The bitcoin dust attack: how to mitigate?


Written by Massimo Musumeci

27/12/2019

What it is and how to detect it

One of the most popular and dangerous attacks on Bitcoin privacy is the “dust attack”. It is being used more and more, and many people are affected. This attack can be a serious problem for your privacy. Let’s see what it is and how it is performed.

The term dust refers to amounts of cryptocurrency (bitcoin in this case) that cannot be transferred individually, either because they are lower than the transaction fees of the blockchain or because they are lower than the minimum transferable amount of an exchange. They therefore remain locked in the account wallet and can be spent only in a transaction that spends multiple coins together with the dust itself.

The attack consists of peppering the network with micro transactions that send a very small amount of satoshis to bitcoin addresses. This amount, called dust, is so small that it is difficult to notice if your wallet does not show individual UTXOs. Many mobile phone wallets, for example, don’t show all the UTXOs. So when you spend an amount of bitcoin, the dust can easily be included as an input of the transaction.

The goal of the attacker is in fact this: if you spend the dust within a transaction of yours, it is easy for the attacker to gather information about you, your transactions and your addresses, simply by following the dust movements.

So it is you who unintentionally “publishes” all this information by including the malicious dust in your transactions. The dust therefore deanonymizes you and is a serious threat to your privacy.

Even an exchange can carry out such an attack in a refined way. How? An exchange that offers you, let’s say, $30 to register, after KYC, is basically carrying out a dust attack. In that way it can perform very efficient tracking of your UTXOs. So be very, very careful.

How to mitigate a dust attack

If you use a wallet that does not show the UTXOs separately and does not let you spend them individually, you can easily be hit by this attack. In this case, because the amount of dust is so small, you will not notice that you received it from somewhere. At the first transaction after receiving the dust, your wallet will include the small amount of malicious satoshis as an input, and your privacy is blown.

So the first important thing is to be able to see all the UTXOs separately in your wallet and to have every UTXO marked with a label. That way you know where each UTXO comes from and you can easily detect a suspicious incoming dust UTXO.

When a dust UTXO is detected, you should immediately tag it with a label and mark it as unspendable.

When you send a transaction you should always manually select which UTXOs to spend, and also label the outbound transaction. That way there is no way to unintentionally include malicious satoshis in a transaction.

Wallets such as Wasabi or Electrum, for example, give you a view of all the UTXOs available in your wallet and make it possible to spend each of them individually, making it easy to become aware of such issues.

Another very important rule: never spend anonymous coins (that you have, for example, purchased with cash or that you have mixed) together with non-private ones. By doing this you blow the privacy of the whole set of coins.

 

When you send a new transaction you should always manually select which coins to spend and tag the transaction with specific labels.
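The mitigation steps above (label every UTXO, freeze suspected dust, select inputs by hand, never mix private and non-private coins) can be expressed as a small check. This is an added example, not code from the article or from any wallet; the Utxo fields, the function names, the 68-vbyte input size and the sample wallet are assumptions made for illustration.

```python
from dataclasses import dataclass

INPUT_VBYTES = 68  # assumption: approximate size of one P2WPKH input

@dataclass
class Utxo:
    outpoint: str          # "txid:vout"; sample values below are constructed
    sats: int
    label: str = ""        # empty label = origin unknown to the owner
    private: bool = False  # True for coins bought with cash or mixed
    frozen: bool = False   # True = never selectable as an input

def flag_dust(utxos, feerate_sat_vb):
    """Label and freeze unlabelled UTXOs worth no more than the fee to spend them."""
    spend_cost = INPUT_VBYTES * feerate_sat_vb
    flagged = []
    for u in utxos:
        if not u.label and u.sats <= spend_cost:
            u.label, u.frozen = "suspected dust, do not spend", True
            flagged.append(u)
    return flagged

def select_coins(utxos, outpoints, tx_label):
    """Manual coin selection: only the named outpoints, checked before use."""
    if not tx_label:
        raise ValueError("label the outbound transaction")
    chosen = [u for u in utxos if u.outpoint in outpoints]
    if len(chosen) != len(set(outpoints)):
        raise ValueError("unknown outpoint")
    if any(u.frozen for u in chosen):
        raise ValueError("selection includes a frozen (dust) UTXO")
    if len({u.private for u in chosen}) > 1:
        raise ValueError("selection mixes private and non-private coins")
    return chosen

def sample_wallet():
    """Constructed sample data, not real transactions."""
    return [
        Utxo("aaaa:0", 150_000, "exchange withdrawal"),
        Utxo("bbbb:1", 500_000, "cash purchase", private=True),
        Utxo("cccc:0", 547),                       # unlabelled, tiny
        Utxo("dddd:2", 600, "tip from a friend"),  # small but known origin
    ]

if __name__ == "__main__":
    wallet = sample_wallet()
    print([u.outpoint for u in flag_dust(wallet, feerate_sat_vb=10)])
    print([u.outpoint for u in select_coins(wallet, ["aaaa:0"], "rent")])
```

The dust test here follows the article's definition (an amount lower than the fee needed to move it), so the threshold rises and falls with the fee rate you pass in.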


About The Author

Massimo Musumeci

OS specialist, blockchain researcher, system and cloud administrator. Research, develop and provide. I am partner of companies and public institutions for online business and new technology development. I support and work to achieve a free, open, censorship-resistant and privacy-oriented technological and financial world.
