Source Citations for “The Anatomy of Exposure”

This document maps specific claims in the article to their sources. Claims are organized by article section.


Stage 2: Transaction Construction in Wallet Software

Claim | Source
MetaMask’s default provider Infura explicitly collects IP addresses and Ethereum wallet addresses when users send transactions, with data retained for at least 7 days | ConsenSys privacy policy update, November 2022. Reported by The Block: https://www.theblock.co/post/189717/consensys-says-it-collects-ip-addresses-of-metamask-users-via-infura
Alchemy’s analytics dashboard maps user IP addresses geographically | Alchemy application monitoring documentation: https://medium.com/alchemy-api/how-to-use-alchemys-application-monitoring-tools-266102feede5
MetaMask uses m/44'/60'/0'/0/{index} derivation path; Ledger uses m/44'/60'/{account}'/0/0 | MyEtherWallet HD Wallets explanation: https://medium.com/myetherwallet/hd-wallets-and-derivation-paths-explained-865a643c7bf2

Stage 3: Transaction Signing

Claim | Source
Hardware wallet cryptographic operations vulnerable to voltage glitching attacks | Ledger security research on Trezor Safe 3/5, March 2025: https://www.mitrade.com/insights/news/live-news/article-3-694391-20250313
Gnosis Safe multisig wallets reveal all signer addresses publicly on-chain | Gnosis Safe architecture documentation: https://medium.com/@prezzel/gnosis-safe-da50291519a8
MPC wallets - signatures appear identical to single-key transactions | Cube Exchange MPC explanation: https://www.cube.exchange/what-is/mpc-multi-party-computation

Stage 4: Transaction Submission

Claim | Source
Infura’s November 2022 privacy policy states they collect IP address and Ethereum wallet address | CryptoSlate coverage: https://cryptoslate.com/consensys-updates-policy-to-collect-metamask-ip-data/ and Decrypt: https://decrypt.co/115486/infura-collect-metamask-users-ip-ethereum-addresses-after-privacy-policy-update
60% of Bitcoin connections cross just 3 ISPs | CoinDesk analysis of Ethereum network data exposure, 2018: https://www.coindesk.com/markets/2018/11/08/the-little-known-ways-ethereum-reveals-user-location-data

Stage 5: Mempool Propagation

Claim | Source
Biryukov et al. (2014) demonstrated Bitcoin network deanonymization for approximately €1,500 | Academic paper: Biryukov, A., Khovratovich, D., & Pustogarov, I. (2014). “Deanonymisation of Clients in Bitcoin P2P Network.” ACM CCS 2014.
Princeton PERIMETER attack - 35%+ of Bitcoin clients deanonymized through passive BGP observation | Academic paper: Apostolaki, M., Zohar, A., & Vanbever, L. (2017). “Hijacking Bitcoin: Routing Attacks on Cryptocurrencies.” IEEE S&P. Extended in subsequent work on AS-level adversaries.
Blocknative maintains 15+ TB archive of over 5 billion transactions with 27 data fields | Blocknative mempool archive documentation: https://www.blocknative.com/blog/blocknatives-historic-mempool-data
Flashbots Protect - approximately 2.1 million Ethereum accounts | Flashbots writings: https://writings.flashbots.net/2m-protect-users
Flashbots Protect transactions bypass public mempool, visible only to trusted builders | Flashbots Protect documentation: https://docs.flashbots.net/flashbots-protect/overview
MEV Blocker mixes real transactions with AI-generated fakes | MEV Blocker documentation: https://mevblocker.io/ and CoW Protocol docs: https://docs.cow.fi/mevblocker/concepts/order-flow-auction
Biryukov & Pustogarov (2015) Bitcoin over Tor deanonymization | Academic paper: Biryukov, A., & Pustogarov, I. (2015). “Bitcoin over Tor isn’t a good idea.” IEEE S&P.

Stage 6: Block Building Centralization

Claim | Source
Titan Builder ~50-51% of blocks | Rated Network explorer (live data): https://explorer.rated.network/builders?network=mainnet&timeWindow=1d&page=1
BuilderNet ~27-35% of blocks | Rated Network and RelaysScan: https://www.relayscan.io/builder-profit?t=24h
Top 2 entities control ~80-85% of Ethereum blocks | Gate.io analysis (March 2025): https://www.gate.com/learn/articles/monopoly-in-ethereum-block-builders-and-chain-abstraction-unveiling-profit-incentives-and-innovation-opportunities-in-the-blockchain-ecosystem/7690
BuilderNet is merger of previous top builders including Beaverbuild | Blockworks coverage: https://blockworks.co/news/flashbots-block-building-network-mev
MEV-Boost accounts for approximately 90% of all blocks | Flashbots MEV-Boost adoption statistics, mevboost.pics
Over $7.2 billion in MEV extracted since 2020 | Flashbots MEV-Explore and EigenPhi MEV tracking dashboards
MEV breakdown: arbitrage (35%), sandwich attacks (30%), liquidations (25%) | EigenPhi and Flashbots MEV categorization data
72,000 sandwich attacks targeted 35,000+ victims in 30-day period | EigenPhi sandwich attack tracking data
~60% of block value from private order flows | Flashbots order flow analysis
Private transactions: ~12% of volume but 54%+ of block rewards | Blocknative and Flashbots private transaction analysis
Five providers influence 50%+ of winning auctions | Order flow auction market share analysis via MEV research
Herfindahl-Hirschman Index (HHI) ~3,892 indicating highly concentrated market | Gate.io analysis: https://www.gate.com/learn/articles/monopoly-in-ethereum-block-builders-and-chain-abstraction-unveiling-profit-incentives-and-innovation-opportunities-in-the-blockchain-ecosystem/7690
Titan has highest total profit reaching ~$19.7M USD | ResearchGate academic paper: https://www.researchgate.net/publication/382445216_Who_Wins_Ethereum_Block_Building_Auctions_and_Why
Builder dominance and searcher dependence analysis | Frontier Tech research: https://frontier.tech/builder-dominance-and-searcher-dependence

Stage 7: Post-Inclusion Surveillance Infrastructure

Claim | Source
Etherscan’s Google Analytics and Disqus integrations share user IP addresses with Facebook, Twitter, YouTube | Peter Szilagyi (Ethereum core developer) documentation, 2018: https://www.coindesk.com/markets/2018/11/08/the-little-known-ways-ethereum-reveals-user-location-data
Chainalysis: 25+ blockchains, 17 million assets, 220 million bridge transactions indexed | Chainalysis product documentation: https://www.chainalysis.com/law-enforcement/
Chainalysis claims instrumental role in seizing $34 billion in illicit funds | Chainalysis marketing materials and law enforcement case studies
Chainalysis contracts with FBI, DEA, IRS, ICE across 60+ countries | Public contract records and Chainalysis customer documentation
Elliptic: 100 billion+ data points, 47+ blockchains, 99% market coverage by trading volume | Elliptic product documentation: https://www.elliptic.co/ and https://www.elliptic.co/industries/law-enforcement
Nansen: 500+ million labeled wallet addresses across 30+ networks | Nansen product documentation and MEXC analysis: https://blog.mexc.com/what-is-nansen/
TRM Labs: 28+ blockchains, 74 million cross-chain swaps | TRM Labs product documentation
17.9% of active EOA addresses clustered into ~340,000 entities | Academic paper: “Address clustering heuristics for Ethereum” - Financial Cryptography 2020: https://fc20.ifca.ai/preproceedings/31.pdf
Common Input Ownership Heuristic and address clustering techniques | Wiley research paper: https://ietresearch.onlinelibrary.wiley.com/doi/full/10.1049/blc2.12014 and Nansen explanation: https://www.nansen.ai/post/what-is-transaction-clustering-in-crypto-address-analysis
ABCTracer achieves 91.75% bidirectional tracing accuracy across 12 DeFi bridges | Academic research on cross-chain tracing
FATF Travel Rule enforced under EU MiCA since December 30, 2024 | EU MiCA regulation text and Crypto.com KYC documentation: https://crypto.com/en/university/what-is-kyc-in-crypto
Stealth addresses (ERC-5564) | QuickNode guide: https://www.quicknode.com/guides/ethereum-development/wallets/how-to-use-stealth-addresses-on-ethereum-eip-5564

Stage 8: Frontend Infrastructure and Browser Security

Browser Extension Security Crisis (2025)

Claim | Source
Personal wallet hacks reached $713 million in 2025 | CryptoSlate analysis: https://cryptoslate.com/how-browser-extensions-expose-your-crypto-to-a-fatal-design-flaw-that-the-industry-ignored-bleeding-713m-in-2025/
186 malicious crypto-themed extensions out of 3,599 analyzed (~5% malicious) | ACM research cited in AInvest: https://www.ainvest.com/news/growing-risk-browser-extensions-crypto-wallet-security-assessing-investment-risks-decentralized-wallet-adoption-2512/
34% increase in retail investors moving to cold storage | AInvest analysis: https://www.ainvest.com/news/growing-risk-browser-extensions-crypto-wallet-security-assessing-investment-risks-decentralized-wallet-adoption-2512/
Hardware + air-gapped signing incident rates below 5% vs 15%+ for software-only | CryptoSlate/CryptoRank analysis: https://cryptorank.io/news/feed/2207f-how-browser-extensions-expose-your-crypto-to-a-fatal-design-flaw-that-the-industry-ignored-bleeding-713m-in-2025
40+ malicious Firefox extensions targeting crypto wallets (2025) | The Hacker News: https://thehackernews.com/2025/07/over-40-malicious-firefox-extensions.html
“Safery: Ethereum Wallet” fake MetaMask clone in Chrome Web Store | CryptoSlate: https://cryptoslate.com/how-browser-extensions-expose-your-crypto-to-a-fatal-design-flaw-that-the-industry-ignored-bleeding-713m-in-2025/

Trust Wallet Supply Chain Attack (December 2025)

Claim | Source
$8.5 million drained from 2,520 wallet addresses | The Hacker News: https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html
8.5M | The Defiant: https://thedefiant.io/news/hacks/trust-wallet-confirms-usd7m-stolen-in-browser-extension-hack and The Hacker News
Shai-Hulud supply chain attack exposed GitHub secrets | The Hacker News: https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html
Chrome Web Store API key leaked, bypassing standard release process | Trust Wallet post-mortem cited in The Hacker News
Malicious code triggered on every unlock, not just seed import | Koi Security analysis cited in The Hacker News
Malicious extension v2.68 pushed December 24, 2025 | TechCrunch: https://techcrunch.com/2023/12/14/supply-chain-attack-targeting-ledger-crypto-wallet-leaves-users-hacked/ (Ledger) and The Hacker News (Trust Wallet)
2,596 affected wallet addresses identified | The Hacker News: https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html
SlowMist analysis of malicious code iterating through stored wallets | SlowMist analysis cited in The Defiant
CZ confirmed $7M affected, Trust Wallet will cover losses | CCN: https://www.ccn.com/education/crypto/trust-wallet-warning-6m-lost-btc-eth-sol-browser-extension/

Bybit/Safe Frontend Attack (February 2025)

Claim | Source
$1.46 billion stolen - largest single hack in Web3 history | CoinDCX report: https://coindcx.com/blog/crypto-news-global/lessons-from-bybit-hack/
Lazarus Group compromised Safe{Wallet} developer machine | The Block reporting: https://www.theblock.co/post/343530/lazarus-appears-to-compromise-safe-developer-machine-in-lead-up-to-1-5-billion-bybit-hack-report
Attack via AWS S3 bucket access, malicious JavaScript injection | IPFS blog analysis: https://blog.ipfs.tech/2025-could-ipfs-prevent-bybit-hack/
Malicious code specifically targeted Bybit’s cold wallet addresses | Bitcoin Ethereum News: https://bitcoinethereumnews.com/tech/bybit-1-4b-theft-originated-from-compromised-safe-ui/
Forensic analysis by Sygnia Labs and Verichain | CoinDCX and The Block reporting
Safe rebuilt infrastructure, rotated all credentials post-incident | Decrypt coverage: https://decrypt.co/resources/what-is-gnosis-learn-article
Gnosis founder shared IPFS-hosted “Eternal Safe” fork after hack | IPFS blog: https://blog.ipfs.tech/2025-could-ipfs-prevent-bybit-hack/

BadgerDAO Attack (December 2021)

Claim | Source
$120 million stolen via Cloudflare API key compromise | The Block: https://www.theblockcrypto.com/post/126072/defi-protocol-badgerdao-exploited-for-120-million-in-front-end-attack and Decrypt: https://decrypt.co/87415/bitcoin-defi-project-badgerdao-hacked-120m
$54 million of stolen funds belonged to Celsius Network | CryptoNews: https://cryptonews.net/news/security/2875857/
Malicious script injected via Cloudflare, intercepted transactions | CryptoNews and UseTheBitcoin analysis: https://usethebitcoin.com/the-decentralized-web-can-help-prevent-badgerdao-style-hacks/
Front end approval attacks can drain wallets weeks/months later | Medium DAO analysis: https://medium.com/paradigm-research/daos-badgerdao-front-end-exploit-sushiswap-dao-restructuring-proposals-updates-on-fei-rari-1ba9087a1be4

DNS Hijacking Attacks

Claim | Source
Cream Finance & PancakeSwap DNS hijacking (March 2021) via GoDaddy | The Record: https://therecord.media/two-cryptocurrency-portals-are-experiencing-a-dns-hijack-at-the-same-time
Additional GoDaddy victims: Liquid.com, NiceHash.com, Bibox.com, Celsius.network, Wirex.app | The Record coverage of 2020-2021 incidents
DNS hijacking attack vectors (BGP hijacking, social engineering, registrar vulnerabilities) | arXiv paper on Web3 supply chain security: https://arxiv.org/pdf/2511.12274

Ledger ConnectKit Supply Chain Attack (December 2023)

Claim | Source
Former Ledger employee phished, NPM credentials stolen | TechCrunch: https://techcrunch.com/2023/12/14/supply-chain-attack-targeting-ledger-crypto-wallet-leaves-users-hacked/ and Ledger official report: https://www.ledger.com/blog/security-incident-report
Malicious versions 1.1.5, 1.1.6, 1.1.7 published | SlowMist analysis: https://slowmist.medium.com/supply-chain-attack-on-ledger-connect-kit-analyzing-the-impact-and-preventive-measures-520894aa1f20
Over 100 frontends affected | Blockaid report: https://www.blockaid.io/blog/attack-report-ledger-connect-kit
$600,000+ stolen | The Hacker News: https://thehackernews.com/2023/12/crypto-hardware-wallet-ledgers-supply.html and Blockworks: https://blockworks.co/news/ledger-wallet-vulnerability-connectkit
Angel Drainer malware-as-a-service identified | Ledger security incident report: https://www.ledger.com/blog/security-incident-report
Affected platforms: Zapper, Sushi, Revoke.cash | Blockaid and SlowMist reporting
NPM lacked multi-authorization for publishing | Cycode analysis: https://cycode.com/blog/three-lessons-from-the-ledger-connect-kit-supply-chain-attack/
2FA bypassed via session token theft | Ledger CEO letter: https://www.ledger.com/blog/a-letter-from-ledger-chairman-ceo-pascal-gauthier-regarding-ledger-connect-kit-exploit
Malicious code live for ~5 hours, active draining window ~2 hours | Ledger security incident report
Tether froze attacker’s USDT | Ledger security incident report
Hardware wallet users still lost funds due to browser-side compromise | CryptoSlate analysis: https://cryptoslate.com/how-browser-extensions-expose-your-crypto-to-a-fatal-design-flaw-that-the-industry-ignored-bleeding-713m-in-2025/

Radiant Capital Attack (October 2024)

Claim | Source
$58M hack via compromised signer machines, Safe frontend displayed legitimate data while malicious transactions signed | BlockThreat newsletter: https://newsletter.blockthreat.io/p/blockthreat-week-42-2024

Browser Security Research

Claim | Source
Mozilla early detection system for malicious crypto extensions | The Hacker News: https://thehackernews.com/2025/07/over-40-malicious-firefox-extensions.html
Trust Wallet 2023 “catastrophic” vulnerability identified by Ledger | The Defiant: https://thedefiant.io/news/hacks/trust-wallet-confirms-usd7m-stolen-in-browser-extension-hack
Trust Wallet 2022 entropy flaw - 32-bit entropy generator, $170,000 stolen | AInvest: https://www.ainvest.com/news/growing-risk-browser-extensions-crypto-wallet-security-assessing-investment-risks-decentralized-wallet-adoption-2512/
Browser extensions as primary attack vector analysis | Nominis: https://www.nominis.io/insights/the-hidden-dangers-of-crypto-wallet-browser-extensions-a-growing-security-threat

Additional Context Sources

Topic | Source
Ethereum privacy “HTTPS moment” - privacy as default infrastructure | WuBlock Substack analysis: https://wublock.substack.com/p/ethereum-privacys-https-moment-from
Alchemy private transactions overview | Alchemy documentation: https://www.alchemy.com/overviews/ethereum-private-transactions
Crypto compliance provider comparison | TyN Magazine: https://tynmagazine.com/crypto-compliance-providers-compared-2022/
OpenZeppelin Gnosis Safe backdoor research | OpenZeppelin blog: https://blog.openzeppelin.com/backdooring-gnosis-safe-multisig-wallets
Gnosis Safe token approval risks | De.Fi blog: https://de.fi/blog/manage-revoke-gnosis-token-approvals
Titan Builder official site | https://www.titanbuilder.xyz/

Academic Papers Referenced (not hyperlinked)

  1. Biryukov, A., Khovratovich, D., & Pustogarov, I. (2014). “Deanonymisation of Clients in Bitcoin P2P Network.” ACM Conference on Computer and Communications Security (CCS).

  2. Apostolaki, M., Zohar, A., & Vanbever, L. (2017). “Hijacking Bitcoin: Routing Attacks on Cryptocurrencies.” IEEE Symposium on Security and Privacy.

  3. Meiklejohn, S., et al. (2013). “A Fistful of Bitcoins: Characterizing Payments Among Men with No Names.” IMC ’13.

  4. Victor, F. (2020). “Address Clustering Heuristics for Ethereum.” Financial Cryptography and Data Security (FC 2020).

  5. Biryukov, A., & Pustogarov, I. (2015). “Bitcoin over Tor isn’t a good idea.” IEEE Symposium on Security and Privacy.

  6. “Who Wins Ethereum Block Building Auctions and Why?” (2024). ResearchGate: https://www.researchgate.net/publication/382445216_Who_Wins_Ethereum_Block_Building_Auctions_and_Why


Notes on Data Currency

  • Block builder market share figures (Titan, BuilderNet percentages) are from live dashboards and change continuously. Figures cited reflect data from rated.network and relayscan.io as of early 2025.
  • MEV extraction totals and block statistics are continuously updated. Figures cited reflect data available through Q1 2025.
  • Chain analytics company statistics (addresses labeled, blockchains covered) are from company marketing materials and may be promotional.
  • Incident financial losses are estimates that may have been revised as investigations concluded.
  • The Trust Wallet incident figures were updated from initial 8.5M following post-mortem analysis.