Technical, forensic and organisational aspects of work with Monero cryptocurrency

Keywords: cryptocurrency, Monero, law enforcement agencies, crime prevention, trace evidence.


The forensic, organisational and technical features of law enforcement agencies' work with the Monero cryptocurrency in the context of pre-trial investigation and operational search activities are analysed. The development of the Monero system is described. The reasons and trends of Monero use by offenders are identified, and the scheme of operation of this payment system, which ensures its increased confidentiality, is shown. Examples of criminal offences in which Monero is used are presented. The functionality of OpenAlias to facilitate the work with Monero addresses is disclosed. The possibility of identifying participants in Monero transactions is studied. It is stated that there are currently no effective ways of such identification without knowledge of the public address and the corresponding keys, especially if users use additional security mechanisms such as connection to the TOR network.

The features of forensic investigation of computer equipment used to work with Monero are revealed. It is established that the most effective is the study of traces of work with Monero, which are removed from the relevant computer equipment of the person of interest. Useful information can be stored in RAM, on a disc, and partially in network traffic. The article identifies artefacts that should be taken into account during inspection and search. Atomic Swaps of XMR are modelled to determine the trace pattern and identify artefacts of increased attention during forensic procedures. The fact that an atomic swap was carried out to obfuscate traces may be evidenced by the presence of specific software files on the disc used for this purpose.

The algorithm for XMR withdrawal using multisig addresses has been proposed, from which funds can be withdrawn only when digital signatures of several persons are superimposed. The work of this algorithm in the test network Stagenet is modelled. It has been concluded that law enforcement agencies should focus on classical investigative measures to identify Monero users of interest. At the same time, there are effective mechanisms for documenting traces of work with the Monero payment system and proven methods for extracting passphrases to crypto-wallets and other sensitive information on the movement of funds in the Monero system from computer equipment.


Download data is not yet available.

Author Biographies

V. V. Nosov, Kharkiv National University of Internal Affairs

Candidate of Technical Sciences, Associate Professor.
Department of Cybercrime Combating.

O. V. Manzhai, Kharkiv National University of Internal Affairs

Candidate of Law, Professor.
Department of Cybercrime Combating.

V. O. Kovtun, Cyberpolice Department of the National Police of Ukraine

2nd Unit (Analysis of Open Sources) of the 4th Department (Operational and Analytical Support and Analysis of Open Sources).


Bahamazava, K., & Nanda, R. (2022). The shift of DarkNet illegal drug trade preferences in cryptocurrency: The question of traceability and deterrence, Forensic Science International: Digital Investigation, 4.

Biryukov, A., & Tikhomirov, S. (2019, June 17–19). Deanonymization and Linkability of Cryptocurrency Transactions Based on Net-work Analysis [Conference presentation abstract]. Conference Proceedings “2019 IEEE European Symposium on Security and Privacy”, Stockholm, Sweden.

Damgård, I., Ganesh, C., Khoshakhlagh, H., Orlandi, C., & Siniscalchi, L. (2021, May 17–21). Balancing Privacy and Accountability in Blockchain Identity Management [Conference presentation abstract]. Conference Proceedings “Topics in Cryptology – CT-RSA 2021”. Stockholm, Sweden.

Handaya, W. B. T., Yusoff, M. N., & Jantan, A. (2020). Machine learning approach for detection of fileless cryptocurrency mining malware. Journal of Physics: Conference Series, 1450.

Keller, P., Florian, M., & Böhme, R. (2021). Collaborative Deanonymization [Conference presentation abstract]. Financial Cryptography and Data Security : FC 2021 International Workshops, Berlin, Germany.

Kethineni, S., & Cao, Y. (2020). The Rise in Popularity of Cryptocurrency and Associated Criminal Activity. International Criminal Justice Review, 30(3), 325–344.

Koerhuis, W., Kechadi, T., & Le-Khac, N.-A. (2020). Forensic analysis of privacy-oriented cryptocurrencies. Forensic Science International: Digital Investigation, 33.

Kumar, A., Fischer, C., Tople, S., & Saxena, P. A (2017, September 11–15). Traceability Analysis of Monero’s Blockchain [Conference presentation abstract]. 22nd European Symposium “Computer Security – ESORICS 2017”, Oslo, Norway. DOI:

Musch, M., Wressnegger, C., Johns, M., & Rieck, K. (2019, August 26–29). Thieves in the Browser [Conference presentation abstract]. Proceedings of the 14th International Conference on Availability, Reliability and Security, Canterbury, United Kingdom.

Nosov, V. V. & Manzhai, I. A. (2021). Certain Aspects of the Analysis of Cryptocurrency Transactions during the Prevention and Investigation of Crimes. Law and Safety, 1(80), 93–100.

Nosov, V. V., Manzhai, O. V. & Panchenko, Ye. V. (2022). Analysis of Ethereum transactions during the prevention and investigation of criminal offenses. Law and Safety, 4(87), 108–124.

Pastrana, S., & Suarez-Tangil, G. (2019, October 21–23). A First Look at the Crypto-Mining Malware Ecosystem [Conference presentation abstract]. IMC’19: ACM Internet Measurement Conference, Amsterdam, Netherland.

Peili, L., & Haixia, X. (2020). Blockchain User Anonymity and Traceability Technology. Journal of Electronics & Information Technology, 42(5), 1061–1067.

Russo, M., Šrndić, N., & Laskov, P. (2021). Detection of illicit cryptomining using network metadata. EURASIP Journal on Information Security, 11.

Rüth, J., Zimmermann, T., Wolsing, K., & Hohlfeld, O. (2018). Digging into Browser-based Crypto Mining [Conference presentation abstract]. IMC’18: Internet Measurement Conference, Boston, United States.

Sampson, J. (2018). Secret digital coin mining and trading is a threat to your business. Computer Fraud & Security, 4, 8–10.

Tramer, F., Boneh, D., & Paterson, K. G. (2020, August 12–14). Remote Side-Channel Attacks on Anonymous Transactions [Conference presentation abstract]. SEC’20: 29th USENIX Conference of Security Symposium, United States.

Wijaya, D. A., Liu, J., Steinfeld, R., & Liu, D. (2018, August 1–3). Monero Ring Attack: Recreating Zero Mixin Transaction Effect [Conference presentation abstract]. 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications / 12th IEEE International Conference on Big Data Science and Engineering, New York, United States.

Zhang, Y. & Xu, H. (2022). Accountable Monero System with Privacy Protection. Security and Communication Networks, 22.

Zimba, A., Wang, Z., Mulenga, M., & Odongo, N. H. (2018). Crypto Mining Attacks in Information Systems: An Emerging Threat to Cyber Security. Journal of Computer Information Systems, 60(4).

How to Cite
Nosov, V. V., Manzhai, O. V. and Kovtun, V. O. (2023) “Technical, forensic and organisational aspects of work with Monero cryptocurrency”, Law and Safety, 90(3), pp. 102-125. doi: 10.32631/pb.2023.3.09.