privacy – Dust attack by Deanonymizing

A de-anonymized dust attack works by sending dust to large amounts of addresses. The assumption is: when people send transactions / consolidate in the future, dust from multiple addresses will be consolidated into a single transaction, revealing multiple addresses controlled by a single entity, because the dust would be swept by a single tx.

(This is somewhat of a simplification, since most parties interested in performing such attacks will also use other data to group multiple independent tx's).

The best way to prevent this attack is to:

  1. Never spend dust in a transaction that consumes address entries that have not yet been linked by a transaction.
  2. Do not spend dust at all.

This will lead to a utxo overhead, but if you reuse your addresses, you can skip the dust when you spend another utxo from the same address. If you do not reuse the addresses, just do not use them.

Some portfolios, such as the Samourai wallet (no affiliation), offer the possibility of marking the dust as unusable. For the systems you build, you will have to ignore these outputs yourself.