Doxxing your crypto wallet: dangerous, easier than you think (and how to avoid)
The DeFi world is being built upon Web3, a new, decentralized version of the internet. This allows us much more privacy when compared to the traditional financial world, which is built on Web2 (the modern day, centralized version of the internet).
But your privacy isn’t guaranteed in the world of DeFi and Web3. In fact, exposing sensitive personal financial information about yourself is easier than you think. You might have already done so without even knowing.
Below, we will discuss three main topics:
- The dangers of something called ‘doxxing’
- How you might have already doxxed yourself
- What you can do today to maintain your privacy.
Upon reading this article, you’ll be able to access the privacy you desire when operating in the world of DeFi.
‘Doxxing’ is short for ‘dropping dox’ which means ‘dropping documents on the internet.’ It occurs when sensitive information about a person or company is made public somewhere online.
The origins of doxxing can be found in the first internet chat rooms of the early 90s. Heated discussions often turned into debates which sometimes escalated to the point where some users would ‘doxx’ each other as a form of retaliation.
Unfortunately, doxxing is used mostly as a weapon for evil when it comes to the crypto space. A notable, recent example was when hardware wallet brand Ledger had its customers’ personal data hacked and doxxed on the dark web. This information made its way into the wrong hands (i.e. scammers) and made life a living hell for the victims of the data breach.
So doxxing is an attack on privacy, and a loss of privacy is the ultimate taboo in the crypto space. You may have noticed how crypto enthusiasts go to great lengths to stay private online. Browse crypto twitter and you’ll notice that many accounts operate under aliases, just one tactic to stay private.
But first, you must ask yourself: how anonymous are you really in crypto?
You are not anonymous in crypto. You are pseudonymous
Biggie Smalls famously said: “Mo money, mo problems.” If he was here for the blockchain revolution he might have said it differently: “Mo money, [no privacy] mo problems”
Consider how much personal information you must forfeit to open a bank account or invest in traditional equities like $AAPL or $AMZN. You’ll have to include your name, address, phone number, social security number, mother’s maiden name, etc. Your transactions are linked to your identity, thereby eroding your privacy.
Blockchain tech allows users to operate in decentralized financial markets with more privacy when compared to the legacy system, but it soon becomes obvious that in the world of crypto we are not anonymous; we are pseudonymous.
To open an account or interact in the DeFi space, all you need is an internet connection and a crypto wallet. Your personal details are not required and, hence, your identity is kept private.
But your crypto wallet address is public. Therefore, your wallet becomes your pseudonym.
Most of DeFi is built on public blockchains. This means anyone can use a blockchain explorer (like Etherscan) to look up and see all transactions of a given wallet. But they can’t see to whom that wallet belongs, because it’s identified by its public address, rather than personal details.
If you’re doxxed, however, your cover is blown because your wallet address (your pseudonym) is directly linked to your personal identity. When this happens, you lose your privacy. This is bad because a loss of privacy can lead to a loss of security.
How does this happen, you ask? Let’s run through a thought experiment!
A scenario: How a loss of privacy can lead to a loss of security
Imagine you have a million dollars worth of crypto, but you’ve been doxxed and your wallet is tied to your name.
This information is dangerous in the wrong hands.
Let’s first get the obvious out of the way. The government probably already knows your wallet address because they are working with blockchain forensics companies to build wallet maps and figure out which wallets belong to whom. Depending on your country, this could be a terrible, dire circumstance, but that is a topic for another article.
Let’s imagine, for example, this information lands in the hands of a burglar. You become your own bank in crypto, but when compared to a traditional bank, your personal crypto bank is much easier to rob. Burglars know this.
Consider how hard it would be to steal your million dollars if it were held in a traditional bank. Firstly, your financial information is private. Only the bank (and the government) should be able to verify that you have a million dollars.
And even if a burglar knew that you had a million dollars, how would he/she steal it? Your money isn’t physically sitting in a vault in the bank’s basement. Not to mention, the number you see on your online banking dashboard is just a confirmation of an internal bank ledger. This can’t be hacked.
Sure, a physical attack is still possible. You could be kidnapped and forced to transfer your money to your abductor’s account. But any such attempt would be futile because you have a daily transfer limit, and the funds would be frozen and traced the moment you notified the bank of the crime.
Now consider the relative ease of stealing your million dollars when it’s held in your self-custodial crypto wallet.
This burglar can now verify that you have one million dollars of crypto in your possession, by simply using a blockchain explorer to look up and confirm your address. He/she can also comb through your transaction history in order to reveal all sorts of information about your spending. Since the ‘bank of you’ has no security department, just a private key, the chance of a successful heist becomes much, much greater.
With all of this information, cyber attacks become more dangerous because the more information a scammer has about you, the more likely his/her scams will work. As mentioned, the hacker can look up your wallet’s transaction history to see your spending information. When this information is combined with the rest of your online personal data (found with a simple google search or through your social media profiles), things get worrying.
Physical attacks have become more of an unfortunate reality too, because your wallet transactions might reveal your habits, routines, and schedule. For instance, your wallet’s activity might reveal that you buy coffee using crypto at your local cafe every morning at 9am. Now, all that stands between a robber and a one million dollar payday is a trip to the coffee shop and a $5 wrench.
…or a knife, a gun, a kidnapping, or worse.
Think this would never happen to you? Neither did this Dutch crypto holder who was tortured with a drill, this trader from Hong Kong who was robbed at knife point, or this Norwegian man who jumped from his balcony to escape a crypto-related home invasion.
You can avoid all of this danger by keeping your wallet and your identity separate and secret. In some ways this is obvious, however, doxxing yourself is much easier than you think. In fact, you might have already done so!
Doxxing yourself: it’s easier than you think
Let’s get the obvious stuff out of the way first.
If you use social media to talk crypto, do so under a pseudonym. If you must use your real name, never post your wallet address on any social media channels, don’t boast about how much crypto you own, and make sure your crypto security is on point.
Don’t flex your newfound crypto wealth via a ‘MR BTC’ license plate or by listing the tokens you hold on your Tinder profile (yes, people do this and there are consequences).
And, for the love of God, please don’t publish your main wallet address on Twitter under your real name when you see a crypto giveaway. This is a great way to publicly doxx yourself; anyone on Twitter can now see your wallet. Even scammers.
Now for the less obvious self-doxxing mistakes. Did you know you could doxx yourself by simply sending crypto to someone who knows you?
Here’s an example. Let’s say you use crypto to pay Simon, a freelance web designer for services rendered, using your main, self-custodial wallet. You just doxxed yourself.
Note: this doesn’t apply to centralized exchange wallets, which we talk about below.
Hopefully Simon is a decent fellow with no intention of snooping into your finances. But how well do you know Simon? What if he tells one of his friends and that friend decides to keep an eye on you? You just never know. Per the linked articles above, stranger things have happened.
Many industries already accept crypto payments, and this will only increase with broader cryptocurrency adoption.
Don’t take any chances. Here are a few simple tips to help you not doxx your wallet.
How NOT to doxx your crypto wallet
You’re doxxed when you send crypto from your main, self-custodial wallet in a situation where your identity is known, as in the example above with Simon.
Here are a few ways to avoid this.
Create a ‘doxx-friendly’ wallet and fund it using your crypto exchange
It’s unrealistic to try and always keep every wallet separate from your identity when using crypto, especially as the space grows.
So plan ahead by setting up a wallet for situations and transactions where you know you’ll be doxxed.
This wallet is tied to your identity, but that’s OK because you’re going to take a few extra security precautions:
- Only hold small amounts of crypto in this wallet
- Use this wallet specifically for transactions where your identity might be known (like with the example above involving Simon)
- Never send or receive transactions from this wallet to your main wallet because this creates a link, thereby doxxing your main wallet.
Read that last point again. Never, ever link your doxxed wallet to your private wallet by sending transactions between them.
Instead, fund your doxxed wallet using your crypto exchange:
[Image: tweet by Bobby Ong]
What this will look like:
Exchange wallet → doxx-friendly wallet
It’s important to note that you can still use your exchange to fund your private wallet, and there won’t be any link between your wallets:
Exchange wallet → doxx-friendly wallet
❌ ↑ ↓ ❌
Exchange wallet → private wallet
Why does this work? Can’t someone use a blockchain explorer to look up your exchange wallet and see the outflows, thereby seeing all of your wallets?
No, because you don’t have an individual public wallet at your exchange; you’re using the exchange’s shared wallet system, meaning the blockchain explorer will show something general like “Binance 16”.
This means if someone uses a blockchain explorer to reverse engineer your doxx-friendly wallet, all they can see is that it was funded using an exchange like Binance, which is common practice.
But in DeFi we like decentralization, meaning that leaving crypto sitting on an exchange is a no-no. What if you did the right thing and transferred your crypto from your exchange to your wallet immediately after purchasing?
How do you get some crypto from your private wallet to your doxx-friendly wallet if you can’t link them?
Again, you can use your exchange. Simply send your crypto back to your exchange’s wallet, and then onto your doxxed wallet from there:
Private wallet → exchange wallet → doxx-friendly wallet
Sending crypto via the exchange will break the on-chain link between your wallets, and only you know the true path. Essentially you are using an exchange to obfuscate the flow of your crypto.
Pros:
- You already have a crypto exchange
- Easy; you’ve already done deposits and withdrawals using an exchange
- Certain exchanges (like FTX.com) offer free deposits and withdrawals if you hold their native token, making this process free.
Cons:
- Crypto exchanges are centralized, meaning they have custody of your crypto
- For most exchanges, withdrawal fees apply
- Transactions to and from exchanges are not instant
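The linking rule in this section can be checked against your own transfer history. The sketch below is an added example, not part of the original article: it treats transfers as a graph, refuses to walk through a shared exchange wallet, and also covers a hop through a second wallet you own, which the article does not discuss. Every address, the `SHARED_WALLETS` table and both function names are constructed for illustration.

```python
from collections import deque

# Constructed sample data: every address and transfer below is made up.
SHARED_WALLETS = {"0xEXCHANGE": "Binance 16"}  # exchange-operated pooled wallets
DIRECT_TOP_UP = [
    ("0xEXCHANGE", "0xPRIVATE"),
    ("0xPRIVATE", "0xHOP"),       # hop through a second wallet you own...
    ("0xHOP", "0xDOXX"),          # ...still ends at the doxx-friendly wallet
    ("0xDOXX", "0xSIMON"),
]
VIA_EXCHANGE = [
    ("0xEXCHANGE", "0xPRIVATE"),
    ("0xPRIVATE", "0xEXCHANGE"),  # deposit back to the exchange
    ("0xEXCHANGE", "0xDOXX"),     # withdraw to the doxx-friendly wallet
    ("0xDOXX", "0xSIMON"),
]


def find_link(transfers, start, target, shared=SHARED_WALLETS, max_hops=4):
    """Return the shortest chain of addresses joining start to target, or None.
    Transfers are (sender, recipient) pairs, linked in both directions.
    Shared exchange wallets are never walked through: their outflows belong
    to many customers, so they do not tie two addresses together.
    """
    graph = {}
    for sender, recipient in transfers:
        graph.setdefault(sender, set()).add(recipient)
        graph.setdefault(recipient, set()).add(sender)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            return path
        if node in shared or len(path) > max_hops:
            continue  # do not expand pooled wallets or over-long chains
        for neighbour in sorted(graph.get(node, ())):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(path + [neighbour])
    return None


def exposed_wallets(transfers, doxxed, own_wallets):
    """Map each of your wallets to the chain that ties it to the doxxed one."""
    links = {w: find_link(transfers, doxxed, w) for w in own_wallets}
    return {w: path for w, path in links.items() if path}


if __name__ == "__main__":
    for txs in (DIRECT_TOP_UP, VIA_EXCHANGE):
        print(exposed_wallets(txs, "0xDOXX", ["0xPRIVATE", "0xHOP"]))
```

An empty result only rules out a direct chain of transfers in the data you supplied.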
Using an exchange works, but if you’re working with large amounts of capital you might not be so keen on the idea of engaging with a centralized company. Or, maybe you don’t like the idea of having a doxx-friendly wallet at all.
The next few options are for you.
Use a decentralized mixing service like Tornado Cash
The easiest way to move crypto from one wallet to another in a fully decentralized manner, privately, is to use a mixing service like Tornado Cash.
Tornado Cash is a decentralized app on the Ethereum blockchain designed to break the on-chain link between a source and destination address, thereby improving transaction privacy.
Check out this video if you want to learn the specifics of how Tornado Cash works, but this is a good start:
In theory, this is how it works: you send funds from your main wallet (wallet A) to a shared smart contract operated by Tornado Cash, which many other wallets have also deposited to. Then, you’ll withdraw those funds, to a completely new wallet address (wallet B) that you own.
Once you’ve sent funds from your main wallet (A) to a new, unlinked wallet (B) via Tornado Cash, the on-chain link between your wallets has been broken, so you can send funds onwards from this new wallet to anyone without the risk of doxxing your main wallet.
Pros:
- Fully decentralized with no reliance on a centralized third party like an exchange
- No need to sign up to a crypto exchange and provide customer information. Just connect your wallet and send the transaction
- You can still reveal the full transaction if the tax office comes knocking
Cons:
- Can be expensive when Ethereum gas prices are high. You’ll need to send larger transactions to make it worthwhile
- Takes some time and is not instant. To fully break the on-chain link when using Tornado Cash, you cannot withdraw your funds immediately upon deposit
- To completely anonymize yourself, you need to use a VPN since websites like MetaMask and Etherscan collect your internet IP geolocation data (won’t dox you, but could be a breadcrumb)
Use a Private Wallet like Blank Wallet
Tornado Cash has a few drawbacks that affect a user’s overall experience. Full anonymization requires you to use a VPN and wait a certain amount of time before withdrawing. On top of these inconveniences, you have to cop whatever gas fees are at the time (these are usually high, especially as of late).
A new Ethereum wallet in the space called Blank wallet aims to solve these problems. The company describes itself as “the most private, non-custodial Ethereum browser wallet”.
Blank wallet operates in a similar manner to Tornado Cash. You deposit funds into a shared smart contract, and you withdraw your funds to a new wallet address, thereby breaking the on-chain link between both wallets.
But Blank wallet excels, for a few reasons.
First of all you won’t need a VPN because Blank wallet doesn’t track your geolocation data. This is one less hoop to jump through and one less cost to cover.
When it’s time to withdraw funds to a new wallet, Blank automatically creates a new, unconnected wallet address for you, and the ‘partial withdraw’ feature means you can withdraw immediately. This makes using the blank wallet easier and faster when compared to Tornado Cash.
Finally, when using Blank wallet you have the option of holding Blank token, which offers a few benefits (e.g. one of them is a reduction in transaction fees). “I don’t want a discount on Ethereum transaction fees,” said nobody, ever.
Check out the Blank wallet Medium page to find out more about the wallet, the team, and the Blank token.
Pros:
- Hides your IP address and browsing data, so there is no need for a VPN
- Partial withdraw feature means you can withdraw instantly
- Holding the Blank token offers additional benefits
Cons:
- A relatively new project meaning there is no track record as of yet (but at least the team is public)
- You can’t currently connect your Blank wallet with a hardware wallet…yet
Use a private blockchain like the SCRT Network
The above options offer a high level of privacy, but you’ll still need to follow strict network level practices to stay completely private. Given all the steps we’ve run through, this can be a hassle.
For the ultimate in privacy, consider using a private blockchain like the SCRT Network. An easy way to think of the SCRT network is that it is like Ethereum, but completely private.
Watch this video to understand how the SCRT Network works, as a deep dive is beyond the scope of this article.
To pay someone who is also using the SCRT Network is as straightforward as sending funds from one wallet to another.
However, what if you need to pay someone who is using another blockchain, like Ethereum?
You’ll need to bridge Ethereum from your secret wallet (which is called secretETH) straight into the destination wallet using the SCRT network bridge. This will be untraceable.
Pros:
- Complete privacy
- No need to rely on dapps or extra wallets as privacy is in-built
Cons:
- Must use a bridge when transferring out of the secret blockchain (extra step)
- New blockchain; learning curve
Privacy is a human right. After reading this piece, I hope that you now have a few extra tools at your disposal to keep your crypto holdings as private as possible.
Most importantly, you know how to avoid doxxing yourself, because as mentioned, it can happen without you ever realizing.
If, while reading, you have just realized that you have already doxxed yourself in some way, simply use one of the strategies above to move your crypto into a new wallet and your pseudonymity is again restored.