to your favorite HTTPS-enabled Bitcoin sites for more news. Before running any software, check that a consensus exists among several sites. Do not trust information from Google, as it can be manipulated by the attacker. Other sites, such as bitcoin.org, can likewise be manipulated, though with more difficulty. The most trustworthy source of information is the text that appears at the bottom of the graphical Bitcoin client.

==Coordination==

During an emergency, coordination will take place on the #bitcoin-dev channel on chat.freenode.net. All decisions will take place there. Possibly additional channels will be created if there is too much discussion happening for one channel, though #bitcoin-dev is where all developers will naturally go, and it is therefore best if general discussion about the emergency takes place there.

Channel mode "+q $~a" should be set in order to prevent unregistered users from speaking. The last thing we want is an impersonator or a spam flood. People should also be identified with [[gribble]] if possible. Mode +m may also need to be set if there is too much spam.

===Backup communication methods===
It is not impossible for an attacker to make #bitcoin-dev unusable, either through abuse or denial-of-service attacks. There must be several backup methods of communication.

====IRC====

If #bitcoin-dev becomes unusable due to flooding or other abuse that the Freenode IRC operators are unable/unwilling to handle, then moving #bitcoin-dev to irc.lfnet.org will be useful. The operators of LFnet are Bitcoin users who will be very helpful in fighting abuse.

If Freenode is taken down by a denial-of-service attack, #bitcoin-dev can be moved to one of the larger networks, which will (presumably) be more resistant to attacks.

So if the regular #bitcoin-dev is broken, try #bitcoin-dev on these networks:
* LFnet
* IRCnet
* EFnet
* Undernet
* Any other IRC networks you know of

Gribble can be moved to any network in order to facilitate GPG identification.

====Other real-time chat====

In case all IRC networks are made unusable, Google+ multi-user chat might work well, and it is unlikely to be brought down by denial-of-service attacks.

(A distributed chat network where every participant needs to send his message directly to all other participants would be best, as this would be difficult to attack. Does something like this exist?)

====Non-realtime communication====

The SourceForge mailing list can be used for non-realtime communication. In case this list is brought down, participants can send emails manually to a list of people.

===Issuing statements===
When it has been decided by the developers that action is required by Bitcoin users, a statement will be issued. All statements should contain text encouraging people to distribute the statement. Statements should be numbered sequentially from the start of the incident.

Statements should be PGP signed by a few people present at the time and then emailed to owners of big sites and posted on bitcoin.org and the forums.

An alert summarizing the statement will probably need to be issued, as well.

===Emergency versions===
Emergency versions of Bitcoin should preferably be based on the latest stable version instead of the very latest code in order to avoid introducing new bugs.

Source releases should be made as soon as a fix is available, even if it can't yet be hosted on SourceForge. In most cases, binary releases can wait for the people who normally build binaries to do it. If source releases are available without binary releases, statements should encourage users to either compile themselves or wait for official binary releases built using the standard [[release process]] (instead of using binaries provided by third-parties).

==Contingencies==
===Many historical blocks replaced===

Situation: 6+ historical blocks have been replaced by new versions all at once, allowing confirmed transactions to be invalidated.

====Impact====

* People who have received payments from the attacker might have these payments reversed.
* The double-spent versions of these transactions might immediately get 6+ confirmations. So people receiving the attacker's stolen coins might accept them.
* Other transactions may become unconfirmed again.

====Response====

* Alert users to stop accepting payments, as an attacker clearly has too much control over the network. The network will be unusable for weeks or more while the issue is straightened out.

If more than a few BTC was stolen by the attacker, then the transaction ordering may need to be manually modified. This is done by adding new block checkpoints and/or hardcoding transaction ordering [note: code should be prepared for hardcoded transaction ordering].

A lot of time should be taken to decide whether and how to re-order the transactions. It may be a very complex issue, as restoring the original versions of transactions could cause damage many times larger than the original transaction reversal. The network will need to be offline for a week or more after an incident of this scale, anyway.

===SHA-256 is broken===
Situation: Severe, 0-day failure of SHA-256. First/second preimage resistance or collision resistance can be defeated with only a few days of work.

====Impact====

* Attacker may be able to defeat OP_CHECKSIG, which hashes transactions before signing.
* Attacker may be able to split the network by creating identical transactions or blocks with the same hashes.
* Attacker may be able to create blocks very quickly.
* The alert system may be compromised.

====Response====

* Users will be notified to shut down their clients. Note that the attacker may be able to send valid alerts, which could disrupt notification efforts.
* OP_CHECKSIG will be changed to use some other hash outside of old blocks.
* All addresses in the version-1 chain that have a known public key and at least one unspent output will have their public keys hardcoded into the client. When a version-2 transaction spends one of these version-1 outputs, the hardcoded public key will be used instead of the hash.
* The version-1 chain will be securely hashed into a hash tree. At least the root of the version-1 tree will be hardcoded into the client.
* All hashing Bitcoin does will use the new hashing algorithm.

[Code for all of this should be prepared.]

===ECDSA is broken===
Situation: an attacker can sign for a public key that he does not own the private key for in only a few days of work.

====Impact====
* Attacker can spend money that is not his in a large number of cases. Transactions to addresses that have never been used before may be protected if SHA-256 and RIPEMD-160 are still strong.
* Alert system may be compromised.

====Response====

If the attacker can't get the private key from the public key easily and a stronger algorithm that can use ECDSA keys is available:
* Switch to the stronger algorithm.
* Get users to update. Alerts will be compromised.

Otherwise:
* OP_CHECKSIG should use some other signing algorithm.
* As soon as the new version of Bitcoin is run, it should automatically send all old transactions somewhere else using the new algorithm.
* Get users to update immediately. Alerts will be compromised.

[Code for all of this should be prepared.]

===Remote attacker can execute arbitrary code===
Situation: Due to a bug in Bitcoin, a remote attacker is able to run arbitrary code on the machines of some/all Bitcoin users.

====Impact====
* Attacker can install malware, which could be used to steal private keys from wallets that are decrypted while the malware is installed.

====Response====
* Issue an alert telling people to shut down their clients immediately and look for updates elsewhere. Put special effort into alerting people through other means.
* Remove critical powers (git push, bitcoin.org update, IRC op, etc.) from people who do not need them, as all Bitcoin users are at a high risk of having their passwords compromised. Trust GPG signatures a bit less than usual.

Stock alert message: "EMERGENCY: SHUT DOWN YOUR CLIENT RIGHT NOW! Look for updates on popular Bitcoin sites. A bug has been discovered that can allow a remote attacker to install malware on your computer through Bitcoin."

Stock statement:

A bug has been discovered in Bitcoin that can allow a remote attacker to execute arbitrary code. The attacker could install malware onto your computer, which could steal your wallet. Shut down Bitcoin now. Under no circumstances should you enter your wallet passphrase until this incident is resolved and you have made absolutely sure that there is no malware on your computer. If possible, carefully copy your wallet to some offline safe location and then securely delete the copy on your computer.

Look to your favorite HTTPS-enabled Bitcoin sites for more news. Before running any software, check that a consensus exists among several sites. Do not trust information from Google, as it can be manipulated by the attacker. Other sites, such as bitcoin.org, can likewise be manipulated, though with more difficulty.

===Emergency rule change===
Situation: A core network rule in Bitcoin is broken and needs to be changed ASAP. Like the [[Incidents#CVE-2010-5139|overflow incident]].

====Response====
* Issue an alert. Tell people to stop mining.
* After the issue is fixed, get people to update.

It is preferable to make a rule more restrictive than to relax a rule. In the former case, only miners need update.

Bitfloor

2013-04-11T09:05:29Z

Cryptal: /* Anonymity */ Add Tor

'''Bitfloor''' is a FinCEN-registered Bitcoin [[currency exchange]] and trading platform site headquartered in the state of New York, USA.

==Adding Funds==
Bitfloor accepts USD and BTC deposits.

===BTC===

* Adding bitcoins to the account balance is free, and the bitcoins will be deposited in the user's online wallet.

===USD===

* In-person cash deposits are free and can be made through [[LocalTill]], which as of April 2013, supports [[Bank of America]] and will charge a 1%-4% fee to process the deposit
* Bank wire transfer - %15 fee
* CapitalOne 360 P2p (formerly ING Person2Person) - no fee

==Withdrawing Funds==

===BTC===

* There are no fees for Bitcoin withdrawals. Large withdrawal are processed manually, due to Bitfloor storing most bitcoins in offline [[Cold storage|cold wallets]].

===USD===

* ACH Bank withdrawal (Direct deposit) takes 1 to 3 business days and requires uploading a copy of the user's government-issued ID. This is the only point at which the identity of the user is required; otherwise, Bitfloor's privacy policies do not ask for any identification information.<ref>[https://bitfloor.com/docs/#privacy Bitfloor privacy]</ref>

==Trading==

Trades can be done via a web interface, or by using the API. Open-source automated trading software written in Python and JavaScript is provided [https://github.com/bitfloor on GitHub].

===Fees===
Market orders, that execute immediately, incur a 0.4% fee. Orders that don't execute immediately receive a 0.1% rebate, to encourage liquidity providers to offer information about their market expectations.

==Features==
The exchange offers automated trading capabilities via a simple REST API, and via a FIX ([[Wikipedia:Financial_Information_eXchange|Financial Information eXchange]]) order entry gateway.<ref>[http://bitcointalk.org/index.php?topic=66045.0 FIX gateway available on bitfloor.com]</ref>.

==Anonymity==
Bitfloor allows access through Tor and does not require any personally identifiable information until the user wishes to withdraw money using ACH. Deposits can be made via [[LocalTill]] -> Bank of America, by depositing cash. No ID or personal information is required, and bank tellers do not ask for the reason the deposit is made.

==History==

The exchange had been operating since 2011 with its first publicity occurring in February 2012<ref>[http://www.youtube.com/watch?v=F7SsavHX6tc The Bitcoin Show - 056 - Roman Shtylman of Bitfloor.com]</ref>.

On September 4, 2012 the operator of BitFloor reported a security breach that resulted in the exchange's wallet with '''24K BTC being stolen'''. The site was shuttered and access to customer funds denied as the exchange's reserves were insufficient to accommodate all funds deposited. As of March 8, 2013, 3 months had passed since the last repayment (December 2012), and the operator had been unresponsive.<ref>[https://bitcointalk.org/index.php?topic=144509.msg1599788#msg1599788 It's been 3 months since the first BTC re-payment in early December.]</ref>

On April 3, 2012, the website was down for several minutes.<ref>[https://bitcointalk.org/index.php?topic=166254.0 bitfloor down?!]</ref>

BitFloor became a Money Service Business (MSB) registered with FinCEN (#31000005224108) on March 15, 2012.<ref>[http://www.fincen.gov/financial_institutions/msb/msbstateselector.html FinCEN search]</ref>

==See Also==

* [[Buying bitcoins]]
* [[Selling bitcoins]]

==External Links==

* [https://bitfloor.com BitFloor] website
* [https://github.com/bitfloor github] page
* [http://bitcoincharts.com/charts/chart.png?width=940&m=bitfloorUSD&SubmitButton=Draw&r=60&i=&c=0&s=&e=&Prev=&Next=&t=S&b=&a1=&m1=10&a2=&m2=25&x=0&i1=&i2=&i3=&i4=&v=1&cv=0&ps=0&l=0&p=0& Chart]

==References==
<References />

[[Category:Exchanges]]
[[Category:EWallets]]

Bitfloor

2013-04-11T09:03:03Z

Cryptal: clarify funding options, detail fees, add API link, add anonymity section

'''Bitfloor''' is a FinCEN-registered Bitcoin [[currency exchange]] and trading platform site headquartered in the state of New York, USA.

==Adding Funds==
Bitfloor accepts USD and BTC deposits.

===BTC===

* Adding bitcoins to the account balance is free, and the bitcoins will be deposited in the user's online wallet.

===USD===

* In-person cash deposits are free and can be made through [[LocalTill]], which as of April 2013, supports [[Bank of America]] and will charge a 1%-4% fee to process the deposit
* Bank wire transfer - %15 fee
* CapitalOne 360 P2p (formerly ING Person2Person) - no fee

==Withdrawing Funds==

===BTC===

* There are no fees for Bitcoin withdrawals. Large withdrawal are processed manually, due to Bitfloor storing most bitcoins in offline [[Cold storage|cold wallets]].

===USD===

* ACH Bank withdrawal (Direct deposit) takes 1 to 3 business days and requires uploading a copy of the user's government-issued ID. This is the only point at which the identity of the user is required; otherwise, Bitfloor's privacy policies do not ask for any identification information.<ref>[https://bitfloor.com/docs/#privacy Bitfloor privacy]</ref>

==Trading==

Trades can be done via a web interface, or by using the API. Open-source automated trading software written in Python and JavaScript is provided [https://github.com/bitfloor on GitHub].

===Fees===
Market orders, that execute immediately, incur a 0.4% fee. Orders that don't execute immediately receive a 0.1% rebate, to encourage liquidity providers to offer information about their market expectations.

==Features==
The exchange offers automated trading capabilities via a simple REST API, and via a FIX ([[Wikipedia:Financial_Information_eXchange|Financial Information eXchange]]) order entry gateway.<ref>[http://bitcointalk.org/index.php?topic=66045.0 FIX gateway available on bitfloor.com]</ref>.

==Anonymity==
Bitfloor does not require any personally identifiable information until the user wishes to withdraw money using ACH. Deposits can be made via [[LocalTill]] -> Bank of America, by depositing cash. No ID or personal information is required, and bank tellers do not ask for the reason the deposit is made.

==History==

The exchange had been operating since 2011 with its first publicity occurring in February 2012<ref>[http://www.youtube.com/watch?v=F7SsavHX6tc The Bitcoin Show - 056 - Roman Shtylman of Bitfloor.com]</ref>.

On September 4, 2012 the operator of BitFloor reported a security breach that resulted in the exchange's wallet with '''24K BTC being stolen'''. The site was shuttered and access to customer funds denied as the exchange's reserves were insufficient to accommodate all funds deposited. As of March 8, 2013, 3 months had passed since the last repayment (December 2012), and the operator had been unresponsive.<ref>[https://bitcointalk.org/index.php?topic=144509.msg1599788#msg1599788 It's been 3 months since the first BTC re-payment in early December.]</ref>

On April 3, 2012, the website was down for several minutes.<ref>[https://bitcointalk.org/index.php?topic=166254.0 bitfloor down?!]</ref>

BitFloor became a Money Service Business (MSB) registered with FinCEN (#31000005224108) on March 15, 2012.<ref>[http://www.fincen.gov/financial_institutions/msb/msbstateselector.html FinCEN search]</ref>

==See Also==

* [[Buying bitcoins]]
* [[Selling bitcoins]]

==External Links==

* [https://bitfloor.com BitFloor] website
* [https://github.com/bitfloor github] page
* [http://bitcoincharts.com/charts/chart.png?width=940&m=bitfloorUSD&SubmitButton=Draw&r=60&i=&c=0&s=&e=&Prev=&Next=&t=S&b=&a1=&m1=10&a2=&m2=25&x=0&i1=&i2=&i3=&i4=&v=1&cv=0&ps=0&l=0&p=0& Chart]

==References==
<References />

[[Category:Exchanges]]
[[Category:EWallets]]

Bitcoin Firsts

2013-04-11T08:31:59Z

Cryptal: add important milestones: FinCEN, 100 USD, halving day

First examples of bitcoins being accepted for various goods and services and other notable first occurrences. See discussion for more regarding what is suitable here.

{| class="wikitable"
!  Event Date 
! Event
|-
| 2009-01-12
| First bitcoin transaction<ref>[http://blockexplorer.com/b/170 Block 170 with the first transaction ever]</ref> on the network. From Satoshi to Hal Finney<ref>[https://bitcointalk.org/index.php?topic=91806.msg1012234#msg1012234 Earliest Block With A Spend]</ref>.
|-
| 2010-05-17
| First recorded purchase of a good (pizza). Cost 10,000 BTC.<ref>[http://www.bitcointalk.org/index.php?topic=137.0 Pizza]</ref>
|-
|2011-03-21
| First travel using only Bitcoin to survive<ref>[http://www.bitcointalk.org/index.php?topic=4752.0 Plato's road trip]</ref>
|-
| 2011-01-06
| Guy pays random guy for work performed (holding a sign on a busy intersection)<ref>[http://www.bitcoinblogger.com/2011/01/power-of-bitcoins.html Mobile marketing gig]</ref>
|-
| 2011-05-09
| First physical bitcoins<ref>[[Bitbills]]</ref>
|-
|2011-05-12
|First room for rent for Bitcoin<ref>[http://www.bitcointalk.org/index.php?topic=8174.msg119235#msg119235 Room for rent]</ref>
|-
|2011-05-17
|First stripper being tipped bitcoin<ref>[http://therealplato.com/post/5568777157 Tipped a stripper Bitcoins] </ref>
|-
|2011-05-27
|Buying aircraft for BTC<ref>[http://www.bitcointalk.org/index.php?topic=10210.0 Buying aircraft for BTC]</ref>
|-
|2011-06-01
|SF Chiropractor accepts BTC for office visits<ref>[http://www.bitcointalk.org/index.php?topic=11178.0 SF Chiropractor accepts BTC for office visits]</ref>
|-
|2011-06-04
|First real estate offered for Bitcoin. A beach condo<ref>[http://www.bitcointalk.org/index.php?topic=12185.0 Beach Condo]</ref> and a house<ref>[http://forum.bitcoin.org/index.php?topic=12466.0 House]</ref> were offered within hours of each other.
|-
|2011-10-30
|First Bitcoin mining on an in-flight airplane using wifi. Unknown if any Bitcoins were actually created in flight<ref>[http://bitcointalk.org/index.php?topic=50379.0 Mining at 18,000 feet]</ref>
|-
|2011-12-19
|First TV story based on Bitcoin<ref>[http://www.cbspressexpress.com/cbs-entertainment/releases/view?id=30177 CBS' "THE GOOD WIFE" episode]</ref>
|-
|2012-02-16
|Auto title loan for bitcoins requested<ref>[http://bitcointalk.org/index.php?topic=64199 Auto title loan for bitcoins requested]</ref>
|-
|2012-03-07
|First [http://blockchain.info/tx/9c08a4d78931342b37fd5f72900fb9983087e6f46c4a097d8a1f52c74e28eaf6 transaction] including a [[P2SH]]-compatible address.
|-
|2012-03-24
|First property management accepts bitcons for rent<ref>[http://bitcointalk.org/index.php?topic=73712.0 Property management accept bitcons for rent]</ref>. Over 100 commercial and residential properties
|-
|2012-03-27
|First printed Bitcoin magazine is announced and then followed by photos<ref>[https://bitcointalk.org/index.php?topic=74346.0 first photos of Coineer]</ref><ref>[https://coineer.com Coineer - The Bitcoin Magazine available in print]</ref>
|-
|2012-03-28
|Amateur Adult Entertainers use Bitcoin for tips<ref>[http://reddit.com/r/GirlsGoneBitcoin Amateur Adult Entertainers use Bitcoin for tips]</ref>
|-
|2012-03-29
|Bitcoin-only Credit Default Swap (CDS)<ref>[http://bitcointalk.org/index.php?topic=74552.0 Bitcoin-only Credit Default Swap (CDS)] </ref>
|-
|2012-04-19
|US Based exchange gets Federally licensed as a MSB<ref>[http://payglo.be/2012/04/19/bitinstant-federally-licensed-bitcoin-exchange/ US Based exchange gets Federally licensed as a MSB]</ref><ref>[https://bitcointalk.org/index.php?topic=77194.msg857699#msg857699 US Based exchange gets Federally licensed as a MSB 2]</ref>
|-
|2012-04-20
|Bitcoinica.com gets licensed as a MSB<ref>[http://bitcoinmedia.com/first-licensed-advanced-trading-platform-for-bitcoin/ Bitcoinica.com gets licensed as a MSB]</ref>
|-
|2012-04-25
|First Music album sold for bitcoins exclusively – Before being sold on iTunes<ref>[https://www.coindl.com/page/item/127 Music album sold for bitcoins exclusively]</ref>
|-
|2012-04-26
|First WebCam site to accept Bitcoins<ref>[http://ptvheaven.com WebCam site to accept Bitcoins]</ref>. Bitcoins accepted as an alternative payment. Entertainer payouts are not in Bitcoin.
|-
|2012-04-29
|First Bitcoin only live webcam site<ref>[http://www.cam4btc.co.cc/ Bitcoin only live webcam site]</ref>. Bitcoin tips go directly to entertainers. Site operates on tips.
|-
|2012-05-01
|Bitcoin Magazine<ref>[[Bitcoin Magazine]]</ref><ref>[http://bitcoinmagazine.net/bitcoin-magazine-press-release/ Press release] as first issue goes to print</ref>
|-
|2012-05-01
|Race horse named after Satoshi<ref>[http://www.satoshisdaemon.com/ Race horse named after Satoshi]</ref><ref>http://www.thebitcointrader.com/2012/04/bitcoin-horse-to-run-first-race-on-may.html</ref>
|-
| 2012-05-09
| First formal risk assessment by a government agency<ref>[http://bitcointalk.org/index.php?topic=80173.0 Discussion of Leaked FBI Report on Bitcoin- April 2012]</ref>
|-
| 2012-05-09
|Sold San Francisco Bridge<ref>[https://bitcointalk.org/index.php?topic=80485.msg890710#msg890710 Sold San Francisco Bridge]</ref>. Another traditional first for a new currency. (likely not authentic)
|-
| 2012-05-18
|First Bitcoin class in a public school<ref>[https://bitcointalk.org/index.php?topic=82046.msg908451#msg908451 Bitcoin taught in a public school]</ref>. It was a 4th grade class
|-
| 2012-06-06
|First Bitcoin donations to contribute to a successful anti-corrupt local government political campaign<ref>[https://bitcointalk.org/index.php?topic=74219.msg945392#msg945392 Bitcoin donations contribute to successful anti-corrupt local government political campaign]</ref>. Travis Kiger, running against a Fullerton City counsel that turned a blind eye to the death of Kelly Thomas at the hands of their local police department, promoted the use of Bitcoin to fund his campaign and won the councel seat for his district.
|-
| 2012-07-23
| First car producers offer their vehicle for Bitcoin<ref>[https://bitcointalk.org/index.php?topic=94820.msg1048706#msg1048706 Automaker offers their vehicle for Bitcoin]</ref>. WikiSpeed is a Seattle based corporation that manufactures open source modular cars that get 100 MPG and accept Bitcoin as payment
|-
| 2012-08-06
| First Bitcoin lawsuit<ref>[https://docs.google.com/file/d/0B_ECG6JRZs-7dTZ5QS0xcUkxQjQ/edit?pli=1# Bitcoin lawsuit]</ref>. Brian Cartmell filed a lawsuit against [[Bitcoinica]], a former Bitcoin margin trading platform that got hacked and hasen't returned customers' funds.
|-
| 2012-08-24
| First private medical practice accepts Bitcoin<ref>[http://meidanklinikka.fi Private medical practice accepts Bitcoin]</ref>. It's a dentist in Finland.
|-
| 2012-09-14
| First warrant to seize Bitcoins<ref>[http://www.americanbanker.com/bankthink/plot-thickens-in-bizarre-bitcoin-blackmail-caper-1054312-1.html First warrant to seize Bitcoin]</ref>. U.S. Secret Service seizing Michael M. Brown's bitcoins in the Romney Taxes For Ransom case.
|-
| 2012-09-26
| First Taxi service accepts Bitcoin<ref>[http://www.taxizen.co.uk Taxi service accepts Bitcoin]</ref> (in Herefordshire, UK.)
|-
| 2012-11-15
| First big<ref>[http://www.alexa.com/siteinfo/wordpress.com Wordpress.com at Alexa.com]</ref> website<ref>[http://en.blog.wordpress.com/2012/11/15/pay-another-way-bitcoin/ Wordpress accepts Bitcoin]</ref> accepts Bitcoin. It's [http://www.wordpress.com wordpress.com]
|-
| 2012-11-28
| Bitcoin celebrates first halving day - every roughly 4 years, the reward for mining a new block, initially 50 BTC will be halved.<ref>[http://www.prlog.org/12032578-bitcoin-community-celebrates-halving-day.html Bitcoin Community Celebrates "Halving Day"]</ref>
|-
| 2013-02-15
| Reddit begins accepting bitcoins for [http://techcrunch.com/2013/02/14/reddit-starts-accepting-bitcoin-for-reddit-gold-purchases-thanks-to-partnership-with-coinbase purchases of Reddit Gold].
|-
| 2013-02-18
| Kim DotCom's successor to MegaUpload, Mega to [http://www.bbc.co.uk/news/technology-21496977 accept bitcoins for payment].
|-
| 2013-02-19
| Silver parity reached. Bitcoin exchange rate at $29.65 is higher than an ounce of silver.
|-
| 2013-03-18
| The United States federal agency charged with enforcing laws against money laundering (FinCEN) declares that Bitcoin users are not subjects to its regulations. Miners who sell bitcoins for fiat currency must register as Money Service Business.<ref>[http://arstechnica.com/tech-policy/2013/03/us-regulator-bitcoin-exchanges-must-comply-with-money-laundering-laws/ US regulator: Bitcoin exchanges must comply with money-laundering laws]</ref>
|-
| 2013-04-01
| Bitcoin surpasses 100 USD.<ref>[http://venturebeat.com/2013/04/01/bitcoin-value-above-100-bubble/ Bitcoin value surpasses $100 — is this another bubble?]</ref>
|}

==See Also==

* [[History]]

==References==
<references />

[[Category:Introduction]]