Monero privacy model
Monero is the default payment currency on the DarkMatter market and on most contemporary darknet marketplaces. That is not an accident. XMR's protocol hides the sender, recipient, and transaction amount at the chain level, which makes blockchain analysis orders of magnitude harder than on Bitcoin or Litecoin. This page explains how that works.
Bitcoin's transparency problem
Every Bitcoin transaction is a public record. The blockchain stores the sender's address, the recipient's address, and the exact amount transferred, permanently and for anyone to read. Bitcoin is pseudonymous, not anonymous: addresses are strings of characters rather than names, but the link between an address and a person can be established through exchanges, IP address leaks, or spending pattern analysis.
Chain analysis firms like Chainalysis and Elliptic built their entire business on this transparency. They map clusters of addresses to entities, trace funds through transaction graphs, and sell the results to law enforcement and compliance teams. By 2020, the tooling was mature enough that Bitcoin was a liability for anyone who needed financial privacy.
Darknet markets noticed. Silk Road (2011-2013) was Bitcoin-only. AlphaBay (2014-2017) added Monero as an option alongside Bitcoin. By 2022, most new markets were either XMR-first or XMR-only. DarkMatter launched with Monero as its default currency and Bitcoin deliberately excluded from its payment stack.
Ring signatures: hiding the sender
When you send Monero, your wallet does not sign the transaction with just your key. It creates a ring signature that mixes your real key with several decoy public keys pulled from other transactions on the blockchain. As of the 2022 hard fork, the ring size is fixed at 16: one real signer and fifteen decoys.
A verifier looking at the transaction can confirm that one of the 16 keys signed it. They cannot determine which one. The math behind this is a variant of Rivest-Shamir-Tauman ring signatures, adapted by the CryptoNote protocol that Monero inherited and then heavily modified.
Think of it this way: you are in a room with 15 other people, and all 16 of you hold up a signed card. An outside observer can verify that one of the signatures is real, but cannot tell whose it is. The 15 decoys did not participate or consent. Their public keys were selected from the blockchain automatically.
The decoy selection algorithm matters. If decoys are chosen poorly (say, only very old outputs), a chain analyst can sometimes eliminate unlikely candidates and narrow the ring. Monero's developers have revised the selection distribution multiple times, most recently adopting a gamma distribution that more closely matches real spending patterns. The goal is to make the real output statistically indistinguishable from the decoys.
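The ring construction described in this section, as an added example that is not Monero's code or part of the original page: a Schnorr-style ring signature in which the signer simulates every decoy and closes the ring with the one private key they hold. The toy group (integers modulo the Mersenne prime 2^127 - 1), the SHA-256 challenge hash and all function names are assumptions chosen for brevity; Monero's CLSAG runs on the Ed25519 curve and differs in detail.

```python
import hashlib
import secrets

# Toy group (assumption): integers modulo the Mersenne prime 2^127 - 1.
P = 2**127 - 1
N = P - 1                      # exponents wrap modulo P - 1
G = 3

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)     # (private key, public key)

def challenge(msg, ring, commitment):
    data = repr((msg, tuple(ring), commitment)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ring_sign(msg, ring, signer_idx, secret):
    n = len(ring)
    c, s = [0] * n, [0] * n
    alpha = secrets.randbelow(N)
    i = (signer_idx + 1) % n
    c[i] = challenge(msg, ring, pow(G, alpha, P))
    while i != signer_idx:     # simulate each decoy with a random response
        s[i] = secrets.randbelow(N)
        commitment = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        i = (i + 1) % n
        c[i] = challenge(msg, ring, commitment)
    # Only the real private key can pick a response that closes the ring.
    s[signer_idx] = (alpha - c[signer_idx] * secret) % N
    return c[0], s

def ring_verify(msg, ring, sig):
    """Accepts if the challenges chain back to c0; never learns signer_idx."""
    c0, s = sig
    c = c0
    for pk, s_i in zip(ring, s):
        c = challenge(msg, ring, pow(G, s_i, P) * pow(pk, c, P) % P)
    return c == c0
```

The verifier takes the ring and the signature but no index, so signatures produced from different positions in the same ring are checked by exactly the same computation.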
Stealth addresses: hiding the recipient
Ring signatures hide who sent the transaction. Stealth addresses hide who received it.
When someone sends you Monero, their wallet generates a one-time address derived from your public key using Elliptic Curve Diffie-Hellman (ECDH). This one-time address appears on the blockchain, but it is not your public address. It is a unique string that only you can link to your wallet, because only you hold the corresponding private key.
Every incoming transaction gets a different stealth address. An observer looking at the blockchain sees thousands of one-time addresses, each used exactly once, with no way to group them by recipient. Two payments sent to the same person look identical to two payments sent to two different people.
The recipient's wallet scans the blockchain by attempting to derive the private key for each transaction output using its view key. If the derivation succeeds, that output belongs to the wallet. Each attempt is computationally light, but the wallet has to repeat it for every output while synchronizing, which is why Monero wallets take longer to sync than Bitcoin wallets.
RingCT: hiding the amount
Ring signatures hide the sender. Stealth addresses hide the recipient. But until January 2017, the transaction amount was still visible on the Monero blockchain. RingCT (Ring Confidential Transactions) closed that gap.
RingCT uses Pedersen commitments to encode the transaction amount. A Pedersen commitment is a cryptographic construction that lets you commit to a number without revealing it, while still allowing a verifier to confirm that the inputs and outputs of a transaction balance (no Monero created out of thin air, no Monero destroyed).
Here is the rough idea. Instead of writing "Alice sends 3.5 XMR to Bob" on the blockchain, the transaction records a commitment: a point on an elliptic curve that encodes 3.5 along with a random blinding factor. Anyone can verify that the sum of input commitments equals the sum of output commitments (proving no inflation), but nobody can extract the actual number from the commitment without the blinding factor, which only the participants know.
Bulletproofs (introduced in 2018) and Bulletproofs+ (2022) replaced the original range proofs with more compact versions. Range proofs are needed to prove that committed amounts are non-negative, a constraint without which someone could commit to a negative amount and effectively create Monero from nothing. The newer proof systems reduced transaction sizes by roughly 80%, which brought down fees and improved throughput.
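The balance check and the reason range proofs are needed, as an added example that is not Monero's code or part of the original page. It uses a toy multiplicative group (integers modulo the Mersenne prime 2^127 - 1), so multiplying commitments stands in for adding curve points; the bases, the 64-bit range and the function names are assumptions, and `in_range` opens the amount directly where a real range proof would show the same fact in zero knowledge.

```python
import secrets

# Toy group (assumption, chosen for short code, not security):
# integers modulo the Mersenne prime 2^127 - 1.
P = 2**127 - 1
N = P - 1              # exponents wrap modulo P - 1
G, H = 3, 5            # amount base and blinding base; log_G(H) must be unknown in real use
RANGE_BITS = 64        # assumed width of the range that amounts are proven to lie in

def commit(amount, blind):
    """Pedersen-style commitment C = G^amount * H^blind mod P."""
    return pow(G, amount % N, P) * pow(H, blind % N, P) % P

def build_tx(in_amounts, out_amounts):
    """Commit to every amount; the last output blind makes the blinds cancel."""
    in_blinds = [secrets.randbelow(N) for _ in in_amounts]
    out_blinds = [secrets.randbelow(N) for _ in out_amounts[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % N)
    ins = [commit(a, r) for a, r in zip(in_amounts, in_blinds)]
    outs = [commit(a, r) for a, r in zip(out_amounts, out_blinds)]
    return ins, outs

def balances(ins, outs):
    """Verifier's check: works on commitments only, never on amounts."""
    lhs = rhs = 1
    for c in ins:
        lhs = lhs * c % P
    for c in outs:
        rhs = rhs * c % P
    return lhs == rhs

def in_range(amount):
    """The statement a range proof establishes: 0 <= amount < 2^RANGE_BITS."""
    return 0 <= amount % N < 2 ** RANGE_BITS
```

A transaction whose outputs are 3.6 and -0.1 units passes `balances` against a 3.5 unit input because the negative amount wraps around the group order; only the range statement rejects it.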
Where Monero's privacy has been tested
Monero's privacy is strong but not absolute. Researchers and chain analysis firms have probed it from multiple angles over the years.
Decoy selection heuristics. A 2017 paper by researchers at Princeton and Carnegie Mellon showed that pre-RingCT transactions (before January 2017) could often be traced because ring sizes were small (as few as 4) and decoy selection was biased toward recent outputs. Modern Monero (ring size 16, gamma distribution, mandatory RingCT) has addressed both issues, but older transactions remain vulnerable to retrospective analysis.
Timing analysis. If a transaction appears on the network and one of the 16 ring members was created very recently while the others are older, a statistician might guess that the recent one is the real spend. The gamma distribution in current decoy selection is designed to make this guess less reliable, but it is a known attack surface.
CipherTrace claims (2020). The analytics firm CipherTrace announced a Monero tracing tool developed under a DHS contract. Independent researchers have been skeptical of its claimed capabilities. No public demonstration has shown transaction-level tracing of post-RingCT Monero at scale. The consensus in the research community is that statistical heuristics can sometimes narrow down candidates but cannot reliably identify specific senders in the way that Bitcoin tracing can.
Poisoned outputs (EAE attack). An adversary who controls both the sender and recipient of a transaction can mark the real output, then watch for it to appear as a ring member in a future transaction. If all 15 other ring members are also controlled outputs, the real spend is identified by elimination. This requires the attacker to generate a large number of transactions, which is expensive but not impossible for a well-funded adversary.
None of these attacks break Monero's privacy categorically. They chip away at it probabilistically, and the Monero developers have responded to each with protocol changes. The arms race continues, which is normal for any privacy system.
Why darknet markets moved from Bitcoin to Monero
The migration happened gradually, driven by real prosecution cases.
Silk Road (2013) was shut down using a combination of operational security mistakes and Bitcoin tracing. AlphaBay (2017) was seized after law enforcement traced Bitcoin transactions to the operator's personal accounts. Hansa (2017) was taken over by Dutch police who ran it as a honeypot for weeks, collecting Bitcoin payment data that linked buyers to shipping addresses.
Hydra (2022), the largest Russian-language darknet market, was seized by German BKA with assistance from US authorities. Bitcoin tracing was part of the investigation. By this point, the pattern was unmistakable: Bitcoin's transparent ledger was a consistent source of evidence in darknet market prosecutions.
Markets that survived and new markets that launched after 2020 generally adopted Monero as their primary or exclusive currency. DarkMatter, which launched in late 2022, made XMR its default and excluded Bitcoin entirely. The choice was pragmatic rather than ideological: Monero's privacy properties make chain analysis substantially harder, which reduces the risk for all parties involved.
For more on how DarkMatter handles Monero payments, escrow, and multisig, see the payments section on the homepage.
View keys: selective transparency
Monero's privacy is not all-or-nothing. Every Monero wallet has two key pairs: a spend key (needed to send funds) and a view key (needed to see incoming transactions). The wallet owner can share the view key without sharing the spend key.
This is useful for auditing. A marketplace operator could share a view key with a third party to prove that escrow addresses received specific deposits, without giving the third party the ability to move funds. It is also how Monero handles compliance in jurisdictions that require financial disclosure: the user can prove incoming funds without exposing their entire transaction history to the public chain.
View keys do not reveal outgoing transactions. For full transparency (both incoming and outgoing), the wallet owner would need to share both keys, which is equivalent to handing over the wallet entirely.
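The one-time address derivation and scan from the stealth address section, together with the view/spend split described here, as an added example that is not Monero's code or part of the original page. It uses the Ed25519 curve with SHA-512 standing in for Monero's hash-to-scalar and omits cofactor handling; all function names are illustrative.

```python
import hashlib

PRIME = 2**255 - 19                                        # Ed25519 field prime
ORDER = 2**252 + 27742317777372353535851937790883648493   # order of the base point
D = -121665 * pow(121666, -1, PRIME) % PRIME               # curve constant d

def add(p, q):
    """Twisted Edwards point addition in affine coordinates."""
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % PRIME
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % PRIME, -1, PRIME) % PRIME
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % PRIME, -1, PRIME) % PRIME
    return (x3, y3)

def mul(k, pt):
    """Scalar multiplication by double-and-add; (0, 1) is the identity."""
    acc = (0, 1)
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def base_point():
    """Recover the standard base point from y = 4/5, choosing the even x."""
    y = 4 * pow(5, -1, PRIME) % PRIME
    xx = (y * y - 1) * pow((D * y * y + 1) % PRIME, -1, PRIME) % PRIME
    x = pow(xx, (PRIME + 3) // 8, PRIME)
    if (x * x - xx) % PRIME:
        x = x * pow(2, (PRIME - 1) // 4, PRIME) % PRIME
    return (PRIME - x if x & 1 else x, y)

G = base_point()

def hs(*parts):
    """Hash to scalar (SHA-512 here as a stand-in; Monero uses Keccak)."""
    return int.from_bytes(hashlib.sha512(repr(parts).encode()).digest(), "little") % ORDER

def send(A, B, r, idx=0):
    """Sender: returns tx public key R = rG and one-time key Hs(rA, idx)G + B."""
    return mul(r, G), add(mul(hs(mul(r, A), idx), G), B)

def is_mine(a, B, R, one_time, idx=0):
    """Scan with private view key a and public spend key B only."""
    return add(mul(hs(mul(a, R), idx), G), B) == one_time

def spend_key_for(a, b, R, idx=0):
    """Private key of the one-time address; needs the private spend key b."""
    return (hs(mul(a, R), idx) + b) % ORDER
```

With A = mul(a, G) and B = mul(b, G), `is_mine(a, B, *send(A, B, r))` is true for the recipient and false for any other wallet, and an auditor holding only a and B can run the scan but cannot evaluate `spend_key_for`.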
Further reading
The payments section on the homepage covers how DarkMatter uses Monero in its escrow system, including the direct-payment model and 2-of-3 multisig option.
For Monero's own documentation, the best starting point is getmonero.org/resources/research-lab, which publishes the MRL research papers covering ring signatures, Bulletproofs, and the CLSAG signature scheme that replaced the older MLSAG in 2020.
Primary sources & further reading
- Monero Research Lab — getmonero.org/resources/research-lab — original MRL bulletins on ring signatures, Bulletproofs, and CLSAG
- Noether, S. et al. (2016). Ring Confidential Transactions. IACR ePrint Archive. eprint.iacr.org/2016/1098
- Bünz, B. et al. (2018). Bulletproofs: Short Proofs for Confidential Transactions. IEEE S&P 2018. eprint.iacr.org/2017/1066
- Monero Project. Monero: the secure, private, untraceable cryptocurrency. getmonero.org/resources/about