JoinMarket release 0.2.0 ameliorates this snooping attack. It is a protocol-breaking change so everyone must update which we anticipate may take some time.
https://github.com/JoinMarket-Org/joinmarket/blob/master/doc/release-notes-0.2.0.md
Looks like enough people have updated and there's plenty of liquidity now.
Waxwing has another blog post discussing this issue too: https://reyify.com/blog/racing-against-snoopers-in-joinmarket-0.2
09/06/2016
JoinMarket is a young project, there are some possible vunerabilities which could be exploited to spy on every user.
Recently people have noticed that one such attack seems to actually be happening. The attack has the possibility of degrading the privacy of all JoinMarket coinjoins.
All JoinMarket users must be aware of this, and may want to not use JoinMarket until the issue is resolved.
This vulnerability can probably be fixed with a protocol update to JoinMarket, but it doesn't exist yet and needs to be written.
The vulnerability (known henceforth as issue #156) was first written about in July 2015. It's named after the issue number of github.
Read through this issue to gain an understanding of what the attack is and how it works. JoinMarket-Org/joinmarket#156
It means that an attacker for free can learn what UTXOs belong to which maker, and can eliminate them when analysing coinjoins on the blockchain. It's not trivial to actually obtain all the UTXOs from a maker, but even learning a proportion of them is enough to spy on a large amount of coinjoins.
JoinMarket is still private to everyone who isn't this #156 spy. Different people use JoinMarket and bitcoin for many different reasons, if their privacy requirements are lower then they can still use JoinMarket. Without JoinMarket, bitcoin transactions can be analyzed in more detail forever in the future because they are recorded on the permanant public blockchain.
We have a pretty good idea how to fix this. See the github issue for details. Also see waxwing's blog post. It generally involves limiting spy takers ability to get maker's UTXOs for free.
JoinMarket's sendpayment script probably can't be replaced. There's no other way I know of which immediately creates a bitcoin transcation like sendpayment.
JoinMarket's tumbler script (which aims to break the link between addresses) probably can be substituted by something else. The best way is probably to piggyback off the hot wallets of various bitcoin websites.
We'll pick some bitcoin websites that don't require an identity to deposit and withdraw coins, and send the bitcoin through them. We must remember to split up the amounts and use different deposit addresses to stop amount correlation. Between each transaction make sure to wait a while to help stop timing analysis.
Say we want to break the link between 1btc we have and send it to our cold storage wallet. Each arrow -> is a new bitcoin withdrawal transaction.
LocalBitcoins.com NitrogenSports.eu ChangeTip.com BitFinex.com cold storage wallet
1btc -> 1addrA 1btc -> 1addrB 0.1btc -> 1addrE 0.1btc -> 1addrG 0.4btc -> 1addrH 0.25btc
-> 1addrC 0.2btc -> 1addrF 0.9btc -> 1addrF 0.6btc -> 1addrI 0.25btc
-> 1addrD 0.7btc -> 1addrJ 0.25btc
-> 1addrK 0.25btc