By now, savvy cryptocurrency users looking to cover their tracks are well aware that Bitcoin and blockchain systems like it are far from anonymous. Law enforcement officials can trace transactions and even identify who is making them.

Some users believed they’d found a way around this. They thought investigators could only track transactions within blockchains, so they could stay anonymous by moving from one blockchain to another. A number of startups have sprung up that offer exactly this service. Well, blockchain sleuths may have this avenue covered now too.

The hypothesis used to be that criminals using Bitcoin would eventually try to cash out into fiat currency, using an exchange. In 2013, Sarah Meiklejohn, now an associate professor of cryptography and security at University College London, helped pioneer blockchain tracking methods that rely on this theory.

The details of the approach are technical, but at a high level it involves creating network maps based on the movement of coins between addresses, the strings of numbers and letters that identify every Bitcoin account on the blockchain. “Clusters” of addresses that frequently send coins between each other can be tied to individuals (using multiple addressees is a common practice) or organizations, like exchanges. Law enforcement officials now use similar approaches to track coins as they move between addresses and eventually to an exchange, which they can subpoena for more information.

But the cryptocurrency scene has changed dramatically since 2013, when there were very few coins besides Bitcoin. Now there are around 2,500 cryptocurrencies, and as of this writing 14 are worth north of a billion dollars. This has given people trying to maintain their anonymity opportunities to be more creative, says Meiklejohn, whose team has published a new research paper exploring how to track users across blockchains in addition to within them. 

As more crypto users grew aware that Bitcoin isn’t so private, some switched to alternative currencies that claimed to offer anonymity—most prominently Zcash, Monero, and Dash. These three networks use different privacy-enhancing technologies, but in each case, researchers have shown that it’s possible to de-anonymize users.

Anyone wanting to avoid leaving traces soon had another tool, however. Remember WannaCry? In 2017, the global ransomware attack hit hundreds of thousands of computers all over the world, making them inaccessible and demanding that their owners pay a ransom in Bitcoin to regain access. The perpetrators then tried to launder around $143,000 worth of Bitcoin by using a service called ShapeShift to change them into Monero.

ShapeShift and services like it are automated systems that allow users to convert one currency directly into another, via a minutes-long process that doesn’t require the service to ever take custody of the coins. A user simply tells ShapeShift what currency to exchange for what: say, Bitcoin for Dogecoin. ShapeShift then provides an exchange rate and an address to which the user is to send the Bitcoin. The user sends the Bitcoin to that address and, for a fee, gets the equivalent value back in Dogecoin. Criminals using this strategy are banking on investigators’ inability to follow the transactions anymore once they leave the original chain.

But according to the new research, their assumption is wrong.

Using ShapeShift’s application programming interface (API), the researchers gathered detailed information about its users’ transactions, spanning eight different blockchains, for nearly 13 months between late 2017 and late 2018. They combined this information with previously established techniques to identify many “cross-chain” transactions. This meant they could document both the first transaction, in which money moves from the user to ShapeShift, and the second one, on a different blockchain, in which ShapeShift sends coins to the user.

The researchers then went a step further, cataloguing distinct patterns of what could be anonymity-seeking behaviors linked to specific addresses. Besides simple “pass-throughs” to a different currency, many users engaged in what the researchers call “U-turns,” changing currencies and then immediately switching back to the original, and “roundtrips,” which are  more complicated combinations of the other two. The main take-away: given the information ShapeShift makes public via API, the service is not anonymous. “By moving from one chain to another, you’re not really doing anything more than you can do within the chains anyway,” Meiklejohn says. 

It should be noted that although ShapeShift is the most popular service of this type, copycats have cropped up too, and not all offer the same level of detailed transaction information via their APIs. Though it is still possible to track transactions across chains without using this kind of information to help link them, it’s much more difficult, says Meiklejohn. 

Either way, it’s not clear that the promise of anonymity—false as it may be—is the only or main reason people use ShapeShift or similar services, she says. For instance, her team concluded that some of the behaviors they observed could have reflected traders switching back and forth between currencies in an attempt to profit from price movements.

Whoever ShapeShift’s users are, there are apparently a lot fewer now than there were before October 2018. That’s when ShapeShift made a big change to its policy: it stopped letting users trade without providing identification information, a move made to comply with anti-money-laundering regulations. Erik Voorhees, the company’s CEO, recently said the change “essentially gutted” its customer base.

Even if users flock to copycats that don’t require personal information, though, Meiklejohn’s team's research suggests they would be wise not to assume they are anonymous.