We show how third-party web trackers can deanonymize users of cryptocurrencies. We present two distinct but complementary attacks. On most shopping websites, third party trackers receive information about user purchases for purposes of advertising and analytics. We show that, if the user pays using a cryptocurrency, trackers typically possess enough information about the purchase to uniquely identify the transaction on the blockchain, link it to the user’s cookie, and further to the user’s real identity. Our second attack shows that if the tracker is able to link two purchases of the same user to the blockchain in this manner, it can identify the user’s cluster of addresses and transactions on the blockchain, even if the user employs blockchain anonymity techniques such as CoinJoin. The attacks are passive and hence can be retroactively applied to past purchases. We discuss several mitigations, but none are perfect.
 Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. The web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of ACM Conference on Computer and Communications Security, 2014.
 Elli Androulaki, Ghassan O Karame, Marc Roeschlin, Tobias Scherer, and Srdjan Capkun. Evaluating user privacy in bitcoin. In Financial Cryptography and Data Security, 2013.
 Julia Angwin and Jennifer Valentino-Devries. Google’s iphone tracking. Wall Street Journal, 2012.
 K Atlas. Weak privacy guarantees for sharedcoin mixing service, 2014.
 Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. Zerocash: Decentralized Anonymous Payments from Bitcoin. In IEEE Symposium on Security and Privacy, 2014.
 Alex Biryukov, Dmitry Khovratovich, and Ivan Pustogarov. Deanonymisation of clients in bitcoin p2p network. In Proceedings of ACM Conference on Computer and Communications Security, 2014.
 Alex Biryukov and Ivan Pustogarov. Bitcoin over tor isn’t a good idea. In IEEE Symposium on Security and Privacy, 2015.
 George Bissias, A Pinar Ozisik, Brian N Levine, and Marc Liberatore. Sybil-resistant mixing for bitcoin. In Proceedings of WPES. ACM, 2014.
 Joseph Bonneau, Andrew Miller, Jeremy Clark, Arvind Narayanan, Joshua A. Kroll, and Edward W. Felten. Research perspectives and challenges for bitcoin and cryptocurrencies. In IEEE Symposium on Security and Privacy, 2015.
 Joseph Bonneau, Arvind Narayanan, Andrew Miller, Jeremy Clark, Joshua A. Kroll, and Edward W. Felten. Mixcoin: Anonymity for bitcoin with accountable mixes. In Financial Cryptography and Data Security. 2014.
 Justin Brookman, Phoebe Rouge, Aaron Alva Alva, and Christina Yeung. Cross-device tracking: Measurement and disclosures. 2018.
 Ceren Budak, Sharad Goel, Justin Rao, and Georgios Zervas. Understanding emerging threats to online advertising. In Proceedings of the ACM Conference on Economics and Computation, 2016.
 Peter Eckersley. How unique is your web browser? 2010.
 Steven Englehardt and Arvind Narayanan. Online tracking: A 1-million-site measurement and analysis. In Proceedings of ACM Conference on Computer and Communications Security, 2016.
 Steven Englehardt, Dillon Reisman, Christian Eubank, Peter Zimmerman, Jonathan Mayer, Arvind Narayanan, and Edward W Felten. Cookies that give you away: The surveillance implications of web tracking. In Proceedings of the Conference on World Wide Web, 2015.
 Giulia Fanti and Pramod Viswanath. Anonymity properties of the bitcoin p2p network. arXiv preprint arXiv:1703.08761, 2017.
 Arthur Gervais, Alexandros Filios, Vincent Lenders, and Srdjan Capkun. Quantifying web adblocker privacy. IACR Cryptology ePrint Archive, 2016.
 Arthur Gervais, Hubert Ritzdorf, Mario Lucic, and Srdjan Capkun. Quantifying location privacy leakage from transaction prices. ESORICS, 2016.
 Ethan Heilman, Leen Alshenibr, Foteini Baldimtsi, Alessandra Scafuro, and Sharon Goldberg. Tumblebit: An untrusted bitcoin-compatible anonymous payment hub. NDSS, 2016.
 Ethan Heilman, Foteini Baldimtsi, and Sharon Goldberg. Blindly signed contracts: Anonymous on-blockchain and offblockchain bitcoin transactions. In Financial Cryptography Workshops, 2016.
 Matthias Hellwig and Alexander Souza. Approximation algorithms for generalized and variable-sized bin covering. In Approximation, Randomization, and Combinatorial Optimization. Algorithms and Techniques, pages 194–205. 2012.
 Jordi Herrera-Joancomartí and Cristina Pérez-Solà. Privacy in bitcoin transactions: new challenges from blockchain scalability solutions. In Modeling Decisions for Artificial Intelligence, pages 26–44. Springer, 2016.
 Philip Koshy, Diana Koshy, and Patrick D. McDaniel. An analysis of anonymity in bitcoin using P2P network traffic. In Financial Cryptography and Data Security.
 Balachander Krishnamurthy, Konstantin Naryshkin, and Craig Wills. Privacy leakage vs. protection measures: the growing disconnect. In W2SP, 2011.
 Balachander Krishnamurthy and Craig E Wills. On the leakage of personally identifiable information via online social networks. In Proceedings of the ACM workshop on Online social networks, 2009.
 Katharina Krombholz, Aljosha Judmayer, Matthias Gusenbauer, and Edgar Weippl. The other side of the coin: User experiences with bitcoin security and privacy. In Financial Cryptography and Data Security, 2016.
 Amrit Kumar, Clément Fischer, Shruti Tople, and Prateek Saxena. A traceability analysis of monero’s blockchain. IACR Cryptology ePrint Archive, 2017.
 Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints. In IEEE Symposium on Security and Privacy, 2016.
 Adam Lerner, Anna Kornfeld Simpson, Tadayoshi Kohno, and Franziska Roesner. Internet jones and the raiders of the lost trackers: An archaeological study of web tracking from 1996 to 2016. In Proceedings of the USENIX Security Symposium, 2016.
 Timothy Libert. Exposing the invisible web: An analysis of third-party http requests on 1 million websites. International Journal of Communication, 9:18, 2015.
 Giulio Malavolta, Pedro Moreno-Sanchez, Aniket Kate, Matteo Maffei, and Srivatsan Ravi. Concurrency and privacy with payment-channel networks. 2017.
 Gregory Maxwell. CoinJoin: Bitcoin Privacy for the Real World, 2013.
 Jonathan R Mayer and John C Mitchell. Third-party web tracking: Policy and technology. In IEEE Symposium on Security and Privacy, 2012.
 Sarah Meiklejohn and Claudio Orlandi. Privacy-enhancing overlays in bitcoin. In Financial Cryptography and Data Security, 2015.
 Sarah Meiklejohn, Marjori Pomarole, Grant Jordan, Kirill Levchenko, Damon McCoy, Geoffrey M Voelker, and Stefan Savage. A fistful of bitcoins: Characterizing payments among men with no names. In Proceedings of ACM IMC, 2013.
 Georg Merzdovnik, Markus Huber, Damjan Buhov, Nick Nikiforakis, Sebastian Neuner, Martin Schmiedecker, and Edgar Weippl. Block me if you can: A large-scale study of tracker-blocking tools. In IEEE Symposium on Security and Privacy, 2017.
 Ian Miers, Christina Garman, Matthew Green, and Aviel D Rubin. Zerocoin: Anonymous distributed e-cash from bitcoin. In IEEE Symposium on Security and Privacy, 2013.
 Andrew Miller, Malte Möser, Kevin Lee, and Arvind Narayanan. An empirical analysis of linkability in the monero blockchain. Proceedings on Privacy Enhancing Technologies, 2018.
 Malte Möser and Rainer Böhme. Join me on a market for anonymity. In Proceedings of WPES. ACM, 2016.
 Satoshi Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System, 2008.
 Till Neudecker and Hannes Hartenstein. Could network information facilitate address clustering in bitcoin?
 Joseph Poon and Thaddeus Dryja. The bitcoin lightning network: Scalable off-chain instant payments. 2015.
 Rebecca S. Portnoff, Danny Yuxing Huang, Periwinkle Doerfler, Sadia Afroz, and Damon McCoy. Backpage and bitcoin: Uncovering human traickers. In Proceedings of the Conference on Knowledge Discovery and Data Mining, 2017.