New research reveals the timing of Monero spending patterns in probabilistic form. The research could be used to improve Monero user privacy in the future. In the meantime, Monero users with extreme threat models should be aware that anti-privacy adversaries can leverage timing information to increase the probability of guessing the real spend in a ring signature to approximately 1-in-4.2 instead of 1-in-16.
Four technologies protect the privacy of Monero users. Dandelion++ protects users' IP addresses from being linked to their transactions. Confidential transactions hide the amount of value that is transferred between users. Monero's stealth address technique produces one-time-use addresses on the blockchain that cannot be linked to specific wallets without voluntary disclosure of view keys. Ring signatures obfuscate which stock of coins was spent in a transaction by combining the real spend with 15 decoy spends. This blog post discusses improvements and threats to Monero's ring signature privacy model.
As the name implies, a "decoy" serves its purpose well if it looks like the real thing. Decoys that do not match the spending patterns of real users will fail to draw the attention of an anti-privacy adversary. One of the most important spending patterns to match is the timing. The age of a stock of coins that a user spends, like units of physical paper currency circulating between consumers and merchants, forms a random probability distribution.
Monero's current decoy selection algorithm is based on research by Möser et al. (2018), which used de-anonymized transactions in the first three years of Monero's history whose real spend was known due to inadequate safeguards in the protocol. In 2017, the protocol safeguards were strengthened to thwart the techniques used by Möser et al. (2018). As a result, de-anonymized transactions could no longer be used to update the decoy selection distribution to align it with the real spend distribution. Another way forward was needed.
Several peer-reviewed research articles suggested that near-optimal privacy for a given ring size could be provided by using a decoy distribution that closely mimics the real spend distribution (Aeeneh et al. 2021; Kumar et al. 2017; Möser et al. 2018; Ronge et al. 2021). However, some of the same papers doubted that the real spend distribution could be estimated reliably when only anonymized data was available. Rucknium, a researcher with the Monero Research Lab, proposed a method to directly estimate the real spend distribution using the ring signature data on the Monero blockchain. Members of the Monero community generously donated to fund the research plan, known as Optimal Static Parametric Estimation of Arbitrary Distributions (OSPEAD).
OSPEAD works by chaining together two statistical techniques. First, the Bonhomme-Jochmans-Robin estimator separates the distribution of rings using the "standard" decoy selection algorithm from the distributions of rings that use decoy selection algorithms of "third-party" wallet software (Bonhomme, Jochmans, & Robin 2016). Next, the Patra-Sen inversion estimator is used to separate the decoy distribution from the real spend distribution (Patra & Sen 2016). Note that the OSPEAD research has not yet been formally peer-reviewed.
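To show the inversion idea behind the second OSPEAD step in runnable form, here is an added Python example; it is not code from the OSPEAD repository and it is not the Patra-Sen estimator itself, only the simplest special case of the same principle. It assumes a single, publicly known decoy selection algorithm (so the first, Bonhomme-Jochmans-Robin, step is not needed), collapses coin age into four constructed buckets with invented probabilities, and recovers the real spend distribution from nothing but the pooled ages of ring members, which is all a public ledger exposes.

```python
import random

# Constructed illustration (not OSPEAD's code or data): coin age collapsed into
# four buckets ("hours", "days", "weeks", "months") with invented probabilities.
REAL_SPEND_PMF = [0.50, 0.30, 0.15, 0.05]   # true real-spend distribution, unknown to the analyst
DECOY_PMF      = [0.10, 0.20, 0.30, 0.40]   # the wallet's decoy algorithm, assumed known and public
RING_SIZE = 16


def pooled_ring_member_pmf(real_pmf, decoy_pmf, n_rings, ring_size=RING_SIZE, seed=7):
    """Empirical age distribution of all ring members, as visible on a public ledger.

    Every ring contributes one real spend and ring_size-1 decoys, and nothing on
    the ledger marks which member is which, so the analyst only observes the mix.
    """
    rng = random.Random(seed)
    buckets = list(range(len(real_pmf)))
    members = rng.choices(buckets, weights=real_pmf, k=n_rings)
    members += rng.choices(buckets, weights=decoy_pmf, k=n_rings * (ring_size - 1))
    counts = [0] * len(real_pmf)
    for b in members:
        counts[b] += 1
    return [c / len(members) for c in counts]


def invert_mixture(observed_pmf, decoy_pmf, ring_size=RING_SIZE):
    """Recover the real-spend distribution from the observed two-component mixture.

    Each ring member is real with probability 1/ring_size, so
        f_obs = (1/ring_size) * f_real + ((ring_size-1)/ring_size) * f_decoy,
    which inverts to
        f_real = ring_size * f_obs - (ring_size-1) * f_decoy.
    Sampling noise can push a bucket slightly negative, so clip and renormalise
    (a crude stand-in for the projection step of a proper estimator).
    """
    raw = [ring_size * o - (ring_size - 1) * d for o, d in zip(observed_pmf, decoy_pmf)]
    clipped = [max(0.0, x) for x in raw]
    total = sum(clipped)
    return [x / total for x in clipped]


def estimate_real_spend_pmf(n_rings=100_000, seed=7):
    """End-to-end run on constructed rings; returns the estimated real-spend pmf."""
    observed = pooled_ring_member_pmf(REAL_SPEND_PMF, DECOY_PMF, n_rings, seed=seed)
    return invert_mixture(observed, DECOY_PMF)


if __name__ == "__main__":
    for true_p, est_p in zip(REAL_SPEND_PMF, estimate_real_spend_pmf()):
        print(f"true {true_p:.3f}  estimated {est_p:.3f}")
```

Note the factor of ring_size in the inversion: every unit of sampling error in the observed mixture becomes 16 units of error in the real spend estimate, which is why this only works with large samples and why the cited papers were sceptical that the real spend distribution could be estimated from anonymized data at all.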
Producing a reliable estimate of the real spend age distribution is a double-edged sword. It provides great privacy when implemented in a decoy selection algorithm, yet it also enables an anti-privacy adversary to more easily guess the real spend when the actual decoy selection algorithm used by users is very different from the real spend distribution.
As stated above, Monero's current decoy selection algorithm is based on data from the first three years of Monero's history when the number of transactions per day was less than 10 percent of current (2025) transaction volume. Real spending patterns have changed since 2017, yet the decoy selection algorithm has changed little.
The Maximum A Posteriori (MAP) Decoder attack, first described by Aeeneh et al. (2021), leverages the difference between Monero's real spend distribution and its decoy distribution. Using the MAP Decoder attack and the real spend distribution estimated in the OSPEAD research, an anti-privacy adversary has a 1-in-4.2 probability of correctly guessing the real spend at the current ring size of 16.
Users should consider the following metaphor to understand the mechanics of the attack. There are 16 horses scheduled for a race. The horses are not equally fast. According to the betting markets, one of the horses has a 1-in-4.2 probability of winning. The MAP Decoder attack does not remove 12 out of the 16 horses from the race, and then randomly pick among the remaining 4 with equal probability. Instead, it always bets on the one horse that is most likely to win. It wins the bet (guesses correctly) in 1 out of 4.2 races.
Let's continue the analogy of the horse race bettor. Did they pick the winning horse (the real spend)? Unlike at a normal race, the bettor usually doesn't learn the outcome, i.e., whether the guess was correct. This limits the impact of the attack in practice, especially since the best guess is incorrect the majority of the time, on average.
Put another way, if you guess the real spend in 4 Monero rings, you will have guessed 1 of those correctly (on average), but you don't know which of those guesses is correct. Is that useful information? That depends on the standard of evidence of the adversary.
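To make the decoder's mechanics concrete, here is an added Python example (not code from the OSPEAD repository or from the cited papers). It collapses coin age into four constructed buckets with invented real-spend and decoy probabilities, implements the MAP rule of betting on the ring member whose real-to-decoy likelihood ratio is largest, and checks a Monte Carlo run against the closed-form success probability. Run with identical distributions it reproduces the 1-in-16 baseline, which is the mitigation the post describes: a decoy distribution that matches real spending leaves the decoder nothing to exploit.

```python
import math
import random

# Constructed illustration: coin age collapsed into four buckets ("hours", "days",
# "weeks", "months"). The probabilities are invented for the example; they are NOT
# the OSPEAD estimate or Monero's actual decoy distribution.
REAL_SPEND_PMF = [0.50, 0.30, 0.15, 0.05]   # how real spends are distributed (constructed)
DECOY_PMF      = [0.10, 0.20, 0.30, 0.40]   # how the wallet picks decoys (constructed)
RING_SIZE = 16


def likelihood_ratios(real_pmf, decoy_pmf):
    """Per-bucket ratio f_real / f_decoy; the MAP decoder ranks ring members by it."""
    return [r / d for r, d in zip(real_pmf, decoy_pmf)]


def map_guess(ring_buckets, real_pmf, decoy_pmf, rng):
    """Return the index of the ring member the MAP decoder bets on.

    With one real spend and ring_size-1 independent decoys, the posterior that
    member i is real is proportional to f_real(a_i) / f_decoy(a_i), so the MAP
    decision is the member with the largest ratio (ties broken uniformly at random).
    """
    lr = likelihood_ratios(real_pmf, decoy_pmf)
    scores = [lr[b] for b in ring_buckets]
    best = max(scores)
    candidates = [i for i, s in enumerate(scores) if s == best]
    return rng.choice(candidates)


def simulate_hit_rate(real_pmf, decoy_pmf, ring_size=RING_SIZE, n_rings=20000, seed=1):
    """Monte Carlo estimate of how often the MAP decoder picks the real spend."""
    rng = random.Random(seed)
    buckets = list(range(len(real_pmf)))
    hits = 0
    for _ in range(n_rings):
        real_bucket = rng.choices(buckets, weights=real_pmf)[0]
        decoys = rng.choices(buckets, weights=decoy_pmf, k=ring_size - 1)
        members = [(real_bucket, True)] + [(d, False) for d in decoys]
        rng.shuffle(members)   # the real spend's position in the ring carries no information
        guess = map_guess([b for b, _ in members], real_pmf, decoy_pmf, rng)
        hits += members[guess][1]
    return hits / n_rings


def exact_hit_rate(real_pmf, decoy_pmf, ring_size=RING_SIZE, eps=1e-12):
    """Closed-form success probability of the MAP decoder for bucketed ages.

    The guess is right when the real spend sits in bucket b, no decoy lands in a
    bucket with a strictly larger likelihood ratio, and the real spend wins the
    random tie-break against the k decoys sharing its ratio (probability 1/(k+1)).
    """
    lr = likelihood_ratios(real_pmf, decoy_pmf)
    n = ring_size - 1
    total = 0.0
    for b, p_real in enumerate(real_pmf):
        q_gt = sum(d for j, d in enumerate(decoy_pmf) if lr[j] > lr[b] + eps)
        q_eq = sum(d for j, d in enumerate(decoy_pmf) if abs(lr[j] - lr[b]) <= eps)
        q_lt = max(0.0, 1.0 - q_gt - q_eq)
        p_hit_given_b = sum(
            math.comb(n, k) * q_eq ** k * q_lt ** (n - k) / (k + 1) for k in range(n + 1)
        )
        total += p_real * p_hit_given_b
    return total


if __name__ == "__main__":
    for label, decoy in [("mismatched decoys", DECOY_PMF), ("decoys match real spends", REAL_SPEND_PMF)]:
        exact = exact_hit_rate(REAL_SPEND_PMF, decoy)
        sim = simulate_hit_rate(REAL_SPEND_PMF, decoy)
        print(f"{label}: exact {exact:.4f} (1-in-{1 / exact:.1f}), simulated {sim:.4f}")
```

With the constructed numbers the decoder succeeds about 27 percent of the time (roughly 1-in-3.7); that figure depends entirely on the invented buckets and is not the post's 1-in-4.2 estimate. The closed form relies on ring members being exchangeable, which is why shuffling the ring in the simulation changes nothing: only the ages, never the positions, carry information.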
Probabilistic guessing can create elevated privacy risk to users with extreme threat models such as those targeted by blockchain surveillance firms, especially when combined with other de-anonymizing attacks. Interested users are encouraged to read the OSPEAD GitHub repository, where code and documents are released under open source licenses.
The OSPEAD-derived decoy selection distribution could be deployed to mitigate the risk of the MAP Decoder attack. However, a Monero network upgrade (hard fork) would be required for safest deployment. A network upgrade, though necessary for major improvement to Monero, is disruptive to the Monero ecosystem. The costs may outweigh the benefits.
Currently, the next expected hard fork is set to deploy Full-Chain Membership Proofs, which eliminate the weaknesses of the ring signature privacy model.
Aeeneh, S., Chervinski, J. O., Yu, J., & Zlatanov, N. (2021). New Attacks on the Untraceability of Transactions in CryptoNote-Style Blockchains. Paper presented at 2021 IEEE International Conference on Blockchain and Cryptocurrency (ICBC).
Bonhomme, S., Jochmans, K., & Robin, J.-M. (2016). Non-parametric estimation of finite mixtures from repeated measurements, Journal of the Royal Statistical Society. Series B (Statistical Methodology), 78(1), 211–229.
Kumar, A., Fischer, C., Tople, S., & Saxena, P. (2017). A Traceability Analysis of Monero's Blockchain. Paper presented at European Symposium on Research in Computer Security (ESORICS).
Möser, M., Soska, K., Heilman, E., Lee, K., Heffan, H., & Srivastava, S., et al. (2018). An Empirical Analysis of Traceability in the Monero Blockchain, Proceedings on Privacy Enhancing Technologies, 2018(3), 143–163.
Patra, R. K., & Sen, B. (2016). Estimation of a two-component mixture model with applications to multiple testing, Journal of the Royal Statistical Society. Series B (Statistical Methodology), 78(4), 869–893.
Ronge, V., Egger, C., Lai, R. W. F., Schröder, D., & Yin, H. H. F. (2021). Foundations of Ring Sampling, Proceedings on Privacy Enhancing Technologies, 2021(3), 265–288.
Here I will offer support to the statement that "Probabilistic guessing can create elevated privacy risk to users with extreme threat models such as those targeted by blockchain surveillance firms, especially when combined with other de-anonymizing attacks." We want to know whether blockchain surveillance firms use probabilistic techniques against Monero. According to some public and private statements, the answer is probably "Yes".
In 2022, Andy Greenberg wrote in Tracers in the Dark:
Chainalysis claimed in one slide of the presentation, for instance, that it could track Monero, the “privacy coin,” in a shockingly high number of instances, despite its anonymizing properties. “In many cases, the results can be proven far beyond reasonable doubt,” the presentation read in Italian, though it conceded that “the analysis is of a statistical nature and as such any result has a confidence level associated with it.”
The company claimed to be able to provide a “usable lead” in no less than 65 percent of cases involving Monero. In 20 percent of cases, it could determine a transaction’s sender but not a recipient, and in only 15 percent of cases did it fail to produce any leads.
In 2024, two researchers at TRM Labs published "Monero Traceability Heuristics: Wallet Application Bugs and the Mordinal-P2Pool Perspective", which analyzed many probabilistic methods of reducing Monero's privacy properties.
In its US18/337,736 patent application, Moonstone Research says:
This report may be more detailed, such as showing timestamps, suspected IP addresses (if available), information on the (if known) nature of Monero transactions details (e.g., if it is likely to be a mining-related enote or not using heuristics, or classification by another heuristic), recommended future runs of the tool based on what it learned, etc.
and
The system allows for straightforward testing of arbitrary digital records to see if they have statistically likely associations with each other.
Second revision thanks to suggestion by @SamsungGalaxyPlayer